[逆向破解/内核驱动] 利用dbghelp解析PDB符号 代码 示例

    #include "stdafx.h"
    #include "DbgHelpWrapper.h"
    
    
    // Binds the wrapper to the calling process: the pseudo-handle returned by
    // GetCurrentProcess() is stored in hProcess and used as the session key for
    // every DbgHelp call made by this class.
    // NOTE(review): IsInitialized and ModuleBase are not assigned here. Confirm
    // that the class declaration gives them initial values, because
    // InitializeDbgHelp() and the destructor read IsInitialized.
    DbgHelpWrapper::DbgHelpWrapper() {
            this->hProcess = GetCurrentProcess();
    }
    
    // Ends the DbgHelp session, if one is open, when the wrapper is destroyed.
    // The result of DeinitializeDbgHelp() is deliberately ignored: there is
    // nothing a destructor can do about a failed cleanup.
    DbgHelpWrapper::~DbgHelpWrapper() {
            (void)DeinitializeDbgHelp();
    }
    
    
    
    // Opens a DbgHelp session for hProcess.
    //
    // SymbolsPath - symbol search path handed to SymInitialize(); when NULL the
    //               class-level DefaultSymbolsPath is used instead.
    // Returns the value of SymInitialize(), which is also cached in IsInitialized.
    //
    // The third SymInitialize() argument is FALSE, so the modules of the process
    // are not enumerated; symbols are loaded explicitly through LoadSymbols().
    // NOTE(review): the search path decides where DbgHelp looks for PDB files.
    // If it can name a symbol server, lookups may leave the machine, so review
    // what DefaultSymbolsPath contains and who can influence SymbolsPath.
    BOOL DbgHelpWrapper::InitializeDbgHelp(LPSTR SymbolsPath) {
            // A session that is still open is closed first so the handle can be reused.
            if (IsInitialized) {
                    DeinitializeDbgHelp();
            }

            LPSTR EffectivePath = (SymbolsPath != NULL) ? SymbolsPath : (LPSTR)DefaultSymbolsPath;
            IsInitialized = SymInitialize(hProcess, EffectivePath, FALSE);
            return IsInitialized;
    }
    
    // Closes the DbgHelp session opened by InitializeDbgHelp().
    //
    // Returns the session state after the attempt, NOT a success flag:
    //   FALSE - no session is open any more (cleanup succeeded or none existed);
    //   TRUE  - SymCleanup() failed and the session is still considered open.
    // NOTE(review): ModuleBase is left untouched here, so it still holds the old
    // base after a successful cleanup. Confirm callers do not reuse it.
    BOOL DbgHelpWrapper::DeinitializeDbgHelp() {
            if (!IsInitialized) {
                    return IsInitialized;
            }

            if (SymCleanup(hProcess)) {
                    IsInitialized = FALSE;
            }
            return IsInitialized;
    }
    
    
    
    // Loads the symbol table of the module at ModulePath into the session and
    // remembers its base address in ModuleBase for later type queries.
    //
    // SymLoadModuleEx() is called with no file handle, no module name, base 0,
    // size 0, no MODLOAD_DATA and no flags.
    // Returns TRUE when a non-zero base came back, FALSE otherwise.
    // NOTE(review): SymLoadModuleEx() also returns 0 when the module is already
    // loaded, so a second call for the same module overwrites ModuleBase with 0
    // and reports FALSE. IsInitialized is not checked before the call.
    BOOL DbgHelpWrapper::LoadSymbols(LPSTR ModulePath) {
            ModuleBase = SymLoadModuleEx(hProcess, NULL, ModulePath, NULL, 0, 0, NULL, 0);
            if (ModuleBase == 0) {
                    return FALSE;
            }
            return TRUE;
    }
    
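    // Looks up a type by name in the loaded module and returns its type index.
    //
    // SymbolName  - name of the type to find (must not be NULL).
    // SymbolIndex - receives SYMBOL_INFO::Index on success (must not be NULL);
    //               left untouched on failure.
    // Returns the result of SymGetTypeFromName(), or FALSE for NULL arguments.
    BOOL DbgHelpWrapper::GetRootSymbol(LPSTR SymbolName, PULONG SymbolIndex) {
            if ((SymbolName == NULL) || (SymbolIndex == NULL)) return FALSE;

            // The structure must be zeroed before use. MaxNameLen tells DbgHelp how
            // many characters it may write into the trailing Name buffer, and this
            // stack instance only has room for the single character declared in the
            // structure. An uninitialized MaxNameLen would let DbgHelp write a
            // symbol name, taken from the PDB, past the end of the local variable.
            SYMBOL_INFO SymbolInfo = { 0 };
            SymbolInfo.SizeOfStruct = sizeof(SymbolInfo);
            SymbolInfo.MaxNameLen = 0; // the name is not needed, only the index

            BOOL Status = SymGetTypeFromName(hProcess, ModuleBase, SymbolName, &SymbolInfo);
            if (Status) *SymbolIndex = SymbolInfo.Index;
            return Status;
    }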
    
    // Asks DbgHelp how many child symbols (for example, structure members) the
    // type SymbolIndex has.
    //
    // ChildrenCount - receives the count; passed straight through to
    //                 SymGetTypeInfo(), so it must point to writable storage.
    // Returns the result of SymGetTypeInfo(TI_GET_CHILDRENCOUNT).
    BOOL DbgHelpWrapper::GetChildrenCount(ULONG SymbolIndex, OUT PULONG ChildrenCount) {
            CONST BOOL Queried = SymGetTypeInfo(hProcess, ModuleBase, SymbolIndex, TI_GET_CHILDRENCOUNT, ChildrenCount);
            return Queried;
    }
    
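    // Retrieves the type indices of the children of ParentSymbolIndex.
    //
    // ParentSymbolIndex - type whose children are listed.
    // IndicesBuffer     - caller-owned array that receives the child indices.
    // MaxIndices        - capacity of IndicesBuffer, in elements.
    // ChildrenCount     - receives the TOTAL number of children reported by
    //                     DbgHelp. It may be larger than MaxIndices; only
    //                     min(ChildrenCount, MaxIndices) entries are written, so
    //                     callers must not read more than that from the buffer.
    // Returns TRUE on success (including the "no children" case), FALSE on bad
    // arguments, allocation failure or a failed DbgHelp query.
    BOOL DbgHelpWrapper::GetChildrenSymbols(
            ULONG     ParentSymbolIndex,
            ULONG*    IndicesBuffer,
            ULONG     MaxIndices,
            OUT ULONG &ChildrenCount
    ) {
            if ((IndicesBuffer == NULL) || (MaxIndices == 0)) return FALSE;

            // Get the number of nested elements ("children"):
            if (!GetChildrenCount(ParentSymbolIndex, &ChildrenCount)) return FALSE;
            if (ChildrenCount == 0) return TRUE;

            // The count comes from the symbol file, so the size arithmetic is done
            // in SIZE_T and checked: a wrapped size would give a short allocation
            // that DbgHelp then fills with Count entries.
            CONST SIZE_T MaxChildren = (~(SIZE_T)0 - sizeof(TI_FINDCHILDREN_PARAMS)) / sizeof(ULONG);
            if (ChildrenCount > MaxChildren) return FALSE;

            CONST SIZE_T FindChildrenSize = sizeof(TI_FINDCHILDREN_PARAMS) + (SIZE_T)ChildrenCount * sizeof(ULONG);
            TI_FINDCHILDREN_PARAMS* FindChildrenParams = (TI_FINDCHILDREN_PARAMS*)malloc(FindChildrenSize);
            if (FindChildrenParams == NULL) return FALSE;
            memset(FindChildrenParams, 0, FindChildrenSize);

            FindChildrenParams->Count = ChildrenCount;

            // Get the children:
            if (!SymGetTypeInfo(hProcess, ModuleBase, ParentSymbolIndex, TI_FINDCHILDREN, FindChildrenParams)) {
                    free(FindChildrenParams);
                    return FALSE;
            }

            // Copy the child indices to the output array, never past its capacity:
            CONST ULONG IndicesToCopyCount = ChildrenCount > MaxIndices ? MaxIndices : ChildrenCount;
            for (ULONG i = 0; i < IndicesToCopyCount; i++) {
                    IndicesBuffer[i] = FindChildrenParams->ChildId[i];
            }

            free(FindChildrenParams);

            return TRUE;
    }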
    
    
    
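    // Searches a list of type indices for the symbol called SymbolName.
    //
    // SymbolName    - wide-character name to look for; owned by the caller and
    //                 never freed here.
    // IndicesBuffer - array of candidate type indices.
    // IndicesCount  - number of valid entries in IndicesBuffer.
    // Returns the matching index, or 0 when nothing matches. An index of 0 is
    // therefore indistinguishable from "not found".
    ULONG DbgHelpWrapper::GetSymbolIndex(LPWSTR SymbolName, ULONG* IndicesBuffer, ULONG IndicesCount) {
            if ((SymbolName == NULL) || (IndicesBuffer == NULL)) return 0;

            for (ULONG i = 0; i < IndicesCount; i++) {
                    LPWSTR CurrentSymbolName = NULL;
                    if (!GetSymbolName(IndicesBuffer[i], &CurrentSymbolName)) continue;
                    if (CurrentSymbolName == NULL) continue;

                    CONST BOOL Matches = (wcscmp(CurrentSymbolName, SymbolName) == 0);

                    // Release the buffer DbgHelp allocated for this candidate. The
                    // caller's SymbolName must not be passed here: it is not ours
                    // to free and is still needed for the remaining comparisons.
                    FreeSymbolName(CurrentSymbolName);

                    if (Matches) return IndicesBuffer[i];
            }

            return 0;
    }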
    
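    // Finds the child of ParentSymbolIndex whose name equals SymbolName.
    //
    // ParentSymbolIndex - type whose children are searched.
    // SymbolName        - wide-character name of the child to find.
    // Returns the child's type index, or 0 when the parent has no children, the
    // name is not found, a DbgHelp query fails or memory cannot be allocated.
    ULONG DbgHelpWrapper::GetSymbolIndex(ULONG ParentSymbolIndex, LPWSTR SymbolName) {
            ULONG ChildrenCount = 0;
            if (!GetChildrenCount(ParentSymbolIndex, &ChildrenCount)) return 0;
            if (ChildrenCount == 0) return 0;

            // calloc() zeroes the whole array and rejects a count whose byte size
            // would overflow; the capacity is kept separately because
            // GetChildrenSymbols() rewrites ChildrenCount through its reference.
            CONST ULONG Capacity = ChildrenCount;
            PULONG ChildrenIndices = (PULONG)calloc(Capacity, sizeof(ULONG));
            if (ChildrenIndices == NULL) return 0;

            ULONG ChildrenIndex = 0;
            if (GetChildrenSymbols(ParentSymbolIndex, ChildrenIndices, Capacity, ChildrenCount)) {
                    // Only the entries that fit into the buffer were written.
                    CONST ULONG ValidCount = (ChildrenCount < Capacity) ? ChildrenCount : Capacity;
                    ChildrenIndex = GetSymbolIndex(SymbolName, ChildrenIndices, ValidCount);
            }

            free(ChildrenIndices);

            return ChildrenIndex;
    }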
    
    
    
    // Retrieves the name of the symbol SymbolIndex.
    //
    // SymbolName - receives a pointer to a wide-character string allocated by
    //              DbgHelp. This class releases such buffers through
    //              FreeSymbolName(), so each successful call needs a matching
    //              release.
    // Returns the result of SymGetTypeInfo(TI_GET_SYMNAME).
    BOOL DbgHelpWrapper::GetSymbolName(ULONG SymbolIndex, OUT LPWSTR* SymbolName) {
            CONST BOOL Queried = SymGetTypeInfo(hProcess, ModuleBase, SymbolIndex, TI_GET_SYMNAME, SymbolName);
            return Queried;
    }
    
    // Releases a name buffer obtained from GetSymbolName().
    // NOTE(review): confirm that VirtualFree() is the deallocator that matches
    // the buffer DbgHelp returns for TI_GET_SYMNAME. The return value is
    // discarded, so a mismatch would fail silently and leak every name.
    VOID DbgHelpWrapper::FreeSymbolName(LPWSTR SymbolName) {
            CONST SIZE_T WholeRegion = 0; // MEM_RELEASE requires a size of zero
            VirtualFree(SymbolName, WholeRegion, MEM_RELEASE);
    }
    
    // Retrieves the offset of the symbol SymbolIndex within its parent, for
    // example a member's offset inside a structure.
    //
    // Offset - receives the offset; passed straight through to SymGetTypeInfo(),
    //          so it must point to writable storage.
    // Returns the result of SymGetTypeInfo(TI_GET_OFFSET).
    BOOL DbgHelpWrapper::GetSymbolOffset(ULONG SymbolIndex, OUT PULONG Offset) {
            CONST BOOL Queried = SymGetTypeInfo(hProcess, ModuleBase, SymbolIndex, TI_GET_OFFSET, Offset);
            return Queried;
    }

    帖子来源:郁金香