[逆向破解/内核驱动] 利用dbghelp解析PDB符号 代码 示例

发表于 2019-9-7 23:15:13 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
[mw_shl_code=c,true]#include "stdafx.h"
#include "DbgHelpWrapper.h"


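// Binds the wrapper to the current process. DbgHelp keys its session state on
// this handle, so every Sym* call in this file passes the same hProcess.
DbgHelpWrapper::DbgHelpWrapper() {
	hProcess = GetCurrentProcess();
	// Start from a known state: InitializeDbgHelp() tests IsInitialized and
	// LoadSymbols()/the query methods read ModuleBase before any assignment
	// would otherwise have happened. (If the header already initializes
	// these members, repeating it here is harmless.)
	IsInitialized = FALSE;
	ModuleBase = 0;
}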

// Tears down the DbgHelp session (SymCleanup) if one is still active.
// The BOOL returned by DeinitializeDbgHelp() carries no information a
// destructor can act on, so it is discarded explicitly.
DbgHelpWrapper::~DbgHelpWrapper() {
	(void)DeinitializeDbgHelp();
}



// Initializes DbgHelp for hProcess with the given symbol search path.
//   SymbolsPath: search path handed to SymInitialize; NULL selects DefaultSymbolsPath.
// An earlier initialization is torn down first. fInvadeProcess is FALSE, so
// DbgHelp does not enumerate the process's modules by itself; callers load
// exactly the module they need through LoadSymbols().
// Returns SymInitialize's result, which is also cached in IsInitialized.
BOOL DbgHelpWrapper::InitializeDbgHelp(LPSTR SymbolsPath) {
	LPSTR EffectivePath = SymbolsPath;
	if (EffectivePath == NULL) {
		EffectivePath = const_cast<LPSTR>(DefaultSymbolsPath);
	}

	if (IsInitialized) {
		DeinitializeDbgHelp();
	}

	IsInitialized = SymInitialize(hProcess, EffectivePath, FALSE);
	return IsInitialized;
}

// Calls SymCleanup when this wrapper initialized DbgHelp.
// Return convention (kept as the callers expect it): the resulting
// IsInitialized flag is returned, so FALSE means "no session is active"
// (cleanup succeeded, or there was nothing to clean up) and TRUE means
// SymCleanup failed and the session is still considered active.
BOOL DbgHelpWrapper::DeinitializeDbgHelp() {
	if (!IsInitialized) return IsInitialized;   // nothing to tear down

	if (SymCleanup(hProcess)) {
		IsInitialized = FALSE;
	}
	return IsInitialized;
}



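// Loads the symbols for the module at ModulePath into the DbgHelp session and
// records its base address in ModuleBase, which every query below uses.
//   ModulePath: path of the image whose PDB/debug info should be loaded.
// A module loaded by a previous call is unloaded first, so repeated calls do
// not leave stale modules in the session for its whole lifetime; ModuleBase is
// overwritten either way, so the old module was unreachable through this
// wrapper anyway.
// Returns TRUE when SymLoadModuleEx returned a non-zero base.
BOOL DbgHelpWrapper::LoadSymbols(LPSTR ModulePath) {
	if (ModulePath == NULL) return FALSE;

	if (ModuleBase != 0) {
		// Best-effort: a failed unload is not fatal for loading the next module.
		SymUnloadModule64(hProcess, ModuleBase);
		ModuleBase = 0;
	}

	ModuleBase = SymLoadModuleEx(hProcess, NULL, ModulePath, NULL, 0, 0, NULL, 0);
	return ModuleBase != 0;
}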

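// Resolves a top-level type symbol (for example a structure name) in the
// loaded module.
//   SymbolName:  name to look up with SymGetTypeFromName.
//   SymbolIndex: receives SYMBOL_INFO::Index on success.
// SYMBOL_INFO ends in a flexible Name[] array that SymGetTypeFromName fills up
// to MaxNameLen characters, so the struct must live in a buffer with room for
// the name and MaxNameLen must be set; a bare SYMBOL_INFO local leaves
// MaxNameLen indeterminate and provides only one byte of name storage.
// Returns FALSE on NULL arguments or when the lookup fails.
BOOL DbgHelpWrapper::GetRootSymbol(LPSTR SymbolName, PULONG SymbolIndex) {
	if (SymbolName == NULL || SymbolIndex == NULL) return FALSE;

	// alignas keeps the ULONG64 members of SYMBOL_INFO correctly aligned.
	alignas(SYMBOL_INFO) BYTE Buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(CHAR)] = {};
	PSYMBOL_INFO SymbolInfo = reinterpret_cast<PSYMBOL_INFO>(Buffer);
	SymbolInfo->SizeOfStruct = sizeof(SYMBOL_INFO);
	SymbolInfo->MaxNameLen = MAX_SYM_NAME;

	if (!SymGetTypeFromName(hProcess, ModuleBase, SymbolName, SymbolInfo)) return FALSE;

	*SymbolIndex = SymbolInfo->Index;
	return TRUE;
}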

// Asks DbgHelp how many direct children the symbol SymbolIndex has in the
// loaded module (TI_GET_CHILDRENCOUNT).
//   ChildrenCount: receives the count on success.
// Returns SymGetTypeInfo's result.
BOOL DbgHelpWrapper::GetChildrenCount(ULONG SymbolIndex, OUT PULONG ChildrenCount) {
	const BOOL Queried = SymGetTypeInfo(
		hProcess,
		ModuleBase,
		SymbolIndex,
		TI_GET_CHILDRENCOUNT,
		ChildrenCount
	);
	return Queried;
}

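// Fills IndicesBuffer with the symbol indices of ParentSymbolIndex's children.
//   IndicesBuffer / MaxIndices: caller-provided array and its capacity in elements.
//   ChildrenCount: receives the TOTAL number of children, which may exceed
//                  MaxIndices; only min(ChildrenCount, MaxIndices) entries are
//                  written, so callers must not read past that.
// Returns FALSE on a NULL/empty buffer, a DbgHelp failure or an allocation
// failure; TRUE otherwise, including the zero-children case (nothing written).
BOOL DbgHelpWrapper::GetChildrenSymbols(
	ULONG     ParentSymbolIndex,
	ULONG*    IndicesBuffer,
	ULONG     MaxIndices,
	OUT ULONG &ChildrenCount
) {
	if ((IndicesBuffer == NULL) || (MaxIndices == 0)) return FALSE;

	// The child count is needed first: TI_FINDCHILDREN wants a request
	// buffer sized for all of them.
	if (!GetChildrenCount(ParentSymbolIndex, &ChildrenCount)) return FALSE;
	if (ChildrenCount == 0) return TRUE;

	// TI_FINDCHILDREN_PARAMS ends in ChildId[1]; sizing for Count additional
	// entries is slightly generous but never short. The count is widened before
	// the multiplication so the byte size cannot wrap on 32-bit builds.
	const SIZE_T FindChildrenSize = sizeof(TI_FINDCHILDREN_PARAMS) + static_cast<SIZE_T>(ChildrenCount) * sizeof(ULONG);
	TI_FINDCHILDREN_PARAMS* FindChildrenParams = static_cast<TI_FINDCHILDREN_PARAMS*>(malloc(FindChildrenSize));
	if (FindChildrenParams == NULL) return FALSE;   // malloc failure must not be dereferenced
	memset(FindChildrenParams, 0, FindChildrenSize);

	// Start stays 0 (enumerate from the first child); Count is how many to return.
	FindChildrenParams->Count = ChildrenCount;

	// Retrieve the children:
	if (!SymGetTypeInfo(hProcess, ModuleBase, ParentSymbolIndex, TI_FINDCHILDREN, FindChildrenParams)) {
		free(FindChildrenParams);
		return FALSE;
	}

	// Copy the child indices into the output array, bounded by its capacity:
	const ULONG IndicesToCopyCount = ChildrenCount > MaxIndices ? MaxIndices : ChildrenCount;
	for (ULONG i = 0; i < IndicesToCopyCount; i++) {
		IndicesBuffer[i] = FindChildrenParams->ChildId[i];
	}

	free(FindChildrenParams);

	return TRUE;
}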



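// Scans IndicesBuffer[0..IndicesCount) for the symbol whose name equals
// SymbolName and returns that symbol's index, or 0 when nothing matches or an
// argument is NULL.
// Each candidate's name is obtained from GetSymbolName() and released with
// FreeSymbolName() before moving on. The caller's SymbolName is never freed
// here: it is caller-owned, and releasing it would free memory the caller
// still uses (and double-free it on repeated calls).
ULONG DbgHelpWrapper::GetSymbolIndex(LPWSTR SymbolName, ULONG* IndicesBuffer, ULONG IndicesCount) {
	if (SymbolName == NULL || IndicesBuffer == NULL) return 0;

	for (ULONG i = 0; i < IndicesCount; i++) {
		LPWSTR CurrentSymbolName = NULL;
		if (!GetSymbolName(IndicesBuffer[i], &CurrentSymbolName) || CurrentSymbolName == NULL) continue;

		const bool Matches = wcscmp(CurrentSymbolName, SymbolName) == 0;
		FreeSymbolName(CurrentSymbolName);   // release the DbgHelp-provided copy, not the caller's string

		if (Matches) return IndicesBuffer[i];
	}

	return 0;
}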

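// Finds the child of ParentSymbolIndex named SymbolName (for example a
// structure member) and returns its symbol index. Returns 0 when the parent
// has no children, no child matches, SymbolName is NULL, or a DbgHelp call
// or allocation fails.
ULONG DbgHelpWrapper::GetSymbolIndex(ULONG ParentSymbolIndex, LPWSTR SymbolName) {
	if (SymbolName == NULL) return 0;

	ULONG ChildrenCount = 0;
	if (!GetChildrenCount(ParentSymbolIndex, &ChildrenCount)) return 0;
	if (ChildrenCount == 0) return 0;

	// Capacity is in elements; the byte count drives both malloc and memset
	// (zeroing only ChildrenCount bytes would leave most of the array
	// uninitialized).
	const ULONG Capacity = ChildrenCount;
	const SIZE_T BufferBytes = static_cast<SIZE_T>(Capacity) * sizeof(ULONG);
	PULONG ChildrenIndices = static_cast<PULONG>(malloc(BufferBytes));
	if (ChildrenIndices == NULL) return 0;
	memset(ChildrenIndices, 0, BufferBytes);

	ULONG ChildrenIndex = 0;
	ULONG ReportedCount = 0;   // total children as re-reported by GetChildrenSymbols()
	if (GetChildrenSymbols(ParentSymbolIndex, ChildrenIndices, Capacity, ReportedCount)) {
		// GetChildrenSymbols() writes at most Capacity entries; never scan further.
		const ULONG Filled = ReportedCount < Capacity ? ReportedCount : Capacity;
		ChildrenIndex = GetSymbolIndex(SymbolName, ChildrenIndices, Filled);
	}

	free(ChildrenIndices);

	return ChildrenIndex;
}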



// Retrieves the wide-character name of symbol SymbolIndex (TI_GET_SYMNAME).
//   SymbolName: receives a pointer to a buffer allocated by DbgHelp; release
//               it with FreeSymbolName() when done.
// Returns SymGetTypeInfo's result.
BOOL DbgHelpWrapper::GetSymbolName(ULONG SymbolIndex, OUT LPWSTR* SymbolName) {
	const BOOL Queried = SymGetTypeInfo(
		hProcess,
		ModuleBase,
		SymbolIndex,
		TI_GET_SYMNAME,
		SymbolName
	);
	return Queried;
}

// Releases a name buffer returned by GetSymbolName() (TI_GET_SYMNAME).
// NOTE(review): the SymGetTypeInfo documentation says the TI_GET_SYMNAME buffer
// is caller-freed; confirm against the DbgHelp version in use that VirtualFree
// (rather than LocalFree) is the matching deallocator for that buffer.
VOID DbgHelpWrapper::FreeSymbolName(LPWSTR SymbolName) {
	::VirtualFree(static_cast<LPVOID>(SymbolName), 0, MEM_RELEASE);
}

// Queries the offset of symbol SymbolIndex within its parent (TI_GET_OFFSET),
// e.g. a member's offset inside its structure.
//   Offset: receives the offset on success.
// Returns SymGetTypeInfo's result.
BOOL DbgHelpWrapper::GetSymbolOffset(ULONG SymbolIndex, OUT PULONG Offset) {
	const BOOL Queried = SymGetTypeInfo(
		hProcess,
		ModuleBase,
		SymbolIndex,
		TI_GET_OFFSET,
		Offset
	);
	return Queried;
}
帖子来源:郁金香
不积跬步,无以至千里