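/*
 * Symbol type reported by dbghelp in IMAGEHLP_MODULE.SymType.
 * Mirrors the SYM_TYPE enumeration of dbghelp.h; only SymNone and
 * SymExport are tested by Loadpdb below.
 */
typedef enum {
    SymNone = 0,
    SymCoff,
    SymCv,
    SymPdb,
    SymExport,
    SymDeferred,
    SymSym,        /* .sym file */
    SymDia,
    SymVirtual,
    NumSymTypes
} SYM_TYPE;

/* Module description filled in by SymGetModuleInfo (32-bit layout). */
typedef struct _IMAGEHLP_MODULE {
    DWORD    SizeOfStruct;          /* caller sets to sizeof(IMAGEHLP_MODULE) */
    DWORD    BaseOfImage;           /* base load address of module */
    DWORD    ImageSize;             /* virtual size of the loaded module */
    DWORD    TimeDateStamp;         /* date/time stamp from pe header */
    DWORD    CheckSum;              /* checksum from the pe header */
    DWORD    NumSyms;               /* number of symbols in the symbol table */
    SYM_TYPE SymType;               /* type of symbols loaded */
    CHAR     ModuleName[32];        /* module name */
    CHAR     ImageName[256];        /* image name */
    CHAR     LoadedImageName[256];  /* symbol file name */
} IMAGEHLP_MODULE, *PIMAGEHLP_MODULE;

/*
 * Reference: the full SYMBOL_INFO declaration from dbghelp.h. Kept as
 * documentation only; the reduced definition that follows is what the
 * plugin actually uses.
 *
 * typedef struct _SYMBOL_INFO {
 *     ULONG   SizeOfStruct;
 *     ULONG   TypeIndex;    // Type Index of symbol
 *     ULONG64 Reserved[2];
 *     ULONG   Index;
 *     ULONG   Size;
 *     ULONG64 ModBase;      // Base Address of module containing this symbol
 *     ULONG   Flags;
 *     ULONG64 Value;        // Value of symbol, ValuePresent should be 1
 *     ULONG64 Address;      // Address of symbol including base address of module
 *     ULONG   Register;     // register holding value or pointer to value
 *     ULONG   Scope;        // scope of the symbol
 *     ULONG   Tag;          // pdb classification
 *     ULONG   NameLen;      // Actual length of name
 *     ULONG   MaxNameLen;
 *     CHAR    Name[1];      // Name of symbol
 * } SYMBOL_INFO, *PSYMBOL_INFO;
 */

/*
 * Reduced SYMBOL_INFO for use with OllyDbg: only the two fields the
 * callback reads are named, everything else is opaque padding sized so
 * that Address sits at offset 0x38 and Name at offset 0x54, which is
 * where the 32-bit dbghelp layout (8-byte aligned ULONG64 members) puts
 * them. Address keeps only the low 32 bits of dbghelp's ULONG64 field,
 * which is all a 32-bit debuggee can use. The original author reworked
 * the full declaration into this form to get a matching layout from
 * their compiler.
 */
typedef struct _SYMBOL_INFO {
    ULONG SizeOfStruct;
    CHAR  butchered[0x34];        /* TypeIndex .. Value, unused here */
    ULONG Address;                /* low 32 bits of the symbol address */
    CHAR  butcheredagain[0x18];   /* high half of Address .. MaxNameLen, unused */
    CHAR  Name[1];                /* NUL-terminated symbol name follows */
} SYMBOL_INFO, *PSYMBOL_INFO;

/* Enumeration callback signature expected by SymEnumSymbols. */
typedef BOOL (CALLBACK *PSYM_ENUMERATESYMBOLS_CALLBACK)(
    PSYMBOL_INFO pSymInfo,
    ULONG SymbolSize,
    PVOID UserContext
);

/* dbghelp.dll entry points, resolved at run time with GetProcAddress. */
typedef BOOL (WINAPI *PSymInitialize)(
    HANDLE hProcess,
    PCSTR UserSearchPath,
    BOOL fInvadeProcess
);

typedef DWORD (WINAPI *PSymLoadModule)(
    HANDLE hProcess,
    HANDLE hFile,
    PCSTR ImageName,
    PCSTR ModuleName,
    DWORD BaseOfDll,
    DWORD SizeOfDll
);

typedef BOOL (WINAPI *PSymGetModuleInfo)(
    HANDLE hProcess,
    DWORD dwAddr,
    PIMAGEHLP_MODULE ModuleInfo
);

typedef BOOL (WINAPI *PSymEnumSymbols)(
    HANDLE hProcess,
    ULONG64 BaseOfDll,
    PCSTR Mask,
    PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback,
    PVOID UserContext
);

typedef BOOL (WINAPI *PSymUnloadModule)(
    HANDLE hProcess,
    DWORD BaseOfDll
);

typedef BOOL (WINAPI *PSymCleanup)(
    HANDLE hProcess
);

typedef DWORD (WINAPI *PSymSetOptions)(
    DWORD SymOptions
);

BOOL CALLBACK SYM_ENUMERATESYMBOLS_CALLBACK(
    PSYMBOL_INFO pSymInfo,
    ULONG SymbolSize,
    PVOID UserContext
);

/*
 * Loadpdb — load the debug symbols of the image named by the global
 * `string` through dbghelp.dll and push every symbol into OllyDbg's
 * name table via SYM_ENUMERATESYMBOLS_CALLBACK.
 *
 * answer, parm: unused (OllyDbg plugin command signature).
 *
 * Returns 0 when the symbols were enumerated, or when the module only
 * has export/no symbols (logged and skipped, as in the original); returns
 * 1 on any failure. Every failure is reported through Addtolist; a
 * missing _NT_SYMBOL_PATH additionally raises a MessageBox.
 *
 * Security notes for reviewers:
 *  - The symbol search path is taken from _NT_SYMBOL_PATH. dbghelp will
 *    contact any symbol servers listed there and load what they return,
 *    so that variable is trusted configuration.
 *  - dbghelp.dll is loaded by bare name, i.e. through the normal DLL
 *    search order. A fully-qualified system path (or LoadLibraryEx
 *    search flags where the target OS supports them) would pin it.
 *  - PROCESS_ALL_ACCESS is wider than symbol loading requires.
 *
 * All exit paths release the symbol-path buffer, the process handle and
 * (once initialised) the dbghelp module/session state in reverse order.
 */
int Loadpdb(char *answer, ulong parm)
{
    PSYM_ENUMERATESYMBOLS_CALLBACK psymcallback = SYM_ENUMERATESYMBOLS_CALLBACK;
    PSymInitialize    psyminit;
    PSymLoadModule    psymloadmodule;
    PSymGetModuleInfo psymgetmoduleinfo;
    PSymEnumSymbols   psymenumsymbols;
    PSymUnloadModule  psymunloadmodule;
    PSymSetOptions    psymsetoptions;
    PSymCleanup       psymcleanup;
    HINSTANCE dbghlp_dll;
    HANDLE hProcess = NULL;
    DWORD dbgpid;
    DWORD dwModuleBase = 0;
    IMAGEHLP_MODULE im;
    CHAR filename[TEXTLEN];
    CHAR lpname[] = "_NT_SYMBOL_PATH";
    DWORD needed;
    DWORD dwret;
    char *hMem = NULL;
    int rc = 1;   /* pessimistic default: every early exit is a failure */

    (void)answer;
    (void)parm;

    /* Size query first: with a NULL buffer and size 0, GetEnvironmentVariable
       returns the required length including the terminator, or 0 when the
       variable is not set. The original code read into a 3-byte probe and
       left hMem/dwret uninitialised whenever the value happened to fit. */
    needed = GetEnvironmentVariable(lpname, NULL, 0);
    if (needed == 0) {
        MessageBox(NULL, "YOU have to set _NT_SYMBOL_PATH to load pdbs from this plugin", "ERROR", 0 /* MB_OK */);
        return 1;
    }
    hMem = (CHAR *)VirtualAlloc(NULL, needed, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (hMem == NULL) {
        Addtolist(0, 1, "VirtualAlloc for symbol path failed");
        return 1;
    }
    dwret = GetEnvironmentVariable(lpname, hMem, needed);
    if (dwret == 0 || dwret >= needed) {
        /* variable disappeared or grew between the two calls */
        Addtolist(0, 1, "reading _NT_SYMBOL_PATH failed");
        goto out_free;
    }
    Addtolist(0, 1, "%x %s", dwret, hMem);

    /* Zeroing im means a failed SymGetModuleInfo leaves SymType == SymNone.
       SizeOfStruct is hard-coded to 0x23c (the size dbghelp checks for this
       layout) instead of sizeof(im): the original author saw sizeof() come
       out as 0x239 — presumably a 1-byte enum under their compiler — and
       dbghelp rejects a mismatch. */
    memset(&im, 0, sizeof(im));
    im.SizeOfStruct = 0x23c;

    /* `string` is not declared in this block — presumably a file-scope
       buffer holding the image path set by the plugin's command handler;
       TODO confirm against the caller. strncpy does not guarantee
       termination, so terminate explicitly. */
    strncpy(filename, string, TEXTLEN - 1);
    filename[TEXTLEN - 1] = '\0';

    dbgpid = Plugingetvalue(VAL_PROCESSID);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dbgpid);
    if (hProcess == NULL) {
        Addtolist(0, 1, "OpenProcess failed");
        goto out_free;
    }

    /* Bare-name load: resolved via the standard DLL search order (see the
       header comment). The module reference is never released here, so the
       count grows by one per invocation — TODO consider FreeLibrary after
       SymCleanup. */
    dbghlp_dll = LoadLibrary("dbghelp.dll");
    if (dbghlp_dll == NULL) {
        Addtolist(0, 1, "load lib failed");
        goto out_close;
    }
    psyminit          = (PSymInitialize)    GetProcAddress(dbghlp_dll, "SymInitialize");
    psymloadmodule    = (PSymLoadModule)    GetProcAddress(dbghlp_dll, "SymLoadModule");
    psymsetoptions    = (PSymSetOptions)    GetProcAddress(dbghlp_dll, "SymSetOptions");
    psymgetmoduleinfo = (PSymGetModuleInfo) GetProcAddress(dbghlp_dll, "SymGetModuleInfo");
    psymenumsymbols   = (PSymEnumSymbols)   GetProcAddress(dbghlp_dll, "SymEnumSymbols");
    psymunloadmodule  = (PSymUnloadModule)  GetProcAddress(dbghlp_dll, "SymUnloadModule");
    psymcleanup       = (PSymCleanup)       GetProcAddress(dbghlp_dll, "SymCleanup");
    if (!(psyminit && psymloadmodule && psymsetoptions && psymgetmoduleinfo &&
          psymenumsymbols && psymunloadmodule && psymcleanup)) {
        Addtolist(0, 1, "dbghelp loaded but get proc failed");
        goto out_close;
    }
    Addtolist(0, 1, "dbghelp dll loaded and address retrieved");

    /* fInvadeProcess == FALSE: only the module we load explicitly below. */
    if (!psyminit(hProcess, hMem, FALSE)) {
        Addtolist(0, 1, "SymInitialize failed");
        goto out_close;
    }
    /* 0x80000003 == SYMOPT_DEBUG | SYMOPT_UNDNAME | SYMOPT_CASE_INSENSITIVE */
    psymsetoptions(0x80000003);

    dwModuleBase = psymloadmodule(hProcess, 0, filename, 0, 0, 0);
    if (!dwModuleBase) {
        Addtolist(0, 1, "SymLoadModuleFailed");
        goto out_symcleanup;
    }

    if (!psymgetmoduleinfo(hProcess, dwModuleBase, &im)) {
        Addtolist(0, 1, "SymGetModuleInfo failed");
        goto out_unload;
    }
    if (im.SymType == SymExport) {
        Addtolist(0, 1, "Only Export symbols - skipping");
        rc = FALSE;   /* original behaviour: skipping is not an error */
        goto out_unload;
    }
    if (im.SymType == SymNone) {
        Addtolist(0, 1, "No Symbols - skipping");
        rc = FALSE;
        goto out_unload;
    }

    /* One callback per symbol; the callback inserts it into OllyDbg's names. */
    psymenumsymbols(hProcess, dwModuleBase, 0, psymcallback, 0);
    rc = 0;

out_unload:
    psymunloadmodule(hProcess, dwModuleBase);
out_symcleanup:
    psymcleanup(hProcess);
out_close:
    CloseHandle(hProcess);
out_free:
    VirtualFree(hMem, 0, MEM_RELEASE);
    return rc;
}

#pragma argsused
/*
 * SYM_ENUMERATESYMBOLS_CALLBACK — called by SymEnumSymbols once per symbol.
 * Registers the symbol's 32-bit address and name with OllyDbg as a library
 * name. SymbolSize and UserContext are unused. Name is expected to be
 * NUL-terminated by dbghelp inside the buffer it passes. Returning TRUE
 * tells dbghelp to continue the enumeration.
 */
BOOL CALLBACK SYM_ENUMERATESYMBOLS_CALLBACK(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    Insertname(pSymInfo->Address, NM_LIBRARY, pSymInfo->Name);
    return TRUE;
}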