个人中心
文章发布
退出
作者热门文章
- android - RelativeLayout 背景可绘制重叠内容
- android - 如何链接 cpufeatures lib 以获取 native android 库?
- java - OnItemClickListener 不起作用,但 OnLongItemClickListener 在自定义 ListView 中起作用
- java - Android 文件转字符串
26
4
我想以与 windbg 的 dt 命令相同的方式转储结构的字段和偏移量。例如,我想转储 Microsoft 公共(public)符号中的 _PEB 结构(因为 windbg 的 DT 命令有效)。
从 MSDN 文档中我了解到 SymFromName 函数应该能够执行此操作,下面是我尝试过的代码,该代码在 SymFromName 上失败并出现 LastError 126(找不到指定的模块)。从注册的回调中,我得到以下输出:
CBA_SET_OPTIONS
CBA_SET_OPTIONS
CBA_SET_OPTIONS
CBA_EVENT: code 0 desc DBGHELP: Symbol Search Path: symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols
CBA_DEFERRED_SYMBOL_LOAD_START: C:\Windows\Sysnative\ntdll.dll
CBA_DEFERRED_SYMBOL_LOAD_PARTIAL: C:\Windows\Sysnative\ntdll.dll
CBA_EVENT: code 0 desc DBGHELP: No header for C:\Windows\Sysnative\ntdll.dll. Searching for image on disk
DBGHELP: No header for C:\Windows\Sysnative\ntdll.dll. Searching for image on disk
CBA_EVENT: code 0 desc DBGHELP: C:\Windows\Sysnative\ntdll.dll - OK
DBGHELP: C:\Windows\Sysnative\ntdll.dll - OK
CBA_DEFERRED_SYMBOL_LOAD_COMPLETE: C:\Windows\Sysnative\ntdll.dll
CBA_EVENT: code 0 desc DBGHELP: ntdll - public symbols
C:\Symbols\ntdll.pdb\823B51C37A764AF7BA1558B42B627FAC2\ntdll.pdb
DBGHELP: ntdll - public symbols
C:\Symbols\ntdll.pdb\823B51C37A764AF7BA1558B42B627FAC2\ntdll.pdb
代码:
const
Index: THandle =1;
Size = (SizeOf(SYMBOL_INFO)-1 + MAX_SYM_NAME * SizeOf(TCHAR) + SizeOf(ULONG64) -1) div SizeOf(ULONG64);
var
Symbol: String;
Filename: String;
Path: String;
dwBaseAddress: DWORD;
im: IMAGEHLP_MODULE64;
Buffer: array[0..Size] of ULONG64;
pSymbol: PSYMBOL_INFO;
SymbolName: array[0..MAX_SYM_NAME-1] of Char;
begin
ZeroMemory(@SymbolName, SizeOf(SymbolName));
SymbolName := '_PEB';
Filename := 'C:\Windows\Sysnative\ntdll.dll';
Path := 'symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols';
{ Initialize }
Win32Check(SymInitialize(Index, nil, False));
{ Register callback to get some debug info }
Win32Check(SymRegisterCallback64(Index, DbgHelpCallback, 0));
{ Set Options }
SymSetOptions(SymGetOptions or SYMOPT_UNDNAME);
SymSetOptions(SymGetOptions or SYMOPT_DEBUG);
SymSetOptions(SymGetOptions or SYMOPT_LOAD_ANYTHING);
{ Set Symbol Path }
Win32Check(SymSetSearchPathW(Index, PChar(Path)));
{ Load Module }
dwBaseAddress := SymLoadModuleExW(Index, 0, PChar(Filename), nil, 0, 0, nil, 0);
Win32Check(dwBaseAddress > 0);
ZeroMemory(@im, SizeOf(im));
im.SizeOfStruct := SizeOf(im);
Win32Check(SymGetModuleInfoW64(Index, dwBaseAddress, im));
ZeroMemory(@Buffer, SizeOf(Buffer));
pSymbol := PSYMBOL_INFO(@Buffer);
pSymbol^.SizeOfStruct := SizeOf(SYMBOL_INFO);
pSymbol^.MaxNameLen := MAX_SYM_NAME;
Win32Check(SymFromNameW(Index, Symbolname, pSymbol));
Win32Check(SymUnloadModule64(Index, dwBaseAddress));
Win32Check(SymCleanup(Index));
最佳答案
我通过使用 SymGetTypeFromName 获取符号索引然后使用 SymGetTypeInfo 获取详细信息使其工作:
const
Index: THandle =1;
Size = (SizeOf(SYMBOL_INFO)-1 + MAX_SYM_NAME * SizeOf(TCHAR) + SizeOf(ULONG64) -1) div SizeOf(ULONG64);
var
Filename: String;
Path: String;
dwBaseAddress: array[0..0] of DWORD;
im: IMAGEHLP_MODULE64;
Buffer: array[0..Size] of ULONG64;
pSymbol: PSYMBOL_INFO;
SymbolName: array[0..MAX_SYM_NAME-1] of Char;
i: Integer;
ChildParams: TI_FINDCHILDREN_PARAMS;
dwOffset: DWORD;
pSymName: PChar;
begin
ZeroMemory(@SymbolName, SizeOf(SymbolName));
SymbolName := '_PEB';
Filename := 'C:\Windows\System32\ntdll.dll';
Path := 'symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols';
{ Initialize }
Win32Check(SymInitialize(Index, nil, False));
{ Register callback to get some debug info }
Win32Check(SymRegisterCallback64(Index, DbgHelpCallback, 0));
{ Set Options }
SymSetOptions(SymGetOptions or SYMOPT_UNDNAME);
SymSetOptions(SymGetOptions or SYMOPT_DEBUG);
SymSetOptions(SymGetOptions or SYMOPT_LOAD_ANYTHING);
{ Set Symbol Path }
Win32Check(SymSetSearchPathW(Index, PChar(Path)));
{ Load Module }
dwBaseAddress[0] := SymLoadModuleExW(Index, 0, PChar(Filename), nil, 0, 0, nil, 0);
ZeroMemory(@im, SizeOf(im));
im.SizeOfStruct := SizeOf(im);
for i := 0 to Length(dwBaseAddress)-1 do
begin
SymGetModuleInfoW64(Index, dwBaseAddress[i], im);
end;
ZeroMemory(@Buffer, SizeOf(Buffer));
pSymbol := PSYMBOL_INFO(@Buffer);
pSymbol^.SizeOfStruct := SizeOf(SYMBOL_INFO);
pSymbol^.MaxNameLen := MAX_SYM_NAME;
{ Get Type Info by Symbol Name (we need the index) }
Win32Check(SymGetTypeFromNameW(Index, dwBaseAddress[0], SymbolName, pSymbol));
{ Get Child Count }
ZeroMemory(@ChildParams, SizeOf(ChildParams));
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], pSymbol^.TypeIndex, TI_GET_CHILDRENCOUNT, @ChildParams.Count));
{ Get Child Info }
// TODO: Caller must reserve memory for the ChildId array (Count * SizeOf(ULONG))
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], pSymbol^.TypeIndex, TI_FINDCHILDREN, @ChildParams));
for i := ChildParams.Start to ChildParams.Count - 1 do
begin
{ Get Child Name }
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], {pSymbol^.TypeIndex + }ChildParams.ChildId[i], TI_GET_SYMNAME, @pSymName));
{ Get Child Offset }
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], {pSymbol^.TypeIndex + }ChildParams.ChildId[i], TI_GET_OFFSET, @dwOffset));
Memo1.Lines.Add(Format('+0x%.3x %s', [dwOffset, pSymName]));
LocalFree(Cardinal(pSymName));
end;
for i := 0 to Length(dwBaseAddress)-1 do
begin
Win32Check(SymUnloadModule64(Index, dwBaseAddress[i]));
end;
Win32Check(SymCleanup(Index));
end;
这是输出:
+0x000 InheritedAddressSpace
+0x001 ReadImageFileExecOptions
+0x002 BeingDebugged
+0x003 BitField
+0x003 ImageUsesLargePages
+0x003 IsProtectedProcess
+0x003 IsLegacyProcess
+0x003 IsImageDynamicallyRelocated
+0x003 SkipPatchingUser32Forwarders
+0x003 SpareBits
+0x004 Mutant
+0x008 ImageBaseAddress
+0x00C Ldr
+0x010 ProcessParameters
+0x014 SubSystemData
+0x018 ProcessHeap
+0x01C FastPebLock
+0x020 AtlThunkSListPtr
+0x024 IFEOKey
+0x028 CrossProcessFlags
+0x028 ProcessInJob
+0x028 ProcessInitializing
+0x028 ProcessUsingVEH
+0x028 ProcessUsingVCH
+0x028 ProcessUsingFTH
+0x028 ReservedBits0
+0x02C KernelCallbackTable
+0x02C UserSharedInfoPtr
+0x030 SystemReserved
+0x034 AtlThunkSListPtr32
+0x038 ApiSetMap
+0x03C TlsExpansionCounter
+0x040 TlsBitmap
+0x044 TlsBitmapBits
+0x04C ReadOnlySharedMemoryBase
+0x050 HotpatchInformation
+0x054 ReadOnlyStaticServerData
+0x058 AnsiCodePageData
+0x05C OemCodePageData
+0x060 UnicodeCaseTableData
+0x064 NumberOfProcessors
+0x068 NtGlobalFlag
+0x070 CriticalSectionTimeout
+0x078 HeapSegmentReserve
+0x07C HeapSegmentCommit
+0x080 HeapDeCommitTotalFreeThreshold
+0x084 HeapDeCommitFreeBlockThreshold
+0x088 NumberOfHeaps
+0x08C MaximumNumberOfHeaps
+0x090 ProcessHeaps
+0x094 GdiSharedHandleTable
+0x098 ProcessStarterHelper
+0x09C GdiDCAttributeList
+0x0A0 LoaderLock
+0x0A4 OSMajorVersion
+0x0A8 OSMinorVersion
+0x0AC OSBuildNumber
+0x0AE OSCSDVersion
+0x0B0 OSPlatformId
+0x0B4 ImageSubsystem
+0x0B8 ImageSubsystemMajorVersion
+0x0BC ImageSubsystemMinorVersion
+0x0C0 ActiveProcessAffinityMask
+0x0C4 GdiHandleBuffer
+0x14C PostProcessInitRoutine
+0x150 TlsExpansionBitmap
+0x154 TlsExpansionBitmapBits
+0x1D4 SessionId
+0x1D8 AppCompatFlags
+0x1E0 AppCompatFlagsUser
+0x1E8 pShimData
+0x1EC AppCompatInfo
+0x1F0 CSDVersion
+0x1F8 ActivationContextData
+0x1FC ProcessAssemblyStorageMap
+0x200 SystemDefaultActivationContextData
+0x204 SystemAssemblyStorageMap
+0x208 MinimumStackCommit
+0x20C FlsCallback
+0x210 FlsListHead
+0x218 FlsBitmap
+0x21C FlsBitmapBits
+0x22C FlsHighIndex
+0x230 WerRegistrationData
+0x234 WerShipAssertPtr
+0x238 pContextData
+0x23C pImageHeaderHash
+0x240 TracingFlags
+0x240 HeapTracingEnabled
+0x240 CritSecTracingEnabled
+0x240 SpareTracingBits
现在进行下一步:使用 Delphi 2010 的 RTTI 并使用此机制比较偏移量(这有助于我转换 Jedi ApiLib 的 header )。
关于windows - 如何使用 dbghlp 和 pdb 获取结构的字段名称和偏移量,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/3092609/
26
4
0
概述 CentOS Stream 成立于 2019 年,是“RHEL 下一步的滚动预览”。Red Hat 首席技术官 Chris Wright 和 CentOS 社区经理 Rich Bowen 各
我有一个使用 Mesosphere DC/OS 编排选项进行配置的 Azure 容器服务 (ACS) 集群。我可以在 Marathon UI 中创建一个应用程序。 但是,当我通过 Marathon U
我是一名优秀的程序员,十分优秀!