mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4512 lines
115 KiB
4512 lines
115 KiB
/*++
|
|
|
|
Copyright (c) 1995 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
symbolsp.c
|
|
|
|
Abstract:
|
|
|
|
This function implements a generic simple symbol handler.
|
|
|
|
Author:
|
|
|
|
Wesley Witt (wesw) 1-Sep-1994
|
|
|
|
Environment:
|
|
|
|
User Mode
|
|
|
|
--*/
|
|
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
#include <ntldr.h>
|
|
#include "private.h"
|
|
#include "symbols.h"
|
|
#include "globals.h"
|
|
#include "tlhelp32.h"
|
|
|
|
#include "fecache.hpp"
|
|
|
|
typedef BOOL (WINAPI *PMODULE32)(HANDLE, LPMODULEENTRY32);
|
|
typedef HANDLE (WINAPI *PCREATE32SNAPSHOT)(DWORD, DWORD);
|
|
|
|
typedef ULONG (NTAPI *PRTLQUERYPROCESSDEBUGINFORMATION)(HANDLE,ULONG,PRTL_DEBUG_INFORMATION);
|
|
typedef PRTL_DEBUG_INFORMATION (NTAPI *PRTLCREATEQUERYDEBUGBUFFER)(ULONG,BOOLEAN);
|
|
typedef NTSTATUS (NTAPI *PRTLDESTROYQUERYDEBUGBUFFER)(PRTL_DEBUG_INFORMATION);
|
|
typedef NTSTATUS (NTAPI *PNTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG);
|
|
typedef ULONG (NTAPI *PRTLNTSTATUSTODOSERROR)(NTSTATUS);
|
|
//typedef NTSTATUS (NTAPI *PNTQUERYINFORMATIONPROCESS)(UINT_PTR,PROCESSINFOCLASS,UINT_PTR,ULONG,UINT_PTR);
|
|
typedef NTSTATUS (NTAPI *PNTQUERYINFORMATIONPROCESS)(HANDLE,PROCESSINFOCLASS,PVOID,ULONG,PULONG);
|
|
|
|
DWORD_PTR Win95GetProcessModules(HANDLE, PINTERNAL_GET_MODULE ,PVOID);
|
|
DWORD_PTR NTGetProcessModules(HANDLE, PINTERNAL_GET_MODULE ,PVOID);
|
|
DWORD64 miGetModuleBase(HANDLE hProcess, DWORD64 Address);
|
|
|
|
// private version of qsort used to avoid compat problems on NT4 and win2k.
|
|
// code is published from base\crts
|
|
extern
|
|
void __cdecl dbg_qsort(void *, size_t, size_t,
|
|
int (__cdecl *) (const void *, const void *));
|
|
|
|
|
|
typedef struct _SYMBOL_INFO_LOOKUP {
|
|
ULONG Segment;
|
|
ULONG64 Offset;
|
|
PCHAR NamePtr;
|
|
SYMBOL_INFO SymInfo;
|
|
} SYMBOL_INFO_LOOKUP;
|
|
|
|
|
|
BOOL
|
|
LoadSymbols(
|
|
HANDLE hp,
|
|
PMODULE_ENTRY mi,
|
|
DWORD flags
|
|
)
|
|
{
|
|
if (flags & LS_JUST_TEST) {
|
|
if ((mi->Flags & MIF_DEFERRED_LOAD) && !(mi->Flags & MIF_NO_SYMBOLS))
|
|
return FALSE;
|
|
else
|
|
return TRUE;
|
|
}
|
|
|
|
if (flags & LS_QUALIFIED) {
|
|
if (g.SymOptions & SYMOPT_NO_UNQUALIFIED_LOADS) {
|
|
if ((mi->Flags & MIF_DEFERRED_LOAD) && !(mi->Flags & MIF_NO_SYMBOLS))
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
if ((mi->Flags & MIF_DEFERRED_LOAD) && !(mi->Flags & MIF_NO_SYMBOLS))
|
|
return load(hp, mi);
|
|
else if (flags & LS_FAIL_IF_LOADED)
|
|
return FALSE;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the address form section no and offset in a PE file
|
|
//
|
|
ULONG
|
|
GetAddressFromOffset(
|
|
PMODULE_ENTRY mi,
|
|
ULONG section,
|
|
ULONG64 Offset,
|
|
PULONG64 pAddress
|
|
)
|
|
{
|
|
ULONG Bias;
|
|
if (section > mi->NumSections
|
|
|| !pAddress
|
|
|| !section
|
|
|| !mi
|
|
)
|
|
{
|
|
// Invalid !!
|
|
return FALSE;
|
|
}
|
|
|
|
*pAddress = mi->BaseOfDll + mi->OriginalSectionHdrs[section-1].VirtualAddress + Offset;
|
|
*pAddress = ConvertOmapFromSrc( mi, *pAddress, &Bias );
|
|
if (*pAddress) {
|
|
*pAddress += Bias;
|
|
}
|
|
return TRUE;
|
|
}
|
|
|
|
/*
|
|
* GetSymbolInfo
|
|
* This extracts useful information from a CV SYMBOl record into a generic
|
|
* SYMBOL_ENTRY structure.
|
|
*
|
|
*
|
|
*/
|
|
ULONG
|
|
GetSymbolInfo(
|
|
PMODULE_ENTRY me,
|
|
PCHAR pRawSym,
|
|
SYMBOL_INFO_LOOKUP *pSymEntry
|
|
)
|
|
{
|
|
PCHAR SymbolInfo = pRawSym;
|
|
ULONG symIndex, typeIndex=0, segmentNum=0;
|
|
ULONG64 Offset=0, Address=0, Value=0;
|
|
// ULONG Register=0, bpRel=0, BaseReg=0;
|
|
BOOL HasAddr=FALSE, HasValue=FALSE;
|
|
PSYMBOL_INFO pSymInfo = &pSymEntry->SymInfo;
|
|
|
|
if ((pRawSym != NULL) && (pSymEntry != NULL)) {
|
|
|
|
SymbolInfo = (PCHAR) pRawSym;
|
|
typeIndex = 0;
|
|
symIndex = ((SYMTYPE *) (pRawSym))->rectyp;
|
|
ZeroMemory(pSymEntry, sizeof(SYMBOL_INFO));
|
|
|
|
pSymInfo->ModBase = me->BaseOfDll;
|
|
|
|
|
|
#define ExtractSymName(from) (pSymEntry->NamePtr = ((PCHAR) from) + 1); pSymInfo->NameLen = (UCHAR) *((PUCHAR) from);
|
|
switch (symIndex) {
|
|
case S_COMPILE : // 0x0001 Compile flags symbol
|
|
case S_REGISTER_16t : { // 0x0002 Register variable
|
|
break;
|
|
}
|
|
case S_CONSTANT_16t : { // 0x0003 constant symbol
|
|
DWORD len=4;
|
|
CONSTSYM_16t *constSym;
|
|
|
|
constSym = (CONSTSYM_16t *) SymbolInfo;
|
|
typeIndex = constSym->typind;
|
|
// GetNumericValue((PCHAR)&constSym->value, &Value, &len);
|
|
|
|
pSymInfo->Flags |= IMAGEHLP_SYMBOL_INFO_VALUEPRESENT;
|
|
pSymInfo->Value = Value;
|
|
ExtractSymName((constSym->name + len));
|
|
break;
|
|
}
|
|
case S_UDT_16t : { // 0x0004 User defined type
|
|
UDTSYM_16t *udtSym;
|
|
|
|
udtSym = (UDTSYM_16t *) SymbolInfo;
|
|
typeIndex = udtSym->typind;
|
|
ExtractSymName(udtSym->name); // strncpy(name, (PCHAR)symReturned + 7, (UCHAR) symReturned[6]);
|
|
break;
|
|
}
|
|
case S_SSEARCH : // 0x0005 Start Search
|
|
case S_END : // 0x0006 Block, procedure, "with" or thunk end
|
|
case S_SKIP : // 0x0007 Reserve symbol space in $$Symbols table
|
|
case S_CVRESERVE : // 0x0008 Reserved symbol for CV internal use
|
|
case S_OBJNAME : // 0x0009 path to object file name
|
|
case S_ENDARG : // 0x000a end of argument/return list
|
|
case S_COBOLUDT_16t : // 0x000b special UDT for cobol that does not symbol pack
|
|
case S_MANYREG_16t : // 0x000c multiple register variable
|
|
case S_RETURN : // 0x000d return description symbol
|
|
case S_ENTRYTHIS : // 0x000e description of this pointer on entry
|
|
break;
|
|
|
|
case S_BPREL16 : // 0x0100 BP-relative
|
|
case S_LDATA16 : // 0x0101 Module-local symbol
|
|
case S_GDATA16 : // 0x0102 Global data symbol
|
|
case S_PUB16 : // 0x0103 a public symbol
|
|
case S_LPROC16 : // 0x0104 Local procedure start
|
|
case S_GPROC16 : // 0x0105 Global procedure start
|
|
case S_THUNK16 : // 0x0106 Thunk Start
|
|
case S_BLOCK16 : // 0x0107 block start
|
|
case S_WITH16 : // 0x0108 with start
|
|
case S_LABEL16 : // 0x0109 code label
|
|
case S_CEXMODEL16 : // 0x010a change execution model
|
|
case S_VFTABLE16 : // 0x010b address of virtual function table
|
|
case S_REGREL16 : // 0x010c register relative address
|
|
case S_BPREL32_16t : { // 0x0200 BP-relative
|
|
break;
|
|
}
|
|
case S_LDATA32_16t :// 0x0201 Module-local symbol
|
|
case S_GDATA32_16t :// 0x0202 Global data symbol
|
|
case S_PUB32_16t : { // 0x0203 a public symbol (CV internal reserved)
|
|
DATASYM32_16t *pData;
|
|
|
|
pData = (DATASYM32_16t *) SymbolInfo;
|
|
typeIndex = pData->typind;
|
|
Offset = pData->off; segmentNum = pData->seg;
|
|
HasAddr = TRUE;
|
|
ExtractSymName(pData->name);
|
|
// strncpy(name, (PCHAR)&pData->name[1], (UCHAR) pData->name[0]);
|
|
break;
|
|
}
|
|
case S_LPROC32_16t : // 0x0204 Local procedure start
|
|
case S_GPROC32_16t : { // 0x0205 Global procedure start
|
|
PROCSYM32_16t *procSym;
|
|
|
|
procSym = (PROCSYM32_16t *)SymbolInfo;
|
|
// CONTEXT-SENSITIVE
|
|
// Offset = procSym->off; segmentNum = procSym->seg;
|
|
typeIndex = procSym->typind;
|
|
ExtractSymName(procSym->name);
|
|
// strncpy(name, (PCHAR)symReturned + 36, (UCHAR) symReturned[35]);
|
|
break;
|
|
}
|
|
case S_THUNK32 : // 0x0206 Thunk Start
|
|
case S_BLOCK32 : // 0x0207 block start
|
|
case S_WITH32 : // 0x0208 with start
|
|
case S_LABEL32 : // 0x0209 code label
|
|
case S_CEXMODEL32 : // 0x020a change execution model
|
|
case S_VFTABLE32_16t : // 0x020b address of virtual function table
|
|
case S_REGREL32_16t : // 0x020c register relative address
|
|
case S_LTHREAD32_16t : // 0x020d local thread storage
|
|
case S_GTHREAD32_16t : // 0x020e global thread storage
|
|
case S_SLINK32 : // 0x020f static link for MIPS EH implementation
|
|
case S_LPROCMIPS_16t : // 0x0300 Local procedure start
|
|
case S_GPROCMIPS_16t : { // 0x0301 Global procedure start
|
|
break;
|
|
}
|
|
|
|
case S_PROCREF : { // 0x0400 Reference to a procedure
|
|
// typeIndex = ((PDWORD) symReturned) + 3;
|
|
// strncpy(name, symReturned + 13, (char) *(symReturned+12));
|
|
break;
|
|
}
|
|
case S_DATAREF : // 0x0401 Reference to data
|
|
case S_ALIGN : // 0x0402 Used for page alignment of symbols
|
|
case S_LPROCREF : // 0x0403 Local Reference to a procedure
|
|
|
|
// sym records with 32-bit types embedded instead of 16-bit
|
|
// all have 0x1000 bit set for easy identification
|
|
// only do the 32-bit target versions since we don't really
|
|
// care about 16-bit ones anymore.
|
|
case S_TI16_MAX : // 0x1000,
|
|
break;
|
|
|
|
case S_REGISTER : { // 0x1001 Register variable
|
|
REGSYM *regSym;
|
|
|
|
regSym = (REGSYM *)SymbolInfo;
|
|
typeIndex = regSym->typind;
|
|
pSymInfo->Flags = IMAGEHLP_SYMBOL_INFO_REGISTER;
|
|
LookupRegID((DWORD)regSym->reg, me->MachineType, &pSymInfo->Register);
|
|
ExtractSymName(regSym->name);
|
|
break;
|
|
}
|
|
|
|
case S_CONSTANT : { // 0x1002 constant symbol
|
|
CONSTSYM *constSym;
|
|
DWORD len=4, val;
|
|
|
|
constSym = (CONSTSYM *) SymbolInfo;
|
|
// GetNumericValue((PCHAR)&constSym->value, &Value, &len);
|
|
|
|
pSymInfo->Flags |= IMAGEHLP_SYMBOL_INFO_VALUEPRESENT;
|
|
pSymInfo->Value = Value;
|
|
typeIndex = constSym->typind;
|
|
ExtractSymName((constSym->name+len));
|
|
break;
|
|
}
|
|
case S_UDT : { // 0x1003 User defined type
|
|
UDTSYM *udtSym;
|
|
|
|
udtSym = (UDTSYM *) SymbolInfo;
|
|
typeIndex = udtSym->typind;
|
|
ExtractSymName(udtSym->name);
|
|
break;
|
|
}
|
|
|
|
case S_COBOLUDT : // 0x1004 special UDT for cobol that does not symbol pack
|
|
break;
|
|
|
|
case S_MANYREG : // 0x1005 multiple register variable
|
|
#if 0
|
|
typedef struct MANYREGSYM {
|
|
unsigned short reclen; // Record length
|
|
unsigned short rectyp; // S_MANYREG
|
|
CV_typ_t typind; // Type index
|
|
unsigned char count; // count of number of registers
|
|
unsigned char reg[1]; // count register enumerates followed by
|
|
// length-prefixed name. Registers are
|
|
// most significant first.
|
|
} MANYREGSYM;
|
|
|
|
typedef struct MANYREGSYM2 {
|
|
unsigned short reclen; // Record length
|
|
unsigned short rectyp; // S_MANYREG2
|
|
CV_typ_t typind; // Type index
|
|
unsigned short count; // count of number of registers
|
|
unsigned short reg[1]; // count register enumerates followed by
|
|
// length-prefixed name. Registers are
|
|
// most significant first.
|
|
} MANYREGSYM2;
|
|
#endif
|
|
break;
|
|
|
|
case S_BPREL32 : { // 0x1006 BP-relative
|
|
BPRELSYM32 *bprelSym;
|
|
|
|
bprelSym = (BPRELSYM32 *)SymbolInfo;
|
|
typeIndex = bprelSym->typind;
|
|
pSymInfo->Flags = IMAGEHLP_SYMBOL_INFO_FRAMERELATIVE;
|
|
pSymInfo->Address = bprelSym->off;
|
|
ExtractSymName(bprelSym->name);
|
|
break;
|
|
}
|
|
|
|
case S_LDATA32 : // 0x1007 Module-local symbol
|
|
case S_GDATA32 : // 0x1008 Global data symbol
|
|
case S_PUB32 : { // 0x1009 a public symbol (CV internal reserved)
|
|
DATASYM32 *dataSym;
|
|
|
|
dataSym = (DATASYM32 *)SymbolInfo;
|
|
HasAddr = TRUE;
|
|
Offset = dataSym->off; segmentNum = dataSym->seg;
|
|
typeIndex = dataSym->typind; //(PDWORD) symReturned;
|
|
ExtractSymName(dataSym->name); // strncpy(name, (PCHAR)symReturned+11, (UCHAR) symReturned[10]);
|
|
|
|
break;
|
|
}
|
|
case S_LPROC32 : // 0x100a Local procedure start
|
|
case S_GPROC32 : { // 0x100b Global procedure start
|
|
PROCSYM32 *procSym;
|
|
|
|
procSym = (PROCSYM32 *) SymbolInfo;
|
|
// CONTEXT-SENSITIVE
|
|
HasAddr = TRUE;
|
|
Offset = procSym->off; segmentNum = procSym->seg;
|
|
typeIndex = procSym->typind;
|
|
ExtractSymName(procSym->name);
|
|
break;
|
|
}
|
|
|
|
case S_VFTABLE32 : // 0x100c address of virtual function table
|
|
break;
|
|
|
|
case S_REGREL32 : { // 0x100d register relative address
|
|
REGREL32 *regrelSym;
|
|
|
|
regrelSym = (REGREL32 *)SymbolInfo;
|
|
typeIndex = regrelSym->typind;
|
|
pSymInfo->Flags = IMAGEHLP_SYMBOL_INFO_REGRELATIVE;
|
|
pSymInfo->Address = regrelSym->off;
|
|
LookupRegID((DWORD)regrelSym->reg, me->MachineType, &pSymInfo->Register);
|
|
ExtractSymName(regrelSym->name);
|
|
break;
|
|
}
|
|
|
|
case S_LTHREAD32 : // 0x100e local thread storage
|
|
case S_GTHREAD32 : // 0x100f global thread storage
|
|
case S_LPROCMIPS : // 0x1010 Local procedure start
|
|
case S_GPROCMIPS : // 0x1011 Global procedure start
|
|
case S_FRAMEPROC : // 0x1012 extra frame and proc information
|
|
case S_COMPILE2 : // 0x1013 extended compile flags and info
|
|
case S_MANYREG2 : // 0x1014 multiple register variable
|
|
case S_LPROCIA64 : // 0x1015 Local procedure start (IA64)
|
|
case S_GPROCIA64 : // 0x1016 Global procedure start (IA64)
|
|
case S_RECTYPE_MAX :
|
|
default:
|
|
return FALSE;
|
|
} /* switch */
|
|
|
|
|
|
if (HasAddr && GetAddressFromOffset(me, segmentNum, Offset, &Address)) {
|
|
pSymInfo->Address = Address;
|
|
}
|
|
|
|
pSymInfo->TypeIndex = typeIndex;
|
|
pSymEntry->Offset = Offset;
|
|
pSymEntry->Segment = segmentNum;
|
|
|
|
} else {
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*
|
|
* cvExtractSymbolInfo
|
|
* This extracts useful information from a CV SYMBOl record into a generic
|
|
* SYMBOL_ENTRY structure.
|
|
*
|
|
*
|
|
*/
|
|
ULONG
|
|
cvExtractSymbolInfo(
|
|
PMODULE_ENTRY me,
|
|
PCHAR pRawSym,
|
|
PSYMBOL_ENTRY pSymEntry,
|
|
BOOL fCopyName
|
|
)
|
|
{
|
|
SYMBOL_INFO_LOOKUP SymInfoLookup={0};
|
|
ULONG reg;
|
|
|
|
pSymEntry->Size = 0;
|
|
pSymEntry->Flags = 0;
|
|
pSymEntry->Address = 0;
|
|
if (fCopyName)
|
|
*pSymEntry->Name = 0;
|
|
else
|
|
pSymEntry->Name = 0;
|
|
pSymEntry->NameLength = 0;
|
|
pSymEntry->Segment = 0;
|
|
pSymEntry->Offset = 0;
|
|
pSymEntry->TypeIndex = 0;
|
|
pSymEntry->ModBase = 0;
|
|
|
|
if (GetSymbolInfo(me, pRawSym, &SymInfoLookup)) {
|
|
LARGE_INTEGER li;
|
|
pSymEntry->NameLength = SymInfoLookup.SymInfo.NameLen;
|
|
pSymEntry->TypeIndex = SymInfoLookup.SymInfo.TypeIndex;
|
|
pSymEntry->Offset = SymInfoLookup.Offset;
|
|
pSymEntry->Segment = SymInfoLookup.Segment;
|
|
pSymEntry->ModBase = me->BaseOfDll;
|
|
// NOTE: this was implented as a mask - but used differently
|
|
switch (SymInfoLookup.SymInfo.Flags)
|
|
{
|
|
case IMAGEHLP_SYMBOL_INFO_REGISTER:
|
|
pSymEntry->Flags = SYMF_REGISTER;
|
|
pSymEntry->Address = SymInfoLookup.SymInfo.Register;
|
|
break;
|
|
|
|
case IMAGEHLP_SYMBOL_INFO_REGRELATIVE:
|
|
// DBGHELP_HACK - HiPart of Addr = RegId , LowPart = Pffset
|
|
pSymEntry->Flags = SYMF_REGREL;
|
|
//LookupRegID((DWORD)SymInfoLookup.SymInfo.Register, me->MachineType, &pSymEntry->Segment);
|
|
li.LowPart = (ULONG) SymInfoLookup.SymInfo.Address;
|
|
li.HighPart = SymInfoLookup.SymInfo.Register;
|
|
pSymEntry->Segment = SymInfoLookup.SymInfo.Register;
|
|
pSymEntry->Address = li.QuadPart;
|
|
break;
|
|
|
|
case IMAGEHLP_SYMBOL_INFO_FRAMERELATIVE:
|
|
pSymEntry->Flags = SYMF_FRAMEREL;
|
|
pSymEntry->Address = SymInfoLookup.SymInfo.Address;
|
|
break;
|
|
|
|
case IMAGEHLP_SYMBOL_INFO_VALUEPRESENT:
|
|
default:
|
|
pSymEntry->Address = SymInfoLookup.SymInfo.Address;
|
|
break;
|
|
}
|
|
if (fCopyName) {
|
|
if (!pSymEntry->Name)
|
|
return FALSE;
|
|
*pSymEntry->Name = 0;
|
|
strncpy(pSymEntry->Name, SymInfoLookup.NamePtr ? SymInfoLookup.NamePtr : "", SymInfoLookup.SymInfo.NameLen);
|
|
} else {
|
|
pSymEntry->Name = SymInfoLookup.NamePtr;
|
|
}
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
DWORD_PTR
|
|
NTGetPID(
|
|
HANDLE hProcess
|
|
)
|
|
{
|
|
HMODULE hModule;
|
|
PNTQUERYINFORMATIONPROCESS NtQueryInformationProcess;
|
|
PROCESS_BASIC_INFORMATION pi;
|
|
NTSTATUS status;
|
|
|
|
hModule = GetModuleHandle( "ntdll.dll" );
|
|
if (!hModule) {
|
|
return ERROR_MOD_NOT_FOUND;
|
|
}
|
|
|
|
NtQueryInformationProcess = (PNTQUERYINFORMATIONPROCESS)GetProcAddress(
|
|
hModule,
|
|
"NtQueryInformationProcess"
|
|
);
|
|
|
|
if (!NtQueryInformationProcess) {
|
|
return ERROR_INVALID_FUNCTION;
|
|
}
|
|
|
|
|
|
status = NtQueryInformationProcess(hProcess,
|
|
ProcessBasicInformation,
|
|
&pi,
|
|
sizeof(pi),
|
|
NULL);
|
|
|
|
if (!NT_SUCCESS(status))
|
|
return 0;
|
|
|
|
return pi.UniqueProcessId;
|
|
}
|
|
|
|
|
|
//
|
|
// the block bounded by the #ifdef _X86_ statement
|
|
// contains the code for getting the PID from an
|
|
// HPROCESS when running under Win9X
|
|
//
|
|
|
|
#ifdef _X86_
|
|
|
|
#define HANDLE_INVALID ((HANDLE)0xFFFFFFFF)
|
|
#define HANDLE_CURRENT_PROCESS ((HANDLE)0x7FFFFFFF)
|
|
#define HANDLE_CURRENT_THREAD ((HANDLE)0xFFFFFFFE)
|
|
#define MAX_HANDLE_VALUE ((HANDLE)0x00FFFFFF)
|
|
|
|
|
|
// Thread Information Block.
|
|
|
|
typedef struct _TIB {
|
|
|
|
DWORD unknown[12];
|
|
DWORD_PTR ppdb;
|
|
|
|
} TIB, *PTIB;
|
|
|
|
// Task Data Block
|
|
|
|
typedef struct _TDB {
|
|
|
|
DWORD unknown[2];
|
|
TIB tib;
|
|
|
|
} TDB, *PTDB;
|
|
|
|
typedef struct _OBJ {
|
|
|
|
BYTE typObj; // object type
|
|
BYTE objFlags; // object flags
|
|
WORD cntUses; // count of this objects usage
|
|
|
|
} OBJ, *POBJ;
|
|
|
|
typedef struct _HTE {
|
|
|
|
DWORD flFlags;
|
|
POBJ pobj;
|
|
|
|
} HTE, *PHTE;
|
|
|
|
typedef struct _HTB {
|
|
|
|
DWORD chteMax;
|
|
HTE rghte[1];
|
|
|
|
} HTB, *PHTB;
|
|
|
|
typedef struct _W9XPDB {
|
|
|
|
DWORD unknown[17];
|
|
PHTB phtbHandles;
|
|
|
|
} W9XPDB, *PW9XPDB;
|
|
|
|
#pragma warning(disable:4035)
|
|
|
|
_inline struct _TIB * GetCurrentTib(void) { _asm mov eax, fs:[0x18] }
|
|
|
|
// stuff needed to convert local handle
|
|
|
|
#define IHTETOHANDLESHIFT 2
|
|
#define GLOBALHANDLEMASK (0x453a4d3cLU)
|
|
|
|
#define IHTEFROMHANDLE(hnd) ((hnd) == HANDLE_INVALID ? (DWORD)(hnd) : (((DWORD)(hnd)) >> IHTETOHANDLESHIFT))
|
|
|
|
#define IHTEISGLOBAL(ihte) \
|
|
(((ihte) >> (32 - 8 - IHTETOHANDLESHIFT)) == (((DWORD)GLOBALHANDLEMASK) >> 24))
|
|
|
|
#define IS_WIN32_PREDEFINED_HANDLE(hnd) \
|
|
((hnd == HANDLE_CURRENT_PROCESS)||(hnd == HANDLE_CURRENT_THREAD)||(hnd == HANDLE_INVALID))
|
|
|
|
DWORD
|
|
GetWin9xObsfucator(
|
|
VOID
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
GetWin9xObsfucator()
|
|
|
|
|
|
Arguments:
|
|
|
|
none
|
|
|
|
|
|
Return Value:
|
|
|
|
Obsfucator key used by Windows9x to hide Process and Thread Id's
|
|
|
|
|
|
Notes:
|
|
|
|
The code has only been tested on Windows98SE and Millennium.
|
|
|
|
|
|
--*/
|
|
{
|
|
DWORD ppdb = 0; // W9XPDB = Process Data Block
|
|
DWORD processId = (DWORD) GetCurrentProcessId();
|
|
|
|
// get PDB pointer
|
|
|
|
ppdb = GetCurrentTib()->ppdb;
|
|
|
|
return ppdb ^ processId;
|
|
}
|
|
|
|
|
|
DWORD_PTR
|
|
GetPtrFromHandle(
|
|
IN HANDLE Handle
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
GetPtrFromHandle()
|
|
|
|
|
|
Arguments:
|
|
|
|
Handle - handle from Process handle table
|
|
|
|
|
|
Return Value:
|
|
|
|
Real Pointer to object
|
|
|
|
|
|
Notes:
|
|
|
|
The code has only been tested on Windows98SE and Millennium.
|
|
|
|
|
|
--*/
|
|
{
|
|
DWORD_PTR ptr = 0;
|
|
DWORD ihte = 0;
|
|
PW9XPDB ppdb = 0;
|
|
|
|
ppdb = (PW9XPDB) GetCurrentTib()->ppdb;
|
|
|
|
// check for pre-defined handle values.
|
|
|
|
if (Handle == HANDLE_CURRENT_PROCESS) {
|
|
ptr = (DWORD_PTR) ppdb;
|
|
} else if (Handle == HANDLE_CURRENT_THREAD) {
|
|
ptr = (DWORD_PTR) CONTAINING_RECORD(GetCurrentTib(), TDB, tib);
|
|
} else if (Handle == HANDLE_INVALID) {
|
|
ptr = 0;
|
|
} else {
|
|
// not a special handle, we can perform our magic.
|
|
|
|
ihte = IHTEFROMHANDLE(Handle);
|
|
|
|
// if we have a global handle, it is only meaningful in the context
|
|
// of the kernel process's handle table...we don't currently deal with
|
|
// this type of handle
|
|
|
|
if (!(IHTEISGLOBAL(ihte))) {
|
|
ptr = (DWORD_PTR) ppdb->phtbHandles->rghte[ihte].pobj;
|
|
}
|
|
}
|
|
|
|
return ptr;
|
|
}
|
|
|
|
|
|
DWORD_PTR
|
|
Win9xGetPID(
|
|
IN HANDLE hProcess
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Win9xGetPid()
|
|
|
|
|
|
Arguments:
|
|
|
|
hProcess - Process handle
|
|
|
|
|
|
Return Value:
|
|
|
|
Process Id
|
|
|
|
|
|
Notes:
|
|
|
|
The code has only been tested on Windows98SE and Millennium.
|
|
|
|
|
|
--*/
|
|
{
|
|
static DWORD dwObsfucator = 0;
|
|
|
|
// check to see that we have a predefined handle or an index into
|
|
// our local handle table.
|
|
|
|
if (IS_WIN32_PREDEFINED_HANDLE(hProcess) || (hProcess < MAX_HANDLE_VALUE)) {
|
|
if (!dwObsfucator) {
|
|
dwObsfucator = GetWin9xObsfucator();
|
|
assert(dwObsfucator != 0);
|
|
}
|
|
return dwObsfucator ^ GetPtrFromHandle(hProcess);
|
|
}
|
|
|
|
// don't know what we have here
|
|
|
|
return 0;
|
|
}
|
|
|
|
#endif // _X86_
|
|
|
|
|
|
DWORD_PTR
|
|
GetPID(
|
|
HANDLE hProcess
|
|
)
|
|
{
|
|
OSVERSIONINFO VerInfo;
|
|
|
|
if (hProcess == GetCurrentProcess())
|
|
return GetCurrentProcessId();
|
|
|
|
VerInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
|
|
GetVersionEx(&VerInfo);
|
|
if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) {
|
|
return NTGetPID(hProcess);
|
|
} else {
|
|
#ifdef _X86_
|
|
return Win9xGetPID(hProcess);
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|
|
}
|
|
|
|
|
|
PMODULE_ENTRY
|
|
GetModFromAddr(
|
|
PPROCESS_ENTRY pe,
|
|
IN DWORD64 addr
|
|
)
|
|
{
|
|
PMODULE_ENTRY mi = NULL;
|
|
|
|
__try {
|
|
mi = GetModuleForPC(pe, addr, FALSE);
|
|
if (!mi) {
|
|
SetLastError(ERROR_MOD_NOT_FOUND);
|
|
return NULL;
|
|
}
|
|
|
|
if (!LoadSymbols(pe->hProcess, mi, 0)) {
|
|
SetLastError(ERROR_MOD_NOT_FOUND);
|
|
return NULL;
|
|
}
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
ImagepSetLastErrorFromStatus(GetExceptionCode());
|
|
return NULL;
|
|
}
|
|
|
|
return mi;
|
|
}
|
|
|
|
|
|
DWORD
|
|
GetProcessModules(
|
|
HANDLE hProcess,
|
|
PINTERNAL_GET_MODULE InternalGetModule,
|
|
PVOID Context
|
|
)
|
|
{
|
|
#ifdef _X86_
|
|
OSVERSIONINFO VerInfo;
|
|
|
|
VerInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
|
|
GetVersionEx(&VerInfo);
|
|
if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) {
|
|
return NTGetProcessModules(hProcess, InternalGetModule, Context);
|
|
} else {
|
|
return Win95GetProcessModules(hProcess, InternalGetModule, Context);
|
|
}
|
|
}
|
|
|
|
|
|
DWORD
|
|
Win95GetProcessModules(
|
|
HANDLE hProcess,
|
|
PINTERNAL_GET_MODULE InternalGetModule,
|
|
PVOID Context
|
|
)
|
|
{
|
|
MODULEENTRY32 mi;
|
|
PMODULE32 pModule32Next, pModule32First;
|
|
PCREATE32SNAPSHOT pCreateToolhelp32Snapshot;
|
|
HANDLE hSnapshot;
|
|
HMODULE hToolHelp;
|
|
DWORD pid;
|
|
|
|
// get the PID:
|
|
// this hack supports old bug workaround, in which callers were passing
|
|
// a pid, because an hprocess didn't work on W9X.
|
|
|
|
pid = GetPID(hProcess);
|
|
if (!pid)
|
|
pid = (DWORD)hProcess;
|
|
|
|
// get the module list from toolhelp apis
|
|
|
|
hToolHelp = GetModuleHandle("kernel32.dll");
|
|
if (!hToolHelp)
|
|
return ERROR_MOD_NOT_FOUND;
|
|
|
|
pModule32Next = (PMODULE32)GetProcAddress(hToolHelp, "Module32Next");
|
|
pModule32First = (PMODULE32)GetProcAddress(hToolHelp, "Module32First");
|
|
pCreateToolhelp32Snapshot = (PCREATE32SNAPSHOT)GetProcAddress(hToolHelp, "CreateToolhelp32Snapshot");
|
|
if (!pModule32Next || !pModule32First || !pCreateToolhelp32Snapshot)
|
|
return ERROR_MOD_NOT_FOUND;
|
|
|
|
hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
|
|
if (hSnapshot == (HANDLE)-1) {
|
|
return ERROR_MOD_NOT_FOUND;
|
|
}
|
|
|
|
mi.dwSize = sizeof(MODULEENTRY32);
|
|
|
|
if (pModule32First(hSnapshot, &mi)) {
|
|
do
|
|
{
|
|
if (!InternalGetModule(
|
|
hProcess,
|
|
mi.szModule,
|
|
(DWORD) mi.modBaseAddr,
|
|
mi.modBaseSize,
|
|
Context))
|
|
{
|
|
break;
|
|
}
|
|
|
|
} while ( pModule32Next(hSnapshot, &mi) );
|
|
}
|
|
|
|
CloseHandle(hSnapshot);
|
|
|
|
return(ERROR_SUCCESS);
|
|
}
|
|
|
|
|
|
DWORD
|
|
NTGetProcessModules(
|
|
HANDLE hProcess,
|
|
PINTERNAL_GET_MODULE InternalGetModule,
|
|
PVOID Context
|
|
)
|
|
{
|
|
|
|
#endif // _X86_
|
|
|
|
PRTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation;
|
|
PRTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer;
|
|
PRTLDESTROYQUERYDEBUGBUFFER RtlDestroyQueryDebugBuffer;
|
|
HMODULE hModule;
|
|
NTSTATUS Status;
|
|
PRTL_DEBUG_INFORMATION Buffer;
|
|
ULONG i;
|
|
DWORD_PTR ProcessId;
|
|
|
|
hModule = GetModuleHandle( "ntdll.dll" );
|
|
if (!hModule) {
|
|
return ERROR_MOD_NOT_FOUND;
|
|
}
|
|
|
|
RtlQueryProcessDebugInformation = (PRTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(
|
|
hModule,
|
|
"RtlQueryProcessDebugInformation"
|
|
);
|
|
|
|
if (!RtlQueryProcessDebugInformation) {
|
|
return ERROR_INVALID_FUNCTION;
|
|
}
|
|
|
|
RtlCreateQueryDebugBuffer = (PRTLCREATEQUERYDEBUGBUFFER)GetProcAddress(
|
|
hModule,
|
|
"RtlCreateQueryDebugBuffer"
|
|
);
|
|
|
|
if (!RtlCreateQueryDebugBuffer) {
|
|
return ERROR_INVALID_FUNCTION;
|
|
}
|
|
|
|
RtlDestroyQueryDebugBuffer = (PRTLDESTROYQUERYDEBUGBUFFER)GetProcAddress(
|
|
hModule,
|
|
"RtlDestroyQueryDebugBuffer"
|
|
);
|
|
|
|
if (!RtlDestroyQueryDebugBuffer) {
|
|
return ERROR_INVALID_FUNCTION;
|
|
}
|
|
|
|
Buffer = RtlCreateQueryDebugBuffer( 0, FALSE );
|
|
if (!Buffer) {
|
|
return ERROR_NOT_ENOUGH_MEMORY;
|
|
}
|
|
|
|
ProcessId = GetPID(hProcess);
|
|
|
|
// for backwards compatibility with an old bug
|
|
if (!ProcessId)
|
|
ProcessId = (DWORD_PTR)hProcess;
|
|
|
|
ULONG QueryFlags = RTL_QUERY_PROCESS_MODULES |
|
|
RTL_QUERY_PROCESS_NONINVASIVE;
|
|
|
|
if (g.SymOptions & SYMOPT_INCLUDE_32BIT_MODULES) {
|
|
QueryFlags |= RTL_QUERY_PROCESS_MODULES32;
|
|
}
|
|
|
|
Status = RtlQueryProcessDebugInformation(
|
|
(HANDLE)ProcessId,
|
|
QueryFlags,
|
|
Buffer
|
|
);
|
|
|
|
if (Status != STATUS_SUCCESS) {
|
|
RtlDestroyQueryDebugBuffer( Buffer );
|
|
return(ImagepSetLastErrorFromStatus(Status));
|
|
}
|
|
|
|
for (i=0; i<Buffer->Modules->NumberOfModules; i++) {
|
|
PRTL_PROCESS_MODULE_INFORMATION Module = &Buffer->Modules->Modules[i];
|
|
if (!InternalGetModule(
|
|
hProcess,
|
|
(LPSTR) &Module->FullPathName[Module->OffsetToFileName],
|
|
(DWORD64)Module->ImageBase,
|
|
(DWORD)Module->ImageSize,
|
|
Context
|
|
))
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlDestroyQueryDebugBuffer( Buffer );
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
|
|
VOID
|
|
FreeModuleEntry(
|
|
PPROCESS_ENTRY pe,
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
FunctionEntryCache* Cache;
|
|
|
|
if (pe && (Cache = GetFeCache(mi->MachineType, FALSE))) {
|
|
Cache->InvalidateProcessOrModule(pe->hProcess, mi->BaseOfDll);
|
|
}
|
|
if (pe && pe->ipmi == mi) {
|
|
pe->ipmi = NULL;
|
|
}
|
|
if (mi->symbolTable) {
|
|
MemFree( mi->symbolTable );
|
|
}
|
|
if (mi->SectionHdrs) {
|
|
MemFree( mi->SectionHdrs );
|
|
}
|
|
if (mi->OriginalSectionHdrs) {
|
|
MemFree( mi->OriginalSectionHdrs );
|
|
}
|
|
if (mi->pFpoData) {
|
|
VirtualFree( mi->pFpoData, 0, MEM_RELEASE );
|
|
}
|
|
if (mi->pFpoDataOmap) {
|
|
VirtualFree( mi->pFpoDataOmap, 0, MEM_RELEASE );
|
|
}
|
|
if (mi->pExceptionData) {
|
|
VirtualFree( mi->pExceptionData, 0, MEM_RELEASE );
|
|
}
|
|
if (mi->pPData) {
|
|
MemFree( mi->pPData );
|
|
}
|
|
if (mi->pXData) {
|
|
MemFree( mi->pXData );
|
|
}
|
|
if (mi->TmpSym.Name) {
|
|
MemFree( mi->TmpSym.Name );
|
|
}
|
|
if (mi->ImageName) {
|
|
MemFree( mi->ImageName );
|
|
}
|
|
if (mi->LoadedImageName) {
|
|
MemFree( mi->LoadedImageName );
|
|
}
|
|
if (mi->LoadedPdbName) {
|
|
MemFree( mi->LoadedPdbName );
|
|
}
|
|
if (mi->pOmapTo) {
|
|
MemFree( mi->pOmapTo );
|
|
}
|
|
if (mi->pOmapFrom) {
|
|
MemFree( mi->pOmapFrom );
|
|
}
|
|
if (mi->CallerData) {
|
|
MemFree( mi->CallerData );
|
|
}
|
|
if (mi->SourceFiles) {
|
|
PSOURCE_ENTRY Src, SrcNext;
|
|
|
|
for (Src = mi->SourceFiles; Src != NULL; Src = SrcNext) {
|
|
SrcNext = Src->Next;
|
|
MemFree(Src);
|
|
}
|
|
}
|
|
if (mi->dia) {
|
|
diaRelease(mi->dia);
|
|
}
|
|
|
|
MemFree( mi );
|
|
}
|
|
|
|
|
|
|
|
|
|
BOOL
|
|
MatchSymbolName(
|
|
PSYMBOL_ENTRY sym,
|
|
LPSTR SymName
|
|
)
|
|
{
|
|
if (g.SymOptions & SYMOPT_CASE_INSENSITIVE) {
|
|
if (_stricmp( sym->Name, SymName ) == 0) {
|
|
return TRUE;
|
|
}
|
|
} else {
|
|
if (strcmp( sym->Name, SymName ) == 0) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
PSYMBOL_ENTRY
|
|
HandleDuplicateSymbols(
|
|
PPROCESS_ENTRY pe,
|
|
PMODULE_ENTRY mi,
|
|
PSYMBOL_ENTRY sym
|
|
)
|
|
{
|
|
DWORD i;
|
|
DWORD Dups;
|
|
DWORD NameSize;
|
|
PIMAGEHLP_SYMBOL64 Syms64 = NULL;
|
|
PIMAGEHLP_SYMBOL Syms32 = NULL;
|
|
PIMAGEHLP_DUPLICATE_SYMBOL64 DupSym64 = NULL;
|
|
PIMAGEHLP_DUPLICATE_SYMBOL DupSym32 = NULL;
|
|
PULONG SymSave;
|
|
|
|
|
|
if (!pe->pCallbackFunction32 && !pe->pCallbackFunction64) {
|
|
return sym;
|
|
}
|
|
|
|
if (!(sym->Flags & SYMF_DUPLICATE)) {
|
|
return sym;
|
|
}
|
|
|
|
Dups = 0;
|
|
NameSize = 0;
|
|
for (i = 0; i < mi->numsyms; i++) {
|
|
if ((mi->symbolTable[i].NameLength == sym->NameLength) &&
|
|
(strcmp( mi->symbolTable[i].Name, sym->Name ) == 0)) {
|
|
Dups += 1;
|
|
NameSize += (mi->symbolTable[i].NameLength + 1);
|
|
}
|
|
}
|
|
|
|
if (pe->pCallbackFunction32) {
|
|
DupSym32 = (PIMAGEHLP_DUPLICATE_SYMBOL) MemAlloc( sizeof(IMAGEHLP_DUPLICATE_SYMBOL) );
|
|
if (!DupSym32) {
|
|
return sym;
|
|
}
|
|
|
|
Syms32 = (PIMAGEHLP_SYMBOL) MemAlloc( (sizeof(IMAGEHLP_SYMBOL) * Dups) + NameSize );
|
|
if (!Syms32) {
|
|
MemFree( DupSym32 );
|
|
return sym;
|
|
}
|
|
|
|
SymSave = (PULONG) MemAlloc( sizeof(ULONG) * Dups );
|
|
if (!SymSave) {
|
|
MemFree( Syms32 );
|
|
MemFree( DupSym32 );
|
|
return sym;
|
|
}
|
|
|
|
DupSym32->SizeOfStruct = sizeof(IMAGEHLP_DUPLICATE_SYMBOL);
|
|
DupSym32->NumberOfDups = Dups;
|
|
DupSym32->Symbol = Syms32;
|
|
DupSym32->SelectedSymbol = (ULONG) -1;
|
|
|
|
Dups = 0;
|
|
for (i = 0; i < mi->numsyms; i++) {
|
|
if ((mi->symbolTable[i].NameLength == sym->NameLength) &&
|
|
(strcmp( mi->symbolTable[i].Name, sym->Name ) == 0)) {
|
|
symcpy32( Syms32, &mi->symbolTable[i] );
|
|
Syms32 += (sizeof(IMAGEHLP_SYMBOL) + mi->symbolTable[i].NameLength + 1);
|
|
SymSave[Dups] = i;
|
|
Dups += 1;
|
|
}
|
|
}
|
|
|
|
} else {
|
|
DupSym64 = (PIMAGEHLP_DUPLICATE_SYMBOL64) MemAlloc( sizeof(IMAGEHLP_DUPLICATE_SYMBOL64) );
|
|
if (!DupSym64) {
|
|
return sym;
|
|
}
|
|
|
|
Syms64 = (PIMAGEHLP_SYMBOL64) MemAlloc( (sizeof(IMAGEHLP_SYMBOL64) * Dups) + NameSize );
|
|
if (!Syms64) {
|
|
MemFree( DupSym64 );
|
|
return sym;
|
|
}
|
|
|
|
SymSave = (PULONG) MemAlloc( sizeof(ULONG) * Dups );
|
|
if (!SymSave) {
|
|
MemFree( Syms64 );
|
|
MemFree( DupSym64 );
|
|
return sym;
|
|
}
|
|
|
|
DupSym64->SizeOfStruct = sizeof(IMAGEHLP_DUPLICATE_SYMBOL64);
|
|
DupSym64->NumberOfDups = Dups;
|
|
DupSym64->Symbol = Syms64;
|
|
DupSym64->SelectedSymbol = (ULONG) -1;
|
|
|
|
Dups = 0;
|
|
for (i = 0; i < mi->numsyms; i++) {
|
|
if ((mi->symbolTable[i].NameLength == sym->NameLength) &&
|
|
(strcmp( mi->symbolTable[i].Name, sym->Name ) == 0)) {
|
|
symcpy64( Syms64, &mi->symbolTable[i] );
|
|
Syms64 += (sizeof(IMAGEHLP_SYMBOL64) + mi->symbolTable[i].NameLength + 1);
|
|
SymSave[Dups] = i;
|
|
Dups += 1;
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
sym = NULL;
|
|
|
|
__try {
|
|
|
|
if (pe->pCallbackFunction32) {
|
|
pe->pCallbackFunction32(
|
|
pe->hProcess,
|
|
CBA_DUPLICATE_SYMBOL,
|
|
(PVOID) DupSym32,
|
|
(PVOID) pe->CallbackUserContext
|
|
);
|
|
|
|
if (DupSym32->SelectedSymbol != (ULONG) -1) {
|
|
if (DupSym32->SelectedSymbol < DupSym32->NumberOfDups) {
|
|
sym = &mi->symbolTable[SymSave[DupSym32->SelectedSymbol]];
|
|
}
|
|
}
|
|
} else {
|
|
pe->pCallbackFunction64(
|
|
pe->hProcess,
|
|
CBA_DUPLICATE_SYMBOL,
|
|
(ULONG64) &DupSym64,
|
|
pe->CallbackUserContext
|
|
);
|
|
|
|
if (DupSym64->SelectedSymbol != (ULONG) -1) {
|
|
if (DupSym64->SelectedSymbol < DupSym64->NumberOfDups) {
|
|
sym = &mi->symbolTable[SymSave[DupSym64->SelectedSymbol]];
|
|
}
|
|
}
|
|
}
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
;
|
|
}
|
|
|
|
if (DupSym32) {
|
|
MemFree( DupSym32 );
|
|
}
|
|
if (DupSym64) {
|
|
MemFree( DupSym64 );
|
|
}
|
|
if (Syms32) {
|
|
MemFree( Syms32 );
|
|
}
|
|
if (Syms64) {
|
|
MemFree( Syms64 );
|
|
}
|
|
MemFree( SymSave );
|
|
|
|
return sym;
|
|
}
|
|
|
|
|
|
PSYMBOL_ENTRY
|
|
FindSymbolByName(
|
|
PPROCESS_ENTRY pe,
|
|
PMODULE_ENTRY mi,
|
|
LPSTR SymName
|
|
)
|
|
{
|
|
DWORD hash;
|
|
PSYMBOL_ENTRY sym;
|
|
DWORD i;
|
|
|
|
if (!mi || mi->dia)
|
|
return diaFindSymbolByName(pe, mi, SymName);
|
|
|
|
hash = ComputeHash( SymName, strlen(SymName) );
|
|
sym = mi->NameHashTable[hash];
|
|
|
|
if (sym) {
|
|
//
|
|
// there are collision(s) so lets walk the
|
|
// collision list and match the names
|
|
//
|
|
while( sym ) {
|
|
if (MatchSymbolName( sym, SymName )) {
|
|
sym = HandleDuplicateSymbols( pe, mi, sym );
|
|
return sym;
|
|
}
|
|
sym = sym->Next;
|
|
}
|
|
}
|
|
|
|
//
|
|
// the symbol did not hash to anything valid
|
|
// this is possible if the caller passed an undecorated name
|
|
// now we must look linearly thru the list
|
|
//
|
|
for (i=0; i<mi->numsyms; i++) {
|
|
sym = &mi->symbolTable[i];
|
|
if (MatchSymbolName( sym, SymName )) {
|
|
sym = HandleDuplicateSymbols( pe, mi, sym );
|
|
return sym;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
IMGHLP_RVA_FUNCTION_DATA *
|
|
SearchRvaFunctionTable(
|
|
IMGHLP_RVA_FUNCTION_DATA *FunctionTable,
|
|
LONG High,
|
|
LONG Low,
|
|
DWORD dwPC
|
|
)
|
|
{
|
|
LONG Middle;
|
|
IMGHLP_RVA_FUNCTION_DATA *FunctionEntry;
|
|
|
|
// Perform binary search on the function table for a function table
|
|
// entry that subsumes the specified PC.
|
|
|
|
while (High >= Low) {
|
|
|
|
// Compute next probe index and test entry. If the specified PC
|
|
// is greater than of equal to the beginning address and less
|
|
// than the ending address of the function table entry, then
|
|
// return the address of the function table entry. Otherwise,
|
|
// continue the search.
|
|
|
|
Middle = (Low + High) >> 1;
|
|
FunctionEntry = &FunctionTable[Middle];
|
|
if (dwPC < FunctionEntry->rvaBeginAddress) {
|
|
High = Middle - 1;
|
|
|
|
} else if (dwPC >= FunctionEntry->rvaEndAddress) {
|
|
Low = Middle + 1;
|
|
|
|
} else {
|
|
return FunctionEntry;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
PIMGHLP_RVA_FUNCTION_DATA
|
|
GetFunctionEntryFromDebugInfo (
|
|
PPROCESS_ENTRY pe,
|
|
DWORD64 ControlPc
|
|
)
|
|
{
|
|
PMODULE_ENTRY mi;
|
|
IMGHLP_RVA_FUNCTION_DATA *FunctionTable;
|
|
|
|
mi = GetModuleForPC( pe, ControlPc, FALSE );
|
|
if (mi == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
if (!GetPData(pe->hProcess, mi)) {
|
|
return NULL;
|
|
}
|
|
|
|
FunctionTable = (IMGHLP_RVA_FUNCTION_DATA *)mi->pExceptionData;
|
|
return SearchRvaFunctionTable(FunctionTable, mi->dwEntries - 1, 0,
|
|
(ULONG)(ControlPc - mi->BaseOfDll));
|
|
}
|
|
|
|
PIMAGE_FUNCTION_ENTRY
|
|
LookupFunctionEntryAxp32 (
|
|
HANDLE hProcess,
|
|
DWORD ControlPc
|
|
)
|
|
{
|
|
FunctionEntryCache* Cache;
|
|
FeCacheEntry* FunctionEntry;
|
|
|
|
if ((Cache = GetFeCache(IMAGE_FILE_MACHINE_ALPHA, TRUE)) == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
// Don't specify the function table access callback or it will
|
|
// cause recursion.
|
|
|
|
FunctionEntry = Cache->
|
|
Find(hProcess, (ULONG64)(LONG)ControlPc, ReadInProcMemory,
|
|
miGetModuleBase, NULL);
|
|
if ( FunctionEntry == NULL ) {
|
|
return NULL;
|
|
}
|
|
|
|
// Alpha function entries are always stored as 64-bit
|
|
// so downconvert.
|
|
tlsvar(FunctionEntry32).StartingAddress =
|
|
(ULONG)FunctionEntry->Data.Axp64.BeginAddress;
|
|
tlsvar(FunctionEntry32).EndingAddress =
|
|
(ULONG)FunctionEntry->Data.Axp64.EndAddress;
|
|
tlsvar(FunctionEntry32).EndOfPrologue =
|
|
(ULONG)FunctionEntry->Data.Axp64.PrologEndAddress;
|
|
return &tlsvar(FunctionEntry32);
|
|
}
|
|
|
|
PIMAGE_FUNCTION_ENTRY64
|
|
LookupFunctionEntryAxp64 (
|
|
HANDLE hProcess,
|
|
DWORD64 ControlPc
|
|
)
|
|
{
|
|
FunctionEntryCache* Cache;
|
|
FeCacheEntry* FunctionEntry;
|
|
|
|
if ((Cache = GetFeCache(IMAGE_FILE_MACHINE_ALPHA64, TRUE)) == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
// Don't specify the function table access callback or it will
|
|
// cause recursion.
|
|
|
|
FunctionEntry = Cache->
|
|
Find(hProcess, ControlPc, ReadInProcMemory,
|
|
miGetModuleBase, NULL);
|
|
if ( FunctionEntry == NULL ) {
|
|
return NULL;
|
|
}
|
|
|
|
tlsvar(FunctionEntry64).StartingAddress =
|
|
FunctionEntry->Data.Axp64.BeginAddress;
|
|
tlsvar(FunctionEntry64).EndingAddress =
|
|
FunctionEntry->Data.Axp64.EndAddress;
|
|
tlsvar(FunctionEntry64).EndOfPrologue =
|
|
FunctionEntry->Data.Axp64.PrologEndAddress;
|
|
return &tlsvar(FunctionEntry64);
|
|
}
|
|
|
|
// NTRAID#96939-2000/03/27-patst
|
|
//
|
|
// All the platform dependent "LookupFunctionEntryXxx" should be retyped as returning
|
|
// a PIMAGE_FUNCTION_ENTRY64. This would require a modification of the callers, especially
|
|
// the IA64 specific locations that assume that the returned function entries contains RVAs
|
|
// and not absolute addresses. I implemented a platform-independant
|
|
// "per address space / per module" cache of function entries - capable of supporting the
|
|
// dynamic function entries scheme but I fell short of time in delivering it.
|
|
|
|
PIMAGE_IA64_RUNTIME_FUNCTION_ENTRY
|
|
LookupFunctionEntryIa64 (
|
|
HANDLE hProcess,
|
|
DWORD64 ControlPc
|
|
)
|
|
{
|
|
FunctionEntryCache* Cache;
|
|
FeCacheEntry* FunctionEntry;
|
|
|
|
if ((Cache = GetFeCache(IMAGE_FILE_MACHINE_IA64, TRUE)) == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// IA64-NOTE 08/99: IA64 Function entries contain file offsets, not absolute relocated addresses.
|
|
// IA64 Callers assume this.
|
|
//
|
|
|
|
|
|
// Don't specify the function table access callback or it will
|
|
// cause recursion.
|
|
|
|
FunctionEntry = Cache->
|
|
Find(hProcess, ControlPc, ReadInProcMemory,
|
|
miGetModuleBase, NULL);
|
|
if ( FunctionEntry == NULL ) {
|
|
return NULL;
|
|
}
|
|
|
|
tlsvar(Ia64FunctionEntry) = FunctionEntry->Data.Ia64;
|
|
return &tlsvar(Ia64FunctionEntry);
|
|
}
|
|
|
|
_PIMAGE_RUNTIME_FUNCTION_ENTRY
|
|
LookupFunctionEntryAmd64 (
|
|
HANDLE hProcess,
|
|
DWORD64 ControlPc
|
|
)
|
|
{
|
|
FunctionEntryCache* Cache;
|
|
FeCacheEntry* FunctionEntry;
|
|
|
|
if ((Cache = GetFeCache(IMAGE_FILE_MACHINE_AMD64, TRUE)) == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
// Don't specify the function table access callback or it will
|
|
// cause recursion.
|
|
|
|
FunctionEntry = Cache->
|
|
Find(hProcess, ControlPc, ReadInProcMemory,
|
|
miGetModuleBase, NULL);
|
|
if ( FunctionEntry == NULL ) {
|
|
return NULL;
|
|
}
|
|
|
|
tlsvar(Amd64FunctionEntry) = FunctionEntry->Data.Amd64;
|
|
return &tlsvar(Amd64FunctionEntry);
|
|
}
|
|
|
|
PFPO_DATA
|
|
SwSearchFpoData(
|
|
DWORD key,
|
|
PFPO_DATA base,
|
|
DWORD num
|
|
)
|
|
{
|
|
PFPO_DATA lo = base;
|
|
PFPO_DATA hi = base + (num - 1);
|
|
PFPO_DATA mid;
|
|
DWORD half;
|
|
|
|
while (lo <= hi) {
|
|
if (half = num / 2) {
|
|
mid = lo + ((num & 1) ? half : (half - 1));
|
|
if ((key >= mid->ulOffStart)&&(key < (mid->ulOffStart+mid->cbProcSize))) {
|
|
return mid;
|
|
}
|
|
if (key < mid->ulOffStart) {
|
|
hi = mid - 1;
|
|
num = (num & 1) ? half : half-1;
|
|
} else {
|
|
lo = mid + 1;
|
|
num = half;
|
|
}
|
|
} else
|
|
if (num) {
|
|
if ((key >= lo->ulOffStart)&&(key < (lo->ulOffStart+lo->cbProcSize))) {
|
|
return lo;
|
|
} else {
|
|
break;
|
|
}
|
|
} else {
|
|
break;
|
|
}
|
|
}
|
|
return(NULL);
|
|
}
|
|
|
|
BOOL
|
|
DoSymbolCallback (
|
|
PPROCESS_ENTRY pe,
|
|
ULONG CallbackType,
|
|
IN PMODULE_ENTRY mi,
|
|
PIMAGEHLP_DEFERRED_SYMBOL_LOAD64 idsl64,
|
|
LPSTR FileName
|
|
)
|
|
{
|
|
BOOL Status;
|
|
IMAGEHLP_DEFERRED_SYMBOL_LOAD idsl32;
|
|
|
|
Status = FALSE;
|
|
if (pe->pCallbackFunction32) {
|
|
idsl32.SizeOfStruct = sizeof(IMAGEHLP_DEFERRED_SYMBOL_LOAD);
|
|
idsl32.BaseOfImage = (ULONG)mi->BaseOfDll;
|
|
idsl32.CheckSum = mi->CheckSum;
|
|
idsl32.TimeDateStamp = mi->TimeDateStamp;
|
|
idsl32.Reparse = FALSE;
|
|
idsl32.FileName[0] = 0;
|
|
if (FileName) {
|
|
strncat( idsl32.FileName, FileName, MAX_PATH - 1 );
|
|
}
|
|
|
|
__try {
|
|
|
|
Status = pe->pCallbackFunction32(
|
|
pe->hProcess,
|
|
CallbackType,
|
|
(PVOID)&idsl32,
|
|
(PVOID)pe->CallbackUserContext
|
|
);
|
|
idsl64->SizeOfStruct = sizeof(IMAGEHLP_DEFERRED_SYMBOL_LOAD64);
|
|
idsl64->BaseOfImage = idsl32.BaseOfImage;
|
|
idsl64->CheckSum = idsl32.CheckSum;
|
|
idsl64->TimeDateStamp = idsl32.TimeDateStamp;
|
|
idsl64->Reparse = idsl32.Reparse;
|
|
if (idsl32.FileName) {
|
|
strncpy( idsl64->FileName, idsl32.FileName, MAX_PATH );
|
|
}
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
}
|
|
} else
|
|
if (pe->pCallbackFunction64) {
|
|
idsl64->SizeOfStruct = sizeof(IMAGEHLP_DEFERRED_SYMBOL_LOAD64);
|
|
idsl64->BaseOfImage = mi->BaseOfDll;
|
|
idsl64->CheckSum = mi->CheckSum;
|
|
idsl64->TimeDateStamp = mi->TimeDateStamp;
|
|
idsl64->Reparse = FALSE;
|
|
idsl64->FileName[0] = 0;
|
|
if (FileName) {
|
|
strncat( idsl64->FileName, FileName, MAX_PATH );
|
|
}
|
|
|
|
__try {
|
|
|
|
Status = pe->pCallbackFunction64(
|
|
pe->hProcess,
|
|
CallbackType,
|
|
(ULONG64)(ULONG_PTR)idsl64,
|
|
pe->CallbackUserContext
|
|
);
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
}
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
BOOL
|
|
DoCallback(
|
|
PPROCESS_ENTRY pe,
|
|
ULONG type,
|
|
PVOID data
|
|
)
|
|
{
|
|
BOOL rc = TRUE;
|
|
|
|
__try {
|
|
|
|
// if we weren't passed a process entry, then call all processes
|
|
|
|
if (!pe) {
|
|
BOOL ret;
|
|
PLIST_ENTRY next;
|
|
|
|
next = g.ProcessList.Flink;
|
|
if (!next)
|
|
return FALSE;
|
|
|
|
while ((PVOID)next != (PVOID)&g.ProcessList) {
|
|
pe = CONTAINING_RECORD( next, PROCESS_ENTRY, ListEntry );
|
|
next = pe->ListEntry.Flink;
|
|
if (!pe)
|
|
return rc;
|
|
ret = DoCallback(pe, type, data);
|
|
if (!ret)
|
|
rc = ret;
|
|
}
|
|
|
|
return rc;
|
|
}
|
|
|
|
// otherwise call this process
|
|
|
|
if (pe->pCallbackFunction32) {
|
|
rc = pe->pCallbackFunction32(pe->hProcess,
|
|
type,
|
|
data,
|
|
(PVOID)pe->CallbackUserContext);
|
|
} else if (pe->pCallbackFunction64) {
|
|
rc = pe->pCallbackFunction64(pe->hProcess,
|
|
type,
|
|
(ULONG64)data,
|
|
pe->CallbackUserContext);
|
|
}
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
rc = FALSE;
|
|
}
|
|
|
|
return rc;
|
|
}
|
|
|
|
|
|
VOID
|
|
SympSendDebugString(
|
|
PPROCESS_ENTRY pe,
|
|
LPSTR String
|
|
)
|
|
{
|
|
__try {
|
|
if (!pe)
|
|
pe = FindFirstProcessEntry();
|
|
|
|
if (!pe) {
|
|
printf(String);
|
|
} else if (pe->pCallbackFunction32) {
|
|
pe->pCallbackFunction32(pe->hProcess,
|
|
CBA_DEBUG_INFO,
|
|
(PVOID)String,
|
|
(PVOID)pe->CallbackUserContext
|
|
);
|
|
} else if (pe->pCallbackFunction64) {
|
|
pe->pCallbackFunction64(pe->hProcess,
|
|
CBA_DEBUG_INFO,
|
|
(ULONG64)String,
|
|
pe->CallbackUserContext
|
|
);
|
|
}
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
}
|
|
}
|
|
|
|
int
|
|
WINAPIV
|
|
_pprint(
|
|
PPROCESS_ENTRY pe,
|
|
LPSTR Format,
|
|
...
|
|
)
|
|
{
|
|
static char buf[1000] = "DBGHELP: ";
|
|
va_list args;
|
|
|
|
va_start(args, Format);
|
|
_vsnprintf(buf+9, sizeof(buf)-9, Format, args);
|
|
va_end(args);
|
|
SympSendDebugString(pe, buf);
|
|
return 1;
|
|
}
|
|
|
|
int
|
|
WINAPIV
|
|
_peprint(
|
|
PPROCESS_ENTRY pe,
|
|
LPSTR Format,
|
|
...
|
|
)
|
|
{
|
|
static char buf[1000] = "";
|
|
va_list args;
|
|
|
|
va_start(args, Format);
|
|
_vsnprintf(buf, sizeof(buf), Format, args);
|
|
va_end(args);
|
|
SympSendDebugString(pe, buf);
|
|
return 1;
|
|
}
|
|
|
|
|
|
int
|
|
WINAPIV
|
|
_dprint(
|
|
LPSTR format,
|
|
...
|
|
)
|
|
{
|
|
static char buf[1000] = "DBGHELP: ";
|
|
va_list args;
|
|
|
|
va_start(args, format);
|
|
_vsnprintf(buf+9, sizeof(buf)-9, format, args);
|
|
va_end(args);
|
|
SympSendDebugString(NULL, buf);
|
|
return 1;
|
|
}
|
|
|
|
int
|
|
WINAPIV
|
|
_eprint(
|
|
LPSTR format,
|
|
...
|
|
)
|
|
{
|
|
static char buf[1000] = "";
|
|
va_list args;
|
|
|
|
va_start(args, format);
|
|
_vsnprintf(buf, sizeof(buf), format, args);
|
|
va_end(args);
|
|
SympSendDebugString(NULL, buf);
|
|
return 1;
|
|
}
|
|
|
|
|
|
BOOL
|
|
WINAPIV
|
|
evtprint(
|
|
PPROCESS_ENTRY pe,
|
|
DWORD severity,
|
|
DWORD code,
|
|
PVOID object,
|
|
LPSTR format,
|
|
...
|
|
)
|
|
{
|
|
static char buf[1000] = "";
|
|
IMAGEHLP_CBA_EVENT evt;
|
|
va_list args;
|
|
|
|
va_start(args, format);
|
|
_vsnprintf(buf, sizeof(buf), format, args);
|
|
va_end(args);
|
|
evt.severity = severity;
|
|
evt.code = code;
|
|
evt.desc = buf;
|
|
evt.object = object;
|
|
|
|
return DoCallback(pe, CBA_EVENT, &evt);
|
|
}
|
|
|
|
BOOL
|
|
traceAddr(
|
|
DWORD64 addr
|
|
)
|
|
{
|
|
DWORD64 taddr = 0;
|
|
|
|
if (!*g.DebugToken)
|
|
return FALSE;
|
|
sscanf(g.DebugToken, "0x%I64x", &taddr);
|
|
taddr = EXTEND64(taddr);
|
|
addr = EXTEND64(addr);
|
|
return (addr == taddr);
|
|
}
|
|
|
|
|
|
BOOL
|
|
traceName(
|
|
PCHAR name
|
|
)
|
|
{
|
|
if (!*g.DebugToken)
|
|
return FALSE;
|
|
return !_strnicmp(name, g.DebugToken, strlen(g.DebugToken));
|
|
}
|
|
|
|
|
|
BOOL
|
|
traceSubName(
|
|
PCHAR name
|
|
)
|
|
{
|
|
char *lname;
|
|
BOOL rc;
|
|
|
|
if (!*g.DebugToken)
|
|
return FALSE;
|
|
lname = (char *)MemAlloc(sizeof(char) * (strlen(name) + 1));
|
|
if (!lname) {
|
|
return FALSE;
|
|
}
|
|
strcpy(lname, name);
|
|
if (!lname)
|
|
return FALSE;
|
|
_strlwr(lname);
|
|
rc = strstr(lname, g.DebugToken) ? TRUE : FALSE;
|
|
MemFree(lname);
|
|
|
|
return rc;
|
|
}
|
|
|
|
|
|
BOOL
|
|
load(
|
|
IN HANDLE hProcess,
|
|
IN PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
IMAGEHLP_DEFERRED_SYMBOL_LOAD64 idsl;
|
|
PPROCESS_ENTRY pe;
|
|
ULONG i;
|
|
PIMGHLP_DEBUG_DATA pIDD;
|
|
ULONG bias;
|
|
PIMAGE_SYMBOL lpSymbolEntry;
|
|
PUCHAR lpStringTable;
|
|
PUCHAR p;
|
|
BOOL SymbolsLoaded = FALSE;
|
|
PCHAR CallbackFileName, ImageName;
|
|
ULONG Size;
|
|
|
|
g.LastSymLoadError = SYMLOAD_DEFERRED;
|
|
pe = FindProcessEntry( hProcess );
|
|
if (!pe) {
|
|
SetLastError(ERROR_INVALID_HANDLE);
|
|
return FALSE;
|
|
}
|
|
|
|
// if (traceName(mi->ModuleName)) // for setting debug breakpoints from DBGHELP_TOKEN
|
|
// pprint(pe, "debug(%s)\n", mi->ModuleName);
|
|
|
|
CallbackFileName = mi->LoadedImageName ? mi->LoadedImageName :
|
|
mi->ImageName ? mi->ImageName : mi->ModuleName;
|
|
|
|
DoSymbolCallback(
|
|
pe,
|
|
CBA_DEFERRED_SYMBOL_LOAD_START,
|
|
mi,
|
|
&idsl,
|
|
CallbackFileName
|
|
);
|
|
|
|
ImageName = mi->ImageName;
|
|
for (; ;) {
|
|
pIDD = GetDebugData(
|
|
hProcess,
|
|
mi->hFile,
|
|
ImageName,
|
|
pe->SymbolSearchPath,
|
|
mi->BaseOfDll,
|
|
&mi->mld,
|
|
0
|
|
);
|
|
mi->SymLoadError = g.LastSymLoadError;
|
|
|
|
if (pIDD) {
|
|
break;
|
|
}
|
|
|
|
pprint(pe, "GetDebugData(%p, %s, %s, %I64x, 0) failed\n",
|
|
mi->hFile,
|
|
ImageName,
|
|
pe->SymbolSearchPath,
|
|
mi->BaseOfDll
|
|
);
|
|
|
|
if (!DoSymbolCallback(
|
|
pe,
|
|
CBA_DEFERRED_SYMBOL_LOAD_FAILURE,
|
|
mi,
|
|
&idsl,
|
|
CallbackFileName
|
|
) || !idsl.Reparse)
|
|
{
|
|
mi->SymType = SymNone;
|
|
mi->Flags |= MIF_NO_SYMBOLS;
|
|
return FALSE;
|
|
}
|
|
|
|
ImageName = idsl.FileName;
|
|
CallbackFileName = idsl.FileName;
|
|
}
|
|
|
|
pIDD->flags = mi->Flags;
|
|
|
|
// The following code ONLY works if the dll wasn't rebased
|
|
// during install. Is it really useful?
|
|
|
|
if (!mi->BaseOfDll) {
|
|
//
|
|
// This case occurs when modules are loaded multiple times by
|
|
// name with no explicit base address.
|
|
//
|
|
if (GetModuleForPC( pe, pIDD->ImageBaseFromImage, TRUE )) {
|
|
if (pIDD->ImageBaseFromImage) {
|
|
pprint(pe, "GetModuleForPC(%p, %I64x, TRUE) failed\n",
|
|
pe,
|
|
pIDD->ImageBaseFromImage,
|
|
TRUE
|
|
);
|
|
} else {
|
|
pprint(pe, "No base address for %s: Please specify\n", ImageName);
|
|
}
|
|
return FALSE;
|
|
}
|
|
mi->BaseOfDll = pIDD->ImageBaseFromImage;
|
|
}
|
|
|
|
if (!mi->DllSize) {
|
|
mi->DllSize = pIDD->SizeOfImage;
|
|
}
|
|
|
|
mi->hProcess = pIDD->hProcess;
|
|
mi->InProcImageBase = pIDD->InProcImageBase;
|
|
|
|
mi->CheckSum = pIDD->CheckSum;
|
|
mi->TimeDateStamp = pIDD->TimeDateStamp;
|
|
mi->MachineType = pIDD->Machine;
|
|
|
|
mi->ImageType = pIDD->ImageType;
|
|
mi->PdbSrc = pIDD->PdbSrc;
|
|
mi->ImageSrc = pIDD->ImageSrc;
|
|
|
|
if (!mi->MachineType && g.MachineType) {
|
|
mi->MachineType = (USHORT) g.MachineType;
|
|
}
|
|
if (pIDD->dia) {
|
|
mi->LoadedPdbName = StringDup(pIDD->PdbFileName);
|
|
}
|
|
if (pIDD->DbgFileMap) {
|
|
mi->LoadedImageName = StringDup(pIDD->DbgFilePath);
|
|
} else if (*pIDD->ImageFilePath) {
|
|
mi->LoadedImageName = StringDup(pIDD->ImageFilePath);
|
|
} else if (pIDD->dia) {
|
|
mi->LoadedImageName = StringDup(pIDD->PdbFileName);
|
|
} else {
|
|
mi->LoadedImageName = StringDup("");
|
|
}
|
|
|
|
if (pIDD->fROM) {
|
|
mi->Flags |= MIF_ROM_IMAGE;
|
|
}
|
|
|
|
if (!mi->ImageName) {
|
|
mi->ImageName = StringDup(pIDD->OriginalImageFileName);
|
|
_splitpath( mi->ImageName, NULL, NULL, mi->ModuleName, NULL );
|
|
mi->AliasName[0] = 0;
|
|
}
|
|
|
|
mi->dsExceptions = pIDD->dsExceptions;
|
|
|
|
if (pIDD->cFpo) {
|
|
//
|
|
// use virtualalloc() because the rtf search function
|
|
// return a pointer into this memory. we want to make
|
|
// all of this memory read only so that callers cannot
|
|
// stomp on imagehlp's data
|
|
//
|
|
mi->pFpoData = (PFPO_DATA)VirtualAlloc(
|
|
NULL,
|
|
sizeof(FPO_DATA) * pIDD->cFpo,
|
|
MEM_COMMIT,
|
|
PAGE_READWRITE
|
|
);
|
|
if (mi->pFpoData) {
|
|
mi->dwEntries = pIDD->cFpo;
|
|
CopyMemory(
|
|
mi->pFpoData,
|
|
pIDD->pFpo,
|
|
sizeof(FPO_DATA) * mi->dwEntries
|
|
);
|
|
VirtualProtect(
|
|
mi->pFpoData,
|
|
sizeof(FPO_DATA) * mi->dwEntries,
|
|
PAGE_READONLY,
|
|
&i
|
|
);
|
|
}
|
|
}
|
|
|
|
// copy the pdata block from the pdb
|
|
|
|
if (pIDD->pPData) {
|
|
mi->pPData = MemAlloc(pIDD->cbPData);
|
|
if (mi->pPData) {
|
|
mi->cPData = pIDD->cPData;
|
|
mi->cbPData = pIDD->cbPData;
|
|
CopyMemory(mi->pPData, pIDD->pPData, pIDD->cbPData);
|
|
}
|
|
}
|
|
|
|
if (pIDD->pXData) {
|
|
mi->pXData = MemAlloc(pIDD->cbXData);
|
|
if (mi->pXData) {
|
|
mi->cXData = pIDD->cXData;
|
|
mi->cbXData = pIDD->cbXData;
|
|
CopyMemory(mi->pXData, pIDD->pXData, pIDD->cbXData);
|
|
}
|
|
}
|
|
|
|
// now the sections
|
|
|
|
mi->NumSections = pIDD->cCurrentSections;
|
|
if (pIDD->fCurrentSectionsMapped) {
|
|
mi->SectionHdrs = (PIMAGE_SECTION_HEADER) MemAlloc(
|
|
sizeof(IMAGE_SECTION_HEADER) * mi->NumSections
|
|
);
|
|
if (mi->SectionHdrs) {
|
|
CopyMemory(
|
|
mi->SectionHdrs,
|
|
pIDD->pCurrentSections,
|
|
sizeof(IMAGE_SECTION_HEADER) * mi->NumSections
|
|
);
|
|
}
|
|
} else {
|
|
mi->SectionHdrs = pIDD->pCurrentSections;
|
|
}
|
|
|
|
if (pIDD->pOriginalSections) {
|
|
mi->OriginalNumSections = pIDD->cOriginalSections;
|
|
mi->OriginalSectionHdrs = pIDD->pOriginalSections;
|
|
} else {
|
|
mi->OriginalNumSections = mi->NumSections;
|
|
mi->OriginalSectionHdrs = (PIMAGE_SECTION_HEADER) MemAlloc(
|
|
sizeof(IMAGE_SECTION_HEADER) * mi->NumSections
|
|
);
|
|
if (mi->OriginalSectionHdrs) {
|
|
CopyMemory(
|
|
mi->OriginalSectionHdrs,
|
|
pIDD->pCurrentSections,
|
|
sizeof(IMAGE_SECTION_HEADER) * mi->NumSections
|
|
);
|
|
}
|
|
}
|
|
|
|
// symbols
|
|
|
|
mi->TmpSym.Name = (LPSTR) MemAlloc( TMP_SYM_LEN );
|
|
|
|
if (pIDD->dia) {
|
|
mi->SymType = SymDia;
|
|
SymbolsLoaded = TRUE;
|
|
} else {
|
|
if (pIDD->pMappedCv) {
|
|
SymbolsLoaded = LoadCodeViewSymbols(
|
|
hProcess,
|
|
mi,
|
|
pIDD
|
|
);
|
|
pprint(pe, "codeview symbols %sloaded\n", SymbolsLoaded?"":"not ");
|
|
}
|
|
if (!SymbolsLoaded && pIDD->pMappedCoff) {
|
|
SymbolsLoaded = LoadCoffSymbols(hProcess, mi, pIDD);
|
|
pprint(pe, "coff symbols %sloaded\n", SymbolsLoaded?"":"not ");
|
|
}
|
|
|
|
if (!SymbolsLoaded && pIDD->cExports) {
|
|
SymbolsLoaded = LoadExportSymbols( mi, pIDD );
|
|
if (SymbolsLoaded) {
|
|
mi->PdbSrc = srcNone;
|
|
}
|
|
pprint(pe, "export symbols %sloaded\n", SymbolsLoaded?"":"not ");
|
|
}
|
|
|
|
if (!SymbolsLoaded) {
|
|
mi->SymType = SymNone;
|
|
pprint(pe, "no symbols loaded\n");
|
|
}
|
|
}
|
|
|
|
mi->dia = pIDD->dia;
|
|
|
|
ProcessOmapForModule( mi, pIDD );
|
|
|
|
ReleaseDebugData(pIDD,
|
|
IMGHLP_FREE_FPO | IMGHLP_FREE_SYMPATH | IMGHLP_FREE_PDATA | IMGHLP_FREE_XDATA);
|
|
mi->Flags &= ~MIF_DEFERRED_LOAD;
|
|
|
|
DoSymbolCallback(pe,
|
|
CBA_DEFERRED_SYMBOL_LOAD_COMPLETE,
|
|
mi,
|
|
&idsl,
|
|
CallbackFileName);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
DWORD64
|
|
InternalLoadModule(
|
|
IN HANDLE hProcess,
|
|
IN PSTR ImageName,
|
|
IN PSTR ModuleName,
|
|
IN DWORD64 BaseOfDll,
|
|
IN DWORD DllSize,
|
|
IN HANDLE hFile,
|
|
IN PMODLOAD_DATA data,
|
|
IN DWORD flags
|
|
)
|
|
{
|
|
IMAGEHLP_DEFERRED_SYMBOL_LOAD64 idsl;
|
|
PPROCESS_ENTRY pe;
|
|
PMODULE_ENTRY mi;
|
|
LPSTR p;
|
|
DWORD64 ip;
|
|
|
|
// if (traceSubName(ImageName)) // for setting debug breakpoints from DBGHELP_TOKEN
|
|
// dprint("debug(%s)\n", ImageName);
|
|
|
|
if (BaseOfDll == (DWORD64)-1)
|
|
return 0;
|
|
|
|
__try {
|
|
CHAR c;
|
|
if (ImageName)
|
|
c = *ImageName;
|
|
if (ModuleName)
|
|
c = *ModuleName;
|
|
} __except(EXCEPTION_EXECUTE_HANDLER) {
|
|
SetLastError(ERROR_INVALID_PARAMETER);
|
|
return 0;
|
|
}
|
|
|
|
pe = FindProcessEntry( hProcess );
|
|
if (!pe) {
|
|
return 0;
|
|
}
|
|
|
|
if (BaseOfDll) {
|
|
mi = GetModuleForPC( pe, BaseOfDll, TRUE );
|
|
} else {
|
|
mi = NULL;
|
|
}
|
|
|
|
if (mi) {
|
|
//
|
|
// in this case the symbols are already loaded
|
|
// so the caller really wants the deferred
|
|
// symbols to be loaded
|
|
//
|
|
if ( (mi->Flags & MIF_DEFERRED_LOAD) &&
|
|
load( hProcess, mi )) {
|
|
|
|
return mi->BaseOfDll;
|
|
} else {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
//
|
|
// look to see if there is an overlapping module entry
|
|
//
|
|
if (BaseOfDll) {
|
|
do {
|
|
mi = GetModuleForPC( pe, BaseOfDll, FALSE );
|
|
if (mi) {
|
|
RemoveEntryList( &mi->ListEntry );
|
|
|
|
DoSymbolCallback(
|
|
pe,
|
|
CBA_SYMBOLS_UNLOADED,
|
|
mi,
|
|
&idsl,
|
|
mi->LoadedImageName ? mi->LoadedImageName : mi->ImageName ? mi->ImageName : mi->ModuleName
|
|
);
|
|
|
|
FreeModuleEntry(pe, mi);
|
|
}
|
|
} while(mi);
|
|
}
|
|
|
|
mi = (PMODULE_ENTRY) MemAlloc( sizeof(MODULE_ENTRY) );
|
|
if (!mi) {
|
|
return 0;
|
|
}
|
|
InitModuleEntry(mi);
|
|
|
|
mi->BaseOfDll = BaseOfDll;
|
|
mi->DllSize = DllSize;
|
|
mi->hFile = hFile;
|
|
if (ImageName) {
|
|
char SplitMod[_MAX_FNAME];
|
|
|
|
mi->ImageName = StringDup(ImageName);
|
|
_splitpath( ImageName, NULL, NULL, SplitMod, NULL );
|
|
mi->ModuleName[0] = 0;
|
|
strncat(mi->ModuleName, SplitMod, sizeof(mi->ModuleName) - 1);
|
|
if (ModuleName && _stricmp( ModuleName, mi->ModuleName ) != 0) {
|
|
mi->AliasName[0] = 0;
|
|
strncat( mi->AliasName, ModuleName, sizeof(mi->AliasName) - 1 );
|
|
} else {
|
|
mi->AliasName[0] = 0;
|
|
}
|
|
} else {
|
|
|
|
if (ModuleName) {
|
|
mi->AliasName[0] = 0;
|
|
strncat( mi->AliasName, ModuleName, sizeof(mi->AliasName) - 1 );
|
|
}
|
|
|
|
}
|
|
mi->mod = NULL;
|
|
mi->cbPdbSymbols = 0;
|
|
mi->pPdbSymbols = NULL;
|
|
|
|
if (data) {
|
|
if (data->ssize != sizeof(MODLOAD_DATA)) {
|
|
SetLastError(ERROR_INVALID_PARAMETER);
|
|
return 0;
|
|
}
|
|
memcpy(&mi->mld, data, data->ssize);
|
|
mi->CallerData = MemAlloc(mi->mld.size);
|
|
if (!mi->CallerData) {
|
|
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
|
|
return 0;
|
|
}
|
|
mi->mld.data = mi->CallerData;
|
|
memcpy(mi->mld.data, data->data, mi->mld.size);
|
|
}
|
|
|
|
if ((g.SymOptions & SYMOPT_DEFERRED_LOADS) && BaseOfDll) {
|
|
mi->Flags |= MIF_DEFERRED_LOAD;
|
|
mi->SymType = SymDeferred;
|
|
} else if (!load( hProcess, mi )) {
|
|
FreeModuleEntry(pe, mi);
|
|
return 0;
|
|
}
|
|
|
|
pe->Count += 1;
|
|
|
|
InsertTailList( &pe->ModuleList, &mi->ListEntry);
|
|
|
|
ip = GetIP(pe);
|
|
if ((mi->BaseOfDll <= ip) && (mi->BaseOfDll + DllSize >= ip))
|
|
diaSetModFromIP(pe);
|
|
|
|
return mi->BaseOfDll;
|
|
}
|
|
|
|
PPROCESS_ENTRY
|
|
FindProcessEntry(
|
|
HANDLE hProcess
|
|
)
|
|
{
|
|
PLIST_ENTRY next;
|
|
PPROCESS_ENTRY pe;
|
|
DWORD count;
|
|
|
|
next = g.ProcessList.Flink;
|
|
if (!next) {
|
|
return NULL;
|
|
}
|
|
|
|
for (count = 0; (PVOID)next != (PVOID)&g.ProcessList; count++) {
|
|
assert(count < g.cProcessList);
|
|
if (count >= g.cProcessList)
|
|
return NULL;
|
|
pe = CONTAINING_RECORD( next, PROCESS_ENTRY, ListEntry );
|
|
next = pe->ListEntry.Flink;
|
|
if (pe->hProcess == hProcess) {
|
|
return pe;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
PPROCESS_ENTRY
|
|
FindFirstProcessEntry(
|
|
)
|
|
{
|
|
return CONTAINING_RECORD(g.ProcessList.Flink, PROCESS_ENTRY, ListEntry);
|
|
}
|
|
|
|
|
|
PMODULE_ENTRY
|
|
FindModule(
|
|
HANDLE hProcess,
|
|
PPROCESS_ENTRY pe,
|
|
LPSTR ModuleName,
|
|
BOOL fLoad
|
|
)
|
|
{
|
|
PLIST_ENTRY next;
|
|
PMODULE_ENTRY mi;
|
|
|
|
if (!ModuleName || !*ModuleName)
|
|
return NULL;
|
|
|
|
next = pe->ModuleList.Flink;
|
|
if (next) {
|
|
while ((PVOID)next != (PVOID)&pe->ModuleList) {
|
|
mi = CONTAINING_RECORD( next, MODULE_ENTRY, ListEntry );
|
|
next = mi->ListEntry.Flink;
|
|
|
|
if ((_stricmp( mi->ModuleName, ModuleName ) == 0) ||
|
|
(mi->AliasName[0] &&
|
|
_stricmp( mi->AliasName, ModuleName ) == 0))
|
|
{
|
|
if (fLoad && !LoadSymbols(hProcess, mi, 0)) {
|
|
return NULL;
|
|
}
|
|
|
|
return mi;
|
|
}
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
#ifndef _DBGHELP_USER_GENERATED_SYMBOLS_NOTSUPPORTED
|
|
|
|
BOOL
|
|
SymCheckUserGenerated(
|
|
ULONG64 dwAddr,
|
|
PSYMBOL_ENTRY sym,
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY nextSym;
|
|
|
|
/*
|
|
// We do not know the size of a user generated symbol...
|
|
// This work because of the execution of CompleteSymbolTable() after AllocSym().
|
|
// Particularly, the size has been adjusted.
|
|
*/
|
|
|
|
if ( !(sym->Flags & SYMF_USER_GENERATED) ) {
|
|
dprint("SymCheckUserGenerated: We should not call this function. This is not a user generated symbol...\n" );
|
|
return FALSE;
|
|
}
|
|
|
|
if ( (dwAddr == sym->Address) || (sym == &mi->symbolTable[mi->numsyms - 1]) ) {
|
|
return TRUE;
|
|
}
|
|
|
|
nextSym = sym + 1;
|
|
if ( dwAddr < nextSym->Address ) {
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
#endif // !_DBGHELP_USER_GENERATED_SYMBOLS_NOTSUPPORTED
|
|
|
|
PSYMBOL_ENTRY
|
|
GetSymFromAddr(
|
|
DWORD64 dwAddr,
|
|
PDWORD64 pqwDisplacement,
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY sym = NULL;
|
|
LONG High;
|
|
LONG Low;
|
|
LONG Middle;
|
|
|
|
if (mi == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
if (mi->dia)
|
|
return diaGetSymFromAddr(dwAddr, mi, pqwDisplacement);
|
|
|
|
//
|
|
// do a binary search to locate the symbol
|
|
//
|
|
|
|
Low = 0;
|
|
High = mi->numsyms - 1;
|
|
|
|
while (High >= Low) {
|
|
Middle = (Low + High) >> 1;
|
|
sym = &mi->symbolTable[Middle];
|
|
if (dwAddr < sym->Address) {
|
|
|
|
High = Middle - 1;
|
|
|
|
} else if (dwAddr >= sym->Address + sym->Size) {
|
|
|
|
#ifndef _DBGHELP_USER_GENERATED_SYMBOLS_NOTSUPPORTED
|
|
|
|
if ( (sym->Flags & SYMF_USER_GENERATED) && SymCheckUserGenerated( dwAddr, sym, mi ) ) {
|
|
if (pqwDisplacement) {
|
|
*pqwDisplacement = dwAddr - sym->Address;
|
|
}
|
|
return sym;
|
|
}
|
|
|
|
#endif // !_DBGHELP_USER_GENERATED_SYMBOLS_NOTSUPPORTED
|
|
|
|
Low = Middle + 1;
|
|
|
|
} else {
|
|
|
|
if (pqwDisplacement) {
|
|
*pqwDisplacement = dwAddr - sym->Address;
|
|
}
|
|
return sym;
|
|
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
PMODULE_ENTRY
|
|
GetModuleForPC(
|
|
PPROCESS_ENTRY pe,
|
|
DWORD64 dwPcAddr,
|
|
BOOL ExactMatch
|
|
)
|
|
{
|
|
static PLIST_ENTRY next = NULL;
|
|
PMODULE_ENTRY mi;
|
|
|
|
if (dwPcAddr == (DWORD64)-1) {
|
|
if (!next)
|
|
return NULL;
|
|
if ((PVOID)next == (PVOID)&pe->ModuleList) {
|
|
// Reset to NULL so the list can be re-walked
|
|
next = NULL;
|
|
return NULL;
|
|
}
|
|
mi = CONTAINING_RECORD( next, MODULE_ENTRY, ListEntry );
|
|
next = mi->ListEntry.Flink;
|
|
return mi;
|
|
}
|
|
|
|
next = pe->ModuleList.Flink;
|
|
if (!next) {
|
|
return NULL;
|
|
}
|
|
|
|
while ((PVOID)next != (PVOID)&pe->ModuleList) {
|
|
mi = CONTAINING_RECORD( next, MODULE_ENTRY, ListEntry );
|
|
next = mi->ListEntry.Flink;
|
|
if (dwPcAddr == 0) {
|
|
return mi;
|
|
}
|
|
if (ExactMatch) {
|
|
if (dwPcAddr == mi->BaseOfDll) {
|
|
return mi;
|
|
}
|
|
} else
|
|
if ((dwPcAddr == mi->BaseOfDll && mi->DllSize == 0) ||
|
|
((dwPcAddr >= mi->BaseOfDll) &&
|
|
(dwPcAddr < mi->BaseOfDll + mi->DllSize))) {
|
|
return mi;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
PSYMBOL_ENTRY
|
|
GetSymFromAddrAllContexts(
|
|
DWORD64 dwAddr,
|
|
PDWORD64 pqwDisplacement,
|
|
PPROCESS_ENTRY pe
|
|
)
|
|
{
|
|
PMODULE_ENTRY mi = GetModuleForPC( pe, dwAddr, FALSE );
|
|
if (mi == NULL) {
|
|
return NULL;
|
|
}
|
|
return GetSymFromAddr( dwAddr, pqwDisplacement, mi );
|
|
}
|
|
|
|
DWORD
|
|
ComputeHash(
|
|
LPSTR lpbName,
|
|
ULONG cb
|
|
)
|
|
{
|
|
ULONG UNALIGNED * lpulName;
|
|
ULONG ulEnd = 0;
|
|
int cul;
|
|
int iul;
|
|
ULONG ulSum = 0;
|
|
|
|
while (cb & 3) {
|
|
ulEnd |= (lpbName[cb - 1] & 0xdf);
|
|
ulEnd <<= 8;
|
|
cb -= 1;
|
|
}
|
|
|
|
cul = cb / 4;
|
|
lpulName = (ULONG UNALIGNED *) lpbName;
|
|
for (iul =0; iul < cul; iul++) {
|
|
ulSum ^= (lpulName[iul] & 0xdfdfdfdf);
|
|
ulSum = _lrotl( ulSum, 4);
|
|
}
|
|
ulSum ^= ulEnd;
|
|
return ulSum % HASH_MODULO;
|
|
}
|
|
|
|
PSYMBOL_ENTRY
|
|
AllocSym(
|
|
PMODULE_ENTRY mi,
|
|
DWORD64 addr,
|
|
LPSTR name
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY sym;
|
|
ULONG Length;
|
|
|
|
|
|
if (mi->numsyms == mi->MaxSyms) {
|
|
// dprint("AllocSym: ERROR - symbols Table overflow!\n");
|
|
return NULL;
|
|
}
|
|
|
|
if (!mi->StringSize) {
|
|
// dprint("AllocSym: ERROR - symbols strings not allocated for module!\n");
|
|
return NULL;
|
|
}
|
|
|
|
Length = strlen(name);
|
|
|
|
if ((Length + 1) > mi->StringSize) {
|
|
// dprint("AllocSym: ERROR - symbols strings buffer overflow!\n");
|
|
return NULL;
|
|
}
|
|
|
|
sym = &mi->symbolTable[mi->numsyms];
|
|
|
|
mi->numsyms += 1;
|
|
sym->Name = mi->SymStrings;
|
|
mi->SymStrings += (Length + 2);
|
|
mi->StringSize -= (Length + 2);
|
|
|
|
strcpy( sym->Name, name );
|
|
sym->Address = addr;
|
|
sym->Size = 0;
|
|
sym->Flags = 0;
|
|
sym->Next = NULL;
|
|
sym->NameLength = Length;
|
|
|
|
return sym;
|
|
}
|
|
|
|
int __cdecl
|
|
SymbolTableAddressCompare(
|
|
const void *e1,
|
|
const void *e2
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY sym1 = (PSYMBOL_ENTRY) e1;
|
|
PSYMBOL_ENTRY sym2 = (PSYMBOL_ENTRY) e2;
|
|
LONG64 diff;
|
|
|
|
if ( sym1 && sym2 ) {
|
|
diff = (sym1->Address - sym2->Address);
|
|
return (diff < 0) ? -1 : (diff == 0) ? 0 : 1;
|
|
} else {
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
int __cdecl
|
|
SymbolTableNameCompare(
|
|
const void *e1,
|
|
const void *e2
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY sym1 = (PSYMBOL_ENTRY) e1;
|
|
PSYMBOL_ENTRY sym2 = (PSYMBOL_ENTRY) e2;
|
|
|
|
return strcmp( sym1->Name, sym2->Name );
|
|
}
|
|
|
|
VOID
|
|
CompleteSymbolTable(
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY sym;
|
|
PSYMBOL_ENTRY symH;
|
|
ULONG Hash;
|
|
ULONG i;
|
|
ULONG dups;
|
|
ULONG seq;
|
|
|
|
|
|
//
|
|
// sort the symbols by name
|
|
//
|
|
dbg_qsort(
|
|
mi->symbolTable,
|
|
mi->numsyms,
|
|
sizeof(SYMBOL_ENTRY),
|
|
SymbolTableNameCompare
|
|
);
|
|
|
|
//
|
|
// mark duplicate names
|
|
//
|
|
seq = 0;
|
|
for (i=0; i<mi->numsyms; i++) {
|
|
dups = 0;
|
|
while ((mi->symbolTable[i+dups].NameLength == mi->symbolTable[i+dups+1].NameLength) &&
|
|
(strcmp( mi->symbolTable[i+dups].Name, mi->symbolTable[i+dups+1].Name ) == 0)) {
|
|
mi->symbolTable[i+dups].Flags |= SYMF_DUPLICATE;
|
|
mi->symbolTable[i+dups+1].Flags |= SYMF_DUPLICATE;
|
|
dups += 1;
|
|
}
|
|
i += dups;
|
|
}
|
|
|
|
//
|
|
// sort the symbols by address
|
|
//
|
|
dbg_qsort(
|
|
mi->symbolTable,
|
|
mi->numsyms,
|
|
sizeof(SYMBOL_ENTRY),
|
|
SymbolTableAddressCompare
|
|
);
|
|
|
|
//
|
|
// calculate the size of each symbol
|
|
//
|
|
for (i=0; i<mi->numsyms; i++) {
|
|
mi->symbolTable[i].Next = NULL;
|
|
if (i+1 < mi->numsyms) {
|
|
mi->symbolTable[i].Size = (ULONG)(mi->symbolTable[i+1].Address - mi->symbolTable[i].Address);
|
|
}
|
|
}
|
|
|
|
//
|
|
// compute the hash for each symbol
|
|
//
|
|
ZeroMemory( mi->NameHashTable, sizeof(mi->NameHashTable) );
|
|
for (i=0; i<mi->numsyms; i++) {
|
|
sym = &mi->symbolTable[i];
|
|
|
|
Hash = ComputeHash( sym->Name, sym->NameLength );
|
|
|
|
if (mi->NameHashTable[Hash]) {
|
|
|
|
//
|
|
// we have a collision
|
|
//
|
|
symH = mi->NameHashTable[Hash];
|
|
while( symH->Next ) {
|
|
symH = symH->Next;
|
|
}
|
|
symH->Next = sym;
|
|
|
|
} else {
|
|
|
|
mi->NameHashTable[Hash] = sym;
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
BOOL
|
|
CreateSymbolTable(
|
|
PMODULE_ENTRY mi,
|
|
DWORD SymbolCount,
|
|
SYM_TYPE SymType,
|
|
DWORD NameSize
|
|
)
|
|
{
|
|
//
|
|
// allocate the symbol table
|
|
//
|
|
NameSize += OMAP_SYM_STRINGS;
|
|
mi->symbolTable = (PSYMBOL_ENTRY) MemAlloc(
|
|
(sizeof(SYMBOL_ENTRY) * (SymbolCount + OMAP_SYM_EXTRA)) + NameSize + (SymbolCount * CPP_EXTRA)
|
|
);
|
|
if (!mi->symbolTable) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// initialize the relevant fields
|
|
//
|
|
mi->numsyms = 0;
|
|
mi->MaxSyms = SymbolCount + OMAP_SYM_EXTRA;
|
|
mi->SymType = SymType;
|
|
mi->StringSize = NameSize + (SymbolCount * CPP_EXTRA);
|
|
mi->SymStrings = (LPSTR)(mi->symbolTable + SymbolCount + OMAP_SYM_EXTRA);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
PIMAGE_SECTION_HEADER
|
|
FindSection(
|
|
PIMAGE_SECTION_HEADER sh,
|
|
ULONG NumSections,
|
|
ULONG Address
|
|
)
|
|
{
|
|
ULONG i;
|
|
for (i=0; i<NumSections; i++) {
|
|
if (Address >= sh[i].VirtualAddress &&
|
|
Address < (sh[i].VirtualAddress + sh[i].Misc.VirtualSize)) {
|
|
return &sh[i];
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
PVOID
|
|
GetSectionPhysical(
|
|
HANDLE hp,
|
|
ULONG64 base,
|
|
PIMGHLP_DEBUG_DATA pIDD,
|
|
ULONG Address
|
|
)
|
|
{
|
|
PIMAGE_SECTION_HEADER sh;
|
|
|
|
sh = FindSection( pIDD->pCurrentSections, pIDD->cCurrentSections, Address );
|
|
if (!sh) {
|
|
return 0;
|
|
}
|
|
|
|
return (PCHAR)pIDD->ImageMap + sh->PointerToRawData + (Address - sh->VirtualAddress);
|
|
}
|
|
|
|
BOOL
|
|
ReadSectionInfo(
|
|
HANDLE hp,
|
|
ULONG64 base,
|
|
PIMGHLP_DEBUG_DATA pIDD,
|
|
ULONG address,
|
|
PVOID buf,
|
|
DWORD size
|
|
)
|
|
{
|
|
PIMAGE_SECTION_HEADER sh;
|
|
DWORD_PTR status = TRUE;
|
|
|
|
sh = FindSection( pIDD->pCurrentSections, pIDD->cCurrentSections, address );
|
|
if (!sh)
|
|
return FALSE;
|
|
|
|
if (!hp) {
|
|
status = (DWORD_PTR)memcpy((PCHAR)buf,
|
|
(PCHAR)base + sh->PointerToRawData + (address - sh->VirtualAddress),
|
|
size);
|
|
} else {
|
|
status = ReadImageData(hp, base, address, buf, size);
|
|
}
|
|
if (!status)
|
|
return FALSE;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
PCHAR
|
|
expptr(
|
|
HANDLE hp,
|
|
ULONG64 base,
|
|
PIMGHLP_DEBUG_DATA pIDD,
|
|
ULONG address
|
|
)
|
|
{
|
|
PIMAGE_SECTION_HEADER sh;
|
|
DWORD_PTR status = TRUE;
|
|
|
|
if (hp)
|
|
return (PCHAR)base + address;
|
|
|
|
sh = FindSection( pIDD->pCurrentSections, pIDD->cCurrentSections, address );
|
|
if (!sh)
|
|
return FALSE;
|
|
|
|
return (PCHAR)base + sh->PointerToRawData + (address - sh->VirtualAddress);
|
|
}
|
|
|
|
|
|
ULONG
|
|
LoadExportSymbols(
|
|
PMODULE_ENTRY mi,
|
|
PIMGHLP_DEBUG_DATA pIDD
|
|
)
|
|
{
|
|
PULONG names;
|
|
PULONG addrs;
|
|
PUSHORT ordinals;
|
|
PUSHORT ordidx = NULL;
|
|
ULONG cnt;
|
|
ULONG idx;
|
|
PIMAGE_EXPORT_DIRECTORY expdir;
|
|
PCHAR expbuf = NULL;
|
|
ULONG i;
|
|
PSYMBOL_ENTRY sym;
|
|
ULONG NameSize;
|
|
HANDLE hp;
|
|
ULONG64 base;
|
|
CHAR name[2048];
|
|
BOOL rc;
|
|
DWORD64 endExports;
|
|
PCHAR p;
|
|
|
|
if (g.SymOptions & SYMOPT_EXACT_SYMBOLS)
|
|
return 0;
|
|
|
|
// setup pointers for grabing data
|
|
|
|
switch (pIDD->dsExports) {
|
|
case dsInProc:
|
|
hp = pIDD->hProcess;
|
|
expbuf = (PCHAR)MemAlloc(pIDD->cExports);
|
|
if (!expbuf)
|
|
goto cleanup;
|
|
if (!ReadImageData(hp, pIDD->InProcImageBase, pIDD->oExports, expbuf, pIDD->cExports))
|
|
goto cleanup;
|
|
base = (ULONG64)expbuf - pIDD->oExports;
|
|
expdir = (PIMAGE_EXPORT_DIRECTORY)expbuf;
|
|
break;
|
|
case dsImage:
|
|
hp = NULL;
|
|
expbuf = NULL;
|
|
if (!pIDD->ImageMap)
|
|
pIDD->ImageMap = MapItRO(pIDD->ImageFileHandle);
|
|
base = (ULONG64)pIDD->ImageMap;
|
|
expdir = &pIDD->expdir;
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
|
|
cnt = 0;
|
|
|
|
names = (PULONG)expptr(hp, base, pIDD, expdir->AddressOfNames);
|
|
if (!names)
|
|
goto cleanup;
|
|
|
|
addrs = (PULONG)expptr(hp, base, pIDD, expdir->AddressOfFunctions);
|
|
if (!addrs)
|
|
goto cleanup;
|
|
|
|
ordinals = (PUSHORT)expptr(hp, base, pIDD, expdir->AddressOfNameOrdinals);
|
|
if (!ordinals)
|
|
goto cleanup;
|
|
|
|
ordidx = (PUSHORT) MemAlloc( max(expdir->NumberOfFunctions, expdir->NumberOfNames) * sizeof(USHORT) );
|
|
|
|
if (!ordidx)
|
|
goto cleanup;
|
|
|
|
cnt = 0;
|
|
NameSize = 0;
|
|
|
|
// count the symbols
|
|
|
|
for (i=0; i<expdir->NumberOfNames; i++) {
|
|
*name = 0;
|
|
p = expptr(hp, base, pIDD, names[i]);
|
|
if (!p)
|
|
continue;
|
|
strcpy(name, p);
|
|
if (!*name)
|
|
continue;
|
|
if (g.SymOptions & SYMOPT_UNDNAME) {
|
|
SymUnDNameInternal( mi->TmpSym.Name, TMP_SYM_LEN, name, strlen(name), mi->MachineType, TRUE );
|
|
NameSize += strlen(mi->TmpSym.Name);
|
|
cnt += 1;
|
|
} else {
|
|
NameSize += (strlen(name) + 2);
|
|
cnt += 1;
|
|
}
|
|
}
|
|
|
|
for (i=0,idx=expdir->NumberOfNames; i<expdir->NumberOfFunctions; i++) {
|
|
if (!ordidx[i]) {
|
|
NameSize += 16;
|
|
cnt += 1;
|
|
}
|
|
}
|
|
|
|
// allocate the symbol table
|
|
|
|
if (!CreateSymbolTable( mi, cnt, SymExport, NameSize )) {
|
|
cnt = 0;
|
|
goto cleanup;
|
|
}
|
|
|
|
// allocate the symbols
|
|
|
|
cnt = 0;
|
|
endExports = pIDD->oExports + pIDD->cExports;
|
|
|
|
for (i=0; i<expdir->NumberOfNames; i++) {
|
|
idx = ordinals[i];
|
|
ordidx[idx] = TRUE;
|
|
*name = 0;
|
|
p = expptr(hp, base, pIDD, names[i]);
|
|
if (!p)
|
|
continue;
|
|
strcpy(name, p);
|
|
if (!*name)
|
|
continue;
|
|
if (g.SymOptions & SYMOPT_UNDNAME) {
|
|
SymUnDNameInternal( mi->TmpSym.Name, TMP_SYM_LEN, (LPSTR)name, strlen(name), mi->MachineType, TRUE );
|
|
sym = AllocSym( mi, addrs[idx] + mi->BaseOfDll, mi->TmpSym.Name);
|
|
} else {
|
|
sym = AllocSym( mi, addrs[idx] + mi->BaseOfDll, name);
|
|
}
|
|
if (sym) {
|
|
cnt += 1;
|
|
}
|
|
if (pIDD->oExports <= addrs[idx]
|
|
&& addrs[idx] <= endExports)
|
|
{
|
|
sym->Flags |= SYMF_FORWARDER;
|
|
} else {
|
|
sym->Flags |= SYMF_EXPORT;
|
|
}
|
|
}
|
|
|
|
for (i=0,idx=expdir->NumberOfNames; i<expdir->NumberOfFunctions; i++) {
|
|
if (!ordidx[i]) {
|
|
CHAR NameBuf[sizeof("Ordinal99999") + 1]; // Ordinals are only 64k max.
|
|
strcpy( NameBuf, "Ordinal" );
|
|
_itoa( i+expdir->Base, &NameBuf[7], 10 );
|
|
sym = AllocSym( mi, addrs[i] + mi->BaseOfDll, NameBuf);
|
|
if (sym) {
|
|
cnt += 1;
|
|
}
|
|
idx += 1;
|
|
}
|
|
}
|
|
|
|
CompleteSymbolTable( mi );
|
|
|
|
cleanup:
|
|
if (expbuf) {
|
|
MemFree(expbuf);
|
|
}
|
|
if (ordidx) {
|
|
MemFree(ordidx);
|
|
}
|
|
|
|
return cnt;
|
|
}
|
|
|
|
|
|
BOOL
|
|
LoadCoffSymbols(
|
|
HANDLE hProcess,
|
|
PMODULE_ENTRY mi,
|
|
PIMGHLP_DEBUG_DATA pIDD
|
|
)
|
|
{
|
|
PIMAGE_COFF_SYMBOLS_HEADER pCoffHeader = (PIMAGE_COFF_SYMBOLS_HEADER)(pIDD->pMappedCoff);
|
|
PUCHAR stringTable;
|
|
PIMAGE_SYMBOL allSymbols;
|
|
DWORD numberOfSymbols;
|
|
PIMAGE_LINENUMBER LineNumbers;
|
|
PIMAGE_SYMBOL NextSymbol;
|
|
PIMAGE_SYMBOL Symbol;
|
|
PSYMBOL_ENTRY sym;
|
|
CHAR szSymName[256];
|
|
DWORD i;
|
|
DWORD64 addr;
|
|
DWORD CoffSymbols = 0;
|
|
DWORD NameSize = 0;
|
|
DWORD64 Bias;
|
|
|
|
allSymbols = (PIMAGE_SYMBOL)((PCHAR)pCoffHeader +
|
|
pCoffHeader->LvaToFirstSymbol);
|
|
|
|
stringTable = (PUCHAR)pCoffHeader +
|
|
pCoffHeader->LvaToFirstSymbol +
|
|
(pCoffHeader->NumberOfSymbols * IMAGE_SIZEOF_SYMBOL);
|
|
|
|
numberOfSymbols = pCoffHeader->NumberOfSymbols;
|
|
LineNumbers = (PIMAGE_LINENUMBER)(PCHAR)pCoffHeader +
|
|
pCoffHeader->LvaToFirstLinenumber;
|
|
|
|
//
|
|
// count the number of actual symbols
|
|
//
|
|
NextSymbol = allSymbols;
|
|
for (i= 0; i < numberOfSymbols; i++) {
|
|
Symbol = NextSymbol++;
|
|
if (Symbol->StorageClass == IMAGE_SYM_CLASS_EXTERNAL &&
|
|
Symbol->SectionNumber > 0) {
|
|
GetSymName( Symbol, stringTable, szSymName, sizeof(szSymName) );
|
|
if (szSymName[0] == '?' && szSymName[1] == '?' &&
|
|
szSymName[2] == '_' && szSymName[3] == 'C' ) {
|
|
//
|
|
// ignore strings
|
|
//
|
|
} else if (g.SymOptions & SYMOPT_UNDNAME) {
|
|
SymUnDNameInternal(mi->TmpSym.Name,
|
|
TMP_SYM_LEN,
|
|
szSymName,
|
|
strlen(szSymName),
|
|
mi->MachineType,
|
|
TRUE);
|
|
NameSize += strlen(mi->TmpSym.Name);
|
|
CoffSymbols += 1;
|
|
} else {
|
|
CoffSymbols += 1;
|
|
NameSize += (strlen(szSymName) + 1);
|
|
}
|
|
}
|
|
|
|
NextSymbol += Symbol->NumberOfAuxSymbols;
|
|
i += Symbol->NumberOfAuxSymbols;
|
|
}
|
|
|
|
//
|
|
// allocate the symbol table
|
|
//
|
|
if (!CreateSymbolTable( mi, CoffSymbols, SymCoff, NameSize )) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// populate the symbol table
|
|
//
|
|
|
|
if (mi->Flags & MIF_ROM_IMAGE) {
|
|
Bias = mi->BaseOfDll & 0xffffffff00000000;
|
|
} else {
|
|
Bias = mi->BaseOfDll;
|
|
}
|
|
|
|
NextSymbol = allSymbols;
|
|
for (i= 0; i < numberOfSymbols; i++) {
|
|
Symbol = NextSymbol++;
|
|
if (Symbol->StorageClass == IMAGE_SYM_CLASS_EXTERNAL &&
|
|
Symbol->SectionNumber > 0) {
|
|
GetSymName( Symbol, stringTable, szSymName, sizeof(szSymName) );
|
|
addr = Symbol->Value + Bias;
|
|
if (szSymName[0] == '?' && szSymName[1] == '?' &&
|
|
szSymName[2] == '_' && szSymName[3] == 'C' ) {
|
|
//
|
|
// ignore strings
|
|
//
|
|
} else if (g.SymOptions & SYMOPT_UNDNAME) {
|
|
SymUnDNameInternal(mi->TmpSym.Name,
|
|
TMP_SYM_LEN,
|
|
szSymName,
|
|
strlen(szSymName),
|
|
mi->MachineType,
|
|
TRUE);
|
|
AllocSym( mi, addr, mi->TmpSym.Name);
|
|
} else {
|
|
AllocSym( mi, addr, szSymName );
|
|
}
|
|
}
|
|
|
|
NextSymbol += Symbol->NumberOfAuxSymbols;
|
|
i += Symbol->NumberOfAuxSymbols;
|
|
}
|
|
|
|
CompleteSymbolTable( mi );
|
|
|
|
if (g.SymOptions & SYMOPT_LOAD_LINES) {
|
|
AddLinesForCoff(mi, allSymbols, numberOfSymbols, LineNumbers);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
BOOL
|
|
LoadCodeViewSymbols(
|
|
HANDLE hProcess,
|
|
PMODULE_ENTRY mi,
|
|
PIMGHLP_DEBUG_DATA pIDD
|
|
)
|
|
{
|
|
DWORD i, j;
|
|
PPROCESS_ENTRY pe;
|
|
OMFSignature *omfSig;
|
|
OMFDirHeader *omfDirHdr;
|
|
OMFDirEntry *omfDirEntry;
|
|
OMFSymHash *omfSymHash;
|
|
DATASYM32 *dataSym;
|
|
DWORD64 addr;
|
|
DWORD CvSymbols;
|
|
DWORD NameSize;
|
|
SYMBOL_ENTRY SymEntry;
|
|
|
|
pe = FindProcessEntry( hProcess );
|
|
if (!pe) {
|
|
return FALSE;
|
|
}
|
|
|
|
pprint(pe, "LoadCodeViewSymbols:\n"
|
|
" hProcess %p\n"
|
|
" mi %p\n"
|
|
" pCvData %p\n"
|
|
" dwSize %x\n",
|
|
hProcess,
|
|
mi,
|
|
pIDD->pMappedCv,
|
|
pIDD->cMappedCv
|
|
);
|
|
|
|
omfSig = (OMFSignature*) pIDD->pMappedCv;
|
|
if ((*(DWORD *)(omfSig->Signature) != '80BN') &&
|
|
(*(DWORD *)(omfSig->Signature) != '90BN') &&
|
|
(*(DWORD *)(omfSig->Signature) != '11BN'))
|
|
{
|
|
if ((*(DWORD *)(omfSig->Signature) != '01BN') &&
|
|
(*(DWORD *)(omfSig->Signature) != 'SDSR'))
|
|
{
|
|
pprint(pe, "unrecognized OMF sig: %x\n", *(DWORD *)(omfSig->Signature));
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// count the number of actual symbols
|
|
//
|
|
omfDirHdr = (OMFDirHeader*) ((ULONG_PTR)omfSig + (DWORD)omfSig->filepos);
|
|
omfDirEntry = (OMFDirEntry*) ((ULONG_PTR)omfDirHdr + sizeof(OMFDirHeader));
|
|
|
|
NameSize = 0;
|
|
CvSymbols = 0;
|
|
|
|
for (i=0; i<omfDirHdr->cDir; i++,omfDirEntry++) {
|
|
LPSTR SymbolName;
|
|
UCHAR SymbolLen;
|
|
SYMBOL_ENTRY SymEntry;
|
|
|
|
if (omfDirEntry->SubSection == sstGlobalPub) {
|
|
omfSymHash = (OMFSymHash*) ((ULONG_PTR)omfSig + omfDirEntry->lfo);
|
|
dataSym = (DATASYM32*) ((ULONG_PTR)omfSig + omfDirEntry->lfo + sizeof(OMFSymHash));
|
|
for (j=sizeof(OMFSymHash); j<=omfSymHash->cbSymbol; ) {
|
|
addr = 0;
|
|
cvExtractSymbolInfo(mi, (PCHAR) dataSym, &SymEntry, FALSE);
|
|
if (SymEntry.Segment && (SymEntry.Segment <= mi->OriginalNumSections))
|
|
{
|
|
addr = mi->OriginalSectionHdrs[SymEntry.Segment-1].VirtualAddress + SymEntry.Offset + mi->BaseOfDll;
|
|
SymbolName = SymEntry.Name;
|
|
SymbolLen = (UCHAR) SymEntry.NameLength;
|
|
if (SymbolName[0] == '?' &&
|
|
SymbolName[1] == '?' &&
|
|
SymbolName[2] == '_' &&
|
|
SymbolName[3] == 'C' )
|
|
{
|
|
//
|
|
// ignore strings
|
|
//
|
|
} else if (g.SymOptions & SYMOPT_UNDNAME) {
|
|
SymUnDNameInternal(mi->TmpSym.Name,
|
|
TMP_SYM_LEN,
|
|
SymbolName,
|
|
SymbolLen,
|
|
mi->MachineType,
|
|
TRUE);
|
|
NameSize += strlen(mi->TmpSym.Name);
|
|
CvSymbols += 1;
|
|
} else {
|
|
CvSymbols += 1;
|
|
NameSize += SymbolLen + 1;
|
|
}
|
|
}
|
|
j += dataSym->reclen + 2;
|
|
dataSym = (DATASYM32*) ((ULONG_PTR)dataSym + dataSym->reclen + 2);
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// allocate the symbol table
|
|
//
|
|
if (!CreateSymbolTable( mi, CvSymbols, SymCv, NameSize )) {
|
|
pprint(pe, "CreateSymbolTable failed\n");
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// populate the symbol table
|
|
//
|
|
omfDirHdr = (OMFDirHeader*) ((ULONG_PTR)omfSig + (DWORD)omfSig->filepos);
|
|
omfDirEntry = (OMFDirEntry*) ((ULONG_PTR)omfDirHdr + sizeof(OMFDirHeader));
|
|
for (i=0; i<omfDirHdr->cDir; i++,omfDirEntry++) {
|
|
LPSTR SymbolName;
|
|
if (omfDirEntry->SubSection == sstGlobalPub) {
|
|
omfSymHash = (OMFSymHash*) ((ULONG_PTR)omfSig + omfDirEntry->lfo);
|
|
dataSym = (DATASYM32*) ((ULONG_PTR)omfSig + omfDirEntry->lfo + sizeof(OMFSymHash));
|
|
for (j=sizeof(OMFSymHash); j<=omfSymHash->cbSymbol; ) {
|
|
addr = 0;
|
|
cvExtractSymbolInfo(mi, (PCHAR) dataSym, &SymEntry, FALSE);
|
|
|
|
|
|
if (SymEntry.Segment && (SymEntry.Segment <= mi->OriginalNumSections))
|
|
{
|
|
addr = mi->OriginalSectionHdrs[SymEntry.Segment-1].VirtualAddress + SymEntry.Offset + mi->BaseOfDll;
|
|
SymbolName = SymEntry.Name;
|
|
if (SymbolName[0] == '?' &&
|
|
SymbolName[1] == '?' &&
|
|
SymbolName[2] == '_' &&
|
|
SymbolName[3] == 'C' )
|
|
{
|
|
//
|
|
// ignore strings
|
|
//
|
|
} else if (g.SymOptions & SYMOPT_UNDNAME) {
|
|
SymUnDNameInternal(mi->TmpSym.Name,
|
|
TMP_SYM_LEN,
|
|
SymbolName,
|
|
SymEntry.NameLength,
|
|
mi->MachineType,
|
|
TRUE);
|
|
AllocSym( mi, addr, (LPSTR) mi->TmpSym.Name);
|
|
} else {
|
|
mi->TmpSym.NameLength = SymEntry.NameLength;
|
|
memcpy( mi->TmpSym.Name, SymbolName, mi->TmpSym.NameLength );
|
|
mi->TmpSym.Name[mi->TmpSym.NameLength] = 0;
|
|
AllocSym( mi, addr, mi->TmpSym.Name);
|
|
}
|
|
}
|
|
j += dataSym->reclen + 2;
|
|
dataSym = (DATASYM32*) ((ULONG_PTR)dataSym + dataSym->reclen + 2);
|
|
}
|
|
break;
|
|
}
|
|
else if (omfDirEntry->SubSection == sstSrcModule &&
|
|
(g.SymOptions & SYMOPT_LOAD_LINES)) {
|
|
AddLinesForOmfSourceModule(mi,
|
|
(PUCHAR)(pIDD->pMappedCv)+omfDirEntry->lfo,
|
|
(OMFSourceModule *)
|
|
((PCHAR)(pIDD->pMappedCv)+omfDirEntry->lfo),
|
|
NULL);
|
|
}
|
|
}
|
|
|
|
CompleteSymbolTable( mi );
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
VOID
|
|
GetSymName(
|
|
PIMAGE_SYMBOL Symbol,
|
|
PUCHAR StringTable,
|
|
LPSTR s,
|
|
DWORD size
|
|
)
|
|
{
|
|
DWORD i;
|
|
|
|
if (Symbol->n_zeroes) {
|
|
for (i=0; i<8; i++) {
|
|
if ((Symbol->n_name[i]>0x1f) && (Symbol->n_name[i]<0x7f)) {
|
|
*s++ = Symbol->n_name[i];
|
|
}
|
|
}
|
|
*s = 0;
|
|
}
|
|
else {
|
|
strncpy( s, (char *) &StringTable[Symbol->n_offset], size );
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
ProcessOmapForModule(
|
|
PMODULE_ENTRY mi,
|
|
PIMGHLP_DEBUG_DATA pIDD
|
|
)
|
|
{
|
|
PSYMBOL_ENTRY sym;
|
|
PSYMBOL_ENTRY symN;
|
|
DWORD i;
|
|
ULONG64 addr;
|
|
DWORD bias;
|
|
PFPO_DATA fpo;
|
|
|
|
if (pIDD->cOmapTo && pIDD->pOmapTo) {
|
|
if (pIDD->fOmapToMapped || pIDD->dia) {
|
|
mi->pOmapTo = (POMAP)MemAlloc(pIDD->cOmapTo * sizeof(OMAP));
|
|
if (mi->pOmapTo) {
|
|
CopyMemory(
|
|
mi->pOmapTo,
|
|
pIDD->pOmapTo,
|
|
pIDD->cOmapTo * sizeof(OMAP)
|
|
);
|
|
}
|
|
} else {
|
|
mi->pOmapTo = pIDD->pOmapTo;
|
|
}
|
|
mi->cOmapTo = pIDD->cOmapTo;
|
|
}
|
|
|
|
if (pIDD->cOmapFrom && pIDD->pOmapFrom) {
|
|
if (pIDD->fOmapFromMapped) {
|
|
mi->pOmapFrom = (POMAP)MemAlloc(pIDD->cOmapFrom * sizeof(OMAP));
|
|
if (mi->pOmapFrom) {
|
|
CopyMemory(
|
|
mi->pOmapFrom,
|
|
pIDD->pOmapFrom,
|
|
pIDD->cOmapFrom * sizeof(OMAP)
|
|
);
|
|
}
|
|
} else {
|
|
mi->pOmapFrom = pIDD->pOmapFrom;
|
|
}
|
|
mi->cOmapFrom = pIDD->cOmapFrom;
|
|
}
|
|
|
|
if (mi->pFpoData) {
|
|
//
|
|
// if this module is BBT-optimized, then build
|
|
// another fpo table with omap transalation
|
|
//
|
|
mi->pFpoDataOmap = (PFPO_DATA)VirtualAlloc(
|
|
NULL,
|
|
sizeof(FPO_DATA) * mi->dwEntries,
|
|
MEM_COMMIT,
|
|
PAGE_READWRITE
|
|
);
|
|
if (mi->pFpoDataOmap) {
|
|
CopyMemory(
|
|
mi->pFpoDataOmap,
|
|
pIDD->pFpo,
|
|
sizeof(FPO_DATA) * mi->dwEntries
|
|
);
|
|
for (i = 0, fpo = mi->pFpoDataOmap;
|
|
i < mi->dwEntries;
|
|
i++, fpo++) {
|
|
addr = ConvertOmapFromSrc(mi,
|
|
mi->BaseOfDll + fpo->ulOffStart,
|
|
&bias);
|
|
if (addr)
|
|
fpo->ulOffStart = (ULONG)(addr - mi->BaseOfDll) + bias;
|
|
}
|
|
VirtualProtect(
|
|
mi->pFpoData,
|
|
sizeof(FPO_DATA) * mi->dwEntries,
|
|
PAGE_READONLY,
|
|
&i
|
|
);
|
|
}
|
|
}
|
|
|
|
if (!mi->pOmapFrom ||
|
|
!mi->symbolTable ||
|
|
((mi->SymType != SymCoff) && (mi->SymType != SymCv))
|
|
)
|
|
{
|
|
return;
|
|
}
|
|
|
|
for (i=0; i<mi->numsyms; i++) {
|
|
ProcessOmapSymbol( mi, &mi->symbolTable[i] );
|
|
}
|
|
|
|
CompleteSymbolTable( mi );
|
|
}
|
|
|
|
|
|
BOOL
|
|
ProcessOmapSymbol(
|
|
PMODULE_ENTRY mi,
|
|
PSYMBOL_ENTRY sym
|
|
)
|
|
{
|
|
DWORD bias;
|
|
DWORD64 OptimizedSymAddr;
|
|
DWORD rvaSym;
|
|
POMAPLIST pomaplistHead;
|
|
DWORD64 SymbolValue;
|
|
DWORD64 OrgSymAddr;
|
|
POMAPLIST pomaplistNew;
|
|
POMAPLIST pomaplistPrev;
|
|
POMAPLIST pomaplistCur;
|
|
POMAPLIST pomaplistNext;
|
|
DWORD rva;
|
|
DWORD rvaTo;
|
|
DWORD cb;
|
|
DWORD end;
|
|
DWORD rvaToNext;
|
|
LPSTR NewSymName;
|
|
CHAR Suffix[32];
|
|
DWORD64 addrNew;
|
|
POMAP pomap;
|
|
PSYMBOL_ENTRY symOmap;
|
|
|
|
if ((sym->Flags & SYMF_OMAP_GENERATED) || (sym->Flags & SYMF_OMAP_MODIFIED)) {
|
|
return FALSE;
|
|
}
|
|
|
|
OrgSymAddr = SymbolValue = sym->Address;
|
|
|
|
OptimizedSymAddr = ConvertOmapFromSrc( mi, SymbolValue, &bias );
|
|
|
|
if (OptimizedSymAddr == 0) {
|
|
//
|
|
// No equivalent address
|
|
//
|
|
sym->Address = 0;
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
//
|
|
// We have successfully converted
|
|
//
|
|
sym->Address = OptimizedSymAddr + bias;
|
|
|
|
rvaSym = (ULONG)(SymbolValue - mi->BaseOfDll);
|
|
SymbolValue = sym->Address;
|
|
|
|
pomap = GetOmapFromSrcEntry( mi, OrgSymAddr );
|
|
if (!pomap) {
|
|
goto exit;
|
|
}
|
|
|
|
pomaplistHead = NULL;
|
|
|
|
//
|
|
// Look for all OMAP entries belonging to SymbolEntry
|
|
//
|
|
|
|
end = (ULONG)(OrgSymAddr - mi->BaseOfDll + sym->Size);
|
|
|
|
while (pomap && (pomap->rva < end)) {
|
|
|
|
if (pomap->rvaTo == 0) {
|
|
pomap++;
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Allocate and initialize a new entry
|
|
//
|
|
pomaplistNew = (POMAPLIST) MemAlloc( sizeof(OMAPLIST) );
|
|
if (!pomaplistNew) {
|
|
return FALSE;
|
|
}
|
|
|
|
pomaplistNew->omap = *pomap;
|
|
pomaplistNew->cb = pomap[1].rva - pomap->rva;
|
|
|
|
pomaplistPrev = NULL;
|
|
pomaplistCur = pomaplistHead;
|
|
|
|
while (pomaplistCur != NULL) {
|
|
if (pomap->rvaTo < pomaplistCur->omap.rvaTo) {
|
|
//
|
|
// Insert between Prev and Cur
|
|
//
|
|
break;
|
|
}
|
|
pomaplistPrev = pomaplistCur;
|
|
pomaplistCur = pomaplistCur->next;
|
|
}
|
|
|
|
if (pomaplistPrev == NULL) {
|
|
//
|
|
// Insert in head position
|
|
//
|
|
pomaplistHead = pomaplistNew;
|
|
} else {
|
|
pomaplistPrev->next = pomaplistNew;
|
|
}
|
|
|
|
pomaplistNew->next = pomaplistCur;
|
|
|
|
pomap++;
|
|
}
|
|
|
|
if (pomaplistHead == NULL) {
|
|
goto exit;
|
|
}
|
|
|
|
pomaplistCur = pomaplistHead;
|
|
pomaplistNext = pomaplistHead->next;
|
|
|
|
//
|
|
// we do have a list
|
|
//
|
|
while (pomaplistNext != NULL) {
|
|
rva = pomaplistCur->omap.rva;
|
|
rvaTo = pomaplistCur->omap.rvaTo;
|
|
cb = pomaplistCur->cb;
|
|
rvaToNext = pomaplistNext->omap.rvaTo;
|
|
|
|
if (rvaToNext == sym->Address - mi->BaseOfDll) {
|
|
//
|
|
// Already inserted above
|
|
//
|
|
} else if (rvaToNext < (rvaTo + cb + 8)) {
|
|
//
|
|
// Adjacent to previous range
|
|
//
|
|
} else {
|
|
addrNew = mi->BaseOfDll + rvaToNext;
|
|
Suffix[0] = '_';
|
|
_ltoa( pomaplistNext->omap.rva - rvaSym, &Suffix[1], 10 );
|
|
memcpy( mi->TmpSym.Name, sym->Name, sym->NameLength );
|
|
strncpy( &mi->TmpSym.Name[sym->NameLength], Suffix, strlen(Suffix) + 1 );
|
|
symOmap = AllocSym( mi, addrNew, mi->TmpSym.Name);
|
|
if (symOmap) {
|
|
symOmap->Flags |= SYMF_OMAP_GENERATED;
|
|
}
|
|
}
|
|
|
|
MemFree(pomaplistCur);
|
|
|
|
pomaplistCur = pomaplistNext;
|
|
pomaplistNext = pomaplistNext->next;
|
|
}
|
|
|
|
MemFree(pomaplistCur);
|
|
|
|
exit:
|
|
if (sym->Address != OrgSymAddr) {
|
|
sym->Flags |= SYMF_OMAP_MODIFIED;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
DWORD64
|
|
ConvertOmapFromSrc(
|
|
PMODULE_ENTRY mi,
|
|
DWORD64 addr,
|
|
LPDWORD bias
|
|
)
|
|
{
|
|
DWORD rva;
|
|
DWORD comap;
|
|
POMAP pomapLow;
|
|
POMAP pomapHigh;
|
|
DWORD comapHalf;
|
|
POMAP pomapMid;
|
|
|
|
|
|
*bias = 0;
|
|
|
|
if (!mi->pOmapFrom) {
|
|
return addr;
|
|
}
|
|
|
|
rva = (DWORD)(addr - mi->BaseOfDll);
|
|
|
|
comap = mi->cOmapFrom;
|
|
pomapLow = mi->pOmapFrom;
|
|
pomapHigh = pomapLow + comap;
|
|
|
|
while (pomapLow < pomapHigh) {
|
|
|
|
comapHalf = comap / 2;
|
|
|
|
pomapMid = pomapLow + ((comap & 1) ? comapHalf : (comapHalf - 1));
|
|
|
|
if (rva == pomapMid->rva) {
|
|
if (pomapMid->rvaTo) {
|
|
return mi->BaseOfDll + pomapMid->rvaTo;
|
|
} else {
|
|
return(0); // No need adding the base. This address was discarded...
|
|
}
|
|
}
|
|
|
|
if (rva < pomapMid->rva) {
|
|
pomapHigh = pomapMid;
|
|
comap = (comap & 1) ? comapHalf : (comapHalf - 1);
|
|
} else {
|
|
pomapLow = pomapMid + 1;
|
|
comap = comapHalf;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If no exact match, pomapLow points to the next higher address
|
|
//
|
|
if (pomapLow == mi->pOmapFrom) {
|
|
//
|
|
// This address was not found
|
|
//
|
|
return 0;
|
|
}
|
|
|
|
if (pomapLow[-1].rvaTo == 0) {
|
|
//
|
|
// This address is in a discarded block
|
|
//
|
|
return 0;
|
|
}
|
|
|
|
//
|
|
// Return the closest address plus the bias
|
|
//
|
|
*bias = rva - pomapLow[-1].rva;
|
|
|
|
return mi->BaseOfDll + pomapLow[-1].rvaTo;
|
|
}
|
|
|
|
|
|
DWORD64
|
|
ConvertOmapToSrc(
|
|
PMODULE_ENTRY mi,
|
|
DWORD64 addr,
|
|
LPDWORD bias,
|
|
BOOL fBackup
|
|
)
|
|
{
|
|
DWORD rva;
|
|
DWORD comap;
|
|
POMAP pomapLow;
|
|
POMAP pomapHigh;
|
|
DWORD comapHalf;
|
|
POMAP pomapMid;
|
|
|
|
*bias = 0;
|
|
|
|
if (!mi->pOmapTo) {
|
|
return addr;
|
|
}
|
|
|
|
rva = (DWORD)(addr - mi->BaseOfDll);
|
|
|
|
comap = mi->cOmapTo;
|
|
pomapLow = mi->pOmapTo;
|
|
pomapHigh = pomapLow + comap;
|
|
|
|
while (pomapLow < pomapHigh) {
|
|
|
|
comapHalf = comap / 2;
|
|
|
|
pomapMid = pomapLow + ((comap & 1) ? comapHalf : (comapHalf - 1));
|
|
|
|
if (rva == pomapMid->rva) {
|
|
if (pomapMid->rvaTo == 0) {
|
|
//
|
|
// We may be at the start of an inserted branch instruction
|
|
//
|
|
|
|
if (fBackup) {
|
|
//
|
|
// Return information about the next lower address
|
|
//
|
|
|
|
rva--;
|
|
pomapLow = pomapMid;
|
|
break;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
return mi->BaseOfDll + pomapMid->rvaTo;
|
|
}
|
|
|
|
if (rva < pomapMid->rva) {
|
|
pomapHigh = pomapMid;
|
|
comap = (comap & 1) ? comapHalf : (comapHalf - 1);
|
|
} else {
|
|
pomapLow = pomapMid + 1;
|
|
comap = comapHalf;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If no exact match, pomapLow points to the next higher address
|
|
//
|
|
|
|
if (pomapLow == mi->pOmapTo) {
|
|
//
|
|
// This address was not found
|
|
//
|
|
return 0;
|
|
}
|
|
|
|
// find the previous valid item in the omap
|
|
|
|
do {
|
|
pomapLow--;
|
|
if (pomapLow->rvaTo)
|
|
break;
|
|
} while (pomapLow > mi->pOmapTo);
|
|
|
|
// should never occur
|
|
|
|
// assert(pomapLow->rvaTo);
|
|
if (pomapLow->rvaTo == 0) {
|
|
return 0;
|
|
}
|
|
|
|
//
|
|
// Return the new address plus the bias
|
|
//
|
|
*bias = rva - pomapLow->rva;
|
|
|
|
return mi->BaseOfDll + pomapLow->rvaTo;
|
|
}
|
|
|
|
POMAP
|
|
GetOmapFromSrcEntry(
|
|
PMODULE_ENTRY mi,
|
|
DWORD64 addr
|
|
)
|
|
{
|
|
DWORD rva;
|
|
DWORD comap;
|
|
POMAP pomapLow;
|
|
POMAP pomapHigh;
|
|
DWORD comapHalf;
|
|
POMAP pomapMid;
|
|
|
|
|
|
if (mi->pOmapFrom == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
rva = (DWORD)(addr - mi->BaseOfDll);
|
|
|
|
comap = mi->cOmapFrom;
|
|
pomapLow = mi->pOmapFrom;
|
|
pomapHigh = pomapLow + comap;
|
|
|
|
while (pomapLow < pomapHigh) {
|
|
|
|
comapHalf = comap / 2;
|
|
|
|
pomapMid = pomapLow + ((comap & 1) ? comapHalf : (comapHalf - 1));
|
|
|
|
if (rva == pomapMid->rva) {
|
|
return pomapMid;
|
|
}
|
|
|
|
if (rva < pomapMid->rva) {
|
|
pomapHigh = pomapMid;
|
|
comap = (comap & 1) ? comapHalf : (comapHalf - 1);
|
|
} else {
|
|
pomapLow = pomapMid + 1;
|
|
comap = comapHalf;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
VOID
|
|
DumpOmapForModule(
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
POMAP pomap;
|
|
DWORD i;
|
|
|
|
i = sizeof(ULONG_PTR);
|
|
i = sizeof(DWORD);
|
|
|
|
if (!mi->pOmapFrom)
|
|
return;
|
|
|
|
dprint("\nOMAP FROM:\n");
|
|
for(i = 0, pomap = mi->pOmapFrom;
|
|
i < 100; // mi->cOmapFrom;
|
|
i++, pomap++)
|
|
{
|
|
dprint("%8x %8x\n", pomap->rva, pomap->rvaTo);
|
|
}
|
|
|
|
if (!mi->pOmapTo)
|
|
return;
|
|
|
|
dprint("\nOMAP TO:\n");
|
|
for(i = 0, pomap = mi->pOmapTo;
|
|
i < 100; // mi->cOmapTo;
|
|
i++, pomap++)
|
|
{
|
|
dprint("%8x %8x\n", pomap->rva, pomap->rvaTo);
|
|
}
|
|
}
|
|
|
|
|
|
LPSTR
|
|
StringDup(
|
|
LPSTR str
|
|
)
|
|
{
|
|
LPSTR ds = (LPSTR) MemAlloc( strlen(str) + 1 );
|
|
if (ds) {
|
|
strcpy( ds, str );
|
|
}
|
|
return ds;
|
|
}
|
|
|
|
|
|
BOOL
|
|
InternalGetModule(
|
|
HANDLE hProcess,
|
|
LPSTR ModuleName,
|
|
DWORD64 ImageBase,
|
|
DWORD ImageSize,
|
|
PVOID Context
|
|
)
|
|
{
|
|
InternalLoadModule(
|
|
hProcess,
|
|
ModuleName,
|
|
NULL,
|
|
ImageBase,
|
|
ImageSize,
|
|
NULL,
|
|
0,
|
|
NULL
|
|
);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
BOOL
|
|
LoadedModuleEnumerator(
|
|
HANDLE hProcess,
|
|
LPSTR ModuleName,
|
|
DWORD64 ImageBase,
|
|
DWORD ImageSize,
|
|
PLOADED_MODULE lm
|
|
)
|
|
{
|
|
if (lm->EnumLoadedModulesCallback64) {
|
|
return lm->EnumLoadedModulesCallback64( ModuleName, ImageBase, ImageSize, lm->Context );
|
|
} else {
|
|
return lm->EnumLoadedModulesCallback32( ModuleName, (DWORD)ImageBase, ImageSize, lm->Context );
|
|
}
|
|
}
|
|
|
|
|
|
BOOL
|
|
ToggleFailCriticalErrors(
|
|
BOOL reset
|
|
)
|
|
{
|
|
static UINT oldmode = 0;
|
|
|
|
if (!(g.SymOptions & SYMOPT_FAIL_CRITICAL_ERRORS))
|
|
return FALSE;
|
|
|
|
if (reset)
|
|
SetErrorMode(oldmode);
|
|
else
|
|
oldmode = SetErrorMode(SEM_FAILCRITICALERRORS);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
DWORD
|
|
fnGetFileAttributes(
|
|
LPCTSTR lpFileName
|
|
)
|
|
{
|
|
DWORD rc;
|
|
|
|
SetCriticalErrorMode();
|
|
rc = GetFileAttributes(lpFileName);
|
|
ResetCriticalErrorMode();
|
|
|
|
return rc;
|
|
}
|
|
|
|
|
|
LPSTR
|
|
SymUnDNameInternal(
|
|
LPSTR UnDecName,
|
|
DWORD UnDecNameLength,
|
|
LPSTR DecName,
|
|
DWORD DecNameLength,
|
|
DWORD MachineType,
|
|
BOOL IsPublic
|
|
)
|
|
{
|
|
LPSTR p;
|
|
ULONG Suffix;
|
|
ULONG i;
|
|
LPSTR TmpDecName;
|
|
|
|
UnDecName[0] = 0;
|
|
|
|
if (DecName[0] == '?' || !strncmp(DecName, ".?", 2) || !strncmp(DecName, "..?", 3)) {
|
|
|
|
__try {
|
|
|
|
if (DecName[0] == '.') {
|
|
if (DecName[1] == '.') {
|
|
Suffix = 2;
|
|
UnDecName[0] = '.';
|
|
UnDecName[1] = '.';
|
|
} else { // DecName[1] = '?'
|
|
Suffix = 1;
|
|
UnDecName[0] = '.';
|
|
}
|
|
} else { // DecName[0] = '?'
|
|
Suffix = 0;
|
|
}
|
|
|
|
TmpDecName = (LPSTR)MemAlloc( 4096 );
|
|
if (!TmpDecName) {
|
|
strncat( UnDecName, DecName, min(DecNameLength,UnDecNameLength) );
|
|
return UnDecName;
|
|
}
|
|
TmpDecName[0] = 0;
|
|
strncat( TmpDecName, DecName+Suffix, DecNameLength );
|
|
|
|
if (UnDecorateSymbolName( TmpDecName,
|
|
UnDecName+Suffix,
|
|
UnDecNameLength-Suffix,
|
|
UNDNAME_NAME_ONLY ) == 0 ) {
|
|
strncat( UnDecName, DecName, min(DecNameLength,UnDecNameLength) );
|
|
}
|
|
|
|
MemFree( TmpDecName );
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
strncat( UnDecName, DecName, min(DecNameLength,UnDecNameLength) );
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
__try {
|
|
|
|
if ((IsPublic && (DecName[0] == '_' || DecName[0] == '.'))
|
|
|| DecName[0] == '@') {
|
|
DecName += 1;
|
|
DecNameLength -= 1;
|
|
}
|
|
|
|
p = 0;
|
|
for (i = 0; i < DecNameLength; i++) {
|
|
if (DecName [i] == '@') {
|
|
p = &DecName [i];
|
|
break;
|
|
}
|
|
}
|
|
if (p) {
|
|
i = (int)(p - DecName);
|
|
} else {
|
|
i = min(DecNameLength,UnDecNameLength);
|
|
}
|
|
|
|
strncat( UnDecName, DecName, i );
|
|
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
strncat( UnDecName, DecName, min(DecNameLength,UnDecNameLength) );
|
|
|
|
}
|
|
}
|
|
|
|
if (g.SymOptions & SYMOPT_NO_CPP) {
|
|
while (p = strstr( UnDecName, "::" )) {
|
|
p[0] = '_';
|
|
p[1] = '_';
|
|
}
|
|
}
|
|
|
|
return UnDecName;
|
|
}
|
|
|
|
|
|
BOOL
|
|
MatchSymName(
|
|
LPSTR matchName,
|
|
LPSTR symName
|
|
)
|
|
{
|
|
assert(matchName && symName);
|
|
if (!*matchName || !*symName)
|
|
return FALSE;
|
|
|
|
if (g.SymOptions & SYMOPT_CASE_INSENSITIVE) {
|
|
if (!_strnicmp(matchName, symName, MAX_SYM_NAME))
|
|
return TRUE;
|
|
} else {
|
|
if (!strncmp(matchName, symName, MAX_SYM_NAME))
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
PIMAGEHLP_SYMBOL
|
|
symcpy32(
|
|
PIMAGEHLP_SYMBOL External,
|
|
PSYMBOL_ENTRY Internal
|
|
)
|
|
{
|
|
External->Address = (ULONG)Internal->Address;
|
|
External->Size = Internal->Size;
|
|
External->Flags = Internal->Flags;
|
|
|
|
External->Name[0] = 0;
|
|
strncat( External->Name, Internal->Name, External->MaxNameLength );
|
|
|
|
return External;
|
|
}
|
|
|
|
PIMAGEHLP_SYMBOL64
|
|
symcpy64(
|
|
PIMAGEHLP_SYMBOL64 External,
|
|
PSYMBOL_ENTRY Internal
|
|
)
|
|
{
|
|
External->Address = Internal->Address;
|
|
External->Size = Internal->Size;
|
|
External->Flags = Internal->Flags;
|
|
|
|
External->Name[0] = 0;
|
|
strncat( External->Name, Internal->Name, External->MaxNameLength );
|
|
|
|
return External;
|
|
}
|
|
|
|
BOOL
|
|
SympConvertSymbol64To32(
|
|
PIMAGEHLP_SYMBOL64 Symbol64,
|
|
PIMAGEHLP_SYMBOL Symbol32
|
|
)
|
|
{
|
|
Symbol32->Address = (DWORD)Symbol64->Address;
|
|
Symbol32->Size = Symbol64->Size;
|
|
Symbol32->Flags = Symbol64->Flags;
|
|
Symbol32->MaxNameLength = Symbol64->MaxNameLength;
|
|
Symbol32->Name[0] = 0;
|
|
strncat( Symbol32->Name, Symbol64->Name, Symbol32->MaxNameLength );
|
|
|
|
return (Symbol64->Address >> 32) == 0;
|
|
}
|
|
|
|
BOOL
|
|
SympConvertSymbol32To64(
|
|
PIMAGEHLP_SYMBOL Symbol32,
|
|
PIMAGEHLP_SYMBOL64 Symbol64
|
|
)
|
|
{
|
|
Symbol64->Address = Symbol32->Address;
|
|
Symbol64->Size = Symbol32->Size;
|
|
Symbol64->Flags = Symbol32->Flags;
|
|
Symbol64->MaxNameLength = Symbol32->MaxNameLength;
|
|
Symbol64->Name[0] = 0;
|
|
strncat( Symbol64->Name, Symbol32->Name, Symbol64->MaxNameLength );
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
BOOL
|
|
SympConvertLine64To32(
|
|
PIMAGEHLP_LINE64 Line64,
|
|
PIMAGEHLP_LINE Line32
|
|
)
|
|
{
|
|
Line32->Key = Line64->Key;
|
|
Line32->LineNumber = Line64->LineNumber;
|
|
Line32->FileName = Line64->FileName;
|
|
Line32->Address = (DWORD)Line64->Address;
|
|
|
|
return (Line64->Address >> 32) == 0;
|
|
}
|
|
|
|
BOOL
|
|
SympConvertLine32To64(
|
|
PIMAGEHLP_LINE Line32,
|
|
PIMAGEHLP_LINE64 Line64
|
|
)
|
|
{
|
|
Line64->Key = Line32->Key;
|
|
Line64->LineNumber = Line32->LineNumber;
|
|
Line64->FileName = Line32->FileName;
|
|
Line64->Address = Line32->Address;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
BOOL
|
|
__stdcall
|
|
ReadInProcMemory(
|
|
HANDLE hProcess,
|
|
DWORD64 addr,
|
|
PVOID buf,
|
|
DWORD bytes,
|
|
DWORD *bytesread
|
|
)
|
|
{
|
|
DWORD rc;
|
|
PPROCESS_ENTRY pe;
|
|
IMAGEHLP_CBA_READ_MEMORY rm;
|
|
|
|
rm.addr = addr;
|
|
rm.buf = buf;
|
|
rm.bytes = bytes;
|
|
rm.bytesread = bytesread;
|
|
|
|
rc = FALSE;
|
|
|
|
__try {
|
|
pe = FindProcessEntry(hProcess);
|
|
if (!pe) {
|
|
SetLastError( ERROR_INVALID_HANDLE );
|
|
return FALSE;
|
|
}
|
|
|
|
if (pe->pCallbackFunction32) {
|
|
rc = pe->pCallbackFunction32(pe->hProcess,
|
|
CBA_READ_MEMORY,
|
|
(PVOID)&rm,
|
|
(PVOID)pe->CallbackUserContext);
|
|
|
|
} else if (pe->pCallbackFunction64) {
|
|
rc = pe->pCallbackFunction64(pe->hProcess,
|
|
CBA_READ_MEMORY,
|
|
(ULONG64)&rm,
|
|
pe->CallbackUserContext);
|
|
} else {
|
|
SIZE_T RealBytesRead=0;
|
|
rc = ReadProcessMemory(hProcess,
|
|
(LPVOID)(ULONG_PTR)addr,
|
|
buf,
|
|
bytes,
|
|
&RealBytesRead);
|
|
*bytesread = (DWORD)RealBytesRead;
|
|
}
|
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
|
rc = FALSE;
|
|
}
|
|
|
|
return (rc != FALSE);
|
|
}
|
|
|
|
DWORD64
|
|
miGetModuleBase(
|
|
HANDLE hProcess,
|
|
DWORD64 Address
|
|
)
|
|
{
|
|
IMAGEHLP_MODULE64 ModuleInfo = {0};
|
|
ModuleInfo.SizeOfStruct = sizeof(ModuleInfo);
|
|
|
|
if (SymGetModuleInfo64(hProcess, Address, &ModuleInfo)) {
|
|
return ModuleInfo.BaseOfImage;
|
|
} else {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
BOOL
|
|
GetPData(
|
|
HANDLE hp,
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
BOOL status;
|
|
ULONG cb;
|
|
PCHAR pc;
|
|
BOOL fROM = FALSE;
|
|
IMAGE_DOS_HEADER DosHeader;
|
|
IMAGE_NT_HEADERS ImageNtHeaders;
|
|
PIMAGE_FILE_HEADER ImageFileHdr;
|
|
PIMAGE_OPTIONAL_HEADER ImageOptionalHdr;
|
|
PIMAGE_OPTIONAL_HEADER32 OptionalHeader32 = NULL;
|
|
PIMAGE_OPTIONAL_HEADER64 OptionalHeader64 = NULL;
|
|
ULONG feCount = 0;
|
|
ULONG i;
|
|
|
|
HANDLE fh = 0;
|
|
PCHAR base = NULL;
|
|
USHORT filetype;
|
|
PIMAGE_SEPARATE_DEBUG_HEADER sdh;
|
|
PIMAGE_DOS_HEADER dh;
|
|
PIMAGE_NT_HEADERS inth;
|
|
PIMAGE_OPTIONAL_HEADER32 ioh32;
|
|
PIMAGE_OPTIONAL_HEADER64 ioh64;
|
|
ULONG cdd;
|
|
PCHAR p;
|
|
PIMAGE_DEBUG_DIRECTORY dd;
|
|
ULONG cexp = 0;
|
|
ULONG tsize;
|
|
ULONG csize = 0;
|
|
|
|
// if the pdata is already loaded, return
|
|
|
|
if (mi->pExceptionData)
|
|
return TRUE;
|
|
|
|
if (!LoadSymbols(hp, mi, 0))
|
|
return FALSE;
|
|
|
|
// try to get pdata from dia
|
|
|
|
if (mi->dia) {
|
|
if ((mi->pPData) && (mi->dsExceptions == dsDia))
|
|
goto dia;
|
|
|
|
if (diaGetPData(mi)) {
|
|
p = (PCHAR)mi->pPData;
|
|
csize = mi->cbPData;
|
|
goto dia;
|
|
}
|
|
}
|
|
|
|
if (!mi->dsExceptions)
|
|
return FALSE;
|
|
|
|
// open the file and get the file type
|
|
|
|
SetCriticalErrorMode();
|
|
|
|
fh = CreateFile(mi->LoadedImageName,
|
|
GENERIC_READ,
|
|
g.OSVerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT ? (FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE) : (FILE_SHARE_READ | FILE_SHARE_WRITE),
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
0,
|
|
NULL
|
|
);
|
|
|
|
ResetCriticalErrorMode();
|
|
|
|
if (fh == INVALID_HANDLE_VALUE)
|
|
return FALSE;
|
|
|
|
base = (PCHAR)MapItRO(fh);
|
|
if (!base)
|
|
goto cleanup;
|
|
p = base;
|
|
|
|
filetype = *(USHORT *)p;
|
|
if (filetype == IMAGE_DOS_SIGNATURE)
|
|
goto image;
|
|
if (filetype == IMAGE_SEPARATE_DEBUG_SIGNATURE)
|
|
goto dbg;
|
|
goto cleanup;
|
|
|
|
image:
|
|
|
|
// process disk-based image
|
|
|
|
dh = (PIMAGE_DOS_HEADER)p;
|
|
p += dh->e_lfanew;
|
|
inth = (PIMAGE_NT_HEADERS)p;
|
|
|
|
if (inth->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
|
|
ioh32 = (PIMAGE_OPTIONAL_HEADER32)&inth->OptionalHeader;
|
|
p = base + ioh32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress;
|
|
csize = ioh32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size;
|
|
}
|
|
else if (inth->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
|
|
ioh64 = (PIMAGE_OPTIONAL_HEADER64)&inth->OptionalHeader;
|
|
p = base + ioh64->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress;
|
|
csize = ioh64->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size;
|
|
}
|
|
|
|
dia:
|
|
|
|
if (!csize)
|
|
goto cleanup;
|
|
|
|
switch (mi->MachineType)
|
|
{
|
|
case IMAGE_FILE_MACHINE_ALPHA:
|
|
cexp = csize / sizeof(IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY);
|
|
break;
|
|
case IMAGE_FILE_MACHINE_ALPHA64:
|
|
cexp = csize / sizeof(IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY);
|
|
break;
|
|
case IMAGE_FILE_MACHINE_IA64:
|
|
cexp = csize / sizeof(IMAGE_IA64_RUNTIME_FUNCTION_ENTRY);
|
|
break;
|
|
case IMAGE_FILE_MACHINE_AMD64:
|
|
cexp = csize / sizeof(_IMAGE_RUNTIME_FUNCTION_ENTRY);
|
|
break;
|
|
default:
|
|
goto cleanup;
|
|
}
|
|
|
|
goto table;
|
|
|
|
dbg:
|
|
|
|
// process dbg file
|
|
|
|
sdh = (PIMAGE_SEPARATE_DEBUG_HEADER)p;
|
|
cdd = sdh->DebugDirectorySize / sizeof(IMAGE_DEBUG_DIRECTORY);
|
|
p += sizeof(IMAGE_SEPARATE_DEBUG_HEADER) +
|
|
(sdh->NumberOfSections * sizeof(IMAGE_SECTION_HEADER)) +
|
|
sdh->ExportedNamesSize;
|
|
dd = (PIMAGE_DEBUG_DIRECTORY)p;
|
|
|
|
for (i = 0; i < cdd; i++, dd++) {
|
|
if (dd->Type == IMAGE_DEBUG_TYPE_EXCEPTION) {
|
|
p = base + dd->PointerToRawData;
|
|
cexp = dd->SizeOfData / sizeof(IMAGE_FUNCTION_ENTRY);
|
|
break;
|
|
}
|
|
}
|
|
|
|
table:
|
|
|
|
// parse the pdata into a table
|
|
|
|
if (!cexp)
|
|
goto cleanup;
|
|
|
|
tsize = cexp * sizeof(IMGHLP_RVA_FUNCTION_DATA);
|
|
|
|
mi->pExceptionData = (PIMGHLP_RVA_FUNCTION_DATA)VirtualAlloc( NULL, tsize, MEM_COMMIT, PAGE_READWRITE );
|
|
|
|
if (mi->pExceptionData) {
|
|
PIMGHLP_RVA_FUNCTION_DATA pIRFD = mi->pExceptionData;
|
|
switch (mi->MachineType) {
|
|
|
|
case IMAGE_FILE_MACHINE_ALPHA:
|
|
if (filetype == IMAGE_SEPARATE_DEBUG_SIGNATURE) {
|
|
// easy case. The addresses are already in rva format.
|
|
PIMAGE_FUNCTION_ENTRY pFE = (PIMAGE_FUNCTION_ENTRY)p;
|
|
for (i = 0; i < cexp; i++) {
|
|
pIRFD[i].rvaBeginAddress = pFE[i].StartingAddress;
|
|
pIRFD[i].rvaEndAddress = pFE[i].EndingAddress;
|
|
pIRFD[i].rvaPrologEndAddress = pFE[i].EndOfPrologue;
|
|
pIRFD[i].rvaExceptionHandler = 0;
|
|
pIRFD[i].rvaHandlerData = 0;
|
|
}
|
|
} else {
|
|
PIMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY pRFE = (PIMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY)p;
|
|
for (i = 0; i < cexp; i++) {
|
|
pIRFD[i].rvaBeginAddress = pRFE[i].BeginAddress - (ULONG)mi->BaseOfDll;
|
|
pIRFD[i].rvaEndAddress = pRFE[i].EndAddress - (ULONG)mi->BaseOfDll;
|
|
pIRFD[i].rvaPrologEndAddress = pRFE[i].PrologEndAddress - (ULONG)mi->BaseOfDll;
|
|
pIRFD[i].rvaExceptionHandler = pRFE[i].ExceptionHandler - (ULONG)mi->BaseOfDll;
|
|
pIRFD[i].rvaHandlerData = pRFE[i].HandlerData - (ULONG)mi->BaseOfDll;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IMAGE_FILE_MACHINE_ALPHA64:
|
|
{
|
|
PIMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY pRFE = (PIMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY)p;
|
|
for (i = 0; i < cexp; i++) {
|
|
pIRFD[i].rvaBeginAddress = (DWORD)(pRFE[i].BeginAddress - mi->BaseOfDll);
|
|
pIRFD[i].rvaEndAddress = (DWORD)(pRFE[i].EndAddress - mi->BaseOfDll);
|
|
pIRFD[i].rvaPrologEndAddress = (DWORD)(pRFE[i].PrologEndAddress - mi->BaseOfDll);
|
|
pIRFD[i].rvaExceptionHandler = (DWORD)(pRFE[i].ExceptionHandler - mi->BaseOfDll);
|
|
pIRFD[i].rvaHandlerData = (DWORD)(pRFE[i].HandlerData - mi->BaseOfDll);
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IMAGE_FILE_MACHINE_IA64:
|
|
{
|
|
PIMAGE_IA64_RUNTIME_FUNCTION_ENTRY pRFE = (PIMAGE_IA64_RUNTIME_FUNCTION_ENTRY)p;
|
|
for (i = 0; i < cexp; i++) {
|
|
pIRFD[i].rvaBeginAddress = pRFE[i].BeginAddress;
|
|
pIRFD[i].rvaEndAddress = pRFE[i].EndAddress;
|
|
pIRFD[i].rvaPrologEndAddress = pRFE[i].UnwindInfoAddress;
|
|
pIRFD[i].rvaExceptionHandler = 0;
|
|
pIRFD[i].rvaHandlerData = 0;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IMAGE_FILE_MACHINE_AMD64:
|
|
{
|
|
_PIMAGE_RUNTIME_FUNCTION_ENTRY pRFE = (_PIMAGE_RUNTIME_FUNCTION_ENTRY)p;
|
|
for (i = 0; i < cexp; i++) {
|
|
pIRFD[i].rvaBeginAddress = pRFE[i].BeginAddress;
|
|
pIRFD[i].rvaEndAddress = pRFE[i].EndAddress;
|
|
pIRFD[i].rvaPrologEndAddress = pRFE[i].UnwindInfoAddress;
|
|
pIRFD[i].rvaExceptionHandler = 0;
|
|
pIRFD[i].rvaHandlerData = 0;
|
|
}
|
|
}
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
VirtualProtect( mi->pExceptionData, tsize, PAGE_READONLY, &i );
|
|
|
|
mi->dwEntries = cexp;
|
|
}
|
|
|
|
cleanup:
|
|
|
|
if (mi->pPData) {
|
|
MemFree(mi->pPData);
|
|
mi->pPData = NULL;
|
|
}
|
|
|
|
if (base)
|
|
UnmapViewOfFile(base);
|
|
|
|
if (fh)
|
|
CloseHandle(fh);
|
|
|
|
return (cexp) ? TRUE : FALSE;
|
|
}
|
|
|
|
BOOL
|
|
GetXData(
|
|
HANDLE hp,
|
|
PMODULE_ENTRY mi
|
|
)
|
|
{
|
|
if (mi->pXData)
|
|
return TRUE;
|
|
|
|
if (LoadSymbols(hp, mi, 0) && !mi->pXData && mi->dia && !diaGetXData(mi))
|
|
return FALSE;
|
|
|
|
return (mi->pXData != NULL);
|
|
}
|
|
|
|
PVOID
|
|
GetXDataFromBase(
|
|
HANDLE hp,
|
|
DWORD64 base,
|
|
ULONG_PTR* size
|
|
)
|
|
{
|
|
PPROCESS_ENTRY pe;
|
|
PMODULE_ENTRY mi;
|
|
|
|
pe = FindProcessEntry(hp);
|
|
if (!pe) {
|
|
SetLastError(ERROR_INVALID_HANDLE);
|
|
return NULL;
|
|
}
|
|
|
|
mi = GetModuleForPC(pe, base, FALSE);
|
|
if (!mi) {
|
|
SetLastError(ERROR_MOD_NOT_FOUND);
|
|
return NULL;
|
|
}
|
|
|
|
if (!GetXData(hp, mi))
|
|
return NULL;
|
|
|
|
if (size) *size = mi->cbXData;
|
|
return mi->pXData;
|
|
}
|
|
|
|
PVOID
|
|
GetUnwindInfoFromSymbols(
|
|
HANDLE hProcess,
|
|
DWORD64 ModuleBase,
|
|
ULONG UnwindInfoAddress,
|
|
ULONG_PTR* Size
|
|
)
|
|
{
|
|
ULONG_PTR XDataSize;
|
|
|
|
PBYTE pXData = (PBYTE)GetXDataFromBase(hProcess, ModuleBase, &XDataSize);
|
|
if (!pXData)
|
|
return NULL;
|
|
|
|
DWORD DataBase = *(DWORD*)pXData;
|
|
pXData += sizeof(DWORD);
|
|
|
|
if (DataBase > UnwindInfoAddress)
|
|
return NULL;
|
|
|
|
ULONG_PTR Offset = UnwindInfoAddress - DataBase;
|
|
|
|
if (Offset >= XDataSize)
|
|
return NULL;
|
|
|
|
if (Size) *Size = XDataSize - Offset;
|
|
return pXData + Offset;
|
|
}
|