想枚举出PDB里的所有符号,并且区分出函数,变量,枚举等,但在实际枚举过程中,从SYMBOL_INFO里得到的TypeIndex,Flags,都是0,Tag也是一个固定值0xa,标红代码,不知道是不是函数参数设置有问题还是Options设置的有问题,有了解这方面的大牛帮忙看下,先谢过了
代码:
#include <windows.h>
#include <shlwapi.h>
#include <imagehlp.h>
#include "pdbpar.h"
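/*
 * Set the DbgHelp options, initialise the symbol handler for the current
 * process and install the search path built from SRV_PATH.
 *
 * symbolpath  Value substituted into the SRV_PATH format string. SRV_PATH is
 *             defined in pdbpar.h and is not visible here; presumably it
 *             takes a single %s -- confirm against the header.
 *
 * Returns 0 on success. Returns -1 when symbolpath is NULL, when the expanded
 * search path does not fit the local buffer, or when SymInitialize or
 * SymSetSearchPath fails.
 *
 * NOTE(review): symbolpath ends up inside a DbgHelp search-path string, where
 * ';' separates entries and '*' separates the parts of an srv* entry. A value
 * containing those characters changes which symbol stores are consulted, so
 * take it from trusted configuration rather than from untrusted input.
 */
int analyze_pdb_init(const char* symbolpath)
{
    unsigned long options;
    HANDLE proc;
    char search[512];
    int written;

    if (symbolpath == NULL)
        return -1;

    /*
     * Build the path before touching any global DbgHelp state, and bound the
     * write: an unbounded sprintf() overruns the 512-byte buffer as soon as
     * the expansion is longer than that.
     */
    written = snprintf(search, sizeof search, SRV_PATH, symbolpath);
    if (written < 0 || (size_t)written >= sizeof search)
        return -1;

    /*
     * Make sure a "symsrv.yes" file exists in the working directory.
     * Presumably this is the marker symsrv.dll looks for to skip its
     * terms-of-use prompt -- confirm.
     */
    if (PathFileExistsA("symsrv.yes") == FALSE)
    {
        FILE* file = fopen("symsrv.yes", "r");
        if (!file)
            file = fopen("symsrv.yes", "w+");
        /* Both opens can fail (e.g. read-only directory); fclose(NULL) is
           undefined behaviour, so only close a stream that was opened. */
        if (file)
            fclose(file);
    }

    /* The option handling below is the part highlighted in the post. */
    options = SymGetOptions();
    //options |= (SYMOPT_CASE_INSENSITIVE | SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME);
    //options |= SYMOPT_DEBUG;
    //options &= ~SYMOPT_UNDNAME;
    options |= (SYMOPT_DEBUG | SYMOPT_LOAD_LINES | SYMOPT_FAIL_CRITICAL_ERRORS);
    options &= ~SYMOPT_DEFERRED_LOADS;   /* load symbols at SymLoadModule64 time */
    SymSetOptions(options);

    proc = GetCurrentProcess();
    if (SymInitialize(proc, NULL, FALSE) == 0)
        return -1;

    /* Without the intended search path later lookups would silently use the
       default one, so treat a failure here as an initialisation failure. */
    if (SymSetSearchPath(proc, search) == 0)
    {
        SymCleanup(proc);
        return -1;
    }
    return 0;
}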
/*
 * Release the DbgHelp symbol handler state of the current process.
 * Always returns 0; the result of SymCleanup is not inspected.
 */
int analyze_pdb_uninit()
{
    SymCleanup(GetCurrentProcess());
    return 0;
}
/*
 * Map an image, locate its PDB, load the module into DbgHelp and enumerate
 * its symbols through EnumSymbolsCallback.
 *
 * file     Path of the image handed to ImageLoad.
 * notify   Forwarded to SymEnumSymbols as the callback's UserContext.
 * context  Not used anywhere in this function.
 *
 * Returns 0 on success, -1 if ImageLoad fails, -2 if SymGetSymbolFile finds
 * no PDB, -3 if SymLoadModule64 fails and -4 if SymEnumSymbols fails.
 *
 * NOTE(review): the image and its PDB are parsed inside this process. If the
 * inputs can come from an untrusted source, consider running the analysis in
 * a low-privilege process.
 */
int analyze_pdb_file(const char* file, FUNCTION_NOTIFY notify, void* context)
{
    HANDLE process = GetCurrentProcess();
    char pdb_path[MAX_PATH] = { 0 };
    DWORD64 module_base = 0;
    PLOADED_IMAGE image;
    int result;

    image = ImageLoad(file, NULL);
    if (image == 0)
        return -1;

    /* SymPath is NULL, so the search path already set for this process is
       used. The same buffer receives both the symbol-file and the dbg-file
       result; only the success/failure of the lookup is consumed. */
    if (SymGetSymbolFile(process, NULL, image->ModuleName, sfPdb,
                         pdb_path, MAX_PATH, pdb_path, MAX_PATH) == 0)
    {
        result = -2;
        goto cleanup;
    }

    /* The mapped view's address serves as the module base. */
    module_base = SymLoadModule64(process, image->hFile, image->ModuleName, NULL,
                                  (DWORD64)(image->MappedAddress), // 0,
                                  image->SizeOfImage);
    if (module_base == 0)
    {
        result = -3;
        goto cleanup;
    }

    if (SymEnumSymbols(process, module_base, 0, EnumSymbolsCallback, notify) == 0)
    {
        result = -4;
        goto cleanup;
    }
    result = 0;

cleanup:
    /* Undo in reverse order of acquisition. */
    if (module_base)
    {
        SymUnloadModule64(process, module_base);
    }
    ImageUnload(image);
    return result;
}
/*
 * SymEnumSymbols callback: logs one line per symbol and then queries the
 * symbol tag of the symbol's type index.
 *
 * SymInfo      Symbol record supplied by DbgHelp.
 * SymbolSize   Size value supplied by DbgHelp for this symbol.
 * UserContext  Value passed to SymEnumSymbols by the caller; not used here.
 *
 * Always returns TRUE, so enumeration continues with the next symbol.
 *
 * NOTE(review): TypeIndex, SymbolSize, Flags, Tag and Scope are the fields
 * highlighted in the post. The reported Tag of 0xa corresponds to
 * SymTagPublicSymbol. Public symbols carry no type record, so a TypeIndex of
 * 0 would be consistent with a PDB that holds only public symbols (for
 * example a stripped PDB) rather than with a wrong option -- to be confirmed
 * against the PDB in use.
 */
BOOL
CALLBACK
EnumSymbolsCallback(
    PSYMBOL_INFO SymInfo,
    ULONG SymbolSize,
    PVOID UserContext
    )
{
    HANDLE process = GetCurrentProcess();
    DWORD type_tag;

    _dprintf(4, "[symbol] %d, %x : %I64x (%x, %x) --> [ %x, %x, %x ] %s\n",
             SymInfo->Index,
             SymInfo->TypeIndex,
             SymInfo->Address,
             SymbolSize,
             SymInfo->Size,
             SymInfo->Flags,
             SymInfo->Tag,
             SymInfo->Scope,
             SymInfo->Name);

    /* The outcome and the returned tag are not consumed; the call is kept so
       the sequence of DbgHelp calls is unchanged. */
    (void)SymGetTypeInfo(process,
                         SymInfo->ModBase,
                         SymInfo->TypeIndex,
                         TI_GET_SYMTAG,
                         &type_tag);
    return TRUE;
}