原文:【推荐】分享一个x64内核符号枚举代码 50行 简洁易懂
作者:友情zyj
链接:http://bbs.pediy.com/showthread.php?t=204535
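#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <string>
#include <psapi.h>
#include "dbghelp.h"
#pragma comment(lib, "dbghelp.lib")

// The three private (non-exported) kernel symbols this tool reports. They
// are the callback arrays behind PsSetCreateProcessNotifyRoutine /
// PsSetLoadImageNotifyRoutine / PsSetCreateThreadNotifyRoutine; their
// addresses are what callback-removal tooling patches, so printing them is
// also a cheap way for a defender to know where to look.
static const char* const kWantedSymbols[] = {
    "PspCreateProcessNotifyRoutine",
    "PspLoadImageNotifyRoutine",
    "PspCreateThreadNotifyRoutine",
};

// SymEnumSymbols callback.
//  pSymInfo    - symbol being enumerated (Name is a NUL-terminated CHAR array)
//  SymbolSize  - unused
//  UserContext - optional int* that is incremented once per wanted symbol
//                printed, so main() can tell whether the PDB actually resolved
// Always returns TRUE: the symbol table is unordered, so enumeration must run
// to the end of the module to be sure all three names were seen.
BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    UNREFERENCED_PARAMETER(SymbolSize);
    for (size_t k = 0; k < sizeof(kWantedSymbols) / sizeof(kWantedSymbols[0]); k++) {
        if (strcmp(pSymInfo->Name, kWantedSymbols[k]) != 0) {
            continue;
        }
        // Address is a ULONG64. The original passed it to %p, which only
        // happens to work on x64; %016llX gives the same 16-digit upper-case
        // output with the correct argument type.
        printf("%-30s :%016llX\n", pSymInfo->Name, (unsigned long long)pSymInfo->Address);
        if (UserContext != NULL) {
            ++*(int*)UserContext;
        }
        break;
    }
    return TRUE;
}

// Find the kernel image among the loaded drivers.
// Prefers the entry whose base name is "ntoskrnl.exe" and falls back to the
// first entry that has a name (the original assumed entry 0 was the kernel
// without checking). On success fills modName/modBase and returns TRUE.
// Note: on newer Windows builds the kernel addresses reported by
// EnumDeviceDrivers may be withheld from non-elevated callers; a NULL base is
// treated as failure so the caller does not go on to load symbols at 0.
static BOOL FindKernelModule(std::string& modName, PVOID& modBase)
{
    PVOID drivers[1024] = {};
    DWORD cbNeeded = 0;
    modBase = NULL;

    if (!EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) || cbNeeded == 0) {
        return FALSE;
    }
    // cbNeeded is the size *required*, which can exceed the buffer we passed;
    // the original divided by a hard-coded 8 and did not clamp.
    DWORD count = cbNeeded / sizeof(PVOID);
    const DWORD capacity = sizeof(drivers) / sizeof(drivers[0]);
    if (count > capacity) {
        count = capacity;
    }

    std::string fallbackName;
    PVOID fallbackBase = NULL;
    for (DWORD i = 0; i < count; i++) {
        // A char buffer, not an array of LPSTR as in the original.
        char name[MAX_PATH] = {};
        if (GetDeviceDriverBaseNameA(drivers[i], name, MAX_PATH) == 0) {
            continue;  // leave the buffer untouched rather than read garbage
        }
        if (_stricmp(name, "ntoskrnl.exe") == 0) {
            modName = name;
            modBase = drivers[i];
            return modBase != NULL;
        }
        if (fallbackBase == NULL) {
            fallbackName = name;
            fallbackBase = drivers[i];
        }
    }
    if (fallbackBase == NULL) {
        return FALSE;
    }
    modName = fallbackName;
    modBase = fallbackBase;
    return TRUE;
}

// Entry point: locate the kernel, load its PDB through dbghelp/symsrv and
// print the runtime addresses of the three Psp*NotifyRoutine arrays.
// Build as x64 and run elevated; the executable needs dbghelp.dll and
// symsrv.dll from Debugging Tools for Windows next to it.
// Returns 0 on success, 1 if any Win32/dbghelp step fails.
int main()
{
    std::string strMod;
    PVOID dwBaseAddr = NULL;
    if (!FindKernelModule(strMod, dwBaseAddr)) {
        printf("EnumDeviceDrivers did not yield a kernel base (err=%lu). "
               "Newer Windows builds hide kernel addresses from non-elevated "
               "callers; try running as administrator.\n", GetLastError());
        return 1;
    }
    printf("%-20s 0x%p\n", strMod.c_str(), dwBaseAddr);

    // The on-disk image is only used so dbghelp can read the PE debug
    // directory (PDB GUID/age) and the image size. Use the real system
    // directory instead of a hard-coded C:\Windows\System32.
    char sysDir[MAX_PATH] = {};
    if (GetSystemDirectoryA(sysDir, MAX_PATH) == 0) {
        printf("GetSystemDirectoryA failed (err=%lu)\n", GetLastError());
        return 1;
    }
    std::string strSystemPath = std::string(sysDir) + "\\" + strMod;

    SymSetOptions(SYMOPT_DEFERRED_LOADS);
    HANDLE hProcess = GetCurrentProcess();
    if (!SymInitialize(hProcess, NULL, FALSE)) {
        printf("SymInitialize failed (err=%lu)\n", GetLastError());
        return 1;
    }

    // Symbol store: local cache first, Microsoft public symbol server second.
    // HTTPS matters here: dbghelp only checks that a downloaded PDB's GUID/age
    // match the PE, it does not authenticate the PDB contents, so anything
    // fetched over plain HTTP could be swapped by an on-path attacker and the
    // tool would then print attacker-chosen addresses. The cache directory
    // under C:\Windows is only writable by an elevated process, which is the
    // safer choice for a store that is later trusted blindly.
    std::string strSymbolPath = "srv*C:\\Windows\\symbols*https://msdl.microsoft.com/download/symbols";
    SymSetSearchPath(hProcess, strSymbolPath.c_str());

    HANDLE hSystemFile = CreateFileA(strSystemPath.c_str(), GENERIC_READ,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                     OPEN_EXISTING, 0, NULL);
    if (hSystemFile == INVALID_HANDLE_VALUE) {
        printf("CreateFileA(%s) failed (err=%lu)\n", strSystemPath.c_str(), GetLastError());
        SymCleanup(hProcess);
        return 1;
    }
    DWORD dwFileSize = GetFileSize(hSystemFile, NULL);
    CloseHandle(hSystemFile);  // the original never closed this handle
    if (dwFileSize == INVALID_FILE_SIZE) {
        printf("GetFileSize failed (err=%lu)\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }

    DWORD64 dwBase = SymLoadModule64(hProcess, NULL, strSystemPath.c_str(), NULL,
                                     (DWORD64)dwBaseAddr, dwFileSize);
    if (dwBase == 0) {
        printf("SymLoadModule64 failed (err=%lu)\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }

    printf("正在枚举符号...\n");
    // The mask limits the walk to Psp*NotifyRoutine; the callback still does
    // an exact name match, so output is the same as an unfiltered walk.
    int found = 0;
    if (!SymEnumSymbols(hProcess, dwBase, "Psp*NotifyRoutine", EnumSymCallBack, &found)) {
        printf("SymEnumSymbols failed (err=%lu)\n", GetLastError());
    }
    printf("枚举符号结束...\n");

    // The Psp* names are private symbols: if the PDB could not be fetched,
    // dbghelp silently falls back to exports and nothing is printed. Make that
    // visible instead of leaving the user to guess.
    if (found < (int)(sizeof(kWantedSymbols) / sizeof(kWantedSymbols[0]))) {
        IMAGEHLP_MODULE64 mi = {};
        mi.SizeOfStruct = sizeof(mi);
        if (SymGetModuleInfo64(hProcess, dwBase, &mi) && mi.SymType != SymPdb) {
            printf("warning: no PDB loaded for %s (SymType=%d); check symbol "
                   "server access and write access to the local cache\n",
                   strMod.c_str(), (int)mi.SymType);
        }
    }

    SymUnloadModule64(hProcess, dwBase);
    SymCleanup(hProcess);
    // Kept for parity with the original; note system() resolves cmd.exe via
    // %ComSpec%, so do not leave this in anything that runs unattended.
    system("pause");
    return 0;
}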
看别人源码写的邋里邋遢,于是改了下,发上来看看大家能用不
工程要编译成 x64 位的（代码按 8 字节指针处理 EnumDeviceDrivers 返回的数组，并且要打印的是 64 位内核地址，32 位进程拿不到完整的值）。
还需要两个 DLL：dbghelp.dll 和 symsrv.dll，和编译生成的 EXE 放在一起（在 windbg 目录有这俩个 DLL）。注意：和 EXE 同目录的 DLL 会优先于系统目录被加载，所以请使用 Debugging Tools for Windows 自带、带微软签名的这两个文件，并且不要把 EXE 放在其他用户可写的目录里，否则别人替换掉 DLL 就能借这个（通常以管理员运行的）进程执行代码。
以下是测试结果...
ntoskrnl.exe 0xFFFFF8000400E000
正在枚举符号...
PspCreateProcessNotifyRoutine :FFFFF80004234F80
PspLoadImageNotifyRoutine :FFFFF80004234D00
PspCreateThreadNotifyRoutine :FFFFF80004234D60
枚举符号结束...
请按任意键继续. . .