NTSTATUS DriverEntry ( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath ) { NTSTATUS status = STATUS_SUCCESS; PVOID OldImageBase; PVOID NewImageBase; pDriverObject->DriverUnload = HelloDDKUnload; KdPrint(("加载驱动成功!\n")); OldImageBase = GetModuleBase("ntoskrnl.exe"); if(NULL != OldImageBase) { NewImageBase = KeLoadLibrary(L"\\??\\C:\\windows\\system32\\ntoskrnl.exe", OldImageBase); } else { OldImageBase = GetModuleBase("ntkrnlpa.exe"); NewImageBase = KeLoadLibrary(L"\\??\\C:\\windows\\system32\\ntkrnlpa.exe", OldImageBase); } FixNewKiServiceTable(NewImageBase, OldImageBase); SetSysenterHook(); SetDebugPortDrxHook(); return status; }
DWORD WINAPI MainScan(LPVOID lpParams) { while (true) { DWORD pID; csWind = FindWindow(0, "Counter-Strike: Global Offensive"); GetWindowThreadProcessId(csWind, &pID); csHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pID); clientBase = GetModuleBase(pID, "client.dll"); while (true) { if (updateEnts()) { if ((GetKeyState(0x4B) & 0x100) != 0) { if (localPlayer.cid > 0 && localPlayer.cid <= 64) { if (players[localPlayer.cid - 1].team != 0 && players[localPlayer.cid - 1].team != localPlayer.team && (players[localPlayer.cid - 1].health > 0)) { Sleep(25); sim(); } } } } } } return 0; }
static BOOL BfdGetLineFromAddr(bfd *abfd, asymbol **syms, long symcount, DWORD dwAddress, LPTSTR lpFileName, DWORD nSize, LPDWORD lpLineNumber) { HMODULE hModule; struct find_handle info; if(!(hModule = (HMODULE) GetModuleBase(dwAddress))) return FALSE; info.pc = dwAddress; if(!(bfd_get_file_flags (abfd) & HAS_SYMS) || !symcount) return FALSE; info.syms = syms; info.found = FALSE; bfd_map_over_sections (abfd, find_address_in_section, (PTR) &info); if (info.found == FALSE || info.line == 0) return FALSE; assert(lpFileName && lpLineNumber); lstrcpyn(lpFileName, info.filename, nSize); *lpLineNumber = info.line; return TRUE; }
static BOOL BfdGetSymFromAddr(bfd *abfd, asymbol **syms, long symcount, DWORD dwAddress, LPTSTR lpSymName, DWORD nSize) { HMODULE hModule; struct find_handle info; if(!(hModule = (HMODULE) GetModuleBase(dwAddress))) return FALSE; info.pc = dwAddress; if(!(bfd_get_file_flags (abfd) & HAS_SYMS) || !symcount) return FALSE; info.syms = syms; info.found = FALSE; bfd_map_over_sections (abfd, find_address_in_section, (PTR) &info); if (info.found == FALSE || info.line == 0) return FALSE; assert(lpSymName); if(info.functionname == NULL && *info.functionname == '\0') return FALSE; lstrcpyn(lpSymName, info.functionname, nSize); return TRUE; }
HRESULT LLDBServices::GetModuleByIndex( ULONG index, PULONG64 base) { ULONG64 moduleBase = UINT64_MAX; lldb::SBTarget target; lldb::SBModule module; target = m_debugger.GetSelectedTarget(); if (!target.IsValid()) { goto exit; } module = target.GetModuleAtIndex(index); if (!module.IsValid()) { goto exit; } moduleBase = GetModuleBase(target, module); exit: if (base) { *base = moduleBase; } return moduleBase == UINT64_MAX ? E_FAIL : S_OK; }
HRESULT LLDBServices::GetModuleByModuleName( PCSTR name, ULONG startIndex, PULONG index, PULONG64 base) { ULONG64 moduleBase = UINT64_MAX; ULONG moduleIndex = UINT32_MAX; lldb::SBTarget target; lldb::SBModule module; lldb::SBFileSpec fileSpec; fileSpec.SetFilename(name); target = m_debugger.GetSelectedTarget(); if (!target.IsValid()) { goto exit; } module = target.FindModule(fileSpec); if (!module.IsValid()) { goto exit; } moduleBase = GetModuleBase(target, module); if (index) { int numModules = target.GetNumModules(); for (int mi = startIndex; mi < numModules; mi++) { lldb::SBModule mod = target.GetModuleAtIndex(mi); if (module == mod) { moduleIndex = mi; break; } } } exit: if (index) { *index = moduleIndex; } if (base) { *base = moduleBase; } return moduleBase == UINT64_MAX ? E_FAIL : S_OK; }
int SetupandLoad(){ //memset to ensure we dont have unusual char attributes at starting memset(&Enemy, 0, sizeof(Character)); memset(&Player, 0, sizeof(Character)); //TODO temp hardcoding Enemy.weaponRange = 6; Player.weaponRange = 2.5; //get access to dark souls memory char * processName = "DARKSOULS.exe"; //get the process id from the name int processId = GetProcessIdFromName(processName); //open the handle processHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, processId); //get the base address of the process and append all other addresses onto it memorybase = GetModuleBase(processId, processName); Enemy_base_add += memorybase; player_base_add += memorybase; ReadPointerEndAddresses(processHandle); //start gui guiStart(); //get current camera details to lock readCamera(&processHandle, memorybase); //load neural network and threads int error = ReadyThreads(); if (error){ return error; } //TODO load vJoy driver(we ONLY want the driver loaded when program running) //want to use controller input, instead of keyboard, as analog stick is more precise movement int loadresult = loadvJoy(iInterface); if (loadresult != 0){ return loadresult; } iReport.bDevice = (BYTE)iInterface; ResetVJoyController(); //set window focus HWND h = FindWindow(NULL, TEXT("DARK SOULS")); SetForegroundWindow(h); SetFocus(h); return EXIT_SUCCESS; }
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShow) { PROCESSENTRY32 pe32; HANDLE hSnapshot, hProcess; int nStatus = 0; // patch bytes BYTE bPatch[5] = { 0x66, 0xB8, 0xFF, 0xFF, 0x90 }; // RC4 Key char *szRC4Key = "KOrUPt"; // TamperProtectionPlugin.dll char szTargetDll[] = "\xB3\x36\x2D\x49\x8F\xB1\x27\x51\x22\x0F\x6B\x6F\x8C\x55\x05\xC5\x0C\x84\x58\x64\xB5\xF9\x99\x90\x02\x1E"; // savmain.exe char szTargetProcessName[] = "\x94\x36\x36\x54\x8B\xAA\x19\x0D\x28\x03\x6B"; // stealthly resolve API's that may be considered suspicous if seen in our import table lpK32Base = GetK32Base(); pWriteProcessMemory = GetAPIAddress((HMODULE)lpK32Base, dwAPIHashTable[nWriteProcessMemory]); pOpenProcess = GetAPIAddress((HMODULE)lpK32Base, dwAPIHashTable[nOpenProcess]); // decrypt sensitive strings RC4((unsigned char *)szTargetDll, (unsigned char *)szRC4Key, strlen(szTargetDll), strlen(szRC4Key)); RC4((unsigned char *)szTargetProcessName, (unsigned char *)szRC4Key, strlen(szTargetProcessName), strlen(szRC4Key)); // find process and patch accordingly pe32.dwSize = sizeof(PROCESSENTRY32); hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(hSnapshot != INVALID_HANDLE_VALUE){ if(Process32First(hSnapshot, &pe32)){ do{ if(stricmp(pe32.szExeFile, szTargetProcessName) == 0){ hProcess = sOpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, TRUE, pe32.th32ProcessID); if(hProcess){ DWORD dwBaseAddress = GetModuleBase(szTargetDll, pe32.th32ProcessID); DWORD dwPatchAddress = dwBaseAddress + (0x7924 ^ 0xFDFD); // = 0x84D9 = offset sWriteProcessMemory(hProcess, (BYTE *)dwPatchAddress, bPatch, 5, NULL); CloseHandle(hProcess); } break; } }while(Process32Next(hSnapshot, &pe32)); } CloseHandle(hSnapshot); } return nStatus; }
char* getSC2Info(HANDLE sc2_handle, uint32_t &base_address, uint32_t &build) { char* sc2_exe_path = (char*)malloc(MAX_PROC_NAME_SIZE); if(GetModuleFileNameEx(sc2_handle, 0, sc2_exe_path, MAX_PROC_NAME_SIZE)==0) { printf("ERROR %d: Unable to retrieve executable file name", GetLastError()); return NULL; } DWORD infoSize = GetFileVersionInfoSize(sc2_exe_path, 0); void *infoBuffer = malloc(infoSize); VS_FIXEDFILEINFO *sc2VersionInfo; GetFileVersionInfo(sc2_exe_path, 0, infoSize, infoBuffer); VerQueryValue(infoBuffer, "\\", (LPVOID*)&sc2VersionInfo, 0); build = sc2VersionInfo->dwFileVersionLS & 0xffff; free(infoBuffer); DWORD proc_id = GetProcessId(sc2_handle); base_address = GetModuleBase(proc_id, "SC2.exe"); return sc2_exe_path; }
static ULONG_ADDR CheckAddress(void* address) { ULONG_ADDR dwAddress = (ULONG_ADDR)(GC_ULONG_PTR)address; GetModuleBase(GetSymHandle(), dwAddress); return dwAddress; }
static void GenerateExceptionReport(PEXCEPTION_POINTERS pExceptionInfo) { PEXCEPTION_RECORD pExceptionRecord = pExceptionInfo->ExceptionRecord; TCHAR szModule[MAX_PATH]; HMODULE hModule; PCONTEXT pContext; // Start out with a banner rprintf(_T("-------------------\r\n\r\n")); { const TCHAR *lpDayOfWeek[] = { _T("Sunday"), _T("Monday"), _T("Tuesday"), _T("Wednesday"), _T("Thursday"), _T("Friday"), _T("Saturday") }; const TCHAR *lpMonth[] = { NULL, _T("January"), _T("February"), _T("March"), _T("April"), _T("May"), _T("June"), _T("July"), _T("August"), _T("September"), _T("October"), _T("November"), _T("December") }; SYSTEMTIME SystemTime; GetLocalTime(&SystemTime); rprintf(_T("Error occured on %s, %s %i, %i at %02i:%02i:%02i.\r\n\r\n"), lpDayOfWeek[SystemTime.wDayOfWeek], lpMonth[SystemTime.wMonth], SystemTime.wDay, SystemTime.wYear, SystemTime.wHour, SystemTime.wMinute, SystemTime.wSecond ); } // Dump a generic info header dbgDumpHeader(hReportFile); // First print information about the type of fault rprintf(_T("\r\n%s caused "), GetModuleFileName(NULL, szModule, MAX_PATH) ? szModule : "Application"); switch(pExceptionRecord->ExceptionCode) { case EXCEPTION_ACCESS_VIOLATION: rprintf(_T("an Access Violation")); break; case EXCEPTION_ARRAY_BOUNDS_EXCEEDED: rprintf(_T("an Array Bound Exceeded")); break; case EXCEPTION_BREAKPOINT: rprintf(_T("a Breakpoint")); break; case EXCEPTION_DATATYPE_MISALIGNMENT: rprintf(_T("a Datatype Misalignment")); break; case EXCEPTION_FLT_DENORMAL_OPERAND: rprintf(_T("a Float Denormal Operand")); break; case EXCEPTION_FLT_DIVIDE_BY_ZERO: rprintf(_T("a Float Divide By Zero")); break; case EXCEPTION_FLT_INEXACT_RESULT: rprintf(_T("a Float Inexact Result")); break; case EXCEPTION_FLT_INVALID_OPERATION: rprintf(_T("a Float Invalid Operation")); break; case EXCEPTION_FLT_OVERFLOW: rprintf(_T("a Float Overflow")); break; case EXCEPTION_FLT_STACK_CHECK: rprintf(_T("a Float Stack Check")); break; case EXCEPTION_FLT_UNDERFLOW: rprintf(_T("a Float Underflow")); break; case EXCEPTION_GUARD_PAGE: rprintf(_T("a Guard Page")); break; case EXCEPTION_ILLEGAL_INSTRUCTION: rprintf(_T("an Illegal Instruction")); break; case EXCEPTION_IN_PAGE_ERROR: rprintf(_T("an In Page Error")); break; case EXCEPTION_INT_DIVIDE_BY_ZERO: rprintf(_T("an Integer Divide By Zero")); break; case EXCEPTION_INT_OVERFLOW: rprintf(_T("an Integer Overflow")); break; case EXCEPTION_INVALID_DISPOSITION: rprintf(_T("an Invalid Disposition")); break; case EXCEPTION_INVALID_HANDLE: rprintf(_T("an Invalid Handle")); break; case EXCEPTION_NONCONTINUABLE_EXCEPTION: rprintf(_T("a Noncontinuable Exception")); break; case EXCEPTION_PRIV_INSTRUCTION: rprintf(_T("a Privileged Instruction")); break; case EXCEPTION_SINGLE_STEP: rprintf(_T("a Single Step")); break; case EXCEPTION_STACK_OVERFLOW: rprintf(_T("a Stack Overflow")); break; case DBG_CONTROL_C: rprintf(_T("a Control+C")); break; case DBG_CONTROL_BREAK: rprintf(_T("a Control+Break")); break; case DBG_TERMINATE_THREAD: rprintf(_T("a Terminate Thread")); break; case DBG_TERMINATE_PROCESS: rprintf(_T("a Terminate Process")); break; case RPC_S_UNKNOWN_IF: rprintf(_T("an Unknown Interface")); break; case RPC_S_SERVER_UNAVAILABLE: rprintf(_T("a Server Unavailable")); break; default: /* static TCHAR szBuffer[512] = { 0 }; // If not one of the "known" exceptions, try to get the string // from NTDLL.DLL's message table. FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_HMODULE, GetModuleHandle(_T("NTDLL.DLL")), dwCode, 0, szBuffer, sizeof(szBuffer), 0); */ rprintf(_T("an Unknown [0x%lX] Exception"), pExceptionRecord->ExceptionCode); break; } // Now print information about where the fault occured rprintf(_T(" at location %08x"), (DWORD) pExceptionRecord->ExceptionAddress); if((hModule = (HMODULE) GetModuleBase((DWORD) pExceptionRecord->ExceptionAddress)) && GetModuleFileName(hModule, szModule, sizeof(szModule))) rprintf(_T(" in module %s"), szModule); // If the exception was an access violation, print out some additional information, to the error log and the debugger. if(pExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && pExceptionRecord->NumberParameters >= 2) rprintf(" %s location %08x", pExceptionRecord->ExceptionInformation[0] ? "Writing to" : "Reading from", pExceptionRecord->ExceptionInformation[1]); rprintf(".\r\n\r\n"); dbgDumpLog(hReportFile); pContext = pExceptionInfo->ContextRecord; #ifdef _M_IX86 // Intel Only! // Show the registers rprintf(_T("Registers:\r\n")); if(pContext->ContextFlags & CONTEXT_INTEGER) rprintf( _T("eax=%08lx ebx=%08lx ecx=%08lx edx=%08lx esi=%08lx edi=%08lx\r\n"), pContext->Eax, pContext->Ebx, pContext->Ecx, pContext->Edx, pContext->Esi, pContext->Edi ); if(pContext->ContextFlags & CONTEXT_CONTROL) rprintf( _T("eip=%08lx esp=%08lx ebp=%08lx iopl=%1lx %s %s %s %s %s %s %s %s %s %s\r\n"), pContext->Eip, pContext->Esp, pContext->Ebp, (pContext->EFlags >> 12) & 3, // IOPL level value pContext->EFlags & 0x00100000 ? "vip" : " ", // VIP (virtual interrupt pending) pContext->EFlags & 0x00080000 ? "vif" : " ", // VIF (virtual interrupt flag) pContext->EFlags & 0x00000800 ? "ov" : "nv", // VIF (virtual interrupt flag) pContext->EFlags & 0x00000400 ? "dn" : "up", // OF (overflow flag) pContext->EFlags & 0x00000200 ? "ei" : "di", // IF (interrupt enable flag) pContext->EFlags & 0x00000080 ? "ng" : "pl", // SF (sign flag) pContext->EFlags & 0x00000040 ? "zr" : "nz", // ZF (zero flag) pContext->EFlags & 0x00000010 ? "ac" : "na", // AF (aux carry flag) pContext->EFlags & 0x00000004 ? "po" : "pe", // PF (parity flag) pContext->EFlags & 0x00000001 ? "cy" : "nc" // CF (carry flag) ); if(pContext->ContextFlags & CONTEXT_SEGMENTS) { rprintf( _T("cs=%04lx ss=%04lx ds=%04lx es=%04lx fs=%04lx gs=%04lx"), pContext->SegCs, pContext->SegSs, pContext->SegDs, pContext->SegEs, pContext->SegFs, pContext->SegGs, pContext->EFlags ); if(pContext->ContextFlags & CONTEXT_CONTROL) rprintf( _T(" efl=%08lx"), pContext->EFlags ); } else if(pContext->ContextFlags & CONTEXT_CONTROL) rprintf( _T(" efl=%08lx"), pContext->EFlags ); rprintf(_T("\r\n\r\n")); #endif // FIXME: We *never* return from the below call! StackBackTrace(GetCurrentProcess(), GetCurrentThread(), pContext); rprintf(_T("\r\n\r\n")); }
static BOOL StackBackTrace(HANDLE hProcess, HANDLE hThread, PCONTEXT pContext) { STACKFRAME StackFrame; HMODULE hModule = NULL; TCHAR szModule[MAX_PATH]; #ifdef HAVE_BFD bfd *abfd = NULL; asymbol **syms = NULL; // The symbol table. long symcount = 0; // Number of symbols in `syms'. #endif /* HAVE_BFD */ assert(!bSymInitialized); j_SymSetOptions(/* SYMOPT_UNDNAME | */ SYMOPT_LOAD_LINES); if(j_SymInitialize(hProcess, NULL, TRUE)) bSymInitialized = TRUE; memset( &StackFrame, 0, sizeof(StackFrame) ); // Initialize the STACKFRAME structure for the first call. This is only // necessary for Intel CPUs, and isn't mentioned in the documentation. StackFrame.AddrPC.Offset = pContext->Eip; StackFrame.AddrPC.Mode = AddrModeFlat; StackFrame.AddrStack.Offset = pContext->Esp; StackFrame.AddrStack.Mode = AddrModeFlat; StackFrame.AddrFrame.Offset = pContext->Ebp; StackFrame.AddrFrame.Mode = AddrModeFlat; rprintf( _T("Call stack:\r\n") ); if(0) rprintf( _T("AddrPC AddrReturn AddrFrame AddrStack\r\n") ); while ( 1 ) { BOOL bSuccess = FALSE; #ifdef HAVE_BFD const HMODULE hPrevModule = hModule; #endif /* HAVE_BFD */ TCHAR szSymName[512] = _T(""); TCHAR szFileName[MAX_PATH] = _T(""); DWORD LineNumber = 0; if(bSymInitialized) { if(!j_StackWalk( IMAGE_FILE_MACHINE_I386, hProcess, hThread, &StackFrame, pContext, NULL, j_SymFunctionTableAccess, j_SymGetModuleBase, NULL ) ) break; } else { if(!IntelStackWalk( IMAGE_FILE_MACHINE_I386, hProcess, hThread, &StackFrame, pContext, NULL, NULL, NULL, NULL ) ) break; } // Basic sanity check to make sure the frame is OK. Bail if not. if ( 0 == StackFrame.AddrFrame.Offset ) break; if(0) { rprintf( _T("%08lX %08lX %08lX %08lX\r\n"), StackFrame.AddrPC.Offset, StackFrame.AddrReturn.Offset, StackFrame.AddrFrame.Offset, StackFrame.AddrStack.Offset ); rprintf( _T("%08lX %08lX %08lX %08lX\r\n"), StackFrame.Params[0], StackFrame.Params[1], StackFrame.Params[2], StackFrame.Params[3] ); } rprintf( _T("%08lX"), StackFrame.AddrPC.Offset); if((hModule = (HMODULE) GetModuleBase(StackFrame.AddrPC.Offset)) && GetModuleFileName(hModule, szModule, sizeof(szModule))) { #ifndef HAVE_BFD rprintf( _T(" %s:ModulBase %08lX"), szModule, hModule); #else /* HAVE_BFD */ rprintf( _T(" %s:%08lX"), szModule, StackFrame.AddrPC.Offset); if(hModule != hPrevModule) { if(syms) { GlobalFree(syms); syms = NULL; symcount = 0; } if(abfd) bfd_close(abfd); if((abfd = bfd_openr (szModule, NULL))) if(bfd_check_format(abfd, bfd_object)) { bfd_vma adjust_section_vma = 0; /* If we are adjusting section VMA's, change them all now. Changing the BFD information is a hack. However, we must do it, or bfd_find_nearest_line will not do the right thing. */ if ((adjust_section_vma = (bfd_vma) hModule - pe_data(abfd)->pe_opthdr.ImageBase)) { asection *s; for (s = abfd->sections; s != NULL; s = s->next) { s->vma += adjust_section_vma; s->lma += adjust_section_vma; } } if(bfd_get_file_flags(abfd) & HAS_SYMS) /* Read in the symbol table. */ slurp_symtab(abfd, &syms, &symcount); } } if(!bSuccess && abfd && syms && symcount) if((bSuccess = BfdGetSymFromAddr(abfd, syms, symcount, StackFrame.AddrPC.Offset, szSymName, 512))) { /* framepointer = StackFrame.AddrFrame.Offset; hprocess = hProcess; */ BfdDemangleSymName(szSymName, szSymName, 512); rprintf( _T(" %s"), szSymName); if(BfdGetLineFromAddr(abfd, syms, symcount, StackFrame.AddrPC.Offset, szFileName, MAX_PATH, &LineNumber)) rprintf( _T(" %s:%ld"), szFileName, LineNumber); } #endif /* HAVE_BFD */ if(!bSuccess && bSymInitialized) if((bSuccess = ImagehlpGetSymFromAddr(hProcess, StackFrame.AddrPC.Offset, szSymName, 512))) { rprintf( _T(" %s"), szSymName); ImagehlpDemangleSymName(szSymName, szSymName, 512); if(ImagehlpGetLineFromAddr(hProcess, StackFrame.AddrPC.Offset, szFileName, MAX_PATH, &LineNumber)) rprintf( _T(" %s:%ld"), szFileName, LineNumber); } if(!bSuccess) if((bSuccess = PEGetSymFromAddr(hProcess, StackFrame.AddrPC.Offset, szSymName, 512))) rprintf( _T(" %s"), szSymName); } rprintf(_T("\r\n")); } #ifdef HAVE_BFD if(syms) { GlobalFree(syms); syms = NULL; symcount = 0; } if(abfd) bfd_close(abfd); #endif /* HAVE_BFD */ if(bSymInitialized) { if(!j_SymCleanup(hProcess)) assert(0); bSymInitialized = FALSE; } return TRUE; }
static BOOL PEGetSymFromAddr(HANDLE hProcess, DWORD dwAddress, LPTSTR lpSymName, DWORD nSize) { HMODULE hModule; PIMAGE_NT_HEADERS pNtHdr; IMAGE_NT_HEADERS NtHdr; PIMAGE_SECTION_HEADER pSection; DWORD dwNearestAddress = 0, dwNearestName; int i; if(!(hModule = (HMODULE) GetModuleBase(dwAddress))) return FALSE; { PIMAGE_DOS_HEADER pDosHdr; LONG e_lfanew; // Point to the DOS header in memory pDosHdr = (PIMAGE_DOS_HEADER)hModule; // From the DOS header, find the NT (PE) header if(!ReadProcessMemory(hProcess, &pDosHdr->e_lfanew, &e_lfanew, sizeof(e_lfanew), NULL)) return FALSE; pNtHdr = (PIMAGE_NT_HEADERS)((DWORD)hModule + (DWORD)e_lfanew); if(!ReadProcessMemory(hProcess, pNtHdr, &NtHdr, sizeof(IMAGE_NT_HEADERS), NULL)) return FALSE; } pSection = (PIMAGE_SECTION_HEADER) ((DWORD)pNtHdr + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + NtHdr.FileHeader.SizeOfOptionalHeader); // Look for export section for (i = 0; i < NtHdr.FileHeader.NumberOfSections; i++, pSection++) { IMAGE_SECTION_HEADER Section; PIMAGE_EXPORT_DIRECTORY pExportDir = NULL; BYTE ExportSectionName[IMAGE_SIZEOF_SHORT_NAME] = {'.', 'e', 'd', 'a', 't', 'a', '\0', '\0'}; if(!ReadProcessMemory(hProcess, pSection, &Section, sizeof(IMAGE_SECTION_HEADER), NULL)) return FALSE; if(memcmp(Section.Name, ExportSectionName, IMAGE_SIZEOF_SHORT_NAME) == 0) pExportDir = (PIMAGE_EXPORT_DIRECTORY) Section.VirtualAddress; else if ((NtHdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress >= Section.VirtualAddress) && (NtHdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress < (Section.VirtualAddress + Section.SizeOfRawData))) pExportDir = (PIMAGE_EXPORT_DIRECTORY) NtHdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; if(pExportDir) { IMAGE_EXPORT_DIRECTORY ExportDir; if(!ReadProcessMemory(hProcess, (PVOID)((DWORD)hModule + (DWORD)pExportDir), &ExportDir, sizeof(IMAGE_EXPORT_DIRECTORY), NULL)) return FALSE; { PDWORD *AddressOfFunctions = alloca(ExportDir.NumberOfFunctions*sizeof(PDWORD)); int j; if(!ReadProcessMemory(hProcess, (PVOID)((DWORD)hModule + (DWORD)ExportDir.AddressOfFunctions), AddressOfFunctions, ExportDir.NumberOfFunctions*sizeof(PDWORD), NULL)) return FALSE; for(j = 0; j < ExportDir.NumberOfNames; ++j) { DWORD pFunction = (DWORD)hModule + (DWORD)AddressOfFunctions[j]; //ReadProcessMemory(hProcess, (DWORD) hModule + (DWORD) (&ExportDir.AddressOfFunctions[j]), &pFunction, sizeof(pFunction), NULL); if(pFunction <= dwAddress && pFunction > dwNearestAddress) { dwNearestAddress = pFunction; if(!ReadProcessMemory(hProcess, (PVOID)((DWORD)hModule + (DWORD)(&ExportDir.AddressOfNames)[j]), &dwNearestName, sizeof(dwNearestName), NULL)) return FALSE; dwNearestName = (DWORD) hModule + dwNearestName; } } } } } if(!dwNearestAddress) return FALSE; if(!ReadProcessMemory(hProcess, (PVOID)dwNearestName, lpSymName, nSize, NULL)) return FALSE; lpSymName[nSize - 1] = 0; return TRUE; }
HRESULT LLDBServices::GetModuleNames( ULONG index, ULONG64 base, PSTR imageNameBuffer, ULONG imageNameBufferSize, PULONG imageNameSize, PSTR moduleNameBuffer, ULONG moduleNameBufferSize, PULONG moduleNameSize, PSTR loadedImageNameBuffer, ULONG loadedImageNameBufferSize, PULONG loadedImageNameSize) { lldb::SBTarget target; lldb::SBFileSpec fileSpec; HRESULT hr = S_OK; target = m_debugger.GetSelectedTarget(); if (!target.IsValid()) { hr = E_FAIL; goto exit; } if (index != DEBUG_ANY_ID) { lldb::SBModule module = target.GetModuleAtIndex(index); if (module.IsValid()) { fileSpec = module.GetFileSpec(); } } else { int numModules = target.GetNumModules(); for (int mi = 0; mi < numModules; mi++) { lldb::SBModule module = target.GetModuleAtIndex(mi); if (module.IsValid()) { ULONG64 moduleBase = GetModuleBase(target, module); if (base == moduleBase) { fileSpec = module.GetFileSpec(); break; } } } } if (!fileSpec.IsValid()) { hr = E_FAIL; goto exit; } exit: if (imageNameBuffer) { int size = fileSpec.GetPath(imageNameBuffer, imageNameBufferSize); if (imageNameSize) { *imageNameSize = size; } } if (moduleNameBuffer) { const char *fileName = fileSpec.GetFilename(); if (fileName == NULL) { fileName = ""; } stpncpy(moduleNameBuffer, fileName, moduleNameBufferSize); if (moduleNameSize) { *moduleNameSize = strlen(fileName); } } if (loadedImageNameBuffer) { int size = fileSpec.GetPath(loadedImageNameBuffer, loadedImageNameBufferSize); if (loadedImageNameSize) { *loadedImageNameSize = size; } } return hr; }