Exemplo n.º 1
0
const bool Symbols::SymbolFromName(const char * const pName, const SymbolInfo **pFullSymbolInfo)
{
    char pBuffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(char)
        + sizeof(ULONG64) - 1 / sizeof(ULONG64)] = { 0 };
    PSYMBOL_INFO pSymInfo = (PSYMBOL_INFO)pBuffer;
    
    pSymInfo->SizeOfStruct = sizeof(SYMBOL_INFO);
    pSymInfo->MaxNameLen = MAX_SYM_NAME;

    const bool bSuccess = BOOLIFY(SymFromName(m_hProcess, pName, pSymInfo));
    if (!bSuccess)
    {
        fprintf(stderr, "Could not retrieve symbol for name %s. Error = %X.\n",
            pName, GetLastError());
        return false;
    }

    fprintf(stderr, "Symbol found for %s. Name: %.*s. Address: %p. Base address of module: %p\n",
        pName, pSymInfo->NameLen, pSymInfo->Name, (DWORD_PTR)pSymInfo->Address,
        (DWORD_PTR)pSymInfo->ModBase);

    *pFullSymbolInfo = FindSymbolByAddress((DWORD_PTR)pSymInfo->Address);

    return bSuccess;
}
Exemplo n.º 2
0
    // private
    //-------------------------------------------------------------------------
    Bool Injector::_GetFunctionAddress( UHuge& address, const CHAR* name )
    {
        SYMBOL_INFO symbol = {0};

        // init parameters
        symbol.SizeOfStruct = sizeof(symbol);

        // get address of function
        if( !SymFromName(_process, name, &symbol) || symbol.Address == 0 )
            return false;

        // store address
        address = symbol.Address;
        return true;
    }
Exemplo n.º 3
0
static int find_pe_symbol_by_name(Context * ctx, int frame, ContextAddress ip, char * name, Symbol * sym) {
    HANDLE process = get_context_handle(ctx->parent == NULL ? ctx : ctx->parent);
    ULONG64 buffer[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(TCHAR) + sizeof(ULONG64) - 1) / sizeof(ULONG64)];
    SYMBOL_INFO * info = (SYMBOL_INFO *)buffer;
    IMAGEHLP_STACK_FRAME stack_frame;
    DWORD err;

    if (set_pe_context(ctx, frame, ip, process, &stack_frame) < 0) return -1;

    memset(info, 0, sizeof(SYMBOL_INFO));
    info->SizeOfStruct = sizeof(SYMBOL_INFO);
    info->MaxNameLen = MAX_SYM_NAME;

    if (find_cache_symbol(ctx, frame, stack_frame.InstructionOffset, name, sym)) return errno ? -1 : 0;

    /* TODO: SymFromName() searches only main executable, need to search DLLs too */
    if (SymFromName(process, name, info) && info->Tag != SymTagPublicSymbol) {
        syminfo2symbol(ctx, frame, info, sym);
        add_cache_symbol(ctx, stack_frame.InstructionOffset, name, sym, 0);
        return 0;
    }
    if (stack_frame.InstructionOffset != 0) {
        DWORD64 module = SymGetModuleBase64(process, stack_frame.InstructionOffset);
        if (module != 0 && SymGetTypeFromName(process, module, name, info)) {
            syminfo2symbol(ctx, frame, info, sym);
            add_cache_symbol(ctx, stack_frame.InstructionOffset, name, sym, 0);
            return 0;
        }
    }
    set_win32_errno(err = GetLastError());
    if (err == 0 || err == ERROR_MOD_NOT_FOUND) {
        add_cache_symbol(ctx, stack_frame.InstructionOffset, name, NULL, ERR_SYM_NOT_FOUND);
        errno = ERR_SYM_NOT_FOUND;
    }
    return -1;
}
Exemplo n.º 4
0
int main(int argc, char* argv[])
{
	if (argc != 2)
	{
		printf("\n	*** OffsetToSource by Sasha Goldshtein (blog.sashag.net), (C) 2013 ***\n\n");
		printf("	Usage: OffsetToSource module[.exe|.dll][!function]+0x<offset>\n\n");
		printf("		Example: OffsetToSource myapp!main+0xd0\n");
		printf("		Example: OffsetToSource myapp+0x441d0\n");
		return 2;
	}

	const HANDLE hProcess = GetCurrentProcess();

	SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS | SYMOPT_DEBUG | SYMOPT_LOAD_LINES);

	if (FALSE == SymInitialize(hProcess, NULL, FALSE))
	{
		printf("*** Error initializing symbol engine: 0x%x\n", GetLastError());
		return 1;
	}

	CHAR symbolPath[2048], path[2048];
	GetEnvironmentVariableA("PATH", path, ARRAYSIZE(symbolPath));
	GetEnvironmentVariableA("_NT_SYMBOL_PATH", symbolPath, ARRAYSIZE(symbolPath));
	strcat_s(path, ";.;");
	strcat_s(path, symbolPath);
	SymSetSearchPath(hProcess, path);

	//Parse argv[1] to obtain the module name, symbol name, and offset
	//		Example format:		module!Class::Method+0x40
	//		Another option:		module+0x1000
	BOOL symbolNameSpecified;
	CHAR moduleName[200], symName[200];
	DWORD offset = 0;
	CHAR* bang = strchr(argv[1], '!');
	if (bang != NULL)
	{
		strncpy_s(moduleName, argv[1], bang - argv[1]);
		CHAR* plus = strchr(bang, '+');
		if (plus != NULL)
		{
			strncpy_s(symName, bang + 1, plus - bang - 1);
			sscanf_s(plus + 1, "0x%x", &offset);
		}
		else
		{
			strcpy_s(symName, bang + 1);
		}
		symbolNameSpecified = TRUE;
	}
	else
	{
		CHAR* plus = strchr(argv[1], '+');
		if (plus == NULL)
		{
			printf("*** Invalid input: %s\n", argv[1]);
			return 1;
		}
		strncpy_s(moduleName, argv[1], plus - argv[1]);
		sscanf_s(plus + 1, "0x%x", &offset);
		symbolNameSpecified = FALSE;
	}

	BOOL nakedName = strstr(moduleName, ".dll") == NULL && strstr(moduleName, ".exe") == NULL;
	if (nakedName)
	{
		strcat_s(moduleName, ".dll");
	}
	DWORD64 moduleBase;
	while (0 == (moduleBase = SymLoadModule64(hProcess, NULL, moduleName, NULL, 0, 0)))
	{
		if (nakedName)
		{
			strcpy(strstr(moduleName, ".dll"), ".exe");
			nakedName = FALSE;
			continue;
		}
		printf("*** Error loading symbols: 0x%x\n", GetLastError());
		return 1;
	}

	DWORD64 symbolAddress;
	if (symbolNameSpecified)
	{
		ULONG64 buffer[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(TCHAR) + sizeof(ULONG64) - 1) / sizeof(ULONG64)];
		PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer;
		pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
		pSymbol->MaxNameLen = MAX_SYM_NAME;
		if (FALSE == SymFromName(hProcess, symName, pSymbol))
		{
			printf("*** Error retrieving symbol information for symbol %s: 0x%x\n",
				argv[1], GetLastError());
			return 1;
		}
		symbolAddress = pSymbol->Address + offset;
	}
	else
	{
		symbolAddress = moduleBase + offset;
	}

	DWORD displacement;
	IMAGEHLP_LINE64 line;
	RtlZeroMemory(&line, sizeof(line));
	line.SizeOfStruct = sizeof(line);
	if (FALSE == SymGetLineFromAddr64(hProcess, symbolAddress, &displacement, &line))
	{
		printf("*** Error retrieving source line for %s: 0x%x\n", argv[1], GetLastError());
		return 1;
	}

	printf("%s [0x%I64x] = %s line %d (+0x%x)\n", argv[1], symbolAddress,
		line.FileName, line.LineNumber, displacement);

	SymCleanup(hProcess);

	return 0;
}