#include "stdafx.h"
/*
本意是想获取未公开的变量和函数的信息的.
结果获取的全是公开的.
获取的信息不及windbg(x nt!*)的十分之一.
参考:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms679318(v=vs.85).aspx
made by correy
made at 2014.01.20
email:kouleguan at hotmail dot com
homepage:http://correy.webs.com
*/
#include <windows.h>
//#include <stdio.h>
#include <dbghelp.h>
#pragma comment(lib,"Dbghelp.lib")
/// Callback handed to SymEnumSymbols: invoked once per symbol that matches the mask.
/// @param pSymInfo    symbol record; only its Name is printed here.
/// @param SymbolSize  size of the symbol in bytes (not used by this callback).
/// @param UserContext opaque context passed through from SymEnumSymbols (unused).
/// @return TRUE so that dbghelp keeps enumerating; FALSE would stop the walk.
BOOL CALLBACK EnumSymProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    UNREFERENCED_PARAMETER(UserContext);
    // The richer form  printf("%p %4u %s\n", pSymInfo->Address, SymbolSize, pSymInfo->Name)
    // was observed to make SymEnumSymbols fail; NOTE(review): most likely because
    // Address is a 64-bit value and "%p"/"%4u" do not match the vararg widths, which
    // corrupts the argument list — confirm before re-enabling it with proper specifiers.
    (void)SymbolSize;
    // puts() appends the newline, identical output to printf("%s\n", ...).
    puts(pSymInfo->Name);
    return TRUE;
}
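/// Loads the kernel image from the system directory into dbghelp and prints the
/// name of every symbol it can resolve (with no PDB available these are the
/// exported/public symbols only, which is why the output is far smaller than
/// windbg's "x nt!*").
///
/// Fixes relative to the original: standard `int main` with an exit status,
/// the GetSystemDirectoryA result is checked before the file name is appended,
/// the error code from SymLoadModuleEx is reported instead of stored in an unused
/// local, the mask is a `const char*` (a string literal is not writable), and the
/// DWORD error codes are printed with "%lu".
///
/// @return 0 on success, 1 if any dbghelp or path step fails.
int main()
{
    HANDLE hProcess = GetCurrentProcess();
    // NULL search path: dbghelp falls back to its defaults (including the
    // _NT_SYMBOL_PATH environment variable, if set). FALSE: do not enumerate the
    // modules already loaded in this process; only the kernel image is wanted.
    if (!SymInitialize(hProcess, NULL, FALSE)) {
        printf("SymInitialize failed: %lu\n", GetLastError());
        return 1;
    }

    // Build "<system dir>\ntoskrnl.exe". GetSystemDirectoryA returns 0 on failure
    // and the required size (including the terminator) when the buffer is too
    // small; either case must be rejected before appending into FileName.
    static const char kKernelImage[] = "\\ntoskrnl.exe"; // ntkrnlmp.exe ntoskrnl.exe ntkrnlpa.exe
    char FileName[MAX_PATH] = {0};
    UINT len = GetSystemDirectoryA(FileName, sizeof(FileName));
    if (len == 0) {
        printf("GetSystemDirectoryA failed: %lu\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }
    // sizeof(kKernelImage) already counts the terminating NUL.
    if (len + sizeof(kKernelImage) > sizeof(FileName)) {
        printf("system directory path too long for buffer\n");
        SymCleanup(hProcess);
        return 1;
    }
    lstrcatA(FileName, kKernelImage);

    DWORD64 BaseOfDll = SymLoadModuleEx(hProcess, NULL, FileName, NULL, 0, 0, NULL, 0);
    if (BaseOfDll == 0) {
        printf("SymLoadModuleEx failed: %lu\n", GetLastError());
        SymCleanup(hProcess); // every successful SymInitialize needs a matching SymCleanup
        return 1;
    }

    const char *Mask = "*"; // e.g. "PspCreateProcessNotifyRoutine", or "*" for everything
    int rc = 0;
    if (SymEnumSymbols(hProcess,   // process handle from SymInitialize
                       BaseOfDll,  // base address of the loaded module
                       Mask,       // name pattern to match
                       EnumSymProc,// per-symbol callback
                       NULL))      // user context
    {
        // SymEnumSymbols returns only after EnumSymProc has run for every match.
        printf("SymEnumSymbols succeeded\n");
    } else {
        printf("SymEnumSymbols failed: %lu\n", GetLastError());
        rc = 1;
    }
    SymCleanup(hProcess);
    return rc;
}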