syedatharhussain
Visitor
- Messages
- 12
- Reactions
- 3
Put dbghelp.dll, symsrv.dll and symsrv.yes from the Windows Debugging Kit (look in C:\Windows Kits\N\Debuggers\[x86 or x64]\) into the folder with your *.exe/*.dll.
C++:
#include <windows.h>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>
#include "SymParser.h"

int wmain()
{
    try {
        // Initializes DbgHelp (dbghelp.dll/symsrv.dll must sit next to the executable):
        SymParser Parser;
        if (!Parser.IsInitialized())
            throw std::runtime_error("Unable to initialize DbgHelp!");

        // Download the module's PDB (through symsrv) and load it into the parser:
        Parser.LoadModule(L"C:\\Windows\\System32\\ntoskrnl.exe");

        // Dump the structure you want:
        SymParser::SYM_INFO Info = {};
        Parser.DumpSymbol(L"_EPROCESS", Info);

        // Print it as a C struct:
        std::wcout << L"typedef struct " << Info.Name << L" {" << std::endl;
        for (const auto& Entry : Info.Entries) {
            std::wcout << L"    /* " << Entry.Offset << L" */ " << Entry.TypeName << L" " << Entry.Name;
            if (Entry.ElementsCount > 1) std::wcout << L"[" << Entry.ElementsCount << L"]"; // Array member
            if (Entry.IsBitField) std::wcout << L" : " << Entry.BitPosition;                  // Bit-field member
            std::wcout << std::endl;
        }
        std::wcout << L"};" << std::endl;

        // Or obtain the offset of an unexported function:
        SymParser::SYM_INFO FuncInfo = {};
        Parser.DumpSymbol(L"ZwQueryVirtualMemory", FuncInfo);
        std::wcout << L"ZwQueryVirtualMemory offset = 0x" << std::hex << FuncInfo.Offset << std::endl;
    }
    catch (const std::exception& Ex) {
        std::cerr << Ex.what() << std::endl;
        return 1;
    }
    return 0;
}
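Added example (my own code, not the poster's and not part of SymParser): the PDB that `LoadModule` downloads is located by symsrv from the module's CodeView `RSDS` debug record, which holds the `RSDS` signature, the PDB GUID, an age counter and the PDB file name; DbgHelp turns these into the symbol-store path `<pdb>/<GUID><age>/<pdb>`. The Python below parses such a record and builds that path, which is useful for checking which symbols a binary needs or for pre-fetching them into an offline symbol store before running a tool like the one above. The image bytes and the GUID are constructed sample values, not taken from a real ntoskrnl, and the `RSDS` search is a byte scan rather than a walk of the PE debug directory.

```python
import struct
import uuid
from typing import List, Optional, Tuple

# CodeView RSDS record header: signature, GUID (Windows little-endian field layout), age.
RSDS_HEADER = struct.Struct("<4s16sI")

RsdsRecord = Tuple[uuid.UUID, int, str]


def parse_rsds(blob: bytes) -> Optional[RsdsRecord]:
    """Parse one RSDS record starting at blob[0]; return (guid, age, pdb_name) or None."""
    if len(blob) < RSDS_HEADER.size:
        return None
    signature, guid_le, age = RSDS_HEADER.unpack_from(blob, 0)
    if signature != b"RSDS":
        return None
    # The PDB path is a NUL-terminated string right after the header.
    end = blob.find(b"\0", RSDS_HEADER.size)
    if end == -1:
        return None
    pdb_name = blob[RSDS_HEADER.size:end].decode("utf-8", errors="replace")
    return uuid.UUID(bytes_le=guid_le), age, pdb_name


def symbol_store_path(guid: uuid.UUID, age: int, pdb_name: str) -> str:
    """Build the symbol-server lookup path: <file>/<GUID as 32 upper hex><age as hex>/<file>."""
    # Only the file name is used; the record may carry the build machine's full path.
    base = pdb_name.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{base}/{guid.hex.upper()}{age:X}/{base}"


def find_rsds(image: bytes) -> List[RsdsRecord]:
    """Heuristic scan of a PE image for RSDS records (no PE header walk)."""
    records: List[RsdsRecord] = []
    pos = 0
    while True:
        pos = image.find(b"RSDS", pos)
        if pos == -1:
            break
        record = parse_rsds(image[pos:])
        if record is not None:
            records.append(record)
        pos += 4
    return records


# Constructed sample (not a real kernel image): an MZ stub followed by one RSDS record.
SAMPLE_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
SAMPLE_IMAGE = (
    b"MZ" + b"\0" * 62
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"C:\\build\\ntkrnlmp.pdb\0"
    + b"\0" * 16
)


if __name__ == "__main__":
    for guid, age, name in find_rsds(SAMPLE_IMAGE):
        print(f"PDB {name}  GUID {guid}  age {age}")
        print("symbol store path:", symbol_store_path(guid, age, name))
```

The GUID is stored with its first three fields little-endian, which is why the record is decoded with `uuid.UUID(bytes_le=...)`; reading it as big-endian bytes produces a path the symbol server will never have.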