?? dbghelp.h
字號:
// Address of the kernel function that calls out to user mode
//
DWORD64 KiCallUserMode;
//
// Address of the user mode dispatcher function
//
DWORD64 KeUserCallbackDispatcher;
//
// Lowest kernel mode address
//
DWORD64 SystemRangeStart;
DWORD64 Reserved[8];
} KDHELP64, *PKDHELP64;
#if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64)
#define KDHELP KDHELP64
#define PKDHELP PKDHELP64
#else
typedef struct _KDHELP {
//
// address of kernel thread object, as provided in the
// WAIT_STATE_CHANGE packet.
//
DWORD Thread;
//
// offset in thread object to pointer to the current callback frame
// in kernel stack.
//
DWORD ThCallbackStack;
//
// offsets to values in frame:
//
// address of next callback frame
DWORD NextCallback;
// address of saved frame pointer (if applicable)
DWORD FramePointer;
//
// Address of the kernel function that calls out to user mode
//
DWORD KiCallUserMode;
//
// Address of the user mode dispatcher function
//
DWORD KeUserCallbackDispatcher;
//
// Lowest kernel mode address
//
DWORD SystemRangeStart;
//
// offset in thread object to pointer to the current callback backing
// store frame in kernel stack.
//
DWORD ThCallbackBStore;
DWORD Reserved[8];
} KDHELP, *PKDHELP;
__inline
void
KdHelp32To64(
PKDHELP p32,
PKDHELP64 p64
)
{
p64->Thread = p32->Thread;
p64->ThCallbackStack = p32->ThCallbackStack;
p64->NextCallback = p32->NextCallback;
p64->FramePointer = p32->FramePointer;
p64->KiCallUserMode = p32->KiCallUserMode;
p64->KeUserCallbackDispatcher = p32->KeUserCallbackDispatcher;
p64->SystemRangeStart = p32->SystemRangeStart;
}
#endif
typedef struct _tagSTACKFRAME64 {
ADDRESS64 AddrPC; // program counter
ADDRESS64 AddrReturn; // return address
ADDRESS64 AddrFrame; // frame pointer
ADDRESS64 AddrStack; // stack pointer
ADDRESS64 AddrBStore; // backing store pointer
PVOID FuncTableEntry; // pointer to pdata/fpo or NULL
DWORD64 Params[4]; // possible arguments to the function
BOOL Far; // WOW far call
BOOL Virtual; // is this a virtual frame?
DWORD64 Reserved[3];
KDHELP64 KdHelp;
} STACKFRAME64, *LPSTACKFRAME64;
#if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64)
#define STACKFRAME STACKFRAME64
#define LPSTACKFRAME LPSTACKFRAME64
#else
typedef struct _tagSTACKFRAME {
ADDRESS AddrPC; // program counter
ADDRESS AddrReturn; // return address
ADDRESS AddrFrame; // frame pointer
ADDRESS AddrStack; // stack pointer
PVOID FuncTableEntry; // pointer to pdata/fpo or NULL
DWORD Params[4]; // possible arguments to the function
BOOL Far; // WOW far call
BOOL Virtual; // is this a virtual frame?
DWORD Reserved[3];
KDHELP KdHelp;
ADDRESS AddrBStore; // backing store pointer
} STACKFRAME, *LPSTACKFRAME;
#endif
typedef
BOOL
(__stdcall *PREAD_PROCESS_MEMORY_ROUTINE64)(
HANDLE hProcess,
DWORD64 qwBaseAddress,
PVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesRead
);
typedef
PVOID
(__stdcall *PFUNCTION_TABLE_ACCESS_ROUTINE64)(
HANDLE hProcess,
DWORD64 AddrBase
);
typedef
DWORD64
(__stdcall *PGET_MODULE_BASE_ROUTINE64)(
HANDLE hProcess,
DWORD64 Address
);
typedef
DWORD64
(__stdcall *PTRANSLATE_ADDRESS_ROUTINE64)(
HANDLE hProcess,
HANDLE hThread,
LPADDRESS64 lpaddr
);
BOOL
IMAGEAPI
StackWalk64(
DWORD MachineType,
HANDLE hProcess,
HANDLE hThread,
LPSTACKFRAME64 StackFrame,
PVOID ContextRecord,
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine,
PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress
);
#if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64)
#define PREAD_PROCESS_MEMORY_ROUTINE PREAD_PROCESS_MEMORY_ROUTINE64
#define PFUNCTION_TABLE_ACCESS_ROUTINE PFUNCTION_TABLE_ACCESS_ROUTINE64
#define PGET_MODULE_BASE_ROUTINE PGET_MODULE_BASE_ROUTINE64
#define PTRANSLATE_ADDRESS_ROUTINE PTRANSLATE_ADDRESS_ROUTINE64
#define StackWalk StackWalk64
#else
typedef
BOOL
(__stdcall *PREAD_PROCESS_MEMORY_ROUTINE)(
HANDLE hProcess,
DWORD lpBaseAddress,
PVOID lpBuffer,
DWORD nSize,
PDWORD lpNumberOfBytesRead
);
typedef
PVOID
(__stdcall *PFUNCTION_TABLE_ACCESS_ROUTINE)(
HANDLE hProcess,
DWORD AddrBase
);
typedef
DWORD
(__stdcall *PGET_MODULE_BASE_ROUTINE)(
HANDLE hProcess,
DWORD Address
);
typedef
DWORD
(__stdcall *PTRANSLATE_ADDRESS_ROUTINE)(
HANDLE hProcess,
HANDLE hThread,
LPADDRESS lpaddr
);
BOOL
IMAGEAPI
StackWalk(
DWORD MachineType,
HANDLE hProcess,
HANDLE hThread,
LPSTACKFRAME StackFrame,
PVOID ContextRecord,
PREAD_PROCESS_MEMORY_ROUTINE ReadMemoryRoutine,
PFUNCTION_TABLE_ACCESS_ROUTINE FunctionTableAccessRoutine,
PGET_MODULE_BASE_ROUTINE GetModuleBaseRoutine,
PTRANSLATE_ADDRESS_ROUTINE TranslateAddress
);
#endif
#define API_VERSION_NUMBER 9
typedef struct API_VERSION {
USHORT MajorVersion;
USHORT MinorVersion;
USHORT Revision;
USHORT Reserved;
} API_VERSION, *LPAPI_VERSION;
LPAPI_VERSION
IMAGEAPI
ImagehlpApiVersion(
VOID
);
LPAPI_VERSION
IMAGEAPI
ImagehlpApiVersionEx(
LPAPI_VERSION AppVersion
);
DWORD
IMAGEAPI
GetTimestampForLoadedLibrary(
HMODULE Module
);
//
// typedefs for function pointers
//
typedef BOOL
(CALLBACK *PSYM_ENUMMODULES_CALLBACK64)(
PSTR ModuleName,
DWORD64 BaseOfDll,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PSYM_ENUMSYMBOLS_CALLBACK64)(
PSTR SymbolName,
DWORD64 SymbolAddress,
ULONG SymbolSize,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PSYM_ENUMSYMBOLS_CALLBACK64W)(
PWSTR SymbolName,
DWORD64 SymbolAddress,
ULONG SymbolSize,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PENUMLOADED_MODULES_CALLBACK64)(
PSTR ModuleName,
DWORD64 ModuleBase,
ULONG ModuleSize,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PSYMBOL_REGISTERED_CALLBACK64)(
HANDLE hProcess,
ULONG ActionCode,
ULONG64 CallbackData,
ULONG64 UserContext
);
typedef
PVOID
(CALLBACK *PSYMBOL_FUNCENTRY_CALLBACK)(
HANDLE hProcess,
DWORD AddrBase,
PVOID UserContext
);
typedef
PVOID
(CALLBACK *PSYMBOL_FUNCENTRY_CALLBACK64)(
HANDLE hProcess,
ULONG64 AddrBase,
ULONG64 UserContext
);
#if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64)
#define PSYM_ENUMMODULES_CALLBACK PSYM_ENUMMODULES_CALLBACK64
#define PSYM_ENUMSYMBOLS_CALLBACK PSYM_ENUMSYMBOLS_CALLBACK64
#define PSYM_ENUMSYMBOLS_CALLBACKW PSYM_ENUMSYMBOLS_CALLBACK64W
#define PENUMLOADED_MODULES_CALLBACK PENUMLOADED_MODULES_CALLBACK64
#define PSYMBOL_REGISTERED_CALLBACK PSYMBOL_REGISTERED_CALLBACK64
#define PSYMBOL_FUNCENTRY_CALLBACK PSYMBOL_FUNCENTRY_CALLBACK64
#else
typedef BOOL
(CALLBACK *PSYM_ENUMMODULES_CALLBACK)(
PSTR ModuleName,
ULONG BaseOfDll,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PSYM_ENUMSYMBOLS_CALLBACK)(
PSTR SymbolName,
ULONG SymbolAddress,
ULONG SymbolSize,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PSYM_ENUMSYMBOLS_CALLBACKW)(
PWSTR SymbolName,
ULONG SymbolAddress,
ULONG SymbolSize,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PENUMLOADED_MODULES_CALLBACK)(
PSTR ModuleName,
ULONG ModuleBase,
ULONG ModuleSize,
PVOID UserContext
);
typedef BOOL
(CALLBACK *PSYMBOL_REGISTERED_CALLBACK)(
HANDLE hProcess,
ULONG ActionCode,
PVOID CallbackData,
PVOID UserContext
);
#endif
//
// flags found in SYMBOL_INFO.Flags
//
#define SYMFLAG_VALUEPRESENT 0x00000001
#define SYMFLAG_REGISTER 0x00000008
#define SYMFLAG_REGREL 0x00000010
#define SYMFLAG_FRAMEREL 0x00000020
#define SYMFLAG_PARAMETER 0x00000040
#define SYMFLAG_LOCAL 0x00000080
#define SYMFLAG_CONSTANT 0x00000100
#define SYMFLAG_EXPORT 0x00000200
#define SYMFLAG_FORWARDER 0x00000400
#define SYMFLAG_FUNCTION 0x00000800
#define SYMFLAG_VIRTUAL 0x00001000
#define SYMFLAG_THUNK 0x00002000
#define SYMFLAG_TLSREL 0x00004000
//
// symbol type enumeration
//
typedef enum {
SymNone = 0,
SymCoff,
SymCv,
SymPdb,
SymExport,
SymDeferred,
SymSym, // .sym file
SymDia,
SymVirtual,
NumSymTypes
} SYM_TYPE;
//
// symbol data structure
//
typedef struct _IMAGEHLP_SYMBOL64 {
DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_SYMBOL64)
DWORD64 Address; // virtual address including dll base address
DWORD Size; // estimated size of symbol, can be zero
DWORD Flags; // info about the symbols, see the SYMF defines
DWORD MaxNameLength; // maximum size of symbol name in 'Name'
CHAR Name[1]; // symbol name (null terminated string)
} IMAGEHLP_SYMBOL64, *PIMAGEHLP_SYMBOL64;
typedef struct _IMAGEHLP_SYMBOL64_PACKAGE {
IMAGEHLP_SYMBOL64 sym;
CHAR name[MAX_SYM_NAME + 1];
} IMAGEHLP_SYMBOL64_PACKAGE, *PIMAGEHLP_SYMBOL64_PACKAGE;
#if !defined(_IMAGEHLP_SOURCE_) && defined(_IMAGEHLP64)
#define IMAGEHLP_SYMBOL IMAGEHLP_SYMBOL64
#define PIMAGEHLP_SYMBOL PIMAGEHLP_SYMBOL64
#define IMAGEHLP_SYMBOL_PACKAGE IMAGEHLP_SYMBOL64_PACKAGE
#define PIMAGEHLP_SYMBOL_PACKAGE PIMAGEHLP_SYMBOL64_PACKAGE
#else
typedef struct _IMAGEHLP_SYMBOL {
DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_SYMBOL)
DWORD Address; // virtual address including dll base address
DWORD Size; // estimated size of symbol, can be zero
DWORD Flags; // info about the symbols, see the SYMF defines
DWORD MaxNameLength; // maximum size of symbol name in 'Name'
CHAR Name[1]; // symbol name (null terminated string)
} IMAGEHLP_SYMBOL, *PIMAGEHLP_SYMBOL;
typedef struct _IMAGEHLP_SYMBOL_PACKAGE {
IMAGEHLP_SYMBOL sym;
CHAR name[MAX_SYM_NAME + 1];
} IMAGEHLP_SYMBOL_PACKAGE, *PIMAGEHLP_SYMBOL_PACKAGE;
#endif
//
// module data structure
//
typedef struct _IMAGEHLP_MODULE64 {
DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE64)
DWORD64 BaseOfImage; // base load address of module
DWORD ImageSize; // virtual size of the loaded module
DWORD TimeDateStamp; // date/time stamp from pe header
DWORD CheckSum; // checksum from the pe header
DWORD NumSyms; // number of symbols in the symbol table
SYM_TYPE SymType; // type of symbols loaded
CHAR ModuleName[32]; // module name
CHAR ImageName[256]; // image name
CHAR LoadedImageName[256]; // symbol file name
} IMAGEHLP_MODULE64, *PIMAGEHLP_MODULE64;
typedef struct _IMAGEHLP_MODULE64W {
DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE64)
DWORD64 BaseOfImage; // base load address of module
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -