
Symbols for kernel addresses


omega_red
December 8th, 2005, 09:50
Let's say I have a driver that exposes any memory region to some user-mode caller. Now, I want to be able to match an arbitrary kernel-mode (code) address with a symbol, i.e. a function name, something like the "ln" command in WinDbg. I know how to get exports from a specific module. I know how to get symbols from a specific PDB file. But there are two questions:

1. For my arbitrary address, I need to know what module it belongs to. I think I can handle it, perhaps by QuerySystemInformation.
2. How to automatically download the matching PDB for this module? If I just request symbols for a DLL (using DbgHelp), it gives me only exports, since there is no debug data in Windows release DLLs. I've found two threads here dealing with the issue from the perspective of SI. Seems like I may be able to download it from my code, but it requires creating HTTP requests with a fake user-agent etc. Is there a simpler way to do it, just using DbgHelp?

Any suggestions?

quasar
December 8th, 2005, 10:32
symsrv.dll?

omega_red
December 8th, 2005, 11:23
OK, stupid mistake (as always) - I didn't have the new dbghelp/symsrv dll in the exe path, so some old version residing in the windows dir was used... It's working now. Next task - finding the proper symbol for some real kernel address...

Code:
#include <windows.h>
#include <stdio.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")   // the matching dbghelp.dll AND symsrv.dll must sit next to the exe, or an old system copy is picked up

// Called once per symbol: address, SYMFLAG_* bits and the (undecorated) name
BOOL CALLBACK EnumSymbolsProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    printf("%08I64x: %08x %s\n", pSymInfo->Address, pSymInfo->Flags, pSymInfo->Name);
    return TRUE;   // keep enumerating
}

int main()
{
    // const char *ModName = "c:\\windows\\system32\\ntdll.dll";
    const char *ModName = "c:\\windows\\system32\\ntoskrnl.exe";
    HANDLE hProc = GetCurrentProcess();
    IMAGEHLP_MODULE64 mi = { sizeof(mi) };

    if (!SymInitialize(hProc, NULL, FALSE))
    {
        printf("SymInitialize failed: %lu\n", GetLastError());
        return -1;
    }
    SymSetOptions(SymGetOptions() | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);
    SymSetOptions(SymGetOptions() & ~SYMOPT_DEFERRED_LOADS);   // load the PDB right away so SymEnumSymbols sees it
    // srv*<local cache>*<server>: symsrv.dll fetches the PDB into d:\dbg\sym on first use
    SymSetSearchPath(hProc, "srv*d:\\dbg\\sym*http://msdl.microsoft.com/download/symbols");

    // BaseOfDll = 0: dbghelp takes the preferred base from the PE header, so enumerated addresses are preferred-base addresses, not live kernel ones
    DWORD64 ModBase = SymLoadModule64(hProc, NULL, ModName, NULL, 0, 0);
    if (ModBase == 0)
    {
        printf("error loading %s: %lu\n", ModName, GetLastError());
        return -1;
    }
    // ModBase is not an HMODULE, so GetTimestampForLoadedLibrary cannot be used on it;
    // SymGetModuleInfo64 gives the timestamp and tells you whether a real PDB came down (SymPdb) or only exports (SymExport)
    SymGetModuleInfo64(hProc, ModBase, &mi);
    printf("%14s %08I64x %08x %s %s\n", ModName, ModBase, mi.TimeDateStamp,
           mi.SymType == SymPdb ? "PDB" : "no PDB", mi.LoadedPdbName);
    SymEnumSymbols(hProc, ModBase, NULL, EnumSymbolsProc, NULL);

    SymUnloadModule64(hProc, ModBase);
    SymCleanup(hProc);
    MessageBox(0, 0, 0, 0);   // crude pause so the console window stays open
    return 0;
}
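The two steps from the first post (which module owns the address, then which symbol in it) and the "next task" from the last one, as an added example that is not code from the thread. The lookup logic (module range test, nearest-symbol-at-or-below with displacement, "module!symbol+0xNN" formatting) is portable C and is exercised against constructed sample tables; the Windows-only part under _WIN32 gets the live kernel module list from NtQuerySystemInformation(SystemModuleInformation), loads the module's symbols at its real kernel base instead of 0, and lets SymFromAddr do the ln. Assumptions: the c:\symbols cache path, the RTL_PROCESS_MODULES layout defined in the code (undocumented), and that the process is allowed to query the module list; the sample addresses and symbol names are made up.

```c
/* kln.c: WinDbg "ln"-style lookup for a kernel-mode address. Added example, not code from the thread.
 * The lookup logic is portable C; the live part (NtQuerySystemInformation + DbgHelp) is under _WIN32.
 * Assumptions: the c:\symbols cache path and the SystemModuleInformation layout defined below. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { uint64_t base; uint32_t size; char name[256]; } kmod_t; /* one loaded kernel module */
typedef struct { uint64_t addr; char name[64]; } ksym_t;                  /* one symbol as SymEnumSymbols reports it */

/* Step 1 of the question: which module contains addr? NULL if none (end of image is exclusive). */
static const kmod_t *find_module(const kmod_t *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return &mods[i];
    return NULL;
}

/* Step 2, what ln does: nearest symbol at or below addr that lies inside module m; *disp gets the displacement. */
static const ksym_t *nearest_symbol(const ksym_t *syms, size_t n, const kmod_t *m, uint64_t addr, uint64_t *disp)
{
    const ksym_t *best = NULL;       /* linear scan, so the table may be unsorted; sort + bsearch for big tables */
    for (size_t i = 0; i < n; i++)   /* the m->base check stops a lower module's last symbol from matching */
        if (syms[i].addr <= addr && syms[i].addr >= m->base && (!best || syms[i].addr > best->addr))
            best = &syms[i];
    if (best && disp) *disp = addr - best->addr;
    return best;
}

/* Formats "module!symbol+0xNN", or "module+0xNN" when no symbol is known. Returns 0 if addr is in no module. */
static int format_ln(char *out, size_t cap, const kmod_t *mods, size_t nm, const ksym_t *syms, size_t ns, uint64_t addr)
{
    uint64_t disp = 0;
    const kmod_t *m = find_module(mods, nm, addr);
    if (!m) { snprintf(out, cap, "%016llx: not in any module", (unsigned long long)addr); return 0; }
    const ksym_t *s = nearest_symbol(syms, ns, m, addr, &disp);
    if (s) snprintf(out, cap, "%s!%s+0x%llx", m->name, s->name, (unsigned long long)disp);
    else   snprintf(out, cap, "%s+0x%llx", m->name, (unsigned long long)(addr - m->base));
    return 1;
}

/* Constructed sample tables (not real kernel addresses) so the lookup can be exercised on any platform. */
static const kmod_t sample_mods[] = { {0xFFFFF80000400000ULL, 0x600000, "nt"}, {0xFFFFF88001000000ULL, 0x20000, "hal"} };
static const ksym_t sample_syms[] = { {0xFFFFF80000401000ULL, "KiSystemStartup"}, {0xFFFFF80000401230ULL, "KeBugCheckEx"},
                                      {0xFFFFF88001001000ULL, "HalInitSystem"} };
const char *demo_ln(uint64_t addr)   /* ln against the sample tables; returns a static buffer */
{
    static char out[512];
    format_ln(out, sizeof out, sample_mods, 2, sample_syms, 3, addr);
    return out;
}

#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
#define SystemModuleInformation 11   /* undocumented class; RTL_MOD mirrors RTL_PROCESS_MODULE_INFORMATION */
typedef struct { HANDLE Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex;
                 USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256]; } RTL_MOD;
typedef struct { ULONG NumberOfModules; RTL_MOD Modules[1]; } RTL_MODS;
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Fills mods[] from the live kernel module list (base, size, NT path); returns the count. */
static size_t enum_kernel_modules(kmod_t *mods, size_t cap)
{
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    ULONG len = 0; size_t n = 0;
    NtQSI(SystemModuleInformation, NULL, 0, &len);        /* first call only reports the size needed */
    RTL_MODS *list = (RTL_MODS *)malloc(len);
    if (!list || NtQSI(SystemModuleInformation, list, len, &len) < 0) { free(list); return 0; }
    for (ULONG i = 0; i < list->NumberOfModules && n < cap; i++, n++) {
        mods[n].base = (uint64_t)(ULONG_PTR)list->Modules[i].ImageBase;
        mods[n].size = list->Modules[i].ImageSize;
        snprintf(mods[n].name, sizeof mods[n].name, "%s", (const char *)list->Modules[i].FullPathName);
    }
    free(list); return n;
}

/* Loads the module's symbols at its real kernel base (the thread's code passes 0) and lets DbgHelp do the ln. */
static int resolve_with_dbghelp(HANDLE hProc, const kmod_t *m, uint64_t addr, char *out, size_t cap)
{
    char env[MAX_PATH], path[MAX_PATH];
    ULONG64 buf[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME + 7) / 8];   /* SYMBOL_INFO plus room for the name */
    if (_strnicmp(m->name, "\\SystemRoot\\", 12) == 0) snprintf(env, sizeof env, "%%SystemRoot%%\\%s", m->name + 12);
    else snprintf(env, sizeof env, "%s", m->name);       /* NT path -> Win32 path so the image can be opened */
    ExpandEnvironmentStringsA(env, path, sizeof path);
    if (!SymLoadModule64(hProc, NULL, path, NULL, m->base, m->size)) return 0;
    SYMBOL_INFO *si = (SYMBOL_INFO *)buf; si->SizeOfStruct = sizeof(SYMBOL_INFO); si->MaxNameLen = MAX_SYM_NAME;
    DWORD64 disp = 0;
    if (!SymFromAddr(hProc, addr, &disp, si)) return 0;   /* with no PDB fetched you get exports only */
    snprintf(out, cap, "%s+0x%llx", si->Name, (unsigned long long)disp);
    return 1;
}
#endif

int main(int argc, char **argv)
{
    (void)argc; (void)argv;
#ifdef _WIN32
    uint64_t addr = argc > 1 ? strtoull(argv[1], NULL, 16) : 0;
    static kmod_t mods[1024]; size_t nm = enum_kernel_modules(mods, 1024);
    const kmod_t *m = find_module(mods, nm, addr);
    if (!m) { printf("%016llx: not in any loaded kernel module\n", (unsigned long long)addr); return 1; }
    HANDLE hProc = GetCurrentProcess(); char out[512];
    SymInitialize(hProc, "srv*c:\\symbols*http://msdl.microsoft.com/download/symbols", FALSE);
    if (resolve_with_dbghelp(hProc, m, addr, out, sizeof out)) printf("%s  (%s+0x%llx)\n", out, m->name, (unsigned long long)(addr - m->base));
    else printf("%s+0x%llx  (no symbols, error %lu)\n", m->name, (unsigned long long)(addr - m->base), GetLastError());
    SymCleanup(hProc);
#else
    puts(demo_ln(0xFFFFF80000401248ULL));   /* nt!KeBugCheckEx+0x18 */
#endif
    return 0;
}
```

On Windows build it with cl and run it as `kln fffff80001234567` (any kernel code address, hex) with dbghelp.dll and symsrv.dll next to the exe, as quasar pointed out; without symsrv.dll the srv* part of the search path is silently ignored and SymFromAddr falls back to exports. Off Windows only the portable half compiles, which is enough to check that the cross-module guard in nearest_symbol does its job: an address in hal below its first known symbol reports "hal+0xNN" rather than the last nt symbol.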