HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Functions | Variables
symbol-parser.h File Reference

symbol parser headers More...

Go to the source code of this file.

Classes

struct  _SYMBOL_LOADED_MODULE_DETAILS
 Hold detail about the loaded modules. More...
 

Macros

#define DoNotShowDetailedResult   TRUE
 

Typedefs

typedef struct _SYMBOL_LOADED_MODULE_DETAILS SYMBOL_LOADED_MODULE_DETAILS
 Hold detail about the loaded modules.
 
typedef struct _SYMBOL_LOADED_MODULE_DETAILSPSYMBOL_LOADED_MODULE_DETAILS
 

Functions

 __declspec (dllimport) int pdbex_export(int argc
 
 __declspec (dllexport) VOID SymSetTextMessageCallback(PVOID handler)
 
BOOL SymGetFileParams (const char *FileName, DWORD &FileSize)
 Get symbol file parameters.
 
BOOL SymGetFileSize (const char *FileName, DWORD &FileSize)
 Get symbol file size.
 
VOID SymShowSymbolInfo (UINT64 ModBase)
 Show symbol info.
 
BOOL CALLBACK SymDisplayMaskSymbolsCallback (SYMBOL_INFO *SymInfo, ULONG SymbolSize, PVOID UserContext)
 Callback for showing and enumerating symbols.
 
BOOL CALLBACK SymDeliverDisassemblerSymbolMapCallback (SYMBOL_INFO *SymInfo, ULONG SymbolSize, PVOID UserContext)
 Callback for delivering module!ObjectName to disassembler symbol map.
 
VOID SymShowSymbolDetails (SYMBOL_INFO &SymInfo)
 Show symbols details.
 
const char * SymTagStr (ULONG Tag)
 Interpret different tags for pdbs.
 
BOOLEAN SymbolPdbDownload (std::string SymName, const std::string &GUID, const std::string &SymPath, BOOLEAN IsSilentLoad)
 download pdb file
 

Variables

char ** argv
 
char bool is_struct
 
char bool void * buffer_address
 
const char * PdbFileName
 
const char const char * CustomModuleName
 
CHARFieldName
 
CHAR UINT32FieldOffset
 
UINT64TypeSize
 
PBOOLEAN WasFound
 
char * ResultPath
 
char * PdbFilePath
 
char char * GuidAndAgeDetails
 
char char BOOLEAN Is32BitModule
 
UINT32 StoredLength
 
UINT32 BOOLEAN DownloadIfAvailable
 
UINT32 BOOLEAN const char * SymbolPath
 
UINT32 BOOLEAN const char BOOLEAN IsSilentLoad
 
UINT64 Address
 
UINT64 BOOLEAN IsStruct
 
UINT64 BOOLEAN PVOID BufferAddress
 
UINT64 BOOLEAN PVOID const char * AdditionalParameters
 
UINT32SizeOfField
 
const char * FiledOfStructName
 
const char PBOOLEAN IsStructNamePointerOrNot
 
const char PBOOLEAN PBOOLEAN IsFiledOfStructNamePointerOrNot
 
const char PBOOLEAN PBOOLEAN char ** NewStructOrTypeName
 
const char PBOOLEAN PBOOLEAN char UINT32OffsetOfFieldFromTop
 

Detailed Description

symbol parser headers

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-05-29
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ DoNotShowDetailedResult

#define DoNotShowDetailedResult   TRUE

Typedef Documentation

◆ PSYMBOL_LOADED_MODULE_DETAILS

typedef struct _SYMBOL_LOADED_MODULE_DETAILS * PSYMBOL_LOADED_MODULE_DETAILS

◆ SYMBOL_LOADED_MODULE_DETAILS

typedef struct _SYMBOL_LOADED_MODULE_DETAILS SYMBOL_LOADED_MODULE_DETAILS

Hold detail about the loaded modules.

Function Documentation

◆ __declspec() [1/2]

__declspec ( dllexport )
17{
18 UNREFERENCED_PARAMETER(RegistryPath);
19 return STATUS_SUCCESS;
20}

◆ __declspec() [2/2]

__declspec ( dllimport )

◆ SymbolPdbDownload()

BOOLEAN SymbolPdbDownload ( std::string SymName,
const std::string & GUID,
const std::string & SymPath,
BOOLEAN IsSilentLoad )

download pdb file

Parameters
BufferToStoreDetailsPointer to a buffer to store the symbols details this buffer will be allocated by this function and needs to be freed by caller
StoredLengthThe length that stored on the BufferToStoreDetails
SymPathThe path of symbols
IsSilentLoadDownload without any message

return BOOLEAN

2064{
2065 vector<string> SplitedSymPath = Split(SymPath, '*');
2066 if (SplitedSymPath.size() < 2)
2067 return FALSE;
2068 if (SplitedSymPath[1].find(":\\") == string::npos)
2069 return FALSE;
2070 if (SplitedSymPath[2].find("http:") == string::npos && SplitedSymPath[2].find("https:") == string::npos)
2071 return FALSE;
2072
2073 string SymDir = SplitedSymPath[1];
2074 string SymDownloadServer = SplitedSymPath[2];
2075 string DownloadURL = SymDownloadServer + "/" + SymName + "/" + GUID + "/" + SymName;
2076 string SymFullDir = SymDir + "\\" + SymName + "\\" + GUID + "\\";
2077 if (!CreateDirectoryRecursive(SymFullDir))
2078 {
2079 if (!IsSilentLoad)
2080 {
2081 ShowMessages("err, unable to create sympath directory '%s'\n", SymFullDir.c_str());
2082 }
2083 return FALSE;
2084 }
2085
2086 if (!IsSilentLoad)
2087 {
2088 ShowMessages("downloading symbol '%s'...", SymName.c_str());
2089 }
2090
2091 HRESULT Result = URLDownloadToFileA(NULL, DownloadURL.c_str(), (SymFullDir + "\\" + SymName).c_str(), 0, NULL);
2092
2093 if (Result == S_OK)
2094 {
2095 if (!IsSilentLoad)
2096 {
2097 ShowMessages("\tdownloaded\n");
2098 }
2099 return TRUE;
2100 }
2101 else
2102 {
2103 if (!IsSilentLoad)
2104 {
2105 ShowMessages("\tcould not be downloaded (%x) \n", Result);
2106 }
2107 }
2108
2109 return FALSE;
2110}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
IsSilentLoad
UINT32 BOOLEAN const char BOOLEAN IsSilentLoad
Definition HyperDbgScriptImports.h:65
CreateDirectoryRecursive
BOOLEAN CreateDirectoryRecursive(const std::string &Path)
create a directory recursively
Definition common-utils.cpp:54
Split
const vector< string > Split(const string &s, const char &c)
general split command
Definition common.cpp:117
ShowMessages
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition symbol-parser.cpp:48

◆ SymDeliverDisassemblerSymbolMapCallback()

BOOL CALLBACK SymDeliverDisassemblerSymbolMapCallback ( SYMBOL_INFO * SymInfo,
ULONG SymbolSize,
PVOID UserContext )

Callback for delivering module!ObjectName to disassembler symbol map.

Parameters
SymInfo
SymbolSize
UserContext
Returns
BOOL
1506{
1507 if (SymInfo != 0 && g_SymbolMapForDisassembler != NULL)
1508 {
1509 //
1510 // Call the remote callback
1511 //
1512 g_SymbolMapForDisassembler(SymInfo->Address, g_CurrentModuleName, SymInfo->Name, SymInfo->Size);
1513 }
1514
1515 //
1516 // Continue enumeration
1517 //
1518 return TRUE;
1519}
g_CurrentModuleName
CHAR * g_CurrentModuleName
Definition symbol-parser.cpp:21
g_SymbolMapForDisassembler
SymbolMapCallback g_SymbolMapForDisassembler
Definition symbol-parser.cpp:23

◆ SymDisplayMaskSymbolsCallback()

BOOL CALLBACK SymDisplayMaskSymbolsCallback ( SYMBOL_INFO * SymInfo,
ULONG SymbolSize,
PVOID UserContext )

Callback for showing and enumerating symbols.

Parameters
SymInfo
SymbolSize
UserContext
Returns
BOOL
1483{
1484 if (SymInfo != 0)
1485 {
1486 SymShowSymbolDetails(*SymInfo);
1487 }
1488
1489 //
1490 // Continue enumeration
1491 //
1492 return TRUE;
1493}
SymShowSymbolDetails
VOID SymShowSymbolDetails(SYMBOL_INFO &SymInfo)
Show symbols details.
Definition symbol-parser.cpp:1529

◆ SymGetFileParams()

BOOL SymGetFileParams ( const char * FileName,
DWORD & FileSize )

Get symbol file parameters.

Parameters
FileName
BaseAddr
FileSize
Returns
BOOL
1221{
1222 //
1223 // Check parameters
1224 //
1225 if (FileName == 0)
1226 {
1227 return FALSE;
1228 }
1229
1230 //
1231 // Determine the extension of the file
1232 //
1233 char FileExt[_MAX_EXT] = {0};
1234
1235 _splitpath(FileName, NULL, NULL, NULL, FileExt);
1236
1237 //
1238 // Is it .PDB file?
1239 //
1240 if (strcmp(FileExt, (".pdb")) == 0 || strcmp(FileExt, (".PDB")) == 0)
1241 {
1242 //
1243 // Yes, it is a .PDB file
1244 // Determine its size, and use a dummy base address
1245 //
1246
1247 if (!SymGetFileSize(FileName, FileSize))
1248 {
1249 return FALSE;
1250 }
1251 }
1252 else
1253 {
1254 //
1255 // It is not a .PDB file
1256 // Base address and file size can be 0
1257 //
1258 FileSize = 0;
1259 return FALSE;
1260 }
1261
1262 return TRUE;
1263}
SymGetFileSize
BOOL SymGetFileSize(const char *FileName, DWORD &FileSize)
Get symbol file size.
Definition symbol-parser.cpp:1274

◆ SymGetFileSize()

BOOL SymGetFileSize ( const char * FileName,
DWORD & FileSize )

Get symbol file size.

Parameters
FileName
FileSize
Returns
BOOL
1275{
1276 //
1277 // Check parameters
1278 //
1279 if (FileName == 0)
1280 {
1281 return FALSE;
1282 }
1283
1284 //
1285 // Open the file
1286 //
1287 HANDLE hFile = CreateFileA(FileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
1288
1289 if (hFile == INVALID_HANDLE_VALUE)
1290 {
1291 ShowMessages("err, unable to open symbol file (%x)\n", GetLastError());
1292 return FALSE;
1293 }
1294
1295 //
1296 // Obtain the size of the file
1297 //
1298 FileSize = GetFileSize(hFile, NULL);
1299
1300 if (FileSize == INVALID_FILE_SIZE)
1301 {
1302 ShowMessages("err, unable to get symbol file size (%x)\n", GetLastError());
1303
1304 //
1305 // and continue ...
1306 //
1307 }
1308
1309 //
1310 // Close the file
1311 //
1312 if (!CloseHandle(hFile))
1313 {
1314 ShowMessages("err, unable to close symbol file (%x)\n", GetLastError());
1315
1316 //
1317 // and continue ...
1318 //
1319 }
1320
1321 return (FileSize != INVALID_FILE_SIZE);
1322}

◆ SymShowSymbolDetails()

VOID SymShowSymbolDetails ( SYMBOL_INFO & SymInfo)

Show symbols details.

Parameters
SymInfo
Returns
VOID
1530{
1531 if (g_CurrentModuleName == NULL)
1532 {
1533 //
1534 // Name Address
1535 //
1536 ShowMessages("%s ", SymSeparateTo64BitValue(SymInfo.Address).c_str());
1537 }
1538 else
1539 {
1540 //
1541 // Module!Name Address
1542 //
1543 ShowMessages("%s %s!", SymSeparateTo64BitValue(SymInfo.Address).c_str(), g_CurrentModuleName);
1544 }
1545
1546 //
1547 // Name
1548 //
1549 ShowMessages("%s\n", SymInfo.Name);
1550
1551#ifndef DoNotShowDetailedResult
1552
1553 //
1554 // Size
1555 //
1556 ShowMessages(" size: %u", SymInfo.Size);
1557
1558 //
1559 // Kind of symbol (tag)
1560 //
1561 ShowMessages(" symbol: %s ", SymTagStr(SymInfo.Tag));
1562
1563#endif // !DoNotShowDetailedResult
1564}
SymSeparateTo64BitValue
string SymSeparateTo64BitValue(UINT64 Value)
add ` between 64 bit values and convert them to string
Definition symbol-parser.cpp:1198
SymTagStr
const char * SymTagStr(ULONG Tag)
Interpret different tags for pdbs.
Definition symbol-parser.cpp:1574

◆ SymShowSymbolInfo()

VOID SymShowSymbolInfo ( UINT64 ModuleBase)

Show symbol info.

Parameters
ModuleBase
Returns
VOID
1333{
1334 //
1335 // Get module information
1336 //
1337 IMAGEHLP_MODULE64 ModuleInfo;
1338
1339 memset(&ModuleInfo, 0, sizeof(ModuleInfo));
1340
1341 ModuleInfo.SizeOfStruct = sizeof(ModuleInfo);
1342
1343 BOOL Ret = SymGetModuleInfo64(GetCurrentProcess(), ModuleBase, &ModuleInfo);
1344
1345 if (!Ret)
1346 {
1347 ShowMessages("err, unable to get symbol file information (%x)\n",
1348 GetLastError());
1349 return;
1350 }
1351
1352 //
1353 // Display information about symbols
1354 // Kind of symbols
1355 //
1356 switch (ModuleInfo.SymType)
1357 {
1358 case SymNone:
1359 ShowMessages("no symbols available for the module\n");
1360 break;
1361
1362 case SymExport:
1363 ShowMessages("loaded symbols: Exports\n");
1364 break;
1365
1366 case SymCoff:
1367 ShowMessages("loaded symbols: COFF\n");
1368 break;
1369
1370 case SymCv:
1371 ShowMessages("loaded symbols: CodeView\n");
1372 break;
1373
1374 case SymSym:
1375 ShowMessages("loaded symbols: SYM\n");
1376 break;
1377
1378 case SymVirtual:
1379 ShowMessages("loaded symbols: Virtual\n");
1380 break;
1381
1382 case SymPdb:
1383 ShowMessages("loaded symbols: PDB\n");
1384 break;
1385
1386 case SymDia:
1387 ShowMessages("loaded symbols: DIA\n");
1388 break;
1389
1390 case SymDeferred:
1391
1392 //
1393 // not actually loaded
1394 //
1395 ShowMessages("loaded symbols: Deferred\n");
1396 break;
1397
1398 default:
1399 ShowMessages("loaded symbols: Unknown format\n");
1400 break;
1401 }
1402
1403 //
1404 // Image name
1405 //
1406 if (ModuleInfo.ImageName[0] != '\0')
1407 {
1408 ShowMessages("image name: %s\n", ModuleInfo.ImageName);
1409 }
1410
1411 //
1412 // Loaded image name
1413 //
1414 if (ModuleInfo.LoadedImageName[0] != '\0')
1415 {
1416 ShowMessages("loaded image name: %s\n", ModuleInfo.LoadedImageName);
1417 }
1418
1419 //
1420 // Loaded PDB name
1421 //
1422 if (ModuleInfo.LoadedPdbName[0] != '\0')
1423 {
1424 ShowMessages("PDB file name: %s\n", ModuleInfo.LoadedPdbName);
1425 }
1426
1427 //
1428 // Is debug information unmatched?
1429 // (It can only happen if the debug information is contained
1430 // in a separate file (.DBG or .PDB)
1431 //
1432 if (ModuleInfo.PdbUnmatched || ModuleInfo.DbgUnmatched)
1433 {
1434 ShowMessages("warning, unmatched symbols\n");
1435 }
1436
1437 //
1438 // *** Contents ***
1439 //
1440
1441 //
1442 // Line numbers available?
1443 //
1444 ShowMessages("line numbers: %s\n",
1445 ModuleInfo.LineNumbers ? "available" : "not available");
1446
1447 //
1448 // Global symbols available?
1449 //
1450 ShowMessages("global symbols: %s\n",
1451 ModuleInfo.GlobalSymbols ? "available" : "not available");
1452
1453 //
1454 // Type information available?
1455 //
1456 ShowMessages("type information: %s\n",
1457 ModuleInfo.TypeInfo ? ("Available") : ("Not available"));
1458
1459 //
1460 // Source indexing available?
1461 //
1462 ShowMessages("source indexing: %s\n",
1463 ModuleInfo.SourceIndexed ? "yes" : "no");
1464
1465 //
1466 // Public symbols available?
1467 //
1468 ShowMessages("public symbols: %s\n",
1469 ModuleInfo.Publics ? "available" : "not available");
1470}
BOOL
int BOOL
Definition BasicTypes.h:23

◆ SymTagStr()

const char * SymTagStr ( ULONG Tag)

Interpret different tags for pdbs.

Parameters
Tag
Returns
const char *
1575{
1576 switch (Tag)
1577 {
1578 case SymTagNull:
1579 return ("Null");
1580
1581 case SymTagExe:
1582 return ("Exe");
1583
1584 case SymTagCompiland:
1585 return ("Compiland");
1586
1587 case SymTagCompilandDetails:
1588 return ("CompilandDetails");
1589
1590 case SymTagCompilandEnv:
1591 return ("CompilandEnv");
1592
1593 case SymTagFunction:
1594 return ("Function");
1595
1596 case SymTagBlock:
1597 return ("Block");
1598
1599 case SymTagData:
1600 return ("Data");
1601
1602 case SymTagAnnotation:
1603 return ("Annotation");
1604
1605 case SymTagLabel:
1606 return ("Label");
1607
1608 case SymTagPublicSymbol:
1609 return ("PublicSymbol");
1610
1611 case SymTagUDT:
1612 return ("UDT");
1613
1614 case SymTagEnum:
1615 return ("Enum");
1616
1617 case SymTagFunctionType:
1618 return ("FunctionType");
1619
1620 case SymTagPointerType:
1621 return ("PointerType");
1622
1623 case SymTagArrayType:
1624 return ("ArrayType");
1625
1626 case SymTagBaseType:
1627 return ("BaseType");
1628
1629 case SymTagTypedef:
1630 return ("Typedef");
1631
1632 case SymTagBaseClass:
1633 return ("BaseClass");
1634
1635 case SymTagFriend:
1636 return ("Friend");
1637
1638 case SymTagFunctionArgType:
1639 return ("FunctionArgType");
1640
1641 case SymTagFuncDebugStart:
1642 return ("FuncDebugStart");
1643
1644 case SymTagFuncDebugEnd:
1645 return ("FuncDebugEnd");
1646
1647 case SymTagUsingNamespace:
1648 return ("UsingNamespace");
1649
1650 case SymTagVTableShape:
1651 return ("VTableShape");
1652
1653 case SymTagVTable:
1654 return ("VTable");
1655
1656 case SymTagCustom:
1657 return ("Custom");
1658
1659 case SymTagThunk:
1660 return ("Thunk");
1661
1662 case SymTagCustomType:
1663 return ("CustomType");
1664
1665 case SymTagManagedType:
1666 return ("ManagedType");
1667
1668 case SymTagDimension:
1669 return ("Dimension");
1670
1671 default:
1672 return ("Unknown");
1673 }
1674
1675 return ("");
1676}
Tag
POOL_TYPE SIZE_T ULONG Tag
Definition Hooks.h:168

Variable Documentation

◆ AdditionalParameters

UINT64 BOOLEAN PVOID const char* AdditionalParameters

◆ Address

UINT64 Address

◆ argv

char** argv

◆ buffer_address

char bool void* buffer_address

◆ BufferAddress

UINT64 BOOLEAN PVOID BufferAddress

◆ CustomModuleName

const char const char* CustomModuleName

◆ DownloadIfAvailable

UINT32 BOOLEAN DownloadIfAvailable

◆ FieldName

CHAR* FieldName

◆ FieldOffset

CHAR UINT32* FieldOffset

◆ FiledOfStructName

const char* FiledOfStructName

◆ GuidAndAgeDetails

char char* GuidAndAgeDetails

◆ Is32BitModule

char char BOOLEAN Is32BitModule

◆ is_struct

char bool is_struct

◆ IsFiledOfStructNamePointerOrNot

const char PBOOLEAN PBOOLEAN IsFiledOfStructNamePointerOrNot

◆ IsSilentLoad

UINT32 BOOLEAN const char BOOLEAN IsSilentLoad

◆ IsStruct

UINT64 BOOLEAN IsStruct

◆ IsStructNamePointerOrNot

const char PBOOLEAN IsStructNamePointerOrNot

◆ NewStructOrTypeName

const char PBOOLEAN PBOOLEAN char** NewStructOrTypeName

◆ OffsetOfFieldFromTop

const char PBOOLEAN PBOOLEAN char UINT32* OffsetOfFieldFromTop

◆ PdbFileName

const char* PdbFileName

◆ PdbFilePath

char* PdbFilePath

◆ ResultPath

char* ResultPath

◆ SizeOfField

const char PBOOLEAN PBOOLEAN char UINT32 UINT32* SizeOfField

◆ StoredLength

UINT32 StoredLength

◆ SymbolPath

UINT32 BOOLEAN const char* SymbolPath

◆ TypeSize

UINT64* TypeSize

◆ WasFound

PBOOLEAN WasFound