/// <summary>
/// Opens <paramref name="PDBFile"/> through DIA and asks the session's by-address
/// enumerator for the symbol at <paramref name="Address"/>.
/// </summary>
/// <param name="Address">Virtual address handed to <c>symbolByVA</c>.</param>
/// <param name="PDBFile">Path of the PDB passed to <c>loadDataFromPdb</c>.</param>
/// <param name="LoadAddr">Value assigned to the session's <c>loadAddress</c> before the lookup (default 0).</param>
/// <returns>
/// A tuple of the symbol's name, virtualAddress and length, or <c>null</c> when the
/// session, the by-address enumerator or the symbol itself is unavailable.
/// </returns>
/// <remarks>
/// The PDB is re-opened and parsed by DIA on every call.
/// NOTE(review): if the path can point at a PDB obtained from an untrusted symbol source,
/// this is native parser input - confirm where callers get the path from.
/// </remarks>
public static Tuple<String, ulong, ulong> FindSymByAddress(ulong Address, String PDBFile, ulong LoadAddr = 0)
{
    IDiaSession diaSession;
    IDiaEnumSymbolsByAddr byAddress;

    var source = new DiaSource();
    source.loadDataFromPdb(PDBFile);
    source.openSession(out diaSession);
    if (diaSession == null)
    {
        return null;
    }

    // loadAddress has to be in place before the enumerator is asked to resolve a VA.
    diaSession.loadAddress = LoadAddr;
    diaSession.getSymbolsByAddr(out byAddress);
    if (byAddress == null)
    {
        return null;
    }

    IDiaSymbol hit = byAddress.symbolByVA(Address);
    return hit == null
        ? null
        : new Tuple<string, ulong, ulong>(hit.name, hit.virtualAddress, hit.length);
}
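/// <summary>
/// Builds a dynamic (ExpandoObject) description of a user-defined type found in a PDB,
/// delegating the member walk to <c>xDumpStructs</c>.
/// </summary>
/// <param name="PDBFile">Path of the PDB passed to <c>loadDataFromPdb</c>.</param>
/// <param name="Struct">
/// Type name to search for. It is matched with search option 10, i.e. as a
/// case-insensitive pattern rather than a literal name, so it can match several types.
/// </param>
/// <param name="vAddress">Stored as <c>Info.vAddress</c> and assigned (cast to ulong) to the session's loadAddress.</param>
/// <param name="memRead">Passed through to <c>xDumpStructs</c> unchanged.</param>
/// <param name="GetMem">Passed through to <c>xDumpStructs</c> unchanged.</param>
/// <param name="GetMemLong">Passed through to <c>xDumpStructs</c> unchanged.</param>
/// <param name="ExpandoChanged">Optional handler; passed to <c>xDumpStructs</c> and then subscribed to the result's PropertyChanged event.</param>
/// <returns>
/// The object built for the LAST symbol the enumeration yields, or <c>null</c> when the
/// session or enumerator is unavailable or nothing matched.
/// </returns>
/// <remarks>
/// Because <paramref name="Struct"/> is a pattern and only the last match is returned,
/// a name that is not specific enough can silently describe a different type than the
/// caller intended. NOTE(review): callers that parse memory with the result should pass
/// an exact name - confirm at the call sites.
/// </remarks>
public static dynamic xStructInfo(
    string PDBFile,
    string Struct,
    long vAddress = 0,
    long[] memRead = null,
    Func<long, int, byte[]> GetMem = null,
    Func<long, int, long[]> GetMemLong = null,
    PropertyChangedEventHandler ExpandoChanged = null)
{
    dynamic Info = null;
    IDiaSymbol Master = null;
    IDiaEnumSymbols EnumSymbols = null;
    IDiaSession Session;
    uint compileFetched = 0;

    var foo = new DiaSource();
    foo.loadDataFromPdb(PDBFile);
    foo.openSession(out Session);
    if (Session == null)
    {
        return null;
    }

    Session.loadAddress = (ulong)vAddress;

    // 10 is regex: nsfRegularExpression (0x8) | nsfCaseInsensitive (0x2) in DIA's NameSearchOptions.
    Session.globalScope.findChildren(SymTagEnum.SymTagUDT, Struct, 10, out EnumSymbols);

    // Fix: the enumerator was dereferenced without a check; a failed search now yields
    // null, the same way a missing session does.
    if (EnumSymbols == null)
    {
        return null;
    }

    do
    {
        EnumSymbols.Next(1, out Master, out compileFetched);
        if (Master == null)
        {
            continue;
        }
#if DEBUGX
        Console.ForegroundColor = ConsoleColor.White;
        WriteLine($"Dumping Type [{Master.name}] Len [{Master.length}]");
#endif
        // A fresh object per match: an earlier match is discarded when a later one is found.
        Info = new ExpandoObject();
        Info.TypeName = Master.name;
        Info.Length = Master.length;
        Info.vAddress = vAddress;

        xDumpStructs(Info, Master, Master.name, 0, vAddress, memRead, GetMem, GetMemLong, ExpandoChanged);

        // Subscribed only after the walk, so the handler is not attached to this
        // top-level object while xDumpStructs is filling it in.
        if (ExpandoChanged != null)
        {
            ((INotifyPropertyChanged)Info).PropertyChanged += new PropertyChangedEventHandler(ExpandoChanged);
        }
    } while (compileFetched == 1);

    return Info;
}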
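/// <summary>
/// Perform full symbol walk scanning for a struct/member position and length.
///
/// TODO: make safe for type collisions in other pdb's
/// </summary>
/// <param name="PDBFile">Path of the PDB, e.g. d:\dev\symbols\ntkrnlmp.pdb\DD08DD42692B43F199A079D60E79D2171\ntkrnlmp.pdb</param>
/// <param name="Struct">Type name searched for in the global scope, e.g. _EPROCESS</param>
/// <param name="Member">Member path matched as a key suffix in the StructInfo cache, e.g. Pcb.DirectoryTableBase</param>
/// <returns>
/// Tuple of Position &amp; Length, or <c>null</c> when the session or enumerator is
/// unavailable or no cached key ends with <paramref name="Member"/>.
/// </returns>
/// <remarks>
/// The StructInfo cache is consulted BEFORE <paramref name="PDBFile"/> is opened, and the
/// key added here is the bare type name, so a hit can come from a PDB loaded by an
/// earlier call (see the TODO). The suffix match also returns the first key that ends
/// with <paramref name="Member"/>, whichever type it belongs to. When the offsets drive
/// memory parsing, a stale or colliding entry is silently wrong rather than an error.
/// NOTE(review): consider keying the cache by PDB identity and full member path.
/// </remarks>
public Tuple<int, int> StructMemberInfo(string PDBFile, string Struct, string Member)
{
    IDiaSession Session;
    IDiaSymbol Master = null;
    IDiaEnumSymbols EnumSymbols = null;
    uint compileFetched = 0;

    // Cache probe. Ordinal comparison: symbol names are identifiers, not linguistic
    // text, so the match must not depend on the current culture. One pass instead of
    // the former Count() + First() double enumeration.
    foreach (var cached in StructInfo)
    {
        if (cached.Key.EndsWith(Member, StringComparison.Ordinal))
        {
            return cached.Value;
        }
    }

    var foo = new DiaSource();
    foo.loadDataFromPdb(PDBFile);
    foo.openSession(out Session);
    if (Session == null)
    {
        return null;
    }

    Session.findChildren(Session.globalScope, SymTagEnum.SymTagNull, Struct, 0, out EnumSymbols);

    // Fix: the enumerator was dereferenced without a check.
    if (EnumSymbols == null)
    {
        return null;
    }

    do
    {
        EnumSymbols.Next(1, out Master, out compileFetched);
        if (Master == null)
        {
            continue;
        }
#if DEBUGX
        Console.ForegroundColor = ConsoleColor.White;
        WriteLine($"Dumping Type [{Master.name}] Len [{Master.length}]");
#endif
        // The type itself is recorded at offset 0 with its full length.
        if (!StructInfo.ContainsKey(Master.name))
        {
            StructInfo.Add(Master.name, Tuple.Create<int, int>(0, (int)Master.length));
        }

        // presumably adds one cache entry per member path - verify in DumpStructs
        DumpStructs(Master, Master.name, Struct, 0);
    } while (compileFetched == 1);

    // Second probe, now that the walk has populated the cache.
    foreach (var cached in StructInfo)
    {
        if (cached.Key.EndsWith(Member, StringComparison.Ordinal))
        {
            return cached.Value;
        }
    }

    return null;
}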
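/// <summary>
/// Collects every symbol in the PDB's global scope whose name matches a pattern.
/// </summary>
/// <param name="Match">
/// Name pattern. It is searched with option 10, i.e. as a case-insensitive pattern,
/// not as a literal symbol name.
/// </param>
/// <param name="PDBFile">Path of the PDB passed to <c>loadDataFromPdb</c>.</param>
/// <param name="LoadAddr">Value assigned to the session's <c>loadAddress</c> before symbol addresses are read (default 0).</param>
/// <returns>
/// One tuple of name, virtualAddress and length per symbol returned by the enumerator;
/// an empty list when the session or the enumerator is unavailable.
/// </returns>
public List<Tuple<String, ulong, ulong>> MatchSyms(String Match, String PDBFile, ulong LoadAddr = 0)
{
    List<Tuple<String, ulong, ulong>> rv = new List<Tuple<string, ulong, ulong>>();
    IDiaSession Session;
    IDiaEnumSymbols EnumSymbols = null;
    IDiaSymbol Master = null;
    uint compileFetched = 0;

    var foo = new DiaSource();
    foo.loadDataFromPdb(PDBFile);
    foo.openSession(out Session);
    if (Session == null)
    {
        return rv;
    }

    // 10 is regex: nsfRegularExpression (0x8) | nsfCaseInsensitive (0x2) in DIA's NameSearchOptions.
    Session.globalScope.findChildren(SymTagEnum.SymTagNull, Match, 10, out EnumSymbols);

    // Fix: this check used to test Session a second time, which can never be null here,
    // so a missing enumerator went on to be dereferenced below.
    if (EnumSymbols == null)
    {
        return rv;
    }

    // Set after the search but before any virtualAddress is read from a symbol.
    Session.loadAddress = LoadAddr;

    do
    {
        EnumSymbols.Next(1, out Master, out compileFetched);
        if (Master == null)
        {
            continue;
        }

        var len = Master.length;
        rv.Add(Tuple.Create<String, ulong, ulong>(Master.name, Master.virtualAddress, len));
#if DEBUGX
        ForegroundColor = ConsoleColor.White;
        WriteLine($"Name = [{Master.name}] VA = {Master.virtualAddress}");
#endif
    } while (compileFetched == 1);

    return rv;
}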
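/// <summary>
/// Builds a dynamic (ExpandoObject) description of a type found in a PDB, delegating
/// the member walk to <c>xDumpStructs</c>.
/// </summary>
/// <param name="PDBFile">Path of the PDB passed to <c>loadDataFromPdb</c>.</param>
/// <param name="Struct">
/// Name to search for. It is matched with search option 10, i.e. as a case-insensitive
/// pattern, and with SymTagNull, so the search is not restricted to one symbol kind.
/// </param>
/// <param name="memRead">Passed through to <c>xDumpStructs</c> unchanged.</param>
/// <returns>
/// The object built for the LAST symbol the enumeration yields, or <c>null</c> when the
/// session or enumerator is unavailable or nothing matched.
/// </returns>
/// <remarks>
/// Only the last match survives, so a pattern that matches more than one symbol can
/// describe a different type than the caller intended. NOTE(review): callers that parse
/// memory with the result should pass an exact name - confirm at the call sites.
/// </remarks>
public dynamic xStructInfo(string PDBFile, string Struct, long[] memRead = null)
{
    dynamic Info = null;
    IDiaSymbol Master = null;
    IDiaEnumSymbols EnumSymbols = null;
    IDiaSession Session;
    uint compileFetched = 0;

    var foo = new DiaSource();
    foo.loadDataFromPdb(PDBFile);
    foo.openSession(out Session);
    if (Session == null)
    {
        return null;
    }

    // 10 is regex: nsfRegularExpression (0x8) | nsfCaseInsensitive (0x2) in DIA's NameSearchOptions.
    Session.globalScope.findChildren(SymTagEnum.SymTagNull, Struct, 10, out EnumSymbols);

    // Fix: the enumerator was dereferenced without a check; a failed search now yields
    // null, the same way a missing session does.
    if (EnumSymbols == null)
    {
        return null;
    }

    do
    {
        EnumSymbols.Next(1, out Master, out compileFetched);
        if (Master == null)
        {
            continue;
        }
#if DEBUGX
        Console.ForegroundColor = ConsoleColor.White;
        WriteLine($"Dumping Type [{Master.name}] Len [{Master.length}]");
#endif
        // A fresh object per match: an earlier match is discarded when a later one is found.
        Info = new ExpandoObject();
        Info.TypeName = Master.name;
        Info.Length = Master.length;

        xDumpStructs(Info, Master, Master.name, 0, memRead);
    } while (compileFetched == 1);

    return Info;
}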
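/// <summary>
/// Perform full symbol walk scanning for a struct/member position and length.
///
/// TODO: make safe for type collisions in other pdb's
/// </summary>
/// <param name="cv">
/// CodeView header identifying the PDB. The DIA build reads <c>cv.PDBFullPath</c>
/// (e.g. d:\dev\symbols\ntkrnlmp.pdb\DD08DD42692B43F199A079D60E79D2171\ntkrnlmp.pdb);
/// the NETSTANDARD2_0 build hands <c>cv</c> to <c>SymAPI.GetType</c>.
/// </param>
/// <param name="Struct">Type name, e.g. _EPROCESS</param>
/// <param name="Member">Dot-separated member path, e.g. Pcb.DirectoryTableBase</param>
/// <returns>
/// Tuple of Position &amp; Length, or <c>null</c> when the type, a path segment, the DIA
/// session or the enumerator is unavailable.
/// </returns>
/// <remarks>
/// DIA build only: the StructInfo cache is consulted BEFORE the PDB named by
/// <paramref name="cv"/> is opened, and the key added here is the bare type name, so a
/// hit can come from a PDB loaded by an earlier call (see the TODO). When the offsets
/// drive memory parsing, such a hit is silently wrong rather than an error.
/// NOTE(review): consider keying the cache by PDB identity and full member path.
/// </remarks>
public static Tuple<int, int> StructMemberInfo(CODEVIEW_HEADER cv, string Struct, string Member)
{
#if NETSTANDARD2_0
    // Walk the member path one segment at a time through the nested dictionaries that
    // SymAPI.GetType returns. The path is split once; a single-segment path takes the
    // same loop, so the former special case and the always-true "i < cnt" test are gone.
    var segments = Member.Split('.');
    dynamic node = SymAPI.GetType(Struct, cv);

    foreach (var segment in segments)
    {
        var fields = node as IDictionary<string, dynamic>;

        // Fix: an unknown type or segment used to surface as a NullReferenceException
        // or KeyNotFoundException; it now returns null like the DIA build does.
        if (fields == null || !fields.ContainsKey(segment))
        {
            return null;
        }

        node = fields[segment];
    }

    var leaf = node as IDictionary<string, dynamic>;
    if (leaf == null)
    {
        return null;
    }

    return Tuple.Create((int)leaf["OffsetPos"], (int)leaf["Length"]);
#else
    IDiaSession Session;
    IDiaSymbol Master = null;
    IDiaEnumSymbols EnumSymbols = null;
    uint compileFetched = 0;

    // Cache probe. Ordinal comparison: symbol names are identifiers, not linguistic
    // text, so the match must not depend on the current culture. One pass instead of
    // the former Count() + First() double enumeration.
    foreach (var cached in StructInfo)
    {
        if (cached.Key.EndsWith(Member, StringComparison.Ordinal))
        {
            return cached.Value;
        }
    }

    var foo = new DiaSource();
    foo.loadDataFromPdb(cv.PDBFullPath);
    foo.openSession(out Session);
    if (Session == null)
    {
        return null;
    }

    Session.findChildren(Session.globalScope, (uint)DebugHelp.SymTagEnum.Null, Struct, 0, out EnumSymbols);

    // Fix: the enumerator was dereferenced without a check.
    if (EnumSymbols == null)
    {
        return null;
    }

    do
    {
        EnumSymbols.Next(1, out Master, out compileFetched);
        if (Master == null)
        {
            continue;
        }
#if DEBUGX
        Console.ForegroundColor = ConsoleColor.White;
        WriteLine($"Dumping Type [{Master.name}] Len [{Master.length}]");
#endif
        // The type itself is recorded at offset 0 with its full length.
        if (!StructInfo.ContainsKey(Master.name))
        {
            StructInfo.Add(Master.name, Tuple.Create<int, int>(0, (int)Master.length));
        }

        // presumably adds one cache entry per member path - verify in DumpStructs
        DumpStructs(Master, Master.name, Struct, 0);
    } while (compileFetched == 1);

    // Second probe, now that the walk has populated the cache.
    foreach (var cached in StructInfo)
    {
        if (cached.Key.EndsWith(Member, StringComparison.Ordinal))
        {
            return cached.Value;
        }
    }

    return null;
#endif
}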