/* Process handle at file scope; not referenced anywhere in the visible part of
 * this listing (main() works with a variable named hProcess, declared on a
 * line this rendering omits). */
HANDLE hCurrentProcess;
/* [listing gap: original lines 10-11 not shown] */
/* Size in bytes of the symbol-name buffer handed to dbghelp: ImageSymToVa()
 * sets MaxNameLen to one less than this, and main() sizes Name[] with it. */
#define MAX_SYMBOL_NAME 1024
/*
 * InitDbgHelp - initialise dbghelp symbol handling for hProcess.
 *
 * hProcess: process handle passed to SymInitialize() and SymSetSearchPath().
 * Returns BOOL; the early exit taken when SymInitialize() fails (original
 * lines 17-18) and the final return (lines 22-25) are not shown in this
 * rendering, so the exact return values cannot be read off the page.
 *
 * NOTE(review): the search path below pulls PDBs from the Microsoft symbol
 * server over plain http://, so downloaded symbol files are not protected
 * against tampering in transit; the same server is reachable over https://,
 * and switching the scheme in the string is the whole change. The results of
 * SymSetOptions() and SymSetSearchPath() are not checked.
 */
BOOL
InitDbgHelp(HANDLE hProcess)
/* [listing gap: original line 15 not shown] */
/* Second argument 0: no user-supplied search path (set explicitly below).
 * FALSE: do not enumerate the calling process's modules; the image of
 * interest is loaded explicitly with SymLoadModule64() in main(). */
if (!SymInitialize(hProcess, 0, FALSE))
/* [listing gap: original lines 17-18 not shown] */
/* Allow absolute symbols, and clear deferred loading so symbol data is read
 * when the module is loaded rather than on first use (presumably so that the
 * SymFromName() lookups in ImageSymToVa() see the full symbol set). */
SymSetOptions(SymGetOptions() | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);
SymSetOptions(SymGetOptions() & (~SYMOPT_DEFERRED_LOADS));
/* symsrv chain: local "symbols" store backed by the public Microsoft server. */
SymSetSearchPath(hProcess, "srv**symbols*http://msdl.microsoft.com/download/symbols");
/* [listing gap: original lines 22-25 not shown] */
/*
 * ImageSymToVa - resolve symbol `Name` in the module loaded for hProcess and
 * translate its virtual address into a pointer inside the file mapping.
 *
 * hProcess: process handle used by dbghelp.
 * pSym:     caller-supplied SYMBOL_INFO with room for MAX_SYMBOL_NAME name
 *           bytes behind it; SizeOfStruct and MaxNameLen are filled in here.
 * pModule:  base address of the read-only mapping of the image file.
 * Name:     symbol to look up.
 *
 * The return type (original line 25), the declaration of `p`, the failure
 * return after SymFromName() and the final return of `p` sit on lines this
 * rendering omits (27, 29-30, 33, 35, 37-38, 42, 44-45, 48-51).
 *
 * NOTE(review): the RVA handed to ImageRvaToVa() is computed from whatever
 * the PDB says about the symbol, and NtHeaders is used without a NULL check
 * (ImageNtHeader() returns NULL for a file that is not a valid PE image). A
 * mismatched PDB or a tampered image therefore yields either a NULL
 * dereference here or a pointer that the caller later dereferences without
 * knowing whether it lies inside the mapped view.
 */
ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)
/* [listing gap: original line 27 not shown] */
PIMAGE_NT_HEADERS NtHeaders;
/* [listing gap: original lines 29-30 not shown] */
/* dbghelp requires both fields to be initialised before SymFromName(). */
pSym->SizeOfStruct = sizeof(SYMBOL_INFO);
pSym->MaxNameLen = MAX_SYMBOL_NAME - 1;   /* leaves room for the terminating NUL */
/* [listing gap: original line 33 not shown] */
if (!SymFromName(hProcess, Name, pSym))
/* [listing gap: original line 35 not shown] */
/* NOTE(review): the message names SymGetSymFromName64() but the call above is
 * SymFromName(); GetLastError() returns a DWORD, for which %lu is the matching
 * specifier. */
printf("SymGetSymFromName64() failed: %ld\n", GetLastError());
/* [listing gap: original lines 37-38 not shown] */
/* Two spellings of the 64-bit hex format: %llx for GCC older than 4.4,
 * %I64x otherwise (presumably to match the printf the respective toolchain
 * links against; the build-system reason is not visible here). */
#if defined(__GNUC__) && \
(__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__ < 40400)
printf("looking up adress for %s: 0x%llx\n", Name, pSym->Address);
/* [listing gap: original line 42 not shown, presumably the #else] */
printf("looking up adress for %s: 0x%I64x\n", Name, pSym->Address);
/* [listing gap: original lines 44-45 not shown, presumably the #endif] */
/* Symbol VA -> RVA (relative to the module base dbghelp reports) -> pointer
 * into the mapping. The last argument NULL asks ImageRvaToVa() not to return
 * the section header it used. */
NtHeaders = ImageNtHeader(pModule);
p = ImageRvaToVa(NtHeaders, pModule, pSym->Address - pSym->ModBase, NULL);
/*
 * EnumSymbolsProc - SymEnumSymbolsForAddr() callback; prints the name of the
 * symbol found at one table entry's address.
 *
 * pSymInfo:    the symbol dbghelp matched for the requested address.
 * UserContext: passed through from main(): (PVOID)-1 for apfnSimpleCall
 *              entries (print the bare name), otherwise the W32pArgumentTable
 *              byte for the syscall, printed as a decoration after the name.
 * Returns BOOL. The remaining parameters (original lines 54-56), the branch
 * structure that picks one of the two decorated forms (60-64, 66-68) and the
 * return statement (70-74) are not shown in this rendering; which condition
 * selects "%s@%d" versus "%s <+ %d>" cannot be read off the page.
 */
BOOL CALLBACK
EnumSymbolsProc(
PSYMBOL_INFO pSymInfo,
/* [listing gap: original lines 54-56 not shown] */
/* (UINT)-1 is the "no argument count" marker used for the apfnSimpleCall dump. */
if ((UINT)UserContext == -1)
/* [listing gap: original line 58 not shown] */
printf("%s ", pSymInfo->Name);
/* [listing gap: original lines 60-64 not shown] */
/* Name followed by the argument-table value as "@<n>". */
printf("%s@%d ", pSymInfo->Name, (UINT)UserContext);
/* [listing gap: original lines 66-68 not shown] */
/* Same information in "<+ n>" form. */
printf("%s <+ %d> ", pSymInfo->Name, (UINT)UserContext);
/*
 * main - dump the win32k.sys system-service table and the apfnSimpleCall
 * table, resolving each entry to a symbol name through dbghelp.
 *
 * Flow, as far as this rendering shows: open win32k.sys from the current
 * directory, falling back to the system directory; initialise dbghelp and
 * load the module's symbols; map the file read-only; locate
 * W32pServiceTable / W32pServiceLimit / W32pArgumentTable in the mapping;
 * walk the service table as 32- or 64-bit entries depending on the image's
 * machine type; walk apfnSimpleCall until a zero entry; unmap the view.
 *
 * argc/argv are unused in the visible code. The declarations of hProcess,
 * pModule, bX64, i, Sym, dwServiceLimit, dwModuleBase and pfnSimpleCall, all
 * braces and else branches, every error-path return, and whatever follows
 * UnmapViewOfFile() (CloseHandle() calls, the final return) are on lines this
 * rendering omits; gaps are marked inline.
 *
 * NOTE(review), trust boundary: the image is taken from the current directory
 * first, so whichever win32k.sys is in the working directory is the one that
 * gets parsed, and its contents are consumed below without validation — the
 * ImageNtHeader() result is dereferenced unchecked, and the table walks are
 * bounded only by the file's own W32pServiceLimit value and by a zero
 * terminator, never by the size of the mapped view.
 */
int main(int argc, char* argv[])
/* [listing gap: original lines 76-77 not shown] */
CHAR szModuleFileName[MAX_PATH+1];
/* [listing gap: original line 79 not shown] */
HANDLE hFile = 0, hMap = 0;
/* [listing gap: original lines 81-82 not shown] */
PVOID pW32pServiceTable, pW32pServiceLimit;
PBYTE pW32pArgumentTable;   /* one byte per service; passed as the callback context */
/* [listing gap: original lines 85-90 not shown] */
CHAR Name[MAX_SYMBOL_NAME];
/* [listing gap: original lines 92-93 not shown] */
printf("Win32k Syscall dumper\n");
printf("Copyright (c) Timo Kreuzer 2007-08\n");
/* [listing gap: original line 96 not shown] */
hProcess = GetCurrentProcess();
/* [listing gap: original lines 98-99 not shown] */
/* NOTE(review): GetCurrentDirectory() returns 0 on failure, or the required
 * size when the path does not fit in MAX_PATH characters — in both cases the
 * buffer does not hold a valid string — and the return is not checked. strcat()
 * then appends "\\win32k.sys" with no bound; the buffer is MAX_PATH+1 bytes, so
 * a directory path longer than MAX_PATH minus the 11-character suffix overruns
 * it. Building the path with a bounded call, e.g.
 * snprintf(szModuleFileName, sizeof szModuleFileName, "%s\\win32k.sys", dir)
 * and checking its return for truncation, addresses both. The same pattern
 * repeats at the GetSystemDirectory() fallback below. */
GetCurrentDirectory(MAX_PATH, szModuleFileName);
strcat(szModuleFileName, "\\win32k.sys");
hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile != INVALID_HANDLE_VALUE)
/* [listing gap: original lines 105-109 not shown] */
/* Fallback: the installed win32k.sys in the system directory. */
GetSystemDirectory(szModuleFileName, MAX_PATH);
strcat(szModuleFileName, "\\win32k.sys");
hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
/* [listing gap: original line 115 not shown] */
/* GetLastError() is a DWORD; %lu is the matching specifier (also for the
 * other GetLastError() messages below). */
printf("CreateFile() failed: %ld!\n", GetLastError());
/* [listing gap: original lines 117-120 not shown] */
printf("Trying to get syscalls from: %s\n", szModuleFileName);
/* [listing gap: original line 122 not shown] */
if (!InitDbgHelp(hProcess))
/* [listing gap: original line 124 not shown] */
printf("SymInitialize() failed\n");
/* [listing gap: original lines 126-128 not shown] */
printf("Loading symbols for %s, please wait...\n", szModuleFileName);
/* Load symbols for the on-disk image; base address 0 lets dbghelp take the
 * image's preferred base, which ImageSymToVa() later subtracts as ModBase. */
dwModuleBase = SymLoadModule64(hProcess, 0, szModuleFileName, 0, 0, 0);
if (dwModuleBase == 0)
/* [listing gap: original line 132 not shown] */
printf("SymLoadModule64() failed: %ld\n", GetLastError());
/* [listing gap: original lines 134-136 not shown] */
/* Read-only mapping of the whole file (size 0/0 = entire file). */
hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
/* [listing gap: original lines 138-139 not shown; presumably the NULL check
 * that guards the message below] */
printf("CreateFileMapping() failed: %ld\n", GetLastError());
/* [listing gap: original lines 141-143 not shown] */
pModule = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
/* [listing gap: original lines 145-146 not shown] */
printf("MapViewOfFile() failed: %ld\n", GetLastError());
/* [listing gap: original lines 148-150 not shown] */
/* NOTE(review): ImageNtHeader() returns NULL when the mapping is not a valid
 * PE image; the result is dereferenced here without a check. Any machine type
 * other than i386 is treated as 64-bit. */
bX64 = (ImageNtHeader(pModule)->FileHeader.Machine != IMAGE_FILE_MACHINE_I386);
/* [listing gap: original line 152 not shown] */
/* Sym is a caller-owned buffer whose .Symbol member is a SYMBOL_INFO; its
 * declaration is on a line not shown. */
pW32pServiceTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceTable");
pW32pServiceLimit = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceLimit");
pW32pArgumentTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pArgumentTable");
// printf("pW32pServiceTable = %p\n", pW32pServiceTable);
// printf("pW32pServiceLimit = %p\n", pW32pServiceLimit);
// printf("pW32pArgumentTable = %p\n", pW32pArgumentTable);
/* [listing gap: original line 159 not shown] */
if (!pW32pServiceTable || !pW32pServiceLimit || !pW32pArgumentTable)
/* [listing gap: original line 161 not shown] */
printf("Couldn't find adress!\n");
/* [listing gap: original lines 163-165 not shown] */
/* NOTE(review): dwServiceLimit is read straight out of the image and is the
 * only bound on the two loops below; nothing checks that dwServiceLimit
 * entries of the service table and of the argument table fit inside the
 * mapped view, so a corrupt or mismatched image makes the loops read past it. */
dwServiceLimit = *((DWORD *)pW32pServiceLimit);
/* [listing gap: original lines 167-169 not shown; presumably the test on bX64
 * that selects between the 32-bit and 64-bit walks] */
DWORD *pdwEntries32 = (DWORD *)pW32pServiceTable;
/* [listing gap: original line 171 not shown] */
for (i = 0; i < dwServiceLimit; i++)
/* [listing gap: original line 173 not shown] */
printf("0x%x:", i+0x1000);   /* win32k service numbers are printed from the 0x1000 table */
/* Argument-table byte travels to EnumSymbolsProc() as the context pointer. */
SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries32[i], EnumSymbolsProc, (PVOID)(DWORD)pW32pArgumentTable[i]);
/* [listing gap: original lines 176-180 not shown] */
DWORD64 *pdwEntries64 = (DWORD64 *)pW32pServiceTable;
/* [listing gap: original line 182 not shown] */
for (i = 0; i < dwServiceLimit; i++)
/* [listing gap: original line 184 not shown] */
printf("0x%x:", i+0x1000);
SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries64[i], EnumSymbolsProc, (PVOID)(DWORD)pW32pArgumentTable[i]);
/* [listing gap: original lines 187-190 not shown] */
/* Dump apfnSimpleCall */
printf("\nDumping apfnSimpleCall:\n");
pfnSimpleCall = (PVOID *)ImageSymToVa(hProcess, &Sym.Symbol, pModule, "apfnSimpleCall");
/* [listing gap: original lines 194-197 not shown; whether pfnSimpleCall is
 * NULL-checked and i reset to 0 before the loops is not visible] */
DWORD64 *pfnSC64 = (DWORD64 *)pfnSimpleCall;
/* NOTE(review): the table is walked to a zero terminator with no length
 * available, so a missing terminator in the image reads past the mapping. */
while (pfnSC64[i] != 0)
/* [listing gap: original lines 200-201 not shown] */
SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC64[i], EnumSymbolsProc, (PVOID)-1);   /* -1: print bare name */
/* [listing gap: original lines 203-208 not shown] */
DWORD *pfnSC32 = (DWORD *)pfnSimpleCall;
while (pfnSC32[i] != 0)
/* [listing gap: original lines 211-212 not shown] */
SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC32[i], EnumSymbolsProc, (PVOID)-1);
/* [listing gap: original lines 214-221 not shown] */
/* Release the view; whether hMap and hFile are closed afterwards is on lines not shown. */
UnmapViewOfFile(pModule);