/* Declared at file scope but not referenced anywhere in the visible code
 * (main() assigns GetCurrentProcess() to a separate hProcess). */
HANDLE hCurrentProcess;

/* Size in bytes of the name storage that must follow every SYMBOL_INFO
 * handed to dbghelp; ImageSymToVa() sets MaxNameLen to this minus one so
 * the terminating NUL always fits. */
#define MAX_SYMBOL_NAME 1024
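/*
 * Initialise a dbghelp session for hProcess and point it at the Microsoft
 * public symbol server.
 *
 * hProcess: the handle later passed to SymLoadModule64() / SymFromName()
 *           (main() passes GetCurrentProcess()).
 *
 * Returns FALSE if SymInitialize() fails, TRUE otherwise. The results of
 * SymSetOptions()/SymSetSearchPath() are not checked, as in the original.
 *
 * NOTE(review): the closing lines of this function are not present in this
 * listing; the two returns below follow from the BOOL return type and from
 * main() printing "SymInitialize() failed" when this function returns FALSE.
 */
BOOL InitDbgHelp(HANDLE hProcess)
{
    /* No user search path, and do not enumerate the modules of hProcess:
     * the win32k.sys image is loaded explicitly by SymLoadModule64(). */
    if (!SymInitialize(hProcess, 0, FALSE))
    {
        return FALSE;
    }

    /* Absolute symbols are needed to resolve the table addresses; deferred
     * loads are disabled so the PDB is fetched and parsed at
     * SymLoadModule64() time instead of lazily at the first lookup. */
    SymSetOptions(SymGetOptions() | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);
    SymSetOptions(SymGetOptions() & (~SYMOPT_DEFERRED_LOADS));

    /* symsrv downloads PDBs from this store and dbghelp then parses them.
     * The original used a plain http:// URL, which lets anyone on the
     * network path substitute a crafted PDB for the one being fetched; the
     * Microsoft symbol server is served over TLS, so use https://. The
     * "srv**symbols*" prefix (default cache, then a local "symbols" store)
     * is unchanged. */
    SymSetSearchPath(hProcess, "srv**symbols*https://msdl.microsoft.com/download/symbols");

    return TRUE;
}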
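/*
 * Resolve the symbol Name in the module loaded on hProcess and translate its
 * virtual address into a pointer inside the read-only file view at pModule.
 *
 * hProcess: dbghelp session handle (see InitDbgHelp()).
 * pSym:     caller-provided SYMBOL_INFO that must be immediately followed by
 *           MAX_SYMBOL_NAME bytes of name storage (main() passes &Sym.Symbol).
 *           Its header fields are (re)initialised here and it receives the
 *           symbol's Address and ModBase.
 * pModule:  base of the file mapping of win32k.sys. This is the raw file,
 *           not a loaded image, so an RVA must be mapped through the section
 *           table (ImageRvaToVa()) before it can be dereferenced.
 * Name:     symbol to look up, e.g. "W32pServiceTable".
 *
 * Returns a pointer into the mapping, or NULL if the symbol is not found,
 * pModule is not a PE image, or the RVA lies outside every section. The
 * pointer carries no length: the caller must bound whatever it reads through
 * it against the size of the mapping.
 *
 * NOTE(review): the declared return type and the closing lines of this
 * function are not present in this listing. PVOID is inferred from main(),
 * which stores the result in PVOID variables and tests it for NULL.
 */
PVOID ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)
{
    PIMAGE_NT_HEADERS NtHeaders;

    /* dbghelp requires both fields before every lookup. MaxNameLen counts
     * characters after the header; -1 leaves room for the terminating NUL. */
    pSym->SizeOfStruct = sizeof(SYMBOL_INFO);
    pSym->MaxNameLen = MAX_SYMBOL_NAME - 1;

    if (!SymFromName(hProcess, Name, pSym))
    {
        /* The original message named SymGetSymFromName64(), which is not the
         * function called here. GetLastError() returns a DWORD, hence %lu. */
        printf("SymFromName() failed: %lu\n", GetLastError());
        return NULL;
    }

    printf("looking up adress for %s: 0x%llx\n", Name, pSym->Address);

    /* ImageNtHeader() returns NULL when the mapping is not a PE image; the
     * original passed that result straight into ImageRvaToVa(). */
    NtHeaders = ImageNtHeader(pModule);
    if (!NtHeaders)
    {
        return NULL;
    }

    /* Address is a VA inside the module; subtracting ModBase yields the RVA,
     * which ImageRvaToVa() maps onto the raw file layout (NULL: no section
     * cache). It returns NULL for an RVA that belongs to no section. */
    return ImageRvaToVa(NtHeaders, pModule, pSym->Address - pSym->ModBase, NULL);
}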
/*
 * PSYM_ENUMERATESYMBOLS_CALLBACK handed to SymEnumSymbolsForAddr() by main():
 * prints one symbol name per call, decorated with the argument byte count
 * that main() smuggles through UserContext.
 *
 * NOTE(review): this listing is fragmentary. The remaining parameters (the
 * symbol size and UserContext), the condition that selects between the two
 * formats printed at the original lines 60 and 64, and the return statement
 * are not visible. Per the dbghelp contract the callback must return TRUE to
 * keep enumerating; returning FALSE stops SymEnumSymbolsForAddr().
 */
47 BOOL CALLBACK
EnumSymbolsProc(
48 PSYMBOL_INFO pSymInfo
,
/* UserContext is a small integer cast to PVOID by main(); casting it back to
 * UINT truncates on 64-bit builds, which is harmless for the byte counts
 * main() passes. (PVOID)-1 is the "name only" sentinel used for the
 * apfnSimpleCall walk: -1 converts to UINT_MAX, so this compare matches it. */
52 if ((UINT
)UserContext
== -1)
/* Sentinel case: the name alone, followed by a space. */
54 printf("%s ", pSymInfo
->Name
);
/* Decorated form "name@bytes" (the condition choosing this branch is not
 * visible here). %d with a UINT argument is a signed/unsigned mismatch;
 * %u would be exact. */
60 printf("%s@%d ", pSymInfo
->Name
, (UINT
)UserContext
);
/* Alternative form "name <+ bytes>"; same %d/UINT mismatch as above. */
64 printf("%s <+ %d> ", pSymInfo
->Name
, (UINT
)UserContext
);
/*
 * Entry point. Opens win32k.sys (current directory first, then the system
 * directory), loads its symbols through dbghelp, maps the file read-only and
 * walks W32pServiceTable / W32pServiceLimit / W32pArgumentTable and
 * apfnSimpleCall, printing a symbol name per entry via EnumSymbolsProc().
 * argc/argv are not used in the visible code.
 *
 * NOTE(review): this listing is fragmentary. The declarations of hProcess,
 * pModule, bX64, dwModuleBase, dwServiceLimit, i, Sym and pfnSimpleCall, the
 * exits after each error message, the selection between the 32-bit and
 * 64-bit table walks, and the end of the function (after UnmapViewOfFile)
 * are not visible; the comments below describe only what is shown.
 */
70 int main(int argc
, char* argv
[])
/* MAX_PATH+1 bytes -- see the overflow note at the original line 96. */
73 CHAR szModuleFileName
[MAX_PATH
+1];
75 HANDLE hFile
= 0, hMap
= 0;
/* Resolved through ImageSymToVa(): pointers into the file mapping, not
 * into a loaded image. */
78 PVOID pW32pServiceTable
, pW32pServiceLimit
;
/* One byte per service: the argument byte count passed to EnumSymbolsProc(). */
79 PBYTE pW32pArgumentTable
;
/* Name storage expected to follow the SYMBOL_INFO that ImageSymToVa() fills
 * (it sets MaxNameLen = MAX_SYMBOL_NAME-1). Its enclosing declaration --
 * presumably the aggregate holding Sym.Symbol -- is not visible here. */
86 CHAR Name
[MAX_SYMBOL_NAME
];
89 printf("Win32k Syscall dumper\n");
90 printf("Copyright (c) Timo Kreuzer 2007-08\n");
92 hProcess
= GetCurrentProcess();
/* SECURITY: the current directory is searched before the system directory,
 * so whatever win32k.sys sits in the CWD is what gets mapped, parsed below
 * and handed to dbghelp (which will also try to locate its PDB). Treat the
 * file as untrusted input. */
95 GetCurrentDirectory(MAX_PATH
, szModuleFileName
);
/* BUG: GetCurrentDirectory(MAX_PATH, ...) may fill up to MAX_PATH-1
 * characters, and its return value is not checked (0 on failure, or the
 * required size when the path does not fit, in which case the buffer is not
 * filled). Appending the 11-byte "\win32k.sys" can then write past the
 * MAX_PATH+1 buffer, or append to uninitialised bytes. Check the returned
 * length against MAX_PATH - strlen("\\win32k.sys") before the strcat(). */
96 strcat(szModuleFileName
, "\\win32k.sys");
/* Read-only open; the handle is later used for the file mapping. */
97 hFile
= CreateFile(szModuleFileName
, FILE_READ_DATA
, FILE_SHARE_READ
, NULL
,
98 OPEN_EXISTING
, FILE_ATTRIBUTE_NORMAL
, NULL
);
/* What happens when the CWD copy opened is not visible; the system
 * directory fallback follows. */
99 if (hFile
!= INVALID_HANDLE_VALUE
)
/* Same unchecked-length pattern as the original lines 95/96:
 * GetSystemDirectory() returns 0 on failure or the required size when
 * MAX_PATH is too small, and strcat() below does not account for it. */
105 GetSystemDirectory(szModuleFileName
, MAX_PATH
);
106 strcat(szModuleFileName
, "\\win32k.sys");
107 hFile
= CreateFile(szModuleFileName
, FILE_READ_DATA
, FILE_SHARE_READ
, NULL
,
108 OPEN_EXISTING
, FILE_ATTRIBUTE_NORMAL
, NULL
);
109 if (hFile
== INVALID_HANDLE_VALUE
)
/* Both lookups failed. The exit after this message is not visible.
 * GetLastError() returns a DWORD, so %ld should be %lu (applies to every
 * error message in this function). */
111 printf("CreateFile() failed: %ld!\n", GetLastError());
116 printf("Trying to get syscalls from: %s\n", szModuleFileName
);
118 if (!InitDbgHelp(hProcess
))
/* Exit path after this message not visible. */
120 printf("SymInitialize() failed\n");
124 printf("Loading symbols for %s, please wait...\n", szModuleFileName
);
/* BaseOfDll 0 lets dbghelp use the image's preferred base. Because
 * InitDbgHelp() clears SYMOPT_DEFERRED_LOADS, the PDB is fetched from the
 * symbol server and parsed here, for whichever file was opened above. */
125 dwModuleBase
= SymLoadModule64(hProcess
, 0, szModuleFileName
, 0, 0, 0);
126 if (dwModuleBase
== 0)
/* Exit path after this message not visible. */
128 printf("SymLoadModule64() failed: %ld\n", GetLastError());
/* Read-only mapping of the whole file (maximum size 0 = entire file). */
132 hMap
= CreateFileMappingA(hFile
, NULL
, PAGE_READONLY
, 0, 0, NULL
);
/* The check that leads here and the exit afterwards are not visible. */
135 printf("CreateFileMapping() failed: %ld\n", GetLastError());
/* pModule is a raw file view: RVAs must go through ImageRvaToVa() (done in
 * ImageSymToVa()) before being dereferenced. */
139 pModule
= MapViewOfFile(hMap
, FILE_MAP_READ
, 0, 0, 0);
/* The check that leads here and the exit afterwards are not visible. */
142 printf("MapViewOfFile() failed: %ld\n", GetLastError());
/* BUG: ImageNtHeader() returns NULL for a file that is not a PE image and
 * this dereferences the result unchecked. Any machine type other than
 * IMAGE_FILE_MACHINE_I386 is treated as 64-bit. */
146 bX64
= (ImageNtHeader(pModule
)->FileHeader
.Machine
!= IMAGE_FILE_MACHINE_I386
);
/* The three table symbols. Each call reuses Sym.Symbol; ImageSymToVa()
 * yields NULL when a symbol or its RVA cannot be resolved, which is checked
 * at the original line 155. */
148 pW32pServiceTable
= ImageSymToVa(hProcess
, &Sym
.Symbol
, pModule
, "W32pServiceTable");
149 pW32pServiceLimit
= ImageSymToVa(hProcess
, &Sym
.Symbol
, pModule
, "W32pServiceLimit");
150 pW32pArgumentTable
= ImageSymToVa(hProcess
, &Sym
.Symbol
, pModule
, "W32pArgumentTable");
151 // printf("pW32pServiceTable = %p\n", pW32pServiceTable);
152 // printf("pW32pServiceLimit = %p\n", pW32pServiceLimit);
153 // printf("pW32pArgumentTable = %p\n", pW32pArgumentTable);
155 if (!pW32pServiceTable
|| !pW32pServiceLimit
|| !pW32pArgumentTable
)
/* Exit path after this message not visible. */
157 printf("Couldn't find adress!\n");
/* SECURITY: dwServiceLimit is read from the mapped file and is the only
 * bound on the two loops below. Neither loop checks that
 * pW32pServiceTable[0..dwServiceLimit) (4 or 8 bytes per entry) and
 * pW32pArgumentTable[0..dwServiceLimit) lie inside the mapping, so a
 * truncated or crafted file makes the loops read past the view. Clamp
 * dwServiceLimit against the file size (GetFileSize(hFile, NULL)) and the
 * two table offsets before looping. */
161 dwServiceLimit
= *((DWORD
*)pW32pServiceLimit
);
/* 32-bit layout: one DWORD (absolute VA) per entry. The condition that
 * selects this branch over the 64-bit one (presumably on bX64) is not
 * visible. */
165 DWORD
*pdwEntries32
= (DWORD
*)pW32pServiceTable
;
167 for (i
= 0; i
< dwServiceLimit
; i
++)
/* win32k service numbers start at 0x1000. */
169 printf("0x%x:", i
+0x1000);
/* UserContext carries the argument byte count for this service, which
 * EnumSymbolsProc() prints after the symbol name. */
170 SymEnumSymbolsForAddr(hProcess
, (DWORD64
)pdwEntries32
[i
], EnumSymbolsProc
, (PVOID
)(DWORD
)pW32pArgumentTable
[i
]);
/* 64-bit layout: one DWORD64 per entry; otherwise identical to the loop
 * above, including the missing bounds check on dwServiceLimit. */
176 DWORD64
*pdwEntries64
= (DWORD64
*)pW32pServiceTable
;
178 for (i
= 0; i
< dwServiceLimit
; i
++)
180 printf("0x%x:", i
+0x1000);
181 SymEnumSymbolsForAddr(hProcess
, (DWORD64
)pdwEntries64
[i
], EnumSymbolsProc
, (PVOID
)(DWORD
)pW32pArgumentTable
[i
]);
186 /* Dump apfnSimpleCall */
187 printf("\nDumping apfnSimpleCall:\n");
/* A NULL check on pfnSimpleCall before the loops below, and the reset of i
 * to 0, are not visible in this listing; without a reset i still holds
 * dwServiceLimit from the loops above. */
188 pfnSimpleCall
= (PVOID
*)ImageSymToVa(hProcess
, &Sym
.Symbol
, pModule
, "apfnSimpleCall");
/* SECURITY: the walk stops only at a zero entry in the file, with no upper
 * bound against the mapping -- the same concern as dwServiceLimit above.
 * The increment of i inside the loop is not visible. */
193 DWORD64
*pfnSC64
= (DWORD64
*)pfnSimpleCall
;
194 while (pfnSC64
[i
] != 0)
/* (PVOID)-1 is the sentinel EnumSymbolsProc() treats as "name only". */
197 SymEnumSymbolsForAddr(hProcess
, (DWORD64
)pfnSC64
[i
], EnumSymbolsProc
, (PVOID
)-1);
/* 32-bit variant of the same walk; same missing bound and invisible
 * increment. */
204 DWORD
*pfnSC32
= (DWORD
*)pfnSimpleCall
;
205 while (pfnSC32
[i
] != 0)
208 SymEnumSymbolsForAddr(hProcess
, (DWORD64
)pfnSC32
[i
], EnumSymbolsProc
, (PVOID
)-1);
/* Cleanup. CloseHandle(hMap)/CloseHandle(hFile), SymCleanup() and the
 * return value are not visible in this listing. */
217 UnmapViewOfFile(pModule
);