dd/d52/syscalldump_8c_source.html

#include <stdio.h>

#include <stdlib.h>

#include <ctype.h>

#define _WINVER 0x501

#define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS 0x00000800

#include <windows.h>

#include <shlwapi.h>

#include <dbghelp.h>


HANDLE hCurrentProcess;

BOOL bX64;


#define MAX_SYMBOL_NAME     1024


BOOL InitDbgHelp(HANDLE hProcess)

{

    if (!SymInitialize(hProcess, 0, FALSE))

        return FALSE;


    SymSetOptions(SymGetOptions() | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);

    SymSetOptions(SymGetOptions() & (~SYMOPT_DEFERRED_LOADS));

    SymSetSearchPath(hProcess, "srv**symbols*http://msdl.microsoft.com/download/symbols");

    return TRUE;

}


PVOID

ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)

{

    PIMAGE_NT_HEADERS NtHeaders;

    PVOID p;


    pSym->SizeOfStruct = sizeof(SYMBOL_INFO);

    pSym->MaxNameLen = MAX_SYMBOL_NAME-1;


    if (!SymFromName(hProcess, Name, pSym))

    {

        printf("SymGetSymFromName64() failed: %ld\n", GetLastError());

        return 0;

    }

#if defined(__GNUC__) && \

    (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__ < 40400)

    printf("looking up adress for %s: 0x%llx\n", Name, pSym->Address);

#else

    printf("looking up adress for %s: 0x%I64x\n", Name, pSym->Address);

#endif


    NtHeaders = ImageNtHeader(pModule);

    p = ImageRvaToVa(NtHeaders, pModule, pSym->Address - pSym->ModBase, NULL);


    return p;

}


BOOL CALLBACK EnumSymbolsProc(

    PSYMBOL_INFO pSymInfo,

    ULONG SymbolSize,

    PVOID UserContext)

{

    if ((INT_PTR)UserContext == -1)

    {

        printf("%s ", pSymInfo->Name);

    }

    else

    {

        if (!bX64)

        {

            printf("%s@%Iu ", pSymInfo->Name, (UINT_PTR)UserContext);

        }

        else

        {

            printf("%s <+ %Iu> ", pSymInfo->Name, (UINT_PTR)UserContext);

        }

    }

    return TRUE;

}


int main(int argc, char* argv[])

{

    HANDLE hProcess;

    CHAR szModuleFileName[MAX_PATH+1];

    DWORD64 dwModuleBase;

    HANDLE hFile = 0, hMap = 0;

    PBYTE pModule = NULL;

    UINT i;

    PVOID pW32pServiceTable, pW32pServiceLimit;

    PBYTE pW32pArgumentTable;

    PVOID pfnSimpleCall;

    DWORD dwServiceLimit;


    struct

    {

        SYMBOL_INFO Symbol;

        CHAR        Name[MAX_SYMBOL_NAME];

    } Sym;


    printf("Win32k Syscall dumper\n");

    printf("Copyright (c) Timo Kreuzer 2007-08\n");


    hProcess = GetCurrentProcess();


    // try current dir

    GetCurrentDirectory(MAX_PATH, szModuleFileName);

    strcat(szModuleFileName, "\\win32k.sys");

    hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,

              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,  NULL);

    if (hFile != INVALID_HANDLE_VALUE)

    {

        goto cont;

    }


    // try system dir

    GetSystemDirectory(szModuleFileName, MAX_PATH);

    strcat(szModuleFileName, "\\win32k.sys");

    hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,

              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,  NULL);

    if (hFile == INVALID_HANDLE_VALUE)

    {

        printf("CreateFile() failed: %ld!\n", GetLastError());

        goto cleanup;

    }


cont:

    printf("Trying to get syscalls from: %s\n", szModuleFileName);


    if (!InitDbgHelp(hProcess))

    {

        printf("SymInitialize() failed\n");

        goto cleanup;

    }


    printf("Loading symbols for %s, please wait...\n", szModuleFileName);

    dwModuleBase = SymLoadModule64(hProcess, 0, szModuleFileName, 0, 0, 0);

    if (dwModuleBase == 0)

    {

        printf("SymLoadModule64() failed: %ld\n", GetLastError());

        goto cleanup;

    }


    hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);

    if (!hMap)

    {

        printf("CreateFileMapping() failed: %ld\n", GetLastError());

        goto cleanup;

    }


    pModule = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);

    if(!pModule)

    {

        printf("MapViewOfFile() failed: %ld\n", GetLastError());

        goto cleanup;

    }


    bX64 = (ImageNtHeader(pModule)->FileHeader.Machine != IMAGE_FILE_MACHINE_I386);


    pW32pServiceTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceTable");

    pW32pServiceLimit = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceLimit");

    pW32pArgumentTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pArgumentTable");

//  printf("pW32pServiceTable = %p\n", pW32pServiceTable);

//  printf("pW32pServiceLimit = %p\n", pW32pServiceLimit);

//  printf("pW32pArgumentTable = %p\n", pW32pArgumentTable);


    if (!pW32pServiceTable || !pW32pServiceLimit || !pW32pArgumentTable)

    {

        printf("Couldn't find adress!\n");

        goto cleanup;

    }


    dwServiceLimit = *((DWORD*)pW32pServiceLimit);


    if (!bX64)

    {

        DWORD *pdwEntries32 = (DWORD*)pW32pServiceTable;


        for (i = 0; i < dwServiceLimit; i++)

        {

            printf("0x%x:", i+0x1000);

            SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries32[i], EnumSymbolsProc, (PVOID)(DWORD_PTR)pW32pArgumentTable[i]);

            printf("\n");

        }

    }

    else

    {

        DWORD64 *pdwEntries64 = (DWORD64*)pW32pServiceTable;


        for (i = 0; i < dwServiceLimit; i++)

        {

            printf("0x%x:", i+0x1000);

            SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries64[i], EnumSymbolsProc, (PVOID)(DWORD_PTR)pW32pArgumentTable[i]);

            printf("\n");

        }

    }


    /* Dump apfnSimpleCall */

    printf("\nDumping apfnSimpleCall:\n");

    pfnSimpleCall = (PVOID*)ImageSymToVa(hProcess, &Sym.Symbol, pModule, "apfnSimpleCall");

    i = 0;


    if (bX64)

    {

        DWORD64 *pfnSC64 = (DWORD64*)pfnSimpleCall;

        while (pfnSC64[i] != 0)

        {

            printf("0x%x:", i);

            SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC64[i], EnumSymbolsProc, (PVOID)-1);

            printf("\n");

            i++;

        }

    }

    else

    {

        DWORD *pfnSC32 = (DWORD*)pfnSimpleCall;

        while (pfnSC32[i] != 0)

        {

            printf("0x%x:", i);

            SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC32[i], EnumSymbolsProc, (PVOID)-1);

            printf("\n");

            i++;

        }

    }


cleanup:

    if (pModule)

    {

        UnmapViewOfFile(pModule);

    }

    if (hMap)

    {

        CloseHandle(hMap);

    }

    if (hFile)

    {

        CloseHandle(hFile);

    }


    return 0;

}

argc
static int argc
Definition: ServiceArgs.c:12

strcat
char * strcat(char *DstString, const char *SrcString)
Definition: utclib.c:568

Symbol
Definition: Symbol.h:9

dbghelp.h

ImageNtHeader
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)

ImageRvaToVa
PVOID WINAPI ImageRvaToVa(_In_ PIMAGE_NT_HEADERS, _In_ PVOID, _In_ ULONG, _In_opt_ PIMAGE_SECTION_HEADER *)

NULL
#define NULL
Definition: types.h:112

TRUE
#define TRUE
Definition: types.h:120

FALSE
#define FALSE
Definition: types.h:117

CloseHandle
#define CloseHandle
Definition: compat.h:739

PAGE_READONLY
#define PAGE_READONLY
Definition: compat.h:138

SymInitialize
BOOL WINAPI SymInitialize(HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess)
Definition: dbghelp.c:534

UnmapViewOfFile
#define UnmapViewOfFile
Definition: compat.h:746

OPEN_EXISTING
#define OPEN_EXISTING
Definition: compat.h:775

INVALID_HANDLE_VALUE
#define INVALID_HANDLE_VALUE
Definition: compat.h:731

GetCurrentProcess
#define GetCurrentProcess()
Definition: compat.h:759

SYMBOL_INFO
struct _SYMBOL_INFO SYMBOL_INFO

MAX_PATH
#define MAX_PATH
Definition: compat.h:34

SYMOPT_DEFERRED_LOADS
#define SYMOPT_DEFERRED_LOADS
Definition: compat.h:989

FILE_MAP_READ
#define FILE_MAP_READ
Definition: compat.h:776

FILE_ATTRIBUTE_NORMAL
#define FILE_ATTRIBUTE_NORMAL
Definition: compat.h:137

CALLBACK
#define CALLBACK
Definition: compat.h:35

SymSetOptions
DWORD WINAPI SymSetOptions(DWORD opts)
Definition: dbghelp.c:585

MapViewOfFile
#define MapViewOfFile
Definition: compat.h:745

FILE_SHARE_READ
#define FILE_SHARE_READ
Definition: compat.h:136

SymSetSearchPath
BOOL WINAPI SymSetSearchPath(HANDLE hProcess, PCSTR searchPath)
Definition: dbghelp.c:263

SymGetOptions
DWORD WINAPI SymGetOptions(void)
Definition: dbghelp.c:600

SymLoadModule64
DWORD64 WINAPI SymLoadModule64(HANDLE hProcess, HANDLE hFile, PCSTR ImageName, PCSTR ModuleName, DWORD64 BaseOfDll, DWORD SizeOfDll)
Definition: module.c:878

cleanup
static void cleanup(void)
Definition: main.c:1335

main
int main()
Definition: test.c:6

CreateFileMappingA
HANDLE NTAPI CreateFileMappingA(IN HANDLE hFile, IN LPSECURITY_ATTRIBUTES lpFileMappingAttributes, IN DWORD flProtect, IN DWORD dwMaximumSizeHigh, IN DWORD dwMaximumSizeLow, IN LPCSTR lpName)
Definition: filemap.c:23

BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94

DWORD
unsigned long DWORD
Definition: ntddk_ex.h:95

printf
#define printf
Definition: freeldr.h:94

p
GLfloat GLfloat p
Definition: glext.h:8902

i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248

void
Definition: nsiface.idl:2307

hProcess
_In_ BOOL _In_ HANDLE hProcess
Definition: mapping.h:71

argv
#define argv
Definition: mplay32.c:18

UINT_PTR
unsigned __int3264 UINT_PTR
Definition: mstsclib_h.h:274

hFile
_In_ HANDLE hFile
Definition: mswsock.h:90

UINT
unsigned int UINT
Definition: ndis.h:50

FILE_READ_DATA
#define FILE_READ_DATA
Definition: nt_native.h:628

IMAGE_FILE_MACHINE_I386
#define IMAGE_FILE_MACHINE_I386
Definition: pedump.c:174

PBYTE
BYTE * PBYTE
Definition: pedump.c:66

SymEnumSymbolsForAddr
BOOL WINAPI SymEnumSymbolsForAddr(HANDLE hProcess, DWORD64 Address, PSYM_ENUMERATESYMBOLS_CALLBACK Callback, PVOID pUserContext)
Definition: rosstubs.c:147

shlwapi.h

NameRec_
Definition: apinames.c:49

_IMAGE_FILE_HEADER::Machine
WORD Machine
Definition: ntddk_ex.h:122

_IMAGE_NT_HEADERS
Definition: ntddk_ex.h:181

_IMAGE_NT_HEADERS::FileHeader
IMAGE_FILE_HEADER FileHeader
Definition: ntddk_ex.h:183

_SYMBOL_INFO
Definition: compat.h:1037

_SYMBOL_INFO::ModBase
ULONG64 ModBase
Definition: compat.h:1043

_SYMBOL_INFO::SizeOfStruct
ULONG SizeOfStruct
Definition: compat.h:1038

_SYMBOL_INFO::Name
CHAR Name[1]
Definition: compat.h:1052

_SYMBOL_INFO::Address
ULONG64 Address
Definition: compat.h:1046

_SYMBOL_INFO::MaxNameLen
ULONG MaxNameLen
Definition: compat.h:1051

SymFromName
BOOL WINAPI SymFromName(HANDLE hProcess, PCSTR Name, PSYMBOL_INFO Symbol)
Definition: symbol.c:1392

bX64
BOOL bX64
Definition: syscalldump.c:11

InitDbgHelp
BOOL InitDbgHelp(HANDLE hProcess)
Definition: syscalldump.c:15

SYMOPT_ALLOW_ABSOLUTE_SYMBOLS
#define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS
Definition: syscalldump.c:5

MAX_SYMBOL_NAME
#define MAX_SYMBOL_NAME
Definition: syscalldump.c:13

ImageSymToVa
PVOID ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)
Definition: syscalldump.c:27

hCurrentProcess
HANDLE hCurrentProcess
Definition: syscalldump.c:10

EnumSymbolsProc
BOOL CALLBACK EnumSymbolsProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
Definition: syscalldump.c:53

INT_PTR
int32_t INT_PTR
Definition: typedefs.h:64

DWORD_PTR
uint32_t DWORD_PTR
Definition: typedefs.h:65

DWORD64
uint64_t DWORD64
Definition: typedefs.h:67

PCSTR
const char * PCSTR
Definition: typedefs.h:52

ULONG
uint32_t ULONG
Definition: typedefs.h:59

GetSystemDirectory
#define GetSystemDirectory
Definition: winbase.h:3713

GetLastError
DWORD WINAPI GetLastError(void)
Definition: except.c:1040

CreateFile
#define CreateFile
Definition: winbase.h:3620

GetCurrentDirectory
#define GetCurrentDirectory
Definition: winbase.h:3676

CHAR
char CHAR
Definition: xmlstorage.h:175