ReactOS  0.4.15-dev-321-g2d9b385
syscalldump.c
Go to the documentation of this file.
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <ctype.h>
4 #define _WINVER 0x501
5 #define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS 0x00000800
6 #include <windows.h>
7 #include <shlwapi.h>
8 #include <dbghelp.h>
9 
10 HANDLE hCurrentProcess;
11 BOOL bX64;
12 
13 #define MAX_SYMBOL_NAME 1024
14 
15 BOOL InitDbgHelp(HANDLE hProcess)
16 {
17  if (!SymInitialize(hProcess, 0, FALSE))
18  return FALSE;
19 
20  SymSetOptions(SymGetOptions() | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);
21  SymSetOptions(SymGetOptions() & (~SYMOPT_DEFERRED_LOADS));
22  SymSetSearchPath(hProcess, "srv**symbols*http://msdl.microsoft.com/download/symbols");
23  return TRUE;
24 }
25 
26 PVOID
27 ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)
28 {
29  PIMAGE_NT_HEADERS NtHeaders;
30  PVOID p;
31 
32  pSym->SizeOfStruct = sizeof(SYMBOL_INFO);
33  pSym->MaxNameLen = MAX_SYMBOL_NAME-1;
34 
35  if (!SymFromName(hProcess, Name, pSym))
36  {
37  printf("SymGetSymFromName64() failed: %ld\n", GetLastError());
38  return 0;
39  }
40 #if defined(__GNUC__) && \
41  (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__ < 40400)
42  printf("looking up adress for %s: 0x%llx\n", Name, pSym->Address);
43 #else
44  printf("looking up adress for %s: 0x%I64x\n", Name, pSym->Address);
45 #endif
46 
47  NtHeaders = ImageNtHeader(pModule);
48  p = ImageRvaToVa(NtHeaders, pModule, pSym->Address - pSym->ModBase, NULL);
49 
50  return p;
51 }
52 
53 BOOL CALLBACK EnumSymbolsProc(
54  PSYMBOL_INFO pSymInfo,
55  ULONG SymbolSize,
56  PVOID UserContext)
57 {
58  if ((INT_PTR)UserContext == -1)
59  {
60  printf("%s ", pSymInfo->Name);
61  }
62  else
63  {
64  if (!bX64)
65  {
66  printf("%s@%Iu ", pSymInfo->Name, (UINT_PTR)UserContext);
67  }
68  else
69  {
70  printf("%s <+ %Iu> ", pSymInfo->Name, (UINT_PTR)UserContext);
71  }
72  }
73  return TRUE;
74 }
75 
76 int main(int argc, char* argv[])
77 {
78  HANDLE hProcess;
79  CHAR szModuleFileName[MAX_PATH+1];
80  DWORD64 dwModuleBase;
81  HANDLE hFile = 0, hMap = 0;
82  PBYTE pModule = NULL;
83  UINT i;
84  PVOID pW32pServiceTable, pW32pServiceLimit;
85  PBYTE pW32pArgumentTable;
86  PVOID pfnSimpleCall;
87  DWORD dwServiceLimit;
88 
89  struct
90  {
91  SYMBOL_INFO Symbol;
92  CHAR Name[MAX_SYMBOL_NAME];
93  } Sym;
94 
95  printf("Win32k Syscall dumper\n");
96  printf("Copyright (c) Timo Kreuzer 2007-08\n");
97 
98  hProcess = GetCurrentProcess();
99 
100  // try current dir
101  GetCurrentDirectory(MAX_PATH, szModuleFileName);
102  strcat(szModuleFileName, "\\win32k.sys");
103  hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,
104  OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
105  if (hFile != INVALID_HANDLE_VALUE)
106  {
107  goto cont;
108  }
109 
110  // try system dir
111  GetSystemDirectory(szModuleFileName, MAX_PATH);
112  strcat(szModuleFileName, "\\win32k.sys");
113  hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,
114  OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
115  if (hFile == INVALID_HANDLE_VALUE)
116  {
117  printf("CreateFile() failed: %ld!\n", GetLastError());
118  goto cleanup;
119  }
120 
121 cont:
122  printf("Trying to get syscalls from: %s\n", szModuleFileName);
123 
124  if (!InitDbgHelp(hProcess))
125  {
126  printf("SymInitialize() failed\n");
127  goto cleanup;
128  }
129 
130  printf("Loading symbols for %s, please wait...\n", szModuleFileName);
131  dwModuleBase = SymLoadModule64(hProcess, 0, szModuleFileName, 0, 0, 0);
132  if (dwModuleBase == 0)
133  {
134  printf("SymLoadModule64() failed: %ld\n", GetLastError());
135  goto cleanup;
136  }
137 
138  hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
139  if (!hMap)
140  {
141  printf("CreateFileMapping() failed: %ld\n", GetLastError());
142  goto cleanup;
143  }
144 
145  pModule = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
146  if(!pModule)
147  {
148  printf("MapViewOfFile() failed: %ld\n", GetLastError());
149  goto cleanup;
150  }
151 
152  bX64 = (ImageNtHeader(pModule)->FileHeader.Machine != IMAGE_FILE_MACHINE_I386);
153 
154  pW32pServiceTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceTable");
155  pW32pServiceLimit = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceLimit");
156  pW32pArgumentTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pArgumentTable");
157 // printf("pW32pServiceTable = %p\n", pW32pServiceTable);
158 // printf("pW32pServiceLimit = %p\n", pW32pServiceLimit);
159 // printf("pW32pArgumentTable = %p\n", pW32pArgumentTable);
160 
161  if (!pW32pServiceTable || !pW32pServiceLimit || !pW32pArgumentTable)
162  {
163  printf("Couldn't find adress!\n");
164  goto cleanup;
165  }
166 
167  dwServiceLimit = *((DWORD*)pW32pServiceLimit);
168 
169  if (!bX64)
170  {
171  DWORD *pdwEntries32 = (DWORD*)pW32pServiceTable;
172 
173  for (i = 0; i < dwServiceLimit; i++)
174  {
175  printf("0x%x:", i+0x1000);
176  SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries32[i], EnumSymbolsProc, (PVOID)(DWORD_PTR)pW32pArgumentTable[i]);
177  printf("\n");
178  }
179  }
180  else
181  {
182  DWORD64 *pdwEntries64 = (DWORD64*)pW32pServiceTable;
183 
184  for (i = 0; i < dwServiceLimit; i++)
185  {
186  printf("0x%x:", i+0x1000);
187  SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries64[i], EnumSymbolsProc, (PVOID)(DWORD_PTR)pW32pArgumentTable[i]);
188  printf("\n");
189  }
190  }
191 
192  /* Dump apfnSimpleCall */
193  printf("\nDumping apfnSimpleCall:\n");
194  pfnSimpleCall = (PVOID*)ImageSymToVa(hProcess, &Sym.Symbol, pModule, "apfnSimpleCall");
195  i = 0;
196 
197  if (bX64)
198  {
199  DWORD64 *pfnSC64 = (DWORD64*)pfnSimpleCall;
200  while (pfnSC64[i] != 0)
201  {
202  printf("0x%x:", i);
203  SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC64[i], EnumSymbolsProc, (PVOID)-1);
204  printf("\n");
205  i++;
206  }
207  }
208  else
209  {
210  DWORD *pfnSC32 = (DWORD*)pfnSimpleCall;
211  while (pfnSC32[i] != 0)
212  {
213  printf("0x%x:", i);
214  SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC32[i], EnumSymbolsProc, (PVOID)-1);
215  printf("\n");
216  i++;
217  }
218  }
219 
220 cleanup:
221  if (pModule)
222  {
223  UnmapViewOfFile(pModule);
224  }
225  if (hMap)
226  {
227  CloseHandle(hMap);
228  }
229  if (hFile)
230  {
231  CloseHandle(hFile);
232  }
233 
234  return 0;
235 }
bX64
BOOL bX64
Definition: syscalldump.c:11
EnumSymbolsProc
BOOL CALLBACK EnumSymbolsProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
Definition: syscalldump.c:53
argc
static int argc
Definition: ServiceArgs.c:12
_SYMBOL_INFO::Name
CHAR Name[1]
Definition: compat.h:710
TRUE
#define TRUE
Definition: types.h:120
CloseHandle
#define CloseHandle
Definition: compat.h:407
_SYMBOL_INFO::MaxNameLen
ULONG MaxNameLen
Definition: compat.h:709
MapViewOfFile
#define MapViewOfFile
Definition: compat.h:411
strcat
char * strcat(char *DstString, const char *SrcString)
Definition: utclib.c:568
hCurrentProcess
HANDLE hCurrentProcess
Definition: syscalldump.c:10
SymSetOptions
DWORD WINAPI SymSetOptions(DWORD opts)
Definition: dbghelp.c:443
SYMOPT_ALLOW_ABSOLUTE_SYMBOLS
#define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS
Definition: syscalldump.c:5
CHAR
char CHAR
Definition: xmlstorage.h:175
CALLBACK
#define CALLBACK
Definition: compat.h:27
INVALID_HANDLE_VALUE
#define INVALID_HANDLE_VALUE
Definition: compat.h:400
GetLastError
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1059
hProcess
_In_ BOOL _In_ HANDLE hProcess
Definition: mapping.h:70
_SYMBOL_INFO::Address
ULONG64 Address
Definition: compat.h:704
main
int main(int argc, char *argv[])
Definition: syscalldump.c:76
ImageSymToVa
PVOID ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)
Definition: syscalldump.c:27
INT_PTR
int32_t INT_PTR
Definition: typedefs.h:63
argv
#define argv
Definition: mplay32.c:18
FILE_SHARE_READ
#define FILE_SHARE_READ
Definition: compat.h:125
SYMOPT_DEFERRED_LOADS
#define SYMOPT_DEFERRED_LOADS
Definition: compat.h:647
SymSetSearchPath
BOOL WINAPI SymSetSearchPath(HANDLE hProcess, PCSTR searchPath)
Definition: dbghelp.c:199
_SYMBOL_INFO
Definition: compat.h:694
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94
_IMAGE_FILE_HEADER::Machine
WORD Machine
Definition: ntddk_ex.h:122
FILE_READ_DATA
#define FILE_READ_DATA
Definition: nt_native.h:628
_IMAGE_NT_HEADERS
Definition: ntddk_ex.h:181
GetCurrentDirectory
#define GetCurrentDirectory
Definition: winbase.h:3645
_SYMBOL_INFO::ModBase
ULONG64 ModBase
Definition: compat.h:701
NULL
smooth NULL
Definition: ftsmooth.c:416
SymInitialize
BOOL WINAPI SymInitialize(HANDLE hProcess, PCSTR UserSearchPath, BOOL fInvadeProcess)
Definition: dbghelp.c:393
NameRec_
Definition: apinames.c:48
FILE_MAP_READ
#define FILE_MAP_READ
Definition: compat.h:436
_IMAGE_NT_HEADERS::FileHeader
IMAGE_FILE_HEADER FileHeader
Definition: ntddk_ex.h:183
OPEN_EXISTING
#define OPEN_EXISTING
Definition: compat.h:435
IMAGE_FILE_MACHINE_I386
#define IMAGE_FILE_MACHINE_I386
Definition: pedump.c:174
Symbol
BOOLEAN Symbol(PVRET pvr)
Definition: symbols.c:2890
SymLoadModule64
DWORD64 WINAPI SymLoadModule64(HANDLE hProcess, HANDLE hFile, PCSTR ImageName, PCSTR ModuleName, DWORD64 BaseOfDll, DWORD SizeOfDll)
Definition: module.c:673
GetCurrentProcess
HANDLE WINAPI GetCurrentProcess(VOID)
Definition: proc.c:1138
MAX_PATH
#define MAX_PATH
Definition: compat.h:26
SYMBOL_INFO
struct _SYMBOL_INFO SYMBOL_INFO
DWORD
unsigned long DWORD
Definition: ntddk_ex.h:95
UINT_PTR
unsigned __int3264 UINT_PTR
Definition: mstsclib_h.h:274
FILE_ATTRIBUTE_NORMAL
#define FILE_ATTRIBUTE_NORMAL
Definition: compat.h:126
_SYMBOL_INFO::SizeOfStruct
ULONG SizeOfStruct
Definition: compat.h:696
DWORD_PTR
uint32_t DWORD_PTR
Definition: typedefs.h:64
hFile
_In_ HANDLE hFile
Definition: mswsock.h:90
GetSystemDirectory
#define GetSystemDirectory
Definition: winbase.h:3682
DWORD64
uint64_t DWORD64
Definition: typedefs.h:66
CreateFile
IN OUT PVCB OUT PDIRENT OUT PBCB IN BOOLEAN CreateFile
Definition: fatprocs.h:904
ImageRvaToVa
PVOID WINAPI ImageRvaToVa(_In_ PIMAGE_NT_HEADERS, _In_ PVOID, _In_ ULONG, _In_opt_ PIMAGE_SECTION_HEADER *)
UINT
unsigned int UINT
Definition: ndis.h:50
PAGE_READONLY
#define PAGE_READONLY
Definition: compat.h:127
SymGetOptions
DWORD WINAPI SymGetOptions(void)
Definition: dbghelp.c:458
InitDbgHelp
BOOL InitDbgHelp(HANDLE hProcess)
Definition: syscalldump.c:15
SymEnumSymbolsForAddr
BOOL WINAPI SymEnumSymbolsForAddr(HANDLE hProcess, DWORD64 Address, PSYM_ENUMERATESYMBOLS_CALLBACK Callback, PVOID pUserContext)
Definition: rosstubs.c:147
ULONG
unsigned int ULONG
Definition: retypes.h:1
SymFromName
BOOL WINAPI SymFromName(HANDLE hProcess, PCSTR Name, PSYMBOL_INFO Symbol)
Definition: symbol.c:1400
cleanup
char * cleanup(char *str)
Definition: wpickclick.c:99
ImageNtHeader
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)
MAX_SYMBOL_NAME
#define MAX_SYMBOL_NAME
Definition: syscalldump.c:13
PCSTR
const char * PCSTR
Definition: typedefs.h:52
p
GLfloat GLfloat p
Definition: glext.h:8902
UnmapViewOfFile
#define UnmapViewOfFile
Definition: compat.h:412
PBYTE
BYTE * PBYTE
Definition: pedump.c:66
CreateFileMappingA
HANDLE NTAPI CreateFileMappingA(IN HANDLE hFile, IN LPSECURITY_ATTRIBUTES lpFileMappingAttributes, IN DWORD flProtect, IN DWORD dwMaximumSizeHigh, IN DWORD dwMaximumSizeLow, IN LPCSTR lpName)
Definition: filemap.c:23
printf
#define printf
Definition: config.h:203