|
序号 |
函数名称 |
ImageHlp.DLL |
DbgHelp.DLL |
|
1 |
Bindlmage |
N/A |
|
|
2 |
BindlmageEx |
N/A |
|
|
3 |
CheckSumMappedFile |
N/A |
|
|
4 |
EnumerateLoadedModules |
||
|
5 |
EnumerateLoadedModules64 |
||
|
6 |
ExtensionApiVersion |
N/A |
|
|
7 |
FindDebuglnfoFile |
||
|
8 |
FindDebuglnfoFileEx |
||
|
9 |
FindExecutablelmage |
||
|
10 |
FindExecutablelmageEx |
||
|
11 |
FindFilelnSearchPath |
||
|
12 |
GetlmageConfiglnformation |
N/A |
|
|
13 |
GetlmageUnusedHeaderBytes |
N/A |
|
|
14 |
GetTimestampForLoadedLibrary |
||
|
15 |
ImageAddCertificate |
N/A |
|
|
16 |
ImageDirectoryEntryToData |
||
|
17 |
ImageDirectoryEntryToDataEx |
||
|
18 |
ImageEnumerateCertificates |
N/A |
|
|
19 |
ImageGetCertificateData |
N/A |
|
|
20 |
ImageGetCertificateHeader |
N/A |
|
|
21 |
ImageGetDigestStream |
N/A |
|
|
22 |
ImagehlpApiVersion |
||
|
23 |
ImagehlpApiVersionEx |
||
|
24 |
ImageLoad |
N/A |
|
|
25 |
ImageNtHeader |
||
|
26 |
ImageRemoveCertificate |
N/A |
|
|
27 |
ImageRvaToSection |
||
|
28 |
ImageRvaToVa |
||
|
29 |
ImageUnload |
N/A |
|
|
30 |
MakeSureDirectoryPathExists |
||
|
31 |
MapAndLoad |
N/A |
|
|
32 |
MapDebuglnformation |
||
|
33 |
MapFileAndCheckSumA |
N/A |
|
|
34 |
MapFileAndCheckSumW |
N/A |
|
|
35 |
ReBaselmage |
N/A |
|
|
36 |
ReBaseImage64 |
N/A |
|
|
37 |
RemovePrivateCvSymbolic |
N/A |
|
|
38 |
RemovePrivateCvSymbolicEx |
N/A |
|
|
39 |
RemoveRelocations |
N/A |
|
|
40 |
SearchTreeForFile |
||
|
41 |
SetlmageConfiglnformation |
N/A |
|
|
42 |
SplitSymbols |
N/A |
|
|
43 |
StackWalk |
||
|
44 |
StackWalk64 |
||
|
45 |
Sym |
N/A |
|
|
46 |
SymCleanup |
||
|
47 |
SymEnumerateModules |
||
|
48 |
SymEnumerateModules64 |
||
|
49 |
SymEnumerateSymbols |
||
|
50 |
SymEnumerateSymbols64 |
||
|
51 |
SymEnumerateSymbolsW |
||
|
52 |
SymFunctionTableAccess |
||
|
53 |
SymFunctionTa ble Access64 |
||
|
54 |
SymGetLineFromAddr |
||
|
55 |
SymGetLineFromAddr64 |
||
|
56 |
SymGetLineFromName |
||
|
57 |
SymGetLineFromName64 |
||
|
58 |
SymGetLineNext |
||
|
59 |
SymGetLineNext64 |
||
|
60 |
SymGetLinePrev |
||
|
61 |
SymGetLinePrev64 |
||
|
62 |
SymGetModuleBase |
||
|
63 |
SymGetModuleBase64 |
||
|
64 |
SymGetModulelnfo |
||
|
65 |
SymGetModuleInfo64 |
||
|
66 |
SymGetModulelnfo Ex |
||
|
67 |
SymGetModulelnfo Ex64 |
||
|
68 |
SymGetModulelnfoW |
||
|
69 |
SymGetModulelnfo W64 |
||
|
70 |
SymGetOptions |
||
|
71 |
SymGetSearchPath |
||
|
72 |
SymGetSymbolInfo |
||
|
73 |
SymGetSymbolInfo64 |
||
|
74 |
SymGetSymFromAddr |
||
|
75 |
SymGetSymFromAddr64 |
||
|
76 |
SymGetSymFromName |
||
|
77 |
SymGetSymFromName64 |
||
|
78 |
SymGetSymNext |
||
|
79 |
SymGetSymNext64 |
||
|
80 |
SymGetSymPrev |
||
|
81 |
SymGetSymPrev64 |
||
|
82 |
Symlnitialize |
||
|
83 |
SymLoadModule |
||
|
84 |
SymLoadModule64 |
||
|
85 |
SymMatchFileName |
||
|
86 |
SymEnumerateSymbolsW64 |
||
|
87 |
SymRegisterCallback |
||
|
88 |
SymRegisterCallback64 |
||
|
89 |
SymRegisterFunctionEntryCallback |
||
|
90 |
SymRegisterFunctionEntryCallback64 |
||
|
91 |
SymSetOptions |
||
|
92 |
SymSetSearchPath |
||
|
93 |
SymUnDName |
||
|
94 |
SymUnDName64 |
||
|
95 |
SymUnloadModule |
||
|
96 |
SymUnloadModule64 |
||
|
97 |
TouchFileTimes |
N/A |
|
|
98 |
UnDecorateSymbolName |
||
|
99 |
UnMapAndLoad |
N/A |
|
|
100 |
UnmapDebuglnformation |
||
|
101 |
UpdateDebuglnfoFile |
N/A |
|
|
102 |
UpdateDebuglnfoFileEx |
N/A |
|
|
103 |
WinDbgExtensionDllInit |
N/A |
在本节的示例代码中,我会演示如何使用psapi.dll和imagehlp.dll完成如下任务:
l 枚举所有内核组件和驱动程序
l 枚举系统当前管理的所有进程
l 枚举加载到进程地址空间的所有模块(modules)
l 枚举一个给定组件的所有符号(如果其符号文件可用的话)
psapi.dll的接口并不像其设计的那样好。它提供了最小的功能集,尽管它曾试图增加一些便利性。虽然,它能从内核获取一些信息但却扔掉了其中的大多数,只留下很少一部分。
由于psapi.dll和imagehlp.dll的函数并不是标准Win32 API的一部分,它们所需的头文件和导入库不会自动包括在Visual C/C++工程中。因此,列表1-2中列出的四个指示符(directives)应该在你的原文件中出现。第一部分是所需的头文件,剩余部分用于和这两个DLL中的导出函数建立动态链接。
#include <imagehlp.h>
#include <psapi.h>
#pragma comment (linker,”/defaultlib:imagehlp.dll”)
#pragma comment (linker,”/defaultlib:psapi.dll”)
列表1-2增加psapi.dll和imagehlp.dll到Visual C/C++工程
译注:
其实,也可以采用静态链接,如下:
#pragma comment(lib,”psapi.lib”)
#pragma comment(lib,”imagehlp.lib”)
这样,就不需要目标平台必须有这两个DLL了。
光盘中的示列代码
在本书的附带光盘中,有两个工程是构建与psapi.dll和imagehlp.dll之上。其中一个示例工程是w2k_sym.exe----一个Windows 2000符号浏览器,它可以从任意符号文件中提取符号名称(假如你已经安装了的话)。它输出的符号表可以按照名称、地址和大小来排序,同时接受一个采用通配符的过滤器。作为附送功能,w2k_sym.exe还可列出当前活动的系统模块/驱动程序的名称,运行的进程和每个进程加载的模块。另一个示例工程是调试支持库w2k_dbg.dll,这个库包含几个便于使用的针对psapi.dll和imagehlp.dll的外包函数。w2k_sym.exe完全依赖这个DLL。这些工程的源代码分别位于光盘的srcw2k_dbg和srcw2k_sym目录。
表1-2列出了w2k_dbg.dll用到的函数名称。A./W列表示对ANSI和Unicode的支持情况。稍早提示过,psapi.dll同时支持ANSI和Unicode。不幸的是,imagehlp.dll和dbghelp.dll没有这么聪明,其中几个函数只能接受ANSI字符串。这有些烦人,因为Windows 2000的调试程序通常不能运行在Windows 9x上,所以不该限制使用Unicode。若将imagehlp.dll假如你的工程中,你就必须选择是使用ANSI还是来回转化Unicode字符串。因为我很讨厌在一个可处理16位字符串的系统中使用8位的字符串,所以我选择后一种方法。w2k_dbg.dll导出的所有函数中涉及的字符串默认都是Unicode。所以,如果你在自己的Windows 2000工程中使用这个DLL不需要再关心字符大小问题。
另一方面,imagehlp.dll和dbghelp.dll有一个psapi.dll没有的特性:他们同样适用于Win64----让每个开发人员恐惧的64位Windows,这是因为没人知道将Win32程序移植到Win64有多困难。这些DLL导出了Win64 API函数,好吧----或许有一天我们会用到他们。
|
名称 |
A/W |
库 |
|
EnumDeviceDrivers |
psapi.dll |
|
|
EnumProcesses |
psapi.dll |
|
|
EnumProcessModules |
psapi.dll |
|
|
GetDeviceDriverFileName |
A/W |
psapi.dll |
|
GetModuleFileNameEx |
A/W |
psapi.dll |
|
GetModulelnformation |
psapi.dll |
|
|
ImageLoad |
A |
imagehlp.dll |
|
ImageUnload |
imagehlp.dll |
|
|
SymCleanup |
imagehlp.dll |
|
|
SymEnumerateSymbols |
A/W |
imagehlp.dll |
|
Symlnitialize |
A |
imagehlp.dll |
|
SymLoadModule |
A |
imagehlp.dll |
|
SymUnloadModule |
imagehlp.dll |
表1-2; w2k_dbg.dll使用的调试函数
我没有深入的探究psapi.dll和imagehlp.dll。本书的焦点在于未文档化的接口,而且在SDK中与这两个DLL的接口有关的文档还算不错。可是,我并不打算完全绕过它们,因为它们和Windows 2000 Native API(将在第2章讨论)紧密联系在一起。而且,psapi.dll是证明为什么未文档化的接口比文档化的那个更好的最佳实例。该DLL的接口不仅仅只是看上去的简单和笨拙---在某些地方它竟然会返回明显矛盾的数据。如果我不得不编写一个专业的调试工具来出售,我是不会指望这个DLL的。Windows 2000内核提供了强大、通用和更加合适的调试API函数。然而,这些几乎都没有文档化。幸运的是,微软提供的许多系统工具都广泛的使用了这些API,so it has undergone only slight changes across Windows NT versions。是的,如果你使用了这些API,每当发布了新版的NT,你就必须修订和小心的测试你的软件,但是它们带来的好处远大于这些障碍。
本章随后的大多数示例代码都来自w2k_dbg.dll,你可以在光盘的srcw2k_dbgw2k_dbg.c中发现它们。这个DLL封装了多个步骤,以返回更丰富的信息。数据会以合适的大小、链表(包括可选的索引值)返回,以便于对它们进行排序等操作。表1-3列出了w2k_dbg.dll导出的所有API函数。这些函数很多,详细讨论每个函数已经超出了本章的范围,因此我鼓励你去参考w2k_sym.exe的源代码(位于光盘srcw2k_symx),来学习它们的典型用法。
表1-3
| 函数名称 |
描 述 |
| dbgBaseDriver |
Return the base address and size of a driver, given its path |
| dbgBaseModule |
Return the base address and size of a DLL module |
| dbgCrc32Block |
Compute the CRC32 of a memory block |
| dbgCrc32Byte |
Bytewise computation of a CRC32 |
| dbgCrc32Start |
CRC32 preconditioning |
| dbgCrc32Stop |
CRC32 postconditioning |
| dbgDriverAdd |
Add a driver entry to a list of drivers |
| dbgDriverAddresses |
Return an array of driver addresses (EnumDeviceDrivers ( ) wrapper) |
| dbgDriverlndex |
Create an indexed (and optionally sorted) driver list |
| dbgDriverList |
Create a flat driver list |
| dbgFileClose |
Close a disk file |
| dbgFileLoad |
Load the contents of a disk file to a memory block |
| dbgFileNew |
Create a new disk file |
| dbgFileOpen |
Open an existing disk file |
| dbgFileRoot |
Get the offset of the root token in a file path |
| dbgFileSave |
Save a memory block to a disk file |
| dbgFileUnload |
Free a memory block created by dbgFileLoad ( ) |
| dbglndexCompare |
Compare two entrIEs referenced by an index (used by dbgindexsort ( ) ) |
| dbglndexCreate |
Create a pointer index on an object list |
| dbglndexCreateEx |
Create a sorted pointer index on an object list |
| dbglndexDestroy |
Free the memory used by an index and its associated list |
| dbglndexDestroyEx |
Free the memory used by a two-dimensional index and its associated lists |
| dbglndexList |
Create a flat copy of a list from its index |
| dbglndexListEx |
Create a flat copy of a two-dimensional list from its index |
| dbglndexReverse |
Reverse the order of the list entries referenced by an index |
| dbglndexSave |
Save the memory image of an indexed list to a disk file |
| dbglndexSaveEx |
Save the memory image of a two-dimensional indexed list to a disk file |
| dbglndexSort |
Sort the list entries referenced by an index by address, size, ID, or name |
| dbgListCreate |
Create an empty list |
| dbgListCreateEx |
Create an empty list with reserved space |
| dbgListDestroy |
Free the memory used by a list |
| dbgListFinish |
Terminate a sequentially built list and trim any unused memory |
| dbgListlndex |
Create a pointer index on an object list |
| dbgListLoad |
Create a list from a disk file image |
| dbgListNext |
Update the list header after adding an entry |
| dbgListResize |
Reserve memory for additional list entries |
| dbgListSave |
Save the memory image of a list to a disk file |
| dbgMemory |
Align Round up a byte count to the next 64-bit boundary |
| dbgMemoryAlignEx |
Round up a string character count to the next 64-bit boundary |
| dbgMemoryBase |
Query the internal base address of a heap memory block |
| dbgMemoryBaseEx |
Query the internal base address of an individually tagged heap memory block |
| dbgMemoryCreate |
Allocate a memory block from the heap |
| dbgMemoryCreateEx |
Allocate an individually tagged memory block from the heap |
| dbgMemoryDestroy |
Return a memory block to the heap |
| dbgMemoryDestroyEx |
Return an individually tagged memory block to the heap |
| dbgMemoryReset |
Reset the memory usage statistics |
| dbgMemoryResize |
Change the allocated size of a heap memory block |
| dbgMemoryResizeEx |
Change the allocated size of an individually tagged heap memory block |
| dbgMemoryStatus |
Query the memory usage statistics |
| dbgMemory |
Track Update the memory usage statistics |
| dbgModulelndex |
Create an indexed (and optionally sorted) process module sub-list |
| dbgModuleList |
Create a flat process module sub-list |
| dbgPathDriver |
Build a default driver path specification |
| dbgPathFile |
Get the offset of the file name token in a file path |
| dbgPrivilegeDebug |
Request the debug privilege for the calling process |
| dbgPrivilegeSet |
Request the specified privilege for the calling process |
| dbgProcessAdd |
Add a process entry to a list of processes |
| dbgProcessGuess |
Guess the default display name of an anonymous system process |
| dbgProcessIds |
Return an array of process IDs (EnumProcesses ( ) wrapper) |
| dbgProcessIndex |
Create an indexed (and optionally sorted) process list |
| dbgProcessIndexEx |
Create a two-dimensional indexed (and optionally sorted) process/module list |
| dbgProcessList |
Create a flat process list |
| dbgProcessModules |
Return a list of process module handles (EnumProcessModules ( )wrapper) |
| dbgSizeDivide |
Divide a byte count by a power of two, optionally rounding up or down |
| dbgSizeKB |
Convert bytes to KB, optionally rounding up or down |
| dbgSizeMB |
Convert bytes to MB, optionally rounding up or down |
| dbgStringAnsi |
Convert a Unicode string to ANSI |
| dbgStringDay |
Get the name of a day given a day-of-week number |
| dbgStringMatch |
Apply a wildcard filter to a string |
| dbgSymbolCallback |
Add a symbol entry to a list of symbols (called by SymEnumerateSymbols ( ) ) |
| dbgSymbolIndex |
Create an indexed (and optionally sorted) symbol list |
| dbgSymbolList |
Create a flat symbol list |
| dbgSymbolLoad |
Load a module's symbol table |
| dbgSymbolLookup |
Look up a symbol name and optional offset given a memory address |
| dbgSymbolUnload |
Unload a module's symbol table |
标签:
