windbg符号文件夹中像MD5的文件夹名如何生成？

元始天尊 发表于 2015-2-24 00:22:45

本帖最后由元始天尊于 2015-2-24 00:30 编辑

任务：找到windbg pdb符号对应文件夹名长串编码含义？
解决方法是用windbg调试windbg，下断点:
bp kernelbase!CreateFileA "da poi(esp+4);k;gc"
bp kernelbase!CreateFileW "du poi(esp+4);k;gc"
得到如下记录：
0938e15c"d:\symbol\cmd.pdb\A609EC1CBCFF43"
0938e19c"43AEFC312495558D832\cmd.pdb"
ChildEBP RetAddr
04d6a670 70af02cb KERNELBASE!CreateFileW
04d6a6ac 70af1a7e dbghelp!IStreamCRTFile::Create+0x8b
04d6a6d4 70af08c5 dbghelp!MSF_HB::internalOpen+0x2e
04d6a6f0 70ae8d47 dbghelp!MSF::Open+0x35
04d6a724 70ae90df dbghelp!PDB1::OpenEx2W+0xc7
04d6a74c 70af335f dbghelp!PDB::OpenEx2W+0x1f
04d6a770 70a91294 dbghelp!PDBCommon::Open2W+0x1f
04d6a794 70a3af14 dbghelp!CDiaDataSource::loadDataFromPdb+0x44
04d6abf8 70a56f4c dbghelp!diaGetPdb+0x1fc
04d6ae28 70a55bdd dbghelp!GetDebugData+0x230
04d6b2c8 70a55885 dbghelp!modload+0x285
04d6b2f4 70a4c177 dbghelp!LoadSymbols+0x355
04d6b328 70a4d44d dbghelp!ModLoop+0x86
04d6d2e4 70a50ef8 dbghelp!EnumSymbols+0xec
04d6d318 70d0fabf dbghelp!SymEnumSymbolsExW+0x59
04d6d480 70d0fbf7 dbgeng!EnumModuleTypedData+0xef
04d6e170 70d1024c dbgeng!EnumAllModuleTypedData+0xf4
04d6e3b8 70cca72b dbgeng!ParseExamine+0x504
04d6e428 70cca955 dbgeng!ProcessCommands+0x11c3
04d6e488 70c3cdd4 dbgeng!ProcessCommandsAndCatch+0x91
04d6e8f4 70c3cfc5 dbgeng!Execute+0x226
04d6e944 00dde653 dbgeng!DebugClient::ExecuteWide+0x8d
04d6ed08 00ddea93 windbg!ProcessCommand+0x145
04d6fd28 00de0275 windbg!ProcessEngineCommands+0xd1
04d6fd40 7567919f windbg!EngineLoop+0x390
04d6fd4c 77b0b5af KERNEL32!BaseThreadInitThunk+0xe
04d6fd94 77b0b57a ntdll!__RtlUserThreadStart+0x2f
04d6fda4 00000000 ntdll!_RtlUserThreadStart+0x1b

现在来被调试的windbg调试windows\syswow64\cmd.exe
由于有了pdb，分析过程变得极为容易，跟踪便可以知道modload中首次初始化路径cmd.pdb，而diaGetPdb中该地址最终变幻成d:\symbol\cmd.pdb\A609EC1CBCFF4343AEFC312495558D832\cmd.pdb现在就是要知道A609EC1CBCFF4343AEFC312495558D832从何而来，因此从diaGetPdb入手，跟踪后可以发现dbghelpb把内存中PE的PROCESS_ENTRY结构和文件名以及符号服务器等传给了symsrv.dll，symsrv!SymbolServerWEx完成返回完整路径的任务，这个任务包括：
TestParameters函数检测传入参数合法性
SymbolServerGetIndexStringW函数返回index，也就是这里的A609EC1CBCFF4343AEFC312495558D832
SymbolServerByIndexW根据index返回pdb完整路径
解析出SymbolServerByIndexW的参数：WCHAR *srv, WCHAR *pdbname, BYTE *indexdata, int dword1, int dword2, WCHAR *outpath,PDWORD unknown
解析出SymbolServerGetIndexStringW的参数：WCHAR* srv,WCHAR* pdbname(无路径),BYTE* index ,int dword1,int dword2,WCHAR* formatted,int len，发现index经过变换后即是结果，如wntdll.pdb：
传入：8365a747 c534bc47 a03e6293 a78c675f
结果：47A76583 34C547BC A03E6293 A78C675F2
现有任务变为2个：
1.传入index源自何处？这需要向上层调用寻找
2.末尾2如何计算？这需要分析SymbolServerGetIndexStringW

先来解决问题1：
逐层向上标记参数，symsrv_SymbolServerWEx —> CallSymbolServerGetFile -> symsrvGetFile -> HandleLocatePdbInSymSrvOrLocalStore
到这一层后发现参数只有类指针this，我们需要关注symsrvGetFile的对应参数indexdata,param1,param2，
indexdata位于this+27780处，dword1为*(DWORD*)(this+24624)，dword2为0，需要了解这些位置在什么地方进行了改动
在往上层进入了线程回调函数 GetPdbThreadProc，这里需要看看哪里调用的线程，并找到传递的参数之前在哪里改变的，到了DiaLocatePdbMultiThread
.text:6BB78C4F ; __int32 __stdcall DiaLocatePdbMultiThread(wchar_t *, struct _IMGHLP_DEBUG_DATA *, struct _GUID *, struct _GUID *, unsigned __int32, unsigned __int32, const unsigned __int16 *)
.text:6BB78C4F ?DiaLocatePdbMultiThread@@YGJPAU_MODULE_ENTRY@@PAU_IMGHLP_DEBUG_DATA@@PAGPAU_GUID@@KKPBG@Z proc near
.text:6BB78C4F                                     ; CODE XREF: diaGetPdb(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *)+1B9p
.text:6BB78C4F
.text:6BB78C4F indexdata    = dword ptr -0F14h
.text:6BB78C4F var_F04       = dword ptr -0F04h
.text:6BB78C4F Memory       = dword ptr -0F00h
.text:6BB78C4F var_EFC       = dword ptr -0EFCh
.text:6BB78C4F var_EF8       = dword ptr -0EF8h
.text:6BB78C4F var_EF4       = dword ptr -0EF4h
.text:6BB78C4F var_EF0       = dword ptr -0EF0h
.text:6BB78C4F var_EEC       = dword ptr -0EECh
.text:6BB78C4F var_EE8       = dword ptr -0EE8h
.text:6BB78C4F var_EE4       = dword ptr -0EE4h
.text:6BB78C4F ExitCode    = dword ptr -0EE0h
.text:6BB78C4F lpParameter3 = dword ptr -0EDCh
.text:6BB78C4F dword1__________= dword ptr -0ED8h
.text:6BB78C4F var_ED4       = dword ptr -0ED4h
.text:6BB78C4F var_ED0       = dword ptr -0ED0h
.text:6BB78C4F Src          = dword ptr -0ECCh
.text:6BB78C4F var_EC8       = dword ptr -0EC8h
.text:6BB78C4F lpParameter = dword ptr -0EC4h
.text:6BB78C4F var_EC0       = dword ptr -0EC0h
.text:6BB78C4F var_EBC       = dword ptr -0EBCh
.text:6BB78C4F var_EB6       = word ptr -0EB6h
.text:6BB78C4F var_EB4       = dword ptr -0EB4h
.text:6BB78C4F var_EB0       = dword ptr -0EB0h
.text:6BB78C4F var_EAC       = dword ptr -0EACh
.text:6BB78C4F var_E94       = byte ptr -0E94h
.text:6BB78C4F var_C7C       = word ptr -0C7Ch
.text:6BB78C4F var_A6C       = word ptr -0A6Ch
.text:6BB78C4F var_864       = word ptr -864h
.text:6BB78C4F var_654       = word ptr -654h
.text:6BB78C4F var_444       = word ptr -444h
.text:6BB78C4F var_234       = word ptr -234h
.text:6BB78C4F Dst          = byte ptr -232h
.text:6BB78C4F var_20       = word ptr -20h
.text:6BB78C4F var_4       = dword ptr -4
.text:6BB78C4F arg_0       = dword ptr8
.text:6BB78C4F arg_4       = dword ptr0Ch
.text:6BB78C4F arg_8       = dword ptr10h
.text:6BB78C4F arg_C       = dword ptr14h
.text:6BB78C4F arg_10       = dword ptr18h
.text:6BB78C4F
.text:6BB78C4F             push 0F08h
.text:6BB78C54             mov eax, offset sub_6BC594C5
.text:6BB78C59             call __EH_prolog3_GS
.text:6BB78C5E             mov ebx, edx
.text:6BB78C60             mov , ebx
.text:6BB78C66             mov , ecx
.text:6BB78C6C             mov eax,
.text:6BB78C6F             mov esi, 806D0005h
.text:6BB78C74             mov edi,
.text:6BB78C77             mov , eax
.text:6BB78C7D             xor eax, eax
.text:6BB78C7F             push 208h          ; Size
.text:6BB78C84             push eax          ; Val
.text:6BB78C85             mov , ax
.text:6BB78C8C             mov , eax
.text:6BB78C92             lea eax,
.text:6BB78C98             push eax          ; Dst
.text:6BB78C99             mov , edi
.text:6BB78C9F             mov , esi
.text:6BB78CA5             mov , esi
.text:6BB78CAB             call _memset
.text:6BB78CB0             xor eax, eax
.text:6BB78CB2             add esp, 0Ch
.text:6BB78CB5             mov , eax
.text:6BB78CBB             mov , eax
.text:6BB78CC1             mov , eax
.text:6BB78CC7             mov , eax
.text:6BB78CCD             mov , eax
.text:6BB78CD3             mov , eax
.text:6BB78CD6             mov , eax
.text:6BB78CDC             mov , eax
.text:6BB78CE2             mov , eax
.text:6BB78CE8             push 20Ah          ; Size
.text:6BB78CED             push eax          ; Val
.text:6BB78CEE             lea eax,
.text:6BB78CF4             mov byte ptr , 1
.text:6BB78CF8             push eax          ; Dst
.text:6BB78CF9             call _memset
.text:6BB78CFE             add esp, 0Ch
.text:6BB78D01             cmp , 0
.text:6BB78D05             jnz short loc_6BB78D42
.text:6BB78D07             lea ecx,
.text:6BB78D0A             mov edx, offset a_pdb_0 ; ".pdb"
.text:6BB78D0F             call ?extmatch@@YGHPBG0@Z ; extmatch(ushort const *,ushort const *)
.text:6BB78D14             test eax, eax
.text:6BB78D16             jnz short loc_6BB78D42
.text:6BB78D18             mov ecx,
.text:6BB78D1E             call ?ValidGuid@@YGHPAU_GUID@@@Z ; ValidGuid(_GUID *)
.text:6BB78D23             test eax, eax
.text:6BB78D25             jnz short loc_6BB78D42
.text:6BB78D27             test dword_6BC5FB18, 400h
.text:6BB78D31             jz    short loc_6BB78D42
.text:6BB78D33             mov dword_6BC5FB1C, 1
.text:6BB78D3D             lea eax,
.text:6BB78D40             jmp short loc_6BB78DAA
.text:6BB78D42 ; ---------------------------------------------------------------------------
.text:6BB78D42
.text:6BB78D42 loc_6BB78D42:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+B6j
.text:6BB78D42                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+C7j ...
.text:6BB78D42             xor eax, eax
.text:6BB78D44             cmp , eax
.text:6BB78D4A             jnz short loc_6BB78D51
.text:6BB78D4C             push 13h
.text:6BB78D4E             pop eax
.text:6BB78D4F             jmp short loc_6BB78DAA
.text:6BB78D51 ; ---------------------------------------------------------------------------
.text:6BB78D51
.text:6BB78D51 loc_6BB78D51:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+FBj
.text:6BB78D51             xor eax, eax
.text:6BB78D53             lea ecx,
.text:6BB78D56             mov edx, offset a_pdb_0 ; ".pdb"
.text:6BB78D5B             mov , ax
.text:6BB78D62             call ?extmatch@@YGHPBG0@Z ; extmatch(ushort const *,ushort const *)
.text:6BB78D67             test eax, eax
.text:6BB78D69             jz    short loc_6BB78DC4
.text:6BB78D6B             lea eax,
.text:6BB78D6E             push eax          ; unsigned __int32
.text:6BB78D6F             lea eax,
.text:6BB78D75             push 105h          ; SizeInWords
.text:6BB78D7A             push eax          ; Dst
.text:6BB78D7B             call _wcscpy_s
.text:6BB78D80             pop ecx
.text:6BB78D81             pop ecx
.text:6BB78D82             push ; struct _GUID *
.text:6BB78D85             lea edx,
.text:6BB78D8B             mov ecx, ebx
.text:6BB78D8D             push ; struct _GUID *
.text:6BB78D90             push ; struct _IMGHLP_DEBUG_DATA *
.text:6BB78D96             call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB78D9B             mov esi, eax
.text:6BB78D9D             test esi, esi
.text:6BB78D9F             jz    loc_6BB78FE4
.text:6BB78DA5
.text:6BB78DA5 loc_6BB78DA5:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+1C1j
.text:6BB78DA5             mov eax, 806D0005h
.text:6BB78DAA
.text:6BB78DAA loc_6BB78DAA:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+F1j
.text:6BB78DAA                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+100j
.text:6BB78DAA             xor ebx, ebx
.text:6BB78DAC             mov byte ptr , bl
.text:6BB78DAF             or    , 0FFFFFFFFh
.text:6BB78DB3             mov , ebx
.text:6BB78DB9             mov , ebx
.text:6BB78DBF             jmp loc_6BB79CBA
.text:6BB78DC4 ; ---------------------------------------------------------------------------
.text:6BB78DC4
.text:6BB78DC4 loc_6BB78DC4:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+11Aj
.text:6BB78DC4             mov eax,
.text:6BB78DCA             cmp dword ptr , 4
.text:6BB78DD1             jnz short loc_6BB78E41
.text:6BB78DD3             add eax, 55A8h
.text:6BB78DD8             xor ecx, ecx
.text:6BB78DDA             cmp , cx
.text:6BB78DDD             jz    short loc_6BB78E41
.text:6BB78DDF             push eax          ; unsigned __int32
.text:6BB78DE0             lea eax,
.text:6BB78DE6             push 105h          ; SizeInWords
.text:6BB78DEB             push eax          ; Dst
.text:6BB78DEC             call _wcscpy_s
.text:6BB78DF1             pop ecx
.text:6BB78DF2             pop ecx
.text:6BB78DF3             push ; struct _GUID *
.text:6BB78DF6             lea edx,
.text:6BB78DFC             mov ecx, ebx
.text:6BB78DFE             push ; struct _GUID *
.text:6BB78E01             push ; struct _IMGHLP_DEBUG_DATA *
.text:6BB78E07             call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB78E0C             mov esi, eax
.text:6BB78E0E             test esi, esi
.text:6BB78E10             jnz short loc_6BB78DA5
.text:6BB78E12             mov eax,
.text:6BB78E18             push 8
.text:6BB78E1A             pop ecx
.text:6BB78E1B             mov dword ptr , 2
.text:6BB78E25             mov , ecx
.text:6BB78E2B             mov eax,
.text:6BB78E31             test eax, eax
.text:6BB78E33             jz    loc_6BB79C1B
.text:6BB78E39             mov , ecx
.text:6BB78E3C             jmp loc_6BB79C1B
.text:6BB78E41 ; ---------------------------------------------------------------------------
.text:6BB78E41
.text:6BB78E41 loc_6BB78E41:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+182j
.text:6BB78E41                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+18Ej
.text:6BB78E41             xor eax, eax
.text:6BB78E43             lea edi,
.text:6BB78E49             stosd
.text:6BB78E4A             stosd
.text:6BB78E4B             stosd
.text:6BB78E4C             stosd
.text:6BB78E4D             mov eax,
.text:6BB78E53             cmp dword ptr , 3
.text:6BB78E57             jnz short loc_6BB78E73
.text:6BB78E59             cmp dword ptr , 14h
.text:6BB78E5D             jnz short loc_6BB78E73
.text:6BB78E5F             mov eax,
.text:6BB78E62             mov , eax
.text:6BB78E68             mov edx,
.text:6BB78E6B             mov , edx
.text:6BB78E71             jmp short loc_6BB78E82
.text:6BB78E73 ; ---------------------------------------------------------------------------
.text:6BB78E73
.text:6BB78E73 loc_6BB78E73:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+208j
.text:6BB78E73                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+20Ej
.text:6BB78E73             mov eax,
.text:6BB78E76             mov , eax
.text:6BB78E7C             mov eax,
.text:6BB78E82
.text:6BB78E82 loc_6BB78E82:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+222j
.text:6BB78E82             mov ecx,
.text:6BB78E85             test ecx, ecx
.text:6BB78E87             jz    short loc_6BB78E91
.text:6BB78E89             mov , ecx
.text:6BB78E8F             jmp short loc_6BB78EA7
.text:6BB78E91 ; ---------------------------------------------------------------------------
.text:6BB78E91
.text:6BB78E91 loc_6BB78E91:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+238j
.text:6BB78E91             test eax, eax
.text:6BB78E93             jz    short loc_6BB78EA7
.text:6BB78E95             mov esi, eax
.text:6BB78E97             lea edi,
.text:6BB78E9D             movsd
.text:6BB78E9E             movsd
.text:6BB78E9F             movsd
.text:6BB78EA0             movsd
.text:6BB78EA1             mov esi,
.text:6BB78EA7
.text:6BB78EA7 loc_6BB78EA7:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+240j
.text:6BB78EA7                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+244j
.text:6BB78EA7             mov edi,
.text:6BB78EAD             lea eax,
.text:6BB78EB3             push 101h          ; rsize_t
.text:6BB78EB8             push eax          ; wchar_t *
.text:6BB78EB9             push 105h          ; rsize_t
.text:6BB78EBE             lea eax,
.text:6BB78EC4             push eax          ; wchar_t *
.text:6BB78EC5             xor eax, eax
.text:6BB78EC7             push eax          ; rsize_t
.text:6BB78EC8             push eax          ; wchar_t *
.text:6BB78EC9             push eax          ; SizeInWords
.text:6BB78ECA             push eax          ; Dst
.text:6BB78ECB             push edi          ; Src
.text:6BB78ECC             call __wsplitpath_s_downlevel
.text:6BB78ED1             add esp, 24h
.text:6BB78ED4             lea eax,
.text:6BB78EDA             push offset a_pdb_0; ".pdb"
.text:6BB78EDF             push eax
.text:6BB78EE0             push offset aSS_3 ; "%s%s"
.text:6BB78EE5             lea eax,
.text:6BB78EEB             push 105h          ; SizeInWords
.text:6BB78EF0             push eax          ; Dst
.text:6BB78EF1             call _swprintf_s
.text:6BB78EF6             mov edx, dword_6BC5FB18
.text:6BB78EFC             add esp, 14h
.text:6BB78EFF             test edx, 8000000h
.text:6BB78F05             jz    loc_6BB790F2
.text:6BB78F0B             test edx, 200000h
.text:6BB78F11             jnz loc_6BB78FF9
.text:6BB78F17             xor ecx, ecx
.text:6BB78F19             cmp , ecx
.text:6BB78F1F             jz    loc_6BB78FF9
.text:6BB78F25             lea eax,
.text:6BB78F28             cmp , cx
.text:6BB78F2B             jz    loc_6BB78FF9
.text:6BB78F31             push ecx          ; rsize_t
.text:6BB78F32             push ecx          ; wchar_t *
.text:6BB78F33             push ecx          ; rsize_t
.text:6BB78F34             push ecx          ; wchar_t *
.text:6BB78F35             mov esi, 105h
.text:6BB78F3A             lea ecx,
.text:6BB78F40             push esi          ; rsize_t
.text:6BB78F41             push ecx          ; wchar_t *
.text:6BB78F42             push 6             ; SizeInWords
.text:6BB78F44             lea ecx,
.text:6BB78F47             push ecx          ; Dst
.text:6BB78F48             push eax          ; Src
.text:6BB78F49             call __wsplitpath_s_downlevel
.text:6BB78F4E             add esp, 24h
.text:6BB78F51             lea eax,
.text:6BB78F57             push eax
.text:6BB78F58             lea eax,
.text:6BB78F5E             push eax
.text:6BB78F5F             lea eax,
.text:6BB78F62             push eax
.text:6BB78F63             push offset aSSS ; "%s%s%s"
.text:6BB78F68             lea eax,
.text:6BB78F6E             push esi          ; SizeInWords
.text:6BB78F6F             push eax          ; Dst
.text:6BB78F70             call _swprintf_s
.text:6BB78F75             mov edx,
.text:6BB78F7B             lea eax,
.text:6BB78F81             mov ecx,
.text:6BB78F84             add esp, 18h
.text:6BB78F87             push 104h          ; unsigned __int16 *
.text:6BB78F8C             push edi          ; unsigned __int16 *
.text:6BB78F8D             push eax          ; void *
.text:6BB78F8E             xor eax, eax
.text:6BB78F90             push eax          ; unsigned __int16 *
.text:6BB78F91             call ?diaCopyFileToCache@@YGHPAGPAX000K@Z ; diaCopyFileToCache(ushort *,void *,ushort *,ushort *,ushort *,ulong)
.text:6BB78F96             test eax, eax
.text:6BB78F98             jz    short loc_6BB78FB5
.text:6BB78F9A             push edi          ; Src
.text:6BB78F9B             lea eax,
.text:6BB78FA1             push esi          ; SizeInWords
.text:6BB78FA2             push eax          ; Dst
.text:6BB78FA3             call _wcscpy_s
.text:6BB78FA8             add esp, 0Ch
.text:6BB78FAB             mov , 1
.text:6BB78FB5
.text:6BB78FB5 loc_6BB78FB5:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+349j
.text:6BB78FB5             push ecx          ; unsigned __int32
.text:6BB78FB6             push ; struct _GUID *
.text:6BB78FBC             lea edx,
.text:6BB78FC2             mov ecx, ebx
.text:6BB78FC4             push ; struct _GUID *
.text:6BB78FC7             push ; struct _IMGHLP_DEBUG_DATA *
.text:6BB78FCD             call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB78FD2             mov esi, eax
.text:6BB78FD4             mov , esi
.text:6BB78FDA             mov , esi
.text:6BB78FE0             test esi, esi
.text:6BB78FE2             jnz short loc_6BB78FF3
.text:6BB78FE4
.text:6BB78FE4 loc_6BB78FE4:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+150j
.text:6BB78FE4             mov dword ptr , 2
.text:6BB78FEE             jmp loc_6BB79C1B
.text:6BB78FF3 ; ---------------------------------------------------------------------------
.text:6BB78FF3
.text:6BB78FF3 loc_6BB78FF3:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+393j
.text:6BB78FF3             mov edx, dword_6BC5FB18
.text:6BB78FF9
.text:6BB78FF9 loc_6BB78FF9:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+2C2j
.text:6BB78FF9                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+2D0j ...
.text:6BB78FF9             mov ecx, edi
.text:6BB78FFB             lea eax,
.text:6BB79001
.text:6BB79001 loc_6BB79001:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3EBj
.text:6BB79001             mov bx,
.text:6BB79004             cmp bx,
.text:6BB79007             mov ebx,
.text:6BB7900D             jnz short loc_6BB79040
.text:6BB7900F             cmp word ptr , 0
.text:6BB79013             jz    short loc_6BB7903C
.text:6BB79015             mov si,
.text:6BB79019             cmp si,
.text:6BB7901D             mov , si
.text:6BB79024             mov esi,
.text:6BB7902A             jnz short loc_6BB79040
.text:6BB7902C             add eax, 4
.text:6BB7902F             add ecx, 4
.text:6BB79032             cmp , 0
.text:6BB7903A             jnz short loc_6BB79001
.text:6BB7903C
.text:6BB7903C loc_6BB7903C:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3C4j
.text:6BB7903C             xor eax, eax
.text:6BB7903E             jmp short loc_6BB79045
.text:6BB79040 ; ---------------------------------------------------------------------------
.text:6BB79040
.text:6BB79040 loc_6BB79040:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3BEj
.text:6BB79040                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3DBj
.text:6BB79040             sbb eax, eax
.text:6BB79042             or    eax, 1
.text:6BB79045
.text:6BB79045 loc_6BB79045:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3EFj
.text:6BB79045             test eax, eax
.text:6BB79047             jz    loc_6BB790EA
.text:6BB7904D             test dl, dl
.text:6BB7904F             js    loc_6BB790EA
.text:6BB79055             push edi          ; Src
.text:6BB79056             mov esi, 105h
.text:6BB7905B             lea eax,
.text:6BB79061             push esi          ; SizeInWords
.text:6BB79062             push eax          ; Dst
.text:6BB79063             call _wcscpy_s
.text:6BB79068             add esp, 0Ch
.text:6BB7906B             cmp , 0
.text:6BB79072             jnz short loc_6BB790B1
.text:6BB79074             mov edx,
.text:6BB7907A             lea eax,
.text:6BB79080             mov ecx,
.text:6BB79083             push 104h          ; unsigned __int16 *
.text:6BB79088             push edi          ; unsigned __int16 *
.text:6BB79089             push eax          ; void *
.text:6BB7908A             xor eax, eax
.text:6BB7908C             push eax          ; unsigned __int16 *
.text:6BB7908D             call ?diaCopyFileToCache@@YGHPAGPAX000K@Z ; diaCopyFileToCache(ushort *,void *,ushort *,ushort *,ushort *,ulong)
.text:6BB79092             test eax, eax
.text:6BB79094             jz    short loc_6BB790B1
.text:6BB79096             push edi          ; Src
.text:6BB79097             lea eax,
.text:6BB7909D             push esi          ; SizeInWords
.text:6BB7909E             push eax          ; Dst
.text:6BB7909F             call _wcscpy_s
.text:6BB790A4             add esp, 0Ch
.text:6BB790A7             mov , 1
.text:6BB790B1
.text:6BB790B1 loc_6BB790B1:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+423j
.text:6BB790B1                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+445j
.text:6BB790B1             push ecx          ; unsigned __int32
.text:6BB790B2             push ; struct _GUID *
.text:6BB790B8             lea edx,
.text:6BB790BE             mov ecx, ebx
.text:6BB790C0             push ; struct _GUID *
.text:6BB790C3             push ; struct _IMGHLP_DEBUG_DATA *
.text:6BB790C9             call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB790CE             mov esi, eax
.text:6BB790D0             mov , esi
.text:6BB790D6             mov , esi
.text:6BB790DC             test esi, esi
.text:6BB790DE             jnz short loc_6BB790F2
.text:6BB790E0             mov dword ptr , 5
.text:6BB790EA
.text:6BB790EA loc_6BB790EA:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3F8j
.text:6BB790EA                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+400j
.text:6BB790EA             test esi, esi
.text:6BB790EC             jz    loc_6BB79C1B
.text:6BB790F2
.text:6BB790F2 loc_6BB790F2:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+2B6j
.text:6BB790F2                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+48Fj
.text:6BB790F2             mov edi,
.text:6BB790F5             jmp loc_6BB791DE
.text:6BB790FA ; ---------------------------------------------------------------------------
.text:6BB790FA
.text:6BB790FA loc_6BB790FA:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+591j
.text:6BB790FA             push ecx          ; unsigned __int16 *
.text:6BB790FB             lea edx,
.text:6BB79101             mov , edi
.text:6BB79107             mov ecx, edi
.text:6BB79109             call ?TokenFromSymbolPath@@YGPAGPBGPAGH@Z ; TokenFromSymbolPath(ushort const *,ushort *,int)
.text:6BB7910E             cmp , 0
.text:6BB79116             mov edi, eax
.text:6BB79118             jz    loc_6BB791DE
.text:6BB7911E             test dword_6BC5FB18, 10000000h
.text:6BB79128             jnz short loc_6BB7914A
.text:6BB7912A             mov eax,
.text:6BB79130             lea edx,
.text:6BB79136             mov ecx,
.text:6BB79139             add eax, 1Eh
.text:6BB7913C             push eax          ; struct _PROCESS_ENTRY *
.text:6BB7913D             call ?CheckTheModuleByPath@@YGHPAU_PROCESS_ENTRY@@PAG1@Z ; CheckTheModuleByPath(_PROCESS_ENTRY *,ushort *,ushort *)
.text:6BB79142             test eax, eax
.text:6BB79144             jnz loc_6BB791DE
.text:6BB7914A
.text:6BB7914A loc_6BB7914A:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+4D9j
.text:6BB7914A             push offset ?nothrow@std@@3Unothrow_t@1@B ; struct std::nothrow_t *
.text:6BB7914F             push 20Ah          ; unsigned int
.text:6BB79154             call ??_U@YAPAXIABUnothrow_t@std@@@Z ; operator new[](uint,std::nothrow_t const &)
.text:6BB79159             mov esi, eax
.text:6BB7915B             mov , esi
.text:6BB79161             pop ecx
.text:6BB79162             pop ecx
.text:6BB79163             test esi, esi
.text:6BB79165             jz    loc_6BB79254
.text:6BB7916B             push 20Ah          ; Size
.text:6BB79170             xor eax, eax
.text:6BB79172             push eax          ; Val
.text:6BB79173             push esi          ; Dst
.text:6BB79174             call _memset
.text:6BB79179             lea ecx,
.text:6BB7917F             add esp, 0Ch
.text:6BB79182             lea edx,
.text:6BB79185
.text:6BB79185 loc_6BB79185:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+543j
.text:6BB79185             mov ax,
.text:6BB79188             add ecx, 2
.text:6BB7918B             cmp ax, word ptr
.text:6BB79192             jnz short loc_6BB79185
.text:6BB79194             sub ecx, edx
.text:6BB79196             sar ecx, 1
.text:6BB79198             cmp ecx, 104h
.text:6BB7919E             ja    short loc_6BB7921A
.text:6BB791A0             push 105h          ; int
.text:6BB791A5             lea edx, ; Src
.text:6BB791AB             mov ecx, esi    ; Dst
.text:6BB791AD             call _CopyNStringW@16 ; CopyNStringW(x,x,x,x)
.text:6BB791B2             lea eax,
.text:6BB791B8             push eax
.text:6BB791B9             lea ecx,
.text:6BB791BF             call ?Add@?$CSimpleArray@PAG@ATL@@QAEHAAPAG@Z ; ATL::CSimpleArray<ushort *>::Add(ushort * &)
.text:6BB791C4             test eax, eax
.text:6BB791C6             jz    short loc_6BB791FB
.text:6BB791C8             lea eax,
.text:6BB791CE             push eax
.text:6BB791CF             lea ecx,
.text:6BB791D5             call ?Add@?$CSimpleArray@PAG@ATL@@QAEHAAPAG@Z ; ATL::CSimpleArray<ushort *>::Add(ushort * &)
.text:6BB791DA             test eax, eax
.text:6BB791DC             jz    short loc_6BB791EB
.text:6BB791DE
.text:6BB791DE loc_6BB791DE:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+4A6j
.text:6BB791DE                                     ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+4C9j ...
.text:6BB791DE             test edi, edi
.text:6BB791E0             jnz loc_6BB790FA
.text:6BB791E6             jmp loc_6BB7927D
.text:6BB791EB ; ---------------------------------------------------------------------------
.text:6BB791EB
.text:6BB791EB loc_6BB791EB:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+58Dj
.text:6BB791EB             call ?spew@@YGHXZ ; spew(void)
.text:6BB791F0             test eax, eax
.text:6BB791F2             jz    short loc_6BB7926C
.text:6BB791F4             push offset aWarningCanno_0 ; "Warning: Cannot add the previous path t"...
.text:6BB791F9             jmp short loc_6BB79262
.text:6BB791FB ; ---------------------------------------------------------------------------
.text:6BB791FB
.text:6BB791FB loc_6BB791FB:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+577j
.text:6BB791FB             call ?spew@@YGHXZ ; spew(void)
.text:6BB79200             test eax, eax
.text:6BB79202             jz    short loc_6BB79213
.text:6BB79204             push offset aWarningCannotA ; "Warning: Cannot add the path token to t"...
.text:6BB79209             push dword ptr ; struct _PROCESS_ENTRY *
.text:6BB7920C             call ?_pwprint@@YAHPAU_PROCESS_ENTRY@@PBGZZ ; _pwprint(_PROCESS_ENTRY *,ushort const *,...)
.text:6BB79211             pop ecx
.text:6BB79212             pop ecx
.text:6BB79213
.text:6BB79213 loc_6BB79213:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+5B3j
.text:6BB79213             mov eax, 806D0003h
.text:6BB79218             jmp short loc_6BB7923F
.text:6BB7921A ; ---------------------------------------------------------------------------
.text:6BB7921A
.text:6BB7921A loc_6BB7921A:                         ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+54Fj
.text:6BB7921A             call ?spew@@YGHXZ ; spew(void)
.text:6BB7921F             test eax, eax
.text:6BB79221             jz    short loc_6BB7923A
.text:6BB79223             lea eax,
.text:6BB79229             push eax
.text:6BB7922A             push offset aErrorInvalidPa ; "Error: Invalid Path length: %s.\n"
.text:6BB7922F             push dword ptr ; struct _PROCESS_ENTRY *
.text:6BB79232             call ?_pwprint@@YAHPAU_PROCESS_ENTRY@@PBGZZ ; _pwprint(_PROCESS_ENTRY *,ushort const *,...)
.text:6BB79237             add esp, 0Ch
.......................
.伪代码：
v17 = *(this + 4052);
if ( *(v17 + 4) != 3 || *(v17 + 12) != 20 )
{
dword1__________ = param6;//GUID*
v18 = param4;
}
else
{
v18 = *(v17 + 8);
dword1__________ = *(v18 + 4);
}
if ( param5 )//GUID*
{
indexdata = param5;
}
else if ( v18 )
{
indexdata = *v18;//param+2180
}
再向上层看，diaGetPdb中，param4=this+2180 param5=*(this+2172) param6=*(this+2168)
RetrievePdbInfo
this+2180 => thisb+4
this+2172 => 0
this+2168 => thisb+20
thisb=*(DWORD*)(this+3252)

需要知道this+3252何时写入：
.text:6BB971C1 ; int __fastcall ReadHeader(int thisc, unsigned __int32 a2)
.text:6BB971C1 ?ReadHeader@@YGHPAU_IMGHLP_DEBUG_DATA@@K@Z proc near
.text:6BB971C1                                     ; CODE XREF: imgReadLoaded(_IMGHLP_DEBUG_DATA *)+A8p
.text:6BB971C1                                     ; imgReadLoaded(_IMGHLP_DEBUG_DATA *)+C2p ...
.text:6BB971C1
.text:6BB971C1 var_390       = dword ptr -390h
.text:6BB971C1 var_38C       = dword ptr -38Ch
.text:6BB971C1 var_388       = dword ptr -388h
.text:6BB971C1 var_384       = dword ptr -384h
.text:6BB971C1 var_380       = dword ptr -380h
.text:6BB971C1 var_37C       = qword ptr -37Ch
.text:6BB971C1 var_374       = dword ptr -374h
.text:6BB971C1 var_370       = qword ptr -370h
.text:6BB971C1 var_368       = dword ptr -368h
.text:6BB971C1 var_364       = dword ptr -364h
.text:6BB971C1 var_360       = dword ptr -360h
.text:6BB971C1 Buf1          = dword ptr -35Ch
.text:6BB971C1 lpMem       = dword ptr -358h
.text:6BB971C1 var_354       = dword ptr -354h
.text:6BB971C1 var_350       = dword ptr -350h
.text:6BB971C1 var_34C       = dword ptr -34Ch
.text:6BB971C1 var_348       = dword ptr -348h
.text:6BB971C1 var_33C       = dword ptr -33Ch
.text:6BB971C1 dwBytes       = dword ptr -338h
.text:6BB971C1 var_334       = qword ptr -334h
.text:6BB971C1 var_32C       = qword ptr -32Ch
.text:6BB971C1 var_314       = word ptr -314h
.text:6BB971C1 var_2FC       = dword ptr -2FCh
.text:6BB971C1 var_2F8       = dword ptr -2F8h
.text:6BB971C1 var_2F4       = dword ptr -2F4h
.text:6BB971C1 var_2DC       = dword ptr -2DCh
.text:6BB971C1 var_2D4       = dword ptr -2D4h
.text:6BB971C1 var_2A4       = byte ptr -2A4h
.text:6BB971C1 var_224       = qword ptr -224h
.text:6BB971C1 var_214       = byte ptr -214h
.text:6BB971C1 var_1E0       = dword ptr -1E0h
.text:6BB971C1 var_1DC       = qword ptr -1DCh
.text:6BB971C1 var_1C8       = word ptr -1C8h
.text:6BB971C1 var_1C4       = word ptr -1C4h
.text:6BB971C1 var_1A8       = dword ptr -1A8h
.text:6BB971C1 var_1A4       = dword ptr -1A4h
.text:6BB971C1 var_18C       = dword ptr -18Ch
.text:6BB971C1 var_184       = dword ptr -184h
.text:6BB971C1 var_164       = byte ptr -164h
.text:6BB971C1 var_E4       = qword ptr -0E4h
.text:6BB971C1 var_D4       = word ptr -0D4h
.text:6BB971C1 var_D0       = byte ptr -0D0h
.text:6BB971C1 Dst          = word ptr -94h
.text:6BB971C1 var_58       = qword ptr -58h
.text:6BB971C1 var_50       = qword ptr -50h
.text:6BB971C1 var_48       = dword ptr -48h
.text:6BB971C1 var_44       = dword ptr -44h
.text:6BB971C1 var_40       = dword ptr -40h
.text:6BB971C1 var_3C       = dword ptr -3Ch
.text:6BB971C1 var_38       = dword ptr -38h
.text:6BB971C1 var_34       = dword ptr -34h
.text:6BB971C1 var_30       = dword ptr -30h
.text:6BB971C1 var_2C       = dword ptr -2Ch
.text:6BB971C1 ms_exc       = CPPEH_RECORD ptr -18h
.text:6BB971C1
.text:6BB971C1             push 380h
.text:6BB971C6             push offset off_6BC5B448
.text:6BB971CB             call __SEH_prolog4_GS
.text:6BB971D0             mov ebx, edx
.text:6BB971D2             mov esi, ecx
.text:6BB971D4             xor eax, eax
.text:6BB971D6             mov , ax
.text:6BB971DD             push 3Eh          ; Size
.text:6BB971DF             xor edi, edi
.text:6BB971E1             push edi          ; Val
.text:6BB971E2             lea eax,
.text:6BB971E8             push eax          ; Dst
.text:6BB971E9             call _memset
.text:6BB971EE             mov dword ptr , edi
.text:6BB971F4             push 0F4h          ; Size
.text:6BB971F9             push edi          ; Val
.text:6BB971FA             lea eax,
.text:6BB97200             push eax          ; Dst
.text:6BB97201             call _memset
.text:6BB97206             add esp, 18h
.text:6BB97209             mov eax, edi
.text:6BB9720B             mov , eax
.text:6BB97211             mov , edi
.text:6BB97217             mov dword ptr , edi
.text:6BB9721D             mov , edi
.text:6BB97223             mov , eax
.text:6BB97229             mov eax, ebx
.text:6BB9722B             dec eax
.text:6BB9722C             jz    loc_6BB972D5
.text:6BB97232             dec eax
.text:6BB97233             jz    short loc_6BB97280
.text:6BB97235             dec eax
.text:6BB97236             jz    short loc_6BB9723F
.text:6BB97238
.text:6BB97238 loc_6BB97238:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+186j
.text:6BB97238             xor eax, eax
.text:6BB9723A             jmp loc_6BB97D4F
.text:6BB9723F ; ---------------------------------------------------------------------------
.text:6BB9723F
.text:6BB9723F loc_6BB9723F:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+75j
.text:6BB9723F             mov , edi
.text:6BB97245             mov ecx,
.text:6BB9724B             call ?MapItRO@@YGPAXPAX@Z ; MapItRO(void *)
.text:6BB97250             mov , eax
.text:6BB97256             cdq
.text:6BB97257             mov edi, eax
.text:6BB97259             mov , edi
.text:6BB9725F             mov , edx
.text:6BB97265             xor eax, eax
.text:6BB97267             push eax          ; lpFileSizeHigh
.text:6BB97268             push dword ptr ; hFile
.text:6BB9726E             call ds:__imp__GetFileSize@8 ; GetFileSize(x,x)
.text:6BB97274             mov dword ptr , 3
.text:6BB9727E             jmp short loc_6BB972BF
.text:6BB97280 ; ---------------------------------------------------------------------------
.text:6BB97280
.text:6BB97280 loc_6BB97280:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+72j
.text:6BB97280             mov , edi
.text:6BB97286             mov ecx,
.text:6BB9728C             call ?MapItRO@@YGPAXPAX@Z ; MapItRO(void *)
.text:6BB97291             mov , eax
.text:6BB97297             cdq
.text:6BB97298             mov edi, eax
.text:6BB9729A             mov , eax
.text:6BB972A0             mov , edx
.text:6BB972A6             xor eax, eax
.text:6BB972A8             push eax          ; lpFileSizeHigh
.text:6BB972A9             push dword ptr ; hFile
.text:6BB972AF             call ds:__imp__GetFileSize@8 ; GetFileSize(x,x)
.text:6BB972B5             mov dword ptr , 2
.text:6BB972BF
.text:6BB972BF loc_6BB972BF:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+BDj
.text:6BB972BF             mov dword ptr , eax
.text:6BB972C5             mov eax,
.text:6BB972CB             mov ecx,
.text:6BB972D1             xor edx, edx
.text:6BB972D3             jmp short loc_6BB97305
.text:6BB972D5 ; ---------------------------------------------------------------------------
.text:6BB972D5
.text:6BB972D5 loc_6BB972D5:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+6Bj
.text:6BB972D5             mov eax,
.text:6BB972DB             mov , eax
.text:6BB972E1             mov edi,
.text:6BB972E4             mov , edi
.text:6BB972EA             mov ecx,
.text:6BB972ED             mov , ecx
.text:6BB972F3             xor edx, edx
.text:6BB972F5             mov dword ptr , edx
.text:6BB972FB             mov dword ptr , 5
.text:6BB97305
.text:6BB97305 loc_6BB97305:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+112j
.text:6BB97305             mov , edx
.text:6BB9730B             mov , edx
.text:6BB97311             mov , edx
.text:6BB97317             xor edx, edx
.text:6BB97319             mov , edx
.text:6BB9731C             push 2
.text:6BB9731E             lea edx,
.text:6BB97324             push edx          ; unsigned __int64
.text:6BB97325             xor edx, edx
.text:6BB97327             push edx
.text:6BB97328             push edx          ; unsigned __int64
.text:6BB97329             push ecx          ; void *
.text:6BB9732A             push edi          ; struct _IMGHLP_DEBUG_DATA *
.text:6BB9732B             mov edx, eax
.text:6BB9732D             call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB97332             test eax, eax
.text:6BB97334             jnz short loc_6BB9734C
.text:6BB97336
.text:6BB97336 loc_6BB97336:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+3FBj
.text:6BB97336                                     ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+427j ...
.text:6BB97336             mov dword_6BC5FB1C, 6
.text:6BB97340
.text:6BB97340 loc_6BB97340:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1C1j
.text:6BB97340                                     ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1EDj ...
.text:6BB97340             mov , 0FFFFFFFEh
.text:6BB97347             jmp loc_6BB97238
.text:6BB9734C ; ---------------------------------------------------------------------------
.text:6BB9734C
.text:6BB9734C loc_6BB9734C:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+173j
.text:6BB9734C             mov , ebx
.text:6BB97352             mov eax, 4944h
.text:6BB97357             mov edx,
.text:6BB9735D             cmp word ptr , ax
.text:6BB97364             jnz loc_6BB9758F
.text:6BB9736A             push 30h
.text:6BB9736C             lea eax,
.text:6BB9736F             push eax          ; unsigned __int64
.text:6BB97370             xor eax, eax
.text:6BB97372             push eax
.text:6BB97373             push eax          ; unsigned __int64
.text:6BB97374             push ; void *
.text:6BB9737A             push edi          ; struct _IMGHLP_DEBUG_DATA *
.text:6BB9737B             call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB97380             test eax, eax
.text:6BB97382             jz    short loc_6BB97340
.text:6BB97384             mov eax, 14Ch
.text:6BB97389             mov cx, word ptr
.text:6BB9738D             cmp cx, ax
.text:6BB97390             jz    short loc_6BB973B0
.text:6BB97392             add eax, 38h
.text:6BB97395             cmp cx, ax
.text:6BB97398             jz    short loc_6BB973B0
.text:6BB9739A             push dword ptr ; lpBaseAddress
.text:6BB973A0             call ds:__imp__UnmapViewOfFile@4 ; UnmapViewOfFile(x)
.text:6BB973A6             xor eax, eax
.text:6BB973A8             mov , eax
.text:6BB973AE             jmp short loc_6BB97340
.text:6BB973B0 ; ---------------------------------------------------------------------------
.text:6BB973B0
.text:6BB973B0 loc_6BB973B0:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1CFj
.text:6BB973B0                                     ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1D7j
.text:6BB973B0             mov eax,
.text:6BB973B3             mov , eax
.text:6BB973B9             mov eax,
.text:6BB973BC             mov , eax
.text:6BB973BF             mov , cx
.text:6BB973C3             mov eax,
.text:6BB973C6             mov , eax
.text:6BB973C9             movzx eax, word ptr
.text:6BB973CD             mov , eax
.text:6BB973D0             mov eax,
.text:6BB973D3             or    eax,
.text:6BB973D6             jnz short loc_6BB973E5
.text:6BB973D8             mov eax,
.text:6BB973DB             mov , eax
.text:6BB973DE             xor eax, eax
.text:6BB973E0             mov , eax
.text:6BB973E3             jmp short loc_6BB973E7
.text:6BB973E5 ; ---------------------------------------------------------------------------
.text:6BB973E5
.text:6BB973E5 loc_6BB973E5:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+215j
.text:6BB973E5             xor eax, eax
.text:6BB973E7
.text:6BB973E7 loc_6BB973E7:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+222j
.text:6BB973E7             cmp , eax
.text:6BB973EA             jnz short loc_6BB973F2
.text:6BB973EC             mov eax,
.text:6BB973EF             mov , eax
.text:6BB973F2
.text:6BB973F2 loc_6BB973F2:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+229j
.text:6BB973F2             mov eax,
.text:6BB973F5             mov , eax
.text:6BB973FB             imul eax, 28h
.text:6BB973FE             mov dword ptr , eax
.text:6BB97404             mov ecx, eax    ; dwBytes
.text:6BB97406             call _pMemAlloc@4 ; pMemAlloc(x)
.text:6BB9740B             mov edi, eax
.text:6BB9740D             mov , edi
.text:6BB97413             test edi, edi
.text:6BB97415             jz    loc_6BB9749E
.text:6BB9741B             push dword ptr
.text:6BB97421             push edi          ; unsigned __int64
.text:6BB97422             xor eax, eax
.text:6BB97424             push eax
.text:6BB97425             push 30h          ; unsigned __int64
.text:6BB97427             push ; void *
.text:6BB9742D             push ; struct _IMGHLP_DEBUG_DATA *
.text:6BB97433             mov edx,
.text:6BB97439             call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB9743E             test eax, eax
.text:6BB97440             jz    short loc_6BB9749E
.text:6BB97442             push ecx
.text:6BB97443             push
.text:6BB97449             push edi
.text:6BB9744A             lea ecx,
.text:6BB97450             call ?Assign@?$ImageHelpPointerWrapper@U_IMAGE_SECTION_HEADER@@@@QAEXPAXK_N@Z ; ImageHelpPointerWrapper<_IMAGE_SECTION_HEADER>::Assign(void *,ulong,bool)
.text:6BB97455             mov , edi
.text:6BB9745B             mov eax,
.text:6BB97461             mov , eax
.text:6BB97467             mov eax,
.text:6BB9746A             test eax, eax
.text:6BB9746C             jz    short loc_6BB9749E
.text:6BB9746E             xor edx, edx
.text:6BB97470             push 1Ch
.text:6BB97472             pop ecx
.text:6BB97473             div ecx
.text:6BB97475             mov , eax
.text:6BB9747B             mov , eax
.text:6BB97481             imul edx, , 28h
.text:6BB97485             mov eax,
.text:6BB97488             add edx, 30h
.text:6BB9748B             add eax, edx
.text:6BB9748D             mov , eax
.text:6BB97493             mov , eax
.text:6BB97499             xor edi, edi
.text:6BB9749B             inc edi
.text:6BB9749C             jmp short loc_6BB974A7
.text:6BB9749E ; ---------------------------------------------------------------------------
.text:6BB9749E
.text:6BB9749E loc_6BB9749E:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+254j
.text:6BB9749E                                     ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+27Fj ...
.text:6BB9749E             xor edi, edi
.text:6BB974A0             inc edi
.text:6BB974A1
.text:6BB974A1 loc_6BB974A1:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+6E3j
.text:6BB974A1                                     ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+712j ...
.text:6BB974A1             mov eax,
.text:6BB974A7
.text:6BB974A7 loc_6BB974A7:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+2DBj
.text:6BB974A7             mov ecx,
.text:6BB974AD
.text:6BB974AD loc_6BB974AD:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+7E0j
.text:6BB974AD             push 1Ch
.text:6BB974AF             pop edx
.text:6BB974B0             mov , edi
.text:6BB974B6             cmp ebx, 2
.text:6BB974B9             jnz short loc_6BB974C7
.text:6BB974BB             mov , eax
.text:6BB974C1             mov , ecx
.text:6BB974C7
.text:6BB974C7 loc_6BB974C7:                         ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+2F8j
.text:6BB974C7                                     ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+B75j
.text:6BB974C7             test ecx, ecx
.text:6BB974C9             jz    loc_6BB97D42
.text:6BB974CF             push edx
.text:6BB974D0             lea ecx,
.text:6BB974D6             push ecx          ; unsigned __int64
.text:6BB974D7             xor ecx, ecx
.text:6BB974D9             push ecx
.text:6BB974DA             push eax          ; unsigned __int64
.text:6BB974DB             push ; void *
.text:6BB974E1             push ; struct _IMGHLP_DEBUG_DATA *
.text:6BB974E7             mov edx,
.text:6BB974ED             call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB974F2             test eax, eax
.text:6BB974F4             jz    loc_6BB97340
.text:6BB974FA             cmp , 0
.text:6BB97501             jz    loc_6BB97D0C
.text:6BB97507             xor eax, eax
.text:6BB97509             push eax          ; unsigned __int32
.text:6BB9750A             push ebx          ; struct _MODULE_DATA *
.text:6BB9750B             mov edx,
.text:6BB97511             mov ecx,
.text:6BB97517             call ?imgset@@YGKPAU_MODULE_DATA@@KKK@Z ; imgset(_MODULE_DATA *,ulong,ulong,ulong)
.text:6BB9751C             mov eax,
.text:6BB97522             dec eax
.text:6BB97523             jz    loc_6BB97C0E
.text:6BB97529             dec eax
.text:6BB9752A             jz    loc_6BB97B58
.text:6BB97530             dec eax
.text:6BB97531             dec eax
.text:6BB97532             jnz loc_6BB97C48
.text:6BB97538             mov ecx, dword ptr
.text:6BB9753E             cmp ecx, dword ptr
.text:6BB97544             jnb loc_6BB97B3E
.text:6BB9754A             mov edx,
.text:6BB97550             cmp , edi
.text:6BB97553             jnz loc_6BB97C4E
.text:6BB97559             cmp ebx, 3
.text:6BB9755C             jnz loc_6BB97AF0
.text:6BB97562             lea eax,
.text:6BB97568             xor edx, edx
.text:6BB9756A             cmp , dx
.text:6BB9756D             mov edx,
.text:6BB97573             jnz loc_6BB97C4E
.text:6BB97579             push 105h          ; cchWideChar
.text:6BB9757E             add edx, 0Ch
.text:6BB97581             add ecx, edx
.text:6BB97583             mov edx, eax
.text:6BB97585             call ?ansi2wcs@@YGHPBDPAGK@Z ; ansi2wcs(char const *,ushort *,ulong)
.text:6BB9758A             jmp loc_6BB97C48
.text:6BB9758F ; ---------------------------------------------------------------------------
.text:6BB9758F
............................
.

分析结果如下：
int __fastcall ReadHeader(int thisc, unsigned __int32 a2)
{
unsigned __int32 v2; // ebx@1
int v3; // esi@1
QWORD v5; // rax@5
struct _IMGHLP_DEBUG_DATA *pebegin2; // edi@5
DWORD filesize; // eax@5
BYTE *v8; // eax@6
void *v9; // eax@7
void *v10; // ecx@7
unsigned __int64 v11; // ST10_8@9
unsigned __int64 v12; // ST10_8@13
__int16 v13; // cx@14
LPVOID v14; // eax@21
int v15; // edi@21
int v16; // ecx@22
int v17; // edx@24
int v18; // eax@24
char v19; // di@24
int v20; // ecx@27
unsigned __int64 v21; // ST10_8@31
struct _IMGHLP_DEBUG_DATA *v22; // edx@37
unsigned __int64 v23; // ST10_8@42
unsigned __int64 v24; // ST10_8@43
signed int PESIG; // edx@44
int v26; // eax@45
LPVOID v27; // ecx@45
unsigned __int64 v28; // ST10_8@47
unsigned __int64 v29; // ST10_8@50
unsigned __int64 v30; // ST10_8@61
int imagesize; // eax@65
void *v32; // eax@74
LPVOID sectiondata; // eax@74
int v34; // ecx@75
BYTE *v35; // ecx@76
int v36; // ecx@76
const void *secheader; // eax@76
unsigned __int32 v38; // edx@83
unsigned __int64 v39; // ST10_8@84
unsigned __int32 v40; // eax@85
unsigned __int64 v41; // ST10_8@88
LPVOID v42; // eax@98
int v43; // edx@116
unsigned __int32 v44; // @116
void *v45; // @0
void *v46; // @9
unsigned __int32 v47; // @13
void *v48; // @42
unsigned __int32 v49; // @43
void *v50; // @83
struct _IMAGE_SECTION_HEADER *v51; // @85
unsigned int v52; // @0
unsigned int v53; // @9
unsigned __int32 v54; // @13
unsigned int v55; // @42
unsigned __int32 v56; // @43
unsigned int v57; // @83
struct _IMAGE_DATA_DIRECTORY *v58; // @85
int v59; // @76
int filesize2; // @74
unsigned __int32 filesize2a; // @87
DWORD filesize2_4; // @7
BYTE *exportpos; // @1
unsigned __int64 v64; // @1
int v65; // @9
BYTE *v66; // @1
unsigned int v67; // @1
void *sectiondata_1; // @21
LPVOID lpMem; // @1
void *v70; // @5
int v71; // @5
struct _IMGHLP_DEBUG_DATA *pebegin; // @5
BYTE v73; // @31
BYTE v74; // @61
unsigned __int64 v75; // @88
char v76; // @89
int v77; // @88
BYTE v78; // @1
unsigned __int16 v79; // @50
BYTE Dst; // @1
unsigned __int64 v81; // @13
int v82; // @17
int v83; // @17
int v84; // @18
int v85; // @20
void *v86; // @21
int v87; // @24
unsigned int v88; // @23
int v89; // @17
CPPEH_RECORD ms_exc; // @9

v2 = a2;
v3 = thisc;
*Dst = 0;
memset(&Dst, 0, 0x3Eu);
*v78 = 0;
memset(&v78, 0, 0xF4u);
lpMem = 0;
v66 = 0;
HIDWORD(v64) = 0;
exportpos = 0;
v67 = 0;
if ( v2 == 1 )
{
v9 = *(v3 + 3412);
v71 = *(v3 + 3412);
pebegin2 = *(v3 + 16);
pebegin = *(v3 + 16);
v10 = *(v3 + 20);
v70 = *(v3 + 20);
filesize2_4 = 0;
*(v3 + 3248) = 5;
}
else
{
if ( v2 == 2 )
{
   v71 = 0;
   v8 = MapItRO(*(v3 + 1096), 0);
   *(v3 + 1104) = v8;
   pebegin2 = v8;
   v70 = (v8 >> 32);
   pebegin = v8;
   filesize = GetFileSize(*(v3 + 1096), 0);
   *(v3 + 3248) = 2;
}
else
{
   if ( v2 != 3 )
   return 0;
   v71 = 0;
   LODWORD(v5) = MapItRO(*(v3 + 2156), 0);
   *(v3 + 2160) = v5;
   pebegin2 = v5;
   v70 = (v5 >> 32);
   pebegin = v5;
   filesize = GetFileSize(*(v3 + 2156), 0);
   *(v3 + 3248) = 3;
}
filesize2_4 = filesize;
v9 = v71;
v10 = v70;
}
*(v3 + 4024) = 0;
v65 = 0;
ms_exc.registration.TryLevel = 0;
HIDWORD(v11) = 2;
LODWORD(v11) = &v64;
if ( !ReadImageData(v9, pebegin2, v10, 0i64, v11, v45, v52) )// 读取2个字节
goto LABEL_10;
*(v3 + 3240) = v2;
if ( v64 != 'ID' )
{
if ( v64 == 'ZM' )                      // 如果是MZ头
{
   HIDWORD(v23) = 64;
   LODWORD(v23) = Dst;
   if ( !ReadImageData(v71, pebegin2, v70, 0i64, v23, v46, v53) )// 读取64字节以取得PE头所在位置
   goto LABEL_10;
   HIDWORD(v24) = 248;
   LODWORD(v24) = v78;
   if ( !ReadImageData(v71, pebegin2, v70, *&Dst, v24, v48, v55) )// 读取248字节到v93
   goto LABEL_10;
   PESIG = *v78;
   if ( *v78 != 'EP' )                   // 如果是PE头
   {
   v66 = &v78;
   v26 = *&v78 + 24 + *&Dst;
   v27 = &v78;
LABEL_55:
   HIDWORD(v64) = v26;
   goto LABEL_56;
   }
}
else
{
   if ( v64 != 0x14C )
   {
   HIDWORD(v29) = 76;
   LODWORD(v29) = v79;
   if ( !ReadImageData(v71, pebegin2, v70, 0i64, v29, v46, v53) )
      goto LABEL_10;
   if ( v79 != 332 && v79 != 388 && v79 != 644 )
      goto LABEL_11;
   v27 = &v79;
   v66 = v79;
   v26 = v79 + 20;
   PESIG = *v78;
   goto LABEL_55;
   }
   HIDWORD(v28) = 244;
   LODWORD(v28) = &v78;
   if ( !ReadImageData(v71, pebegin2, v70, 0i64, v28, v46, v53) )
   goto LABEL_11;
   PESIG = 'ROM ';
   *v78 = 'ROM ';
}
v27 = lpMem;
LABEL_56:
if ( v27 )
{
   if ( *v27 != 0x107 )
   {
   *(v3 + 4592) = 11;
   goto LABEL_11;
   }
   v19 = 1;
   *(v3 + 3400) = 1;
   *(v3 + 1108) = *v27;
   *(v3 + 24) = *(v27 + 5);
   *(v3 + 28) = 0;
   *(v3 + 32) = *(v27 + 1);
   *(v3 + 36) = 0;
   goto LABEL_74;
}
if ( *&v78 != 0x20B )                // IMAGE_OPTIONAL_HEADER32.MAGIC=PE64
{
   v66 = &v78;
   exportpos = &v78;                // 导出表位置
   *(v3 + 1108) = *&v78;
   if ( PESIG == 'ROM ' )
   HIDWORD(v64) = 244;
   else
   HIDWORD(v64) = *&Dst + 248;       // 第一个节位置
   v19 = 1;
   if ( v2 == 2 || v2 == 1 )
   {
   *(v3 + 24) = *&v78;
   *(v3 + 28) = 0;
   *(v3 + 3392) = *&v78;
   *(v3 + 36) = *&v78;
   }
   imagesize = *&v78;
   goto LABEL_73;
}
HIDWORD(v30) = 264;
LODWORD(v30) = v74;
if ( ReadImageData(v71, pebegin2, v70, *&Dst, v30, v49, v56) )
{
   v66 = &v74;
   exportpos = &v74;
   HIDWORD(v64) = *&Dst + 264;
   *(v3 + 1108) = *&v74;
   v19 = 1;
   *(v3 + 3396) = 1;
   if ( v2 == 2 || v2 == 1 )
   {
   *(v3 + 24) = *&v74;
   *(v3 + 28) = *&v74;
   *(v3 + 3392) = *&v74;
   *(v3 + 36) = *&v74;
   }
   imagesize = *&v74;
LABEL_73:
   *(v3 + 32) = imagesize;
LABEL_74:
   imgset(100, *(v3 + 4036), v2, v2, v49, v56);
   v32 = *(v66 + 1);                      // 得到节个数
   lpMem = v32;
   filesize2 = 40 * v32;
   sectiondata = pMemAlloc(40 * v32);
   sectiondata_1 = sectiondata;
   if ( sectiondata && ReadImageData(v71, pebegin, v70, HIDWORD(v64), __PAIR__(filesize2, sectiondata), v47, v54) )// 读取所有节数据
   {
   ImageHelpPointerWrapper<_IMAGE_SECTION_HEADER>::Assign((v3 + 3352), sectiondata_1, lpMem, v34);
   *(v3 + 3340) = sectiondata_1;
   *(v3 + 3380) = lpMem;
   v35 = v66;
   *(v3 + 48) = *v66;
   *(v3 + 40) = *(v35 + 1);
   *(v3 + 44) = *(v35 + 9);
   imgset(101, *(v3 + 4036), v2, v2, v47, v54);
   v36 = 0;
   v59 = 0;
   secheader = sectiondata_1;
   while ( v36 < lpMem )
   {
      if ( *(v3 + 3400) && !(*(v66 + 9) & 0x200) )
      {
         if ( !memcmp(secheader, ".rdata", 7u) )// 遇到.rdata不再读取节信息
         {
         v20 = 1;
         v67 = 1;
         v18 = *(sectiondata_1 + 3);
         v65 = *(sectiondata_1 + 3);
         goto LABEL_28;
         }
         secheader = sectiondata_1;
      }
      v38 = SectionContains(secheader, v71, exportpos, v47, v54);// 计算导出表在文件中的位置
      if ( v38 )
      {
         *(v3 + 3944) = v2;
         *(v3 + 4048) = *(exportpos + 1);
         *(v3 + 4040) = *exportpos;
         *(v3 + 4044) = 0;
         HIDWORD(v39) = 40;
         LODWORD(v39) = v3 + 3984;
         ReadImageData(v71, pebegin, v70, v38, v39, v50, v57);// 读40字节
      }
      v40 = SectionContains(sectiondata_1, v71, exportpos + 12, v50, v57);// 计算调试信息在文件中的位置
      if ( v40 )
      {
         v65 = v40;                      // v65=调试信息偏移
         v67 = *(exportpos + 13) / 28u;    // 调试信息个数
      }
      filesize2a = SectionContains(sectiondata_1, v71, exportpos + 28, v51, v58);// 计算CLR信息在文件中的位置
      if ( filesize2a )
      {
         memset(&v75, 0, 0x48u);
         HIDWORD(v41) = 72;
         LODWORD(v41) = &v75;
         ReadImageData(v71, pebegin, v70, filesize2a, v41, v47, v54);
         if ( v77 || v76 & 1 )
         *(v3 + 4648) = 1;
      }
      v36 = v59++ + 1;
      secheader = sectiondata_1 + 40;    // 取下一个section头
      sectiondata_1 = sectiondata_1 + 40;
   }
   }
   goto LABEL_26;
}
LABEL_10:
dword_6BC5FB1C = 6;
LABEL_11:
ms_exc.registration.TryLevel = -2;
return 0;
}
HIDWORD(v12) = 48;
LODWORD(v12) = &v81;
if ( !ReadImageData(v71, pebegin2, v70, 0i64, v12, v46, v53) )
goto LABEL_11;
v13 = WORD2(v81);
if ( WORD2(v81) != 332 && WORD2(v81) != 388 )
{
UnmapViewOfFile(*(v3 + 2160));
*(v3 + 2160) = 0;
goto LABEL_11;
}
*(v3 + 3392) = v89;
*(v3 + 36) = v83;
*(v3 + 48) = v13;
*(v3 + 40) = v82;
*(v3 + 44) = WORD3(v81);
if ( !*(v3 + 24) )
{
*(v3 + 24) = v84;
*(v3 + 28) = 0;
}
if ( !*(v3 + 32) )
*(v3 + 32) = v85;
lpMem = v86;
HIDWORD(v64) = 40 * v86;
v14 = pMemAlloc(40 * v86);
v15 = v14;
sectiondata_1 = v14;
if ( v14 )
{
if ( ReadImageData(v71, pebegin, v70, 0x30ui64, __PAIR__(HIDWORD(v64), v14), v47, v54) )
{
   ImageHelpPointerWrapper<_IMAGE_SECTION_HEADER>::Assign((v3 + 3352), v15, lpMem, v16);
   *(v3 + 3344) = v15;
   *(v3 + 3384) = lpMem;
   if ( v88 )
   {
   v67 = v88 / 0x1C;
   v17 = 40 * v86 + 48;
   v18 = v17 + v87;
   v65 = v17 + v87;
   v19 = 1;
   goto LABEL_27;
   }
}
}
v19 = 1;
LABEL_26:
v18 = v65;
LABEL_27:
v20 = v67;
LABEL_28:
if ( v2 == 2 )
{
*(v3 + 3364) = v18;
*(v3 + 3368) = v20;
}
while ( v20 )
{
HIDWORD(v21) = 28;
LODWORD(v21) = v73;
if ( !ReadImageData(v71, pebegin, v70, v18, v21, v47, v54) )// 逐个读取调试信息
   goto LABEL_11;
if ( *&v73 )                         // IMAGE_DEBUG_DIRECTORY.SizeOfData
{
   imgset(*&v73, *(v3 + 4036), v2, 0, v47, v54);
   if ( *&v73 == 1 )
   {
   if ( *&v73 < filesize2_4 )
   {
      ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3264), (pebegin + *&v73), *&v73, v19);
      *(v3 + 3948) = v2;
      goto LABEL_95;
   }
   *(v3 + 4024) = 1;
   }
   else
   {
   if ( *&v73 == 2 )
   {
      if ( v71 )
      {
         if ( !*&v73 )
         goto LABEL_11;
         v42 = pMemAlloc(*&v73);
         lpMem = v42;
         if ( !v42 )
         goto LABEL_108;
         if ( !ReadImageData(v71, pebegin, v70, *&v73, __PAIR__(*&v73, v42), v47, v54) )
         {
         pMemFree(lpMem);
         goto LABEL_11;
         }
         ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 0xCB4), lpMem, *&v73, 0);
      }
      else
      {
         if ( *&v73 >= filesize2_4 ) // IMAGE_OPTIONAL_HEADER.PointerToRawData 此处就是我们要的数据了
         goto LABEL_108;
         ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 0xCB4), (pebegin + *&v73), *&v73, 1);
      }
      *(v3 + 3952) = v2;
      RetrievePdbInfo(v3, v3);
      goto LABEL_95;
   }
   if ( *&v73 != 4 )
      goto LABEL_108;
   if ( *&v73 < filesize2_4 )
   {
      v22 = pebegin;
      if ( *(pebegin + *&v73) != 1 )
         goto LABEL_109;
      if ( v2 == 3 )
      {
         v22 = pebegin;
         if ( !*(v3 + 572) )
         {
         ansi2wcs(0x105, v47, v54);
         goto LABEL_108;
         }
LABEL_109:
         if ( *&v73 >= filesize2_4 )
         goto LABEL_120;
         if ( *&v73 != 3 )
         {
         if ( *&v73 == 5 )
         {
            *(v3 + 3972) = v2;
            v44 = v2;
            v43 = 5;
         }
         else
         {
            if ( *&v73 == 7 )
            {
               ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3316), (v22 + *&v73), *&v73 >> 3, v19);
               *(v3 + 3964) = v2;
            }
            else
            {
               if ( *&v73 != 8 )
               goto LABEL_120;
               ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3328), (v22 + *&v73), *&v73 >> 3, v19);
               *(v3 + 3968) = v2;
            }
LABEL_118:
            v44 = v2;
            v43 = *&v73;
         }
         imgset(v43, *(v3 + 4036), 0, v44, v47, v54);
         goto LABEL_120;
         }
         ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3280), (v22 + *&v73), *&v73 >> 4, v19);
         *(v3 + 3960) = v2;
         goto LABEL_118;
      }
      if ( *(v66 + 9) & 0x200 )
      {
         ansi2wcs(0x105, v47, v54);
         *(v3 + 2164) = *&v73;
      }
      else
      {
         ansi2wcs(0x105, v47, v54);
      }
   }
LABEL_95:
   imgset(*&v73, *(v3 + 4036), 0, v2, v47, v54);
   }
LABEL_108:
   v22 = pebegin;
   goto LABEL_109;
}
LABEL_120:
v18 = v65 + 28;
v65 += 28;
v20 = v67-- - 1;
}
return 1;
}

可以看到dbghelp!ReadHeader读取文件，解析PE格式，然后提取其中的debug区信息，标志RSDS后存放的GUID即为我们要找的数据
0293cbd452 53 44 53 83 65 a7 47-c5 34 bc 47 a0 3e 62 93RSDS.e.G.4.G.>b.
0293cbe4a7 8c 67 5f 02 00 00 00-77 6e 74 64 6c 6c 2e 70..g_....wntdll.p
0293cbf464 62 00 00 00 00 00 00-00 00 00 00 f6 c1 03 75db.............u
0293cc040d 39 71 0c 75 08 8b 41-04 3b 46 08 74 4d 83 26.9q.u..A.;F.tM.&
0293cc1400 83 66 04 00 eb 42 90-90 90 90 90 8b ff 55 8b..f...B.......U.
0293cc24ec 51 53 8b 5d 08 57 8b-7d 0c 3b 7b 10 0f 87 02.QS.].W.}.;{....
0293cc3401 00 00 8b 43 0c 56 8d-73 20 3b c7 73 0e 83 c6....C.V.s ;.s...
0293cc4410 03 c0 eb f5 90 90 90-90 90 90 90 8b ce e8 99................

解决任务2的重点在于SymbolServerGetIndexStringW，
来看他的内部调用:
CatStrID 将前面BYTE* index经过一定变换转换成字符串
CatStrDWORD 将前面int dword1添加到字符串结尾
CatStrDWORD 将前面int dword2添加到字符串结尾

CatStrID中实现大概是这样：
switch(gptype)
{
case 2:
CatStrDWORD(buf,id);
break;
case 4:
CatStrDWORD(buf,*(DWORD*)id);
break;
case 8:
CatStrGUID(buf,id);//我们用到的case
break;
case 0x10:
CatStrOldGUID(buf,id);
break;
case 0x400000:
wcscpy_s(buf,id);
}

CatStrDWORD中实现大概是这样：
if(dwordn)
{
sprintf(buf,"%s%d",index,dwordn);
}

http://blog.163.com/hanyinlong@126/blog/static/99751486201363111524114/
剩下的懒得写了，现在大家知道windbg怎样查符号了吧！

元始天尊 发表于 2015-2-24 00:32:10

参考资料http://blog.163.com/hanyinlong@126/blog/static/99751486201363111524114/

0x01810 发表于 2015-2-24 08:39:01

学习了~~

页: [1]

技术宅的结界's Archiver

windbg符号文件夹中像MD5的文件夹名如何生成？