任务:弄清 windbg 符号缓存中 pdb 所在子目录名(那一长串十六进制,例如 cmd.pdb\A609EC1CBCFF4343AEFC312495558D832)是按什么规则编码出来的。
方法:用一个 windbg 去调试另一个 windbg,在 kernelbase 的文件打开 API 上下条件断点,打印出第一个参数(x86 stdcall,函数入口处位于 esp+4)和调用栈后继续运行:
bp kernelbase!CreateFileA "da poi(esp+4);k;gc"
bp kernelbase!CreateFileW "du poi(esp+4);k;gc"
得到如下记录:
0938e15c "d:\symbol\cmd.pdb\A609EC1CBCFF43"
0938e19c "43AEFC312495558D832\cmd.pdb"
ChildEBP RetAddr
04d6a670 70af02cb KERNELBASE!CreateFileW
04d6a6ac 70af1a7e dbghelp!IStreamCRTFile::Create+0x8b
04d6a6d4 70af08c5 dbghelp!MSF_HB::internalOpen+0x2e
04d6a6f0 70ae8d47 dbghelp!MSF::Open+0x35
04d6a724 70ae90df dbghelp!PDB1::OpenEx2W+0xc7
04d6a74c 70af335f dbghelp!PDB::OpenEx2W+0x1f
04d6a770 70a91294 dbghelp!PDBCommon::Open2W+0x1f
04d6a794 70a3af14 dbghelp!CDiaDataSource::loadDataFromPdb+0x44
04d6abf8 70a56f4c dbghelp!diaGetPdb+0x1fc
04d6ae28 70a55bdd dbghelp!GetDebugData+0x230
04d6b2c8 70a55885 dbghelp!modload+0x285
04d6b2f4 70a4c177 dbghelp!LoadSymbols+0x355
04d6b328 70a4d44d dbghelp!ModLoop+0x86
04d6d2e4 70a50ef8 dbghelp!EnumSymbols+0xec
04d6d318 70d0fabf dbghelp!SymEnumSymbolsExW+0x59
04d6d480 70d0fbf7 dbgeng!EnumModuleTypedData+0xef
04d6e170 70d1024c dbgeng!EnumAllModuleTypedData+0xf4
04d6e3b8 70cca72b dbgeng!ParseExamine+0x504
04d6e428 70cca955 dbgeng!ProcessCommands+0x11c3
04d6e488 70c3cdd4 dbgeng!ProcessCommandsAndCatch+0x91
04d6e8f4 70c3cfc5 dbgeng!Execute+0x226
04d6e944 00dde653 dbgeng!DebugClient::ExecuteWide+0x8d
04d6ed08 00ddea93 windbg!ProcessCommand+0x145
04d6fd28 00de0275 windbg!ProcessEngineCommands+0xd1
04d6fd40 7567919f windbg!EngineLoop+0x390
04d6fd4c 77b0b5af KERNEL32!BaseThreadInitThunk+0xe
04d6fd94 77b0b57a ntdll!__RtlUserThreadStart+0x2f
04d6fda4 00000000 ntdll!_RtlUserThreadStart+0x1b
然后在被调试的那个 windbg 里加载 windows\syswow64\cmd.exe(32 位 cmd),触发符号加载,得到上面这条记录。
有了 dbghelp 自己的 pdb 之后分析容易得多:跟踪可知 modload 中先把路径初始化为 cmd.pdb,到 diaGetPdb 里这个路径最终变成 d:\symbol\cmd.pdb\A609EC1CBCFF4343AEFC312495558D832\cmd.pdb。现在要搞清 A609EC1CBCFF4343AEFC312495558D832 从何而来,因此从 diaGetPdb 入手。跟踪后发现 dbghelp 把内存中 PE 对应的 PROCESS_ENTRY 结构、pdb 文件名以及符号服务器路径等传给了 symsrv.dll,由 symsrv!SymbolServerWEx 负责返回完整路径。需要注意的是,这里的文件名以及后面用到的索引数据都是从被调试映像自身的头部读出来的(见后文 RetrievePdbInfo / ReadHeader),因此对一个不可信的样本而言,拼出来的本地路径和发往符号服务器的请求内容实际上都由样本控制。这个任务包括:
TestParameters函数检测传入参数合法性
SymbolServerGetIndexStringW函数返回index,也就是这里的A609EC1CBCFF4343AEFC312495558D832
SymbolServerByIndexW根据index返回pdb完整路径
解析出SymbolServerByIndexW的参数:WCHAR *srv, WCHAR *pdbname, BYTE *indexdata, int dword1, int dword2, WCHAR *outpath,PDWORD unknown
解析出SymbolServerGetIndexStringW的参数:WCHAR* srv,WCHAR* pdbname(无路径),BYTE* index ,int dword1,int dword2,WCHAR* formatted,int len,发现index经过变换后即是结果。对比传入与结果可以看出变换规律:前 4 字节整体倒序,接着两组 2 字节各自倒序,最后 8 字节原样——这正是把 16 字节按 GUID 的 Data1/Data2/Data3(小端整数)+ Data4(字节序列)格式打印出来。如wntdll.pdb:
传入:8365a747 c534bc47 a03e6293 a78c675f
结果:47A76583 34C547BC A03E6293 A78C675F2
现有任务变为2个:
1.传入index源自何处?这需要向上层调用寻找
2.末尾的 2 如何得到?这需要分析 SymbolServerGetIndexStringW(从参数表看,紧跟在 16 字节 index 之后传入的 dword1 是最直接的候选)
先来解决问题1:
逐层向上追踪参数:symsrv!SymbolServerWEx -> CallSymbolServerGetFile -> symsrvGetFile -> HandleLocatePdbInSymSrvOrLocalStore
到这一层参数只剩一个对象指针 this,我们关注的是它传给 symsrvGetFile 的 indexdata、dword1、dword2 这三个参数:
indexdata 位于 this+27780 处,dword1 为 *(DWORD*)(this+24624),dword2 为 0。接下来需要知道这些位置是在哪里被写入的。
再往上层,进入线程回调函数 GetPdbThreadProc;需要找到是谁创建了这个线程、线程参数在传入之前又是在哪里被填充的,最终追到 DiaLocatePdbMultiThread:
.text:6BB78C4F ; __int32 __stdcall DiaLocatePdbMultiThread(wchar_t *, struct _IMGHLP_DEBUG_DATA *, struct _GUID *, struct _GUID *, unsigned __int32, unsigned __int32, const unsigned __int16 *)
.text:6BB78C4F ?DiaLocatePdbMultiThread@@YGJPAU_MODULE_ENTRY@@PAU_IMGHLP_DEBUG_DATA@@PAGPAU_GUID@@KKPBG@Z proc near
.text:6BB78C4F ; CODE XREF: diaGetPdb(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *)+1B9p
.text:6BB78C4F
.text:6BB78C4F indexdata = dword ptr -0F14h
.text:6BB78C4F var_F04 = dword ptr -0F04h
.text:6BB78C4F Memory = dword ptr -0F00h
.text:6BB78C4F var_EFC = dword ptr -0EFCh
.text:6BB78C4F var_EF8 = dword ptr -0EF8h
.text:6BB78C4F var_EF4 = dword ptr -0EF4h
.text:6BB78C4F var_EF0 = dword ptr -0EF0h
.text:6BB78C4F var_EEC = dword ptr -0EECh
.text:6BB78C4F var_EE8 = dword ptr -0EE8h
.text:6BB78C4F var_EE4 = dword ptr -0EE4h
.text:6BB78C4F ExitCode = dword ptr -0EE0h
.text:6BB78C4F lpParameter3 = dword ptr -0EDCh
.text:6BB78C4F dword1__________= dword ptr -0ED8h
.text:6BB78C4F var_ED4 = dword ptr -0ED4h
.text:6BB78C4F var_ED0 = dword ptr -0ED0h
.text:6BB78C4F Src = dword ptr -0ECCh
.text:6BB78C4F var_EC8 = dword ptr -0EC8h
.text:6BB78C4F lpParameter = dword ptr -0EC4h
.text:6BB78C4F var_EC0 = dword ptr -0EC0h
.text:6BB78C4F var_EBC = dword ptr -0EBCh
.text:6BB78C4F var_EB6 = word ptr -0EB6h
.text:6BB78C4F var_EB4 = dword ptr -0EB4h
.text:6BB78C4F var_EB0 = dword ptr -0EB0h
.text:6BB78C4F var_EAC = dword ptr -0EACh
.text:6BB78C4F var_E94 = byte ptr -0E94h
.text:6BB78C4F var_C7C = word ptr -0C7Ch
.text:6BB78C4F var_A6C = word ptr -0A6Ch
.text:6BB78C4F var_864 = word ptr -864h
.text:6BB78C4F var_654 = word ptr -654h
.text:6BB78C4F var_444 = word ptr -444h
.text:6BB78C4F var_234 = word ptr -234h
.text:6BB78C4F Dst = byte ptr -232h
.text:6BB78C4F var_20 = word ptr -20h
.text:6BB78C4F var_4 = dword ptr -4
.text:6BB78C4F arg_0 = dword ptr 8
.text:6BB78C4F arg_4 = dword ptr 0Ch
.text:6BB78C4F arg_8 = dword ptr 10h
.text:6BB78C4F arg_C = dword ptr 14h
.text:6BB78C4F arg_10 = dword ptr 18h
.text:6BB78C4F
.text:6BB78C4F push 0F08h
.text:6BB78C54 mov eax, offset sub_6BC594C5
.text:6BB78C59 call __EH_prolog3_GS
.text:6BB78C5E mov ebx, edx
.text:6BB78C60 mov [ebp+var_F04], ebx
.text:6BB78C66 mov [ebp+var_EBC], ecx
.text:6BB78C6C mov eax, [ebp+arg_4]
.text:6BB78C6F mov esi, 806D0005h
.text:6BB78C74 mov edi, [ebp+arg_0]
.text:6BB78C77 mov [ebp+var_EC0], eax
.text:6BB78C7D xor eax, eax
.text:6BB78C7F push 208h ; Size
.text:6BB78C84 push eax ; Val
.text:6BB78C85 mov [ebp+var_234], ax
.text:6BB78C8C mov [ebp+var_EF0], eax
.text:6BB78C92 lea eax, [ebp+Dst]
.text:6BB78C98 push eax ; Dst
.text:6BB78C99 mov [ebp+Src], edi
.text:6BB78C9F mov [ebp+var_EB0], esi
.text:6BB78CA5 mov [ebp+var_EB4], esi
.text:6BB78CAB call _memset
.text:6BB78CB0 xor eax, eax
.text:6BB78CB2 add esp, 0Ch
.text:6BB78CB5 mov [ebp+var_EE8], eax
.text:6BB78CBB mov [ebp+var_EC8], eax
.text:6BB78CC1 mov [ebp+var_ED0], eax
.text:6BB78CC7 mov [ebp+var_EEC], eax
.text:6BB78CCD mov [ebp+var_EE4], eax
.text:6BB78CD3 mov [ebp+var_4], eax
.text:6BB78CD6 mov [ebp+Memory], eax
.text:6BB78CDC mov [ebp+var_EFC], eax
.text:6BB78CE2 mov [ebp+var_EF8], eax
.text:6BB78CE8 push 20Ah ; Size
.text:6BB78CED push eax ; Val
.text:6BB78CEE lea eax, [ebp+var_E94]
.text:6BB78CF4 mov byte ptr [ebp+var_4], 1
.text:6BB78CF8 push eax ; Dst
.text:6BB78CF9 call _memset
.text:6BB78CFE add esp, 0Ch
.text:6BB78D01 cmp [ebp+arg_8], 0
.text:6BB78D05 jnz short loc_6BB78D42
.text:6BB78D07 lea ecx, [ebx+32h]
.text:6BB78D0A mov edx, offset a_pdb_0 ; ".pdb"
.text:6BB78D0F call ?extmatch@@YGHPBG0@Z ; extmatch(ushort const *,ushort const *)
.text:6BB78D14 test eax, eax
.text:6BB78D16 jnz short loc_6BB78D42
.text:6BB78D18 mov ecx, [ebp+var_EC0]
.text:6BB78D1E call ?ValidGuid@@YGHPAU_GUID@@@Z ; ValidGuid(_GUID *)
.text:6BB78D23 test eax, eax
.text:6BB78D25 jnz short loc_6BB78D42
.text:6BB78D27 test dword_6BC5FB18, 400h
.text:6BB78D31 jz short loc_6BB78D42
.text:6BB78D33 mov dword_6BC5FB1C, 1
.text:6BB78D3D lea eax, [esi+1]
.text:6BB78D40 jmp short loc_6BB78DAA
.text:6BB78D42 ; ---------------------------------------------------------------------------
.text:6BB78D42
.text:6BB78D42 loc_6BB78D42: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+B6j
.text:6BB78D42 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+C7j ...
.text:6BB78D42 xor eax, eax
.text:6BB78D44 cmp [ebx+0FBCh], eax
.text:6BB78D4A jnz short loc_6BB78D51
.text:6BB78D4C push 13h
.text:6BB78D4E pop eax
.text:6BB78D4F jmp short loc_6BB78DAA
.text:6BB78D51 ; ---------------------------------------------------------------------------
.text:6BB78D51
.text:6BB78D51 loc_6BB78D51: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+FBj
.text:6BB78D51 xor eax, eax
.text:6BB78D53 lea ecx, [ebx+32h]
.text:6BB78D56 mov edx, offset a_pdb_0 ; ".pdb"
.text:6BB78D5B mov [ebp+var_C7C], ax
.text:6BB78D62 call ?extmatch@@YGHPBG0@Z ; extmatch(ushort const *,ushort const *)
.text:6BB78D67 test eax, eax
.text:6BB78D69 jz short loc_6BB78DC4
.text:6BB78D6B lea eax, [ebx+32h]
.text:6BB78D6E push eax ; unsigned __int32
.text:6BB78D6F lea eax, [ebp+var_234]
.text:6BB78D75 push 105h ; SizeInWords
.text:6BB78D7A push eax ; Dst
.text:6BB78D7B call _wcscpy_s
.text:6BB78D80 pop ecx
.text:6BB78D81 pop ecx
.text:6BB78D82 push [ebp+arg_C] ; struct _GUID *
.text:6BB78D85 lea edx, [ebp+var_234]
.text:6BB78D8B mov ecx, ebx
.text:6BB78D8D push [ebp+arg_8] ; struct _GUID *
.text:6BB78D90 push [ebp+var_EC0] ; struct _IMGHLP_DEBUG_DATA *
.text:6BB78D96 call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB78D9B mov esi, eax
.text:6BB78D9D test esi, esi
.text:6BB78D9F jz loc_6BB78FE4
.text:6BB78DA5
.text:6BB78DA5 loc_6BB78DA5: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+1C1j
.text:6BB78DA5 mov eax, 806D0005h
.text:6BB78DAA
.text:6BB78DAA loc_6BB78DAA: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+F1j
.text:6BB78DAA ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+100j
.text:6BB78DAA xor ebx, ebx
.text:6BB78DAC mov byte ptr [ebp+var_4], bl
.text:6BB78DAF or [ebp+var_4], 0FFFFFFFFh
.text:6BB78DB3 mov [ebp+var_EFC], ebx
.text:6BB78DB9 mov [ebp+var_EF8], ebx
.text:6BB78DBF jmp loc_6BB79CBA
.text:6BB78DC4 ; ---------------------------------------------------------------------------
.text:6BB78DC4
.text:6BB78DC4 loc_6BB78DC4: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+11Aj
.text:6BB78DC4 mov eax, [ebp+var_EBC]
.text:6BB78DCA cmp dword ptr [eax+59BCh], 4
.text:6BB78DD1 jnz short loc_6BB78E41
.text:6BB78DD3 add eax, 55A8h
.text:6BB78DD8 xor ecx, ecx
.text:6BB78DDA cmp [eax], cx
.text:6BB78DDD jz short loc_6BB78E41
.text:6BB78DDF push eax ; unsigned __int32
.text:6BB78DE0 lea eax, [ebp+var_234]
.text:6BB78DE6 push 105h ; SizeInWords
.text:6BB78DEB push eax ; Dst
.text:6BB78DEC call _wcscpy_s
.text:6BB78DF1 pop ecx
.text:6BB78DF2 pop ecx
.text:6BB78DF3 push [ebp+arg_C] ; struct _GUID *
.text:6BB78DF6 lea edx, [ebp+var_234]
.text:6BB78DFC mov ecx, ebx
.text:6BB78DFE push [ebp+arg_8] ; struct _GUID *
.text:6BB78E01 push [ebp+var_EC0] ; struct _IMGHLP_DEBUG_DATA *
.text:6BB78E07 call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB78E0C mov esi, eax
.text:6BB78E0E test esi, esi
.text:6BB78E10 jnz short loc_6BB78DA5
.text:6BB78E12 mov eax, [ebp+var_EBC]
.text:6BB78E18 push 8
.text:6BB78E1A pop ecx
.text:6BB78E1B mov dword ptr [ebx+0CB0h], 2
.text:6BB78E25 mov [eax+59BCh], ecx
.text:6BB78E2B mov eax, [ebx+0FBCh]
.text:6BB78E31 test eax, eax
.text:6BB78E33 jz loc_6BB79C1B
.text:6BB78E39 mov [eax+14h], ecx
.text:6BB78E3C jmp loc_6BB79C1B
.text:6BB78E41 ; ---------------------------------------------------------------------------
.text:6BB78E41
.text:6BB78E41 loc_6BB78E41: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+182j
.text:6BB78E41 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+18Ej
.text:6BB78E41 xor eax, eax
.text:6BB78E43 lea edi, [ebp+indexdata]
.text:6BB78E49 stosd
.text:6BB78E4A stosd
.text:6BB78E4B stosd
.text:6BB78E4C stosd
.text:6BB78E4D mov eax, [ebx+0FD4h]
.text:6BB78E53 cmp dword ptr [eax+4], 3
.text:6BB78E57 jnz short loc_6BB78E73
.text:6BB78E59 cmp dword ptr [eax+0Ch], 14h
.text:6BB78E5D jnz short loc_6BB78E73
.text:6BB78E5F mov eax, [eax+8]
.text:6BB78E62 mov [ebp+var_EC0], eax
.text:6BB78E68 mov edx, [eax+10h]
.text:6BB78E6B mov [ebp+dword1__________], edx
.text:6BB78E71 jmp short loc_6BB78E82
.text:6BB78E73 ; ---------------------------------------------------------------------------
.text:6BB78E73
.text:6BB78E73 loc_6BB78E73: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+208j
.text:6BB78E73 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+20Ej
.text:6BB78E73 mov eax, [ebp+arg_C]
.text:6BB78E76 mov [ebp+dword1__________], eax
.text:6BB78E7C mov eax, [ebp+var_EC0]
.text:6BB78E82
.text:6BB78E82 loc_6BB78E82: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+222j
.text:6BB78E82 mov ecx, [ebp+arg_8]
.text:6BB78E85 test ecx, ecx
.text:6BB78E87 jz short loc_6BB78E91
.text:6BB78E89 mov [ebp+indexdata], ecx
.text:6BB78E8F jmp short loc_6BB78EA7
.text:6BB78E91 ; ---------------------------------------------------------------------------
.text:6BB78E91
.text:6BB78E91 loc_6BB78E91: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+238j
.text:6BB78E91 test eax, eax
.text:6BB78E93 jz short loc_6BB78EA7
.text:6BB78E95 mov esi, eax
.text:6BB78E97 lea edi, [ebp+indexdata]
.text:6BB78E9D movsd
.text:6BB78E9E movsd
.text:6BB78E9F movsd
.text:6BB78EA0 movsd
.text:6BB78EA1 mov esi, [ebp+var_EB0]
.text:6BB78EA7
.text:6BB78EA7 loc_6BB78EA7: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+240j
.text:6BB78EA7 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+244j
.text:6BB78EA7 mov edi, [ebp+Src]
.text:6BB78EAD lea eax, [ebp+var_A6C]
.text:6BB78EB3 push 101h ; rsize_t
.text:6BB78EB8 push eax ; wchar_t *
.text:6BB78EB9 push 105h ; rsize_t
.text:6BB78EBE lea eax, [ebp+var_864]
.text:6BB78EC4 push eax ; wchar_t *
.text:6BB78EC5 xor eax, eax
.text:6BB78EC7 push eax ; rsize_t
.text:6BB78EC8 push eax ; wchar_t *
.text:6BB78EC9 push eax ; SizeInWords
.text:6BB78ECA push eax ; Dst
.text:6BB78ECB push edi ; Src
.text:6BB78ECC call __wsplitpath_s_downlevel
.text:6BB78ED1 add esp, 24h
.text:6BB78ED4 lea eax, [ebp+var_864]
.text:6BB78EDA push offset a_pdb_0 ; ".pdb"
.text:6BB78EDF push eax
.text:6BB78EE0 push offset aSS_3 ; "%s%s"
.text:6BB78EE5 lea eax, [ebp+var_654]
.text:6BB78EEB push 105h ; SizeInWords
.text:6BB78EF0 push eax ; Dst
.text:6BB78EF1 call _swprintf_s
.text:6BB78EF6 mov edx, dword_6BC5FB18
.text:6BB78EFC add esp, 14h
.text:6BB78EFF test edx, 8000000h
.text:6BB78F05 jz loc_6BB790F2
.text:6BB78F0B test edx, 200000h
.text:6BB78F11 jnz loc_6BB78FF9
.text:6BB78F17 xor ecx, ecx
.text:6BB78F19 cmp [ebx+448h], ecx
.text:6BB78F1F jz loc_6BB78FF9
.text:6BB78F25 lea eax, [ebx+32h]
.text:6BB78F28 cmp [eax], cx
.text:6BB78F2B jz loc_6BB78FF9
.text:6BB78F31 push ecx ; rsize_t
.text:6BB78F32 push ecx ; wchar_t *
.text:6BB78F33 push ecx ; rsize_t
.text:6BB78F34 push ecx ; wchar_t *
.text:6BB78F35 mov esi, 105h
.text:6BB78F3A lea ecx, [ebp+var_444]
.text:6BB78F40 push esi ; rsize_t
.text:6BB78F41 push ecx ; wchar_t *
.text:6BB78F42 push 6 ; SizeInWords
.text:6BB78F44 lea ecx, [ebp+var_20]
.text:6BB78F47 push ecx ; Dst
.text:6BB78F48 push eax ; Src
.text:6BB78F49 call __wsplitpath_s_downlevel
.text:6BB78F4E add esp, 24h
.text:6BB78F51 lea eax, [ebp+var_654]
.text:6BB78F57 push eax
.text:6BB78F58 lea eax, [ebp+var_444]
.text:6BB78F5E push eax
.text:6BB78F5F lea eax, [ebp+var_20]
.text:6BB78F62 push eax
.text:6BB78F63 push offset aSSS ; "%s%s%s"
.text:6BB78F68 lea eax, [ebp+var_234]
.text:6BB78F6E push esi ; SizeInWords
.text:6BB78F6F push eax ; Dst
.text:6BB78F70 call _swprintf_s
.text:6BB78F75 mov edx, [ebx+0D54h]
.text:6BB78F7B lea eax, [ebp+var_234]
.text:6BB78F81 mov ecx, [ebx+8]
.text:6BB78F84 add esp, 18h
.text:6BB78F87 push 104h ; unsigned __int16 *
.text:6BB78F8C push edi ; unsigned __int16 *
.text:6BB78F8D push eax ; void *
.text:6BB78F8E xor eax, eax
.text:6BB78F90 push eax ; unsigned __int16 *
.text:6BB78F91 call ?diaCopyFileToCache@@YGHPAGPAX000K@Z ; diaCopyFileToCache(ushort *,void *,ushort *,ushort *,ushort *,ulong)
.text:6BB78F96 test eax, eax
.text:6BB78F98 jz short loc_6BB78FB5
.text:6BB78F9A push edi ; Src
.text:6BB78F9B lea eax, [ebp+var_234]
.text:6BB78FA1 push esi ; SizeInWords
.text:6BB78FA2 push eax ; Dst
.text:6BB78FA3 call _wcscpy_s
.text:6BB78FA8 add esp, 0Ch
.text:6BB78FAB mov [ebp+var_ED0], 1
.text:6BB78FB5
.text:6BB78FB5 loc_6BB78FB5: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+349j
.text:6BB78FB5 push ecx ; unsigned __int32
.text:6BB78FB6 push [ebp+dword1__________] ; struct _GUID *
.text:6BB78FBC lea edx, [ebp+var_234]
.text:6BB78FC2 mov ecx, ebx
.text:6BB78FC4 push [ebp+arg_8] ; struct _GUID *
.text:6BB78FC7 push [ebp+var_EC0] ; struct _IMGHLP_DEBUG_DATA *
.text:6BB78FCD call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB78FD2 mov esi, eax
.text:6BB78FD4 mov [ebp+var_EB0], esi
.text:6BB78FDA mov [ebp+var_EB4], esi
.text:6BB78FE0 test esi, esi
.text:6BB78FE2 jnz short loc_6BB78FF3
.text:6BB78FE4
.text:6BB78FE4 loc_6BB78FE4: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+150j
.text:6BB78FE4 mov dword ptr [ebx+0CB0h], 2
.text:6BB78FEE jmp loc_6BB79C1B
.text:6BB78FF3 ; ---------------------------------------------------------------------------
.text:6BB78FF3
.text:6BB78FF3 loc_6BB78FF3: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+393j
.text:6BB78FF3 mov edx, dword_6BC5FB18
.text:6BB78FF9
.text:6BB78FF9 loc_6BB78FF9: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+2C2j
.text:6BB78FF9 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+2D0j ...
.text:6BB78FF9 mov ecx, edi
.text:6BB78FFB lea eax, [ebp+var_234]
.text:6BB79001
.text:6BB79001 loc_6BB79001: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3EBj
.text:6BB79001 mov bx, [eax]
.text:6BB79004 cmp bx, [ecx]
.text:6BB79007 mov ebx, [ebp+var_F04]
.text:6BB7900D jnz short loc_6BB79040
.text:6BB7900F cmp word ptr [eax], 0
.text:6BB79013 jz short loc_6BB7903C
.text:6BB79015 mov si, [eax+2]
.text:6BB79019 cmp si, [ecx+2]
.text:6BB7901D mov [ebp+var_EB6], si
.text:6BB79024 mov esi, [ebp+var_EB0]
.text:6BB7902A jnz short loc_6BB79040
.text:6BB7902C add eax, 4
.text:6BB7902F add ecx, 4
.text:6BB79032 cmp [ebp+var_EB6], 0
.text:6BB7903A jnz short loc_6BB79001
.text:6BB7903C
.text:6BB7903C loc_6BB7903C: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3C4j
.text:6BB7903C xor eax, eax
.text:6BB7903E jmp short loc_6BB79045
.text:6BB79040 ; ---------------------------------------------------------------------------
.text:6BB79040
.text:6BB79040 loc_6BB79040: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3BEj
.text:6BB79040 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3DBj
.text:6BB79040 sbb eax, eax
.text:6BB79042 or eax, 1
.text:6BB79045
.text:6BB79045 loc_6BB79045: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3EFj
.text:6BB79045 test eax, eax
.text:6BB79047 jz loc_6BB790EA
.text:6BB7904D test dl, dl
.text:6BB7904F js loc_6BB790EA
.text:6BB79055 push edi ; Src
.text:6BB79056 mov esi, 105h
.text:6BB7905B lea eax, [ebp+var_234]
.text:6BB79061 push esi ; SizeInWords
.text:6BB79062 push eax ; Dst
.text:6BB79063 call _wcscpy_s
.text:6BB79068 add esp, 0Ch
.text:6BB7906B cmp [ebp+var_ED0], 0
.text:6BB79072 jnz short loc_6BB790B1
.text:6BB79074 mov edx, [ebx+0D54h]
.text:6BB7907A lea eax, [ebp+var_234]
.text:6BB79080 mov ecx, [ebx+8]
.text:6BB79083 push 104h ; unsigned __int16 *
.text:6BB79088 push edi ; unsigned __int16 *
.text:6BB79089 push eax ; void *
.text:6BB7908A xor eax, eax
.text:6BB7908C push eax ; unsigned __int16 *
.text:6BB7908D call ?diaCopyFileToCache@@YGHPAGPAX000K@Z ; diaCopyFileToCache(ushort *,void *,ushort *,ushort *,ushort *,ulong)
.text:6BB79092 test eax, eax
.text:6BB79094 jz short loc_6BB790B1
.text:6BB79096 push edi ; Src
.text:6BB79097 lea eax, [ebp+var_234]
.text:6BB7909D push esi ; SizeInWords
.text:6BB7909E push eax ; Dst
.text:6BB7909F call _wcscpy_s
.text:6BB790A4 add esp, 0Ch
.text:6BB790A7 mov [ebp+var_ED0], 1
.text:6BB790B1
.text:6BB790B1 loc_6BB790B1: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+423j
.text:6BB790B1 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+445j
.text:6BB790B1 push ecx ; unsigned __int32
.text:6BB790B2 push [ebp+dword1__________] ; struct _GUID *
.text:6BB790B8 lea edx, [ebp+var_234]
.text:6BB790BE mov ecx, ebx
.text:6BB790C0 push [ebp+arg_8] ; struct _GUID *
.text:6BB790C3 push [ebp+var_EC0] ; struct _IMGHLP_DEBUG_DATA *
.text:6BB790C9 call ?diaOpenPdb@@YGJPAU_IMGHLP_DEBUG_DATA@@PBGPAU_GUID@@KKH@Z ; diaOpenPdb(_IMGHLP_DEBUG_DATA *,ushort const *,_GUID *,ulong,ulong,int)
.text:6BB790CE mov esi, eax
.text:6BB790D0 mov [ebp+var_EB0], esi
.text:6BB790D6 mov [ebp+var_EB4], esi
.text:6BB790DC test esi, esi
.text:6BB790DE jnz short loc_6BB790F2
.text:6BB790E0 mov dword ptr [ebx+0CB0h], 5
.text:6BB790EA
.text:6BB790EA loc_6BB790EA: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+3F8j
.text:6BB790EA ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+400j
.text:6BB790EA test esi, esi
.text:6BB790EC jz loc_6BB79C1B
.text:6BB790F2
.text:6BB790F2 loc_6BB790F2: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+2B6j
.text:6BB790F2 ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+48Fj
.text:6BB790F2 mov edi, [ebx+8]
.text:6BB790F5 jmp loc_6BB791DE
.text:6BB790FA ; ---------------------------------------------------------------------------
.text:6BB790FA
.text:6BB790FA loc_6BB790FA: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+591j
.text:6BB790FA push ecx ; unsigned __int16 *
.text:6BB790FB lea edx, [ebp+var_444]
.text:6BB79101 mov [ebp+ExitCode], edi
.text:6BB79107 mov ecx, edi
.text:6BB79109 call ?TokenFromSymbolPath@@YGPAGPBGPAGH@Z ; TokenFromSymbolPath(ushort const *,ushort *,int)
.text:6BB7910E cmp [ebp+var_444], 0
.text:6BB79116 mov edi, eax
.text:6BB79118 jz loc_6BB791DE
.text:6BB7911E test dword_6BC5FB18, 10000000h
.text:6BB79128 jnz short loc_6BB7914A
.text:6BB7912A mov eax, [ebp+var_EBC]
.text:6BB79130 lea edx, [ebp+var_444]
.text:6BB79136 mov ecx, [ebx+4]
.text:6BB79139 add eax, 1Eh
.text:6BB7913C push eax ; struct _PROCESS_ENTRY *
.text:6BB7913D call ?CheckTheModuleByPath@@YGHPAU_PROCESS_ENTRY@@PAG1@Z ; CheckTheModuleByPath(_PROCESS_ENTRY *,ushort *,ushort *)
.text:6BB79142 test eax, eax
.text:6BB79144 jnz loc_6BB791DE
.text:6BB7914A
.text:6BB7914A loc_6BB7914A: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+4D9j
.text:6BB7914A push offset ?nothrow@std@@3Unothrow_t@1@B ; struct std::nothrow_t *
.text:6BB7914F push 20Ah ; unsigned int
.text:6BB79154 call ??_U@YAPAXIABUnothrow_t@std@@@Z ; operator new[](uint,std::nothrow_t const &)
.text:6BB79159 mov esi, eax
.text:6BB7915B mov [ebp+lpParameter], esi
.text:6BB79161 pop ecx
.text:6BB79162 pop ecx
.text:6BB79163 test esi, esi
.text:6BB79165 jz loc_6BB79254
.text:6BB7916B push 20Ah ; Size
.text:6BB79170 xor eax, eax
.text:6BB79172 push eax ; Val
.text:6BB79173 push esi ; Dst
.text:6BB79174 call _memset
.text:6BB79179 lea ecx, [ebp+var_444]
.text:6BB7917F add esp, 0Ch
.text:6BB79182 lea edx, [ecx+2]
.text:6BB79185
.text:6BB79185 loc_6BB79185: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+543j
.text:6BB79185 mov ax, [ecx]
.text:6BB79188 add ecx, 2
.text:6BB7918B cmp ax, word ptr [ebp+var_EF0]
.text:6BB79192 jnz short loc_6BB79185
.text:6BB79194 sub ecx, edx
.text:6BB79196 sar ecx, 1
.text:6BB79198 cmp ecx, 104h
.text:6BB7919E ja short loc_6BB7921A
.text:6BB791A0 push 105h ; int
.text:6BB791A5 lea edx, [ebp+var_444] ; Src
.text:6BB791AB mov ecx, esi ; Dst
.text:6BB791AD call _CopyNStringW@16 ; CopyNStringW(x,x,x,x)
.text:6BB791B2 lea eax, [ebp+lpParameter]
.text:6BB791B8 push eax
.text:6BB791B9 lea ecx, [ebp+var_EEC]
.text:6BB791BF call ?Add@?$CSimpleArray@PAG@ATL@@QAEHAAPAG@Z ; ATL::CSimpleArray<ushort *>::Add(ushort * &)
.text:6BB791C4 test eax, eax
.text:6BB791C6 jz short loc_6BB791FB
.text:6BB791C8 lea eax, [ebp+ExitCode]
.text:6BB791CE push eax
.text:6BB791CF lea ecx, [ebp+Memory]
.text:6BB791D5 call ?Add@?$CSimpleArray@PAG@ATL@@QAEHAAPAG@Z ; ATL::CSimpleArray<ushort *>::Add(ushort * &)
.text:6BB791DA test eax, eax
.text:6BB791DC jz short loc_6BB791EB
.text:6BB791DE
.text:6BB791DE loc_6BB791DE: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+4A6j
.text:6BB791DE ; DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+4C9j ...
.text:6BB791DE test edi, edi
.text:6BB791E0 jnz loc_6BB790FA
.text:6BB791E6 jmp loc_6BB7927D
.text:6BB791EB ; ---------------------------------------------------------------------------
.text:6BB791EB
.text:6BB791EB loc_6BB791EB: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+58Dj
.text:6BB791EB call ?spew@@YGHXZ ; spew(void)
.text:6BB791F0 test eax, eax
.text:6BB791F2 jz short loc_6BB7926C
.text:6BB791F4 push offset aWarningCanno_0 ; "Warning: Cannot add the previous path t"...
.text:6BB791F9 jmp short loc_6BB79262
.text:6BB791FB ; ---------------------------------------------------------------------------
.text:6BB791FB
.text:6BB791FB loc_6BB791FB: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+577j
.text:6BB791FB call ?spew@@YGHXZ ; spew(void)
.text:6BB79200 test eax, eax
.text:6BB79202 jz short loc_6BB79213
.text:6BB79204 push offset aWarningCannotA ; "Warning: Cannot add the path token to t"...
.text:6BB79209 push dword ptr [ebx+4] ; struct _PROCESS_ENTRY *
.text:6BB7920C call ?_pwprint@@YAHPAU_PROCESS_ENTRY@@PBGZZ ; _pwprint(_PROCESS_ENTRY *,ushort const *,...)
.text:6BB79211 pop ecx
.text:6BB79212 pop ecx
.text:6BB79213
.text:6BB79213 loc_6BB79213: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+5B3j
.text:6BB79213 mov eax, 806D0003h
.text:6BB79218 jmp short loc_6BB7923F
.text:6BB7921A ; ---------------------------------------------------------------------------
.text:6BB7921A
.text:6BB7921A loc_6BB7921A: ; CODE XREF: DiaLocatePdbMultiThread(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *,ushort *,_GUID *,ulong,ulong,ushort const *)+54Fj
.text:6BB7921A call ?spew@@YGHXZ ; spew(void)
.text:6BB7921F test eax, eax
.text:6BB79221 jz short loc_6BB7923A
.text:6BB79223 lea eax, [ebp+var_444]
.text:6BB79229 push eax
.text:6BB7922A push offset aErrorInvalidPa ; "Error: Invalid Path length: %s.\n"
.text:6BB7922F push dword ptr [ebx+4] ; struct _PROCESS_ENTRY *
.text:6BB79232 call ?_pwprint@@YAHPAU_PROCESS_ENTRY@@PBGZZ ; _pwprint(_PROCESS_ENTRY *,ushort const *,...)
.text:6BB79237 add esp, 0Ch
.......................
伪代码(对应上面 .text:6BB78E4D 起的那一段,this+4052 即 [ebx+0FD4h]):
v17 = *(this + 4052);
if ( *(v17 + 4) != 3 || *(v17 + 12) != 20 )
{
dword1__________ = param6;//GUID*
v18 = param4;
}
else
{
v18 = *(v17 + 8);
dword1__________ = *(v18 + 4);
}
if ( param5 )//GUID*
{
indexdata = param5;
}
else if ( v18 )
{
indexdata = *v18;//param+2180
}
再向上一层看,在 diaGetPdb 中调用时:param4=this+2180,param5=*(this+2172),param6=*(this+2168)。结合汇编(6BB78E82 起):param5 非零时其值被直接写进 indexdata 的第一个 dword,而只有走 param4 这条路时才从它指向的位置拷贝 16 字节——所以 param5 是一个 32 位签名值而不是指针,伪代码里 param5 旁的 //GUID* 注释不准确。
RetrievePdbInfo 中:
this+2180 => thisb+4(16 字节)
this+2172 => 0
this+2168 => thisb+20
thisb=*(DWORD*)(this+3252)
注意 thisb+4 处取 16 字节、thisb+20 处取一个 dword,这与 CodeView RSDS 记录的布局(+0 签名 'RSDS',+4 GUID,+0x14 Age,其后是 pdb 文件名)一致,所以 thisb 应当指向映像调试目录里的 CodeView 记录。下面看 this+3252 何时写入来确认:
.text:6BB971C1 ; int __fastcall ReadHeader(int thisc, unsigned __int32 a2)
.text:6BB971C1 ?ReadHeader@@YGHPAU_IMGHLP_DEBUG_DATA@@K@Z proc near
.text:6BB971C1 ; CODE XREF: imgReadLoaded(_IMGHLP_DEBUG_DATA *)+A8p
.text:6BB971C1 ; imgReadLoaded(_IMGHLP_DEBUG_DATA *)+C2p ...
.text:6BB971C1
.text:6BB971C1 var_390 = dword ptr -390h
.text:6BB971C1 var_38C = dword ptr -38Ch
.text:6BB971C1 var_388 = dword ptr -388h
.text:6BB971C1 var_384 = dword ptr -384h
.text:6BB971C1 var_380 = dword ptr -380h
.text:6BB971C1 var_37C = qword ptr -37Ch
.text:6BB971C1 var_374 = dword ptr -374h
.text:6BB971C1 var_370 = qword ptr -370h
.text:6BB971C1 var_368 = dword ptr -368h
.text:6BB971C1 var_364 = dword ptr -364h
.text:6BB971C1 var_360 = dword ptr -360h
.text:6BB971C1 Buf1 = dword ptr -35Ch
.text:6BB971C1 lpMem = dword ptr -358h
.text:6BB971C1 var_354 = dword ptr -354h
.text:6BB971C1 var_350 = dword ptr -350h
.text:6BB971C1 var_34C = dword ptr -34Ch
.text:6BB971C1 var_348 = dword ptr -348h
.text:6BB971C1 var_33C = dword ptr -33Ch
.text:6BB971C1 dwBytes = dword ptr -338h
.text:6BB971C1 var_334 = qword ptr -334h
.text:6BB971C1 var_32C = qword ptr -32Ch
.text:6BB971C1 var_314 = word ptr -314h
.text:6BB971C1 var_2FC = dword ptr -2FCh
.text:6BB971C1 var_2F8 = dword ptr -2F8h
.text:6BB971C1 var_2F4 = dword ptr -2F4h
.text:6BB971C1 var_2DC = dword ptr -2DCh
.text:6BB971C1 var_2D4 = dword ptr -2D4h
.text:6BB971C1 var_2A4 = byte ptr -2A4h
.text:6BB971C1 var_224 = qword ptr -224h
.text:6BB971C1 var_214 = byte ptr -214h
.text:6BB971C1 var_1E0 = dword ptr -1E0h
.text:6BB971C1 var_1DC = qword ptr -1DCh
.text:6BB971C1 var_1C8 = word ptr -1C8h
.text:6BB971C1 var_1C4 = word ptr -1C4h
.text:6BB971C1 var_1A8 = dword ptr -1A8h
.text:6BB971C1 var_1A4 = dword ptr -1A4h
.text:6BB971C1 var_18C = dword ptr -18Ch
.text:6BB971C1 var_184 = dword ptr -184h
.text:6BB971C1 var_164 = byte ptr -164h
.text:6BB971C1 var_E4 = qword ptr -0E4h
.text:6BB971C1 var_D4 = word ptr -0D4h
.text:6BB971C1 var_D0 = byte ptr -0D0h
.text:6BB971C1 Dst = word ptr -94h
.text:6BB971C1 var_58 = qword ptr -58h
.text:6BB971C1 var_50 = qword ptr -50h
.text:6BB971C1 var_48 = dword ptr -48h
.text:6BB971C1 var_44 = dword ptr -44h
.text:6BB971C1 var_40 = dword ptr -40h
.text:6BB971C1 var_3C = dword ptr -3Ch
.text:6BB971C1 var_38 = dword ptr -38h
.text:6BB971C1 var_34 = dword ptr -34h
.text:6BB971C1 var_30 = dword ptr -30h
.text:6BB971C1 var_2C = dword ptr -2Ch
.text:6BB971C1 ms_exc = CPPEH_RECORD ptr -18h
.text:6BB971C1
.text:6BB971C1 push 380h
.text:6BB971C6 push offset off_6BC5B448
.text:6BB971CB call __SEH_prolog4_GS
.text:6BB971D0 mov ebx, edx
.text:6BB971D2 mov esi, ecx
.text:6BB971D4 xor eax, eax
.text:6BB971D6 mov [ebp+Dst], ax
.text:6BB971DD push 3Eh ; Size
.text:6BB971DF xor edi, edi
.text:6BB971E1 push edi ; Val
.text:6BB971E2 lea eax, [ebp+Dst+2]
.text:6BB971E8 push eax ; Dst
.text:6BB971E9 call _memset
.text:6BB971EE mov dword ptr [ebp+var_1DC], edi
.text:6BB971F4 push 0F4h ; Size
.text:6BB971F9 push edi ; Val
.text:6BB971FA lea eax, [ebp+var_1DC+4]
.text:6BB97200 push eax ; Dst
.text:6BB97201 call _memset
.text:6BB97206 add esp, 18h
.text:6BB97209 mov eax, edi
.text:6BB9720B mov [ebp+lpMem], eax
.text:6BB97211 mov [ebp+var_364], edi
.text:6BB97217 mov dword ptr [ebp+var_370+4], edi
.text:6BB9721D mov [ebp+var_374], edi
.text:6BB97223 mov [ebp+var_360], eax
.text:6BB97229 mov eax, ebx
.text:6BB9722B dec eax
.text:6BB9722C jz loc_6BB972D5
.text:6BB97232 dec eax
.text:6BB97233 jz short loc_6BB97280
.text:6BB97235 dec eax
.text:6BB97236 jz short loc_6BB9723F
.text:6BB97238
.text:6BB97238 loc_6BB97238: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+186j
.text:6BB97238 xor eax, eax
.text:6BB9723A jmp loc_6BB97D4F
.text:6BB9723F ; ---------------------------------------------------------------------------
.text:6BB9723F
.text:6BB9723F loc_6BB9723F: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+75j
.text:6BB9723F mov [ebp+var_350], edi
.text:6BB97245 mov ecx, [esi+86Ch]
.text:6BB9724B call ?MapItRO@@YGPAXPAX@Z ; MapItRO(void *)
.text:6BB97250 mov [esi+870h], eax
.text:6BB97256 cdq
.text:6BB97257 mov edi, eax
.text:6BB97259 mov [ebp+var_34C], edi
.text:6BB9725F mov [ebp+var_354], edx
.text:6BB97265 xor eax, eax
.text:6BB97267 push eax ; lpFileSizeHigh
.text:6BB97268 push dword ptr [esi+86Ch] ; hFile
.text:6BB9726E call ds:__imp__GetFileSize@8 ; GetFileSize(x,x)
.text:6BB97274 mov dword ptr [esi+0CB0h], 3
.text:6BB9727E jmp short loc_6BB972BF
.text:6BB97280 ; ---------------------------------------------------------------------------
.text:6BB97280
.text:6BB97280 loc_6BB97280: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+72j
.text:6BB97280 mov [ebp+var_350], edi
.text:6BB97286 mov ecx, [esi+448h]
.text:6BB9728C call ?MapItRO@@YGPAXPAX@Z ; MapItRO(void *)
.text:6BB97291 mov [esi+450h], eax
.text:6BB97297 cdq
.text:6BB97298 mov edi, eax
.text:6BB9729A mov [ebp+var_34C], eax
.text:6BB972A0 mov [ebp+var_354], edx
.text:6BB972A6 xor eax, eax
.text:6BB972A8 push eax ; lpFileSizeHigh
.text:6BB972A9 push dword ptr [esi+448h] ; hFile
.text:6BB972AF call ds:__imp__GetFileSize@8 ; GetFileSize(x,x)
.text:6BB972B5 mov dword ptr [esi+0CB0h], 2
.text:6BB972BF
.text:6BB972BF loc_6BB972BF: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+BDj
.text:6BB972BF mov dword ptr [ebp+var_37C+4], eax
.text:6BB972C5 mov eax, [ebp+var_350]
.text:6BB972CB mov ecx, [ebp+var_354]
.text:6BB972D1 xor edx, edx
.text:6BB972D3 jmp short loc_6BB97305
.text:6BB972D5 ; ---------------------------------------------------------------------------
.text:6BB972D5
.text:6BB972D5 loc_6BB972D5: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+6Bj
.text:6BB972D5 mov eax, [esi+0D54h]
.text:6BB972DB mov [ebp+var_350], eax
.text:6BB972E1 mov edi, [esi+10h]
.text:6BB972E4 mov [ebp+var_34C], edi
.text:6BB972EA mov ecx, [esi+14h]
.text:6BB972ED mov [ebp+var_354], ecx
.text:6BB972F3 xor edx, edx
.text:6BB972F5 mov dword ptr [ebp+var_37C+4], edx
.text:6BB972FB mov dword ptr [esi+0CB0h], 5
.text:6BB97305
.text:6BB97305 loc_6BB97305: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+112j
.text:6BB97305 mov [esi+0FB8h], edx
.text:6BB9730B mov [ebp+var_390], edx
.text:6BB97311 mov [ebp+var_368], edx
.text:6BB97317 xor edx, edx
.text:6BB97319 mov [ebp+ms_exc.registration.TryLevel], edx
.text:6BB9731C push 2
.text:6BB9731E lea edx, [ebp+var_370]
.text:6BB97324 push edx ; unsigned __int64
.text:6BB97325 xor edx, edx
.text:6BB97327 push edx
.text:6BB97328 push edx ; unsigned __int64
.text:6BB97329 push ecx ; void *
.text:6BB9732A push edi ; struct _IMGHLP_DEBUG_DATA *
.text:6BB9732B mov edx, eax
.text:6BB9732D call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB97332 test eax, eax
.text:6BB97334 jnz short loc_6BB9734C
.text:6BB97336
.text:6BB97336 loc_6BB97336: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+3FBj
.text:6BB97336 ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+427j ...
.text:6BB97336 mov dword_6BC5FB1C, 6
.text:6BB97340
.text:6BB97340 loc_6BB97340: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1C1j
.text:6BB97340 ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1EDj ...
.text:6BB97340 mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
.text:6BB97347 jmp loc_6BB97238
.text:6BB9734C ; ---------------------------------------------------------------------------
.text:6BB9734C
.text:6BB9734C loc_6BB9734C: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+173j
.text:6BB9734C mov [esi+0CA8h], ebx
.text:6BB97352 mov eax, 4944h
.text:6BB97357 mov edx, [ebp+var_350]
.text:6BB9735D cmp word ptr [ebp+var_370], ax
.text:6BB97364 jnz loc_6BB9758F
.text:6BB9736A push 30h
.text:6BB9736C lea eax, [ebp+var_50]
.text:6BB9736F push eax ; unsigned __int64
.text:6BB97370 xor eax, eax
.text:6BB97372 push eax
.text:6BB97373 push eax ; unsigned __int64
.text:6BB97374 push [ebp+var_354] ; void *
.text:6BB9737A push edi ; struct _IMGHLP_DEBUG_DATA *
.text:6BB9737B call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB97380 test eax, eax
.text:6BB97382 jz short loc_6BB97340
.text:6BB97384 mov eax, 14Ch
.text:6BB97389 mov cx, word ptr [ebp+var_50+4]
.text:6BB9738D cmp cx, ax
.text:6BB97390 jz short loc_6BB973B0
.text:6BB97392 add eax, 38h
.text:6BB97395 cmp cx, ax
.text:6BB97398 jz short loc_6BB973B0
.text:6BB9739A push dword ptr [esi+870h] ; lpBaseAddress
.text:6BB973A0 call ds:__imp__UnmapViewOfFile@4 ; UnmapViewOfFile(x)
.text:6BB973A6 xor eax, eax
.text:6BB973A8 mov [esi+870h], eax
.text:6BB973AE jmp short loc_6BB97340
.text:6BB973B0 ; ---------------------------------------------------------------------------
.text:6BB973B0
.text:6BB973B0 loc_6BB973B0: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1CFj
.text:6BB973B0 ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+1D7j
.text:6BB973B0 mov eax, [ebp+var_2C]
.text:6BB973B3 mov [esi+0D40h], eax
.text:6BB973B9 mov eax, [ebp+var_44]
.text:6BB973BC mov [esi+24h], eax
.text:6BB973BF mov [esi+30h], cx
.text:6BB973C3 mov eax, [ebp+var_48]
.text:6BB973C6 mov [esi+28h], eax
.text:6BB973C9 movzx eax, word ptr [ebp+var_50+6]
.text:6BB973CD mov [esi+2Ch], eax
.text:6BB973D0 mov eax, [esi+18h]
.text:6BB973D3 or eax, [esi+1Ch]
.text:6BB973D6 jnz short loc_6BB973E5
.text:6BB973D8 mov eax, [ebp+var_40]
.text:6BB973DB mov [esi+18h], eax
.text:6BB973DE xor eax, eax
.text:6BB973E0 mov [esi+1Ch], eax
.text:6BB973E3 jmp short loc_6BB973E7
.text:6BB973E5 ; ---------------------------------------------------------------------------
.text:6BB973E5
.text:6BB973E5 loc_6BB973E5: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+215j
.text:6BB973E5 xor eax, eax
.text:6BB973E7
.text:6BB973E7 loc_6BB973E7: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+222j
.text:6BB973E7 cmp [esi+20h], eax
.text:6BB973EA jnz short loc_6BB973F2
.text:6BB973EC mov eax, [ebp+var_3C]
.text:6BB973EF mov [esi+20h], eax
.text:6BB973F2
.text:6BB973F2 loc_6BB973F2: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+229j
.text:6BB973F2 mov eax, [ebp+var_38]
.text:6BB973F5 mov [ebp+lpMem], eax
.text:6BB973FB imul eax, 28h
.text:6BB973FE mov dword ptr [ebp+var_370+4], eax
.text:6BB97404 mov ecx, eax ; dwBytes
.text:6BB97406 call _pMemAlloc@4 ; pMemAlloc(x)
.text:6BB9740B mov edi, eax
.text:6BB9740D mov [ebp+Buf1], edi
.text:6BB97413 test edi, edi
.text:6BB97415 jz loc_6BB9749E
.text:6BB9741B push dword ptr [ebp+var_370+4]
.text:6BB97421 push edi ; unsigned __int64
.text:6BB97422 xor eax, eax
.text:6BB97424 push eax
.text:6BB97425 push 30h ; unsigned __int64
.text:6BB97427 push [ebp+var_354] ; void *
.text:6BB9742D push [ebp+var_34C] ; struct _IMGHLP_DEBUG_DATA *
.text:6BB97433 mov edx, [ebp+var_350]
.text:6BB97439 call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB9743E test eax, eax
.text:6BB97440 jz short loc_6BB9749E
.text:6BB97442 push ecx
.text:6BB97443 push [ebp+lpMem]
.text:6BB97449 push edi
.text:6BB9744A lea ecx, [esi+0D18h]
.text:6BB97450 call ?Assign@?$ImageHelpPointerWrapper@U_IMAGE_SECTION_HEADER@@@@QAEXPAXK_N@Z ; ImageHelpPointerWrapper<_IMAGE_SECTION_HEADER>::Assign(void *,ulong,bool)
.text:6BB97455 mov [esi+0D10h], edi
.text:6BB9745B mov eax, [ebp+lpMem]
.text:6BB97461 mov [esi+0D38h], eax
.text:6BB97467 mov eax, [ebp+var_30]
.text:6BB9746A test eax, eax
.text:6BB9746C jz short loc_6BB9749E
.text:6BB9746E xor edx, edx
.text:6BB97470 push 1Ch
.text:6BB97472 pop ecx
.text:6BB97473 div ecx
.text:6BB97475 mov [ebp+var_360], eax
.text:6BB9747B mov [ebp+var_384], eax
.text:6BB97481 imul edx, [ebp+var_38], 28h
.text:6BB97485 mov eax, [ebp+var_34]
.text:6BB97488 add edx, 30h
.text:6BB9748B add eax, edx
.text:6BB9748D mov [ebp+var_368], eax
.text:6BB97493 mov [ebp+var_388], eax
.text:6BB97499 xor edi, edi
.text:6BB9749B inc edi
.text:6BB9749C jmp short loc_6BB974A7
.text:6BB9749E ; ---------------------------------------------------------------------------
.text:6BB9749E
.text:6BB9749E loc_6BB9749E: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+254j
.text:6BB9749E ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+27Fj ...
.text:6BB9749E xor edi, edi
.text:6BB974A0 inc edi
.text:6BB974A1
.text:6BB974A1 loc_6BB974A1: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+6E3j
.text:6BB974A1 ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+712j ...
.text:6BB974A1 mov eax, [ebp+var_368]
.text:6BB974A7
.text:6BB974A7 loc_6BB974A7: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+2DBj
.text:6BB974A7 mov ecx, [ebp+var_360]
.text:6BB974AD
.text:6BB974AD loc_6BB974AD: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+7E0j
.text:6BB974AD push 1Ch
.text:6BB974AF pop edx
.text:6BB974B0 mov [ebp+var_390], edi
.text:6BB974B6 cmp ebx, 2
.text:6BB974B9 jnz short loc_6BB974C7
.text:6BB974BB mov [esi+0D24h], eax
.text:6BB974C1 mov [esi+0D28h], ecx
.text:6BB974C7
.text:6BB974C7 loc_6BB974C7: ; CODE XREF: ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+2F8j
.text:6BB974C7 ; ReadHeader(_IMGHLP_DEBUG_DATA *,ulong)+B75j
.text:6BB974C7 test ecx, ecx
.text:6BB974C9 jz loc_6BB97D42
.text:6BB974CF push edx
.text:6BB974D0 lea ecx, [ebp+var_348]
.text:6BB974D6 push ecx ; unsigned __int64
.text:6BB974D7 xor ecx, ecx
.text:6BB974D9 push ecx
.text:6BB974DA push eax ; unsigned __int64
.text:6BB974DB push [ebp+var_354] ; void *
.text:6BB974E1 push [ebp+var_34C] ; struct _IMGHLP_DEBUG_DATA *
.text:6BB974E7 mov edx, [ebp+var_350]
.text:6BB974ED call ?ReadImageData@@YGKPAU_IMGHLP_DEBUG_DATA@@PAX_K21I@Z ; ReadImageData(_IMGHLP_DEBUG_DATA *,void *,unsigned __int64,unsigned __int64,void *,uint)
.text:6BB974F2 test eax, eax
.text:6BB974F4 jz loc_6BB97340
.text:6BB974FA cmp [ebp+dwBytes], 0
.text:6BB97501 jz loc_6BB97D0C
.text:6BB97507 xor eax, eax
.text:6BB97509 push eax ; unsigned __int32
.text:6BB9750A push ebx ; struct _MODULE_DATA *
.text:6BB9750B mov edx, [ebp+var_33C]
.text:6BB97511 mov ecx, [esi+0FC4h]
.text:6BB97517 call ?imgset@@YGKPAU_MODULE_DATA@@KKK@Z ; imgset(_MODULE_DATA *,ulong,ulong,ulong)
.text:6BB9751C mov eax, [ebp+var_33C]
.text:6BB97522 dec eax
.text:6BB97523 jz loc_6BB97C0E
.text:6BB97529 dec eax
.text:6BB9752A jz loc_6BB97B58
.text:6BB97530 dec eax
.text:6BB97531 dec eax
.text:6BB97532 jnz loc_6BB97C48
.text:6BB97538 mov ecx, dword ptr [ebp+var_334+4]
.text:6BB9753E cmp ecx, dword ptr [ebp+var_37C+4]
.text:6BB97544 jnb loc_6BB97B3E
.text:6BB9754A mov edx, [ebp+var_34C]
.text:6BB97550 cmp [edx+ecx], edi
.text:6BB97553 jnz loc_6BB97C4E
.text:6BB97559 cmp ebx, 3
.text:6BB9755C jnz loc_6BB97AF0
.text:6BB97562 lea eax, [esi+23Ch]
.text:6BB97568 xor edx, edx
.text:6BB9756A cmp [eax], dx
.text:6BB9756D mov edx, [ebp+var_34C]
.text:6BB97573 jnz loc_6BB97C4E
.text:6BB97579 push 105h ; cchWideChar
.text:6BB9757E add edx, 0Ch
.text:6BB97581 add ecx, edx
.text:6BB97583 mov edx, eax
.text:6BB97585 call ?ansi2wcs@@YGHPBDPAGK@Z ; ansi2wcs(char const *,ushort *,ulong)
.text:6BB9758A jmp loc_6BB97C48
.text:6BB9758F ; ---------------------------------------------------------------------------
.text:6BB9758F
............................
分析结果如下:
// Decompiler (Hex-Rays) output for dbghelp!ReadHeader, reproduced from the author's listing;
// struct fields are shown as raw byte offsets from thisc.
// thisc : the _IMGHLP_DEBUG_DATA object being filled in.
// a2    : where the image comes from: 1 = already-mapped image described by the fields at
//         thisc+16/+20/+3412 (thisc+3248 := 5); 2 = handle at thisc+1096, mapped with MapItRO
//         (thisc+3248 := 2); 3 = handle at thisc+2156, mapped with MapItRO (thisc+3248 := 3);
//         any other value returns 0 without reading anything.
// Returns 1 once the headers, section table and debug directory have been walked; 0 on a
// failed ReadImageData (LABEL_10 also sets dword_6BC5FB1C = 6), an unrecognised format,
// or an unexpected machine/magic value.
// The image is untrusted input. The only bounds checks visible in this listing compare a
// start offset against the file size (filesize2_4, which is 0 on the a2 == 1 path); the
// length of each referenced range is not checked, and the NumberOfSections * 40 allocation
// size is not overflow-checked here.
int __fastcall ReadHeader(int thisc, unsigned __int32 a2)
{
unsigned __int32 v2; // ebx@1
int v3; // esi@1
QWORD v5; // rax@5
struct _IMGHLP_DEBUG_DATA *pebegin2; // edi@5
DWORD filesize; // eax@5
BYTE *v8; // eax@6
void *v9; // eax@7
void *v10; // ecx@7
unsigned __int64 v11; // ST10_8@9
unsigned __int64 v12; // ST10_8@13
__int16 v13; // cx@14
LPVOID v14; // eax@21
int v15; // edi@21
int v16; // ecx@22
int v17; // edx@24
int v18; // eax@24
char v19; // di@24
int v20; // ecx@27
unsigned __int64 v21; // ST10_8@31
struct _IMGHLP_DEBUG_DATA *v22; // edx@37
unsigned __int64 v23; // ST10_8@42
unsigned __int64 v24; // ST10_8@43
signed int PESIG; // edx@44
int v26; // eax@45
LPVOID v27; // ecx@45
unsigned __int64 v28; // ST10_8@47
unsigned __int64 v29; // ST10_8@50
unsigned __int64 v30; // ST10_8@61
int imagesize; // eax@65
void *v32; // eax@74
LPVOID sectiondata; // eax@74
int v34; // ecx@75
BYTE *v35; // ecx@76
int v36; // ecx@76
const void *secheader; // eax@76
unsigned __int32 v38; // edx@83
unsigned __int64 v39; // ST10_8@84
unsigned __int32 v40; // eax@85
unsigned __int64 v41; // ST10_8@88
LPVOID v42; // eax@98
int v43; // edx@116
unsigned __int32 v44; // [sp-4h] [bp-3A4h]@116
void *v45; // [sp+0h] [bp-3A0h]@0
void *v46; // [sp+0h] [bp-3A0h]@9
unsigned __int32 v47; // [sp+0h] [bp-3A0h]@13
void *v48; // [sp+0h] [bp-3A0h]@42
unsigned __int32 v49; // [sp+0h] [bp-3A0h]@43
void *v50; // [sp+0h] [bp-3A0h]@83
struct _IMAGE_SECTION_HEADER *v51; // [sp+0h] [bp-3A0h]@85
unsigned int v52; // [sp+4h] [bp-39Ch]@0
unsigned int v53; // [sp+4h] [bp-39Ch]@9
unsigned __int32 v54; // [sp+4h] [bp-39Ch]@13
unsigned int v55; // [sp+4h] [bp-39Ch]@42
unsigned __int32 v56; // [sp+4h] [bp-39Ch]@43
unsigned int v57; // [sp+4h] [bp-39Ch]@83
struct _IMAGE_DATA_DIRECTORY *v58; // [sp+4h] [bp-39Ch]@85
int v59; // [sp+14h] [bp-38Ch]@76
int filesize2; // [sp+24h] [bp-37Ch]@74
unsigned __int32 filesize2a; // [sp+24h] [bp-37Ch]@87
DWORD filesize2_4; // [sp+28h] [bp-378h]@7
BYTE *exportpos; // [sp+2Ch] [bp-374h]@1
unsigned __int64 v64; // [sp+30h] [bp-370h]@1
int v65; // [sp+38h] [bp-368h]@9
BYTE *v66; // [sp+3Ch] [bp-364h]@1
unsigned int v67; // [sp+40h] [bp-360h]@1
void *sectiondata_1; // [sp+44h] [bp-35Ch]@21
LPVOID lpMem; // [sp+48h] [bp-358h]@1
void *v70; // [sp+4Ch] [bp-354h]@5
int v71; // [sp+50h] [bp-350h]@5
struct _IMGHLP_DEBUG_DATA *pebegin; // [sp+54h] [bp-34Ch]@5
BYTE v73[28]; // [sp+58h] [bp-348h]@31
BYTE v74[264]; // [sp+74h] [bp-32Ch]@61
unsigned __int64 v75; // [sp+17Ch] [bp-224h]@88
char v76; // [sp+18Ch] [bp-214h]@89
int v77; // [sp+1C0h] [bp-1E0h]@88
BYTE v78[248]; // [sp+1C4h] [bp-1DCh]@1
unsigned __int16 v79[40]; // [sp+2BCh] [bp-E4h]@50
BYTE Dst[64]; // [sp+30Ch] [bp-94h]@1
unsigned __int64 v81; // [sp+350h] [bp-50h]@13
int v82; // [sp+358h] [bp-48h]@17
int v83; // [sp+35Ch] [bp-44h]@17
int v84; // [sp+360h] [bp-40h]@18
int v85; // [sp+364h] [bp-3Ch]@20
void *v86; // [sp+368h] [bp-38h]@21
int v87; // [sp+36Ch] [bp-34h]@24
unsigned int v88; // [sp+370h] [bp-30h]@23
int v89; // [sp+374h] [bp-2Ch]@17
CPPEH_RECORD ms_exc; // [sp+388h] [bp-18h]@9
v2 = a2;
v3 = thisc;
*Dst = 0;
memset(&Dst[2], 0, 0x3Eu);
*v78 = 0;
memset(&v78[4], 0, 0xF4u);
lpMem = 0;
v66 = 0;
HIDWORD(v64) = 0;
exportpos = 0;
v67 = 0;
if ( v2 == 1 )
{
// Source 1: the image is already mapped; take base/size/etc. from the object itself.
v9 = *(v3 + 3412);
v71 = *(v3 + 3412);
pebegin2 = *(v3 + 16);
pebegin = *(v3 + 16);
v10 = *(v3 + 20);
v70 = *(v3 + 20);
filesize2_4 = 0; // no file size on this path, so the "< filesize2_4" checks below never pass
*(v3 + 3248) = 5;
}
else
{
if ( v2 == 2 )
{
// Source 2: map the file handle stored at +1096 read-only and record its size.
v71 = 0;
v8 = MapItRO(*(v3 + 1096), 0);
*(v3 + 1104) = v8;
pebegin2 = v8;
v70 = (v8 >> 32);
pebegin = v8;
filesize = GetFileSize(*(v3 + 1096), 0);
*(v3 + 3248) = 2;
}
else
{
if ( v2 != 3 )
return 0;
// Source 3: same as source 2 but with the handle stored at +2156.
v71 = 0;
LODWORD(v5) = MapItRO(*(v3 + 2156), 0);
*(v3 + 2160) = v5;
pebegin2 = v5;
v70 = (v5 >> 32);
pebegin = v5;
filesize = GetFileSize(*(v3 + 2156), 0);
*(v3 + 3248) = 3;
}
filesize2_4 = filesize;
v9 = v71;
v10 = v70;
}
*(v3 + 4024) = 0;
v65 = 0;
ms_exc.registration.TryLevel = 0;
HIDWORD(v11) = 2;
LODWORD(v11) = &v64;
if ( !ReadImageData(v9, pebegin2, v10, 0i64, v11, v45, v52) )// read the 2-byte signature word at offset 0 into v64
goto LABEL_10;
*(v3 + 3240) = v2;
if ( v64 != 'ID' ) // 0x4944: appears to be the separate .dbg image signature; handled after LABEL_11
{
if ( v64 == 'ZM' ) // 'MZ' DOS header
{
HIDWORD(v23) = 64;
LODWORD(v23) = Dst;
if ( !ReadImageData(v71, pebegin2, v70, 0i64, v23, v46, v53) )// read the 64-byte DOS header; Dst[60] (e_lfanew) gives the PE header offset
goto LABEL_10;
HIDWORD(v24) = 248;
LODWORD(v24) = v78;
if ( !ReadImageData(v71, pebegin2, v70, *&Dst[60], v24, v48, v55) )// read 248 bytes (IMAGE_NT_HEADERS32) at e_lfanew into v78
goto LABEL_10;
PESIG = *v78;
if ( *v78 != 'EP' ) // signature is NOT 'PE': treat what follows as a bare file header
{
v66 = &v78[4];
v26 = *&v78[20] + 24 + *&Dst[60];
v27 = &v78[24];
LABEL_55:
HIDWORD(v64) = v26;
goto LABEL_56;
}
}
else
{
if ( v64 != 0x14C ) // not an i386 machine word either: try reading a COFF file header
{
HIDWORD(v29) = 76;
LODWORD(v29) = v79;
if ( !ReadImageData(v71, pebegin2, v70, 0i64, v29, v46, v53) )
goto LABEL_10;
if ( v79[0] != 332 && v79[0] != 388 && v79[0] != 644 ) // 0x14C / 0x184 / 0x284 machine values
goto LABEL_11;
v27 = &v79[10];
v66 = v79;
v26 = v79[8] + 20;
PESIG = *v78;
goto LABEL_55;
}
// raw i386 header with no MZ/PE: read 244 bytes and tag it as a ROM image
HIDWORD(v28) = 244;
LODWORD(v28) = &v78[4];
if ( !ReadImageData(v71, pebegin2, v70, 0i64, v28, v46, v53) )
goto LABEL_11;
PESIG = 'ROM ';
*v78 = 'ROM ';
}
v27 = lpMem;
LABEL_56:
if ( v27 )
{
if ( *v27 != 0x107 ) // 0x107 = ROM optional-header magic
{
*(v3 + 4592) = 11;
goto LABEL_11;
}
v19 = 1;
*(v3 + 3400) = 1;
*(v3 + 1108) = *v27;
*(v3 + 24) = *(v27 + 5);
*(v3 + 28) = 0;
*(v3 + 32) = *(v27 + 1);
*(v3 + 36) = 0;
goto LABEL_74;
}
if ( *&v78[24] != 0x20B ) // optional-header Magic != 0x20B (PE32+): 32-bit optional header layout below
{
v66 = &v78[4];
exportpos = &v78[120]; // data directory base (author: export table position; entry 0 is the export table)
*(v3 + 1108) = *&v78[24];
if ( PESIG == 'ROM ' )
HIDWORD(v64) = 244;
else
HIDWORD(v64) = *&Dst[60] + 248; // file offset of the first section header
v19 = 1;
if ( v2 == 2 || v2 == 1 )
{
*(v3 + 24) = *&v78[52];
*(v3 + 28) = 0;
*(v3 + 3392) = *&v78[56];
*(v3 + 36) = *&v78[88];
}
imagesize = *&v78[80];
goto LABEL_73;
}
// PE32+: re-read the larger (264-byte) NT headers and take the 64-bit field offsets
HIDWORD(v30) = 264;
LODWORD(v30) = v74;
if ( ReadImageData(v71, pebegin2, v70, *&Dst[60], v30, v49, v56) )
{
v66 = &v74[4];
exportpos = &v74[136];
HIDWORD(v64) = *&Dst[60] + 264;
*(v3 + 1108) = *&v74[24];
v19 = 1;
*(v3 + 3396) = 1;
if ( v2 == 2 || v2 == 1 )
{
*(v3 + 24) = *&v74[48];
*(v3 + 28) = *&v74[52];
*(v3 + 3392) = *&v74[56];
*(v3 + 36) = *&v74[88];
}
imagesize = *&v74[80];
LABEL_73:
*(v3 + 32) = imagesize;
LABEL_74:
imgset(100, *(v3 + 4036), v2, v2, v49, v56);
v32 = *(v66 + 1); // number of sections (from the file header)
lpMem = v32;
filesize2 = 40 * v32; // 40 = sizeof(IMAGE_SECTION_HEADER); no overflow check visible here
sectiondata = pMemAlloc(40 * v32);
sectiondata_1 = sectiondata;
if ( sectiondata && ReadImageData(v71, pebegin, v70, HIDWORD(v64), __PAIR__(filesize2, sectiondata), v47, v54) )// read the whole section table
{
ImageHelpPointerWrapper<_IMAGE_SECTION_HEADER>::Assign((v3 + 3352), sectiondata_1, lpMem, v34);
*(v3 + 3340) = sectiondata_1;
*(v3 + 3380) = lpMem;
v35 = v66;
*(v3 + 48) = *v66;
*(v3 + 40) = *(v35 + 1);
*(v3 + 44) = *(v35 + 9);
imgset(101, *(v3 + 4036), v2, v2, v47, v54);
v36 = 0;
v59 = 0;
secheader = sectiondata_1;
// Walk the section headers, locating the export, debug and CLR directories on disk.
while ( v36 < lpMem )
{
if ( *(v3 + 3400) && !(*(v66 + 9) & 0x200) )
{
if ( !memcmp(secheader, ".rdata", 7u) )// on a ROM image, .rdata ends the scan and supplies the debug info location
{
v20 = 1;
v67 = 1;
v18 = *(sectiondata_1 + 3);
v65 = *(sectiondata_1 + 3);
goto LABEL_28;
}
secheader = sectiondata_1;
}
v38 = SectionContains(secheader, v71, exportpos, v47, v54);// file position of the export directory
if ( v38 )
{
*(v3 + 3944) = v2;
*(v3 + 4048) = *(exportpos + 1);
*(v3 + 4040) = *exportpos;
*(v3 + 4044) = 0;
HIDWORD(v39) = 40;
LODWORD(v39) = v3 + 3984;
ReadImageData(v71, pebegin, v70, v38, v39, v50, v57);// read 40 bytes of the export directory (return value not checked)
}
v40 = SectionContains(sectiondata_1, v71, exportpos + 12, v50, v57);// file position of the debug directory (author's reading; exportpos is indexed in DWORD units here)
if ( v40 )
{
v65 = v40; // v65 = file offset of the debug directory
v67 = *(exportpos + 13) / 28u; // entry count = directory size / 28 (sizeof IMAGE_DEBUG_DIRECTORY)
}
filesize2a = SectionContains(sectiondata_1, v71, exportpos + 28, v51, v58);// file position of the CLR (COM descriptor) directory
if ( filesize2a )
{
memset(&v75, 0, 0x48u);
HIDWORD(v41) = 72;
LODWORD(v41) = &v75;
ReadImageData(v71, pebegin, v70, filesize2a, v41, v47, v54);
if ( v77 || v76 & 1 )
*(v3 + 4648) = 1;
}
v36 = v59++ + 1;
secheader = sectiondata_1 + 40; // advance to the next section header
sectiondata_1 = sectiondata_1 + 40;
}
}
goto LABEL_26;
}
LABEL_10:
dword_6BC5FB1C = 6;
LABEL_11:
ms_exc.registration.TryLevel = -2;
return 0;
}
// Separate .dbg image path: read the 48-byte separate-debug header into v81..v89.
HIDWORD(v12) = 48;
LODWORD(v12) = &v81;
if ( !ReadImageData(v71, pebegin2, v70, 0i64, v12, v46, v53) )
goto LABEL_11;
v13 = WORD2(v81);
if ( WORD2(v81) != 332 && WORD2(v81) != 388 ) // only 0x14C / 0x184 machine values are accepted; otherwise unmap and fail
{
UnmapViewOfFile(*(v3 + 2160));
*(v3 + 2160) = 0;
goto LABEL_11;
}
*(v3 + 3392) = v89;
*(v3 + 36) = v83;
*(v3 + 48) = v13;
*(v3 + 40) = v82;
*(v3 + 44) = WORD3(v81);
if ( !*(v3 + 24) )
{
*(v3 + 24) = v84;
*(v3 + 28) = 0;
}
if ( !*(v3 + 32) )
*(v3 + 32) = v85;
lpMem = v86;
HIDWORD(v64) = 40 * v86; // section table size; again no overflow check visible
v14 = pMemAlloc(40 * v86);
v15 = v14;
sectiondata_1 = v14;
if ( v14 )
{
if ( ReadImageData(v71, pebegin, v70, 0x30ui64, __PAIR__(HIDWORD(v64), v14), v47, v54) )
{
ImageHelpPointerWrapper<_IMAGE_SECTION_HEADER>::Assign((v3 + 3352), v15, lpMem, v16);
*(v3 + 3344) = v15;
*(v3 + 3384) = lpMem;
if ( v88 )
{
v67 = v88 / 0x1C; // debug entry count (28 bytes each)
v17 = 40 * v86 + 48;
v18 = v17 + v87;
v65 = v17 + v87;
v19 = 1;
goto LABEL_27;
}
}
}
v19 = 1;
LABEL_26:
v18 = v65;
LABEL_27:
v20 = v67;
LABEL_28:
if ( v2 == 2 )
{
*(v3 + 3364) = v18;
*(v3 + 3368) = v20;
}
// Debug directory walk: v18 is the current entry's file offset, v20 the remaining count.
while ( v20 )
{
HIDWORD(v21) = 28;
LODWORD(v21) = v73;
if ( !ReadImageData(v71, pebegin, v70, v18, v21, v47, v54) )// read one 28-byte IMAGE_DEBUG_DIRECTORY entry into v73
goto LABEL_11;
if ( *&v73[16] ) // IMAGE_DEBUG_DIRECTORY.SizeOfData
{
imgset(*&v73[12], *(v3 + 4036), v2, 0, v47, v54); // v73[12] = Type
if ( *&v73[12] == 1 ) // type 1 (COFF): only the start offset is checked against the file size, not the length
{
if ( *&v73[24] < filesize2_4 )
{
ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3264), (pebegin + *&v73[24]), *&v73[16], v19);
*(v3 + 3948) = v2;
goto LABEL_95;
}
*(v3 + 4024) = 1;
}
else
{
if ( *&v73[12] == 2 ) // type 2 (CodeView): this is where the RSDS record with the PDB GUID lives
{
if ( v71 )
{
if ( !*&v73[20] )
goto LABEL_11;
v42 = pMemAlloc(*&v73[16]);
lpMem = v42;
if ( !v42 )
goto LABEL_108;
if ( !ReadImageData(v71, pebegin, v70, *&v73[20], __PAIR__(*&v73[16], v42), v47, v54) )
{
pMemFree(lpMem);
goto LABEL_11;
}
ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 0xCB4), lpMem, *&v73[16], 0);
}
else
{
if ( *&v73[24] >= filesize2_4 ) // v73[24] = PointerToRawData of the debug entry: this is the data the post is after
goto LABEL_108;
ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 0xCB4), (pebegin + *&v73[24]), *&v73[16], 1);
}
*(v3 + 3952) = v2;
RetrievePdbInfo(v3, v3); // parses the CodeView data just assigned at +0xCB4
goto LABEL_95;
}
if ( *&v73[12] != 4 ) // type 4 (MISC) is handled here; types 3/5/7/8 after LABEL_109
goto LABEL_108;
if ( *&v73[24] < filesize2_4 )
{
v22 = pebegin;
if ( *(pebegin + *&v73[24]) != 1 )
goto LABEL_109;
if ( v2 == 3 )
{
v22 = pebegin;
if ( !*(v3 + 572) )
{
ansi2wcs(0x105, v47, v54);
goto LABEL_108;
}
LABEL_109:
if ( *&v73[24] >= filesize2_4 )
goto LABEL_120;
if ( *&v73[12] != 3 )
{
if ( *&v73[12] == 5 )
{
*(v3 + 3972) = v2;
v44 = v2;
v43 = 5;
}
else
{
if ( *&v73[12] == 7 )
{
ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3316), (v22 + *&v73[24]), *&v73[16] >> 3, v19);
*(v3 + 3964) = v2;
}
else
{
if ( *&v73[12] != 8 )
goto LABEL_120;
ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3328), (v22 + *&v73[24]), *&v73[16] >> 3, v19);
*(v3 + 3968) = v2;
}
LABEL_118:
v44 = v2;
v43 = *&v73[12];
}
imgset(v43, *(v3 + 4036), 0, v44, v47, v54);
goto LABEL_120;
}
ImageHelpPointerWrapper<_OMAP>::Assign((v3 + 3280), (v22 + *&v73[24]), *&v73[16] >> 4, v19);
*(v3 + 3960) = v2;
goto LABEL_118;
}
if ( *(v66 + 9) & 0x200 )
{
ansi2wcs(0x105, v47, v54);
*(v3 + 2164) = *&v73[4];
}
else
{
ansi2wcs(0x105, v47, v54);
}
}
LABEL_95:
imgset(*&v73[12], *(v3 + 4036), 0, v2, v47, v54);
}
LABEL_108:
v22 = pebegin;
goto LABEL_109;
}
LABEL_120:
v18 = v65 + 28; // next 28-byte entry
v65 += 28;
v20 = v67-- - 1;
}
return 1;
}
可以看到dbghelp!ReadHeader读取文件,解析PE格式,然后提取其中的debug区信息,标志RSDS后存放的GUID即为我们要找的数据
0293cbd4 52 53 44 53 83 65 a7 47-c5 34 bc 47 a0 3e 62 93 RSDS.e.G.4.G.>b.
0293cbe4 a7 8c 67 5f 02 00 00 00-77 6e 74 64 6c 6c 2e 70 ..g_....wntdll.p
0293cbf4 64 62 00 00 00 00 00 00-00 00 00 00 f6 c1 03 75 db.............u
0293cc04 0d 39 71 0c 75 08 8b 41-04 3b 46 08 74 4d 83 26 .9q.u..A.;F.tM.&
0293cc14 00 83 66 04 00 eb 42 90-90 90 90 90 8b ff 55 8b ..f...B.......U.
0293cc24 ec 51 53 8b 5d 08 57 8b-7d 0c 3b 7b 10 0f 87 02 .QS.].W.}.;{....
0293cc34 01 00 00 8b 43 0c 56 8d-73 20 3b c7 73 0e 83 c6 ....C.V.s ;.s...
0293cc44 10 03 c0 eb f5 90 90 90-90 90 90 90 8b ce e8 99 ................
解决任务2的重点在于SymbolServerGetIndexStringW,
来看它的内部调用:
CatStrID 将前面BYTE* index经过一定变换转换成字符串
CatStrDWORD 将前面int dword1添加到字符串结尾
CatStrDWORD 将前面int dword2添加到字符串结尾
CatStrID中实现大概是这样:
// Author's sketch of CatStrID (not the real source): gptype selects how the
// id bytes are rendered into buf. Buffer bounds and return values are not shown.
switch(gptype)
{
case 2:
CatStrDWORD(buf,id);
break;
case 4:
CatStrDWORD(buf,*(DWORD*)id);
break;
case 8:
CatStrGUID(buf,id);// the case used here (GUID-keyed PDB lookup)
break;
case 0x10:
CatStrOldGUID(buf,id);
break;
case 0x400000:
wcscpy_s(buf,id);
}
CatStrDWORD中实现大概是这样:
// Author's sketch of CatStrDWORD: appends dwordn in decimal after index only when
// it is non-zero. Note this is an approximation: %d is applied to a DWORD and no
// bound on buf is shown, so the real implementation's size handling is not visible here.
if(dwordn)
{
sprintf(buf,"%s%d",index,dwordn);
}
http://blog.163.com/hanyinlong@1 ... 486201363111524114/
剩下的懒得写了,现在大家知道windbg怎样查符号了吧!