1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <ctype.h>
4 #define _WINVER 0x501
5 #define SYMOPT_ALLOW_ABSOLUTE_SYMBOLS 0x00000800
6 #include <windows.h>
7 #include <shlwapi.h>
8 #include <dbghelp.h>
9
10 HANDLE hCurrentProcess;
11 BOOL bX64;
12
13 #define MAX_SYMBOL_NAME 1024
14
InitDbgHelp(HANDLE hProcess)15 BOOL InitDbgHelp(HANDLE hProcess)
16 {
17 if (!SymInitialize(hProcess, 0, FALSE))
18 return FALSE;
19
20 SymSetOptions(SymGetOptions() | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS);
21 SymSetOptions(SymGetOptions() & (~SYMOPT_DEFERRED_LOADS));
22 SymSetSearchPath(hProcess, "srv**symbols*http://msdl.microsoft.com/download/symbols");
23 return TRUE;
24 }
25
26 PVOID
ImageSymToVa(HANDLE hProcess,PSYMBOL_INFO pSym,PBYTE pModule,PCSTR Name)27 ImageSymToVa(HANDLE hProcess, PSYMBOL_INFO pSym, PBYTE pModule, PCSTR Name)
28 {
29 PIMAGE_NT_HEADERS NtHeaders;
30 PVOID p;
31
32 pSym->SizeOfStruct = sizeof(SYMBOL_INFO);
33 pSym->MaxNameLen = MAX_SYMBOL_NAME-1;
34
35 if (!SymFromName(hProcess, Name, pSym))
36 {
37 printf("SymGetSymFromName64() failed: %ld\n", GetLastError());
38 return 0;
39 }
40 #if defined(__GNUC__) && \
41 (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__ < 40400)
42 printf("looking up address for %s: 0x%llx\n", Name, pSym->Address);
43 #else
44 printf("looking up address for %s: 0x%I64x\n", Name, pSym->Address);
45 #endif
46
47 NtHeaders = ImageNtHeader(pModule);
48 p = ImageRvaToVa(NtHeaders, pModule, pSym->Address - pSym->ModBase, NULL);
49
50 return p;
51 }
52
EnumSymbolsProc(PSYMBOL_INFO pSymInfo,ULONG SymbolSize,PVOID UserContext)53 BOOL CALLBACK EnumSymbolsProc(
54 PSYMBOL_INFO pSymInfo,
55 ULONG SymbolSize,
56 PVOID UserContext)
57 {
58 if ((INT_PTR)UserContext == -1)
59 {
60 printf("%s ", pSymInfo->Name);
61 }
62 else
63 {
64 if (!bX64)
65 {
66 printf("%s@%Iu ", pSymInfo->Name, (UINT_PTR)UserContext);
67 }
68 else
69 {
70 printf("%s <+ %Iu> ", pSymInfo->Name, (UINT_PTR)UserContext);
71 }
72 }
73 return TRUE;
74 }
75
main(int argc,char * argv[])76 int main(int argc, char* argv[])
77 {
78 HANDLE hProcess;
79 CHAR szModuleFileName[MAX_PATH+1];
80 DWORD64 dwModuleBase;
81 HANDLE hFile = 0, hMap = 0;
82 PBYTE pModule = NULL;
83 UINT i;
84 PVOID pW32pServiceTable, pW32pServiceLimit;
85 PBYTE pW32pArgumentTable;
86 PVOID pfnSimpleCall;
87 DWORD dwServiceLimit;
88
89 struct
90 {
91 SYMBOL_INFO Symbol;
92 CHAR Name[MAX_SYMBOL_NAME];
93 } Sym;
94
95 printf("Win32k Syscall dumper\n");
96 printf("Copyright (c) Timo Kreuzer 2007-08\n");
97
98 hProcess = GetCurrentProcess();
99
100 // try current dir
101 GetCurrentDirectory(MAX_PATH, szModuleFileName);
102 strcat(szModuleFileName, "\\win32k.sys");
103 hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,
104 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
105 if (hFile != INVALID_HANDLE_VALUE)
106 {
107 goto cont;
108 }
109
110 // try system dir
111 GetSystemDirectory(szModuleFileName, MAX_PATH);
112 strcat(szModuleFileName, "\\win32k.sys");
113 hFile = CreateFile(szModuleFileName, FILE_READ_DATA, FILE_SHARE_READ, NULL,
114 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
115 if (hFile == INVALID_HANDLE_VALUE)
116 {
117 printf("CreateFile() failed: %ld!\n", GetLastError());
118 goto cleanup;
119 }
120
121 cont:
122 printf("Trying to get syscalls from: %s\n", szModuleFileName);
123
124 if (!InitDbgHelp(hProcess))
125 {
126 printf("SymInitialize() failed\n");
127 goto cleanup;
128 }
129
130 printf("Loading symbols for %s, please wait...\n", szModuleFileName);
131 dwModuleBase = SymLoadModule64(hProcess, 0, szModuleFileName, 0, 0, 0);
132 if (dwModuleBase == 0)
133 {
134 printf("SymLoadModule64() failed: %ld\n", GetLastError());
135 goto cleanup;
136 }
137
138 hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
139 if (!hMap)
140 {
141 printf("CreateFileMapping() failed: %ld\n", GetLastError());
142 goto cleanup;
143 }
144
145 pModule = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
146 if(!pModule)
147 {
148 printf("MapViewOfFile() failed: %ld\n", GetLastError());
149 goto cleanup;
150 }
151
152 bX64 = (ImageNtHeader(pModule)->FileHeader.Machine != IMAGE_FILE_MACHINE_I386);
153
154 pW32pServiceTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceTable");
155 pW32pServiceLimit = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pServiceLimit");
156 pW32pArgumentTable = ImageSymToVa(hProcess, &Sym.Symbol, pModule, "W32pArgumentTable");
157 // printf("pW32pServiceTable = %p\n", pW32pServiceTable);
158 // printf("pW32pServiceLimit = %p\n", pW32pServiceLimit);
159 // printf("pW32pArgumentTable = %p\n", pW32pArgumentTable);
160
161 if (!pW32pServiceTable || !pW32pServiceLimit || !pW32pArgumentTable)
162 {
163 printf("Couldn't find address!\n");
164 goto cleanup;
165 }
166
167 dwServiceLimit = *((DWORD*)pW32pServiceLimit);
168
169 if (!bX64)
170 {
171 DWORD *pdwEntries32 = (DWORD*)pW32pServiceTable;
172
173 for (i = 0; i < dwServiceLimit; i++)
174 {
175 printf("0x%x:", i+0x1000);
176 SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries32[i], EnumSymbolsProc, (PVOID)(DWORD_PTR)pW32pArgumentTable[i]);
177 printf("\n");
178 }
179 }
180 else
181 {
182 DWORD64 *pdwEntries64 = (DWORD64*)pW32pServiceTable;
183
184 for (i = 0; i < dwServiceLimit; i++)
185 {
186 printf("0x%x:", i+0x1000);
187 SymEnumSymbolsForAddr(hProcess, (DWORD64)pdwEntries64[i], EnumSymbolsProc, (PVOID)(DWORD_PTR)pW32pArgumentTable[i]);
188 printf("\n");
189 }
190 }
191
192 /* Dump apfnSimpleCall */
193 printf("\nDumping apfnSimpleCall:\n");
194 pfnSimpleCall = (PVOID*)ImageSymToVa(hProcess, &Sym.Symbol, pModule, "apfnSimpleCall");
195 i = 0;
196
197 if (bX64)
198 {
199 DWORD64 *pfnSC64 = (DWORD64*)pfnSimpleCall;
200 while (pfnSC64[i] != 0)
201 {
202 printf("0x%x:", i);
203 SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC64[i], EnumSymbolsProc, (PVOID)-1);
204 printf("\n");
205 i++;
206 }
207 }
208 else
209 {
210 DWORD *pfnSC32 = (DWORD*)pfnSimpleCall;
211 while (pfnSC32[i] != 0)
212 {
213 printf("0x%x:", i);
214 SymEnumSymbolsForAddr(hProcess, (DWORD64)pfnSC32[i], EnumSymbolsProc, (PVOID)-1);
215 printf("\n");
216 i++;
217 }
218 }
219
220 cleanup:
221 if (pModule)
222 {
223 UnmapViewOfFile(pModule);
224 }
225 if (hMap)
226 {
227 CloseHandle(hMap);
228 }
229 if (hFile)
230 {
231 CloseHandle(hFile);
232 }
233
234 return 0;
235 }
236