Debug Interface Access SDKを使ã£ã¦å†…部関数ã®åå‰è§£æ±ºã‚’è¡Œã†
IDAを使ã£ã¦ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã®è§£æžã‚’ã—ã¦ã‚‹ã¨ã„ã¤ã‚‚æ€ã†ã‚“ã§ã™ãŒã€ãƒ‡ãƒãƒƒã‚°æƒ…å ±ã£ã¦ä¾¿åˆ©ã§ã™ã‚ˆã。IDAã¯ã‚¤ãƒ¡ãƒ¼ã‚¸ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ãƒãƒ¼ãƒ‰ã—ãŸå¾Œã«pdbã®æ¤œç´¢ã‚‚è¡Œã£ã¦ã„ã¦ã€ã‚·ãƒ³ãƒœãƒ«æƒ…å ±ã¨ã‹ã®ãƒ©ãƒ™ãƒ«ã‚’自動ã§åŸ‹ã‚込んã§ãã‚Œã¾ã™ã€‚ã“ã‚ŒãŒã‚ã‚‹ãŠã‹ã’ã§ã€ã‚¢ã‚»ãƒ³ãƒ–リをã‚ã¾ã‚Šèªã¾ãªãã¦ã‚‚大体ã®å‹•ä½œã¯ç†è§£ã§ãã¦ã—ã¾ã„ã¾ã™ã€‚今回ã¯ã“ã®pdbを解æžã—ã¦IDAãŒè¡Œã£ã¦ã„ã‚‹(アドレス -> シンボル)ã¨ã¯é€†ã®(シンボル -> アドレス)を自å‰ã§ã‚„ã£ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚
ã¨ã¯è¨€ã£ã¦ã‚‚ã€æ®‹å¿µãªãŒã‚‰pdbã®ä»•æ§˜ã¯éžå…¬é–‹ã§ã™ã€‚(多分)
IDAã¯IMAGEHELP.dllを使ã£ã¦pdbを解æžã—ã¦ã‚‹ã¿ãŸã„ãªã‚“ã§ã™ãŒ(下記å‚ç…§)↓
https://www.hex-rays.com/products/ida/support/idadoc/1374.shtml
æ£ç›´dbghelp.dll(IMAGEHELPã®ç¸®å°ç‰ˆã§ã™)ã‚ãŸã‚Šã®APIã¯ä»•æ§˜å¤‰æ›´ãŒæ¿€ã—ãã€å‹•ä½œãŒä¸å®‰å®šãªã‚¤ãƒ¡ãƒ¼ã‚¸ãŒã‚ã‚‹ã®ã§ã‚ã¾ã‚Šä½¿ã„ãŸããªã„ã§ã™ã€‚何ã‹è‰¯ã„手ã¯ç„¡ã„ã‹ã¨ã„ã‚ã„ã‚調ã¹ã¦ã¿ãŸã¨ã“ã‚ã€Debug Interface Access SDKã¨ã„ã†ç‰©ã‚’見ã¤ã‘ã¾ã—ãŸã€‚ ↓
http://blogs.msdn.com/b/vcblog/archive/2010/01/05/dia-based-stack-walking.aspx
何ã“ã‚Œã€è¶…ホット...
ã¨ã¦ã‚‚良ã•ã’ã ã£ãŸã®ã§ã“れを使ã†äº‹ã«ã—ã¾ã—ãŸã€‚ã¨ã¯ã„ãˆã€DIAã®æ—¥æœ¬èªžè³‡æ–™ãŒã»ã¼çš†ç„¡ã ã£ãŸã®ã§çµæ§‹è‹¦åŠ´ã—ã¾ã—ãŸorz
ã‚ã¨ã€DIA自体ãŒå˜ä½“ã§é…布ã•ã‚Œã¦ã„る訳ã§ã¯ç„¡ãã¦ã€VisualStudioをダウンãƒãƒ¼ãƒ‰ã—ãŸéš›ã«ä¸€ç·’ã«ã¤ã„ã¦æ¥ã‚‹ã¿ãŸã„ã§ã™ã€‚(expressã¯ç„¡ã„ã§ã™)
以下å‚考ã«ã—ãŸã‚µã‚¤ãƒˆ(ã¨ã†ã„ã‹ã»ã¼ä¸¸ãƒ‘クリ
Debug Interface Access SDK
[Win32] [COM] How to read PDB Symbol file using DIA SDK | すなのかたまり
ã“ã‚Œã§(シンボル -> アドレス)変æ›ãŒã§ãるよã†ã«ãªã‚Šã¾ã—ãŸã€‚ã¨ã“ã‚ã§ã“ã‚ŒãŒã§ãã‚‹ã¨ä½•ãŒå¬‰ã—ã„ã®ã‹ã¨è¨€ã†ã¨ã€ãŸã¨ãˆã°DLLインジェクションã§ä»–プãƒã‚»ã‚¹ã«ã‚³ãƒ¼ãƒ‰ã‚’注入ã—ãŸã‚Šã™ã‚‹æ™‚ã«ãã®ãƒ—ãƒã‚»ã‚¹å†…ã®é–¢æ•°ã‚’呼ã³å‡ºã—ãŸã„時ãŒã‚ã‚‹ã¨æ€ã„ã¾ã™ã€‚ã“ã®æ™‚ã€ã„ã¡ã„ã¡ãƒ‡ãƒãƒƒã‚¬ã‚„逆アセンブラãªã©ã§é–¢æ•°ã®å ´æ‰€ã‚’特定ã™ã‚‹ã®ã¯ã‚ã‚“ã©ã†ã§ã™ã€‚ã“ã†ã„ã†æ™‚ã«ã€å†…部関数ã®åå‰è§£æ±º(ã¤ã¾ã‚Š シンボル -> アドレスã®å¤‰æ›)ãŒDLL内ã§è‡ªå‹•ã§ã§ãã‚Œã°ã€å‘¼ã³å‡ºã—ãŸã„関数åを指定ã™ã‚‹ã ã‘ã§è‰¯ããªã‚‹ã®ã§ã¨ã¦ã‚‚楽ã§ã™ã€‚(ã¾ã‚ã‚‚ã£ã¨è‰¯ã„方法ãŒã‚ã‚‹ã®ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒ...
ãŸã¨ãˆã°ã‚²ãƒ¼ãƒ 内ã®Game::Win(void)ã¿ãŸã„ãªé–¢æ•°ã‚’直接DLLã‹ã‚‰åå‰æŒ‡å®šã§å‘¼ã³å‡ºã—ãŸã‚Šã§ãã‚‹ã‚ã‘ã§ã™ã€‚
ã§ã€æ›¸ã„ãŸã‚³ãƒ¼ãƒ‰ãŒã“ã‚“ãªæ„Ÿã˜â†“
#include <windows.h> #include <tlhelp32.h> #include <psapi.h> #include <stdio.h> #include <tchar.h> #include <map> #include "C:\Program Files\Microsoft Visual Studio 12.0\DIA SDK\include\dia2.h" #define DIA_SDK_PATH "C:\\Program Files\\Microsoft Visual Studio 12.0\\DIA SDK\\" #pragma comment (lib, "psapi.lib") typedef HRESULT (__stdcall *DLLGETCLASSOBJECT)( _In_ REFCLSID rclsid, _In_ REFIID riid, _Out_ LPVOID *ppv ); DWORD FindProcessId(TCHAR* processName);//プãƒã‚»ã‚¹å -> PID LPVOID GetBaseAddressFromName(TCHAR* ProcessName);//イメージベースã®å–å¾— BOOL DumpSymbolsFromDll(TCHAR* DllPath, LPCWSTR PdbFile, LPCWSTR SymbolName); VOID DumpSymbols(IDiaEnumSymbols *EnumSymbols); BOOL DumpSymbolsInternal(IDiaDataSource *MsdiaInstance, LPCWSTR PdbFile, LPCWSTR SymbolName); std::map<BSTR,DWORD> NameToRVA;//関数åã¨RVAã®å¯¾å¿œ TCHAR* target_function = TEXT("MyFunction"); DWORD target_RVA = 0; int _tmain(int argc, TCHAR* argv[]){ if(argc < 4){ fprintf(stderr,"%s <pdb file> <symbol pattern> <target process> <target dll>\n",argv[0]); return 1; } TCHAR* dll_path = TEXT("C:\\Program Files\\Microsoft Visual Studio 12.0\\DIA SDK\\bin\\msdia120.dll"); LPVOID baseAddress = GetBaseAddressFromName(argv[3]); DumpSymbolsFromDll(dll_path,argv[1],argv[2]); void (*MyFunc)(void); /*for(std::map<BSTR,DWORD>::iterator it = NameToRVA.begin(); it != NameToRVA.end(); ++it){ wprintf(TEXT("%s %08X\n"),(*it).first,(*it).second); }*/ if(!target_RVA){ fprintf(stderr,"Cannot find function\n"); return 1;} printf("\tBase Address: %08X\n\tRVA: %08X\n",(int)baseAddress,target_RVA); MyFunc = (void(*)())((int)baseAddress + target_RVA - 1);//ベースアドレス + 指定関数ã®RVA printf("\tMyFunction: %08X\n",(int)MyFunc); MyFunc(); } /* プãƒã‚»ã‚¹å -> PID */ DWORD FindProcessId(TCHAR* processName) { PROCESSENTRY32 processInfo; processInfo.dwSize = sizeof(processInfo); HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); if ( processesSnapshot == INVALID_HANDLE_VALUE ) return 0; Process32First(processesSnapshot, &processInfo); if ( !wcscmp(processName,processInfo.szExeFile) ) { CloseHandle(processesSnapshot); return processInfo.th32ProcessID; } while ( Process32Next(processesSnapshot, &processInfo) ) { if ( !wcscmp(processName,processInfo.szExeFile) ) { CloseHandle(processesSnapshot); return processInfo.th32ProcessID; } } CloseHandle(processesSnapshot); return 0; } /* イメージベースã®å–å¾— */ LPVOID GetBaseAddressFromName(TCHAR* ProcessName) { HANDLE hProcess; HMODULE ModuleHandles[1000]; DWORD ModuleNum; DWORD ReturnSize; TCHAR szModule[256]; MODULEINFO ModInfo; DWORD i; DWORD dwProcessId = FindProcessId(ProcessName);//プãƒã‚»ã‚¹å -> PID /* 指定ã•ã‚ŒãŸåå‰ã®ãƒ—ãƒã‚»ã‚¹ãƒãƒ³ãƒ‰ãƒ«ã‚’å–å¾— */ hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); /* ç¾åœ¨ã®ãƒ—ãƒã‚»ã‚¹ã«ãƒãƒ¼ãƒ‰ã•ã‚Œã¦ã„るモジュールã®ä¸€è¦§ã¨æ•°ã‚’å–å¾— */ EnumProcessModules(hProcess, ModuleHandles, sizeof(ModuleHandles), &ReturnSize); ModuleNum = ReturnSize / sizeof(HMODULE); /* å„モジュールã®æƒ…å ±ã‚’è¡¨ç¤º */ for(i=0; i<ModuleNum; i++) { /* モジュールã®ãƒ•ã‚¡ã‚¤ãƒ«åã¨æƒ…å ±ã‚’å–å¾— */ GetModuleBaseName(hProcess, ModuleHandles[i], szModule, sizeof(szModule)); GetModuleInformation(hProcess, ModuleHandles[i], &ModInfo, sizeof(ModInfo)); /* çµæžœã‚’表示 */ wprintf(TEXT("\tName: %s\n"),szModule); wprintf(TEXT("\tBase Address: %p\n"), ModInfo.lpBaseOfDll); wprintf(TEXT("\tSize: %08X\n"), ModInfo.SizeOfImage); wprintf(TEXT("\tEntryPoint: %p\n"), ModInfo.EntryPoint); if(!wcscmp(szModule,ProcessName)) return ModInfo.EntryPoint; } return NULL; } VOID DumpSymbols(IDiaEnumSymbols *EnumSymbols) { HRESULT hr = 0; BOOL Ret = FALSE; ULONG Retrieved = 0; for (;;) { IDiaSymbol *Symbol = NULL; BSTR Name = NULL; BSTR Undecorated = NULL; DWORD Rva = 0; DWORD SymTag = 0; hr = EnumSymbols->Next(1, &Symbol, &Retrieved); if ( Retrieved==0 ) break; hr = Symbol->get_relativeVirtualAddress(&Rva); hr = Symbol->get_name(&Name); hr = Symbol->get_undecoratedName(&Undecorated); hr = Symbol->get_symTag(&SymTag); //wprintf(TEXT("%4d RVA=%08x %-30s %-30s\n"), SymTag, Rva, Name, Undecorated); //NameToRVA[Name] = Rva; if(!wcscmp(Name,target_function)) target_RVA = Rva; if ( Name ) SysFreeString(Name); if ( Undecorated ) SysFreeString(Undecorated); if ( Symbol ) Symbol->Release(); } } BOOL DumpSymbolsInternal(IDiaDataSource *MsdiaInstance, LPCWSTR PdbFile, LPCWSTR SymbolName) { HRESULT hr = 0; BOOL Ret = FALSE; IDiaSession *Session = NULL; IDiaSymbol *Global = NULL; IDiaEnumSymbols *EnumSymbols = NULL; hr = MsdiaInstance->loadDataFromPdb(PdbFile); hr = MsdiaInstance->openSession(&Session); hr = Session->get_globalScope(&Global); hr = Global->findChildren(SymTagNull, SymbolName, nsfRegularExpression, &EnumSymbols); DumpSymbols(EnumSymbols); cleanup: if ( EnumSymbols ) EnumSymbols->Release(); if ( Global ) Global->Release(); if ( Session ) Session->Release(); return Ret; } BOOL DumpSymbolsFromDll(TCHAR* DllPath, LPCWSTR PdbFile, LPCWSTR SymbolName) { HRESULT hr = 0; BOOL Ret = FALSE; HMODULE MsDiaDll = NULL; DLLGETCLASSOBJECT MsDiaDllGetClassObject = NULL; IClassFactory *Factory = NULL; IDiaDataSource *Source = NULL; MsDiaDll = LoadLibrary(DllPath); if ( !MsDiaDll ) { printf("LoadLibrary failed ? 0x%08x\n", GetLastError()); goto cleanup; } MsDiaDllGetClassObject = (DLLGETCLASSOBJECT)GetProcAddress(MsDiaDll, "DllGetClassObject"); if ( !MsDiaDllGetClassObject ) { printf("LoadLibrary failed ? 0x%08x\n", GetLastError()); goto cleanup; } hr = MsDiaDllGetClassObject(__uuidof(DiaSource), __uuidof(IClassFactory), (void**)&Factory); hr = Factory->CreateInstance(NULL, __uuidof(IDiaDataSource), (void**)&Source); Ret = DumpSymbolsInternal(Source, PdbFile, SymbolName); cleanup: if(Source) Source->Release(); if(Factory) Factory->Release(); if(MsDiaDll) FreeLibrary(MsDiaDll); return Ret; }
実行ã™ã‚‹ã¨
Name: test.exe Base Address: 00890000 Size: 00029000 EntryPoint: 008A1235 Base Address: 008A1235 RVA: 00014050 MyFunction: 008B5284
ã“ã‚“ãªæ„Ÿã˜ã§test.exe内ã®MyFunction関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’表示ã—ã¦ãã‚Œã¾ã™ã€‚
今回ã¯ã‚ãã¾ã§DIAã®ç´¹ä»‹ãªã®ã§ã‚ã¾ã‚Šä¸Šè¨˜ã®ã‚³ãƒ¼ãƒ‰ã¯ã‚ã¦ã«ã—ãªã„ã§ãã ã•ã„。
