Data Structures
struct	_PH_SYMBOL_PROVIDER

struct	_PH_SYMBOL_INFORMATION

struct	_PH_SYMBOL_LINE_INFORMATION

struct	_PH_SYMBOL_EVENT_DATA

struct	_PH_THREAD_STACK_FRAME
	Contains information about a thread stack frame. More...

Macros
#define	PH_MAX_SYMBOL_NAME_LEN 128

#define	PH_THREAD_STACK_FRAME_I386 0x1

#define	PH_THREAD_STACK_FRAME_AMD64 0x2

#define	PH_THREAD_STACK_FRAME_KERNEL 0x4

#define	PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT 0x100

#define	PH_WALK_I386_STACK 0x1

#define	PH_WALK_AMD64_STACK 0x2

#define	PH_WALK_KERNEL_STACK 0x10

Typedefs
typedef struct _PH_SYMBOL_PROVIDER	PH_SYMBOL_PROVIDER

typedef struct _PH_SYMBOL_PROVIDER *	PPH_SYMBOL_PROVIDER

typedef enum _PH_SYMBOL_RESOLVE_LEVEL	PH_SYMBOL_RESOLVE_LEVEL

typedef enum _PH_SYMBOL_RESOLVE_LEVEL *	PPH_SYMBOL_RESOLVE_LEVEL

typedef struct _PH_SYMBOL_INFORMATION	PH_SYMBOL_INFORMATION

typedef struct _PH_SYMBOL_INFORMATION *	PPH_SYMBOL_INFORMATION

typedef struct _PH_SYMBOL_LINE_INFORMATION	PH_SYMBOL_LINE_INFORMATION

typedef struct _PH_SYMBOL_LINE_INFORMATION *	PPH_SYMBOL_LINE_INFORMATION

typedef enum _PH_SYMBOL_EVENT_TYPE	PH_SYMBOL_EVENT_TYPE

typedef struct _PH_SYMBOL_EVENT_DATA	PH_SYMBOL_EVENT_DATA

typedef struct _PH_SYMBOL_EVENT_DATA *	PPH_SYMBOL_EVENT_DATA

typedef struct _tagSTACKFRAME64 *	LPSTACKFRAME64

typedef struct _tagADDRESS64 *	LPADDRESS64

typedef BOOL(__stdcall *	PREAD_PROCESS_MEMORY_ROUTINE64 )(_In_ HANDLE hProcess, _In_ DWORD64 qwBaseAddress, _Out_writes_bytes_(nSize) PVOID lpBuffer, _In_ DWORD nSize, _Out_ LPDWORD lpNumberOfBytesRead)

typedef PVOID(__stdcall *	PFUNCTION_TABLE_ACCESS_ROUTINE64 )(_In_ HANDLE ahProcess, _In_ DWORD64 AddrBase)

typedef DWORD64(__stdcall *	PGET_MODULE_BASE_ROUTINE64 )(_In_ HANDLE hProcess, _In_ DWORD64 Address)

typedef DWORD64(__stdcall *	PTRANSLATE_ADDRESS_ROUTINE64 )(_In_ HANDLE hProcess, _In_ HANDLE hThread, _In_ LPADDRESS64 lpaddr)

typedef enum _MINIDUMP_TYPE	MINIDUMP_TYPE

typedef struct _MINIDUMP_EXCEPTION_INFORMATION *	PMINIDUMP_EXCEPTION_INFORMATION

typedef struct _MINIDUMP_USER_STREAM_INFORMATION *	PMINIDUMP_USER_STREAM_INFORMATION

typedef struct _MINIDUMP_CALLBACK_INFORMATION *	PMINIDUMP_CALLBACK_INFORMATION

typedef struct _PH_THREAD_STACK_FRAME	PH_THREAD_STACK_FRAME
	Contains information about a thread stack frame.

typedef struct _PH_THREAD_STACK_FRAME *	PPH_THREAD_STACK_FRAME

typedef BOOLEAN(NTAPI *	PPH_WALK_THREAD_STACK_CALLBACK )(_In_ PPH_THREAD_STACK_FRAME StackFrame, _In_opt_ PVOID Context)
	A callback function passed to PhWalkThreadStack() and called for each stack frame.

Enumerations
enum	_PH_SYMBOL_RESOLVE_LEVEL { PhsrlFunction, PhsrlModule, PhsrlAddress, PhsrlInvalid }

enum	_PH_SYMBOL_EVENT_TYPE { SymbolDeferredSymbolLoadStart = 1, SymbolDeferredSymbolLoadComplete = 2, SymbolDeferredSymbolLoadFailure = 3, SymbolSymbolsUnloaded = 4, SymbolDeferredSymbolLoadCancel = 7 }

Functions
BOOLEAN NTAPI	PhSymbolProviderInitialization (VOID)

VOID NTAPI	PhSymbolProviderCompleteInitialization (_In_opt_ PVOID DbgHelpBase)

PHLIBAPI PPH_SYMBOL_PROVIDER NTAPI	PhCreateSymbolProvider (_In_opt_ HANDLE ProcessId)

PHLIBAPI BOOLEAN NTAPI	PhGetLineFromAddress (_In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG64 Address, _Out_ PPH_STRING *FileName, _Out_opt_ PULONG Displacement, _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information)

PHLIBAPI ULONG64 NTAPI	PhGetModuleFromAddress (_In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG64 Address, _Out_opt_ PPH_STRING *FileName)

PHLIBAPI PPH_STRING NTAPI	PhGetSymbolFromAddress (_In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG64 Address, _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel, _Out_opt_ PPH_STRING FileName, _Out_opt_ PPH_STRING SymbolName, _Out_opt_ PULONG64 Displacement)

PHLIBAPI BOOLEAN NTAPI	PhGetSymbolFromName (_In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PWSTR Name, _Out_ PPH_SYMBOL_INFORMATION Information)

PHLIBAPI BOOLEAN NTAPI	PhLoadModuleSymbolProvider (_In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PWSTR FileName, _In_ ULONG64 BaseAddress, _In_ ULONG Size)

PHLIBAPI VOID NTAPI	PhSetOptionsSymbolProvider (_In_ ULONG Mask, _In_ ULONG Value)

PHLIBAPI VOID NTAPI	PhSetSearchPathSymbolProvider (_In_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ PWSTR Path)

ULONG64 __stdcall	PhGetModuleBase64 (_In_ HANDLE hProcess, _In_ DWORD64 dwAddr)

PVOID __stdcall	PhFunctionTableAccess64 (_In_ HANDLE hProcess, _In_ DWORD64 AddrBase)

PHLIBAPI BOOLEAN NTAPI	PhStackWalk (_In_ ULONG MachineType, _In_ HANDLE ProcessHandle, _In_ HANDLE ThreadHandle, _Inout_ LPSTACKFRAME64 StackFrame, _Inout_ PVOID ContextRecord, _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine, _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine, _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine, _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress)

PHLIBAPI BOOLEAN NTAPI	PhWriteMiniDumpProcess (_In_ HANDLE ProcessHandle, _In_ HANDLE ProcessId, _In_ HANDLE FileHandle, _In_ MINIDUMP_TYPE DumpType, _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam)

PHLIBAPI NTSTATUS NTAPI	PhWalkThreadStack (_In_ HANDLE ThreadHandle, _In_opt_ HANDLE ProcessHandle, _In_opt_ PCLIENT_ID ClientId, _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider, _In_ ULONG Flags, _In_ PPH_WALK_THREAD_STACK_CALLBACK Callback, _In_opt_ PVOID Context)
	Walks a thread's stack.

Variables
PPH_OBJECT_TYPE	PhSymbolProviderType

PH_CALLBACK	PhSymInitCallback

Macro Definition Documentation

#define PH_MAX_SYMBOL_NAME_LEN 128

Definition at line 7 of file symprv.h.

#define PH_THREAD_STACK_FRAME_AMD64 0x2

Definition at line 244 of file symprv.h.

#define PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT 0x100

Definition at line 246 of file symprv.h.

#define PH_THREAD_STACK_FRAME_I386 0x1

Definition at line 243 of file symprv.h.

#define PH_THREAD_STACK_FRAME_KERNEL 0x4

Definition at line 245 of file symprv.h.

#define PH_WALK_AMD64_STACK 0x2

Definition at line 261 of file symprv.h.

#define PH_WALK_I386_STACK 0x1

Definition at line 260 of file symprv.h.

#define PH_WALK_KERNEL_STACK 0x10

Definition at line 262 of file symprv.h.

Typedef Documentation

typedef struct _tagADDRESS64* LPADDRESS64

Definition at line 179 of file symprv.h.

typedef struct _tagSTACKFRAME64* LPSTACKFRAME64

Definition at line 178 of file symprv.h.

typedef enum _MINIDUMP_TYPE MINIDUMP_TYPE

Definition at line 205 of file symprv.h.

typedef PVOID(__stdcall * PFUNCTION_TABLE_ACCESS_ROUTINE64)(_In_ HANDLE ahProcess, _In_ DWORD64 AddrBase)

Definition at line 189 of file symprv.h.

typedef DWORD64(__stdcall * PGET_MODULE_BASE_ROUTINE64)(_In_ HANDLE hProcess, _In_ DWORD64 Address)

Definition at line 194 of file symprv.h.

typedef struct _PH_SYMBOL_EVENT_DATA PH_SYMBOL_EVENT_DATA

typedef enum _PH_SYMBOL_EVENT_TYPE PH_SYMBOL_EVENT_TYPE

typedef struct _PH_SYMBOL_INFORMATION PH_SYMBOL_INFORMATION

typedef struct _PH_SYMBOL_LINE_INFORMATION PH_SYMBOL_LINE_INFORMATION

typedef struct _PH_SYMBOL_PROVIDER PH_SYMBOL_PROVIDER

typedef enum _PH_SYMBOL_RESOLVE_LEVEL PH_SYMBOL_RESOLVE_LEVEL

typedef struct _PH_THREAD_STACK_FRAME PH_THREAD_STACK_FRAME

Contains information about a thread stack frame.

typedef struct _MINIDUMP_CALLBACK_INFORMATION* PMINIDUMP_CALLBACK_INFORMATION

Definition at line 208 of file symprv.h.

typedef struct _MINIDUMP_EXCEPTION_INFORMATION* PMINIDUMP_EXCEPTION_INFORMATION

Definition at line 206 of file symprv.h.

typedef struct _MINIDUMP_USER_STREAM_INFORMATION* PMINIDUMP_USER_STREAM_INFORMATION

Definition at line 207 of file symprv.h.

typedef struct _PH_SYMBOL_EVENT_DATA * PPH_SYMBOL_EVENT_DATA

typedef struct _PH_SYMBOL_INFORMATION * PPH_SYMBOL_INFORMATION

typedef struct _PH_SYMBOL_LINE_INFORMATION * PPH_SYMBOL_LINE_INFORMATION

typedef struct _PH_SYMBOL_PROVIDER * PPH_SYMBOL_PROVIDER

typedef enum _PH_SYMBOL_RESOLVE_LEVEL * PPH_SYMBOL_RESOLVE_LEVEL

typedef struct _PH_THREAD_STACK_FRAME * PPH_THREAD_STACK_FRAME

typedef BOOLEAN(NTAPI * PPH_WALK_THREAD_STACK_CALLBACK)(_In_ PPH_THREAD_STACK_FRAME StackFrame, _In_opt_ PVOID Context)

A callback function passed to PhWalkThreadStack() and called for each stack frame.

Parameters

StackFrame	A structure providing information about the stack frame.
Context	A user-defined value passed to PhWalkThreadStack().

Returns: TRUE to continue the stack walk, FALSE to stop.

Definition at line 276 of file symprv.h.

typedef BOOL(__stdcall * PREAD_PROCESS_MEMORY_ROUTINE64)(_In_ HANDLE hProcess, _In_ DWORD64 qwBaseAddress, _Out_writes_bytes_(nSize) PVOID lpBuffer, _In_ DWORD nSize, _Out_ LPDWORD lpNumberOfBytesRead)

Definition at line 181 of file symprv.h.

typedef DWORD64(__stdcall * PTRANSLATE_ADDRESS_ROUTINE64)(_In_ HANDLE hProcess, _In_ HANDLE hThread, _In_ LPADDRESS64 lpaddr)

Definition at line 199 of file symprv.h.

Enumeration Type Documentation

enum _PH_SYMBOL_EVENT_TYPE

Enumerator:

SymbolDeferredSymbolLoadStart
SymbolDeferredSymbolLoadComplete
SymbolDeferredSymbolLoadFailure
SymbolSymbolsUnloaded
SymbolDeferredSymbolLoadCancel

Definition at line 44 of file symprv.h.

enum _PH_SYMBOL_RESOLVE_LEVEL

Enumerator:

PhsrlFunction
PhsrlModule
PhsrlAddress
PhsrlInvalid

Definition at line 22 of file symprv.h.

Function Documentation

PHLIBAPI PPH_SYMBOL_PROVIDER NTAPI PhCreateSymbolProvider ( _In_opt_ HANDLE ProcessId )

Definition at line 153 of file symprv.c.

PVOID __stdcall PhFunctionTableAccess64	(	_In_ HANDLE	hProcess,
		_In_ DWORD64	AddrBase
	)

Definition at line 1370 of file symprv.c.

PHLIBAPI BOOLEAN NTAPI PhGetLineFromAddress	(	_In_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ ULONG64	Address,
		_Out_ PPH_STRING *	FileName,
		_Out_opt_ PULONG	Displacement,
		_Out_opt_ PPH_SYMBOL_LINE_INFORMATION	Information
	)

Definition at line 349 of file symprv.c.

ULONG64 __stdcall PhGetModuleBase64	(	_In_ HANDLE	hProcess,
		_In_ DWORD64	dwAddr
	)

Definition at line 1333 of file symprv.c.

PHLIBAPI ULONG64 NTAPI PhGetModuleFromAddress	(	_In_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ ULONG64	Address,
		_Out_opt_ PPH_STRING *	FileName
	)

Definition at line 423 of file symprv.c.

PHLIBAPI PPH_STRING NTAPI PhGetSymbolFromAddress	(	_In_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ ULONG64	Address,
		_Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL	ResolveLevel,
		_Out_opt_ PPH_STRING *	FileName,
		_Out_opt_ PPH_STRING *	SymbolName,
		_Out_opt_ PULONG64	Displacement
	)

Definition at line 537 of file symprv.c.

PHLIBAPI BOOLEAN NTAPI PhGetSymbolFromName	(	_In_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ PWSTR	Name,
		_Out_ PPH_SYMBOL_INFORMATION	Information
	)

Definition at line 767 of file symprv.c.

PHLIBAPI BOOLEAN NTAPI PhLoadModuleSymbolProvider	(	_In_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ PWSTR	FileName,
		_In_ ULONG64	BaseAddress,
		_In_ ULONG	Size
	)

Definition at line 841 of file symprv.c.

PHLIBAPI VOID NTAPI PhSetOptionsSymbolProvider	(	_In_ ULONG	Mask,
		_In_ ULONG	Value
	)

Definition at line 935 of file symprv.c.

PHLIBAPI VOID NTAPI PhSetSearchPathSymbolProvider	(	_In_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ PWSTR	Path
	)

Definition at line 957 of file symprv.c.

PHLIBAPI BOOLEAN NTAPI PhStackWalk	(	_In_ ULONG	MachineType,
		_In_ HANDLE	ProcessHandle,
		_In_ HANDLE	ThreadHandle,
		_Inout_ LPSTACKFRAME64	StackFrame,
		_Inout_ PVOID	ContextRecord,
		_In_opt_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64	ReadMemoryRoutine,
		_In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64	FunctionTableAccessRoutine,
		_In_opt_ PGET_MODULE_BASE_ROUTINE64	GetModuleBaseRoutine,
		_In_opt_ PTRANSLATE_ADDRESS_ROUTINE64	TranslateAddress
	)

Definition at line 1396 of file symprv.c.

VOID NTAPI PhSymbolProviderCompleteInitialization ( _In_opt_ PVOID DbgHelpBase )

Definition at line 104 of file symprv.c.

BOOLEAN NTAPI PhSymbolProviderInitialization ( VOID )

Definition at line 95 of file symprv.c.

PHLIBAPI NTSTATUS NTAPI PhWalkThreadStack	(	_In_ HANDLE	ThreadHandle,
		_In_opt_ HANDLE	ProcessHandle,
		_In_opt_ PCLIENT_ID	ClientId,
		_In_opt_ PPH_SYMBOL_PROVIDER	SymbolProvider,
		_In_ ULONG	Flags,
		_In_ PPH_WALK_THREAD_STACK_CALLBACK	Callback,
		_In_opt_ PVOID	Context
	)

Walks a thread's stack.

Parameters

ThreadHandle	A handle to a thread. The handle must have THREAD_QUERY_LIMITED_INFORMATION, THREAD_GET_CONTEXT and THREAD_SUSPEND_RESUME access. The handle can have any access for kernel stack walking.
ProcessHandle	A handle to the thread's parent process. The handle must have PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access. If a symbol provider is being used, pass its process handle and specify the symbol provider in SymbolProvider.
ClientId	The client ID identifying the thread.
SymbolProvider	The associated symbol provider.
Flags	A combination of flags. `PH_WALK_I386_STACK` Walks the x86 stack. On AMD64 systems this flag walks the WOW64 stack. `PH_WALK_AMD64_STACK` Walks the AMD64 stack. On x86 systems this flag is ignored. `PH_WALK_KERNEL_STACK` Walks the kernel stack. This flag is ignored if there is no active KProcessHacker connection.
Callback	A callback function which is executed for each stack frame.
Context	A user-defined value to pass to the callback function.

Definition at line 1538 of file symprv.c.

PHLIBAPI BOOLEAN NTAPI PhWriteMiniDumpProcess	(	_In_ HANDLE	ProcessHandle,
		_In_ HANDLE	ProcessId,
		_In_ HANDLE	FileHandle,
		_In_ MINIDUMP_TYPE	DumpType,
		_In_opt_ PMINIDUMP_EXCEPTION_INFORMATION	ExceptionParam,
		_In_opt_ PMINIDUMP_USER_STREAM_INFORMATION	UserStreamParam,
		_In_opt_ PMINIDUMP_CALLBACK_INFORMATION	CallbackParam
	)

Definition at line 1449 of file symprv.c.

Variable Documentation

PPH_OBJECT_TYPE PhSymbolProviderType

Definition at line 57 of file symprv.c.

PH_CALLBACK PhSymInitCallback

Data Structures

Macros

Typedefs

Enumerations

Functions

Variables

Macro Definition Documentation

Typedef Documentation

Enumeration Type Documentation

Function Documentation

Variable Documentation