Process Hacker
symprv.h
Go to the documentation of this file.
1 #ifndef _PH_SYMPRV_H
2 #define _PH_SYMPRV_H
3 
4 extern PPH_OBJECT_TYPE PhSymbolProviderType;
5 extern PH_CALLBACK PhSymInitCallback;
6 
7 #define PH_MAX_SYMBOL_NAME_LEN 128
8 
9 typedef struct _PH_SYMBOL_PROVIDER
10 {
11  LIST_ENTRY ModulesListHead;
12  PH_QUEUED_LOCK ModulesListLock;
13  HANDLE ProcessHandle;
14  BOOLEAN IsRealHandle;
15  BOOLEAN IsRegistered;
16 
17  PH_INITONCE InitOnce;
18  PH_AVL_TREE ModulesSet;
19  PH_CALLBACK EventCallback;
20 } PH_SYMBOL_PROVIDER, *PPH_SYMBOL_PROVIDER;
21 
22 typedef enum _PH_SYMBOL_RESOLVE_LEVEL
23 {
24  PhsrlFunction,
25  PhsrlModule,
26  PhsrlAddress,
27  PhsrlInvalid
28 } PH_SYMBOL_RESOLVE_LEVEL, *PPH_SYMBOL_RESOLVE_LEVEL;
29 
30 typedef struct _PH_SYMBOL_INFORMATION
31 {
32  ULONG64 Address;
33  ULONG64 ModuleBase;
34  ULONG Index;
35  ULONG Size;
36 } PH_SYMBOL_INFORMATION, *PPH_SYMBOL_INFORMATION;
37 
38 typedef struct _PH_SYMBOL_LINE_INFORMATION
39 {
40  ULONG LineNumber;
41  ULONG64 Address;
42 } PH_SYMBOL_LINE_INFORMATION, *PPH_SYMBOL_LINE_INFORMATION;
43 
44 typedef enum _PH_SYMBOL_EVENT_TYPE
45 {
46  SymbolDeferredSymbolLoadStart = 1,
47  SymbolDeferredSymbolLoadComplete = 2,
48  SymbolDeferredSymbolLoadFailure = 3,
49  SymbolSymbolsUnloaded = 4,
50  SymbolDeferredSymbolLoadCancel = 7
51 } PH_SYMBOL_EVENT_TYPE;
52 
53 typedef struct _PH_SYMBOL_EVENT_DATA
54 {
55  PPH_SYMBOL_PROVIDER SymbolProvider;
56  PH_SYMBOL_EVENT_TYPE Type;
57 
58  ULONG64 BaseAddress;
59  ULONG CheckSum;
60  ULONG TimeStamp;
61  PPH_STRING FileName;
62 } PH_SYMBOL_EVENT_DATA, *PPH_SYMBOL_EVENT_DATA;
63 
64 BOOLEAN
65 NTAPI
66 PhSymbolProviderInitialization(
67  VOID
68  );
69 
70 VOID
71 NTAPI
72 PhSymbolProviderCompleteInitialization(
73  _In_opt_ PVOID DbgHelpBase
74  );
75 
76 PHLIBAPI
77 PPH_SYMBOL_PROVIDER
78 NTAPI
79 PhCreateSymbolProvider(
80  _In_opt_ HANDLE ProcessId
81  );
82 
83 PHLIBAPI
84 BOOLEAN
85 NTAPI
86 PhGetLineFromAddress(
87  _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
88  _In_ ULONG64 Address,
89  _Out_ PPH_STRING *FileName,
90  _Out_opt_ PULONG Displacement,
91  _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information
92  );
93 
94 PHLIBAPI
95 ULONG64
96 NTAPI
97 PhGetModuleFromAddress(
98  _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
99  _In_ ULONG64 Address,
100  _Out_opt_ PPH_STRING *FileName
101  );
102 
103 PHLIBAPI
104 PPH_STRING
105 NTAPI
106 PhGetSymbolFromAddress(
107  _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
108  _In_ ULONG64 Address,
109  _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel,
110  _Out_opt_ PPH_STRING *FileName,
111  _Out_opt_ PPH_STRING *SymbolName,
112  _Out_opt_ PULONG64 Displacement
113  );
114 
115 PHLIBAPI
116 BOOLEAN
117 NTAPI
118 PhGetSymbolFromName(
119  _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
120  _In_ PWSTR Name,
121  _Out_ PPH_SYMBOL_INFORMATION Information
122  );
123 
124 PHLIBAPI
125 BOOLEAN
126 NTAPI
127 PhLoadModuleSymbolProvider(
128  _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
129  _In_ PWSTR FileName,
130  _In_ ULONG64 BaseAddress,
131  _In_ ULONG Size
132  );
133 
134 PHLIBAPI
135 VOID
136 NTAPI
137 PhSetOptionsSymbolProvider(
138  _In_ ULONG Mask,
139  _In_ ULONG Value
140  );
141 
142 PHLIBAPI
143 VOID
144 NTAPI
145 PhSetSearchPathSymbolProvider(
146  _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
147  _In_ PWSTR Path
148  );
149 
150 #ifdef _WIN64
151 NTSTATUS
152 NTAPI
153 PhAccessOutOfProcessFunctionEntry(
154  _In_ HANDLE ProcessHandle,
155  _In_ ULONG64 ControlPc,
156  _Out_ PRUNTIME_FUNCTION Function
157  );
158 #endif
159 
160 ULONG64
161 __stdcall
162 PhGetModuleBase64(
163  _In_ HANDLE hProcess,
164  _In_ DWORD64 dwAddr
165  );
166 
167 PVOID
168 __stdcall
169 PhFunctionTableAccess64(
170  _In_ HANDLE hProcess,
171  _In_ DWORD64 AddrBase
172  );
173 
174 #ifndef _DBGHELP_
175 
176 // Some of the types used below are defined in dbghelp.h.
177 
178 typedef struct _tagSTACKFRAME64 *LPSTACKFRAME64;
179 typedef struct _tagADDRESS64 *LPADDRESS64;
180 
181 typedef BOOL (__stdcall *PREAD_PROCESS_MEMORY_ROUTINE64)(
182  _In_ HANDLE hProcess,
183  _In_ DWORD64 qwBaseAddress,
184  _Out_writes_bytes_(nSize) PVOID lpBuffer,
185  _In_ DWORD nSize,
186  _Out_ LPDWORD lpNumberOfBytesRead
187  );
188 
189 typedef PVOID (__stdcall *PFUNCTION_TABLE_ACCESS_ROUTINE64)(
190  _In_ HANDLE ahProcess,
191  _In_ DWORD64 AddrBase
192  );
193 
194 typedef DWORD64 (__stdcall *PGET_MODULE_BASE_ROUTINE64)(
195  _In_ HANDLE hProcess,
196  _In_ DWORD64 Address
197  );
198 
199 typedef DWORD64 (__stdcall *PTRANSLATE_ADDRESS_ROUTINE64)(
200  _In_ HANDLE hProcess,
201  _In_ HANDLE hThread,
202  _In_ LPADDRESS64 lpaddr
203  );
204 
205 typedef enum _MINIDUMP_TYPE MINIDUMP_TYPE;
206 typedef struct _MINIDUMP_EXCEPTION_INFORMATION *PMINIDUMP_EXCEPTION_INFORMATION;
207 typedef struct _MINIDUMP_USER_STREAM_INFORMATION *PMINIDUMP_USER_STREAM_INFORMATION;
208 typedef struct _MINIDUMP_CALLBACK_INFORMATION *PMINIDUMP_CALLBACK_INFORMATION;
209 
210 #endif
211 
212 PHLIBAPI
213 BOOLEAN
214 NTAPI
215 PhStackWalk(
216  _In_ ULONG MachineType,
217  _In_ HANDLE ProcessHandle,
218  _In_ HANDLE ThreadHandle,
219  _Inout_ LPSTACKFRAME64 StackFrame,
220  _Inout_ PVOID ContextRecord,
221  _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider,
222  _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
223  _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
224  _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine,
225  _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress
226  );
227 
228 PHLIBAPI
229 BOOLEAN
230 NTAPI
231 PhWriteMiniDumpProcess(
232  _In_ HANDLE ProcessHandle,
233  _In_ HANDLE ProcessId,
234  _In_ HANDLE FileHandle,
235  _In_ MINIDUMP_TYPE DumpType,
236  _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
237  _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
238  _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam
239  );
240 
241 // High-level stack walking
242 
243 #define PH_THREAD_STACK_FRAME_I386 0x1
244 #define PH_THREAD_STACK_FRAME_AMD64 0x2
245 #define PH_THREAD_STACK_FRAME_KERNEL 0x4
246 #define PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT 0x100
247 
249 typedef struct _PH_THREAD_STACK_FRAME
250 {
251  PVOID PcAddress;
252  PVOID ReturnAddress;
253  PVOID FrameAddress;
254  PVOID StackAddress;
255  PVOID BStoreAddress;
256  PVOID Params[4];
257  ULONG Flags;
258 } PH_THREAD_STACK_FRAME, *PPH_THREAD_STACK_FRAME;
259 
260 #define PH_WALK_I386_STACK 0x1
261 #define PH_WALK_AMD64_STACK 0x2
262 #define PH_WALK_KERNEL_STACK 0x10
263 
276 typedef BOOLEAN (NTAPI *PPH_WALK_THREAD_STACK_CALLBACK)(
277  _In_ PPH_THREAD_STACK_FRAME StackFrame,
278  _In_opt_ PVOID Context
279  );
280 
281 PHLIBAPI
282 NTSTATUS
283 NTAPI
284 PhWalkThreadStack(
285  _In_ HANDLE ThreadHandle,
286  _In_opt_ HANDLE ProcessHandle,
287  _In_opt_ PCLIENT_ID ClientId,
288  _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider,
289  _In_ ULONG Flags,
290  _In_ PPH_WALK_THREAD_STACK_CALLBACK Callback,
291  _In_opt_ PVOID Context
292  );
293 
294 #endif