《Undocumented Windows 2000 Secrets》翻譯 --- 2(2)
序號
函數名稱
ImageHlp.DLL
DbgHelp.DLL
1
Bindlmage
N/A
2
BindlmageEx
N/A
3
CheckSumMappedFile
N/A
4
EnumerateLoadedModules
5
EnumerateLoadedModules64
6
ExtensionApiVersion
N/A
7
FindDebuglnfoFile
8
FindDebuglnfoFileEx
9
FindExecutablelmage
10
FindExecutablelmageEx
11
FindFilelnSearchPath
12
GetlmageConfiglnformation
N/A
13
GetlmageUnusedHeaderBytes
N/A
14
GetTimestampForLoadedLibrary
15
ImageAddCertificate
N/A
16
ImageDirectoryEntryToData
17
ImageDirectoryEntryToDataEx
18
ImageEnumerateCertificates
N/A
19
ImageGetCertificateData
N/A
20
ImageGetCertificateHeader
N/A
21
ImageGetDigestStream
N/A
22
ImagehlpApiVersion
23
ImagehlpApiVersionEx
24
ImageLoad
N/A
25
ImageNtHeader
26
ImageRemoveCertificate
N/A
27
ImageRvaToSection
28
ImageRvaToVa
29
ImageUnload
N/A
30
MakeSureDirectoryPathExists
31
MapAndLoad
N/A
32
MapDebuglnformation
33
MapFileAndCheckSumA
N/A
34
MapFileAndCheckSumW
N/A
35
ReBaselmage
N/A
36
ReBaseImage64
N/A
37
RemovePrivateCvSymbolic
N/A
38
RemovePrivateCvSymbolicEx
N/A
39
RemoveRelocations
N/A
40
SearchTreeForFile
41
SetlmageConfiglnformation
N/A
42
SplitSymbols
N/A
43
StackWalk
44
StackWalk64
45
Sym
N/A
46
SymCleanup
47
SymEnumerateModules
48
SymEnumerateModules64
49
SymEnumerateSymbols
50
SymEnumerateSymbols64
51
SymEnumerateSymbolsW
52
SymFunctionTableAccess
53
SymFunctionTa ble Access64
54
SymGetLineFromAddr
55
SymGetLineFromAddr64
56
SymGetLineFromName
57
SymGetLineFromName64
58
SymGetLineNext
59
SymGetLineNext64
60
SymGetLinePrev
61
SymGetLinePrev64
62
SymGetModuleBase
63
SymGetModuleBase64
64
SymGetModulelnfo
65
SymGetModuleInfo64
66
SymGetModulelnfo Ex
67
SymGetModulelnfo Ex64
68
SymGetModulelnfoW
69
SymGetModulelnfo W64
70
SymGetOptions
71
SymGetSearchPath
72
SymGetSymbolInfo
73
SymGetSymbolInfo64
74
SymGetSymFromAddr
75
SymGetSymFromAddr64
76
SymGetSymFromName
77
SymGetSymFromName64
78
SymGetSymNext
79
SymGetSymNext64
80
SymGetSymPrev
81
SymGetSymPrev64
82
Symlnitialize
83
SymLoadModule
84
SymLoadModule64
85
SymMatchFileName
86
SymEnumerateSymbolsW64
87
SymRegisterCallback
88
SymRegisterCallback64
89
SymRegisterFunctionEntryCallback
90
SymRegisterFunctionEntryCallback64
91
SymSetOptions
92
SymSetSearchPath
93
SymUnDName
94
SymUnDName64
95
SymUnloadModule
96
SymUnloadModule64
97
TouchFileTimes
N/A
98
UnDecorateSymbolName
99
UnMapAndLoad
N/A
100
UnmapDebuglnformation
101
UpdateDebuglnfoFile
N/A
102
UpdateDebuglnfoFileEx
N/A
103
WinDbgExtensionDllInit
N/A
在本節的示例代碼中,我會演示如何使用psapi.dll和imagehlp.dll完成如下任務:
l 枚舉所有內核組件和驅動程序
l 枚舉系統當前管理的所有進程
l 枚舉加載到進程地址空間的所有模塊(modules)
l 枚舉一個給定組件的所有符號(如果其符號文件可用的話)
psapi.dll的接口并不像其設計的那樣好。它提供了最小的功能集,盡管它曾試圖增加一些便利性。雖然,它能從內核獲取一些信息但卻扔掉了其中的大多數,只留下很少一部分。
由于psapi.dll和imagehlp.dll的函數并不是標準Win32 API的一部分,它們所需的頭文件和導入庫不會自動包括在Visual C/C++工程中。因此,列表1-2中列出的四個指示符(directives)應該在你的原文件中出現。第一部分是所需的頭文件,剩余部分用于和這兩個DLL中的導出函數建立動態鏈接。
#include <imagehlp.h>
#include <psapi.h>
#pragma comment (linker,”/defaultlib:imagehlp.dll”)
#pragma comment (linker,”/defaultlib:psapi.dll”)
列表1-2增加psapi.dll和imagehlp.dll到Visual C/C++工程
譯注:
其實,也可以采用靜態鏈接,如下:
#pragma comment(lib,”psapi.lib”)
#pragma comment(lib,”imagehlp.lib”)
這樣,就不需要目標平臺必須有這兩個DLL了。
光盤中的示列代碼
在本書的附帶光盤中,有兩個工程是構建與psapi.dll和imagehlp.dll之上。其中一個示例工程是w2k_sym.exe----一個Windows 2000符號瀏覽器,它可以從任意符號文件中提取符號名稱(假如你已經安裝了的話)。它輸出的符號表可以按照名稱、地址和大小來排序,同時接受一個采用通配符的過濾器。作為附送功能,w2k_sym.exe還可列出當前活動的系統模塊/驅動程序的名稱,運行的進程和每個進程加載的模塊。另一個示例工程是調試支持庫w2k_dbg.dll,這個庫包含幾個便于使用的針對psapi.dll和imagehlp.dll的外包函數。w2k_sym.exe完全依賴這個DLL。這些工程的源代碼分別位于光盤的srcw2k_dbg和srcw2k_sym目錄。
表1-2列出了w2k_dbg.dll用到的函數名稱。A./W列表示對ANSI和Unicode的支持情況。稍早提示過,psapi.dll同時支持ANSI和Unicode。不幸的是,imagehlp.dll和dbghelp.dll沒有這么聰明,其中幾個函數只能接受ANSI字符串。這有些煩人,因為Windows 2000的調試程序通常不能運行在Windows 9x上,所以不該限制使用Unicode。若將imagehlp.dll假如你的工程中,你就必須選擇是使用ANSI還是來回轉化Unicode字符串。因為我很討厭在一個可處理16位字符串的系統中使用8位的字符串,所以我選擇后一種方法。w2k_dbg.dll導出的所有函數中涉及的字符串默認都是Unicode。所以,如果你在自己的Windows 2000工程中使用這個DLL不需要再關心字符大小問題。
另一方面,imagehlp.dll和dbghelp.dll有一個psapi.dll沒有的特性:他們同樣適用于Win64----讓每個開發人員恐懼的64位Windows,這是因為沒人知道將Win32程序移植到Win64有多困難。這些DLL導出了Win64 API函數,好吧----或許有一天我們會用到他們。
名稱
A/W
庫
EnumDeviceDrivers
psapi.dll
EnumProcesses
psapi.dll
EnumProcessModules
psapi.dll
GetDeviceDriverFileName
A/W
psapi.dll
GetModuleFileNameEx
A/W
psapi.dll
GetModulelnformation
psapi.dll
ImageLoad
A
imagehlp.dll
ImageUnload
imagehlp.dll
SymCleanup
imagehlp.dll
SymEnumerateSymbols
A/W
imagehlp.dll
Symlnitialize
A
imagehlp.dll
SymLoadModule
A
imagehlp.dll
SymUnloadModule
imagehlp.dll
表1-2; w2k_dbg.dll使用的調試函數
我沒有深入的探究psapi.dll和imagehlp.dll。本書的焦點在于未文檔化的接口,而且在SDK中與這兩個DLL的接口有關的文檔還算不錯。可是,我并不打算完全繞過它們,因為它們和Windows 2000 Native API(將在第2章討論)緊密聯系在一起。而且,psapi.dll是證明為什么未文檔化的接口比文檔化的那個更好的最佳實例。該DLL的接口不僅僅只是看上去的簡單和笨拙---在某些地方它竟然會返回明顯矛盾的數據。如果我不得不編寫一個專業的調試工具來出售,我是不會指望這個DLL的。Windows 2000內核提供了強大、通用和更加合適的調試API函數。然而,這些幾乎都沒有文檔化。幸運的是,微軟提供的許多系統工具都廣泛的使用了這些API,so it has undergone only slight changes across Windows NT versions。是的,如果你使用了這些API,每當發布了新版的NT,你就必須修訂和小心的測試你的軟件,但是它們帶來的好處遠大于這些障礙。
本章隨后的大多數示例代碼都來自w2k_dbg.dll,你可以在光盤的srcw2k_dbgw2k_dbg.c中發現它們。這個DLL封裝了多個步驟,以返回更豐富的信息。數據會以合適的大小、鏈表(包括可選的索引值)返回,以便于對它們進行排序等操作。表1-3列出了w2k_dbg.dll導出的所有API函數。這些函數很多,詳細討論每個函數已經超出了本章的范圍,因此我鼓勵你去參考w2k_sym.exe的源代碼(位于光盤srcw2k_symx),來學習它們的典型用法。
表1-3
函數名稱
描 述
dbgBaseDriver
Return the base address and size of a driver, given its path
dbgBaseModule
Return the base address and size of a DLL module
dbgCrc32Block
Compute the CRC32 of a memory block
dbgCrc32Byte
Bytewise computation of a CRC32
dbgCrc32Start
CRC32 preconditioning
dbgCrc32Stop
CRC32 postconditioning
dbgDriverAdd
Add a driver entry to a list of drivers
dbgDriverAddresses
Return an array of driver addresses (EnumDeviceDrivers ( ) wrapper)
dbgDriverlndex
Create an indexed (and optionally sorted) driver list
dbgDriverList
Create a flat driver list
dbgFileClose
Close a disk file
dbgFileLoad
Load the contents of a disk file to a memory block
dbgFileNew
Create a new disk file
dbgFileOpen
Open an existing disk file
dbgFileRoot
Get the offset of the root token in a file path
dbgFileSave
Save a memory block to a disk file
dbgFileUnload
Free a memory block created by dbgFileLoad ( )
dbglndexCompare
Compare two entrIEs referenced by an index (used by dbgindexsort ( ) )
dbglndexCreate
Create a pointer index on an object list
dbglndexCreateEx
Create a sorted pointer index on an object list
dbglndexDestroy
Free the memory used by an index and its associated list
dbglndexDestroyEx
Free the memory used by a two-dimensional index and its associated lists
dbglndexList
Create a flat copy of a list from its index
dbglndexListEx
Create a flat copy of a two-dimensional list from its index
dbglndexReverse
Reverse the order of the list entries referenced by an index
dbglndexSave
Save the memory image of an indexed list to a disk file
dbglndexSaveEx
Save the memory image of a two-dimensional indexed list to a disk file
dbglndexSort
Sort the list entries referenced by an index by address, size, ID, or name
dbgListCreate
Create an empty list
dbgListCreateEx
Create an empty list with reserved space
dbgListDestroy
Free the memory used by a list
dbgListFinish
Terminate a sequentially built list and trim any unused memory
dbgListlndex
Create a pointer index on an object list
dbgListLoad
Create a list from a disk file image
dbgListNext
Update the list header after adding an entry
dbgListResize
Reserve memory for additional list entries
dbgListSave
Save the memory image of a list to a disk file
dbgMemory
Align Round up a byte count to the next 64-bit boundary
dbgMemoryAlignEx
Round up a string character count to the next 64-bit boundary
dbgMemoryBase
Query the internal base address of a heap memory block
dbgMemoryBaseEx
Query the internal base address of an individually tagged heap memory block
dbgMemoryCreate
Allocate a memory block from the heap
dbgMemoryCreateEx
Allocate an individually tagged memory block from the heap
dbgMemoryDestroy
Return a memory block to the heap
dbgMemoryDestroyEx
Return an individually tagged memory block to the heap
dbgMemoryReset
Reset the memory usage statistics
dbgMemoryResize
Change the allocated size of a heap memory block
dbgMemoryResizeEx
Change the allocated size of an individually tagged heap memory block
dbgMemoryStatus
Query the memory usage statistics
dbgMemory
Track Update the memory usage statistics
dbgModulelndex
Create an indexed (and optionally sorted) process module sub-list
dbgModuleList
Create a flat process module sub-list
dbgPathDriver
Build a default driver path specification
dbgPathFile
Get the offset of the file name token in a file path
dbgPrivilegeDebug
Request the debug privilege for the calling process
dbgPrivilegeSet
Request the specified privilege for the calling process
dbgProcessAdd
Add a process entry to a list of processes
dbgProcessGuess
Guess the default display name of an anonymous system process
dbgProcessIds
Return an array of process IDs (EnumProcesses ( ) wrapper)
dbgProcessIndex
Create an indexed (and optionally sorted) process list
dbgProcessIndexEx
Create a two-dimensional indexed (and optionally sorted) process/module list
dbgProcessList
Create a flat process list
dbgProcessModules
Return a list of process module handles (EnumProcessModules ( )wrapper)
dbgSizeDivide
Divide a byte count by a power of two, optionally rounding up or down
dbgSizeKB
Convert bytes to KB, optionally rounding up or down
dbgSizeMB
Convert bytes to MB, optionally rounding up or down
dbgStringAnsi
Convert a Unicode string to ANSI
dbgStringDay
Get the name of a day given a day-of-week number
dbgStringMatch
Apply a wildcard filter to a string
dbgSymbolCallback
Add a symbol entry to a list of symbols (called by SymEnumerateSymbols ( ) )
dbgSymbolIndex
Create an indexed (and optionally sorted) symbol list
dbgSymbolList
Create a flat symbol list
dbgSymbolLoad
Load a module's symbol table
dbgSymbolLookup
Look up a symbol name and optional offset given a memory address
dbgSymbolUnload
Unload a module's symbol table
網公網安備