📄 imagehlp.pas
ReservedTimeDateStamp: DWORD;
ReservedRomImage: BOOL;
ReservedDebugDirectory: PIMAGE_DEBUG_DIRECTORY;
ReservedNumberOfDebugDirectories: DWORD;
ReservedOriginalFunctionTableBaseAddress: DWORD;
Reserved: array [0..1] of DWORD;
end;
{$EXTERNALSYM _IMAGE_DEBUG_INFORMATION}
// Header-name alias for the _IMAGE_DEBUG_INFORMATION record that ends just
// above, followed by the Delphi-style T/P aliases for the record and for
// its pointer type.
IMAGE_DEBUG_INFORMATION = _IMAGE_DEBUG_INFORMATION;
{$EXTERNALSYM IMAGE_DEBUG_INFORMATION}
TImageDebugInformation = IMAGE_DEBUG_INFORMATION;
PImageDebugInformation = PIMAGE_DEBUG_INFORMATION;
// MapDebugInformation takes a file handle, an ANSI file name, an ANSI symbol
// search path and an image base, and returns a pointer to an
// IMAGE_DEBUG_INFORMATION record.
// ImageBase is declared as DWORD, so only 32-bit base addresses can be
// passed through this prototype.
// NOTE(review): Microsoft's documentation marks this pair of functions as
// obsolete; confirm before relying on them in new tooling.
function MapDebugInformation(FileHandle: HANDLE; FileName, SymbolPath: PSTR;
ImageBase: DWORD): PIMAGE_DEBUG_INFORMATION; stdcall;
{$EXTERNALSYM MapDebugInformation}
// UnmapDebugInformation takes the pointer type that MapDebugInformation
// returns. Presumably it releases that mapping, so the pointer should not be
// used after a successful call — confirm against the SDK documentation.
function UnmapDebugInformation(DebugInfo: PIMAGE_DEBUG_INFORMATION): BOOL; stdcall;
{$EXTERNALSYM UnmapDebugInformation}
// Takes a root path and an input path name and writes its result into
// OutputPathBuffer; all three are ANSI strings.
// The prototype carries no length for OutputPathBuffer, so the callee cannot
// know how large the caller's buffer is: the caller alone is responsible for
// making it large enough.
// NOTE(review): the SDK documentation requires a buffer of at least MAX_PATH
// characters — confirm the exact requirement and allocate accordingly.
function SearchTreeForFile(RootPath, InputPathName, OutputPathBuffer: PSTR): BOOL; stdcall;
{$EXTERNALSYM SearchTreeForFile}
// Takes a single ANSI path and returns a BOOL result.
// NOTE(review): as the name indicates, this presumably creates any missing
// directories along DirPath. The prototype has no root-directory or
// security-descriptor argument, so when DirPath is built from external input
// the caller should canonicalise it and check that it stays under the
// intended parent directory before calling.
function MakeSureDirectoryPathExists(DirPath: PCSTR): BOOL; stdcall;
{$EXTERNALSYM MakeSureDirectoryPathExists}
//
// UnDecorateSymbolName Flags
//
// Bit flags for the Flags parameter of UnDecorateSymbolName.
// UNDNAME_COMPLETE is zero (no restriction bits set); every other value is a
// single bit except UNDNAME_NO_THISTYPE, which is $0020 and $0040 combined.
// Entries whose comment starts with NYI are marked "not yet implemented" by
// the original header.
const
UNDNAME_COMPLETE = ($0000); // Enable full undecoration
{$EXTERNALSYM UNDNAME_COMPLETE}
UNDNAME_NO_LEADING_UNDERSCORES = ($0001); // Remove leading underscores from MS extended keywords
{$EXTERNALSYM UNDNAME_NO_LEADING_UNDERSCORES}
UNDNAME_NO_MS_KEYWORDS = ($0002); // Disable expansion of MS extended keywords
{$EXTERNALSYM UNDNAME_NO_MS_KEYWORDS}
UNDNAME_NO_FUNCTION_RETURNS = ($0004); // Disable expansion of return type for primary declaration
{$EXTERNALSYM UNDNAME_NO_FUNCTION_RETURNS}
UNDNAME_NO_ALLOCATION_MODEL = ($0008); // Disable expansion of the declaration model
{$EXTERNALSYM UNDNAME_NO_ALLOCATION_MODEL}
UNDNAME_NO_ALLOCATION_LANGUAGE = ($0010); // Disable expansion of the declaration language specifier
{$EXTERNALSYM UNDNAME_NO_ALLOCATION_LANGUAGE}
UNDNAME_NO_MS_THISTYPE = ($0020); // NYI Disable expansion of MS keywords on the 'this' type for primary declaration
{$EXTERNALSYM UNDNAME_NO_MS_THISTYPE}
UNDNAME_NO_CV_THISTYPE = ($0040); // NYI Disable expansion of CV modifiers on the 'this' type for primary declaration
{$EXTERNALSYM UNDNAME_NO_CV_THISTYPE}
UNDNAME_NO_THISTYPE = ($0060); // Disable all modifiers on the 'this' type
{$EXTERNALSYM UNDNAME_NO_THISTYPE}
UNDNAME_NO_ACCESS_SPECIFIERS = ($0080); // Disable expansion of access specifiers for members
{$EXTERNALSYM UNDNAME_NO_ACCESS_SPECIFIERS}
UNDNAME_NO_THROW_SIGNATURES = ($0100); // Disable expansion of 'throw-signatures' for functions and pointers to functions
{$EXTERNALSYM UNDNAME_NO_THROW_SIGNATURES}
UNDNAME_NO_MEMBER_TYPE = ($0200); // Disable expansion of 'static' or 'virtual'ness of members
{$EXTERNALSYM UNDNAME_NO_MEMBER_TYPE}
UNDNAME_NO_RETURN_UDT_MODEL = ($0400); // Disable expansion of MS model for UDT returns
{$EXTERNALSYM UNDNAME_NO_RETURN_UDT_MODEL}
UNDNAME_32_BIT_DECODE = ($0800); // Undecorate 32-bit decorated names
{$EXTERNALSYM UNDNAME_32_BIT_DECODE}
UNDNAME_NAME_ONLY = ($1000); // Crack only the name for primary declaration;
{$EXTERNALSYM UNDNAME_NAME_ONLY}
// (UNDNAME_NAME_ONLY, continued) return just [scope::]name. Does expand template params
UNDNAME_NO_ARGUMENTS = ($2000); // Don't undecorate arguments to function
{$EXTERNALSYM UNDNAME_NO_ARGUMENTS}
UNDNAME_NO_SPECIAL_SYMS = ($4000); // Don't undecorate special names (v-table, vcall, vector xxx, metatype, etc)
{$EXTERNALSYM UNDNAME_NO_SPECIAL_SYMS}
// Converts DecoratedName into UnDecoratedName under control of the UNDNAME_*
// Flags declared above.
// UnDecoratedName is a caller-supplied ANSI output buffer and
// UndecoratedLength is the size the caller reports for it; pass the real
// allocated size, never an estimate, because the callee can only bound its
// writes by this value.
// NOTE(review): the SDK documentation describes the result as the number of
// characters written, with 0 meaning failure — confirm, and check the result
// before using the buffer. Decorated names read from binaries that are not
// trusted should be handled as untrusted input.
function UnDecorateSymbolName(DecoratedName: PCSTR; UnDecoratedName: PSTR;
UndecoratedLength: DWORD; Flags: DWORD): DWORD; stdcall;
{$EXTERNALSYM UnDecorateSymbolName}
//
// StackWalking API
//
// Addressing mode stored in the Mode field of the ADDRESS and ADDRESS64
// records. The four values are declared in this order, so their ordinals are
// 0..3.
// NOTE(review): the storage size of a Pascal enumeration depends on the
// minimum-enum-size compiler setting, which is not visible in this part of
// the file. The records that embed this type are passed to an external
// stdcall API, so confirm the unit forces a 4-byte enum; a smaller enum
// would change the record layout the API reads and writes.
type
ADDRESS_MODE = (
AddrMode1616,
AddrMode1632,
AddrModeReal,
AddrModeFlat);
{$EXTERNALSYM ADDRESS_MODE}
TAddressMode = ADDRESS_MODE;
// Address record for the 64-bit stack-walking declarations: a DWORD64
// Offset, a WORD Segment and the ADDRESS_MODE that says how to interpret
// them, plus the header-name and Delphi-style aliases.
// NOTE(review): the EXTERNALSYM directive on the next-but-one line names
// PADDRESS64, while the type declared just before it is LPADDRESS64 —
// confirm which symbol was meant to be marked external.
LPADDRESS64 = ^ADDRESS64;
{$EXTERNALSYM PADDRESS64}
_tagADDRESS64 = record
Offset: DWORD64;
Segment: WORD;
Mode: ADDRESS_MODE;
end;
{$EXTERNALSYM _tagADDRESS64}
ADDRESS64 = _tagADDRESS64;
{$EXTERNALSYM ADDRESS64}
TAddress64 = ADDRESS64;
PAddress64 = LPADDRESS64;
// 32-bit counterpart of ADDRESS64: the same three fields, with Offset
// declared as DWORD instead of DWORD64.
// NOTE(review): the EXTERNALSYM directive on the next-but-one line names
// PADDRESS, while the type declared just before it is LPADDRESS — confirm
// which symbol was meant to be marked external.
LPADDRESS = ^ADDRESS;
{$EXTERNALSYM PADDRESS}
_tagADDRESS = record
Offset: DWORD;
Segment: WORD;
Mode: ADDRESS_MODE;
end;
{$EXTERNALSYM _tagADDRESS}
ADDRESS = _tagADDRESS;
{$EXTERNALSYM ADDRESS}
TAddress = ADDRESS;
PAddress = LPADDRESS;
// Conversion helpers between the ADDRESS and ADDRESS64 records. In both
// procedures the first parameter is the source and the second the
// destination, going by the parameter names.
// Unlike the API prototypes around them these carry no stdcall directive;
// presumably they are implemented in this unit rather than imported —
// confirm in the implementation section.
// NOTE(review): Address64To32 has to fit a DWORD64 Offset into a DWORD;
// how the upper 32 bits are handled is not visible here — check the
// implementation before using it on addresses above 4 GB.
procedure Address32To64(a32: LPADDRESS; a64: LPADDRESS64);
{$EXTERNALSYM Address32To64}
procedure Address64To32(a64: LPADDRESS64; a32: LPADDRESS);
{$EXTERNALSYM Address64To32}
//
// This structure is included in the STACKFRAME structure,
// and is used to trace through usermode callbacks in a thread's
// kernel stack. The values must be copied by the kernel debugger
// from the DBGKD_GET_VERSION and WAIT_STATE_CHANGE packets.
//
//
// New KDHELP structure for 64 bit system support.
// This structure is preferred in new code.
//
// 64-bit kernel-debugger helper record embedded in STACKFRAME64 (its KdHelp
// field). Thread, KiCallUserMode, KeUserCallbackDispatcher and
// SystemRangeStart are DWORD64; the offset fields stay DWORD.
// Field order differs from the 32-bit KDHELP record: ThCallbackBStore is the
// third field here, so the two layouts cannot be overlaid.
type
PKDHELP64 = ^KDHELP64;
{$EXTERNALSYM PKDHELP64}
_KDHELP64 = record
//
// address of kernel thread object, as provided in the
// WAIT_STATE_CHANGE packet.
//
Thread: DWORD64;
//
// offset in thread object to pointer to the current callback frame
// in kernel stack.
//
ThCallbackStack: DWORD;
//
// offset in thread object to pointer to the current callback backing
// store frame in kernel stack.
//
ThCallbackBStore: DWORD;
//
// offsets to values in frame:
//
// address of next callback frame
NextCallback: DWORD;
// address of saved frame pointer (if applicable)
FramePointer: DWORD;
//
// Address of the kernel function that calls out to user mode
//
KiCallUserMode: DWORD64;
//
// Address of the user mode dispatcher function
//
KeUserCallbackDispatcher: DWORD64;
//
// Lowest kernel mode address
//
SystemRangeStart: DWORD64;
// Eight reserved DWORD64 slots; their use is not described in this file.
Reserved: array [0..7] of DWORD64;
end;
{$EXTERNALSYM _KDHELP64}
KDHELP64 = _KDHELP64;
{$EXTERNALSYM KDHELP64}
TKdHelp64 = KDHELP64;
// Left commented out: Pascal identifiers are case-insensitive, so PKdHelp64
// would redeclare the PKDHELP64 pointer type declared at the top of this block.
//PKdHelp64 = PKDHELP64;
// 32-bit kernel-debugger helper record embedded in STACKFRAME (its KdHelp
// field). Every field is a DWORD.
// Field order differs from KDHELP64: ThCallbackBStore comes after
// SystemRangeStart here, so the two layouts cannot be overlaid.
PKDHELP = ^KDHELP;
{$EXTERNALSYM PKDHELP}
_KDHELP = record
//
// address of kernel thread object, as provided in the
// WAIT_STATE_CHANGE packet.
//
Thread: DWORD;
//
// offset in thread object to pointer to the current callback frame
// in kernel stack.
//
ThCallbackStack: DWORD;
//
// offsets to values in frame:
//
// address of next callback frame
NextCallback: DWORD;
// address of saved frame pointer (if applicable)
FramePointer: DWORD;
//
// Address of the kernel function that calls out to user mode
//
KiCallUserMode: DWORD;
//
// Address of the user mode dispatcher function
//
KeUserCallbackDispatcher: DWORD;
//
// Lowest kernel mode address
//
SystemRangeStart: DWORD;
//
// offset in thread object to pointer to the current callback backing
// store frame in kernel stack.
//
ThCallbackBStore: DWORD;
// Eight reserved DWORD slots; their use is not described in this file.
Reserved: array [0..7] of DWORD;
end;
{$EXTERNALSYM _KDHELP}
KDHELP = _KDHELP;
{$EXTERNALSYM KDHELP}
TKdHelp = KDHELP;
// Left commented out: Pascal identifiers are case-insensitive, so PKdHelp
// would redeclare the PKDHELP pointer type declared at the top of this block.
//PKdHelp = PKDHELP;
// Conversion helper from a KDHELP record (p32) to a KDHELP64 record (p64),
// going by the parameter names and types.
// It carries no stdcall directive, unlike the API prototypes in this file;
// presumably it is implemented in this unit — confirm in the implementation
// section. The two records order their fields differently, so the conversion
// has to be field by field rather than a block copy.
procedure KdHelp32To64(p32: PKDHELP; p64: PKDHELP64);
{$EXTERNALSYM KdHelp32To64}
// Stack frame record passed by reference to StackWalk64. It embeds five
// ADDRESS64 records and a KDHELP64 record, so its layout depends on theirs.
// NOTE(review): the SDK documentation expects the caller to zero the record
// and fill in the starting addresses (AddrPC, AddrFrame, AddrStack) before
// the first StackWalk64 call — confirm, and avoid passing an uninitialised
// record.
type
LPSTACKFRAME64 = ^STACKFRAME64;
{$EXTERNALSYM LPSTACKFRAME64}
_tagSTACKFRAME64 = record
AddrPC: ADDRESS64; // program counter
AddrReturn: ADDRESS64; // return address
AddrFrame: ADDRESS64; // frame pointer
AddrStack: ADDRESS64; // stack pointer
AddrBStore: ADDRESS64; // backing store pointer
FuncTableEntry: PVOID; // pointer to pdata/fpo or NULL
Params: array [0..3] of DWORD64; // possible arguments to the function
Far: BOOL; // WOW far call
Virtual: BOOL; // is this a virtual frame?
Reserved: array [0..2] of DWORD64;
KdHelp: KDHELP64;
end;
{$EXTERNALSYM _tagSTACKFRAME64}
STACKFRAME64 = _tagSTACKFRAME64;
{$EXTERNALSYM STACKFRAME64}
TStackFrame64 = STACKFRAME64;
PStackFrame64 = LPSTACKFRAME64;
// 32-bit stack frame record passed by reference to StackWalk. It embeds
// ADDRESS and KDHELP records.
// Field order differs from STACKFRAME64: AddrBStore is the last field here
// and the fifth field there, so the two records are not layout-compatible
// beyond the width of their members.
LPSTACKFRAME = ^STACKFRAME;
{$EXTERNALSYM LPSTACKFRAME}
_tagSTACKFRAME = record
AddrPC: ADDRESS; // program counter
AddrReturn: ADDRESS; // return address
AddrFrame: ADDRESS; // frame pointer
AddrStack: ADDRESS; // stack pointer
FuncTableEntry: PVOID; // pointer to pdata/fpo or NULL
Params: array [0..3] of DWORD; // possible arguments to the function
Far: BOOL; // WOW far call
Virtual: BOOL; // is this a virtual frame?
Reserved: array [0..2] of DWORD;
KdHelp: KDHELP;
AddrBStore: ADDRESS; // backing store pointer
end;
{$EXTERNALSYM _tagSTACKFRAME}
STACKFRAME = _tagSTACKFRAME;
{$EXTERNALSYM STACKFRAME}
TStackFrame = STACKFRAME;
PStackFrame = LPSTACKFRAME;
// Callback types accepted by StackWalk64. Each has a header-name
// declaration followed by a Delphi-style alias. All are stdcall.
//
// Memory reader: asked to copy nSize bytes starting at qwBaseAddress in
// hProcess into lpBuffer, and to report the count through the var parameter
// lpNumberOfBytesRead.
// NOTE(review): an implementation should never write more than nSize bytes
// to lpBuffer and should set lpNumberOfBytesRead on every path; whether a
// short read must return FALSE should be confirmed against the SDK
// documentation.
PREAD_PROCESS_MEMORY_ROUTINE64 = function (hProcess: HANDLE; qwBaseAddress: DWORD64;
lpBuffer: PVOID; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL; stdcall;
{$EXTERNALSYM PREAD_PROCESS_MEMORY_ROUTINE64}
PReadProcessMemoryRoutine64 = PREAD_PROCESS_MEMORY_ROUTINE64;
// Function-table lookup: takes a process handle and an address, returns an
// untyped pointer.
PFUNCTION_TABLE_ACCESS_ROUTINE64 = function (hProcess: HANDLE;
AddrBase: DWORD64): PVOID; stdcall;
{$EXTERNALSYM PFUNCTION_TABLE_ACCESS_ROUTINE64}
PFunctionTableAccessRoutine64 = PFUNCTION_TABLE_ACCESS_ROUTINE64;
// Module-base lookup: takes a process handle and an address, returns a
// 64-bit value (the module base, going by the type name).
PGET_MODULE_BASE_ROUTINE64 = function (hProcess: HANDLE;
Address: DWORD64): DWORD64; stdcall;
{$EXTERNALSYM PGET_MODULE_BASE_ROUTINE64}
PGetModuleBaseRoutine64 = PGET_MODULE_BASE_ROUTINE64;
// Address translation: receives an ADDRESS64 record by const reference and
// returns a 64-bit value.
PTRANSLATE_ADDRESS_ROUTINE64 = function (hProcess: HANDLE; hThread: HANDLE;
const lpaddr: ADDRESS64): DWORD64; stdcall;
{$EXTERNALSYM PTRANSLATE_ADDRESS_ROUTINE64}
PTranslateAddressRoutine64 = PTRANSLATE_ADDRESS_ROUTINE64;
// Stack-walking entry point for the 64-bit record types. StackFrame is a
// var parameter, so the record is both read and written by the call;
// ContextRecord is an untyped pointer; the last four parameters are the
// caller-supplied callbacks declared above.
// NOTE(review): the SDK documentation states that the context record may be
// modified by the call and that DbgHelp functions are single threaded.
// Pass a private copy of the thread context and serialise calls — confirm.
// When the walked process is not trusted (crash triage, incident response),
// everything obtained through ReadMemoryRoutine is controlled by that
// process: bound the number of frames walked and validate frame addresses
// before acting on them.
function StackWalk64(MachineType: DWORD; hProcess: HANDLE; hThread: HANDLE;
var StackFrame: STACKFRAME64; ContextRecord: PVOID;
ReadMemoryRoutine: PREAD_PROCESS_MEMORY_ROUTINE64;
FunctionTableAccessRoutine: PFUNCTION_TABLE_ACCESS_ROUTINE64;
GetModuleBaseRoutine: PGET_MODULE_BASE_ROUTINE64;
TranslateAddress: PTRANSLATE_ADDRESS_ROUTINE64): BOOL; stdcall;
{$EXTERNALSYM StackWalk64}
// 32-bit callback types accepted by StackWalk. They mirror the ...64
// variants with DWORD addresses and return values in place of DWORD64.
// All are stdcall.
type
// Memory reader: asked to copy nSize bytes starting at lpBaseAddress in
// hProcess into lpBuffer, and to report the count through the var parameter
// lpNumberOfBytesRead.
// NOTE(review): an implementation should never write more than nSize bytes
// to lpBuffer and should set lpNumberOfBytesRead on every path.
PREAD_PROCESS_MEMORY_ROUTINE = function (hProcess: HANDLE;
lpBaseAddress: DWORD; lpBuffer: PVOID; nSize: DWORD;
var lpNumberOfBytesRead: DWORD): BOOL; stdcall;
{$EXTERNALSYM PREAD_PROCESS_MEMORY_ROUTINE}
// The alias is spelled with a lower-case 'r', unlike PReadProcessMemoryRoutine64;
// Pascal identifiers are case-insensitive, so this affects readability only.
PreadProcessMemoryRoutine = PREAD_PROCESS_MEMORY_ROUTINE;
// Function-table lookup: takes a process handle and an address, returns an
// untyped pointer.
PFUNCTION_TABLE_ACCESS_ROUTINE = function (hProcess: HANDLE; AddrBase: DWORD): PVOID; stdcall;
{$EXTERNALSYM PFUNCTION_TABLE_ACCESS_ROUTINE}
PFunctionTableAccessRoutine = PFUNCTION_TABLE_ACCESS_ROUTINE;
// Module-base lookup: takes a process handle and an address, returns a
// 32-bit value (the module base, going by the type name).
PGET_MODULE_BASE_ROUTINE = function (hProcess: HANDLE; Address: DWORD): DWORD; stdcall;
{$EXTERNALSYM PGET_MODULE_BASE_ROUTINE}
PGetModuleBaseRoutine = PGET_MODULE_BASE_ROUTINE;
// Address translation: receives an ADDRESS record by const reference and
// returns a 32-bit value.
PTRANSLATE_ADDRESS_ROUTINE = function (hProcess: HANDLE; hThread: HANDLE;
const lpaddr: ADDRESS): DWORD; stdcall;
{$EXTERNALSYM PTRANSLATE_ADDRESS_ROUTINE}
PTranslateAddressRoutine = PTRANSLATE_ADDRESS_ROUTINE;
// Stack-walking entry point for the 32-bit record types. Same parameter
// shape as StackWalk64, using STACKFRAME and the 32-bit callback types, so
// every address it exchanges is limited to a DWORD.
// StackFrame is a var parameter: the record is both read and written.
// NOTE(review): the SDK documentation states that the context record may be
// modified by the call and that DbgHelp functions are single threaded.
// Pass a private copy of the thread context and serialise calls — confirm.
// Data returned through ReadMemoryRoutine comes from the walked process and
// should be treated as untrusted when that process is.
function StackWalk(MachineType: DWORD; hProcess: HANDLE; hThread: HANDLE;
var StackFrame: STACKFRAME; ContextRecord: PVOID;
ReadMemoryRoutine: PREAD_PROCESS_MEMORY_ROUTINE;
FunctionTableAccessRoutine: PFUNCTION_TABLE_ACCESS_ROUTINE;
GetModuleBaseRoutine: PGET_MODULE_BASE_ROUTINE;
TranslateAddress: PTRANSLATE_ADDRESS_ROUTINE): BOOL; stdcall;
{$EXTERNALSYM StackWalk}
// API version constant carried over from the C header under the same name.
// Nothing in this part of the file consumes it.
const
API_VERSION_NUMBER = 9;
{$EXTERNALSYM API_VERSION_NUMBER}
// Version record exchanged with ImagehlpApiVersion and ImagehlpApiVersionEx:
// four USHORT fields (major, minor, revision, reserved), with header-name
// and Delphi-style aliases for the record and its pointer.
type
LPAPI_VERSION = ^API_VERSION;
{$EXTERNALSYM LPAPI_VERSION}
API_VERSION = record
MajorVersion: USHORT;
MinorVersion: USHORT;
Revision: USHORT;
Reserved: USHORT;
end;
{$EXTERNALSYM API_VERSION}
TApiVersion = API_VERSION;
PApiVersion = LPAPI_VERSION;
// Both functions return a pointer to an API_VERSION record.
// The Ex variant additionally takes the caller's API_VERSION by const
// reference.
// NOTE(review): the returned pointer is presumably owned by the library and
// must not be freed or written through by the caller — confirm against the
// SDK documentation.
function ImagehlpApiVersion: LPAPI_VERSION; stdcall;
{$EXTERNALSYM ImagehlpApiVersion}
function ImagehlpApiVersionEx(const AppVersion: API_VERSION): LPAPI_VERSION; stdcall;
{$EXTERNALSYM ImagehlpApiVersionEx}
// Takes a module handle and returns a DWORD timestamp.
// NOTE(review): the value presumably comes from the loaded image's header,
// which is set at build time and can be rewritten; treat it as an identifier
// for matching symbols, not as evidence of when or by whom a module was
// built. Confirm the failure return value against the SDK documentation.
function GetTimestampForLoadedLibrary(Module: HMODULE): DWORD; stdcall;
{$EXTERNALSYM GetTimestampForLoadedLibrary}
//
// typedefs for function pointers
//
// Enumeration callback types (stdcall). Both receive an ANSI name, a 64-bit
// address and the caller's opaque UserContext pointer, and return BOOL.
// NOTE(review): the BOOL result presumably tells the enumerator whether to
// continue — confirm against the SDK documentation. UserContext is passed
// through untyped, so the callback must cast it back to exactly the type the
// caller supplied.
type
// Called per module with its name and base address.
PSYM_ENUMMODULES_CALLBACK64 = function (ModuleName: PSTR; BaseOfDll: DWORD64;
UserContext: PVOID): BOOL; stdcall;
{$EXTERNALSYM PSYM_ENUMMODULES_CALLBACK64}
PSymEnummodulesCallback64 = PSYM_ENUMMODULES_CALLBACK64;
// Called per symbol with its name, address and size.
PSYM_ENUMSYMBOLS_CALLBACK64 = function (SymbolName: PSTR; SymbolAddress: DWORD64;
SymbolSize: ULONG; UserContext: PVOID): BOOL; stdcall;
{$EXTERNALSYM PSYM_ENUMSYMBOLS_CALLBACK64}