解析pdb文件得到未导出变量地址（转）

程序要用到dbghelp.dll中的一些函数
http://msdn.microsoft.com/en-us/library/ms679291%28VS.85%29.aspx
要自己下载系统对应的符号文件

首先是一些初始化的东西：
设置符号选项，调用下面两个函数
   DWORD Options = SymGetOptions(); 
   Options = Options|SYMOPT_DEBUG;
   SymSetOptions(Options);

调用SymInitialize函数进行初始化（这是必须的）
   hProcess = GetCurrentProcess();
   BOOL bRet = SymInitialize(hProcess,0,FALSE);
   if(!bRet)
   {
    printf("SymInitialize error ... ");
   }
可以用函数SymSetSearchPath(hProcess,SymbolPath);设置符号搜索路径

然后用SymLoadModule64加载模块，这里是ntoskrnl.exe
char FileName[256] ;
GetSystemDirectory(FileName,sizeof(FileName));
strcat(FileName,"\ntoskrnl.exe");
BaseOfDll = SymLoadModule64(hProcess,NULL,FileName,NULL,0,0);

BaseOfDll返回加载的基址

然后就可以调用SymEnumSymbols查询符号了
SymEnumSymbols(hProcess,BaseOfDll,0,EnumSymCallBack,0);
参数EnumSymCallBack是一个回调函数，在里面得到未导出函数的VA，

BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo,ULONG SymbolSize,PVOID UserContext)
/*
   参数pSymInfo结构Name成员是符号名，Address是符号地址（The virtual address of the start of the symbol）
*/
{ 
   if(strcmp((pSymInfo->Name), "PspCreateProcessNotifyRoutine")==0)
   {
    printf("Oh,yeah! %s :%0x ",pSymInfo->Name,pSymInfo->Address);
   }
   return TRUE;
}



完整代码： 
[code]
#include <stdio.h>
#include <windows.h>
#include "dbghelp.h"

#pragma comment(lib,"dbghelp.lib")

BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo,ULONG SymbolSize,PVOID UserContext);

int main(int argc, char* argv[])
{
HANDLE hProcess;
DWORD64 BaseOfDll;
PIMAGEHLP_SYMBOL pSymbol = NULL;

DWORD Options = SymGetOptions();

Options = Options|SYMOPT_DEBUG;
SymSetOptions(Options);

hProcess = GetCurrentProcess();
BOOL bRet = SymInitialize(hProcess,0,FALSE);
if(!bRet)
{
   printf("SymInitialize error ... ");
}
char SymbolPath[256];
GetCurrentDirectory(sizeof(SymbolPath),SymbolPath);
strcat(SymbolPath,"\symbols");
SymSetSearchPath(hProcess,SymbolPath);

char FileName[256] ;
GetSystemDirectory(FileName,sizeof(FileName));
strcat(FileName,"\ntoskrnl.exe");
BaseOfDll = SymLoadModule64(hProcess,NULL,FileName,NULL,0,0);
if(BaseOfDll == 0)
{
   DWORD nErr = GetLastError();
}
SymEnumSymbols(hProcess,BaseOfDll,0,EnumSymCallBack,0);
SymUnloadModule64(hProcess,BaseOfDll);
SymCleanup(hProcess);
for(;;);

return 0;
}

BOOL CALLBACK EnumSymCallBack(PSYMBOL_INFO pSymInfo,ULONG SymbolSize,PVOID UserContext)
{ 
if(strcmp((pSymInfo->Name), "PspCreateProcessNotifyRoutine")==0)
{
   printf("Oh,yeah! %s :%0x ",pSymInfo->Name,pSymInfo->Address);
}
if(strcmp((pSymInfo->Name), "PspLoadImageNotifyRoutine")==0)
{
   printf("Oh,yeah! %s :%0x ",pSymInfo->Name,pSymInfo->Address);
}
if(strcmp((pSymInfo->Name), "PspCreateThreadNotifyRoutine")==0)
{
   printf("Oh,yeah! %s :%0x ",pSymInfo->Name,pSymInfo->Address);
}
if(strcmp((pSymInfo->Name), "CmpCallBackVector")==0)
{
   printf("Oh,yeah! %s :%0x ",pSymInfo->Name,pSymInfo->Address);
}
if(strcmp((pSymInfo->Name), "KeBugCheckCallBackListHead")==0)
{
   printf("Oh,yeah! %s :%0x ",pSymInfo->Name,pSymInfo->Address);
}

return TRUE;
}

jpg改rar