
I wrote a small program that uses the dbghelp library to print all the symbols for some executable. The main enumeration function that I call is SymEnumSymbols, which should receive a callback that is called for each symbol. I tried to run the program on kernel32.dll and I have encountered 2 strange issues:

1) There are symbols that are situated at the same address but they are equal in all the field values of the SYMBOL_INFO structure (besides the unique index field) - so how can I distinguish between them? (for example: 0x6b814c23 - StringCopyWorkerW)

2) In some cases there are two symbols with the same characteristics at the same address. (When I opened the file in IDA I saw that there are two exported entries - but one is a function and the other isn't; for example: WerGetFlag and WerGetFlagsWorker, which are at 0x6b84c840.)

Thanks!

Here is the code:

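```c
#include <windows.h>
#include <dbghelp.h>
#include <stdio.h>

/* Called by SymEnumSymbols once for every symbol in the module. */
BOOL CALLBACK EnumSymProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    (void)SymbolSize;
    (void)UserContext;
    /* Print props of the current symbol */
    printf("%08llx", pSymInfo->Address);   /* Address is a ULONG64 */
    printf("|%lu", pSymInfo->Tag);
    printf("|%08lx", pSymInfo->Flags);
    printf("|%lu", pSymInfo->TypeIndex);
    printf("|%s\n", pSymInfo->Name);
    return TRUE;                            /* continue the enumeration */
}

int main(void)
{
    DWORD64 BaseOfDll = 0;
    HANDLE hProcess = GetCurrentProcess();

    if (!SymInitialize(hProcess, NULL, FALSE)) {
        fprintf(stderr, "SymInitialize failed: %lu\n", GetLastError());
        return 1;
    }
    /* SymLoadModule64 returns 0 when the module could not be loaded. */
    BaseOfDll = SymLoadModule64(hProcess, NULL, "c:\\windows\\system32\\kernel32.dll", NULL, 0, 0);
    if (BaseOfDll == 0) {
        fprintf(stderr, "SymLoadModule64 failed: %lu\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }
    SymEnumSymbols(hProcess, BaseOfDll, NULL, EnumSymProc, NULL);
    SymUnloadModule64(hProcess, BaseOfDll);
    SymCleanup(hProcess);
    return 0;
}
```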
sborpo
  • There is a question missing from your question. – IInspectable Sep 08 '16 at 22:49
  • I don't think there's anything stopping an executable from exporting two identical symbols. There certainly isn't anything stopping two symbols from being at the same address, a function can have multiple names or two separate functions can be combined into one during optimization. – Harry Johnston Sep 08 '16 at 23:48
  • Thanks! I searched this issue after you commented and saw these optimizations. Do you have a clue about the first part of my question? why there are two same names? (StringLengthWorkerW) - I don't see any distinction between the symbols. – sborpo Sep 09 '16 at 14:01
  • `why there are two same names ? (StringLengthWorkerW)` - this can happen e.g. if that is an inline function being expanded more than once. – 500 - Internal Server Error Sep 09 '16 at 23:14
  • But at the same address? This is strange... I ran Dia2Dump and it outputs these lines: Function: [00014C23][0001:00004C23] StringCopyWorkerW Function: [00014C23][0001:00004C23] StringCopyWorkerW - the same line two times. – sborpo Sep 10 '16 at 15:42
  • Possibly a compatibility fix, because some folks imported the symbol by ordinal, rather than name. – IInspectable Sep 10 '16 at 23:31

0 Answers
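An added example, not part of the original post or its comments: one way to post-process the enumerated symbols so that records differing only in their index are collapsed, while addresses that carry several distinct names (the aliasing or folding case from the comments) are counted separately. `SymRec`, `Summary` and `classify` are hypothetical names; in the question's program the records would be copied from `SYMBOL_INFO` inside the callback, and the tag, flags and index values below are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: the SYMBOL_INFO fields an enumeration callback would copy out. */
typedef struct {
    unsigned long long address; unsigned long tag, flags, index; const char *name;
} SymRec;
typedef struct { size_t unique, exact_dups, shared_addrs; } Summary;

/* Compare every field except index; 0 means "same symbol as far as the callback can tell". */
static int cmp_key(const SymRec *x, const SymRec *y) {
    if (x->address != y->address) return x->address < y->address ? -1 : 1;
    if (x->tag != y->tag) return x->tag < y->tag ? -1 : 1;
    if (x->flags != y->flags) return x->flags < y->flags ? -1 : 1;
    return strcmp(x->name, y->name);
}
static int cmp_rec(const void *a, const void *b) {
    const SymRec *x = a, *y = b;
    int c = cmp_key(x, y);   /* ties broken by index so the lowest index survives */
    return c ? c : (x->index > y->index) - (x->index < y->index);
}

/* Sorts recs in place, compacts records that differ only in index to the front,
   and counts addresses that still hold more than one record afterwards. */
Summary classify(SymRec *recs, size_t n) {
    Summary s = {0, 0, 0};
    size_t i;
    qsort(recs, n, sizeof *recs, cmp_rec);
    for (i = 0; i < n; i++) {
        if (s.unique > 0 && cmp_key(&recs[s.unique - 1], &recs[i]) == 0) s.exact_dups++;
        else recs[s.unique++] = recs[i];
    }
    for (i = 1; i < s.unique; i++)   /* count each multi-record address once */
        if (recs[i].address == recs[i - 1].address &&
            (i < 2 || recs[i - 2].address != recs[i].address)) s.shared_addrs++;
    return s;
}

/* Constructed sample: names and addresses from the question, other fields made up. */
static SymRec sample[] = {
    {0x6b84c840ULL, 5, 0, 4, "WerGetFlagsWorker"},
    {0x6b814c23ULL, 5, 0, 2, "StringCopyWorkerW"},
    {0x6b84c840ULL, 5, 0, 3, "WerGetFlag"},
    {0x6b814c23ULL, 5, 0, 1, "StringCopyWorkerW"},
};
int main(void) {
    Summary s = classify(sample, sizeof sample / sizeof sample[0]);
    printf("unique=%zu exact_dups=%zu shared_addrs=%zu\n", s.unique, s.exact_dups, s.shared_addrs);
    return 0;
}
```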