The program uses some of the Dbghelp.dll functions documented at
http://msdn.microsoft.com/en-us/library/ms679291%28VS.85%29.aspx
and you have to download the symbol file corresponding to your system yourself.
The first step is initialization:
To set the symbol options, call the following two functions:
DWORD Options = Symgetoptions ();
Options = options| Symopt_debug;
Symsetoptions (Options);
Then call SymInitialize to initialize the symbol handler (this step is required):
hprocess = GetCurrentProcess ();
BOOL BRet = syminitialize (Hprocess,0,false);
if (!bret)
{
printf ("Syminitialize error ... \ n");
}
You can call SymSetSearchPath(hprocess, symbolpath) to set the symbol search path,
and then use SymLoadModule64 to load the module, here ntoskrnl.exe:
Char filename[256];
GetSystemDirectory (filename,sizeof (FileName));
strcat (FileName, "\\ntoskrnl.exe");
Baseofdll = SymLoadModule64 (hprocess,null,filename,null,0,0);
BaseOfDll receives the base address the module was loaded at.
You can then call SymEnumSymbols to enumerate the symbols:
Symenumsymbols (hprocess,baseofdll,0,enumsymcallback,0);
The EnumSymCallback parameter is a callback function that receives the virtual address (VA) of each symbol, including non-exported functions:
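/*
 * SymEnumSymbols callback.  pSymInfo->Name is the symbol name and
 * pSymInfo->Address is the symbol's virtual address (start of the symbol),
 * laid out against the base SymLoadModule64 returned for this module.
 * SymbolSize and UserContext are not used.  Returns TRUE so that the
 * enumeration continues with the next symbol.
 */
BOOL CALLBACK enumsymcallback(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    (void)SymbolSize;
    (void)UserContext;

    /* strcmp is case-sensitive: the name must match the PDB's casing exactly. */
    if (strcmp(pSymInfo->Name, "PspCreateProcessNotifyRoutine") == 0) {
        /* Address is a 64-bit value; printing it with %0x is undefined behaviour. */
        printf("oh,yeah! %s:%llx\n ", pSymInfo->Name, (unsigned long long)pSymInfo->Address);
    }
    return TRUE;
}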
Full code:
[Code]
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include "Dbghelp.h"
#pragma comment (lib, "Dbghelp.lib")
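/* Invoked once per symbol by SymEnumSymbols; defined after main(). */
BOOL CALLBACK enumsymcallback(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext);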
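/*
 * Appends suffix to the NUL-terminated string already in dst (capacity cap
 * bytes).  Returns 1 on success, 0 if the result would not fit; dst is left
 * unchanged on failure.  Used instead of an unbounded strcat.
 */
static int append_suffix(char *dst, size_t cap, const char *suffix)
{
    size_t used = strlen(dst);
    size_t add = strlen(suffix);

    /* Need room for the suffix plus the terminating NUL. */
    if (used >= cap || add >= cap - used) {
        return 0;
    }
    memcpy(dst + used, suffix, add + 1);
    return 1;
}

/*
 * Loads the on-disk ntoskrnl.exe into the dbghelp symbol handler and prints
 * the addresses of the symbols selected in enumsymcallback.
 *
 * Symbols are searched for only in "<current directory>\symbols"; no symbol
 * server is configured, so the matching PDB must already be present there.
 * Returns 0 when the enumeration ran, 1 when initialization, path building,
 * module loading or enumeration failed.
 */
int main(int argc, char *argv[])
{
    int rc = 1;
    HANDLE hProcess = GetCurrentProcess();
    DWORD64 BaseOfDll = 0;
    DWORD Options;
    DWORD dirLen;
    UINT sysLen;
    char SymbolPath[MAX_PATH];
    char FileName[MAX_PATH];

    (void)argc;
    (void)argv;

    /* SYMOPT_DEBUG makes dbghelp report symbol-search diagnostics. */
    Options = SymGetOptions();
    Options |= SYMOPT_DEBUG;
    SymSetOptions(Options);

    /* fInvadeProcess = FALSE: the one module of interest is loaded by hand below. */
    if (!SymInitialize(hProcess, NULL, FALSE)) {
        printf("SymInitialize error ... (%lu)\n", GetLastError());
        return rc;
    }

    /* GetCurrentDirectory returns the required size (>= buffer) when truncated. */
    dirLen = GetCurrentDirectory((DWORD)sizeof SymbolPath, SymbolPath);
    if (dirLen == 0 || dirLen >= sizeof SymbolPath ||
        !append_suffix(SymbolPath, sizeof SymbolPath, "\\symbols")) {
        printf("Cannot build symbol search path (%lu)\n", GetLastError());
        goto cleanup;
    }
    if (!SymSetSearchPath(hProcess, SymbolPath)) {
        printf("SymSetSearchPath error ... (%lu)\n", GetLastError());
        goto cleanup;
    }

    /* GetSystemDirectory has the same truncation contract as GetCurrentDirectory. */
    sysLen = GetSystemDirectory(FileName, (UINT)sizeof FileName);
    if (sysLen == 0 || sysLen >= sizeof FileName ||
        !append_suffix(FileName, sizeof FileName, "\\ntoskrnl.exe")) {
        printf("Cannot build ntoskrnl.exe path (%lu)\n", GetLastError());
        goto cleanup;
    }

    /* BaseOfDll = 0 on failure; on success it is the base the image was laid out at. */
    BaseOfDll = SymLoadModule64(hProcess, NULL, FileName, NULL, 0, 0);
    if (BaseOfDll == 0) {
        printf("SymLoadModule64 error ... (%lu)\n", GetLastError());
        goto cleanup;
    }

    if (!SymEnumSymbols(hProcess, BaseOfDll, NULL, enumsymcallback, NULL)) {
        printf("SymEnumSymbols error ... (%lu)\n", GetLastError());
    } else {
        rc = 0;
    }
    SymUnloadModule64(hProcess, BaseOfDll);

cleanup:
    SymCleanup(hProcess);

    /* Keep the console open until Enter is pressed; the original busy loop
     * (for (;;);) never terminated and burned a core. */
    printf("Press Enter to exit\n");
    getchar();
    return rc;
}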
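/*
 * SymEnumSymbols callback: prints the name and address of each symbol listed
 * in kWantedSymbols and ignores every other symbol.
 *
 * pSymInfo->Name is the symbol name and pSymInfo->Address its virtual address,
 * laid out against the base SymLoadModule64 returned for this module (the
 * on-disk image as loaded by dbghelp), not against the running kernel.
 * SymbolSize and UserContext are not used.  Returns TRUE so the enumeration
 * continues with the next symbol.
 *
 * The return type must be BOOL to match the prototype; lowercase bool is a
 * different type and does not link against the dbghelp callback signature.
 */
BOOL CALLBACK enumsymcallback(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    /* strcmp is case-sensitive, so these must match the PDB's casing exactly. */
    static const char *const kWantedSymbols[] = {
        "PspCreateProcessNotifyRoutine",
        "PspLoadImageNotifyRoutine",
        "PspCreateThreadNotifyRoutine",
        "CmpCallBackVector",
        "KeBugCheckCallbackListHead",
    };
    size_t i;

    (void)SymbolSize;
    (void)UserContext;

    for (i = 0; i < sizeof kWantedSymbols / sizeof kWantedSymbols[0]; i++) {
        if (strcmp(pSymInfo->Name, kWantedSymbols[i]) == 0) {
            /* Address is a 64-bit value; printing it with %0x is undefined behaviour. */
            printf("oh,yeah! %s:%llx\n ", pSymInfo->Name, (unsigned long long)pSymInfo->Address);
            break;
        }
    }
    return TRUE;
}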
Attachment: change the .jpg extension to .rar.
Parse PDB file to get non-exported variable address (GO)