I've written a small program that uses the dbghelp library to print all the symbols for some executable. The main enumeration function that I call is SymEnumSymbols, which should receive a callback that is called for each symbol. I tried to run the program on kernel32.dll and encountered 2 strange issues:
1) There are symbols that are situated at the same address and are equal in all the field values of the SYMBOL_INFO structure (besides the unique Index field) - so how can I distinguish between them? (for example: 0x6b814c23 - StringCopyWorkerW)
2) In some cases there are two symbols with the same characteristics at the same address. (When I opened the file in IDA I saw that there are two exported entries - but one is a function and the other isn't (for example: WerGetFlag and WerGetFlagsWorker, which are at 0x6b84c840).
Thanks!
Here is the code:
#include <windows.h>
#include <dbghelp.h>
#include <stdio.h>

#pragma comment(lib, "dbghelp.lib")   /* link against dbghelp */

/* Called once per symbol; print the fields of the current symbol */
BOOL CALLBACK EnumSymProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    (void)SymbolSize;
    (void)UserContext;
    /* Address is a DWORD64 and Tag/Flags/TypeIndex/Index are ULONG,
       so use matching format specifiers (%08x on a DWORD64 is undefined) */
    printf("%016llx", (unsigned long long)pSymInfo->Address);
    printf("|%lu", pSymInfo->Tag);
    printf("|%08lx", pSymInfo->Flags);
    printf("|%lu", pSymInfo->TypeIndex);
    printf("|%lu", pSymInfo->Index);   /* the unique index field */
    printf("|%s\n", pSymInfo->Name);
    return TRUE;   /* keep enumerating */
}

int main(void)
{
    DWORD64 BaseOfDll = 0;
    HANDLE hProcess = GetCurrentProcess();

    if (!SymInitialize(hProcess, NULL, FALSE)) {
        printf("SymInitialize failed: %lu\n", GetLastError());
        return 1;
    }
    /* SymLoadModule64 returns 0 on failure */
    BaseOfDll = SymLoadModule64(hProcess, NULL, "c:\\windows\\system32\\kernel32.dll", NULL, 0, 0);
    if (BaseOfDll == 0) {
        printf("SymLoadModule64 failed: %lu\n", GetLastError());
        SymCleanup(hProcess);
        return 1;
    }
    if (!SymEnumSymbols(hProcess, BaseOfDll, NULL, EnumSymProc, NULL))
        printf("SymEnumSymbols failed: %lu\n", GetLastError());
    SymUnloadModule64(hProcess, BaseOfDll);
    SymCleanup(hProcess);
    return 0;
}
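Added example, not part of the question above and not dbghelp code: one way to tell the two cases apart is to have the callback collect the records instead of printing them, then sort by (Address, Name, Index) after SymEnumSymbols returns. Records that agree in Address and Name and differ only in Index (case 1) collapse to one entry; records that share an Address but carry different names (case 2) both survive and can be listed together. The SymRec struct, CollectSym, DedupSymbols and the Index values are hypothetical stand-ins constructed for this example so it builds without windows.h; the addresses and names are the ones the question quotes. In the real program the callback would call CollectSym with pSymInfo->Address, pSymInfo->Index and pSymInfo->Name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the SYMBOL_INFO fields this example needs. The
 * other fields (Tag, Flags, TypeIndex) were identical in the question's cases,
 * so they cannot separate the records and are left out. */
typedef struct {
    unsigned long long Address;  /* SYMBOL_INFO.Address */
    unsigned long Index;         /* SYMBOL_INFO.Index, the only field differing in case 1 */
    char Name[64];               /* SYMBOL_INFO.Name */
} SymRec;

#define MAX_SYMS 256
static SymRec g_syms[MAX_SYMS];
static size_t g_count;

/* What the enumeration callback would do instead of printing: store the record.
 * Returns 1 to keep enumerating, 0 to stop (mirrors the BOOL return). */
int CollectSym(unsigned long long address, unsigned long index, const char *name)
{
    if (g_count >= MAX_SYMS)
        return 0;
    g_syms[g_count].Address = address;
    g_syms[g_count].Index = index;
    strncpy(g_syms[g_count].Name, name, sizeof g_syms[g_count].Name - 1);
    g_syms[g_count].Name[sizeof g_syms[g_count].Name - 1] = '\0';
    g_count++;
    return 1;
}

/* Order by Address, then Name, then Index so duplicates become adjacent. */
static int CmpSym(const void *a, const void *b)
{
    const SymRec *x = a, *y = b;
    int c;
    if (x->Address != y->Address)
        return x->Address < y->Address ? -1 : 1;
    c = strcmp(x->Name, y->Name);
    if (c != 0)
        return c;
    return (x->Index > y->Index) - (x->Index < y->Index);
}

/* Collapse records sharing both Address and Name (case 1), keeping the lowest
 * Index; records sharing only the Address (case 2) both stay. Returns the count kept. */
size_t DedupSymbols(void)
{
    size_t r, w;
    if (g_count == 0)
        return 0;
    qsort(g_syms, g_count, sizeof g_syms[0], CmpSym);
    for (r = 1, w = 1; r < g_count; r++) {
        if (g_syms[r].Address == g_syms[w - 1].Address &&
            strcmp(g_syms[r].Name, g_syms[w - 1].Name) == 0)
            continue;           /* same symbol reported twice: drop it */
        g_syms[w++] = g_syms[r];
    }
    g_count = w;
    return w;
}

/* Number of distinct names that map to the given address after DedupSymbols. */
size_t NamesAtAddress(unsigned long long address)
{
    size_t i, n = 0;
    for (i = 0; i < g_count; i++)
        if (g_syms[i].Address == address)
            n++;
    return n;
}

/* Index kept for a given (Address, Name), or 0 if no such record. */
unsigned long KeptIndex(unsigned long long address, const char *name)
{
    size_t i;
    for (i = 0; i < g_count; i++)
        if (g_syms[i].Address == address && strcmp(g_syms[i].Name, name) == 0)
            return g_syms[i].Index;
    return 0;
}

/* Constructed input modelled on the two cases in the question (Index values are made up). */
size_t RunSample(void)
{
    g_count = 0;
    CollectSym(0x6b814c23ULL, 17, "StringCopyWorkerW");
    CollectSym(0x6b814c23ULL, 18, "StringCopyWorkerW");   /* case 1: identical except Index */
    CollectSym(0x6b84c840ULL, 40, "WerGetFlag");
    CollectSym(0x6b84c840ULL, 41, "WerGetFlagsWorker");   /* case 2: two names, one address */
    return DedupSymbols();
}

int main(void)
{
    size_t i, n = RunSample();
    for (i = 0; i < n; i++)
        printf("%016llx|%lu|%s\n", g_syms[i].Address, g_syms[i].Index, g_syms[i].Name);
    return 0;
}
```

Running the sample leaves three records: one StringCopyWorkerW entry (Index 17) and the two differently named entries at 0x6b84c840, which is the distinction the question is after. For case 2 the Name is the only discriminator the example has; whether a name denotes a function or data is not something these fields settle.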