
DbgHlp Library and SYMBOL_INFO Request

Jeffrey Walton

Jan 24, 2009, 11:27:54 PM
Hi All,

I recently had an offline conversation regarding some information
provided by the DbgHlp Library. I wanted to share my request with the
group since the folks who maintain DbgHlp are active in M.P.W.

According to MSDN, the SYMBOL_INFO::Size member should be ignored [1].
I'd like to see this member promoted to a first class member that
developers can count on - period. Here are my reasons:

* DbgHlp is the only advertised means to crack the PDB format
* Not all programs which use the library are Debuggers

While we could use Schreiber's Undocumented Windows 2000 Secrets to
help with writing our own Library, I feel it is better to stay with
the vendor's implementation. This means we should use DbgHlp to
interpret the PDB format.

For the second point, all I can say is that there are other classes of
programs (besides debuggers) which use the DbgHlp library. In the
offline conversation, the fellow who I was speaking with is
considering using it for an EXE protector (encrypting and decrypting
functions). He currently parses MAP files. I also use it in a relinker
to defeat IDA Pro's FLIRT engine by modifying and rearranging calls
into standard startup code. In either case, we both use it to
synthesize sizeof(function).

Any consideration would be greatly appreciated,
Jeffrey Walton
Baltimore, MD

[1] SYMBOL_INFO Structure, http://msdn.microsoft.com/en-us/library/ms680686(VS.85).aspx

pat styles [microsoft]

Jan 27, 2009, 3:02:24 PM
The documentation is wrong. Go ahead and use the value as long as you have
pdb symbols. If you only have dbg or coff symbols, then the value is
meaningless.

.pat styles [microsoft]

"Jeffrey Walton" <nolo...@gmail.com> wrote in message
news:8a456c35-6154-4238...@x14g2000yqk.googlegroups.com...

Jeffrey Walton

Jan 28, 2009, 2:49:19 PM
Hi Pat,

Thanks for the reply (I had my fingers crossed the topic would show up
on your radar).

> The documentation is wrong.
I was wondering when the change occurred (i.e., don't use the value).
In the past, documentation was a bit scant at times. But I did not
recall reading that it should be ignored.

> If you only have dbg or coff symbols, then the value is
> meaningless.

I was not aware of this information. Thank you again.

Jeff

On Jan 27, 3:02 pm, "pat styles [microsoft]" <pat.sty...@microsoft.com> wrote:
> The documentation is wrong.  Go ahead and use the value as long as you have
> pdb symbols.  If you only have dbg or coff symbols, then the value is
> meaningless.
>
> .pat styles [microsoft]
>
> "Jeffrey Walton" <noloa...@gmail.com> wrote in message
> news:8a456c35-6154-4238...@x14g2000yqk.googlegroups.com...
>
> [ SNIP ]
>
> According to MSDN, the SYMBOL_INFO::Size member should be ignored [1].
> I'd like to see this member promoted to a first class member that
> developers can count on - period. Here are my reasons:
>
> [ SNIP ]
>
> [1] SYMBOL_INFO Structure, http://msdn.microsoft.com/en-us/library/ms680686(VS.85).aspx
