
Solution: getting the current function address from a thread's EIP information

2012-05-11 

Getting the current function address from a thread's EIP information

C/C++ code
    CONTEXT context;
    HANDLE hThread = GetCurrentThread();
    HANDLE hProc = GetCurrentProcess();
    BOOL ret = false;
    context.ContextFlags = CONTEXT_FULL;
    ret = GetThreadContext(hThread, &context);
    STACKFRAME64 sf = {0};
    sf.AddrPC.Mode = AddrModeFlat;
    sf.AddrPC.Offset = context.Eip;
    sf.AddrStack.Mode = AddrModeFlat;
    sf.AddrStack.Offset = context.Esp;
    sf.AddrFrame.Mode = AddrModeFlat;
    sf.AddrFrame.Offset = context.Ebp;
    DWORD64 placement;
    IMAGEHLP_SYMBOL64 *symbol_info = (IMAGEHLP_SYMBOL64 *)malloc(sizeof(IMAGEHLP_SYMBOL64) + 1024);
    memset(symbol_info, 0, sizeof(IMAGEHLP_SYMBOL64) + 1024);
    symbol_info->SizeOfStruct = sizeof(IMAGEHLP_SYMBOL64);
    symbol_info->MaxNameLength = 1024;
    ret = StackWalk64(IMAGE_FILE_MACHINE_I386, hProc, hThread, &sf, &context, NULL, SymFunctionTableAccess64, SymGetModuleBase64, NULL);
    cout << GetLastError() << endl;
    ret = SymGetSymFromAddr64(hProc, sf.AddrPC.Offset, &placement, symbol_info);
    cout << GetLastError() << endl;


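SymGetSymFromAddr64 always returns false. What is going on? GetLastError after StackWalk64 reports an invalid handle, but that handle was obtained with GetCurrentProc, and it is not because it is a pseudo-handle either, because I have seen other people's programs use getcurrentproc as well.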

[Solution]
Same advice as always: read MSDN carefully.
Overconfidence is the root of mistakes.

Second parameter of StackWalk64:
hProcess 
A handle to the process for which the stack trace is generated. If the caller supplies a valid callback pointer for the ReadMemoryRoutine parameter, then this value does not have to be a valid process handle. It can be a token that is unique and consistently the same for all calls to the StackWalk64 function. If the symbol handler is used with StackWalk64, use the same process handles for the calls to each function.


First parameter of SymGetSymFromAddr64:
Parameters
hProcess 
A handle to the process that was originally passed to the SymInitialize function.

