Commit 95c3f81

update readme for official unicode + python3 full support
1 parent 8472fd1 commit 95c3f81

1 file changed

+46
-0
lines changed

README.md

Lines changed: 46 additions & 0 deletions
@@ -535,6 +535,52 @@ The local debugger handles
535535
* Standard breakpoint ``int3``
536536
* Hardware Execution breakpoint ``DrX``
537537

538+
### Symbols
539+
540+
Classes around the Symbols APIs of `dbghelp.dll` are also implemented and can be used independently of the Debugger.
541+
The path of `dbghelp.dll` can also be given via the `PFW_DBGHELP_PATH` environment variable.
542+
543+
544+
```python
545+
# Python3
546+
547+
>>> from windows.debug import symbols
548+
>>> # symbols.set_dbghelp_path(MY_DBGHELP_PATH)
549+
>>> symbols.engine.options = 0 # Disable defered load
550+
>>> sh = symbols.VirtualSymbolHandler()
551+
>>> ntmod = sh.load_file(r"c:\windows\system32\ntdll.dll", addr=0x420000)
552+
>>> ntmod
553+
<SymbolModule name="ntdll" type=SymPdb pdb="ntdll.pdb" addr=0x420000>
554+
>>> ntmod.name
555+
'ntdll'
556+
>>> ntmod.path
557+
'c:\\windows\\system32\\ntdll.dll'
558+
>>> ntmod.pdb
559+
'c:\\Symbols\\ntdll.pdb\\8D5D5ED5D5B8AA609A82600C14E3004D1\\ntdll.pdb'
560+
>>> sym = sh["ntdll!LdrLoadDll"]
561+
>>> sym
562+
<SymbolInfoW name="LdrLoadDll" start=0x44a160 tag=SymTagFunction>
563+
>>> sym.fullname
564+
'ntdll!LdrLoadDll'
565+
>>> hex(sym.addr)
566+
'0x44a160'
567+
>>> sh.search("ntdll!*CreateFile")
568+
[<SymbolInfoW name="EtwpCreateFile" start=0x47d9ec tag=SymTagFunction>, <SymbolInfoW name="EtwpCreateFile" start=0x47d9ec tag=SymTagPublicSymbol>, <SymbolInfoW name="NtCreateFile" start=0x4c03e0 tag=SymTagPublicSymbol>, <SymbolInfoW name="ZwCreateFile" start=0x4c03e0 tag=SymTagPublicSymbol>, <SymbolInfoW name="__imp_NtCreateFile" start=0x55cb70 tag=SymTagPublicSymbol>]
569+
# Some types exploration
570+
>>> sh.get_type("ntdll!_PEB")
571+
<SymbolType name="_PEB" tag=_SymTagEnum.SymTagUDT(0xb)>
572+
>>> peb = _
573+
>>> peb = sh.get_type("ntdll!_PEB")
574+
>>> peb
575+
<SymbolType name="_PEB" tag=_SymTagEnum.SymTagUDT(0xb)>
576+
>>> peb.size
577+
2000
578+
>>> peb.children[:3]
579+
[<SymbolType name="InheritedAddressSpace" tag=_SymTagEnum.SymTagData(0x7)>, <SymbolType name="ReadImageFileExecOptions" tag=_SymTagEnum.SymTagData(0x7)>, <SymbolType name="BeingDebugged" tag=_SymTagEnum.SymTagData(0x7)>]
580+
>>> peb.children[2].offset
581+
2
582+
```
583+
538584
### Other stuff (see doc / samples)
539585

540586
- Network
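
Review bot: The new Symbols text (added lines 540-541 and the commented-out `symbols.set_dbghelp_path(MY_DBGHELP_PATH)` on 548) names two ways to choose the `dbghelp.dll` path but does not say when a non-default copy is needed or which of the two wins if both are set. A sentence covering that would help, along with a reminder that the path should point to a trusted copy, since it selects the DLL that gets loaded. Two smaller points in the sample session: "defered" on line 549 should read "deferred", and `peb = _` on line 572 is redundant because line 573 immediately reassigns `peb = sh.get_type("ntdll!_PEB")`, so one of the two can go. The commit message mentions unicode and Python 3 support, while the only trace of that in this hunk is the `# Python3` comment on line 545; if the outputs shown differ under Python 2, the README should say so.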
