Implement symbol retrieval for method parameters

Author: qtc-de

src/rpc.v

@@ -111,6 +111,7 @@ pub struct RpcMethod {
 	offset u32
 	pub mut:
 	name string
+	symbols []string
 }
 
 // RpcType is used to determine the type if RPC servers that are associated with a process.
@@ -319,9 +320,7 @@ pub fn (mut pi RpvProcessInformation) update(mut resolver SymbolResolver)!
 			for mut method in intf_info.methods
 			{
 				method.name = resolver.load_symbol(intf_info.location.path, method.addr) or { method.name }
-
-				// TODO
-				resolver.load_symbols(intf_info.location.path, method.addr)
+				method.symbols = resolver.load_symbols(intf_info.location.path, method.addr) or { []string{} }
 			}
 
 			if intf_info.sec_callback.addr != &voidptr(0)
@@ -651,15 +650,16 @@ pub fn (interface_info RpcInterfaceBasicInfo) enrich_h(process_handle win.HANDLE
 			base := win.read_proc_mem_s[usize](process_handle, unsafe { midl_server_info.DispatchTable + ctr }) or { break }
 			fmt := win.read_proc_mem_s[u16](process_handle, unsafe { &u16(midl_server_info.FmtStringOffset) + ctr }) or { break }
 
-			// TODO
-			resolver.load_symbols(location_info.path, u64(base))
+			name := resolver.load_symbol(location_info.path, u64(base)) or { 'Proc${ctr}' }
+			symbols := resolver.load_symbols(location_info.path, u64(base)) or { []string{} }
 
 			unsafe {
 				rpc_methods << RpcMethod {
 					addr: voidptr(base)
 					fmt: voidptr(&u8(midl_server_info.ProcString) + fmt)
 					offset:  u32(usize(base) - usize(location_info.base))
-					name: resolver.load_symbol(location_info.path, u64(base)) or { 'Proc${ctr}' }
+					name: name
+					symbols: symbols
 				}
 			}
 		}

src/symbol-resolver.v

@@ -11,6 +11,7 @@ import toml
 pub struct SymbolResolver {
 	mut:
 	symbols map[string][]Symbol
+	params map[string][]SymbolSet
 	uuids map[string]InterfaceData
 	has_pdb bool
 	pdb_resolver win.PdbResolver
@@ -27,6 +28,13 @@ struct Symbol {
 	offset u64
 }
 
+// SymbolSet represents a set of symbols like method parameter names.
+struct SymbolSet {
+	mut:
+	names []string
+	offset u64
+}
+
 // InterfaceData is used to associate names with RPC interfaces. Moreover, the struct
 // contains notes for the interface itself and for associated RPC methods.
 struct InterfaceData {
@@ -134,11 +142,21 @@ pub fn (resolver SymbolResolver) load_symbol(location string, offset u64)? strin
 	return none
 }
 
-// load_symbols attempts to resolve the location + offset information to a symbol
-// name. If successful, the symbol name is returned. If the symbol cannot be found
-// the function returns none.
+// load_symbols attempts to resolve function parameter names from the specified location
+// and offset.
 pub fn (resolver SymbolResolver) load_symbols(location string, offset u64)? []string
 {
+	if location in resolver.params
+	{
+		for symbol_set in resolver.params[location]
+		{
+			if symbol_set.offset == offset
+			{
+				return symbol_set.names
+			}
+		}
+	}
+
 	if resolver.has_pdb
 	{
 		return resolver.pdb_resolver.load_symbols(offset) or { return none }

win/interop.v

@@ -174,6 +174,20 @@ pub struct C.COMM_FAULT_OFFSETS {
 	FaultOffset u16
 }
 
+@[typedef]
+pub struct C.IMAGEHLP_STACK_FRAME {
+  InstructionOffset  ULONG64
+  ReturnOffset		 ULONG64
+  FrameOffset		 ULONG64
+  StackOffset		 ULONG64
+  BackingStoreOffset ULONG64
+  FuncTableEntry	 ULONG64
+  Params[4]			 ULONG64
+  Reserved[5]		 ULONG64
+  Virtual			 BOOL
+  Reserved2			 ULONG
+}
+
 // C.GUID represents the well known GUID struct from widows. In rpv,
 // it is used for different purposes. Mainly to identify RPC interfaces,
 // that all contain GUIDs as part of their internal definition.
@@ -1938,6 +1952,8 @@ fn C.SHGetFileInfoA(path &char, file_attrs DWORD, fileinfo &C.SHFILEINFOA, file_
 fn C.SymCleanup(process_handle HANDLE)
 fn C.SymFromAddr(process_handle HANDLE, address DWORD64, displacement &DWORD64, symbol &SymbolInfoV) bool
 fn C.SymEnumSymbolsForAddr(process_handle HANDLE, address DWORD64, callback fn(&SymbolInfoV, ULONG), context voidptr) bool
+fn C.SymEnumSymbols(process_handle HANDLE, base ULONG64, mask &char, callback fn(&SymbolInfoV, ULONG), context voidptr) bool
+fn C.SymSetContext(process_handle HANDLE, frame &C.IMAGEHLP_STACK_FRAME, context voidptr) bool
 fn C.SymInitialize(process_handle HANDLE, search_path &char, invade_process BOOL) bool
 fn C.SymLoadModuleEx(process_handle HANDLE, file_handle HANDLE, image PCSTR, mod PCSTR, dll_base u64, dll_size u32, data voidptr, flags u32) u64
 fn C.SymUnloadModule(process_handle HANDLE, module_base u32)

win/pdb-resolver.v

@@ -76,15 +76,24 @@ pub fn (context PdbResolver) load_symbol(symbol u64)! string
 pub fn (context PdbResolver) load_symbols(symbol u64)! []string
 {
 	symbols := []string{}
+	symbols_ref := &symbols
 
-	symbol_closure := fn [symbols] (symbol_info &SymbolInfoV, symbol_size u32) {
+	frame := C.IMAGEHLP_STACK_FRAME{
+		InstructionOffset: symbol
+	}
+
+	if !C.SymSetContext(context.process_handle, &frame, &voidptr(0))
+	{
+		return error('Unable to set symbol context to 0x${symbol}')
+	}
+
+	symbol_closure := fn [symbols_ref] (symbol_info &SymbolInfoV, symbol_size u32) {
 		unsafe {
-			symbols << "Dummy"
-			println('[+] Closure Test: ${cstring_to_vstring(&char(symbol_info.name[..].data))}')
+			symbols_ref << cstring_to_vstring(&char(symbol_info.name[..].data))
 		}
 	}
 
-	if !C.SymEnumSymbolsForAddr(context.process_handle, symbol, symbol_closure, &voidptr(0))
+	if !C.SymEnumSymbols(context.process_handle, 0, &voidptr(0), symbol_closure, &voidptr(0))
 	{
 		return error('Unable to resolve symbols at 0x${symbol} via SymEnumSymbolsForAddr')
 	}