SymFromAddr使用C#

我试图看看如何使用C#中的SymFromAddr。 这是我得到的。 问题是, DbgHelp.SymFromAddr(processHandle, (ulong)threadAddress, ref displacement, ref symbolInfo)返回错误87.我在做什么错了? *做了一个微调。 现在已经填充了SizeOfStruct。 但没有结果。

 static void GetThreadList(int processId, IntPtr processHandle) { Console.WriteLine(string.Format("Process Id: {0:X4}", processId)); var threadCollection = Process.GetProcessById(processId).Threads.OfType<ProcessThread>(); foreach (ProcessThread processThread in threadCollection) { ulong dwAddress = (ulong)ThreadStartAddress(processThread.Id, processHandle); Console.WriteLine(" Thread Id: {0:X4}, Start Address: {1:X16}", processThread.Id, dwAddress); } } static IntPtr ThreadStartAddress(int threadId, IntPtr processHandle) { var threadHandle = DbgHelp.OpenThread(DbgHelp.ThreadAccess.QueryInformation, false, threadId); if (threadHandle == IntPtr.Zero) throw new Win32Exception(); IntPtr threadAddress = IntPtr.Zero; var buf = Marshal.AllocHGlobal(IntPtr.Size); try { var result = DbgHelp.NtQueryInformationThread(threadHandle, DbgHelp.ThreadInfoClass.ThreadQuerySetWin32StartAddress, buf, IntPtr.Size, IntPtr.Zero); if (0 != result) throw new Win32Exception(string.Format("NtQueryInformationThread failed; NTSTATUS = {0:X8}", result)); threadAddress = Marshal.ReadIntPtr(buf); unsafe { ulong displacement = 0; uint symsetOptStatus = DbgHelp.SymSetOptions(DbgHelp.SymOpt.UNDNAME | DbgHelp.SymOpt.DEFERRED_LOADS); // Returns 6. if (!DbgHelp.SymInitialize(threadHandle, null, true)) { // SymInitialize failed with error C000000B. Console.WriteLine("SymInitialize returned error : {0:X16}.\n", Marshal.GetLastWin32Error()); } DbgHelp.SYMBOL_INFO symbolInfo = new DbgHelp.SYMBOL_INFO(); //symbolInfo.SizeOfStruct = (uint)Marshal.SizeOf(symbolInfo); //symbolInfo.MaxNameLen = DbgHelp.MAX_SYM_NAME; //const int maxNameLen = 512; //int bufferSize = Marshal.SizeOf(typeof(DbgHelp.SYMBOL_INFO)) + (DbgHelp.MAX_SYM_NAME * 2); //var buffer = Marshal.AllocHGlobal(bufferSize); //DbgHelp.SYMBOL_INFO symbolInfo = (DbgHelp.SYMBOL_INFO)buffer; symbolInfo.SizeOfStruct = (uint)Marshal.SizeOf(typeof(DbgHelp.SYMBOL_INFO)); symbolInfo.MaxNameLen = DbgHelp.MAX_SYM_NAME -1; if (DbgHelp.SymFromAddr(processHandle, (ulong)threadAddress, ref displacement, ref symbolInfo)) { // SymFromAddr returned success. return threadAddress; } else { // SymFromAddr failed with error 87. Console.WriteLine("SymFromAddr returned error : {0}.\n", Marshal.GetLastWin32Error()); return threadAddress; } } } finally { DbgHelp.CloseHandle(threadHandle); Marshal.FreeHGlobal(buf); } } 

尝试:

  const int maxNameLen = 512; int bufferSize = sizeof(SYMBOL_INFO) + maxNameLen*2; buffer = (byte*)Marshal.AllocHGlobal(bufferSize); symbolInfo = (SYMBOL_INFO*)buffer; symbolInfo->SizeOfStruct = (uint)sizeof(SYMBOL_INFO); symbolInfo->MaxNameLen = maxNameLen - 1; 

我看到的唯一方法是编写一个非托管的c ++包装器来阅读符号信息。