Develop Reference

SymInitialize/SymFromAddr/SymGetLineFromAddr64 : how to get the correct stack frames for the process being debugged when running under a debugger?

From MSDN,
https://learn.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-syminitialize
BOOL IMAGEAPI SymInitialize(
[in] HANDLE hProcess,
[in, optional] PCSTR UserSearchPath,
[in] BOOL fInvadeProcess
);
Parameters
[in] hProcess
A handle that identifies the caller. This value should be unique and nonzero, but need not
be a process handle. However, if you do use a process handle, be sure to use the correct
handle. If the application is a debugger, use the process handle for the process being
debugged. Do not use the handle returned by GetCurrentProcess when debugging another
process, because calling functions like SymLoadModuleEx can have unexpected results.
This parameter cannot be NULL.
When debugging under the debugger, GetCurrentProcess always returns -1, not the process handle for the process being debugged.
My question is then: how do I get the correct process handle for the process being debugged while running under a debugger?
I solved it by replaceing GetCurrentProces with OpenProcess as shown below:
//HANDLE process = GetCurrentProcess();
DWORD dwPid = GetCurrentProcessId();
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
I realized OpenProcess can give the right process handle being debugged, however still the code below fails to show the correct call stack trace under the debugger. So my real question is how to make the code print out the right call stack even running under a debugger.
void PrintStackTrace();
void *Allocate(std::size_t objSize)
{
PrintStackTrace();
}
int main()
{
Allocate(100);
}
// This function may be called at any point in time to get a print-out of the stack trace.
void PrintStackTrace()
{
tstringstream stream;
stream << _T("Started a stack trace") << std::endl;
void *stack[256];
//HANDLE process = GetCurrentProcess();
DWORD dwPid = GetCurrentProcessId();
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
SymInitialize(process, NULL, TRUE);
WORD numberOfFrames = CaptureStackBackTrace(0, 256, stack, NULL);
SYMBOL_INFO *symbol = (SYMBOL_INFO *)malloc(sizeof(SYMBOL_INFO) + 1024 * sizeof(TCHAR));
memset(symbol, 0, sizeof(SYMBOL_INFO) + 1024 * sizeof(TCHAR));
symbol->MaxNameLen = 1024;
symbol->SizeOfStruct = sizeof(SYMBOL_INFO);
DWORD displacement;
IMAGEHLP_LINE64 *line = (IMAGEHLP_LINE64 *)malloc(sizeof(IMAGEHLP_LINE64));
memset(line, 0, sizeof(IMAGEHLP_LINE64));
line->SizeOfStruct = sizeof(IMAGEHLP_LINE64);
for (int i = 0; i < numberOfFrames; i++)
{
DWORD64 address = (DWORD64)(stack[i]);
if (SymFromAddr(process, address, NULL, symbol))
{
if (SymGetLineFromAddr64(process, address, &displacement, line))
{
stream << _T("\tat ") << symbol->Name << _T(" in ") << line->FileName << _T(": line: ") << std::dec << line->LineNumber << _T(": address: ") << std::hex << symbol->Address << std::endl;
}
else
{
stream << _T("Error from SymGetLineFromAddr64: ") << std::hex << GetLastError() << std::endl;
stream << _T("\tat ") << symbol->Name << _T(": address: ") << std::hex << symbol->Address << std::endl;
}
}
else
{
stream << _T("Error from SymFromAddr: ") << std::hex << GetLastError() << std::endl;
}
}
tstring str = stream.str();
LPCTSTR message = str.c_str();
std::tcout << message;
free(symbol);
free(line);
}
[The output running in Release mode]
at Allocator::Allocate in e:\allocatorex.h : line: 1094 : address: 0x56E857C0
at Allocator::xAllocator::Allocate in e:\allocatorex.h : line: 2105 : address: 0x56E85C40
at PushFramework::IOBuffer::IOBuffer in e:\iobuffer.h : line: 65 : address: 0x56E97ED0
at PushFramework::PhysicalConnectionPool::createImpl in e:\physicalconnectionpool.h : line: 56 : address: 0x56E98D80
at PushFramework::ConnectionContextPool::initialize in e:\connectioncontextpool.h : line: 52 : address: 0x56E98480
at PushFramework::ServerImpl::start in e:\serverimpl.cpp : line: 289 : address: 0x56E99FE0
at tsServerOnline in e:\dllmain.cpp : line: 15156 : address: 0x56E8DB90
at DllMain in e:\dllmain.cpp : line: 12831 : address: 0x56E8B7B0
at dllmain_dispatch in d:\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp : line: 200 : address: 0x56EA178B
at _DllMainCRTStartup in d:\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp : line: 253 : address: 0x56EA18BC
Error from SymGetLineFromAddr64: 0x1E7
at RtlIpv6AddressToStringA : address: 0x77A227B0
Error from SymGetLineFromAddr64: 0x1E7
at RtlActivateActivationContextUnsafeFast : address: 0x779FDC40
Error from SymGetLineFromAddr64: 0x1E7
at RtlEqualUnicodeString : address: 0x77A01280
Error from SymGetLineFromAddr64: 0x1E7
at RtlEqualUnicodeString : address: 0x77A01280
Error from SymGetLineFromAddr64: 0x1E7
at RtlEqualUnicodeString : address: 0x77A01280
Error from SymGetLineFromAddr64: 0x1E7
at RtlCaptureStackContext : address: 0x77A38C40
Error from SymGetLineFromAddr64: 0x1E7
at LdrInitializeThunk : address: 0x77A162F0
Error from SymGetLineFromAddr64: 0x1E7
at LdrInitializeThunk : address: 0x77A162F0
[The output running in Debug mode]
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymFromAddr: 0x1E7
Error from SymGetLineFromAddr64: 0x1E7
at RtlIpv6AddressToStringA : address: 0x77A227B0
Error from SymGetLineFromAddr64: 0x1E7
at RtlActivateActivationContextUnsafeFast : address: 0x779FDC40
Error from SymGetLineFromAddr64: 0x1E7
at RtlEqualUnicodeString : address: 0x77A01280
Error from SymGetLineFromAddr64: 0x1E7
at RtlEqualUnicodeString : address: 0x77A01280
Error from SymGetLineFromAddr64: 0x1E7
at RtlEqualUnicodeString : address: 0x77A01280
Error from SymGetLineFromAddr64: 0x1E7
at RtlCaptureStackContext : address: 0x77A38C40
Error from SymGetLineFromAddr64: 0x1E7
at LdrInitializeThunk : address: 0x77A162F0
Error from SymGetLineFromAddr64: 0x1E7
at LdrInitializeThunk : address: 0x77A162F0
How can I make the output from Debug mode look the same as the Release mode?

How to resolve code line from Mbed crash dump on Windows 10?

An Mbed code is throwing the crash dump below and I wish to find the line corresponding to the given PC. I'm on Windows though, so the simple "addr2line" is not available. I tried addr2line with Ubuntu shell on Windows, but it gives ??:?
What is the best tool on Windows 10 to perform address-to-line resolution from ARM ELF?
++ MbedOS Fault Handler ++
FaultType: HardFault
Context:
R0: 0
R1: 2000A0C8
R2: 1
R3: 14
R4: 20007854
R5: 2000A0
R6: 68
R7: 0
R8: 0
R9: 0
R10: 0
R11: 0
R12: 29FC1
SP : 2000A8B8
LR : 2C007
PC : 2000A0C8
xPSR : 0
PSP : 2000A898
MSP : 2003FFC0
CPUID: 410FC241
HFSR : 40000000
MMFSR: 0
BFSR : 0
UFSR : 2
DFSR : 0
AFSR : 0
Mode : Thread
Priv : Privileged
Stack: PSP
-- MbedOS Fault Handler --

Oracle ASM database is not started in linux after creation

We try to implement ASM database in oracle linux 7 platform
First we installed oracle grid and database installation 11.2.0.1 completed successfully .
At the time of database creation after reached 86 % is not started , but database is created .
[grid#localhost grid]$ /u01/app/grid/product/11.2.0/grid/bin/srvctl status database -d ram
Database is not running.
[grid#localhost grid]$ /u01/app/grid/product/11.2.0/grid/bin/srvctl start database -d ram
PRCR-1079: Failed to start resource ora.ram.db
CRS-5017: The resource action "ora.ram.db start" encountered the following error:
ORA-01078: failure in processing system parameters
. For details refer to "(:CLSN00107:)" in "/u01/app/grid/product/11.2.0/grid/log/localhost/agent/ohasd/oraagent_grid/oraagent_grid.log".
CRS-2674: Start of 'ora.ram.db' on 'localhost' failed
I Checked below link and proceed the steps:
https://levipereira.wordpress.com/2016/09/01/prcr-1079-crs-5017-ora-01017-dbca-fails-to-create-a-database-in-oracle-restart-environment-12c/
but still not able to start a ASM database
contents of oraagent_grid.log
Oracle Database 11g Clusterware Release 11.2.0.4.0 - Production Copyright 1996, 2011 Oracle. All rights reserved.
2018-07-16 21:26:42.215: [ora.LISTENER.lsnr][3174700800]{0:0:2} [check] execCmd ret = 0
2018-07-16 21:27:09.869: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115784
2018-07-16 21:27:10.771: [ora.evmd][3174700800]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:27:10.771: [ora.evmd][3174700800]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:27:10.771: [ora.evmd][3174700800]{0:0:2} [check] Deep check returned 1
2018-07-16 21:27:32.183: [ora.FRA.dg][3189217024]{0:0:967} [check] CrsCmd::ClscrsCmdData::stat entity 1 statflag 33 useFilter 0
2018-07-16 21:27:32.201: [ora.FRA.dg][3189217024]{0:0:967} [check] DgpAgent::runCheck: asm stat asmRet 0
2018-07-16 21:27:32.202: [ora.FRA.dg][3189217024]{0:0:967} [check] DgpAgent::getConnxn connected
2018-07-16 21:27:32.202: [ora.FRA.dg][3189217024]{0:0:967} [check] DgpAgent::queryDgStatus dgName FRA ret 0
2018-07-16 21:27:40.774: [ora.evmd][3189217024]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:27:40.774: [ora.evmd][3189217024]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:27:40.774: [ora.evmd][3189217024]{0:0:2} [check] Deep check returned 1
2018-07-16 21:27:42.116: [ora.LISTENER.lsnr][3189217024]{0:0:2} [check] Utils:execCmd action = 3 flags = 38 ohome = (null) cmdname = lsnrctl.
2018-07-16 21:27:42.219: [ora.LISTENER.lsnr][3189217024]{0:0:2} [check] execCmd ret = 0
2018-07-16 21:28:09.864: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115800
2018-07-16 21:28:10.776: [ora.evmd][3176802048]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:28:10.776: [ora.evmd][3176802048]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:28:10.776: [ora.evmd][3176802048]{0:0:2} [check] Deep check returned 1
2018-07-16 21:28:39.866: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115808
2018-07-16 21:28:40.778: [ora.evmd][3157808896]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:28:40.778: [ora.evmd][3157808896]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:28:40.778: [ora.evmd][3157808896]{0:0:2} [check] Deep check returned 1
2018-07-16 21:28:42.110: [ora.LISTENER.lsnr][3157808896]{0:0:2} [check] Utils:execCmd action = 3 flags = 38 ohome = (null) cmdname = lsnrctl.
2018-07-16 21:28:42.213: [ora.LISTENER.lsnr][3157808896]{0:0:2} [check] execCmd ret = 0
2018-07-16 21:29:09.868: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115816
2018-07-16 21:29:10.780: [ora.evmd][3159910144]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:29:10.780: [ora.evmd][3159910144]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:29:10.780: [ora.evmd][3159910144]{0:0:2} [check] Deep check returned 1
2018-07-16 21:29:39.869: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115824
2018-07-16 21:29:40.772: [ora.evmd][3189217024]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:29:40.772: [ora.evmd][3189217024]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:29:40.772: [ora.evmd][3189217024]{0:0:2} [check] Deep check returned 1
2018-07-16 21:29:42.114: [ora.LISTENER.lsnr][3189217024]{0:0:2} [check] Utils:execCmd action = 3 flags = 38 ohome = (null) cmdname = lsnrctl.
2018-07-16 21:29:42.217: [ora.LISTENER.lsnr][3189217024]{0:0:2} [check] execCmd ret = 0
2018-07-16 21:30:10.778: [ora.evmd][3176802048]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:30:10.778: [ora.evmd][3176802048]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:30:10.778: [ora.evmd][3176802048]{0:0:2} [check] Deep check returned 1
2018-07-16 21:30:39.863: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115838
2018-07-16 21:30:40.775: [ora.evmd][3176802048]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:30:40.775: [ora.evmd][3176802048]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:30:40.775: [ora.evmd][3176802048]{0:0:2} [check] Deep check returned 1
2018-07-16 21:30:42.118: [ora.LISTENER.lsnr][3176802048]{0:0:2} [check] Utils:execCmd action = 3 flags = 38 ohome = (null) cmdname = lsnrctl.
2018-07-16 21:30:42.221: [ora.LISTENER.lsnr][3176802048]{0:0:2} [check] execCmd ret = 0
2018-07-16 21:31:09.865: [ AGFW][3187115776]{0:0:2} Agent received the message: AGENT_HB[Engine] ID 12293:115846
2018-07-16 21:31:10.777: [ora.evmd][3157808896]{0:0:2} [check] clsdmc_respget return: status=0, ecode=1
2018-07-16 21:31:10.777: [ora.evmd][3157808896]{0:0:2} [check] DaemonAgent::check returned 0
2018-07-16 21:31:10.777: [ora.evmd][3157808896]{0:0:2} [check] Deep check returned 1

For ASM database startup issue in linux , we need to apply a patch for oracle database 11.2.0.4
Patch : 16870214
After applying this patch , Database is able to start . please note it

DB2 10.1 FP4 DB2START gives error

I installed DB2 10.1 FP4 on Windows server 2012 R2 successfully.
When I try to start database using db2start I am getting below error.
DB2 : The service has returned a service-specific error code.
SQL1042C An unexpected system error occurred. SQLSTATE=58004
db2diag.log has below error.
2015-05-14-16.34.51.630000+540 I95881F1126 LEVEL: Error
PID : 4728 TID : 4996 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000
HOSTNAME: <Machine name>
EDUID : 4996 EDUNAME: db2sysc
FUNCTION: DB2 Common, Cryptography, cryptDynamicLoadGSKitCrypto, probe:998
MESSAGE : ECF=0x90000076=-1879048074=ECF_LIB_CANNOT_LOAD
Cannot load the specified library
DATA #1 : unsigned integer, 4 bytes
70
DATA #2 : String, 48 bytes
D:\PROGRA~1\IBM\SQLLIB\bin\icc64\gsk8iccs_64.dll
CALLSTCK:
[0] 0x00007FF93D9642A4 pdOSSeLoggingCallback + 0x134
[1] 0x00007FF93EF1033E ossLog + 0x15E
[2] 0x00007FF93EF1023B ossLog + 0x5B
[3] 0x00007FF91D8E75ED cryptDynamicLoadGSKitCrypto + 0x65D
[4] 0x00007FF91D8E6724 cryptContextRealInit + 0x144
[5] 0x00007FF91D8E6337 cryptContextInit + 0x117
[6] 0x00007FF91C9002E5 sqloRunInstance + 0x1C5
[7] 0x00007FF691442700 0x00007FF691442700 + 0x0
[8] 0x00007FF691441974 0x00007FF691441974 + 0x0
[9] 0x00007FF946B516AD BaseThreadInitThunk + 0xD
[10] 0x00007FF946D04629 RtlUserThreadStart + 0x1D
2015-05-14-16.34.51.834000+540 I97009F922 LEVEL: Error
PID : 4728 TID : 4996 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000
HOSTNAME: <Machine name>
EDUID : 4996 EDUNAME: db2sysc
FUNCTION: DB2 Common, Cryptography, cryptContextInit, probe:105
MESSAGE : ECF=0x90000076=-1879048074=ECF_LIB_CANNOT_LOAD
Cannot load the specified library
DATA #1 : Hex integer, 4 bytes
0x90000076
CALLSTCK:
[0] 0x00007FF93D9642A4 pdOSSeLoggingCallback + 0x134
[1] 0x00007FF93EF1033E ossLog + 0x15E
[2] 0x00007FF93EF1023B ossLog + 0x5B
[3] 0x00007FF91D8E63D5 cryptContextInit + 0x1B5
[4] 0x00007FF91C9002E5 sqloRunInstance + 0x1C5
[5] 0x00007FF691442700 0x00007FF691442700 + 0x0
[6] 0x00007FF691441974 0x00007FF691441974 + 0x0
[7] 0x00007FF946B516AD BaseThreadInitThunk + 0xD
[8] 0x00007FF946D04629 RtlUserThreadStart + 0x1D
2015-05-14-16.34.51.834000+540 I97933F426 LEVEL: Severe
PID : 4728 TID : 4996 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000
HOSTNAME: <Machine name>
EDUID : 4996 EDUNAME: db2sysc
FUNCTION: DB2 UDB, oper system services, sqloRunInstance, probe:50
MESSAGE : ECF=0x90000076=-1879048074=ECF_LIB_CANNOT_LOAD
Cannot load the specified library
2015-05-14-16.34.51.834000+540 I98361F529 LEVEL: Severe
PID : 4728 TID : 4996 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000
HOSTNAME: <Machine name>
EDUID : 4996 EDUNAME: db2sysc
FUNCTION: DB2 UDB, base sys utilities, DB2main, probe:2263
MESSAGE : SQL1042C An unexpected system error occurred.
Any help is appreciate.

How to get field names and offsets of a struct using dbghlp and pdb

I would like to dump the fields and offsets of structures in the same way as windbg's dt command. Let's say for example I would like to dump the _PEB structure which is in the Microsoft Public symbols (since windbg's DT command works).
From MSDN documentation I understood that the SymFromName function should be able to do this, below the is the code I've tried that fails on SymFromName with LastError 126 (The specified module could not be found).
From the registered Callback I get the following output:
CBA_SET_OPTIONS
CBA_SET_OPTIONS
CBA_SET_OPTIONS
CBA_EVENT: code 0 desc DBGHELP: Symbol Search Path: symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols
CBA_DEFERRED_SYMBOL_LOAD_START: C:\Windows\Sysnative\ntdll.dll
CBA_DEFERRED_SYMBOL_LOAD_PARTIAL: C:\Windows\Sysnative\ntdll.dll
CBA_EVENT: code 0 desc DBGHELP: No header for C:\Windows\Sysnative\ntdll.dll. Searching for image on disk
DBGHELP: No header for C:\Windows\Sysnative\ntdll.dll. Searching for image on disk
CBA_EVENT: code 0 desc DBGHELP: C:\Windows\Sysnative\ntdll.dll - OK
DBGHELP: C:\Windows\Sysnative\ntdll.dll - OK
CBA_DEFERRED_SYMBOL_LOAD_COMPLETE: C:\Windows\Sysnative\ntdll.dll
CBA_EVENT: code 0 desc DBGHELP: ntdll - public symbols
C:\Symbols\ntdll.pdb\823B51C37A764AF7BA1558B42B627FAC2\ntdll.pdb
DBGHELP: ntdll - public symbols
C:\Symbols\ntdll.pdb\823B51C37A764AF7BA1558B42B627FAC2\ntdll.pdb
The Code:
const
Index: THandle =1;
Size = (SizeOf(SYMBOL_INFO)-1 + MAX_SYM_NAME * SizeOf(TCHAR) + SizeOf(ULONG64) -1) div SizeOf(ULONG64);
var
Symbol: String;
Filename: String;
Path: String;
dwBaseAddress: DWORD;
im: IMAGEHLP_MODULE64;
Buffer: array[0..Size] of ULONG64;
pSymbol: PSYMBOL_INFO;
SymbolName: array[0..MAX_SYM_NAME-1] of Char;
begin
ZeroMemory(#SymbolName, SizeOf(SymbolName));
SymbolName := '_PEB';
Filename := 'C:\Windows\Sysnative\ntdll.dll';
Path := 'symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols';
{ Initialize }
Win32Check(SymInitialize(Index, nil, False));
{ Register callback to get some debug info }
Win32Check(SymRegisterCallback64(Index, DbgHelpCallback, 0));
{ Set Options }
SymSetOptions(SymGetOptions or SYMOPT_UNDNAME);
SymSetOptions(SymGetOptions or SYMOPT_DEBUG);
SymSetOptions(SymGetOptions or SYMOPT_LOAD_ANYTHING);
{ Set Symbol Path }
Win32Check(SymSetSearchPathW(Index, PChar(Path)));
{ Load Module }
dwBaseAddress := SymLoadModuleExW(Index, 0, PChar(Filename), nil, 0, 0, nil, 0);
Win32Check(dwBaseAddress > 0);
ZeroMemory(#im, SizeOf(im));
im.SizeOfStruct := SizeOf(im);
Win32Check(SymGetModuleInfoW64(Index, dwBaseAddress, im));
ZeroMemory(#Buffer, SizeOf(Buffer));
pSymbol := PSYMBOL_INFO(#Buffer);
pSymbol^.SizeOfStruct := SizeOf(SYMBOL_INFO);
pSymbol^.MaxNameLen := MAX_SYM_NAME;
Win32Check(SymFromNameW(Index, Symbolname, pSymbol));
Win32Check(SymUnloadModule64(Index, dwBaseAddress));
Win32Check(SymCleanup(Index));

I got it to work by using SymGetTypeFromName to get the Symbol Index and then use SymGetTypeInfo to get the details:
const
Index: THandle =1;
Size = (SizeOf(SYMBOL_INFO)-1 + MAX_SYM_NAME * SizeOf(TCHAR) + SizeOf(ULONG64) -1) div SizeOf(ULONG64);
var
Filename: String;
Path: String;
dwBaseAddress: array[0..0] of DWORD;
im: IMAGEHLP_MODULE64;
Buffer: array[0..Size] of ULONG64;
pSymbol: PSYMBOL_INFO;
SymbolName: array[0..MAX_SYM_NAME-1] of Char;
i: Integer;
ChildParams: TI_FINDCHILDREN_PARAMS;
dwOffset: DWORD;
pSymName: PChar;
begin
ZeroMemory(#SymbolName, SizeOf(SymbolName));
SymbolName := '_PEB';
Filename := 'C:\Windows\System32\ntdll.dll';
Path := 'symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols';
{ Initialize }
Win32Check(SymInitialize(Index, nil, False));
{ Register callback to get some debug info }
Win32Check(SymRegisterCallback64(Index, DbgHelpCallback, 0));
{ Set Options }
SymSetOptions(SymGetOptions or SYMOPT_UNDNAME);
SymSetOptions(SymGetOptions or SYMOPT_DEBUG);
SymSetOptions(SymGetOptions or SYMOPT_LOAD_ANYTHING);
{ Set Symbol Path }
Win32Check(SymSetSearchPathW(Index, PChar(Path)));
{ Load Module }
dwBaseAddress[0] := SymLoadModuleExW(Index, 0, PChar(Filename), nil, 0, 0, nil, 0);
ZeroMemory(#im, SizeOf(im));
im.SizeOfStruct := SizeOf(im);
for i := 0 to Length(dwBaseAddress)-1 do
begin
SymGetModuleInfoW64(Index, dwBaseAddress[i], im);
end;
ZeroMemory(#Buffer, SizeOf(Buffer));
pSymbol := PSYMBOL_INFO(#Buffer);
pSymbol^.SizeOfStruct := SizeOf(SYMBOL_INFO);
pSymbol^.MaxNameLen := MAX_SYM_NAME;
{ Get Type Info by Symbol Name (we need the index) }
Win32Check(SymGetTypeFromNameW(Index, dwBaseAddress[0], SymbolName, pSymbol));
{ Get Child Count }
ZeroMemory(#ChildParams, SizeOf(ChildParams));
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], pSymbol^.TypeIndex, TI_GET_CHILDRENCOUNT, #ChildParams.Count));
{ Get Child Info }
// TODO: Caller must reserve memory for the ChildId array (Count * SizeOf(ULONG))
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], pSymbol^.TypeIndex, TI_FINDCHILDREN, #ChildParams));
for i := ChildParams.Start to ChildParams.Count - 1 do
begin
{ Get Child Name }
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], {pSymbol^.TypeIndex + }ChildParams.ChildId[i], TI_GET_SYMNAME, #pSymName));
{ Get Child Offset }
Win32Check(SymGetTypeInfo(Index, dwBaseAddress[0], {pSymbol^.TypeIndex + }ChildParams.ChildId[i], TI_GET_OFFSET, #dwOffset));
Memo1.Lines.Add(Format('+0x%.3x %s', [dwOffset, pSymName]));
LocalFree(Cardinal(pSymName));
end;
for i := 0 to Length(dwBaseAddress)-1 do
begin
Win32Check(SymUnloadModule64(Index, dwBaseAddress[i]));
end;
Win32Check(SymCleanup(Index));
end;
and this is the output:
+0x000 InheritedAddressSpace
+0x001 ReadImageFileExecOptions
+0x002 BeingDebugged
+0x003 BitField
+0x003 ImageUsesLargePages
+0x003 IsProtectedProcess
+0x003 IsLegacyProcess
+0x003 IsImageDynamicallyRelocated
+0x003 SkipPatchingUser32Forwarders
+0x003 SpareBits
+0x004 Mutant
+0x008 ImageBaseAddress
+0x00C Ldr
+0x010 ProcessParameters
+0x014 SubSystemData
+0x018 ProcessHeap
+0x01C FastPebLock
+0x020 AtlThunkSListPtr
+0x024 IFEOKey
+0x028 CrossProcessFlags
+0x028 ProcessInJob
+0x028 ProcessInitializing
+0x028 ProcessUsingVEH
+0x028 ProcessUsingVCH
+0x028 ProcessUsingFTH
+0x028 ReservedBits0
+0x02C KernelCallbackTable
+0x02C UserSharedInfoPtr
+0x030 SystemReserved
+0x034 AtlThunkSListPtr32
+0x038 ApiSetMap
+0x03C TlsExpansionCounter
+0x040 TlsBitmap
+0x044 TlsBitmapBits
+0x04C ReadOnlySharedMemoryBase
+0x050 HotpatchInformation
+0x054 ReadOnlyStaticServerData
+0x058 AnsiCodePageData
+0x05C OemCodePageData
+0x060 UnicodeCaseTableData
+0x064 NumberOfProcessors
+0x068 NtGlobalFlag
+0x070 CriticalSectionTimeout
+0x078 HeapSegmentReserve
+0x07C HeapSegmentCommit
+0x080 HeapDeCommitTotalFreeThreshold
+0x084 HeapDeCommitFreeBlockThreshold
+0x088 NumberOfHeaps
+0x08C MaximumNumberOfHeaps
+0x090 ProcessHeaps
+0x094 GdiSharedHandleTable
+0x098 ProcessStarterHelper
+0x09C GdiDCAttributeList
+0x0A0 LoaderLock
+0x0A4 OSMajorVersion
+0x0A8 OSMinorVersion
+0x0AC OSBuildNumber
+0x0AE OSCSDVersion
+0x0B0 OSPlatformId
+0x0B4 ImageSubsystem
+0x0B8 ImageSubsystemMajorVersion
+0x0BC ImageSubsystemMinorVersion
+0x0C0 ActiveProcessAffinityMask
+0x0C4 GdiHandleBuffer
+0x14C PostProcessInitRoutine
+0x150 TlsExpansionBitmap
+0x154 TlsExpansionBitmapBits
+0x1D4 SessionId
+0x1D8 AppCompatFlags
+0x1E0 AppCompatFlagsUser
+0x1E8 pShimData
+0x1EC AppCompatInfo
+0x1F0 CSDVersion
+0x1F8 ActivationContextData
+0x1FC ProcessAssemblyStorageMap
+0x200 SystemDefaultActivationContextData
+0x204 SystemAssemblyStorageMap
+0x208 MinimumStackCommit
+0x20C FlsCallback
+0x210 FlsListHead
+0x218 FlsBitmap
+0x21C FlsBitmapBits
+0x22C FlsHighIndex
+0x230 WerRegistrationData
+0x234 WerShipAssertPtr
+0x238 pContextData
+0x23C pImageHeaderHash
+0x240 TracingFlags
+0x240 HeapTracingEnabled
+0x240 CritSecTracingEnabled
+0x240 SpareTracingBits
Now on to the next step: use Delphi 2010's RTTI and use this mechanism to compare offsets (this helps me converting headers for the Jedi ApiLib).

I'm not exactly an expert in these things, but the leading underscore in C namemangling is sometimes supposed to be part of the binary format.
Does it work if you remove the leading underscore?