Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Loaded Symbols

Time was spent to download and install the Symbols Packages, so let's see what hints they provide. Issue the following within the Command window to get a list of all available symbols for WinMine.

x WinMine!*

The e(x)amine command interprets everything to the left of the exclamation point as a regular expression mask for the module name, and everything to the right as a regular expression mask for the symbol name. For more information on regular expression syntax, the reader is encouraged to read the related documents in the reference section [10].

A list of symbols will scroll within the Command window.

...
01003df6 winmine!GetDlgInt = <no type information>
010026a7 winmine!DrawGrid = <no type information>
0100263c winmine!CleanUp = <no type information>
01005b30 winmine!hInst = <no type information>
01003940 winmine!Rnd = <no type information>
01001b81 winmine!DoEnterName = <no type information>
...
From this listing, it is not possible to positively ascertain which symbols represent functions and which represent variables. This is due, as WinDBG has pointed out, to the absence of type information, which is typical of public symbol files. Thankfully, methodologies exist that allow the reader to, at a minimum, distinguish functions from non-functions. Assuming the reader is not well versed in reading assembly, methods requiring that skill set will be avoided for the moment. An alternative technique, examining virtual memory protections, will be investigated instead; it is relatively easy to comprehend and apply,
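The two ideas in this section, the module!symbol mask of the x command and the use of page protections to tell code from data, can be exercised offline. The following Python script is an added example and is not part of the original article or of WinDBG itself. It parses a constructed copy of the listing above, applies a simplified mask (only * and ? are handled, which is an assumption about the syntax, not a full implementation of WinDBG's mask rules), and then classifies each symbol by whether its address lies in an executable region. The region table (bases, sizes, protections) is constructed for illustration and is not taken from a real winmine.exe; the protection constants are the standard Win32 PAGE_* values.

```python
import re

# Constructed sample of "x winmine!*" output, modelled on the listing on
# the page (addresses and names as printed there).
SYMBOL_LISTING = """\
01003df6 winmine!GetDlgInt = <no type information>
010026a7 winmine!DrawGrid = <no type information>
0100263c winmine!CleanUp = <no type information>
01005b30 winmine!hInst = <no type information>
01003940 winmine!Rnd = <no type information>
01001b81 winmine!DoEnterName = <no type information>
"""

# Win32 page protection constants. Every PAGE_EXECUTE* value has one of the
# bits in 0xF0 set, which is what the classifier tests for.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
EXECUTE_MASK = 0xF0

# Constructed region table standing in for what a debugger reports about the
# image's sections: (base, size, protection). Assumed values for illustration.
REGIONS = [
    (0x01001000, 0x4000, PAGE_EXECUTE_READ),  # assumed code (.text-like) region
    (0x01005000, 0x1000, PAGE_READWRITE),     # assumed data (.data-like) region
]

# One listing line: 8 hex digits, whitespace, module!symbol, " = ..."
SYMBOL_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([^!\s]+)!(\S+)\s*=")


def parse_symbols(listing):
    """Return a list of (address, module, symbol) tuples from x-style output."""
    symbols = []
    for line in listing.splitlines():
        match = SYMBOL_RE.match(line.strip())
        if match:
            symbols.append((int(match.group(1), 16), match.group(2), match.group(3)))
    return symbols


def mask_to_regex(mask):
    """Turn a wildcard mask into a whole-string, case-insensitive regex.

    '*' matches any run of characters and '?' a single character; everything
    else is literal. This is a simplification of the debugger's mask syntax.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def examine(symbols, pattern):
    """Filter symbols the way 'x module!symbol' does: left of '!' masks the
    module name, right of '!' masks the symbol name."""
    module_mask, symbol_mask = pattern.split("!", 1)
    module_re = mask_to_regex(module_mask)
    symbol_re = mask_to_regex(symbol_mask)
    return [s for s in symbols if module_re.match(s[1]) and symbol_re.match(s[2])]


def protection_at(address, regions):
    """Protection of the region containing address, or None if unmapped."""
    for base, size, protection in regions:
        if base <= address < base + size:
            return protection
    return None


def classify(symbols, regions):
    """Map symbol name -> 'function', 'data' or 'unknown' from page protection.

    A symbol in an executable region is treated as code; a symbol in a
    non-executable region as data. This is a heuristic: read-only constants
    can live in a code section and function pointers live in data.
    """
    kinds = {}
    for address, _module, name in symbols:
        protection = protection_at(address, regions)
        if protection is None:
            kinds[name] = "unknown"
        elif protection & EXECUTE_MASK:
            kinds[name] = "function"
        else:
            kinds[name] = "data"
    return kinds


if __name__ == "__main__":
    syms = parse_symbols(SYMBOL_LISTING)
    kinds = classify(syms, REGIONS)
    for address, module, name in examine(syms, "WinMine!*"):
        print(f"{address:08x} {module}!{name}: {kinds[name]}")
```

Run as-is, the script lists every symbol and reports GetDlgInt, DrawGrid, CleanUp, Rnd and DoEnterName as functions and hInst as data, which matches the naming in the listing. The classification is only as good as the region table, and an executable page can still hold constants, which is why the article promises to distinguish functions from non-functions "at a minimum" rather than with certainty.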