From 11fd323620edf945f4bc0aeae924f6cd8b61becf Mon Sep 17 00:00:00 2001 From: BeneficialCode <3123132899@qq.com> Date: Fri, 3 Jan 2025 20:19:26 +0800 Subject: [PATCH] Enable the SE_DEBUG_NAME privilege --- PdbParser/SymbolHandler.cpp | 15 +++++++++------ PdbParser/SymbolHandler.h | 2 +- WinArk/SymbolHelper.cpp | 32 +++++++++++++++++++++++--------- WinArk/WinArk.cpp | 20 ++++++++++++++++++++ WinArk/WinArk.vcxproj | 1 + 5 files changed, 54 insertions(+), 16 deletions(-) diff --git a/PdbParser/SymbolHandler.cpp b/PdbParser/SymbolHandler.cpp index 95bbecb..a590cb7 100644 --- a/PdbParser/SymbolHandler.cpp +++ b/PdbParser/SymbolHandler.cpp @@ -71,10 +71,8 @@ SymbolHandler::~SymbolHandler() { ::CloseHandle(m_hProcess); } -ULONG64 SymbolHandler::LoadSymbolsForModule(PCSTR moduleName,DWORD64 baseAddress,DWORD dllSize) { - _address = SymLoadModule64(m_hProcess, nullptr, moduleName, moduleName, baseAddress, dllSize); - if (_address == 0) - _address = SymLoadModuleEx(m_hProcess, nullptr, moduleName, nullptr, baseAddress, dllSize, nullptr, 0); +ULONG64 SymbolHandler::LoadSymbolsForModule(PCSTR imageName, PCSTR moduleName, DWORD64 baseAddress,DWORD dllSize) { + _address = SymLoadModuleEx(m_hProcess, nullptr, imageName, nullptr, baseAddress, dllSize, nullptr, 0); return _address; } @@ -152,7 +150,7 @@ DWORD64 SymbolHandler::LoadKernelModule(DWORD64 address) { fullpath.Replace("\\SystemRoot\\", "%SystemRoot%\\"); if (fullpath.Mid(1, 2) == "??") fullpath = fullpath.Mid(4); - return LoadSymbolsForModule(fullpath, (DWORD64)module.ImageBase); + return LoadSymbolsForModule(fullpath, nullptr, (DWORD64)module.ImageBase); } } 
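Review bot: The `moduleName` parameter added to `LoadSymbolsForModule` is never used — the new `SymLoadModuleEx` call still passes `nullptr` for ModuleName, so the names the SymbolHelper callers now supply have no effect and the later `module!symbol` lookups depend on whatever dbghelp derives from `imageName`. Pass it through: `_address = SymLoadModuleEx(m_hProcess, nullptr, imageName, moduleName, baseAddress, dllSize, nullptr, 0);`. With the `SymLoadModule64` fallback dropped, a zero return is now the only failure signal and it goes unreported; per the dbghelp documentation a zero with `GetLastError() == ERROR_SUCCESS` means the module was already loaded, so log `::GetLastError()` when `_address == 0` rather than treating every zero alike. The second hunk only updates the `LoadKernelModule` call site (passing `nullptr` as the module name) and needs no change beyond this.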
@@ -245,7 +243,12 @@ IMAGEHLP_MODULE SymbolHandler::GetModuleInfo(DWORD64 address) { ULONG_PTR SymbolHandler::GetSymbolAddressFromName(PCSTR name) { auto symbol = std::make_unique(); auto info = symbol->GetSymbolInfo(); - ::SymGetSymFromName(m_hProcess, name, info); + BOOL success = ::SymGetSymFromName64(m_hProcess, name, info); + if (!success) { + DWORD error = ::GetLastError(); + std::string value = to_string(error); + OutputDebugStringA(value.c_str()); + } return info->Address; } diff --git a/PdbParser/SymbolHandler.h b/PdbParser/SymbolHandler.h index 6413606..6ac6029 100644 --- a/PdbParser/SymbolHandler.h +++ b/PdbParser/SymbolHandler.h @@ -187,7 +187,7 @@ class SymbolHandler final{ ~SymbolHandler(); HANDLE GetHandle() const; - ULONG64 LoadSymbolsForModule(PCSTR moduleName, DWORD64 baseAddress = 0, DWORD dllSize = 0); + ULONG64 LoadSymbolsForModule(PCSTR imageName,PCSTR moduleName, DWORD64 baseAddress = 0, DWORD dllSize = 0); ULONG_PTR GetSymbolAddressFromName(PCSTR name); diff --git a/WinArk/SymbolHelper.cpp b/WinArk/SymbolHelper.cpp index 64b36da..90d0a89 100644 --- a/WinArk/SymbolHelper.cpp +++ b/WinArk/SymbolHelper.cpp @@ -44,12 +44,17 @@ void SymbolHelper::Init() { _win32kPdb = pdbFile; _win32kModule = std::string(pdbName, 0, pdbName.find(".")); + std::string moduleName = std::string(pdbName, 0, pdbName.find(".")); + + #ifdef _WIN64 _win32kBase = (DWORD64)win32kBase; #else _win32kBase = (DWORD32)win32kBase; #endif + _win32k.LoadSymbolsForModule(_win32kPdb.c_str(), moduleName.c_str(), _win32kBase, _win32kSize); + void* kernelBase = Helpers::GetKernelBase(); size = Helpers::GetKernelImageSize(); @@ -66,6 +71,8 @@ void SymbolHelper::Init() { #else _kernelBase = (DWORD)kernelBase; #endif + moduleName = std::string(pdbName, 0, pdbName.find(".")); + _kernel.LoadSymbolsForModule(_kernelPdb.c_str(), moduleName.c_str(), _kernelBase, _kernelSize); void* flgmgrBase = Helpers::GetKernelModuleBase("fltmgr.sys"); size = Helpers::GetKernelModuleImageSize("fltmgr.sys"); 
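Review bot: On failure `GetSymbolAddressFromName` still falls through to `return info->Address;`, so the zero check that the new SymbolHelper code relies on only works if `GetSymbolInfo()` hands back a zeroed buffer, which this hunk cannot show; make the failure explicit in the new branch: `OutputDebugStringA(value.c_str()); return 0;`. The debug trace is also a bare error number with no context, so `std::string value = "SymGetSymFromName64(" + std::string(name) + ") failed, error " + std::to_string(error);` (qualified `std::to_string`, unless a using-declaration is in scope outside the hunk) makes it usable when several lookups fail in a row.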
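Review bot: In the win32k hunk `moduleName` is built from exactly the expression assigned to `_win32kModule` on the line above, so the new local duplicates a member that already exists; `_win32k.LoadSymbolsForModule(_win32kPdb.c_str(), _win32kModule.c_str(), _win32kBase, _win32kSize);` drops the copy and guarantees the name registered at load time is the one later prefixed in `GetWin32kSymbolAddressFromName`. The kernel hunk that follows has the same shape, recomputing `moduleName` from `pdbName` — presumably reassigned in lines outside the hunk — instead of using `_kernelModule`. In both, the load's return value is discarded, so a missing or undownloadable PDB only surfaces later as an `abort()` inside the symbol lookups; checking for 0 here and logging `::GetLastError()` gives a diagnosable failure point per module.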
@@ -82,6 +89,8 @@ void SymbolHelper::Init() { #else _fltmgrBase = (DWORD)flgmgrBase; #endif + moduleName = std::string(pdbName, 0, pdbName.find(".")); + _fltmgr.LoadSymbolsForModule(_fltmgrPdb.c_str(), moduleName.c_str(), _fltmgrBase, _fltmgrSize); void* ciBase = Helpers::GetKernelModuleBase("ci.dll"); size = Helpers::GetKernelModuleImageSize("ci.dll"); @@ -98,13 +107,8 @@ void SymbolHelper::Init() { #else _ciBase = (DWORD)ciBase; #endif - - _win32k.LoadSymbolsForModule(_win32kPdb.c_str(), _win32kBase, _win32kSize); - _kernel.LoadSymbolsForModule(_kernelPdb.c_str(), _kernelBase, _kernelSize); - _fltmgr.LoadSymbolsForModule(_fltmgrPdb.c_str(), _fltmgrBase, _fltmgrSize); - _ci.LoadSymbolsForModule(_ciPdb.c_str(), _ciBase, _ciSize); - - + moduleName = std::string(pdbName, 0, pdbName.find(".")); + _ci.LoadSymbolsForModule(_ciPdb.c_str(), moduleName.c_str(), _ciBase, _ciSize); } std::unique_ptr SymbolHelper::GetSymbolFromAddress(DWORD64 address, PDWORD64 offset) { 
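Review bot: The ci hunk repeats the `moduleName = std::string(pdbName, 0, pdbName.find("."));` plus `LoadSymbolsForModule` pair for the fourth time, and none of the four loads in `Init` checks its result, so a failed load is only noticed when a later lookup calls `abort()`. A small file-local helper that derives the stem, performs the load and reports `::GetLastError()` on zero removes the duplication and names the module that failed; if `_fltmgrModule`/`_ciModule` members exist alongside `_kernelModule` and `_win32kModule` (not visible here), pass those instead of re-deriving the stem. `Init` runs past the hunk on both sides, so the helper would be placed above it.
```cpp
// Loads symbols for one module and reports a failed load to the debugger output.
static bool LoadModuleSymbols(SymbolHandler& handler, const std::string& pdbPath,
                              const std::string& pdbName, DWORD64 base, DWORD size) {
    const std::string stem(pdbName, 0, pdbName.find('.'));
    if (handler.LoadSymbolsForModule(pdbPath.c_str(), stem.c_str(), base, size) != 0)
        return true;
    // dbghelp also returns 0 with ERROR_SUCCESS when the module was already loaded.
    const std::string msg = "LoadSymbolsForModule(" + pdbPath + ") failed, error " +
                            std::to_string(::GetLastError());
    OutputDebugStringA(msg.c_str());
    return false;
}
// … unchanged: base/size lookups and the other three modules …
LoadModuleSymbols(_ci, _ciPdb, pdbName, _ciBase, _ciSize);
```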
@@ -118,13 +122,23 @@ std::unique_ptr SymbolHelper::GetSymbolFromAddress(DWORD64 address, // https://blog.csdn.net/xiaoxinjiang/article/details/7013488 ULONG64 SymbolHelper::GetKernelSymbolAddressFromName(PCSTR name) { std::string symbolName = _kernelModule + "!" + name; - return _kernel.GetSymbolAddressFromName(symbolName.c_str()); + ULONG64 addr = _kernel.GetSymbolAddressFromName(symbolName.c_str()); + if (addr == 0) { + OutputDebugStringA(symbolName.c_str()); + abort(); + } + return addr; } ULONG64 SymbolHelper::GetWin32kSymbolAddressFromName(PCSTR name) { // https://stackoverflow.com/questions/4867159/how-do-you-use-symloadmoduleex-to-load-a-pdb-file std::string symbolName = _win32kModule + "!" + name; - return _win32k.GetSymbolAddressFromName(symbolName.c_str()); + ULONG64 addr = _win32k.GetSymbolAddressFromName(symbolName.c_str()); + if (addr == 0) { + OutputDebugStringA(symbolName.c_str()); + abort(); + } + return addr; } DWORD SymbolHelper::GetKernelStructMemberOffset(std::string name, std::string memberName) { diff --git a/WinArk/WinArk.cpp b/WinArk/WinArk.cpp index 036ecd8..36498d8 100644 --- a/WinArk/WinArk.cpp +++ b/WinArk/WinArk.cpp @@ -99,6 +99,24 @@ bool RemoveNotifyIcon() { return Shell_NotifyIcon(NIM_DELETE, ¬ifyIcon); } +bool EnableDebugPrivilege() { + HANDLE hToken; + if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) + return false; + + TOKEN_PRIVILEGES tp; + tp.PrivilegeCount = 1; + tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; + if (!::LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) + return false; + + auto success = ::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), nullptr, nullptr); + auto error = ::GetLastError(); + ::CloseHandle(hToken); + + return success && error == ERROR_SUCCESS; +} + int Run(LPTSTR lpstrCmdLine = nullptr, int nCmdShow = SW_SHOWDEFAULT) { CMessageLoop theLoop; _Module.AddMessageLoop(&theLoop); 
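Review bot: Calling `abort()` when a symbol does not resolve turns every ordinary symbol drift between Windows builds, or an offline symbol server, into an immediate crash of the whole tool with no destructors run, and the only trace is the bare symbol name written by `OutputDebugStringA`. For a kernel-inspection tool that is the expected failure mode rather than a programmer error, so keep returning 0 (which the previous code already did) or throw a `std::runtime_error` carrying the name, and let the callers decide; at minimum record why it failed: `OutputDebugStringA((symbolName + " not found, error " + std::to_string(::GetLastError())).c_str());`. The same applies to the identical block in `GetWin32kSymbolAddressFromName`; both functions are complete within the hunk, while `GetKernelStructMemberOffset`, whose signature closes it, continues outside.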
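Review bot: `EnableDebugPrivilege` leaks `hToken` when `LookupPrivilegeValue` fails, because that early `return false` skips the `CloseHandle` further down; either close it there, `if (!::LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) { ::CloseHandle(hToken); return false; }`, or do the LUID lookup before opening the token since it does not need one. Reading `GetLastError()` after a successful `AdjustTokenPrivileges` is correct — the call returns TRUE with `ERROR_NOT_ALL_ASSIGNED` when the token does not hold SeDebugPrivilege (e.g. not elevated) — and deserves a one-line comment so the next reader does not "simplify" it away: `// AdjustTokenPrivileges succeeds even when the privilege is absent; ERROR_NOT_ALL_ASSIGNED is the real failure signal.`. `TOKEN_PRIVILEGES tp{};` would also make the value-initialisation explicit.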
@@ -237,6 +255,8 @@ int WINAPI _tWinMain(HINSTANCE hInstance, HINSTANCE /*hPrevInstance*/, LPTSTR lp SecurityHelper::EnablePrivilege(SE_SYSTEM_ENVIRONMENT_NAME, true); + EnableDebugPrivilege(); + if (CheckInstall(lpstrCmdLine)) return 0; diff --git a/WinArk/WinArk.vcxproj b/WinArk/WinArk.vcxproj index c3a4df7..c0c1128 100644 --- a/WinArk/WinArk.vcxproj +++ b/WinArk/WinArk.vcxproj @@ -47,6 +47,7 @@ false v142 Unicode + false
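Review bot: The result of `EnableDebugPrivilege()` is discarded at the call site, so when WinArk runs without SeDebugPrivilege in its token nothing records it and later `OpenProcess` failures will look unrelated; at least `if (!EnableDebugPrivilege()) OutputDebugStringA("SeDebugPrivilege unavailable; process inspection will be limited\n");`. The line just above already uses `SecurityHelper::EnablePrivilege(SE_SYSTEM_ENVIRONMENT_NAME, true)`, so `SecurityHelper::EnablePrivilege(SE_DEBUG_NAME, true);` would avoid a second hand-rolled privilege routine in WinArk.cpp, assuming that helper performs the same adjustment (its body is not in this diff). Holding SeDebugPrivilege enabled for the whole process lifetime is expected for an ARK tool, but a short comment stating that intent is worth adding, since it widens what any code running in this process can open. `_tWinMain` starts and ends outside the hunk.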