Get module name with function + offset

Question

Get module name with function + offset

I am trying to figure out how to get the module function + stream offset. Compatible with the way Process Explorer renders a stream in it. Example....

Ntdll! TplsTimerSet + 0x07c0

I can pull out the starting address with no problem and I can also resolve the starting address of the module. I can get the start address to show "ntdll.dll" plus the offset (startaddress - baseaddress), but not the function. So mine looks like this.

Ntdll + 3BC0C

I would like to find what function dll dll dll is taking place. In this case, the Tplstimerset. I know I'll have to calculate the offset difference and function address, but that should be easy. This code can be in C ++ Delphi / Pascal. Thanks in advanced.

+2

function multithreading module process dll

CW 11 Mar At 4:31 am

source to share

1 answer

Steven liang · Answer 1 · 2019-04-12T06:27:51+0000

In Process Explorer -> Options -> Configure Symbols, you can see that symbol files are used to enable functions.

These symbols are from Microsoft, and windbg and Visual Studio use them when debugging.

If you've run windbg and downloaded a single executable, enter "x ntdll! *" To show all ntdll named functions, the asterisk means it matches all.

I assume you need to get the addresses of named functions programmatically, you may need the .pdb file specification .

Get module name with function + offset

More articles: