Function address in .pdb is different from .exe, why?
I read the address of my main function from a .pdb file using SymEnumSymbols; the value is 0x0100116e0:
```cpp
#include <windows.h>
#include <dbghelp.h>
#include <string>

// Callback passed to SymEnumSymbols; invoked once per symbol in the module.
BOOL CALLBACK SymEnumSymbolsProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    if (pSymInfo != NULL)
    {
        // Show the symbol
        std::string str = pSymInfo->Name;
        if (str.find("main") != std::string::npos)
        {
            // Address is a ULONG64; it is relative to the base passed to SymLoadModule
            ULONG64 ss = pSymInfo->Address;
        }
    }
    return TRUE;   // keep enumerating
}
```
but the address of this function in the VS2008 disassembly is 004116E0:

```text
int _tmain( int argc, const TCHAR* argv[] )
{
004116E0 push ebp
004116E1 mov ebp,esp
...
}
```
Then I tried to check the result by passing two different addresses to SymGetSymFromAddr64. I got the same function symbol; the only difference was the Address member of PIMAGEHLP_SYMBOL64, which was 100116e0 in one case and 4116E0 in the other. I also tried to test it with Microsoft's dbh.exe:

```text
load TestSymbolLookup.pdb
TestsymbolLookup [1000000]:n main
addr : 10116e0
name : main
size : b2c
flags : 0
type : 2
modbase: 1000000
value : 0
reg : 0
scope : SymTagExe<1>
tag : SymTagFunction<5>
index :1
```
The address of my main function is unique in TestsymbolLookup.exe, so why did I get two different responses?
These addresses are "the same"; they differ from each other because the one in the PDB is a relative virtual address, and the one you find with the enum proc is virtualized. The PDB will always use an address that cannot be hidden on reboot, etc.

If you subtract the base boot address (or the beginning of the .code section, depending), you get an RVA. You may find this question helpful to read.
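The arithmetic behind the answer, as an added example that is not part of the question or the answer above: each tool reports a virtual address relative to the module base it assumed, so the two reports agree once reduced to an RVA. The dbh.exe values (addr 10116e0, modbase 1000000) come from the question; the 0x400000 base paired with the Visual Studio address is the default image base of a 32-bit EXE and is assumed here, as is the 0x10000000 base paired with the SymEnumSymbols value. The bounds check in `rva_of` catches the common mistake of pairing an address with the wrong base, which the original callback silently ignores.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// A symbol address reported by a debugging tool is only meaningful together
// with the module base that tool assumed when it loaded the module.
struct SymbolAddress {
    std::uint64_t address;  // virtual address as reported by the tool
    std::uint64_t modbase;  // base the tool loaded the module at
};

// Convert a reported virtual address to its RVA (offset from the module base).
// An address below the base means the caller paired it with the wrong base,
// so reject it rather than returning a wrapped-around garbage value.
std::uint64_t rva_of(const SymbolAddress& s) {
    if (s.address < s.modbase)
        throw std::invalid_argument("address lies below the module base");
    return s.address - s.modbase;
}

// Relocate an RVA to the base the module actually occupies in a running process
// (or in a disassembly listing that uses the image's preferred base).
std::uint64_t va_at(std::uint64_t rva, std::uint64_t actual_base) {
    return actual_base + rva;
}

// Two reports refer to the same code if their RVAs agree, whatever base each used.
bool same_symbol(const SymbolAddress& a, const SymbolAddress& b) {
    return rva_of(a) == rva_of(b);
}

int main() {
    // From the question: dbh.exe loaded the PDB at modbase 0x1000000.
    SymbolAddress from_dbh{0x10116e0, 0x1000000};
    // VS2008 disassembly showed 0x4116E0; 0x400000 is the default image base
    // of a 32-bit EXE (assumed for this sample, not stated on the page).
    SymbolAddress from_vs{0x4116E0, 0x400000};
    // SymEnumSymbols reported 0x100116e0; a 0x10000000 base is assumed here.
    SymbolAddress from_enum{0x100116e0, 0x10000000};

    std::printf("RVA of main: 0x%llx\n", (unsigned long long)rva_of(from_dbh));
    std::printf("same symbol (dbh vs VS):   %s\n", same_symbol(from_dbh, from_vs) ? "yes" : "no");
    std::printf("same symbol (dbh vs enum): %s\n", same_symbol(from_dbh, from_enum) ? "yes" : "no");
    std::printf("main at preferred base:    0x%llx\n",
                (unsigned long long)va_at(rva_of(from_dbh), 0x400000));

    // Pairing an address with a base above it is an error, not a valid RVA.
    try {
        rva_of(SymbolAddress{0x4116E0, 0x1000000});
    } catch (const std::invalid_argument& e) {
        std::printf("rejected: %s\n", e.what());
    }
    return 0;
}
```

To reconcile a PDB symbol with what the debugger shows, always carry the module base alongside the address: subtract the base the symbol engine used to get the RVA, then add the base the module actually loaded at.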