Function address in .pdb is different from .exe, why?

I read the address of my main function from a .pdb file using SymEnumSymbols, the value is 0x0100116e0,

#include <windows.h>
#include <dbghelp.h>
#include <string>

BOOL CALLBACK SymEnumSymbolsProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    if (pSymInfo != NULL)
    {
        // Show the symbol
        std::string str = pSymInfo->Name;
        if (str.find("main") != std::string::npos)
        {
            // Address is a DWORD64: the ModBase the module was loaded at plus the symbol's RVA
            ULONG64 ss = pSymInfo->Address;
        }
    }
    return TRUE;   // keep enumerating
}


but this function address in VS2008 disassembled code is 004116E0

int _tmain( int argc, const TCHAR* argv[] )
{
    004116E0  push        ebp
    004116E1  mov         ebp,esp
    ...
}


then I tried to check the result by passing 2 different addresses to SymGetSymFromAddr64, I got the same function symbol, the only difference was the PIMAGEHLP_SYMBOL64 address member, one was 100116e0 and the other was 4116E0. I also tried to test it with microsoft dbh.exe, command

load TestSymbolLookup.pdb
TestsymbolLookup [1000000]:n main
addr   : 10116e0
name   : main
size   : b2c
flags  : 0
type   : 2
modbase: 1000000
value  : 0
reg    : 0
scope  : SymTagExe<1>
tag    : SymTagFunction<5>
index  : 1


my main function address is unique in TestsymbolLookup.exe, but why did I get 2 different responses?



1 answer


These addresses are "the same", they differ from each other because one in the PDB is a relative virtual address, and the one you find with the enum proc is virtualized. PDB will always use an address that cannot be hidden on reboot, etc.



If you subtract the base boot address (or the start of the .code section, depending), you get an RVA. You may find this question helpful to read.
