Clever Geek Handbook

Is any instruction pointer described in a specific function?

I have a very tricky problem that I'm trying to solve: let's say I have an arbitrary instruction pointer. I need to find out if the pointer of this instruction is in a specific function (call it "Foo").

One approach to this is to try to find the start and end boundaries of the function and see if the IP is in it. The original estimate is easy to find:

    void * start = & Foo;

The problem is, I don't know how to get the final address of the function (or how "long" the function, in assembly bytes).

Does anyone have any idea how you would get the "length" of the function or a completely different way to do it?

Let's assume there is no SEH or C ++ exception handling in this function. Also note that I am on a win32 platform and have full access to the win32 api.

+2


source to share


5 answers


Take a look at the file *.map

that the linker can generate when linking the program or in the program's debug file ( *.pdb

).



+4


source


It won't work. You are assuming that functions are inherent in memory and that one address will map to one function. The optimizer has a lot of leeway here and can move code from functions around the image.

If you have PDB files you can use something like dbghelp or DIA API to figure it out. For example, SymFromAddr . There may be some ambiguity here, as one address can represent multiple functions.

I've seen code that tries to do this before, with something like:



#pragma optimize("", off)
void Foo()
{
}

void FooEnd()
{
}
#pragma optimize("", on)

And then FooEnd-Foo was used to calculate the length of the Foo function. This approach is incredibly error prone and still makes a lot of assumptions about how exactly the code is generated.

+7


source


Ok, I haven't done an assembly in about 15 years. I didn't do much at the time. Also, it was 680x0 cm.BUT ...

You just don't have to put a shortcut before and after a function, take their addresses, subtract them for the length of the function, and then just compare IPs? I saw how it ended. The latter seems obvious.

If you're doing this in C, look at the debug support first --- ChrisW is on the map with the map files, but also see if your C compiler standard library provides anything for this low-level stuff - most compilers provide tools for stack analysis, etc. .d., for example, although not standard. Otherwise, try just using inline assembly, or wrap the C function with an assembly file and an empty wrapper with these labels.

+2


source


The simplest solution is to store the state variable:

volatile int FOO_is_running = 0;

int Foo( int par ){
  FOO_is_running = 1;

  /* do the work */

  FOO_is_running = 0;
  return 0;
}
+1


source


This is how I do it, but it uses gcc / gdb.

$ gdb ImageWithSymbols

gdb> info line * 0xYourEIPhere

Edit: The formatting gives me the option. Time for another beer.

0


source






More articles:


All Articles