
Function address in .pdb is different from .exe, why?

I read the address of my main function from the .pdb file with SymEnumSymbols; the value is 0x0100116e0,

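#include <windows.h>
#include <dbghelp.h>
#include <string>

BOOL CALLBACK SymEnumSymbolsProc(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    if (pSymInfo != NULL)
    {
        // Look for symbols whose name contains "main"
        std::string str = pSymInfo->Name;
        if (str.find("main") != std::string::npos)
        {
            // Address is a ULONG64; storing it in an int would truncate it
            ULONG64 ss = pSymInfo->Address;
        }
    }
    return TRUE; // continue the enumeration
}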

But this function's address in VS2008's disassembly is 004116E0

int _tmain( int argc, const TCHAR* argv[] )
{
    004116E0  push        ebp  
    004116E1  mov         ebp,esp 
    ...
}

Then I tried to verify the result by passing the 2 different addresses to SymGetSymFromAddr64. I got the same function symbol, as expected; the only difference was the Address member of PIMAGEHLP_SYMBOL64: one was 100116e0 while the other was 4116E0. I also tried to verify it with Microsoft's dbh.exe; the command is

load TestSymbolLookup.pdb
TestsymbolLookup [1000000]:n main
addr   : 10116e0
name   : main
size   : b2c
flags  : 0
type   : 2
modbase: 1000000
value  : 0
reg    : 0
scope  : SymTagExe<1>
tag    : SymTagFunction<5>
index  :1

My main function's address is unique in TestsymbolLookup.exe, but why did I get 2 different answers?

user1991149 asked Dec 14 '25 20:12


1 Answer

Those addresses are the "same"; they differ because the one in the PDB is the relative virtual address, while the one you are finding with the enum proc has been virtualized. The PDB will always use an address that cannot be obscured by rebasing etc.

If you subtract the base loading address (or the start of the .code section, depending), you'll get the RVA. This SO question may prove to be useful to read.

Necrolis answered Dec 16 '25 09:12
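The rebasing arithmetic the answer describes, as an added example that is not part of the original answer: it subtracts the module base from a DbgHelp-reported address to get the RVA, reads the preferred ImageBase from the PE header (PE32 or PE32+), and adds the two to get the address a disassembler shows. The function names are illustrative, and the sample header is constructed with an assumed ImageBase of 0x00400000, the value consistent with the 004116E0 listing and the dbh output in the question.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Bounds-checked little-endian read of an unsigned integer of type T.
template <typename T>
bool rd(const std::vector<uint8_t>& b, size_t off, T& out) {
    if (off > b.size() || b.size() - off < sizeof(T)) return false;
    uint64_t v = 0;
    for (size_t i = 0; i < sizeof(T); ++i) v |= uint64_t(b[off + i]) << (8 * i);
    out = static_cast<T>(v);
    return true;
}

// Read the preferred ImageBase from a PE header (PE32 or PE32+).
bool preferredImageBase(const std::vector<uint8_t>& pe, uint64_t& base) {
    uint16_t mz = 0, magic = 0;
    uint32_t lfanew = 0, sig = 0, base32 = 0;
    if (!rd(pe, 0, mz) || mz != 0x5A4D) return false;            // "MZ"
    if (!rd(pe, 0x3C, lfanew)) return false;                      // e_lfanew
    if (!rd(pe, lfanew, sig) || sig != 0x00004550) return false;  // "PE\0\0"
    const size_t opt = size_t(lfanew) + 4 + 20;                   // skip signature + COFF header
    if (!rd(pe, opt, magic)) return false;
    if (magic == 0x10B) {                                         // PE32: 32-bit ImageBase at +28
        if (!rd(pe, opt + 28, base32)) return false;
        base = base32;
        return true;
    }
    if (magic == 0x20B) return rd(pe, opt + 24, base);            // PE32+: 64-bit ImageBase at +24
    return false;
}

// DbgHelp address (module base used at load time + RVA) -> VA at the preferred base.
bool toPreferredVa(const std::vector<uint8_t>& pe, uint64_t symAddr, uint64_t modBase, uint64_t& va) {
    uint64_t imageBase = 0;
    if (symAddr < modBase || !preferredImageBase(pe, imageBase)) return false;
    va = (symAddr - modBase) + imageBase;                         // RVA + preferred base
    return true;
}

// Constructed sample (not a real binary): minimal PE32 header with the given ImageBase.
std::vector<uint8_t> makeSampleHeader(uint32_t imageBase) {
    std::vector<uint8_t> pe(0x80 + 24 + 32, 0);
    pe[0] = 'M'; pe[1] = 'Z'; pe[0x3C] = 0x80;                    // e_lfanew = 0x80
    pe[0x80] = 'P'; pe[0x81] = 'E';
    pe[0x98] = 0x0B; pe[0x99] = 0x01;                             // optional header magic 0x10B
    for (int i = 0; i < 4; ++i) pe[0x98 + 28 + i] = uint8_t(imageBase >> (8 * i));
    return pe;
}
```

With the dbh values from the question (addr 10116e0, modbase 1000000), `toPreferredVa` yields 0x4116E0 for the sample header.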


