Incrementally linked functions from the .pdb?
I'm trying to determine a static call graph of an .exe using the .pdb and the DIA SDK. Unfortunately, when linking incrementally, the incremental trampoline thunks called by a function don't show up when using the dia2dump sample.

If you run and link the dia2dump sample (or the simple one here) with debug and incremental linking turned on, calls to wprintf or printf do not show up in any function's symbol dump. However, if you disable incremental linking, they do.

Is there any way to get the incremental trampolines used by a function through DIA? Or should I crack the .obj and .lib files instead?
How are you linking to the CRT? Static or dynamic?

I compiled the sample in VS2010 (with the dynamic/DLL CRT) and loaded the resulting .exe into IDA Pro. Taking the Fatal function (from the sample) as an example, all of its printf calls compile directly into references to the .exe's import entry for that function (i.e., __imp__printf). So that may be why you're not seeing them show up in your dump. If I use static linking to the CRT (with incremental on), it calls the ILT. If I turn incremental off, it calls printf directly (since it's not importing it). With the dynamic CRT, the indirect (calls the import) and ILT (calls the indirect; your 'trampoline', I believe) versions of printf and such still exist in the incremental .exe, but have no code references to them.

The sample correctly dumps the ILTs (printf example below) of itself, so I would figure it would be able to correctly dump them in the function symbol dump when they're actually called. However, my experience with the DIA is limited, so by now I'm more or less talking out of my butt.
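The answer above distinguishes three shapes a call to printf can take in the linked .exe: a direct `call` to the function (incremental linking off, static CRT), a `call` into an incremental-link thunk (ILT) that then `jmp`s to the function (incremental on, static CRT), and a `call` through the `__imp__printf` IAT slot (dynamic CRT). A static call-graph builder that stops at the first `call` target in the incremental case records the thunk instead of printf. The following is an added example, not code from the question, the answer, or the dia2dump sample: it resolves each of those call shapes on 32-bit x86 from raw code bytes, following `E9 rel32` thunks until it reaches real code, and reporting which path was taken. The tiny image it decodes (base address 0x401000, the thunk, the IAT slot, and the 0xDEADBEEF import value) is constructed here for illustration and is not taken from any real binary; a real implementation would read the bytes from the mapped sections of the .exe and could cross-check against the DIA symbols of tag SymTagThunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classification of a resolved call site. */
enum call_kind { CALL_NONE = 0, CALL_DIRECT, CALL_VIA_ILT, CALL_VIA_IMPORT };

/* A flat, already-mapped image: bytes as they would appear at virtual address `base`. */
struct image { const uint8_t *bytes; size_t len; uint32_t base; };

static int read_u8(const struct image *img, uint32_t va, uint8_t *out) {
    if (va < img->base || va - img->base + 1 > img->len) return 0;
    *out = img->bytes[va - img->base];
    return 1;
}

static int read_u32(const struct image *img, uint32_t va, uint32_t *out) {
    if (va < img->base || va - img->base + 4 > img->len) return 0;
    const uint8_t *p = img->bytes + (va - img->base);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* Follow `jmp rel32` (E9) thunks, which is what the incremental linker's ILT
 * entries are, until the address holds something else. `hops` counts thunks. */
static uint32_t follow_thunks(const struct image *img, uint32_t va, int *hops) {
    *hops = 0;
    for (;;) {
        uint8_t op; uint32_t rel;
        if (!read_u8(img, va, &op) || op != 0xE9 || !read_u32(img, va + 1, &rel)) return va;
        if (++*hops > 8) return va;            /* guard against a jmp loop in corrupt input */
        va = va + 5 + rel;                     /* rel32 is relative to the next instruction;
                                                  uint32 wraparound handles negative rel32 */
    }
}

/* Resolve the call at `call_va`. Returns the kind of call and the final target
 * in *target (for an import, the value currently stored in the IAT slot). */
enum call_kind resolve_call(const struct image *img, uint32_t call_va, uint32_t *target) {
    uint8_t op;
    if (!read_u8(img, call_va, &op)) return CALL_NONE;
    if (op == 0xE8) {                          /* call rel32 */
        uint32_t rel; int hops;
        if (!read_u32(img, call_va + 1, &rel)) return CALL_NONE;
        *target = follow_thunks(img, call_va + 5 + rel, &hops);
        return hops ? CALL_VIA_ILT : CALL_DIRECT;
    }
    if (op == 0xFF) {                          /* call dword ptr [abs32]: FF 15 disp32 */
        uint8_t modrm; uint32_t slot, imp;
        if (!read_u8(img, call_va + 1, &modrm) || modrm != 0x15) return CALL_NONE;
        if (!read_u32(img, call_va + 2, &slot) || !read_u32(img, slot, &imp)) return CALL_NONE;
        *target = imp;
        return CALL_VIA_IMPORT;
    }
    return CALL_NONE;
}

/* Constructed sample image (not from a real .exe) exercising all three call shapes. */
static const uint32_t SAMPLE_BASE = 0x00401000u;
static const uint8_t SAMPLE_BYTES[0x70] = {
    /* 0x401000: call 0x401020  -> lands in an ILT thunk (incremental, static CRT) */
    [0x00] = 0xE8, 0x1B, 0x00, 0x00, 0x00,
    /* 0x401005: call 0x401040  -> function directly (non-incremental, static CRT) */
    [0x05] = 0xE8, 0x36, 0x00, 0x00, 0x00,
    /* 0x40100A: call [0x401060] -> through the __imp__printf IAT slot (dynamic CRT) */
    [0x0A] = 0xFF, 0x15, 0x60, 0x10, 0x40, 0x00,
    /* 0x401020: ILT entry: jmp 0x401040 */
    [0x20] = 0xE9, 0x1B, 0x00, 0x00, 0x00,
    /* 0x401040: the real function body (just ret) */
    [0x40] = 0xC3,
    /* 0x401060: IAT slot; constructed value 0xDEADBEEF stands in for the resolved import */
    [0x60] = 0xEF, 0xBE, 0xAD, 0xDE,
};

struct image sample_image(void) {
    struct image img = { SAMPLE_BYTES, sizeof SAMPLE_BYTES, SAMPLE_BASE };
    return img;
}

int main(void) {
    static const char *names[] = { "none", "direct", "via ILT thunk", "via import slot" };
    const uint32_t sites[] = { 0x401000u, 0x401005u, 0x40100Au };
    struct image img = sample_image();
    for (size_t i = 0; i < sizeof sites / sizeof sites[0]; i++) {
        uint32_t t = 0;
        enum call_kind k = resolve_call(&img, sites[i], &t);
        printf("call @ %08X -> %08X (%s)\n", sites[i], t, names[k]);
    }
    return 0;
}
```

Resolving the thunk gives the call graph the edge the question is after (Fatal -> printf) even when the only reference DIA shows is to the ILT entry; the `CALL_VIA_IMPORT` case explains the dynamic-CRT result in the answer, where the symbol dump has nothing to show because the reference goes to the import slot rather than to any function symbol.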