[panda-users] Doubt about VA of callstack_instr
Giuseppe Laurenza
laurenza at diag.uniroma1.it
Fri Mar 30 17:57:06 EDT 2018
Dear panda-users,
I want to discover the name of the function currently called in Windows 7; to do this I wrote my custom plugin.
During on_call, I take the virtual address returned by callstack_instr and then I look for the library (through the get_libraries API) that contains this address in the interval from base_address to base_address plus size. Then, to check whether it works, I computed the offset of the function by subtracting the base address of the library from the virtual address and checked for it in the export table of the DLL, computing the export table through external utilities (pefile and radare2).
I tried with some functions of the ntdll.dll and win.dll libraries, but I can't find any match between the offsets computed by me and the addresses of the functions extracted from the library.
This is an example code:
#include "panda/plugin.h"
#include "osi/osi_types.h"
#include "osi/osi_ext.h"

void on_call(CPUState *env, target_ulong pc) {
    OsiProc *current = get_current_process(env);
    if (current == NULL) return;
    OsiModules *ms = get_libraries(env, current);
    if (ms == NULL) { free_osiproc(current); return; }
    for (int i = 0; i < ms->num; i++) {
        target_ulong base = ms->module[i].base;  // target_ulong, not unsigned int, so 64-bit guest addresses are not truncated
        target_ulong size = ms->module[i].size;
        if (pc >= base && pc < base + size) {  // pc lies in [base, base + size)
            target_ulong function_offset = pc - base;  // offset from the load base (RVA)
            printf("%s+0x" TARGET_FMT_lx "\n", ms->module[i].name, function_offset);
            break;
        }
    }
    free_osimodules(ms);  // OSI results are heap-allocated and must be freed
    free_osiproc(current);
}
Did I do something wrong?
Thanks for the help
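As an added illustration (not part of the original message, and not PANDA code), the VA-to-export lookup the post describes, done in Python against a constructed export directory: the MODULES table stands in for what get_libraries() reports, and the ntdll.dll load base, image and export RVAs are sample values.

```python
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes, little-endian

def build_export_image(exports, export_dir_rva=0x200, image_size=0x1000):
    # Constructed test data: export directory, its three tables and the name
    # strings, written into a zero-filled buffer laid out as if mapped at RVA 0.
    n = len(exports)
    funcs_rva = export_dir_rva + struct.calcsize(EXPORT_DIR_FMT)
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    cursor = ords_rva + 2 * n  # name strings follow the tables
    image = bytearray(image_size)
    struct.pack_into(EXPORT_DIR_FMT, image, export_dir_rva,
                     0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    for i, (name, func_rva) in enumerate(exports):
        encoded = name.encode("ascii") + b"\0"
        image[cursor:cursor + len(encoded)] = encoded
        struct.pack_into("<I", image, funcs_rva + 4 * i, func_rva)
        struct.pack_into("<I", image, names_rva + 4 * i, cursor)
        struct.pack_into("<H", image, ords_rva + 2 * i, i)  # unbiased ordinal
        cursor += len(encoded)
    return bytes(image)

def parse_exports(image, export_dir_rva):
    # Walk AddressOfNames -> AddressOfNameOrdinals -> AddressOfFunctions and
    # return {function_rva: name}. Forwarder entries are not distinguished.
    fields = struct.unpack_from(EXPORT_DIR_FMT, image, export_dir_rva)
    n_names, funcs_rva, names_rva, ords_rva = fields[7:11]
    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
        result[func_rva] = image[name_rva:image.index(b"\0", name_rva)].decode()
    return result

# Constructed module list in the shape get_libraries() reports: (name, base, size).
NTDLL_IMAGE = build_export_image([("NtClose", 0x300), ("NtOpenFile", 0x340)])
MODULES = [("ntdll.dll", 0x77A40000, len(NTDLL_IMAGE))]  # sample load base
EXPORTS = {"ntdll.dll": parse_exports(NTDLL_IMAGE, 0x200)}

def resolve(pc):
    # Same steps as the plugin: containing module, RVA = pc - base, export lookup.
    for name, base, size in MODULES:
        if base <= pc < base + size:
            rva = pc - base
            export = EXPORTS[name].get(rva)
            return f"{name}!{export}" if export else f"{name}+0x{rva:x}"
    return None
```

An RVA that matches no export name resolves to module+offset, which is the case to expect when the call target is an internal, non-exported routine.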