[panda-users] Doubt about VA of callstack_instr
Brendan Dolan-Gavitt
brendandg at nyu.edu
Sat Mar 31 20:05:40 EDT 2018
Not every function in a DLL will be exported, so it's expected that
some functions won't match with the above procedure. You may be able
to get the names of non-exported functions by getting the PDB debug
symbols (using, e.g., "symchk.py" from pdbparse).
On Fri, Mar 30, 2018 at 5:57 PM, Giuseppe Laurenza
<laurenza at diag.uniroma1.it> wrote:
> Dear panda-users,
> I want to discover the name of the function currently called in Windows 7; to do this, I wrote a custom plugin.
> During the on_call, I take the virtual address returned by callstack_instr and then I look for the library (through the get_libraries API) that contains this address in the interval between base_address and base_address plus size. Then, to check that it works, I compute the offset of the function by subtracting the base address of the library from the virtual address and look for it in the export table of the DLL, computing the export table through external utilities (pefile and radare2).
> I tried with some functions of the ntdll.dll and win.dll libraries, but I can't find any match between the offsets computed by me and the function addresses extracted from the library.
>
> This is an example code:
> void on_call(CPUState *env, target_ulong pc) {
>     OsiProc *current = get_current_process(env);
>     OsiModules *ms = get_libraries(env, current);
>     if (ms == NULL) { free_osiproc(current); return; }
>     for (int i = 0; i < ms->num; i++) {
>         target_ulong base = ms->module[i].base;
>         target_ulong size = ms->module[i].size;
>         /* is the call target inside this module's mapping? */
>         if (pc >= base && pc < (base + size)) {
>             /* RVA of the call target, to be compared with the export table */
>             target_ulong function_offset = pc - base;
>             printf("%s+0x%x\n", ms->module[i].name, (unsigned int)function_offset);
>             break;
>         }
>     }
>     free_osimodules(ms);
>     free_osiproc(current);
> }
>
>
> Did I do something wrong?
> Thanks for the help
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
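A worked version of the lookup the thread describes, added here as an example (it is not code from the thread, from PANDA or from pdbparse): a minimal export-table parser over a flat PE image plus the RVA lookup against it, with a constructed sample image standing in for a real DLL. The export names, RVAs, module base and size are made up. The parser assumes RVA == offset, i.e. the bytes are an in-memory mapping (what you get when you read the module out of guest memory); for an on-disk DLL the sections must be mapped first, which pefile does for you. A miss in the export table is reported as "nearest preceding export plus delta", and that is only a hint: as the reply says, the code at that address may be a non-exported function that only the PDB symbols can name.

```python
import struct
from bisect import bisect_right

# Layout constants of the PE headers we touch (all little-endian).
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
EXPORT_DIR_INDEX = 0  # data directory slot of IMAGE_EXPORT_DIRECTORY


def parse_exports(image: bytes) -> dict:
    """Return {rva: name} for the named exports of a flat PE image (RVA == offset)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                      # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic == PE32_MAGIC:
        dirs = opt_hdr + 0x60                        # DataDirectory offset in PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt_hdr + 0x70                        # DataDirectory offset in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    exp_rva, exp_size = struct.unpack_from("<II", image, dirs + 8 * EXPORT_DIR_INDEX)
    if exp_rva == 0:
        return {}                                    # module has no export table
    # IMAGE_EXPORT_DIRECTORY fields from offset 20 onward
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<IIIII", image, exp_rva + 20)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        idx = struct.unpack_from("<H", image, ords + 2 * i)[0]  # unbiased index into AddressOfFunctions
        if idx >= n_funcs:
            continue
        func_rva = struct.unpack_from("<I", image, funcs + 4 * idx)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:
            continue                                 # forwarder string, not code in this module
        end = image.index(b"\0", name_rva)
        exports[func_rva] = image[name_rva:end].decode("ascii")
    return exports


def resolve(pc, base, size, exports):
    """Map a guest VA to (export name, delta). delta == 0 means pc is an export entry point.
    A non-zero delta names the nearest preceding export only; the code at pc may belong to a
    non-exported function that only PDB symbols can identify. Returns None if pc is outside
    the module or lies before its first export."""
    if not (base <= pc < base + size):
        return None
    rva = pc - base
    if rva in exports:
        return exports[rva], 0
    rvas = sorted(exports)
    i = bisect_right(rvas, rva)
    if i == 0:
        return None
    return exports[rvas[i - 1]], rva - rvas[i - 1]


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image with three named exports (not a real DLL)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x14C)                     # Machine = i386
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)                 # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<II", img, opt + 0x60, 0x200, 0x200)       # export directory RVA/size
    # IMAGE_EXPORT_DIRECTORY at 0x200: Name, Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIIIII", img, 0x200 + 12, 0x300, 1, 3, 3, 0x240, 0x260, 0x280)
    func_rvas = [0x1000, 0x1040, 0x1100]                         # constructed RVAs
    names = [("NtClose", 0), ("NtOpenFile", 1), ("RtlAllocateHeap", 2)]
    for i, rva in enumerate(func_rvas):
        struct.pack_into("<I", img, 0x240 + 4 * i, rva)
    img[0x300:0x30A] = b"sample.dll"
    for i, (name, idx) in enumerate(names):
        str_rva = 0x310 + 0x10 * i
        img[str_rva:str_rva + len(name)] = name.encode()
        struct.pack_into("<I", img, 0x260 + 4 * i, str_rva)
        struct.pack_into("<H", img, 0x280 + 2 * i, idx)
    return bytes(img)


MODULE_BASE = 0x77D10000   # constructed base_address as get_libraries() would report it
MODULE_SIZE = 0x2000       # constructed module size


if __name__ == "__main__":
    table = parse_exports(build_sample_image())
    for pc in (MODULE_BASE + 0x1040, MODULE_BASE + 0x1050, MODULE_BASE + 0x10, MODULE_BASE + 0x5000):
        print(hex(pc), resolve(pc, MODULE_BASE, MODULE_SIZE, table))
```

Feeding the plugin's `pc` and the module's `base`/`size` into `resolve` gives an exact name only when `pc - base` is an export entry point; every other result carries a non-zero delta and should be treated as "inside or after this export, symbol unknown", which is exactly the case the PDB symbols are needed for.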