Reputation: 110
RE - IDA finding function offset
I am just starting out with Reverse Engineering.
I've created a small C++ ConsoleApplication and I am trying to call the NewFunction via an injected DLL.
void NewFunction()
{
DWORD dwImageBase = (DWORD)GetModuleHandle(NULL);
std::cout << "ImageBase: " << ToHex(dwImageBase) << std::endl;
std::cout << "NewFunction: " << ToHex((DWORD)&NewFunction) << std::endl;
std::cout << "Offset: " << ToHex((DWORD)&NewFunction - dwImageBase) << std::endl;
}
Example Output:
ImageBase: F90000
NewFunction: FA111D
Offset: 1111D
Now, when I call 0xFA111D with my injected DLL it works as expected and prints it all over again. (DLL calls ImageBase + Offset)
What I can't figure out though is how to get the address of NewFunction with IDA Pro...
In IDA:
- the function is located at: 0x4133F0
- Imagebase is: 0x400000
- The calculated offset is: 0x133F0
Shouldn't at least the offset be the same? Am I missing something crucial here?
Upvotes: 2
Views: 5884
Answers (1)
Reputation: 25288
The default settings for the Debug build in Visual Studio include enabling incremental linking. The effect of this is that in the compiled binary, every function call goes via a jump stub (this makes it easier for the linker to update the binary with new code without redoing the complete link step).
&NewFunction is returning the address of that stub and not the actual function's implementation.
Upvotes: 5
Related Questions
- Memory address, knowing the offsets and the base address of a dll how can I obtain the memory adress to set values
- Call a member function with offset address from Dll
- How to read AddressOfEntryPoint in memory
- DLL injection and reading memory by offset
- Windbg + IDA: calculate an address in a module
- How to determine memory address of non-exported function in windows executable process?
- IDA Pro Dereference Pointer from a Register and a Constant offset
- Figuring out the memory layout of objects without debugging a running program?
- Finding a function's address in C++
- Confusing function