functionhunter

Reputation: 15

Locating functions with DIA SDK - strange results

I am trying to locate a specific function in a .pdb file. Originally I compiled a simple "hello, world" program and analyzed the names of the functions using the IDiaSymbol::get_name method, but I couldn't locate my function.

After this, I tried including a __declspec(naked) void myFunction(void){} function in my helloworld.pdb file, in order to use the IDiaSymbol::get_isNaked method to locate my function; however, when I did this, nothing at all was printed, entailing there are no naked functions in my code.

#include <atlbase.h>   // CComPtr
#include <dia2.h>      // IDiaTable, IDiaEnumSymbols, IDiaSymbol
#include <cstdio>

//After initialization, creating instance, etc (pTable is the IDiaTable being walked)
LONG blongTableCount = 0;
pTable->get_Count(&blongTableCount);   // number of rows in this table

IDiaEnumSymbols* pUnknown = NULL;
if (pTable->QueryInterface(__uuidof(IDiaEnumSymbols), (void**) &pUnknown) == S_OK) {
    printf("Supports Symbol module\n");
    CComPtr<IDiaSymbol> pSymbol;
    int counter = 0;
    for (LONG i = 0; i < blongTableCount; i++)
    {
        if (pUnknown->Item(i, &pSymbol) != S_OK) {
            fprintf(stderr, "Error: pUnknown->Item\n");
            continue;   // pSymbol is NULL here; dereferencing it would crash
        }

        BOOL isFunction = FALSE;
        if (pSymbol->get_function(&isFunction) == S_OK && isFunction == TRUE) {
            counter += 1;

            //With the following I could not find my functions
            BSTR symName = NULL;
            if (pSymbol->get_name(&symName) == S_OK) {
                printf("Name of symbol: %S\n", symName);
                SysFreeString(symName);   // get_name allocates the BSTR; free it
            }

            //Check for naked functions - I included a declspec(naked) function for testing.
            //S_OK only means the property was retrieved; the BOOL holds the answer.
            BOOL isNaked = FALSE;
            if (pSymbol->get_isNaked(&isNaked) == S_OK && isNaked == TRUE) {
                printf("This is a naked function\n");
            }
        }

        pSymbol = NULL;   // release before CComPtr::operator& is used on it again
    }
    printf("Number of functions: %d\n", counter);
    pUnknown->Release();
}

EDIT: Included my simple .pdb program below (it was a "hello world" program; it now contains a simple __declspec(naked) function):

#include <iostream>

__declspec(naked) void myFunction(void) {
    
    __asm {
        ret
    }

}

int main()
{
    myFunction();
    return 0;
}

What I expected from parsing the symbol table: The same results you would get when parsing an ELF file on *NIX - a symbol table containing the actual names I wrote for my function, so something like ".text myFunction"

What is actually printed out: many WinAPI functions and other compiler-generated functions, probably due to my function being optimized out.

Example:

Name of symbol: main
Name of symbol: __acrt_thread_attach
Name of symbol: _RTC_NumErrors
Name of symbol: ReadNoFence64
Name of symbol: __setusermatherr
Name of symbol: _RTC_SetErrorFuncW
Name of symbol: IsProcessorFeaturePresent
Name of symbol: GetLastError
Name of symbol: __acrt_initialize

Upvotes: 0

Views: 81

Answers (0)