5

Trying to find the invocation method of an EventHandler instance, I had to !do it, and then try to find which method _methodPtr was referring to.

_methodPtr was in my case 32c0e0

I figured it out using dd 32c0e0 (which contains the method address).

However, the first thing I tried was to look at unmanaged code at 32c0e0, which was:

0:000> !U 32c0e0 
Unmanaged code
0032c0e0 e8d55cf567      call    mscorwks!PrecodeFixupThunk (68281dba)
   ... etc ...

PrecodeFixupThunk is not an export of mscorwks, and I cant find anyting on google about it. I guess that windbg is resolving the call using mscorwks.pdb...

My question is: What is PrecodeFixupThunk signature ? I can find its asm code using x and !u, but more generally, is there a way to get a function signature using windbg ?

[edit] FYI :

0:000> x /v /t mscorwks!PrecodeFixupThunk
pub global 68281dba    0 <NoType> mscorwks!PrecodeFixupThunk = <no type information>
Olivier
  • 5,578
  • 2
  • 31
  • 46

1 Answers1

2

It depends. You can build module with private symbols or public symbols. Private symbols contain all information about variables, types, functions. Public symbols contain RVA for variables and functions.

MS usually upload only public symbols or public symbols with some type definitions.

see: http://msdn.microsoft.com/en-us/library/windows/hardware/ff553493(v=vs.85).aspx

pykd team
  • 229
  • 1
  • 2
  • Thank you for this informative link. So if I understand well, mscorwks.pdb includes 'PrecodeFixupThunk' method name (and its address mapping), but no further information ? – Olivier Feb 25 '14 at 13:23
  • That's right. And the second: 'Thunk' postfix may note this function generated from assembler code and has not common prologue/epilogue/calling convention. – pykd team Feb 26 '14 at 06:03