-1

I'm performing dynamic analysis on a windows VM in QEMU. I would like to look up what function is currently executing inside the Guest OS based on EIP (I just want to have an idea of what the OS is doing).

Is there an equivalent of System.map for windows? When doing a similar task in Linux, that is what I would typically use.

I am aware of the windows symbol packages, but I'm trying to figure out how to do this without using two windows VMs since I don't need full debug information, just function addresses.

I am currently using windows 7

zje
  • 3,824
  • 4
  • 25
  • 31
  • I'm still kinda curious as to what was wrong with this question and would appreciate a comment from the downvoter... – zje Aug 25 '15 at 14:19

1 Answers1

0

After much searching, I could find no such equivalent or software that will provide one.

So I forked an example and now generate the file that I'm looking for: https://github.com/zestrada/Dia2Dump_nm

This uses the Microsoft DIA SDK https://msdn.microsoft.com/en-us/library/x93ctkx8.aspx to parse a PDB file for the kernel, ntkrnlmp.pdb (available: https://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx)

zje
  • 3,824
  • 4
  • 25
  • 31