
I'm using the symEnumSymbol function from the dbghelp library to get details about any malloc symbols in an executable. One of the arguments that I need to pass is a callback function with the following signature:

BOOL CALLBACK EnumSymProc(
    PSYMBOL_INFO pSymInfo,
    ULONG SymbolSize,
    PVOID UserContext);

And I want to extract all the data I can from those parameters.

The Windows Dev Center provides this insufficient description of the second one:

SymbolSize: The size of the symbol, in bytes. The size is calculated and is actually a guess. In some cases, this value can be zero.

I've implemented the callback in the following way:

BOOL CALLBACK EnumSymCallback(
    PSYMBOL_INFO pSymInfo,
    ULONG SymbolSize,
    PVOID UserContext)
{
    UNREFERENCED_PARAMETER(UserContext);
    printf("Hello from symEnumSymbols!\n");
    // pSymInfo->Address is a ULONG64; the cast keeps only the low 32 bits (fine for a 32-bit process)
    printf("%08X %4u %s\n", (unsigned int)pSymInfo->Address, SymbolSize, pSymInfo->Name);
    return TRUE;    // TRUE = keep enumerating, FALSE = stop
}

and I call SymEnumSymbols with those arguments:

if (!SymEnumSymbols(
    GetCurrentProcess(),    // handle to the process
    0,                      // BaseOfDll: 0 means search every loaded module
    "*!malloc",             // mask: together with the 0 above, enumerate every 'malloc' symbol in every loaded module - we might change this...
    EnumSymCallback,
    NULL                    // UserContext argument handed to the callback
))
{
    printf("SymEnumSymbols failed :-(\n");
    DWORD error = GetLastError();
    printf("SymEnumSymbols returned error : %lu\n", error);   // DWORD is unsigned long
    return FALSE;
}
printf("SymEnumSymbols succeeded :-)\n");

and I got this output (EDIT: I just added enumeration for free):

Hello from symEnumSymbols!
766300D0   16 malloc
Hello from symEnumSymbols!
0F9BE340   32 malloc
Hello from symEnumSymbols!
7662E0F0   48 free
Hello from symEnumSymbols!
0F9BDFA0   80 free
SymEnumSymbols succeeded :-)

As you can see, the first time the malloc symbol size is 16 and the second time it is 32. I'm not sure how I got two mallocs in the first place, since my executable is supposed to have only one (I wrote the source), but assuming the other one is coming from the compiler or something: what are those sizes, and why are they different?!

I can guess it specifies a 32-bit command or a 16-bit command, but I really don't have a clue, and this is not making sense with the free results. Thanks for any help!

Z E Nir
  • Looking through the code I use for stack traces I always pass 0 for that parameter and never use it. I do use the PSYMBOL_INFO::Size member to figure out if a basic type is a short or an int, but that seems to be all. – Retired Ninja Dec 27 '18 at 16:46
  • Okay, thanks for that. But here I got weird and inconsistent sizes: 16, 32, 48, 80... I hope you can help with that because I'm confused... – Z E Nir Dec 27 '18 at 17:23

1 Answer

Taken from the docs.

[in] SymbolSize

The size of the symbol, in bytes. The size is calculated and is actually a guess. In some cases, this value can be zero.

That description looks confusing. I personally don't use SymbolSize but rather specifically ask for the symbol length when required.

There are different types of symbols, from Function symbols to UDT symbols (which describe the layout of a struct or class). The SymbolSize makes sense for a UDT symbol, but for a function symbol I have no idea what the SymbolSize may mean. The code size of the function itself? Given that it says "is actually a guess", I would take it that it's not that useful.

Shane Powell
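An added example, not the poster's or answerer's code, that puts the two posts together: the callback hands its hits back through UserContext instead of printing (the question passes NULL there), keeps SymbolSize only as the "guess" the docs describe, and uses ModBase to tell apart two modules that both report a symbol called malloc, which is what a mask like "*!malloc" over every loaded module can return. Assumptions: the non-Windows typedefs are stand-ins that mirror the dbghelp.h SYMBOL_INFO layout so the logic runs anywhere, and the two sample records are constructed, not real dbghelp output.

```c
#include <string.h>
#ifdef _WIN32
#  include <windows.h>
#  define _NO_CVCONST_H          /* lets dbghelp.h define SymTagEnum without the DIA SDK headers */
#  include <dbghelp.h>           /* link with dbghelp.lib */
#else   /* assumed stand-ins mirroring dbghelp.h so the logic also compiles and runs off-Windows */
typedef int BOOL; typedef unsigned long ULONG; typedef unsigned long long ULONG64; typedef void *PVOID; typedef char CHAR;
enum { FALSE = 0, TRUE = 1, SymTagFunction = 5, SymTagPublicSymbol = 10, SymTagUDT = 11 };
#  define CALLBACK
typedef struct { ULONG SizeOfStruct, TypeIndex; ULONG64 Reserved[2]; ULONG Index, Size;
    ULONG64 ModBase; ULONG Flags; ULONG64 Value, Address; ULONG Register, Scope, Tag, NameLen, MaxNameLen;
    CHAR Name[1]; } SYMBOL_INFO, *PSYMBOL_INFO;
#endif
#define MAX_HITS 64
typedef struct { char name[64]; ULONG64 address, modbase; ULONG guess, tag; } SymHit;
typedef struct { SymHit hits[MAX_HITS]; size_t count; } SymHitList;
/* Callback: record each hit through UserContext instead of printing; SymbolSize is kept only as the documented "guess". */
BOOL CALLBACK EnumSymCollect(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    SymHitList *list = (SymHitList *)UserContext;
    if (list == NULL || list->count >= MAX_HITS) return FALSE;   /* returning FALSE stops the enumeration */
    SymHit *h = &list->hits[list->count++];
    strncpy(h->name, pSymInfo->Name, sizeof h->name - 1); h->name[sizeof h->name - 1] = '\0';
    h->address = pSymInfo->Address; h->modbase = pSymInfo->ModBase; h->guess = SymbolSize; h->tag = pSymInfo->Tag;
    return TRUE;
}
/* Distinct modules (by ModBase) that reported this name: two "malloc" hits with different ModBase are one name in two modules. */
size_t ModulesForName(const SymHitList *list, const char *name)
{
    ULONG64 seen[MAX_HITS]; size_t n = 0, i, j;
    for (i = 0; i < list->count; i++) {
        if (strcmp(list->hits[i].name, name) != 0) continue;
        for (j = 0; j < n && seen[j] != list->hits[i].modbase; j++) ;
        if (j == n) seen[n++] = list->hits[i].modbase;
    }
    return n;
}
/* Constructed sample (made-up bases, offsets and sizes, not real dbghelp output), fed through the callback as dbghelp would. */
static SymHitList g_sample;
size_t BuildSample(void)
{
    ULONG64 buf[(sizeof(SYMBOL_INFO) + 64) / 8 + 1]; g_sample.count = 0;   /* aligned buffer with room for the name */
    for (int k = 0; k < 2; k++) {
        PSYMBOL_INFO s = (PSYMBOL_INFO)memset(buf, 0, sizeof buf);
        s->SizeOfStruct = sizeof(SYMBOL_INFO); s->MaxNameLen = 64; s->Tag = SymTagPublicSymbol;
        s->ModBase = k ? 0x0F9B0000ULL : 0x76600000ULL; s->Address = s->ModBase + 0xE0F0; strcpy(s->Name, "malloc");
        if (!EnumSymCollect(s, k ? 32u : 16u, &g_sample)) break;
    }
    return g_sample.count;
}
```

On Windows the same callback is passed to SymEnumSymbols with `&list` as the UserContext, after SymInitialize and before SymCleanup.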