
I've been trying to get a better understanding of where my C++ source code ends up in a PE format and how to find specific points in my source code in the PE. For example, I have a simple program which I've compiled with /Od and /ZI flags.

There's one source file with the following functions: main, PrintVector, AddOneToEach.

When I open main.exe in a hex editor, I can correlate addresses and values in the PE image with certain values from `dumpbin ./main.exe /headers` using PE structure documentation as a reference. For example:

```text
FILE HEADER VALUES
             14C machine (x86)
               7 number of sections
        5E48E9D4 time date stamp Sat Feb 15 23:05:56 2020
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
           14.16 linker version
           9DA00 size of code
           25400 size of initialized data
               0 size of uninitialized data
           4BD1C entry point (0044BD1C) @ILT+19735(_mainCRTStartup)
```

I know that at address 0x3c, I should find a 4-byte long field that contains the address of the start of the PE Header. I find in little endian format 0x00010000 which translates to 0x00000100. At address 0x00000100, I find the expected little endian value of 0x50450000 per the PE format documentation.

When examining the associated PDB file, I look up the symbol PrintVector via PowerShell `& $dbh ./main.pdb n PrintVector` where `$dbh = C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbh.exe`. The output is:

```text
   name : PrintVector
   addr :  1059090
   size : 86
  flags : 0
   type : 2
modbase :  1000000
  value :        0
    reg : 0
  scope : SymTagExe (1)
    tag : SymTagFunction (5)
  index : 1
```

Given the address value of 0x01059090, my expectation is to be able to find the start of the function PrintVector at address 0x01059090 in main.exe. However, the address range of main.exe ends at 0x000cf15f0, which tells me there's something wrong with my understanding of Virtual Addressing and the PE format. My expectation is that I should be able to find the entry point into the function PrintVector somewhere in main.exe based on the address pulled via Dumpbin using DBH on the PDB file. Where is my understanding breaking down?

Joe
    `1059090 - 1000000 == 59090`. so *rva* of `PrintVector` is `59090`. add this *rva* to actual base address, at which *exe* file mapped at runtime and you got address of `PrintVector` – RbMm Feb 16 '20 at 10:38
  • I see that `0x00059090` is within main.exe's address space, however, when I examine that address, all I see are the values `0xcccccccc` for the first 84-bytes, then in little endian, `0x8bff` for the last 2-bytes for the total size of 86-bytes as reported by dbh. However, when running dbh on the symbol `AddOneToEach`, it points me to `0x01059092 - 0x01000000 == 0x00059092` and I see some reasonable values for bytes there. – Joe Feb 16 '20 at 15:28
  • Also, when using dbh, I see that the addr of `name addonetoeach` is `0x01059020` and it's size is `54` which I'm assuming is in bytes. The `next addonetoeach` reveals that `PrintVector` is the next symbol, but it's address is > 54 bytes from the address of `AddOneToEach` and I'm unsure as to why. – Joe Feb 16 '20 at 15:41
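The point the question and RbMm's comment circle around is that dbh prints a virtual address (modbase + RVA), and an RVA is an offset within the image as mapped by the loader, not an offset into the file on disk. The two only coincide while SectionAlignment equals FileAlignment; with the usual MSVC defaults (0x1000 in memory, 0x200 on disk) every section after the headers sits at a different file position than its RVA, so seeking to the RVA in a hex editor lands in the wrong bytes or past the end of the file. The mapping is in the section table: file offset = PointerToRawData + (RVA - VirtualAddress) for the section whose VirtualAddress range contains the RVA. The following script is an added example, not code from the question or from any Microsoft tool: it builds a small constructed PE32 image in memory (image base 0x01000000 to match the modbase in the question, section/file alignments and section layout are assumptions), walks e_lfanew to the PE signature exactly as the question does at offset 0x3c, parses the COFF and optional headers and the section table, and then translates a dbh-style virtual address to the file offset that actually holds the function bytes.

```python
"""Walk a PE32 image from the DOS header to the section table and map a
virtual address (as printed by dbh or dumpbin) to the file offset where the
bytes really live.  Added example: the PE layout below is constructed here,
it is not the main.exe from the question."""
import struct

IMAGE_BASE = 0x01000000      # same modbase that dbh reported in the question
SECTION_ALIGN = 0x1000       # assumed: usual MSVC in-memory alignment
FILE_ALIGN = 0x200           # assumed: usual MSVC on-disk alignment


def build_sample_pe() -> bytes:
    """Construct a minimal well-formed PE32 file: DOS header, PE signature,
    COFF header, optional header, two section headers, and a .text section
    filled with 0xCC (int 3, as /Od /ZI builds pad with) around a 7-byte
    function stub placed at RVA 0x1020."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)            # file offset of "PE\0\0"
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                # Magic: PE32
    struct.pack_into("<I", img, opt + 16, 0x1020)          # AddressOfEntryPoint (an RVA)
    struct.pack_into("<III", img, opt + 28, IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN)
    sec = opt + 0xE0
    text_raw, data_raw = 0x400, 0x600
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc ptr, linenum ptr, nrelocs, nlinenums, Characteristics
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", 0x100, 0x1000,
                     0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".data", 0x10, 0x2000,
                     0x200, data_raw, 0, 0, 0, 0, 0xC0000040)
    img[text_raw:text_raw + 0x200] = b"\xCC" * 0x200       # int 3 padding
    # mov edi,edi; push ebp; mov ebp,esp; pop ebp; ret  -> RVA 0x1020, file 0x420
    img[text_raw + 0x20:text_raw + 0x27] = b"\x8B\xFF\x55\x8B\xEC\x5D\xC3"
    return bytes(img)


def parse_pe(data: bytes) -> dict:
    """Follow e_lfanew (offset 0x3c) to the PE signature, read the COFF and
    optional headers, and collect the section table for address translation."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    image_base, sec_align, file_align = struct.unpack_from("<III", data, opt + 28)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"e_lfanew": e_lfanew, "machine": machine, "image_base": image_base,
            "entry_rva": entry_rva, "section_alignment": sec_align,
            "file_alignment": file_align, "sections": sections}


def rva_to_file_offset(pe: dict, rva: int):
    """RVA -> file offset through the section that contains it.  Returns None
    when the RVA has no bytes backing it in the file (zero-filled at load time
    or simply outside the image)."""
    sections = pe["sections"]
    if sections and rva < sections[0]["va"]:
        return rva                       # headers are mapped 1:1 at the start of the image
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            return None if delta >= s["raw_size"] else s["raw_ptr"] + delta
    return None


def va_to_file_offset(pe: dict, va: int):
    """Absolute VA as dbh prints it (modbase + RVA) -> file offset."""
    return rva_to_file_offset(pe, va - pe["image_base"])


if __name__ == "__main__":
    data = build_sample_pe()
    pe = parse_pe(data)
    va = pe["image_base"] + pe["entry_rva"]
    off = va_to_file_offset(pe, va)
    print(f"VA {va:#010x} -> RVA {va - pe['image_base']:#x} -> file offset {off:#x}: "
          f"{data[off:off + 7].hex()}")
    raw = data[pe["entry_rva"]:pe["entry_rva"] + 4]
    print(f"file offset {pe['entry_rva']:#x} (RVA misused as offset): "
          f"{raw.hex() or '(past end of file)'}")
```

Applied to a real binary, the same arithmetic reads: take the dbh `addr`, subtract `modbase` to get the RVA, find the section header from `dumpbin /headers` whose virtual address range covers it, and add the difference to that section's file pointer (raw data offset). The `0xCC` bytes the question's second comment reports are what an RVA misread as a file offset typically lands on in a debug build, since the padding between functions is int 3.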
