Find out how windbg obtain stuff like ntdll!LdrpDoDebuggerBreak+0x2c.

OSR_Community_User · December 18, 2011, 9:26pm

Hi all, I dont know if the question is related with the topic, if is not, I’m sorry.

Well the question is: how can windbg obtain something like that “image_name!main+0x28:” when it captures an exception?

I mean, what kind of function (probably it uses dbghelp.dll right?) it uses for this purpose?
How he combine symbols and IAT to display this type of code?

I’m pretty sure that the address of the exception is returned from the DEBUG_EVENT struct with something like that: DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress

but then?

Thanks in advance.

raj_r · December 19, 2011, 1:04pm

i hope you know symbol files (*.pdb ) files contain symbol information related to specific address in a specific binary

for example 0x401000 the classic entry point is Denoted By WinMain or wmain

so if windbg finds that debug.u…whatever contained 0x401000 then it would interpret it as
"yourBinary!Wmain+0

you may check LN list nearest symbol in windbg

or you may check GetExpression and GetSymbol Api in windbg sdk wdbgexts

OSR_Community_User · December 20, 2011, 3:42am

On 12/19/2011 7:03 PM, xxxxx@gmail.com wrote:

symbol files (*.pdb ) files contain symbol information related to
specific address in a specific binary

Exactly.

With the next DLL or application compile, have a MAP file generated.
Look at it. The debugger uses the same information.

Look at the MSDN dbghelp.dll documentation, and ye shall find.