Kernel: Is it possible to lookup functions symbol name from address in code?

Jorgen_Lundman · March 15, 2024, 3:14am

Having called RtlCaptureStackBackTrace() at some point in my code, and as an example
I call

    for (int i = 0; i < frames; i++) {
        DbgPrint("[%d] %p\n", i, stack[i]);
    }

To print out the addresses. In debugger I can use dt <address> to get function name.

But it would be convenient if I could have

        DbgPrint("[%d] %p\n", i, print_symbol(stack[i]));

where print_symbol(address) returns the function name string.

Is this possible from a Windows Driver? The kernel equivalent of SymFromAddr().

Scott_Noone_OSR · March 27, 2024, 3:15pm

You can't do any of that symbolic name lookup stuff from kernel mode on the target. You could farm if off to user mode I suppose.

Back to doing it from the debugger, best thing I can think is to make them DML links to save you some typing. For example:

    PVOID frames[8];
    USHORT count;
    
    count = RtlCaptureStackBackTrace(0, 8, &frames[0], NULL);
            
    for (ULONG i = 0; i < count; i++) {
        DbgPrint("[%u] <?dml?><exec cmd=\"ln %p\">%p</exec>\n", 
                 i,
                 frames[i],
                 frames[i]);
    }

Gives you clickable links in the output:

It would be nice if there was a way to force the debugger to run these then it sees them but I don't know of any way (aside from maybe writing your own extension)

Jorgen_Lundman · March 29, 2024, 12:10am

Ah neat, that is something at least.
Cheers,

system · April 28, 2024, 12:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.