Converting addresses to symbol + offset
Asked Answered
E

2

9

In windbg, is there a way to convert an address to a symbol + offset?

eg:

66ef0c17 = MSPTLS!LssbFIsSublineEmpty+0x115f
Exonerate answered 15/9, 2015 at 14:32 Comment(0)
G
8

ln (list nearest symbols) should do the trick:

0:000> ln 75da78d7 
(75da78c2)   USER32!NtUserGetMessage+0x15   |  (75da78e2)   USER32!GetMessageW
Googolplex answered 15/9, 2015 at 15:36 Comment(0)
D
3

ln works sometimes, but sometimes it doesn't return the exact symbol. OK for debugging, you can just check, but not optimal for scripting. The best thing I found is using u for that, the first line should contain the symbol.

Example, ln returns a symbol which translates to fffff801_1c41000f instead of fffff801_1c40f000:

0: kd> ln nt
(fffff801`1c410010)   nt!IoStartNextPacket+0xffffffff`ffffffff   |  (fffff801`1c41004c)   nt!IopStartNextPacketByKeyEx

0: kd> ? nt!IoStartNextPacket+0xffffffff`ffffffff
Evaluate expression: -8791324033009 = fffff801`1c41000f

u returns the correct symbol, nt+0x0 (even though the output is knida convoluted):

0: kd> u nt L1
nt!IoStartNextPacket <PERF> (nt+0x0):
fffff801`1c40f000 4d5a            pop     r10
Derision answered 6/9, 2020 at 15:25 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.