Getting The Size of a C++ Function
I was reading this question because I\'m trying to find the size of a function in a C++ program, It is hinted at that there may be a way that is platform specific. My target
-
It's an old question but still...
For Windows x64, functions all have a function table, which contains the offset and the size of the function. https://docs.microsoft.com/en-us/windows/win32/debug/pe-format . This function table is used for unwinding when an exception is thrown.
That said, this doesn't contain information like inlining, and all the other issues that people already noted...
讨论(0) -
I'm posting this to say two things:
1) Most of the answers given here are really bad and will break easily. If you use the C function pointer (using the function name), in a
debugbuild of your executable, and possibly in other circumstances, it may point to aJMPshim that will not have the function body itself. Here's an example. If I do the following for the function I defined below:FARPROC pfn = (FARPROC)some_function_with_possibility_to_get_its_size_at_runtime;the
pfnI get (for example:0x7FF724241893) will point to this, which is just aJMPinstruction:Additionally, a compiler can nest several of those shims, or branch your function code so that it will have multiple epilogs, or
retinstructions. Heck, it may not even use aretinstruction. Then, there's no guarantee that functions themselves will be compiled and linked in the order you define them in the source code.You can do all that stuff in assembly language, but not in C or C++.
2) So that above was the bad news. The good news is that the answer to the original question is, yes, there's a way (or a hack) to get the exact function size, but it comes with the following limitations:
It works in 64-bit executables on Windows only.
It is obviously Microsoft specific and is not portable.
You have to do this at run-time.
The concept is simple -- utilize the way SEH is implemented in x64 Windows binaries. Compiler adds details of each function into the PE32+ header (into the
IMAGE_DIRECTORY_ENTRY_EXCEPTIONdirectory of the optional header) that you can use to obtain the exact function size. (In case you're wondering, this information is used for catching, handling and unwinding of exceptions in the__try/__except/__finallyblocks.)Here's a quick example:
//You will have to call this when your app initializes and then //cache the size somewhere in the global variable because it will not //change after the executable image is built. size_t fn_size; //Will receive function size in bytes, or 0 if error some_function_with_possibility_to_get_its_size_at_runtime(&fn_size);and then:
#include <Windows.h> //The function itself has to be defined for two types of a call: // 1) when you call it just to get its size, and // 2) for its normal operation bool some_function_with_possibility_to_get_its_size_at_runtime(size_t* p_getSizeOnly = NULL) { //This input parameter will define what we want to do: if(!p_getSizeOnly) { //Do this function's normal work //... return true; } else { //Get this function size //INFO: Works only in 64-bit builds on Windows! size_t nFnSz = 0; //One of the reasons why we have to do this at run-time is //so that we can get the address of a byte inside //the function body... we'll get it as this thread context: CONTEXT context = {0}; RtlCaptureContext(&context); DWORD64 ImgBase = 0; RUNTIME_FUNCTION* pRTFn = RtlLookupFunctionEntry(context.Rip, &ImgBase, NULL); if(pRTFn) { nFnSz = pRTFn->EndAddress - pRTFn->BeginAddress; } *p_getSizeOnly = nFnSz; return false; } }讨论(0) -
Just set PAGE_EXECUTE_READWRITE at the address where you got your function. Then read every byte. When you got byte "0xCC" it means that the end of function is actual_reading_address - 1.
讨论(0) -
What do you mean "size of a function"?
If you mean a function pointer than it is always just 4 bytes for 32bits systems.
If you mean the size of the code than you should just disassemble generated code and find the entry point and closest
retcall. One way to do it is to read the instruction pointer register at the beginning and at the end of your function.If you want to figure out the number of instructions called in the average case for your function you can use profilers and divide the number of retired instructions on the number of calls.
讨论(0) -
below code the get the accurate function block size, it works fine with my test runtime_checks disable _RTC_CheckEsp in debug mode
#pragma runtime_checks("", off) DWORD __stdcall loadDll(char* pDllFullPath) { OutputDebugStringA(pDllFullPath); //OutputDebugStringA("loadDll...................\r\n"); return 0; //return test(pDllFullPath); } #pragma runtime_checks("", restore) DWORD __stdcall getFuncSize_loadDll() { DWORD maxSize=(PBYTE)getFuncSize_loadDll-(PBYTE)loadDll; PBYTE pTail=(PBYTE)getFuncSize_loadDll-1; while(*pTail != 0xC2 && *pTail != 0xC3) --pTail; if (*pTail==0xC2) { //0xC3 : ret //0xC2 04 00 : ret 4 pTail +=3; } return pTail-(PBYTE)loadDll; };讨论(0) -
This can work in very limited scenarios. I use it in part of a code injection utility I wrote. I don't remember where I found the information, but I have the following (C++ in VS2005):
#pragma runtime_checks("", off) static DWORD WINAPI InjectionProc(LPVOID lpvParameter) { // do something return 0; } static DWORD WINAPI InjectionProcEnd() { return 0; } #pragma runtime_checks("", on)And then in some other function I have:
size_t cbInjectionProc = (size_t)InjectionProcEnd - (size_t)InjectionProc;You have to turn off some optimizations and declare the functions as static to get this to work; I don't recall the specifics. I don't know if this is an exact byte count, but it is close enough. The size is only that of the immediate function; it doesn't include any other functions that may be called by that function. Aside from extreme edge cases like this, "the size of a function" is meaningless and useless.
讨论(0)
加载中...
- 热议问题