Question
I am just starting out with Reverse Engineering.
I've created a small C++ ConsoleApplication and I am trying to call the NewFunction via an injected DLL.
#include <windows.h>
#include <iostream>
#include <sstream>
#include <string>

// ToHex is used but not shown in the post; assumed to render a value as hex.
std::string ToHex(DWORD v) { std::ostringstream s; s << std::hex << v; return s.str(); }

void NewFunction()
{
    DWORD dwImageBase = (DWORD)GetModuleHandle(NULL);            // base of the running EXE
    std::cout << "ImageBase: " << ToHex(dwImageBase) << std::endl;
    std::cout << "NewFunction: " << ToHex((DWORD)&NewFunction) << std::endl;
    std::cout << "Offset: " << ToHex((DWORD)&NewFunction - dwImageBase) << std::endl;
}
Example Output:
ImageBase: F90000
NewFunction: FA111D
Offset: 1111D
Now, when I call 0xFA111D with my injected DLL it works as expected and prints it all over again. (DLL calls ImageBase + Offset)
What I can't figure out though is how to get the address of NewFunction with IDA Pro...
In IDA:
- the function is located at: 0x4133F0
- Imagebase is: 0x400000
- The calculated offset is: 0x133F0
Shouldn't at least the offset be the same? Am I missing something crucial here?
Answer 1:
The default settings for the Debug build in Visual Studio include enabling incremental linking. The effect of this is that in the compiled binary, every function call goes via a jump stub (this makes it easier for the linker to update the binary with new code without redoing the complete link step).
&NewFunction is returning the address of that stub and not the actual function's implementation.
Source: https://stackoverflow.com/questions/21478942/re-ida-finding-function-offset