Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Search the entire code for a specific call instruction with windbg

Tags:

windbg

Is it possible to search the entire executable memory space to find all the places from which a specific method is called? For example I want to find all functions from where MyApplcation!MyFunction is called. Searching for a specific optcode with "s" command is not an option as in my case call command uses relative code path so optcode is different depending on where call instruction itself is located.

like image 696
pullo_van Avatar asked Jun 09 '16 11:06

pullo_van

2 Answers

0:000> lm m calc 

Browse full module list
start    end        module name
005f0000 006b0000   calc       (pdb symbols)          e:\symbols\calc.pdb
\971D2945E998438C847643A9DB39C88E2\calc.pdb

0:000> $$ lets search who all calls the operator new function within calc memory space

0:000> # op*new 5f0000 l?(6b0000-5f0000)

output

calc!WinMain+0x213:
005f17e7 e89a0a0000      call    calc!operator new (005f2286)
calc!WinMain+0x272:
005f1843 e83e0a0000      call    calc!operator new (005f2286)
calc!operator new+0x26:
005f229d 0f84fcb80200    je      calc!operator new+0x11 (0061db9f)
calc!operator new[]+0x26:
005f32b1 0f8438a90200    je      calc!operator new[]+0x11 (0061dbef)
calc!CCalculatorState::storeAndFire+0x7:
005f33c9 e83becffff      call    calc!operator new (005f2009)
calc!CCalculatorState::storeAndFire+0x76:
005f3437 e84aeeffff      call    calc!operator new (005f2286)
calc!CCalculatorState::storeAndFire+0x8a:
005f3447 e83aeeffff      call    calc!operator new (005f2286)
calc!CUIController::UpdateTwoLineDisplay+0x56:
005f35c7 e8cefcffff      call    calc!operator new[] (005f329a)
calc!ATL::CAutoVectorPtr<ATL::CAtlREMatchContext<ATL::CAtlRECharTraitsW>::MatchGroup>::Allocate+0x7:
005f3a8c e81ae8ffff      call    calc!operator new+0x30 (005f22ab)
calc!ATL::CAutoVectorPtr<ATL::CAtlREMatchContext<ATL::CAtlRECharTraitsW>::MatchGroup>::Allocate+0x27:
005f3aac e8e9f7ffff      call    calc!operator new[] (005f329a)
calc!ATL::CAtlREMatchContext<ATL::CAtlRECharTraitsW>::CAtlREMatchContext<ATL::CAtlRECharTraitsW>+0x7:
005f3b52 e8b2e4ffff      call    calc!operator new (005f2009)
calc!ATL::CAutoVectorPtr<void *>::Allocate+0x7:
like image 142
blabb Avatar answered Nov 15 '22 11:11

blabb

Similar to above answer just elaborating on how to find the text segment start and size.

!dh -f abc.exe
0000000140000000 image base

!dh -s abc.exe
SECTION HEADER #1
   .text name
  124D6A virtual size
    1000 virtual address
  124E00 size of raw data
     400 file pointer to raw data

Add RVA of .text 1000 to image base 140000000 and dissemble the entire text segment
u 140001000 L124D6A

Or
Use # command to find the function in the disassembly
# GetSimpleProtocol 140001000 L124D6A
like image 34
Vineel Avatar answered Nov 15 '22 12:11

Vineel
Sign in to Comment

Related questions

Is there a cap on the number of modules WinDbg can see?
CDB doesn't show the line of code as WinDBG does for callstacks
Agree to the Microsoft Symbol Server dialog [closed]
Is WinDbg still compatible with Windows XP?
Get .pdb file path from windbg
Diagnosing Deadlocks in Win32 Program
Application.Exit didn't kill a message pump?
Why this does not cause a memory leak when event is not unsubscribed
How can I continue after a breakpoint in windbg?
how can i set windbg to automatically download all the symbols?
WinDbg .foreach by reference type and get field value
Are there any compiler options to make x64 release crash dumps more usable?
windbg !gcroot <address> returns no roots
How to skip a line from execution in windbg everytime it hits?
Stepping into MFC source code with Windbg
Run until return with WinDbg
What is _invoke_watson in WinDbg?
Debugging high cpu usage [closed]
Windows Crash Dump call stack only shows wow64
The categories of commands of WinDBG?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!