Imagine this bogus program:

void foo ( void )
{
    // anything
}

int main ()
{
    foo ();
    return 0;
}

When compiled in debug mode with Visual Studio, the compiler builds some kind of "function map" or however it is called.

Thus when you for example follow foo () in a debugger, or just try to retrieve the offset of the function via &foo, you find yourself in a "list" of jmp's, which will when you follow them again lead you to the actual function body.

My question is: Is there a possibility to disable this for single chosen functions so that &foo returns the address to the function body, not the jmp? Of course without disabling debug mode.

If not, which flag enables/disables this for the entire program?

Thanks in advance!

Edit for user SigTerm: [image]

Andy
  • "you find yourself" As far as I know, this doesn't happen, and there is no "list of jumps". Unless you can support your point with some serious examples, I'd have to say that you're probably misunderstanding something very fundamental. – SigTerm Jun 02 '12 at 01:49
  • Added a picture now ... I'm sorry for assuming that someone who would successfully answer my question should know what I'm talking about ... After all I don't know the correct terminology, that's why I'm here and not on google ... – Andy Jun 02 '12 at 03:08
  • This is not possible. This would be too much work for the loader when dynamically loadable modules are involved where every call to a function in a dynamically loaded module would need to be patched. Instead it is convenient to simply patch a single jmp instruction in the Import Address Table. This is also the case for executables, which are not guaranteed to load at any particular address. – Superman Jun 02 '12 at 03:17
  • @Superman: This isn't a dll, that's a program. – SigTerm Jun 02 '12 at 03:32
  • @Andy: "I'm debugging through functions in the executable itself to copy them out" Very bad idea. Even assembler has coding style, and by copying out code generated by machine (which has no brain) you'll learn less. – SigTerm Jun 02 '12 at 04:12
  • All I'm doing is saving me the work for the compiler so I only have to write the linker to bind dependencies in these functions .. I am of course only using functions/buffers/etc which are registered to that linker I was talking about, if the intent of your comment is to warn me about blindly copying out functions which depend on whatever dependency in the PE ^^ And well I'll think I learn enough regarding ASM/calling conventions/parameters/local variables/etc if I have to teach them to my linker, but thanks for your concern ^^ – Andy Jun 02 '12 at 04:25

1 Answer

Turn off "incremental linking"

Your question is a lot like this one: "Address of function is not actual code address"

dsmtoday
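When incremental linking has to stay on, the function body can still be found by following the jmp that &foo points at. The sketch below is an added example, not code from the question or the answer: `resolve_jmp_thunk`, `sample` and `sample_resolved_offset` are hypothetical names, the byte array is constructed, and it assumes each thunk is a single `E9 rel32` near jump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* If p points at a near jump (opcode E9 followed by a signed 32-bit
   little-endian displacement), return the jump target. Otherwise p is
   already a function body and is returned unchanged. */
static const unsigned char *resolve_jmp_thunk(const unsigned char *p)
{
    if (p == NULL || p[0] != 0xE9)
        return p;
    uint32_t raw = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    /* The displacement is relative to the end of the 5-byte instruction. */
    return p + 5 + (int32_t)raw;
}

/* Constructed sample image: two thunks that both lead to one body. */
static const unsigned char sample[64] = {
    [0]  = 0xE9, 0x1B, 0x00, 0x00, 0x00,  /* jmp +27: 0 + 5 + 27 = 32  */
    [32] = 0x55, 0x8B, 0xEC, 0xC3,        /* stand-in function body    */
    [48] = 0xE9, 0xEB, 0xFF, 0xFF, 0xFF,  /* jmp -21: 48 + 5 - 21 = 32 */
};

/* Offset inside `sample` that the code at `off` resolves to. */
static size_t sample_resolved_offset(size_t off)
{
    return (size_t)(resolve_jmp_thunk(sample + off) - sample);
}

int main(void)
{
    printf("thunk at 0  -> body at %zu\n", sample_resolved_offset(0));
    printf("thunk at 48 -> body at %zu\n", sample_resolved_offset(48));
    printf("body at 32  -> stays at %zu\n", sample_resolved_offset(32));
    return 0;
}
```

In a debug build the call would be `resolve_jmp_thunk((const unsigned char *)&foo)`. The MSVC linker option that turns incremental linking off for the whole program is `/INCREMENTAL:NO`.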