0

Suppose I compile a C/C++ file to binary. Say, the file defines a function foo().

How would I locate this function in the binary? By locating, I mean find the exact position.

I assume the question depends on whether we are considering Windows or Linux, so let's say the executable is in PE format.

Does the compiler erase all naming, so that locating the function by name is impossible? That is, I must do a pattern search in the binary?

I know that DLLs have an export table, which could help in locating the function within, but executables on Windows do not have such a table...

Shuzheng
  • That information is not stored in the binary image. You need a PDB or MAP file. – IInspectable Feb 25 '17 at 18:11
  • What are those files? Never heard of them. – Shuzheng Feb 25 '17 at 18:13
  • [Program Database Files](https://msdn.microsoft.com/en-us/library/yd4f8bd1(v=vs.100).aspx) (aka PDB files). Plus a bit of information on MAP files (see [/MAP linker option](https://msdn.microsoft.com/en-us/library/k7xkk3e2.aspx)). – IInspectable Feb 25 '17 at 18:22
  • My idea was to compile a function with some identifier stored in the binary code of a function (a simple watermark), but it seems that it is harder to extract than expected ;) – Shuzheng Feb 25 '17 at 18:26
  • 1
    This is starting to sound like an [XY problem](http://meta.stackexchange.com/q/66377/205381). What are you ultimately trying to accomplish? – IInspectable Feb 25 '17 at 19:13

1 Answer

1

.EXE files can export functions and these functions can be used by .DLLs loaded into that process. This is the best option if you are going to load plug-ins and want to provide some kind of plug-in API/SDK. You can then find functions by doing `GetProcAddress(GetModuleHandle(0), "MyFunction")` in any code that lives inside the process. .DLLs can also link directly to the functions and the loader will resolve them just as if they were exported in a .DLL.

Another option is to embed symbol/debug information in your .EXE and then use the DbgHelp functions to find the function.

You can also get the linker to generate a .MAP file that lists each function and its address but it is mostly useful when manually debugging a process.

Community
Anders
  • I thought only Linux allowed executables to export functions? – Shuzheng Feb 26 '17 at 07:05
  • Does the MAP file list the position of the function within the binary or only its RVA (runtime address)? – Shuzheng Feb 26 '17 at 07:07
  • @Shuzheng: You know the answer already. A .MAP file is generated at link time. The linker cannot know where the module is going to get loaded at runtime. Besides, the "R" in "RVA" is short for "relative". RVAs are module-relative. – IInspectable Feb 26 '17 at 11:44
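
The RVA-versus-file-position question raised in the comments, as an added example that is not part of the original thread: an RVA turns into a position in the file by finding the PE section that contains it and applying that section's `PointerToRawData`. The function names are hypothetical and the header bytes are constructed for illustration.

```python
import struct

def read_sections(image: bytes):
    """Return (name, virtual_address, virtual_size, raw_ptr, raw_size) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size    # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)                # each entry is 40 bytes
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rptr, rsize))
    return sections

def rva_to_file_offset(image: bytes, rva: int):
    """Map a module-relative address to a byte position in the file.

    Returns None when the RVA is outside every section or falls in the
    part of a section that exists only in memory (VirtualSize > SizeOfRawData).
    """
    for _name, vaddr, vsize, rptr, rsize in read_sections(image):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return rptr + delta if delta < rsize else None
    return None

def build_sample_header() -> bytes:
    """Constructed header: .text at RVA 0x1000 / file 0x400, .data at RVA 0x2000 / file 0x600."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    optional = b"\0" * 0xF0           # contents not needed for section lookup
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x180, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x800, 0x2000, 0x200, 0x600,
                       0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + optional + text + data
```

With a real executable, pass the file's bytes to `rva_to_file_offset` together with the RVA taken from the export table, symbol data, or MAP file.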