Question

I am just starting out with Reverse Engineering.

I've created a small C++ ConsoleApplication and I am trying to call the NewFunction via an injected DLL.

#include <windows.h>
#include <iostream>
#include <sstream>
// ToHex is the poster's own helper, not shown in the question; a minimal stand-in is assumed here so the snippet compiles.
std::string ToHex(DWORD v) { std::ostringstream o; o << std::hex << std::uppercase << v; return o.str(); }

void NewFunction()
{
    DWORD dwImageBase = (DWORD)GetModuleHandle(NULL);   // base address of the running EXE

    std::cout << "ImageBase: " << ToHex(dwImageBase) << std::endl;
    std::cout << "NewFunction: " << ToHex((DWORD)&NewFunction) << std::endl;              // address the symbol resolves to
    std::cout << "Offset: " << ToHex((DWORD)&NewFunction - dwImageBase) << std::endl;     // RVA: address minus image base
}

Example Output:

ImageBase: F90000
NewFunction: FA111D
Offset: 1111D

Now, when I call 0xFA111D with my injected DLL it works as expected and prints it all over again. (DLL calls ImageBase + Offset)

What I can't figure out though is how to get the address of NewFunction with IDA Pro...

In IDA:

  • The function is located at: 0x4133F0
  • Image base is: 0x400000
  • The calculated offset is: 0x133F0

Shouldn't at least the offset be the same? Am I missing something crucial here?


Solution

The default settings for the Debug build in Visual Studio include enabling incremental linking. The effect of this is that in the compiled binary, every function call goes via a jump stub (this makes it easier for the linker to update the binary with new code without redoing the complete link step).

&NewFunction is returning the address of that stub and not the actual function's implementation.
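A way to verify this from the injected side, as an added example that is not code from the question or the answer: read the bytes at the RVA that &NewFunction gave you and check whether they are a near relative jmp (opcode E9 rel32); if so, follow it to the real body and compare that RVA with the one IDA shows. The image bytes below are constructed (a stub at RVA 0x1111D jumping to a body at RVA 0x133F0, the two offsets from the post), not read from the poster's binary; ImageSlice, ResolveJmpStub and ResolveFunctionRva are names chosen for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// A slice of the loaded image: raw bytes starting at a given RVA
// (relative virtual address, i.e. virtual address minus image base).
struct ImageSlice {
    uint32_t first_rva;
    std::vector<uint8_t> bytes;
};

// If the 5 bytes at `rva` are a near relative jmp (E9 rel32), store the RVA it
// branches to in `target` and return true; otherwise return false (no stub here).
bool ResolveJmpStub(const ImageSlice& img, uint32_t rva, uint32_t& target) {
    if (rva < img.first_rva || rva + 5 > img.first_rva + img.bytes.size())
        return false;                              // outside the bytes we hold
    const uint8_t* p = img.bytes.data() + (rva - img.first_rva);
    if (p[0] != 0xE9) return false;
    int32_t rel;                                   // signed: stubs may jump backwards
    std::memcpy(&rel, p + 1, sizeof rel);          // assumes a little-endian host, like x86
    target = static_cast<uint32_t>(rva + 5 + rel); // target = RVA of next instruction + rel32
    return true;
}

// Follow a chain of stubs (a stub may point at another stub) with a hop limit
// so a malformed or looping chain cannot spin forever.
uint32_t ResolveFunctionRva(const ImageSlice& img, uint32_t rva, int max_hops = 8) {
    uint32_t next = 0;
    for (int i = 0; i < max_hops && ResolveJmpStub(img, rva, next); ++i)
        rva = next;
    return rva;
}

// Constructed sample (not taken from the question's binary): E9 stub at RVA
// 0x1111D, body beginning with "push ebp" (0x55) at RVA 0x133F0.
ImageSlice MakeSample() {
    const uint32_t stub = 0x1111D, body = 0x133F0;
    ImageSlice img{stub, std::vector<uint8_t>(body - stub + 8, 0xCC)};
    int32_t rel = static_cast<int32_t>(body - (stub + 5));   // = 0x22CE
    img.bytes[0] = 0xE9;
    std::memcpy(&img.bytes[1], &rel, sizeof rel);
    img.bytes[body - stub] = 0x55;
    return img;
}
```

In a real DLL the same check runs over the live process memory, with `rva = (DWORD)&NewFunction - (DWORD)GetModuleHandle(NULL)`; a non-debug build without incremental linking simply reports "no stub" and the RVA matches IDA directly.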

Licensed under: CC-BY-SA with attribution