Question

In the 64-bit editions of Windows 7/8/2012, the ETW kernel tracer provides memory addresses for system call enter events. I would like to map these addresses to something meaningful, like the name of the function that lives at that address: e.g. AcceptConnectPort.

I know I can use ln (List Nearest Symbols) in a kernel debugger session to look up the symbols at a particular address. What I desire is a way to do this programmatically. Is there a library I can use to look up a symbol at a given memory address?

Better yet, is there an authoritative reference for the memory offsets for different Windows versions? I found this table, but those numbers don't appear to correspond to any of the memory addresses I have observed.


Solution

In the past, I've worked on a project that needed to do this. We used the DbgHelp API that Andrew mentioned in his comment to download the relevant .PDB files and to look in them for the offsets we needed.

I've since moved on, so I don't have access to look at the source code for that project, but this page is a good place to start.
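As an added example (not code from the question, the answer, or the project the answer mentions), here is the DbgHelp route the answer describes, driven from PowerShell through P/Invoke: SymLoadModuleEx loads ntoskrnl.exe offline at the base it had on the traced machine, and SymFromAddr turns each SysCallEnter address into "symbol+displacement". Assumptions: dbghelp.dll and symsrv.dll from the Debugging Tools for Windows are loadable (the System32 copy of dbghelp.dll cannot fetch from a symbol server), the ntoskrnl.exe you point it at is the same build as the traced kernel, and the kernel base and address values in the final call are constructed placeholders to be replaced with values from your own trace.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DbgHelp {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
    public struct SYMBOL_INFO {
        public uint SizeOfStruct, TypeIndex; public ulong Reserved0, Reserved1;
        public uint Index, Size; public ulong ModBase; public uint Flags; public ulong Value, Address;
        public uint Register, Scope, Tag, NameLen, MaxNameLen;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 1024)] public string Name;
    }
    [DllImport("dbghelp.dll", SetLastError = true)] public static extern bool SymInitialize(IntPtr h, string path, bool invade);
    [DllImport("dbghelp.dll")] public static extern uint SymSetOptions(uint opts);
    [DllImport("dbghelp.dll", SetLastError = true)] public static extern ulong SymLoadModuleEx(IntPtr h, IntPtr file, string image, string name, ulong dllBase, uint size, IntPtr data, uint flags);
    [DllImport("dbghelp.dll", SetLastError = true)] public static extern bool SymFromAddr(IntPtr h, ulong addr, out ulong disp, ref SYMBOL_INFO sym);
    [DllImport("dbghelp.dll")] public static extern bool SymCleanup(IntPtr h);
}
'@
function Resolve-KernelAddress {
    param(
        [string]$KernelImage,   # ntoskrnl.exe of the SAME build that produced the trace
        [string]$KernelBaseHex, # kernel load base recorded in the trace (image-load/rundown event)
        [string[]]$AddressHex   # SysCallAddress values taken from SysCallEnter events
    )
    # The handle only names this symbol session; with invade=$false no live process is read.
    $h = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    [void][DbgHelp]::SymSetOptions(0x2 -bor 0x4)   # SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS
    if (-not [DbgHelp]::SymInitialize($h, 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols', $false)) {
        throw "SymInitialize failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $base = [Convert]::ToUInt64($KernelBaseHex, 16)
        # Load the image at the base it had on the traced machine, not at its base on this one.
        if ([DbgHelp]::SymLoadModuleEx($h, [IntPtr]::Zero, $KernelImage, $null, $base, 0, [IntPtr]::Zero, 0) -eq 0) {
            throw "SymLoadModuleEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        foreach ($hex in $AddressHex) {
            $addr = [Convert]::ToUInt64($hex, 16)
            $sym = New-Object DbgHelp+SYMBOL_INFO
            $sym.SizeOfStruct = 88      # sizeof(SYMBOL_INFO) in native code, not the marshalled size
            $sym.MaxNameLen = 1024      # characters available in Name
            $disp = [uint64]0
            $name = if ([DbgHelp]::SymFromAddr($h, $addr, [ref]$disp, [ref]$sym)) { "$($sym.Name)+0x$($disp.ToString('x'))" } else { '<unresolved>' }
            # The RVA (addr - base) is what stays comparable across machines of one build; absolute addresses do not.
            [pscustomobject]@{ Address = $hex; Symbol = $name; Rva = '0x{0:x}' -f ($addr - $base) }
        }
    } finally { [void][DbgHelp]::SymCleanup($h) }
}
# Constructed placeholder values: substitute the base and addresses recorded in your trace.
Resolve-KernelAddress -KernelImage 'C:\Windows\System32\ntoskrnl.exe' -KernelBaseHex 'FFFFF80000000000' -AddressHex 'FFFFF80000123456'
```

The Rva column is the figure to compare against per-build offset tables; the absolute SysCallAddress differs from boot to boot and from machine to machine.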

Licensed under: CC-BY-SA with attribution