{"id":5243,"date":"2013-02-14T07:00:00","date_gmt":"2013-02-14T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2013\/02\/14\/if-you-cant-find-the-function-find-the-caller-and-see-what-the-caller-jumps-to\/"},"modified":"2013-02-14T07:00:00","modified_gmt":"2013-02-14T07:00:00","slug":"if-you-cant-find-the-function-find-the-caller-and-see-what-the-caller-jumps-to","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20130214-00\/?p=5243","title":{"rendered":"If you can’t find the function, find the caller and see what the caller jumps to"},"content":{"rendered":"

\nYou’re debugging a program and\nyou want to set a breakpoint on some function,\nsay,\nnetapi32!Ds­Address­To­Site­NameW<\/CODE>,\nbut when you execute the\nbp netapi32!Ds­Address­To­Site­NameW<\/CODE> command in the debugger,\nthe debugger says that there is no such function.\n<\/P>\n

\nThe\n\nAdvanced Windows Debugging<\/I> book<\/A>\nsays that the bp<\/CODE> command should set a breakpoint\non the function,\nbut the debugger says that the symbol cannot be found.\nI used the x netapi32!*<\/CODE> command to see that\nthe debugger did find a whole bunch of symbols,\nand it says that the symbols were loaded\n(from the\n\npublic symbol store<\/A>),\nbut\nnetapi32!Ds­Address­To­Site­NameW<\/CODE>\nisn’t among them.\nThe MSDN documentation says that Ds­Address­To­Site­NameW<\/CODE> is\nin the netapi32.dll<\/CODE>,\nbut it’s not there!\nI can’t believe you guys stripped that function out\nof the symbol file,\nsince it’s a function that people will\nwant to set a breakpoint on.\n<\/BLOCKQUOTE>\n

\nOkay, first let’s\n\nrule out the conspiracy theory<\/A>.\nThe symbols were not stripped from the public symbols.\nAnd even if they were,\nthat shouldn’t stop you, because after all,\nthe loader<\/I> has to be able to find the function\nwhen it loads your program,\nso it’s gotta be obtainable even without symbols.\n<\/P>\n

\nDon’t be helpless.\nYou already have the tools to figure out where the function is.\n<\/P>\n

\nJust write a program that calls the function,\nthen load it into the debugger and see what the\ndestination of the call<\/CODE> instruction is.\nYou don’t even have to pass valid parameters to the\nfunction call,\nsince you’re never actually executing the code;\nyou’re just looking at it.\n<\/P>\n

\nAnd hey looky-here,\nyou already have a program that calls the function:\nThe program you’re trying to debug!\nSo let’s see where it goes.\n<\/P>\n

\n0:001>u contoso!AwesomeFunction\n…\n00407352 call [contoso!__imp__DsAddressToSiteNameW (0040f104)]\n…\n0:001>u poi 0040f104\nlogoncli!DsAddressToSiteNameW:\n7f014710 push ebp\n7f014711 mov esp, ebp\n…\n<\/PRE>\n
\nThere you go.\nThe code for the function is in logoncli.dll<\/CODE>.\n<\/P>\n
\nWhat happened?\nHow did you end up in logoncli.dll<\/CODE>?\n<\/P>\n
\nWhat you saw was the effect of a\n\nDLL forwarder<\/A>.\nThe code for the function\nDs­Address­To­Site­NameW<\/CODE> doesn’t live in\nnetapi32.dll<\/CODE>.\nInstead,\nnetapi32.dll<\/CODE> has an export table entry that says\n“If anybody comes to me asking for Ds­Address­To­Site­NameW<\/CODE>,\nsend them to\nlogoncli!Ds­Address­To­Site­NameW<\/CODE> instead.”\n<\/P>\n
\nOfficially, the function is in netapi32.dll<\/CODE>\nfor linkage purposes,\nbut internally the function has been forwarded to another DLL\nfor implementation.\nIt’s like a telephone call-forwarding service for DLL functions,\nexcept that instead of forwarding telephone calls,\nit forwards function calls.\nYou publish a phone number in all your marketing materials,\nand behind the scenes, you set up the number to forward\nto the phone of the person responsible for sales.\nThat way,\nif that person quits,\nor the responsibility for selling the product changes,\nyou can just update the call-forwarding table,\nand all the calls get routed to the new person.\n<\/P>\n
\nThat’s what happenned here.\nThe MSDN phone book lists the function as being in\nnetapi32.dll<\/CODE>,\nand whenever a call comes in,\nit gets forwarded to wherever the implementation happens to be.\nAnd the implementation has moved around over time,\nso you should continue calling\nnetapi32!Ds­Address­To­Site­NameW<\/CODE>\nand let the call-forwarding do the work of getting you to\nthe implementation.\n<\/P>\n
\nDon’t start calling logoncli<\/CODE> directly,\nthinking that you’re cutting out the middle man,\nor in a future version of Windows,\nyour program may start failing with a\n“This number is no longer in service” error,\nlike calling the direct office number for\nthe previous sales representative,\nonly to find that he left the company last month.\n<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
You’re debugging a program and you want to set a breakpoint on some function, say, netapi32!Ds­Address­To­Site­NameW, but when you execute the bp netapi32!Ds­Address­To­Site­NameW command in the debugger, the debugger says that there is no such function. The Advanced Windows Debugging book says that the bp command should set a breakpoint on the function, but the […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-5243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
You’re debugging a program and you want to set a breakpoint on some function, say, netapi32!Ds­Address­To­Site­NameW, but when you execute the bp netapi32!Ds­Address­To­Site­NameW command in the debugger, the debugger says that there is no such function. The Advanced Windows Debugging book says that the bp command should set a breakpoint on the function, but the […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/5243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=5243"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/5243\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=5243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=5243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=5243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}