Why does WinDbg show different function origin than MSDN?

Time:08-18

I've been debugging a program where I had to set a breakpoint on the CreateProcessAsUserW function. The Microsoft Docs for this function (https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasuserw) state that the function is located in (exported from) Advapi32.dll. But WinDbg "states" that the function is located in KernelBase.dll, if I understand these results from WinDbg correctly:

0:000> dt advapi32!CreateProc*
0:000> dt kernelbase!CreateProcessAsUser*
00007ffc504da520  KERNELBASE!CreateProcessAsUserA
00007ffc504da550  KERNELBASE!CreateProcessAsUserW

Why is that? Why are the results different, since both sources are trustworthy?

CodePudding user response:

When WinDbg has symbols for a module it unfortunately ignores forwarded function exports from the PE exports section.

If you start another WinDbg instance without correct symbols for advapi32 you can do bp advapi32!CreateProcessAsUserW etc. This is not a great solution of course.

Just knowing that this happens is usually enough. When you fail to find a function, look in kernelbase (kernel32, advapi32), ntdll (kernel32, user32) or shcore (shlwapi, shell32) instead...
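The mechanism the answer describes, shown as an added example that is not part of the question or the answer: a minimal parser for the PE export directory that tells forwarded exports apart from code exports by the rule the Windows loader uses, namely that a function RVA falling inside the export directory itself is a pointer to a forwarder string such as "KERNELBASE.CreateProcessAsUserW". The export directory bytes are constructed inline for an imaginary ADVAPI32 image treated as mapped with RVA equal to file offset; locating the directory through the optional header's data directory is omitted, and "SampleLocalExport" is a made-up name.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
# Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals (40 bytes, little-endian)
EXPORT_DIR_FMT = "<IIHHIIIIIII"

def cstr(image, rva):
    """Read a NUL-terminated ASCII string at the given RVA (image is RVA==offset)."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_exports(image, export_rva, export_size):
    """Return (dll_name, {export_name: ('forwarder', 'DLL.Func') | ('code', rva)})."""
    (_, _, _, _, name_rva, _base, _n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, export_rva)
    exports = {}
    for i in range(n_names):
        name = cstr(image, struct.unpack_from("<I", image, names_rva + 4 * i)[0])
        ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        addr = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
        # PE rule: an address inside the export section is a forwarder string,
        # not code. This is what the debugger skips when it trusts symbols.
        if export_rva <= addr < export_rva + export_size:
            exports[name] = ("forwarder", cstr(image, addr))
        else:
            exports[name] = ("code", addr)
    return cstr(image, name_rva), exports

def _put_str(img, off, s):
    img[off:off + len(s) + 1] = s + b"\0"
    return off + len(s) + 1

def build_sample_image():
    """Constructed export directory: one forwarded and one local export."""
    img = bytearray(0x400)
    exp = 0x100                 # export directory RVA (constructed)
    funcs, names, ords = exp + 40, exp + 48, exp + 56   # 2 entries each
    p = ords + 4
    dll_name, p = p, _put_str(img, p, b"ADVAPI32.dll")
    fwd, p = p, _put_str(img, p, b"KERNELBASE.CreateProcessAsUserW")
    n1, p = p, _put_str(img, p, b"CreateProcessAsUserW")
    n2, p = p, _put_str(img, p, b"SampleLocalExport")
    struct.pack_into(EXPORT_DIR_FMT, img, exp, 0, 0, 0, 0, dll_name, 1, 2, 2, funcs, names, ords)
    struct.pack_into("<II", img, funcs, fwd, 0x2000)   # ordinal 0 -> forwarder, 1 -> code RVA
    struct.pack_into("<II", img, names, n1, n2)         # names sorted, as the loader expects
    struct.pack_into("<HH", img, ords, 0, 1)
    return bytes(img), exp, p - exp

if __name__ == "__main__":
    dll, table = parse_exports(*build_sample_image())
    for name, (kind, target) in table.items():
        print(f"{dll}!{name}: {kind} -> {target if kind == 'forwarder' else hex(target)}")
```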
