How does symbol address conversion work? #703
Comments
|
windows_kernel_symbol_to_address using rekall_profile_symbol_to_rva. |
|
The values in the Rekall profile are relative virtual addresses (aka. rva). Windows randomizes where the kernel gets loaded during boot time. LibVMI finds where the kernel base is and does the symbol resolution by adding the rva to the kernel base. |
|
Is rva stored decimal type in rekall json file? In addition is the symbol value (coming from converting process) equal to RIP adress? |
There is an API for that, but only for Linux ATM:
I don't understand your question, can you be more specific ? |
|
Resolving an instruction pointer to a symbol is more complex. If RIP is related to execution of a very large function (that spans many bytes in memory), resolution to a symbol will rarely be direct. Instead, it's necessary to use debug data to create a range tree (or similar) describing valid address regions for each symbol. Only then is it possible to traverse that tree to identify the related symbol. Many sources of symbol data (like rekall profiles) do not export the required information, even though PDB and DWARF objects do include such data. |
I'm trying to figure out how to do symbol to address conversion?
From rekall profile json how lib convert to a RIP adress?
What's the process flow / logic ?
(NtOpenFile to 0xblablablablabla)
Do you have a chance to explain briefly?
The text was updated successfully, but these errors were encountered: