Three doubts
1)
Suppose I get the call stack as below
user32.dll!_InternalCallWinProc@20() + 0x28 bytes
user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
user32.dll!_CallWindowProcAorW@24() + 0x51 bytes
user32.dll!_CallWindowProcW@20() + 0x1b bytes
Now what are the bytes mentioned at the end of each function? Like for first statement what is 0x28 bytes.
2) How to put breakpoint on a windows system dll in VS ?
In windbg I can search for a particular function of windows system dll as
>x wininet!*funcA*
with this command I can get the address of this function and can put breakpoint .
Can I do the same in Visual Studio?
3) I don't have Symbol file of a dll. The call stack I am getting in disassembly is
7814XXX0 call dword ptr [__imp__WindowsFuncA@32 (781EXXXXh)]
What is __imp__
in above call stack? Does this mean that this windows function is hooked to some other dll?
1) They are the byte offset of the instruction being executed in that stack frame, relative to the start of the function.
2) Enter something like this into the New Breakpoint dialog:
{,,user32.dll}_SendMessageW@16
where the 16
is the number of bytes of parameters that the function expects (In Win32, this is almost always 4 times the number of parameters). The W
refers to the Unicode version of the API; use A
if you're debugging an ANSI application.
3) __imp__
refers to the DLL import table - the code in the current module is redirected via a JMP
into the real Windows DLL, and the __imp__
symbol refers to that JMP
. These JMP
s live in a table in the DLL or EXE making the call.
For the first part of your question, the byte offsets mentioned are the position in the function during execution that resulted in the subsequent call higher in the stack.
1) They're the offsets from the start of the function to the line that was executing when the stack trace was created.
2 & 3 - dunno. Sorry.