On 03/07/2020 20:34, Corinna Vinschen wrote:
The problem is in the opposite direction.
We have the actual base address the DLL was loaded at in the process being
dumped, and its filename, from the LOAD_DLL_DEBUG_EVENT event.
(To my amazement) we then read that DLL using bfd, and examine it for
sections with the 'CODE' or 'DEBUGGING' flags, the address ranges
corresponding to which we believe we want to exclude from the dump.
Unfortunately, these addresses are based on the ImageBase in the PE header.
If that's different to the actual base address the PE was loaded at, we need
to adjust these addresses appropriately. But libbfd doesn't appear to
provide a public interface to get at the ImageBase.
Ok, but you have the filename, so you can map the file and read its
header and thus imagebase. Still not nice, sure... but it would work
without guessing, I guess? :)
So, I misread this as "look in the header that's already mapped by the
Windows loader", but it seems that the ImageBase in that has been
modified to the actual load address (not that there are any guarantees
about it even existing).
I'm really struggling to see all this complexity as actually needed,
though. See follow-up patches which just remove it all.
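
The adjustment discussed in this thread, as an added example that is not part of the original message or of the Cygwin dumper source: read ImageBase from the PE header as stored in the file (PE32 or PE32+) and move a section address from that base to the actual load base. All function names and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE headers are little-endian on disk. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read ImageBase from the start of a PE file; 0 on success, -1 if malformed. */
int pe_image_base(const uint8_t *f, size_t len, uint64_t *base) {
    if (len < 0x40 || f[0] != 'M' || f[1] != 'Z') return -1;
    uint32_t pe = rd32(f + 0x3c);   /* e_lfanew: offset of "PE\0\0" */
    /* need signature (4) + COFF header (20) + optional header through ImageBase (32) */
    if (pe > len || len - pe < 56 || memcmp(f + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = f + pe + 24;
    uint16_t magic = (uint16_t)(opt[0] | opt[1] << 8);
    if (magic == 0x10b) *base = rd32(opt + 28);            /* PE32: 4 bytes at 28 */
    else if (magic == 0x20b)                               /* PE32+: 8 bytes at 24 */
        *base = rd32(opt + 24) | (uint64_t)rd32(opt + 28) << 32;
    else return -1;
    return 0;
}

/* Move an address based on the header ImageBase to the actual load base. */
uint64_t rebase(uint64_t vma, uint64_t image_base, uint64_t load_base) {
    return vma - image_base + load_base;
}

/* Constructed sample header (not a real DLL); buf needs 0x80 + 56 bytes. */
size_t make_sample(uint8_t *buf, int pe32plus, uint64_t base) {
    size_t pe = 0x80, off = pe32plus ? 24 : 28, n = pe32plus ? 8 : 4;
    memset(buf, 0, pe + 56);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = (uint8_t)pe;
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 24] = 0x0b; buf[pe + 25] = pe32plus ? 0x02 : 0x01;
    for (size_t i = 0; i < n; i++) buf[pe + 24 + off + i] = (uint8_t)(base >> (8 * i));
    return pe + 56;
}

/* Parse the sample and rebase one section address; returns 0 on parse failure. */
uint64_t demo(int pe32plus, uint64_t hdr_base, uint64_t load_base, uint64_t vma) {
    uint8_t buf[0x80 + 56]; uint64_t base;
    if (pe_image_base(buf, make_sample(buf, pe32plus, hdr_base), &base) != 0) return 0;
    return rebase(vma, base, load_base);
}
int main(void) {
    printf("%#llx\n", (unsigned long long)demo(1, 0x180040000ULL, 0x7ff8a0000000ULL, 0x180041000ULL));
    return 0;
}
```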