Writing a simple hello_world.c program, and compile with 32-bit MinGW, the
objdump
can show symbol table using:
objdump -t hello_world.exe
And the symbol table then have an entry for _main
as:
...
[ 32](sec 1)(fl 0x00)(ty 20)(scl 2) (nx 1) 0x00000460 _main
...
However, when loading the hello_world.exe
file in x64dbg
debugger, the
_main
symbol is not shown, as can be seen from the symbol list below
when hello_world
module is selected.
This is annoying, since I would like to create a breakpoint at start of user
code in hello_world
, and using the symbols to jump to the start location
would be very convenient.
Any idea on how to get the _main
symbols included in the symbol list?
While PE has support for storing debug information, the symbol table is mostly an ELF concept.
If you look at the PE sections (use objdump -h) you'll see a lot of extra sections not referenced in the PE directories.
These are used by the binutils to extract the DWARF information and show you, for example, the symbol table.
x64dbg is a pure Windows/PE tool and doesn't understand DWARF.
However, it will show you the address of the PE entry-point (rarely the address of the "main
" itself though) and will put a breakpoint there for you automatically.
The Entry-point is shown under the export symbols of the binary under inspection.
Furthermore, x64dbg will break on 'ntdll` allowing you to reach the entry-point with a ninja use of CTRL+F9 (beware of TLS initialization callbacks).
To get to main
you can step through the code until you find a call to an address in the .text
section or simply a call followed by two calls to cexit
and ExitProcess
.
Also, given the offset of _main
retrieved with objdumpt -t
the VA of _main
is is BASE ADDRESS
+ .text RVA
+ __main OFFSET
.
In my case, this was 4010460h