TwinTechs


How to Find What Function Is At a DLL Offset (without having debug symbols)

November 7th, 2008 · J2EE, LiveCycle


The technique applies to any Windows application, but this specific example comes from Adobe LiveCycle.  The PDF Generator was crashing with nothing to go on but an entry in the Application event log:

“Faulting application pdfgen.exe, version 1.0.0.1, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0002eb5a”

This is a particularly annoying kind of error when it's not in an application you control, since an offset like 0x0002eb5a means nothing on its own and you have no build with debugging symbols to look it up in.  It is, however, a module-relative offset (a relative virtual address, or RVA, in PE terms), and the DLL's export table records the RVA of every exported function, so the two can be matched up.

To find out more, here’s what you need.

First you need a debugger.  The free option of choice for many people these days is OllyDbg 1.10 (download here: http://www.ollydbg.de/odbg110.zip).  OllyDbg 1.10 is a 32-bit debugger, so the DLL you open must be a 32-bit image, as the ntdll.dll here (5.2.3790.3959, Windows Server 2003 SP2) is.

It's a simple application with no installer, so just extract it to a folder someplace and run OLLYDBG.EXE.

Once inside, choose File > Open and browse to the faulting DLL, in this case c:\windows\system32\ntdll.dll

It will ask whether you want LOADDLL.EXE to load the DLL for you; say Yes.

Once inside, note the first address shown in the disassembly window.  It will vary based on the DLL and the OS, but in my case the first address was 0x78001000.  The code section of a Windows DLL normally begins 0x1000 bytes past the image base, which means the base is at 0x78000000 (the trailing 1000 will be the same on almost every DLL; it's the first part you care about).

So, our application is crashing at offset 0x0002eb5a.  The reason it's called an 'offset' is that it is offset from the module base (a relative virtual address), so add the two: 0x78000000 + 0x0002eb5a = 0x7802eb5a (Windows Calculator in Hex mode can help you with this if your base is not an easy one like ours).  Always use the base OllyDbg shows, whatever it is: the offset in the event log is relative to wherever the module was loaded, so it is valid against any load address.

Scroll the disassembly window to this address (Ctrl+G in OllyDbg lets you type the address in directly).

In OllyDbg, the first instruction of each recognised procedure is marked with a $ sign in the left margin.   The address we scrolled to should be in the middle of a procedure, so scroll up to the start of that procedure (the first $ above it) and write down its address.  In this case, the function starts only 12 bytes earlier, at 0x7802eb4e (offset 0x0002eb4e).

Open the menu Debug > Call DLL export.  At the top of this window there is a drop-down labelled Export:; open it and find the entry whose address matches the function start you wrote down.

This gives you the textual name.  In my case, this name was 'RtlLengthSid'; a quick Google search reveals it is an ntdll runtime routine (not a system call: it runs entirely in user mode) that returns the length in bytes of a security identifier (SID), and so it faults when handed a pointer that does not point at a valid SID.
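The same lookup can be done without a debugger, because the event-log offset is an RVA and the DLL's export table lists the RVA of every named export: find the export with the largest RVA not above the fault offset, and that is the "$" you would have scrolled up to. The script below is an added example written for this page, not TwinTechs' tooling or anything from OllyDbg; it is Python 3 with only the standard library, handles PE32 and PE32+ images, skips forwarded exports, and reports the nearest export, its start RVA and the distance to the fault. Because it only knows exported names, a fault inside a non-exported routine is attributed to the closest export before it, so a large delta means "somewhere after this export", not "inside it". The built-in sample DLL is constructed in code (the section layout, the module name and the three SID routine RVAs are invented for the example and are not real ntdll values); pass a real path and offset to use it on an actual crash.

```python
"""Resolve a crash 'fault address' (a module-relative offset, i.e. an RVA) to the
nearest preceding exported function by reading the DLL's PE export table directly.
Added example, not TwinTechs' tooling. Knows only *exported* names, so a fault in an
unexported routine maps to the closest export before it; forwarded exports are skipped."""
import struct

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset through the section table [(va, size, raw_ptr)]."""
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} is outside every section")

def parse_exports(data: bytes):
    """Return (ImageBase, {function RVA: export name}) for a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24                                                      # IMAGE_OPTIONAL_HEADER
    sec_hdr = opt + struct.unpack_from("<H", data, pe + 20)[0]         # first IMAGE_SECTION_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                                 # PE32
        image_base, dd = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:                                               # PE32+
        image_base, dd = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)            # DataDirectory[0]: exports
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_hdr + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    exports = {}
    if exp_rva == 0:
        return image_base, exports                                     # nothing exported
    e = _rva_to_off(exp_rva, sections)
    n_names, fn_rva, name_rva, ord_rva = struct.unpack_from("<IIII", data, e + 24)
    funcs, names, ords = (_rva_to_off(r, sections) for r in (fn_rva, name_rva, ord_rva))
    for i in range(n_names):
        name_ptr = struct.unpack_from("<I", data, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]      # unbiased index into AddressOfFunctions
        target = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        if exp_rva <= target < exp_rva + exp_size:
            continue                                                   # forwarder string, not code in this module
        noff = _rva_to_off(name_ptr, sections)
        exports[target] = data[noff:data.index(b"\0", noff)].decode("ascii")
    return image_base, exports

def resolve(fault_offset: int, dll_bytes: bytes):
    """Nearest export at or before the fault RVA: the '$' you would scroll up to in OllyDbg."""
    base, exports = parse_exports(dll_bytes)
    starts = [rva for rva in exports if rva <= fault_offset]
    if not starts:
        return None                                                    # fault precedes every named export
    start = max(starts)
    return {"name": exports[start], "start_rva": start,
            "delta": fault_offset - start, "va": base + fault_offset}

def build_sample_dll() -> bytes:
    """Constructed stand-in for a DLL (not real ntdll): one section at RVA 0x1000 holding
    an export table with three hypothetical SID routines at invented RVAs."""
    funcs = {"RtlCopySid": 0x2EB60, "RtlEqualSid": 0x2EB00, "RtlLengthSid": 0x2EB4E}
    hdr, pe, opt = bytearray(0x400), 0x80, 0x80 + 24
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    struct.pack_into("<H", hdr, opt, 0x10B)                                     # PE32
    struct.pack_into("<I", hdr, opt + 28, 0x78000000)                           # ImageBase, as in the post
    struct.pack_into("<I", hdr, opt + 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96, 0x1000, 0x200)                       # export directory RVA, size
    sh = opt + 0xE0
    hdr[sh:sh + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, 0x30000, 0x1000, 0x200, 0x400)       # vsize, va, rawsize, rawptr
    sec = bytearray(0x200)                                                      # RVA 0x1000 == file offset 0x400
    f_off, n_off, o_off, s_off = 0x28, 0x40, 0x58, 0x70
    struct.pack_into("<IIIIIIIIII", sec, 0, 0, 0, 0, 0x1000 + s_off, 1, len(funcs), len(funcs),
                     0x1000 + f_off, 0x1000 + n_off, 0x1000 + o_off)
    sec[s_off:s_off + 11] = b"SAMPLE.dll\0"
    cur = s_off + 11
    for i, (name, rva) in enumerate(funcs.items()):
        struct.pack_into("<I", sec, f_off + 4 * i, rva)
        struct.pack_into("<I", sec, n_off + 4 * i, 0x1000 + cur)
        struct.pack_into("<H", sec, o_off + 2 * i, i)
        s = name.encode() + b"\0"
        sec[cur:cur + len(s)] = s
        cur += len(s)
    return bytes(hdr) + bytes(sec)

if __name__ == "__main__":
    import sys                            # usage: resolve.py C:\Windows\System32\ntdll.dll 0x0002eb5a
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else build_sample_dll()
    fault = int(sys.argv[2], 16) if len(sys.argv) == 3 else 0x2EB5A   # no args: constructed sample
    print(resolve(fault, blob))
```

Against the constructed sample, offset 0x0002eb5a resolves to RtlLengthSid at RVA 0x0002eb4e with a delta of 12 bytes, matching the "few bytes earlier" found by scrolling in OllyDbg. On a real ntdll.dll the same call works unchanged; the only difference from the debugger method is that you never need the load base, because everything is compared as RVAs.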

From this, it was an easy leap to see that something in the LiveCycle environment was working with a user account it didn’t support.  This, ultimately, was enough for us to diagnose and fix our problem (by starting WebLogic’s NodeManager as Administrator, rather than Local System, the installation’s default).

