Converting addresses to symbol + offset
ln
(list nearest symbols) should do the trick:
0:000> ln 75da78d7
(75da78c2) USER32!NtUserGetMessage+0x15 | (75da78e2) USER32!GetMessageW
ln
works sometimes, but sometimes it doesn't return the exact symbol. OK for debugging, you can just check, but not optimal for scripting. The best thing I found is using u
for that, the first line should contain the symbol.
Example, ln
returns a symbol which translates to fffff801_1c41000f
instead of fffff801_1c40f000
:
0: kd> ln nt
(fffff801`1c410010) nt!IoStartNextPacket+0xffffffff`ffffffff | (fffff801`1c41004c) nt!IopStartNextPacketByKeyEx
0: kd> ? nt!IoStartNextPacket+0xffffffff`ffffffff
Evaluate expression: -8791324033009 = fffff801`1c41000f
u
returns the correct symbol, nt+0x0
(even though the output is knida convoluted):
0: kd> u nt L1
nt!IoStartNextPacket <PERF> (nt+0x0):
fffff801`1c40f000 4d5a pop r10