2

I wanted to perform static analysis on the Win32 function CreateFileW, so I loaded kernel32.dll using WinDbg and performed the command uf kernel32!CreateFileW.

But I am seeing the following output instead.

    0:000> uf kernel32!CreateFileW
    Flow analysis was incomplete, some code may be missing
    kernel32!CreateFileW:
    00000001`80024b60 ff2582d50500 jmp qword ptr [kernel32!_imp_CreateFileW (00000001`800820e8)]
    0:000> uf kernel32!_imp_CreateFileW
    No code found, aborting

Did I make any mistake?

1 Answer

1

kernel32!CreateFileW is just a thunk in the latest Windows, which can be observed by the import call

jmp qword ptr [kernel32!_imp_CreateFileW (00000001`800820e8)] 

The function is implemented in kernelbase!CreateFileW

You cannot disassemble a pointer like you do

uf kernel32!_imp_CreateFileW 

x64 uses RIP-relative addressing.

You have to add the size of the instruction to the symbol's address, add the relative address in the instruction, and dereference the pointer to get the correct value for performing uf.

Address Of Symbol

    0:000> x KERNEL32!CreateFileW
    00007ffb`d7744b60 KERNEL32!CreateFileW (CreateFileW)

length of instruction = 6 (ff25eac50500)

    0:000> u KERNEL32!CreateFileW l1
    KERNEL32!CreateFileW:
    00007ffb`d7744b60 ff25eac50500 jmp qword ptr [KERNEL32!_imp_CreateFileW (00007ffb`d77a1150)]

RIP-relative constant in instruction

    0:000> ? dwo(KERNEL32!CreateFileW+2)
    Evaluate expression: 378346 = 00000000`0005c5ea

Add up and dereference the value and perform uf on that offset

    0:000> ln poi(dwo(KERNEL32!CreateFileW+2)+KERNEL32!CreateFileW+6)
    (00007ffb`d6db9d30) KERNELBASE!CreateFileW | (00007ffb`d6db9db0) KERNELBASE!CreateFileInternal
    Exact matches:
    0:000>

WinDbg already resolves the pointer, either 00000001800820e8 in your post or 00007ffbd77a1150 in my answer.

You can directly dereference it to perform uf on the resultant offset

    0:000> ln poi(00007ffb`d77a1150)
    (00007ffb`d6db9d30) KERNELBASE!CreateFileW | (00007ffb`d6db9db0) KERNELBASE!CreateFileInternal
    Exact matches:
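
The arithmetic from the answer above, written out as an added Python example (not part of the original answer): it decodes an `FF 25` thunk, computes the import slot address, and dereferences it the way `poi` does. The function names and the `SAMPLE_MEMORY` map are hypothetical; the addresses and bytes are the ones printed in the question and the answer.

```python
import struct

JMP_RIP_REL = b"\xff\x25"   # FF /4 with ModRM 0x25: jmp qword ptr [rip+disp32]
INSN_LEN = 6                # 2 opcode/ModRM bytes + 4 displacement bytes
MASK64 = (1 << 64) - 1


def iat_slot_address(insn_addr: int, insn_bytes: bytes) -> int:
    """Return the address of the pointer a `jmp qword ptr [rip+disp32]` reads."""
    if len(insn_bytes) < INSN_LEN or insn_bytes[:2] != JMP_RIP_REL:
        raise ValueError("not an FF 25 rip-relative jmp")
    # disp32 is a signed little-endian value, relative to the NEXT instruction,
    # which is why the instruction length (6) is added to the symbol address.
    (disp,) = struct.unpack_from("<i", insn_bytes, 2)
    return (insn_addr + INSN_LEN + disp) & MASK64


def resolve_thunk(insn_addr: int, insn_bytes: bytes, read_qword) -> int:
    """Follow the thunk: compute the slot, then dereference it (WinDbg's poi)."""
    return read_qword(iat_slot_address(insn_addr, insn_bytes))


# Constructed stand-in for process memory: the single import slot from the
# answer, holding the KERNELBASE!CreateFileW address shown by its `ln` output.
SAMPLE_MEMORY = {0x00007FFBD77A1150: struct.pack("<Q", 0x00007FFBD6DB9D30)}


def read_qword_sample(addr: int) -> int:
    """Read 8 little-endian bytes from the constructed memory map."""
    return struct.unpack("<Q", SAMPLE_MEMORY[addr])[0]


if __name__ == "__main__":
    thunk = bytes.fromhex("ff25eac50500")
    q = iat_slot_address(0x180024B60, bytes.fromhex("ff2582d50500"))
    a = iat_slot_address(0x00007FFBD7744B60, thunk)
    print(f"slot in the question: {q:#018x}")
    print(f"slot in the answer:   {a:#018x}")
    target = resolve_thunk(0x00007FFBD7744B60, thunk, read_qword_sample)
    print(f"thunk target:         {target:#018x}")
```

In a live session `read_qword` would be backed by the debugger's memory read instead of the constructed map.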
