
Getting used incremental linking thunks from the .pdb for a function?

I'm trying to determine a static callgraph of an .exe using the .pdb and the DIA SDK. Unfortunately, when linking incrementally, the incremental trampoline thunks called by a function don't show up when using the dia2dump sample.

If you run and link the dia2dump sample (or the simple one here) with debug and incremental linking turned on, calls to wprintf or printf do not show up in any function's symbol dump. However, if you disable incremental linking, they do.

Is there any way to get the incremental trampolines used by a function through DIA? Or should I crack the .obj and .lib files instead?


How are you linking to the CRT? Static or dynamic?

I compiled the sample in VS2010 (with the dynamic/dll CRT) and loaded the resulting .exe into IDA Pro. Taking the Fatal function (from the sample) as an example, all of its printf calls compile directly into references of the .exe's import entry for that function (i.e., __imp__printf). So that may be why you're not seeing them show up in your dump. If I use static linking to the CRT (with incremental on), it calls the ILT. If I turn incremental off, it calls printf directly (since it's not importing it).

With the dynamic CRT, the indirect (calls the import) and ILT (calls the indirect; your 'trampoline' I believe) versions of printf function and such still exist in the incremental .exe, but have no code references to them.

The sample correctly dumps the ILTs (printf example below) of itself, so I would figure it would be able to correctly dump them in function symbol dump, when they're actually called. However, my experience with the DIA is limited, so by now I'm more or less talking out of my butt.

0x00011799 (PublicSymbol) @ILT+1940(_printf)
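
Added example, not part of the original question or answer: a Python post-processing step that reads public-symbol lines in the shape shown in the dump above, builds a thunk table, and rewrites call targets that land on an ILT thunk to the function behind it. The helper names, the extra sample lines, the call edges and the 5-byte thunk size are assumptions made for illustration.

```python
import re

# Line shape taken from the answer's dump: 0x00011799 (PublicSymbol) @ILT+1940(_printf)
ILT_LINE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+\(PublicSymbol\)\s+@ILT\+(\d+)\((.+)\)$")
THUNK_SIZE = 5  # assumption: each ILT entry is a single `jmp rel32` (E9 + 4 bytes)

# Constructed sample: only the _printf line comes from the page.
SAMPLE_DUMP = """\
0x0001100A (PublicSymbol) @ILT+5(_wmain)
0x00011799 (PublicSymbol) @ILT+1940(_printf)
0x00013000 (PublicSymbol) _wmain
"""
# Constructed (caller, call-target RVA) pairs, as a disassembly pass would emit them.
SAMPLE_EDGES = [("Fatal", 0x11799), ("Fatal", 0x13000)]


def parse_ilt_symbols(dump_text):
    """Return {thunk_rva: (offset_in_ilt, decorated_target)} for each @ILT line."""
    thunks = {}
    for line in dump_text.splitlines():
        m = ILT_LINE.match(line.strip())
        if m:
            thunks[int(m.group(1), 16)] = (int(m.group(2)), m.group(3))
    return thunks


def ilt_base(thunks):
    """All entries must agree on rva - offset; a mismatch means a bad parse."""
    bases = {rva - off for rva, (off, _) in thunks.items()}
    if len(bases) != 1:
        raise ValueError("inconsistent ILT base: %r" % sorted(map(hex, bases)))
    return bases.pop()


def resolve_edges(edges, thunks):
    """Replace call targets that land on an ILT thunk with the thunk's target name."""
    out = []
    for caller, target in edges:
        if target in thunks and thunks[target][0] % THUNK_SIZE == 0:
            out.append((caller, thunks[target][1], "via ILT"))
        else:
            out.append((caller, hex(target), "direct"))
    return out


if __name__ == "__main__":
    table = parse_ilt_symbols(SAMPLE_DUMP)
    print(hex(ilt_base(table)), resolve_edges(SAMPLE_EDGES, table))
```

The base check is a cheap sanity test on the parse: the page's own line gives 0x11799 - 1940 = 0x11005, and every other @ILT line from the same image should give the same value.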