把下面这一行保存为一个 txt 文件,放在类似 c:\myrva.txt 的位置
.foreach ( place { lm1ma ${$arg1} } ){ .printf "Rva for input is %x\n", ${$arg1}-${place} }
然后像下面这样使用它
0:000> $$>a< c:\\rva.txt @edx
Rva for input is 470b4
0:000> ? edx
Evaluate expression: 1997238452 = 770b70b4
0:000> $$>a< c:\\rva.txt .
Rva for input is a04fa
0:000> ? .
Evaluate expression: 1997604090 = 771104fa
0:000> $$>a< c:\\rva.txt 7711050a
Rva for input is a050a
好吧,如果您认为这应该是一个常规的 windbg 命令,您可以编写自己的扩展
并
使用 engextcpp 框架来实现 !rva。这应该不超过 5 行代码,如下所示
#include <engextcpp.cpp>
// Extension class for the engextcpp framework. EXT_COMMAND_METHOD(rva)
// declares the !rva bang command; its body is supplied by the EXT_COMMAND
// block further down in this file.
class EXT_CLASS : public ExtExtension {
public:
EXT_COMMAND_METHOD(rva);
};
// Defines the framework globals (the single extension instance) that
// engextcpp needs; this must appear exactly once in the extension DLL.
EXT_DECLARE_GLOBALS();
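// !rva [expr]
//
// Prints the RVA (offset from the owning module's base) of the address the
// expression evaluates to. The one unnamed argument is an expression ("e")
// defaulting to @$ip, so a bare "!rva" reports the RVA of the current
// instruction pointer.
//
// Fails with an error (instead of printing a bogus value) when no loaded
// module contains the address.
EXT_COMMAND( rva, "rva", "{;e,d=@$ip;!rva;}" ) {
    const ULONG64 inaddr = GetUnnamedArgU64(0);
    ULONG modIndex = 0;       // plain integers, not pointers: initialise with 0, not NULL
    ULONG64 modBase = 0;

    // GetModuleByOffset returns an HRESULT. If the address is not inside any
    // loaded module (heap, stack, unmapped memory) the call fails and modBase
    // keeps its initial value, so "inaddr - modBase" would silently print the
    // raw address disguised as an RVA. Surface the failure to the user instead.
    const HRESULT hr = m_Symbols->GetModuleByOffset(inaddr, 0, &modIndex, &modBase);
    if (FAILED(hr)) {
        ThrowRemote(hr, "No loaded module contains address %I64x", inaddr);
    }

    Out("Rva For Inaddress %I64x is %I64X\n", inaddr, (inaddr - modBase));
}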
用下面的命令编译并链接
cl /LD /nologo /W4 /Ox /Zi /EHsc rva.cpp /link /EXPORT:DebugExtensionInitialize /Export:rva /Export:help /RELEASE %linklibs%
然后就可以愉快地执行它了。它接受一个参数(一个表达式),默认情况下该表达式是当前指令指针,即 $ip
会话开始时自动加载扩展
windbg -c ".load rva" calc
永远快乐地旅行
0:000> !rva
Rva For Inaddress 776e04f6 is A04F6
0:000> !rva @edx
Rva For Inaddress 776870b4 is 470B4
0:000> !rva ntdll
Rva For Inaddress 77640000 is 0
0:000> !rva calc
Rva For Inaddress 440000 is 0
0:000> !rva calc!WinMain
Rva For Inaddress 441635 is 1635
even some obscure unrealistic expression will work
0:000> !rva @@c++( ( @$proc )->Ldr)
Rva For Inaddress 77717880 is D7880