
Created: Sunday, December 30 2007 07:52.12 CST Modified: Wednesday, January 21 2009 17:19.51 CST
Symbol Type Viewer 32Bit/64Bit v1.0.0.6 beta
Author: YoLeJedi # Views: 14899

Symbol Type Viewer 32Bit/64Bit Version 1.0.0.6 beta

Symbol Type Viewer is a tool that makes it easy to view the types defined in the symbols of Microsoft Windows 32/64-bit system modules. It can also convert this information to the C language (.h) and to scripts (.idc) for DataRescue's IDA disassembler.

Symbol Type Viewer lets you:
- download the symbols (pdb) very simply
- navigate and view the types and their members in detail as a tree structure
- easily find the unused areas in the structures (padding). These areas are theoretically usable to store personal data
- translate the structures to the C language (.h) and to IDA script (.idc) of DataRescue (http://www.datarescue.com/idabase/)
- customize the formatting: add a suffix to the names of types, and freeze the sizes of structures and members (pointers become ULONG32 for a 32-bit system and UINT64 for a 64-bit system)
- search for text or regular expressions
- batch-process all the modules found in a directory and its subdirectories, for example C:\Windows ;)
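
The padding search, type suffix and pointer-size freezing from the list above, sketched in Python as an added example (this is not Symbol Type Viewer's code). `Member`, `find_padding`, `to_c_header` and the `DEMO_ENTRY` layout are constructed for illustration; members are assumed not to overlap when the header is emitted, and bitfields are ignored.

```python
from typing import NamedTuple

class Member(NamedTuple):
    name: str
    offset: int  # byte offset inside the structure, as recorded in the symbols
    size: int    # size in bytes
    ctype: str   # C type name; "PVOID" marks a pointer in this sketch

def find_padding(members, total_size):
    """Return (offset, length) for every byte range that no member covers."""
    gaps, cursor = [], 0
    for m in sorted(members, key=lambda m: m.offset):
        if m.offset > cursor:
            gaps.append((cursor, m.offset - cursor))
        # max() keeps the scan correct if members overlap, as in a union
        cursor = max(cursor, m.offset + m.size)
    if total_size > cursor:  # tail padding after the last member
        gaps.append((cursor, total_size - cursor))
    return gaps

def to_c_header(name, members, total_size, pointer_bits=None, suffix=""):
    """Emit a C struct with explicit padding arrays.

    pointer_bits (32 or 64) replaces pointers with a fixed-size integer so
    the layout survives a build for the other bitness; it must match the
    bitness the offsets were taken from.
    """
    frozen = {32: "ULONG32", 64: "UINT64"}.get(pointer_bits)
    items = []
    for m in members:
        ctype = frozen if frozen and m.ctype == "PVOID" else m.ctype
        items.append((m.offset, f"{ctype} {m.name};"))
    for off, length in find_padding(members, total_size):
        items.append((off, f"UCHAR _padding_{off:x}[{length}];  /* unused */"))
    lines = [f"typedef struct _{name}{suffix} {{"]
    lines += [f"    /* +0x{off:03x} */ {decl}" for off, decl in sorted(items)]
    lines.append(f"}} {name}{suffix};  /* size 0x{total_size:x} */")
    return "\n".join(lines)

# Constructed 64-bit layout, not taken from any real module's symbols.
DEMO_ENTRY = [
    Member("Flags", 0, 4, "ULONG"),
    Member("Callback", 8, 8, "PVOID"),
    Member("State", 16, 1, "UCHAR"),
    Member("Count", 20, 4, "ULONG"),
]

if __name__ == "__main__":
    print(find_padding(DEMO_ENTRY, 24))
    print(to_c_header("DEMO_ENTRY", DEMO_ENTRY, 24, pointer_bits=64, suffix="_STV"))
```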

http://www.laboskopia.com/download/SymbolTypeViewer_v1.0_beta.zip

CHRONOLOGY

[+] May 18th, 2008 : Version 1.0.0.6 beta (32Bit / 64Bit)
- [bug] Fixed a problem with "_unnamed" structures included in a member of a struct array. They were not defined during a complete translation to the C format. This problem did not appear during a translation to IDA script or in the Viewer. (Thanks to Damien AUMAITRE)

[+] May 10th, 2008 : Version 1.0.0.5 beta (32Bit / 64Bit)
- [bug] Fixed a problem identifying bitfield structures inside a "union" (Thanks to mxatone)
- [bug] Fixed a problem with IDA and member names that are too short. IDA does not accept names shorter than 3 characters. To solve that, "__" is automatically appended to names of one or two characters. This applies only to IDA script formatting.

[+] March 20th, 2008 : Version 1.0.0.4 beta (32Bit / 64Bit)
- Added a filter to limit the translation scan (Thanks to Orkblutt and buri)
- [bug] Fixed an inappropriate error message shown when the symbols don't contain Types (Thanks to Orkblutt and memo5)

[+] February 27th, 2008 : Version 1.0.0.3 beta (32Bit / 64Bit)
- Added a search function based on text or a regular expression
- Added navigation buttons that remember the last 100 selections
- The size of pointers in structures can now be fixed for the C language. This option can be very useful when working with 32-bit processes in a 64-bit environment.
- A custom suffix can now be appended to all the names of unions, structures, enumerations and functions. This makes it possible to use the formatted entities in projects while avoiding declaration conflicts.
- All deduced or unnamed entities found in structure members now get a unique name. To give as much information as possible about the role of these entities, the names of all the members that depend on the entity are appended to the unique name, each separated by a "_" character.
- Added an Exit menu (Thanks to ouadji (the craziest of my friends) -> "An application without Exit menu is not an application. It's like the Camembert... There doesn't exist Alsatian Camembert cheese..." )
- [bug] Fixed a pointer size problem in 64-bit structures formatted for IDA script
- [bug] Fixed a main window refresh problem under Vista.
- [bug] Fixed a problem when doing "Brut copy" while the "Format view" panel is empty. (Thanks to ouadji)

[+] January 15th, 2008 : Version 1.0.0.2 beta (32Bit / 64Bit)
- Symbol Type Viewer is now compatible with the 32-bit and 64-bit versions of Windows.
- The functions found in structures are now directly accessible from the tree view.
- The tree now uses meaningful icons.
- In the C format structures, the unused zones now appear clearly in red. These zones are theoretically available to store personal data.
- [bug] Fixed a wrong size estimate for certain local structures.

[+] December 29th, 2007 : Version 1.0.0.1 beta (32Bit)
- [bug] Fixed a problem that gave (with certain system appearance settings) a non-white background in the formatted structures view. This can be disturbing, especially when the background appears in black. (Thanks to DarKPhoeniX)
- [bug] Fixed bad handling of the system variable _NT_SYMBOLS_PATH when it isn't completely in lower case (Thanks to Neitsa)

[+] December 28th, 2007 : Version 1.0.0.0 beta (32Bit)
- Initial version

Bug reports: stv(at)laboskopia.com

Thanks and have fun :)

Lionel d'Hauenens

ps: sorry for my so awkward English.





Blog Comments
NeOXQuiCk Posted: Wednesday, March 5 2008 21:33.46 CST
excellent work..

memo5 Posted: Monday, March 10 2008 18:36.39 CDT
It's a great tool.
But some PDB files are not parsed correctly and I get the message Error In ModuleSymbols.Init.
I hope this problem will be solved next ver.

YoLeJedi Posted: Wednesday, March 12 2008 08:22.10 CDT
There is surely a conflict with the already downloaded pdb.
You should provide an empty "Symbol Path".
That will force the remote loading of the correct pdb.
That should solve your problem.

memo5 Posted: Wednesday, March 12 2008 22:45.32 CDT
I have created a new empty dir for symbol files and tried it, but the same error was raised again.
Can you try this file please "C:\WINDOWS\system32\drivers\fips.sys".
My System is Windows XP SP2 if it can help.

YoLeJedi Posted: Thursday, March 13 2008 09:57.58 CDT
There is actually a bug when the module has no Typedef in its symbols.
The error message isn't appropriate.
I will correct that quickly.

For your module (C:\WINDOWS\system32\drivers\fips.sys), don't look any further. It doesn't contain type information.

I thank you for the feed-back.

memo5 Posted: Thursday, March 13 2008 14:47.01 CDT
Thank you YoLeJedi for your tool and for your quick response.

YoLeJedi Posted: Friday, March 21 2008 16:24.07 CDT
A little new release

[+] March 20th, 2008 : Version 1.0.0.4 beta (32Bit / 64Bit)

- Addition of a filter to limit the translation scan (Thanks to Orkblutt and buri)
- [bug] Correction of an inappropriate error message when the symbols don't contain Types (Thanks to Orkblutt and memo5)

memo5 : The problem that you met should be eradicated now. ;)

YoLeJedi Posted: Monday, May 12 2008 14:23.23 CDT
Version 1.0.0.5 beta (32Bit / 64Bit) : new release

[+] May 10th, 2008 : Version 1.0.0.5 beta (32Bit / 64Bit)
- [bug] Correction of a problem of identification of bitfield structure inside "union" (Thanks to mxatone)
- [bug] Correction of a problem with IDA and member names that are too short. IDA does not accept names shorter than 3 characters. To solve that, "__" is automatically added at the end of names with one or two characters. This is applied only for IDA script formatting.

:)

YoLeJedi Posted: Monday, May 19 2008 08:35.20 CDT
Version 1.0.0.6 beta (32Bit / 64Bit) : new release

[+] May 18th, 2008 : Version 1.0.0.6 beta (32Bit / 64Bit)
- [bug] Correction of a problem with "_unnamed" structures included in a member of a struct array. Those were not defined during a complete translation to the C format. This problem doesn't appear during a translation to IDA script or in the Viewer. (Thanks to Damien AUMAITRE)

:)



