anonymouse <any_anonymouse yahoo com> |
Tuesday, April 24 2007 01:35.16 CDT |
I have added one more command, Loadpdb, to my modified cmdline plugin.
With this addition you can now load the PDB symbols of any module into OllyDbg.
Usage: press Alt+F1 to open the command line,
then type loadpdb "FULL PATH TO YOUR EXECUTABLE".
A sample entry is shown below:
loadpdb c:\windows\system32\ntdll.dll
Before using this plugin you have to set the environment variable _NT_SYMBOL_PATH.
The plugin hands that value to dbghelp as the symbol search path and will look for symbols only there, nowhere else.
A sample _NT_SYMBOL_PATH looks like this:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
where SRV is mandatory if you want to download symbols from the Microsoft symbol server on the fly,
the path embedded between the two asterisks is your downstream store (you can specify any directory you want),
and the URL following the last asterisk is the URL of the Microsoft symbol server.
Note that this URL is plain HTTP, so files fetched from it are not authenticated in transit; treat the downstream store as trusted input to the debugger and point it at a directory only you can write to.
You also need the current redistributable dbghelp.dll and symsrv.dll (as of this writing they ship with the WinDbg 6.6.7.5 installation) in the OllyDbg directory. The plugin loads dbghelp by bare name (LoadLibrary("dbghelp.dll")), so whichever copy is found first on the DLL search path is used; placing the pair in the OllyDbg (application) directory is what makes the newer redistributable win over an older copy elsewhere.
These two files are the only prerequisites.
I have mailed Pedram the latest source and compiled binary,
and will update this blog post whenever they are available in the download section.
I'm all ears for any suggestions to improve these additional commands.
My thanks go to Matt Pietrek for his excellent MSDN Magazine article and its DbgHelpDemo sample code, available on his personal website wheaty.net.
The newly added code is below.
/* Symbol type reported by dbghelp in IMAGEHLP_MODULE.SymType.
   The numeric values are part of dbghelp's ABI, so they are spelled
   out explicitly: a reorder must not be able to change them silently. */
typedef enum {
    SymNone = 0,        /* no symbols loaded */
    SymCoff = 1,
    SymCv = 2,
    SymPdb = 3,
    SymExport = 4,      /* only the export table was available */
    SymDeferred = 5,
    SymSym = 6,         /* .sym file */
    SymDia = 7,
    SymVirtual = 8,
    NumSymTypes = 9     /* count, not a symbol type */
} SYM_TYPE;
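/* Mirror of dbghelp's 32-bit IMAGEHLP_MODULE.  dbghelp fills exactly
   0x23c bytes (6 DWORDs + a 4-byte SymType + 32 + 256 + 256 name bytes)
   and checks SizeOfStruct against that value, so every field must have
   the width dbghelp assumes.  SymType is therefore declared DWORD rather
   than SYM_TYPE: a compiler that shrinks enums to 1 byte (the original
   author observed sizeof == 0x239) would otherwise let SymGetModuleInfo
   overrun the struct by 3 bytes.  The field still holds SYM_TYPE values
   and is compared against them directly. */
typedef struct _IMAGEHLP_MODULE {
DWORD SizeOfStruct; // set to sizeof(IMAGEHLP_MODULE), i.e. 0x23c
DWORD BaseOfImage; // base load address of module
DWORD ImageSize; // virtual size of the loaded module
DWORD TimeDateStamp; // date/time stamp from pe header
DWORD CheckSum; // checksum from the pe header
DWORD NumSyms; // number of symbols in the symbol table
DWORD SymType; // type of symbols loaded (a SYM_TYPE value, kept 4 bytes wide)
CHAR ModuleName[32]; // module name
CHAR ImageName[256]; // image name
CHAR LoadedImageName[256]; // symbol file name
} IMAGEHLP_MODULE, *PIMAGEHLP_MODULE;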
/*
typedef struct _SYMBOL_INFO {
ULONG SizeOfStruct;
ULONG TypeIndex; // Type Index of symbol
ULONG64 Reserved[2];
ULONG Index;
ULONG Size;
ULONG64 ModBase; // Base Address of module containing this symbol
ULONG Flags;
ULONG64 Value; // Value of symbol, ValuePresent should be 1
ULONG64 Address; // Address of symbol including base address of module
ULONG Register; // register holding value or pointer to value
ULONG Scope; // scope of the symbol
ULONG Tag; // pdb classification
ULONG NameLen; // Actual length of name
ULONG MaxNameLen;
CHAR Name[1]; // Name of symbol
} SYMBOL_INFO, *PSYMBOL_INFO;
*/
// The original structure definition above is commented out; the trimmed
// version below keeps only the fields this plugin reads, placed at the
// offsets dbghelp uses, to make it work when built for OllyDbg.
// trimmed symbol info structure
/* Minimal SYMBOL_INFO overlay.  The enumeration callback reads only
   Address and Name, so everything else is kept as opaque byte runs sized
   so that Address lands at offset 0x38 and Name at 0x54.  Those are the
   offsets the commented-out original yields once its ULONG64 members are
   8-byte aligned; presumably the author's compiler did not align them
   that way, hence this hand-laid-out overlay.  Address is 4 bytes here
   and so reads the low half of dbghelp's 64-bit Address field, which is
   sufficient for a 32-bit debuggee.  Name is passed straight to
   Insertname, so the plugin relies on dbghelp NUL-terminating it. */
typedef struct _SYMBOL_INFO {
ULONG SizeOfStruct;
CHAR butchered[0x34];       /* TypeIndex .. Value, unused here */
ULONG Address;              /* offset 0x38: low 32 bits of the symbol's absolute address */
CHAR butcheredagain[0x18];  /* Register .. MaxNameLen, unused here */
CHAR Name[1];               /* offset 0x54: symbol name, variable length */
}SYMBOL_INFO, *PSYMBOL_INFO;
/* Callback type SymEnumSymbols invokes once per symbol.  Returning TRUE
   continues the enumeration. */
typedef BOOL (CALLBACK *PSYM_ENUMERATESYMBOLS_CALLBACK)(
PSYMBOL_INFO pSymInfo,
ULONG SymbolSize,
PVOID UserContext
);
/* dbghelp entry points are resolved with GetProcAddress at run time (see
   Loadpdb), so the plugin has no link-time dependency on a particular
   dbghelp.dll.  These prototypes mirror the non-"64" exports: module
   bases are DWORD-sized, i.e. the plugin addresses a 32-bit debuggee. */
typedef BOOL (WINAPI *PSymInitialize)(
HANDLE hProcess,
PCSTR UserSearchPath,   /* Loadpdb passes the _NT_SYMBOL_PATH value here */
BOOL fInvadeProcess
);
typedef DWORD (WINAPI *PSymLoadModule)(
HANDLE hProcess,
HANDLE hFile,
PCSTR ImageName,
PCSTR ModuleName,
DWORD BaseOfDll,        /* 0 lets dbghelp pick the base from the image */
DWORD SizeOfDll
);
typedef BOOL (WINAPI *PSymGetModuleInfo)(
HANDLE hProcess,
DWORD dwAddr,
PIMAGEHLP_MODULE ModuleInfo   /* SizeOfStruct must be set by the caller */
);
/* Note: unlike the other entry points this one takes a 64-bit base; the
   DWORD returned by SymLoadModule is widened at the call site. */
typedef BOOL (WINAPI *PSymEnumSymbols)(
HANDLE hProcess,
ULONG64 BaseOfDll,
PCSTR Mask,             /* NULL/0 enumerates every symbol */
PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback,
PVOID UserContext
);
typedef BOOL (WINAPI *PSymUnloadModule)(
HANDLE hProcess,
DWORD BaseOfDll
);
typedef BOOL (WINAPI *PSymCleanup)(
HANDLE hProcess
);
typedef DWORD (WINAPI *PSymSetOptions)(
DWORD SymOptions
);
/* The plugin's own callback; see its definition below Loadpdb. */
BOOL CALLBACK SYM_ENUMERATESYMBOLS_CALLBACK(
PSYMBOL_INFO pSymInfo,
ULONG SymbolSize,
PVOID UserContext
);
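/*
 * Loadpdb - cmdline plugin command: load the debug symbols of the module
 * named on the command line through dbghelp and insert every enumerated
 * symbol into OllyDbg's name table as a library name.
 *
 * answer, parm: unused; present to match the cmdline command signature.
 * The module path is taken from the cmdline plugin's global command
 * buffer `string`; the symbol search path comes from the _NT_SYMBOL_PATH
 * environment variable and is the only place dbghelp will look.
 *
 * Returns 0 when symbols were loaded, 1 on an environment or API failure,
 * and FALSE (also 0) when the module has no usable symbols.  The return
 * values are kept from the original command for compatibility.
 *
 * Fixes over the original: every early exit now unloads the module,
 * calls SymCleanup and releases the handles (the original leaked the
 * symbol handler on the "skipping" paths, which makes the next
 * SymInitialize on the same process fail); the environment variable is
 * read for any length (the original left hMem uninitialized when the
 * value was 3 characters or shorter); VirtualAlloc, OpenProcess and
 * SymGetModuleInfo results are checked; filename is always terminated.
 */
int Loadpdb(char *answer,ulong parm)
{
    PSYM_ENUMERATESYMBOLS_CALLBACK psymcallback = SYM_ENUMERATESYMBOLS_CALLBACK;
    PSymInitialize psyminit;
    PSymLoadModule psymloadmodule;
    PSymGetModuleInfo psymgetmoduleinfo;
    PSymEnumSymbols psymenumsymbols;
    PSymUnloadModule psymunloadmodule;
    PSymSetOptions psymsetoptions;
    PSymCleanup psymcleanup;
    HINSTANCE dbghlp_dll = NULL;
    HANDLE hProcess = NULL;
    DWORD dbgpid;
    DWORD dwModuleBase = 0;
    /* dbghelp fills 0x23c bytes of IMAGEHLP_MODULE (SymType is a 4-byte
       enum there).  A compiler that packs the enum to 1 byte makes the
       struct 0x239 bytes, so give the call 0x23c bytes of storage rather
       than let SymGetModuleInfo overrun the stack by 3 bytes. */
    union { IMAGEHLP_MODULE im; CHAR pad[0x23c]; } imu;
    CHAR filename[TEXTLEN];
    CHAR lpname[] = {"_NT_SYMBOL_PATH"};
    DWORD envlen;
    DWORD dwret;
    char *hMem = NULL;
    BOOL syminited = FALSE;
    int rc = 1;

    /* Size query: returns the length including the terminator, or 0 when
       the variable is not set. */
    envlen = GetEnvironmentVariable(lpname, NULL, 0);
    if (envlen == 0)
    {
        MessageBox(NULL,"YOU have to set _NT_SYMBOL_PATH to load pdbs from this plugin","ERROR",NULL);
        return 1;
    }
    hMem = (CHAR *)VirtualAlloc(NULL, envlen + 1, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
    if (hMem == NULL)
    {
        Addtolist(0,1,"VirtualAlloc for _NT_SYMBOL_PATH failed");
        return 1;
    }
    dwret = GetEnvironmentVariable(lpname, hMem, envlen);
    if (dwret == 0 || dwret >= envlen)
    {
        /* Variable vanished or grew between the two calls. */
        Addtolist(0,1,"reading _NT_SYMBOL_PATH failed");
        goto cleanup;
    }
    Addtolist(0,1,"%x %s",dwret,hMem);

    /* strncpy does not terminate on truncation; force it. */
    strncpy(filename,string,(TEXTLEN-1));
    filename[TEXTLEN-1] = '\0';

    /* dbghelp only needs a handle to identify the symbol-handler
       instance (fInvadeProcess is FALSE and the module is read from
       disk), so PROCESS_ALL_ACCESS is more than this path requires. */
    dbgpid = Plugingetvalue(VAL_PROCESSID);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dbgpid);
    if (hProcess == NULL)
    {
        Addtolist(0,1,"OpenProcess failed - is a process loaded?");
        goto cleanup;
    }

    /* Bare name: resolved through the DLL search path, where the OllyDbg
       (application) directory comes first - that is why the post asks
       for dbghelp.dll/symsrv.dll to be placed there. */
    dbghlp_dll = LoadLibrary("dbghelp.dll");
    if (dbghlp_dll == NULL)
    {
        Addtolist(0,1,"load lib failed");
        goto cleanup;
    }
    psyminit = (PSymInitialize) GetProcAddress(dbghlp_dll,"SymInitialize");
    psymloadmodule = (PSymLoadModule) GetProcAddress(dbghlp_dll,"SymLoadModule");
    psymsetoptions = (PSymSetOptions) GetProcAddress(dbghlp_dll,"SymSetOptions");
    psymgetmoduleinfo = (PSymGetModuleInfo) GetProcAddress(dbghlp_dll,"SymGetModuleInfo");
    psymenumsymbols = (PSymEnumSymbols) GetProcAddress(dbghlp_dll,"SymEnumSymbols");
    psymunloadmodule = (PSymUnloadModule) GetProcAddress(dbghlp_dll,"SymUnloadModule");
    psymcleanup = (PSymCleanup) GetProcAddress(dbghlp_dll,"SymCleanup");
    if (!psyminit || !psymloadmodule || !psymsetoptions || !psymgetmoduleinfo ||
        !psymenumsymbols || !psymunloadmodule || !psymcleanup)
    {
        Addtolist(0,1,"dbghelp loaded but get proc failed");
        goto cleanup;
    }
    Addtolist(0,1,"dbghelp dll loaded and address retrieved");

    /* The _NT_SYMBOL_PATH value is the complete search path. */
    if (!psyminit(hProcess, hMem, FALSE))
    {
        Addtolist(0,1, "SymInitialize failed" );
        goto cleanup;
    }
    syminited = TRUE;
    /* 0x80000003 = SYMOPT_DEBUG | SYMOPT_UNDNAME | SYMOPT_CASE_INSENSITIVE */
    psymsetoptions(0x80000003);

    dwModuleBase = psymloadmodule(hProcess, 0, filename, 0, 0, 0);
    if (!dwModuleBase)
    {
        Addtolist(0,1, "SymLoadModuleFailed" );
        goto cleanup;
    }

    memset(&imu, 0, sizeof(imu));
    imu.im.SizeOfStruct = 0x23c; /* what dbghelp checks for, independent of this compiler's sizeof */
    if (!psymgetmoduleinfo(hProcess, dwModuleBase, &imu.im))
    {
        Addtolist(0,1, "SymGetModuleInfo failed" );
        goto cleanup;
    }
    if (imu.im.SymType == SymExport)
    {
        Addtolist(0,1, "Only Export symbols - skipping");
        rc = FALSE;
        goto cleanup;
    }
    if (imu.im.SymType == SymNone)
    {
        Addtolist(0,1, "No Symbols - skipping");
        rc = FALSE;
        goto cleanup;
    }

    /* Mask 0: every symbol; the callback inserts each into OllyDbg. */
    psymenumsymbols(hProcess, dwModuleBase, 0, psymcallback, 0);
    rc = 0;

cleanup:
    /* Release in reverse order of acquisition; each step is guarded so
       this label is safe from every exit above. */
    if (dwModuleBase)
        psymunloadmodule(hProcess, dwModuleBase);
    if (syminited)
        psymcleanup(hProcess);
    if (dbghlp_dll)
        FreeLibrary(dbghlp_dll);
    if (hProcess)
        CloseHandle(hProcess);
    if (hMem)
        VirtualFree(hMem, 0, MEM_RELEASE);
    return rc;
}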
#pragma argsused
/* SymEnumSymbols callback: register one symbol with OllyDbg as a
   library name at its absolute address.  SymbolSize and UserContext are
   not used.  Returning TRUE asks dbghelp to keep enumerating. */
BOOL CALLBACK SYM_ENUMERATESYMBOLS_CALLBACK( PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext )
{
    /* Address is the 4-byte field of the trimmed SYMBOL_INFO overlay above. */
    const ULONG addr = pSymInfo->Address;
    const char *name = pSymInfo->Name;
    Insertname(addr, NM_LIBRARY, name);
    return TRUE;
}
Without that sample this code would have been impossible, at least for me :)
Pedram has updated the download section today; you can find the latest source and binary here:
https://www.openrce.org/downloads/download_file/206
Any comments, suggestions or criticisms are welcome.
I tried to use your plugin but it says "Unrecognized command: LOADPDB" Any suggestions? |