

Created: Tuesday, April 24 2007 01:35.16 CDT Modified: Sunday, April 29 2007 10:56.35 CDT
LoadPdb added to my modified cmdline plugin
Author: anonymouse # Views: 14607

I have added one more command, Loadpdb, to my modified cmdline plugin.

With this addition you can now load any PDB symbols into OllyDbg.


Usage: press Alt+F1 to open the command line, then type

loadpdb "FULL PATH TO YOUR EXECUTABLE"

A sample entry:
loadpdb c:\windows\system32\ntdll.dll

Before using this command you have to set the environment variable _NT_SYMBOL_PATH; the plugin looks for symbols only in that path and nowhere else.

A sample _NT_SYMBOL_PATH looks like:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

The SRV prefix is mandatory if you want symbols downloaded on the fly from the Microsoft symbol server. The path between the two asterisks is your downstream store, which can be any directory you like, and the URL after the second asterisk is the Microsoft symbol server.
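As an added example (not part of the post or the plugin), the following portable C splits an _NT_SYMBOL_PATH value into its elements and classifies each one, so a symbol path can be checked before a debugger acts on it. It goes beyond the single SRV entry shown above: it also handles plain directories, cache* elements, srv* elements without an explicit downstream store, and several ';'-separated elements. The function and type names (sympath_parse, sympath_servers_allowed, sympath_elem) and the sample paths are constructed for this example; nothing is contacted or downloaded.

```c
/* Added example: parse and check an _NT_SYMBOL_PATH value (portable C11). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYMPATH_MAX_ELEMS 8
#define SYMPATH_FIELD_LEN 260

typedef enum { SYMPATH_DIR, SYMPATH_SRV, SYMPATH_CACHE } sympath_kind;

typedef struct {
    sympath_kind kind;
    char store[SYMPATH_FIELD_LEN]; /* plain directory, or downstream store of srv* / cache* */
    char url[SYMPATH_FIELD_LEN];   /* upstream server of an srv* element, empty otherwise */
} sympath_elem;

/* Case-insensitive "s (length n) starts with prefix", without POSIX strncasecmp. */
static bool starts_with_ci(const char *s, size_t n, const char *prefix)
{
    size_t pl = strlen(prefix);
    if (n < pl) return false;
    for (size_t i = 0; i < pl; i++) {
        unsigned char a = (unsigned char)s[i], b = (unsigned char)prefix[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return false;
    }
    return true;
}

static void copy_field(char *dst, const char *src, size_t n)
{
    if (n >= SYMPATH_FIELD_LEN) n = SYMPATH_FIELD_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* One element: "srv*[store]*url", "cache*dir" or a plain directory. */
static void parse_elem(const char *s, size_t n, sympath_elem *out)
{
    memset(out, 0, sizeof *out);
    if (starts_with_ci(s, n, "srv*")) {
        const char *rest = s + 4;
        size_t rn = n - 4;
        const char *star = memchr(rest, '*', rn);
        out->kind = SYMPATH_SRV;
        if (star) {            /* srv*store*url: text between the asterisks is the downstream store */
            size_t sl = (size_t)(star - rest);
            copy_field(out->store, rest, sl);
            copy_field(out->url, star + 1, rn - sl - 1);
        } else {               /* srv*url: no explicit downstream store */
            copy_field(out->url, rest, rn);
        }
    } else if (starts_with_ci(s, n, "cache*")) {
        out->kind = SYMPATH_CACHE;
        copy_field(out->store, s + 6, n - 6);
    } else {
        out->kind = SYMPATH_DIR;
        copy_field(out->store, s, n);
    }
}

/* Fills out[] with the non-empty ';'-separated elements; returns their number, or -1 if more than max. */
int sympath_parse(const char *path, sympath_elem *out, int max)
{
    int count = 0;
    const char *p = path;
    for (;;) {
        const char *semi = strchr(p, ';');
        size_t n = semi ? (size_t)(semi - p) : strlen(p);
        if (n > 0) {
            if (count == max) return -1;
            parse_elem(p, n, &out[count++]);
        }
        if (!semi) return count;
        p = semi + 1;
    }
}

/* True when every srv* element fetches from a URL starting with allowed_prefix, i.e. the path
 * cannot make the debugger pull symbols from a server other than the intended one. */
bool sympath_servers_allowed(const char *path, const char *allowed_prefix)
{
    sympath_elem elems[SYMPATH_MAX_ELEMS];
    int n = sympath_parse(path, elems, SYMPATH_MAX_ELEMS);
    if (n < 0) return false;
    for (int i = 0; i < n; i++)
        if (elems[i].kind == SYMPATH_SRV &&
            !starts_with_ci(elems[i].url, strlen(elems[i].url), allowed_prefix))
            return false;
    return true;
}

int main(void)
{
    /* constructed sample values */
    const char *mixed = "c:\\mysyms;cache*c:\\symcache;srv*http://symbols.example.invalid/";
    sympath_elem elems[SYMPATH_MAX_ELEMS];
    int n = sympath_parse(mixed, elems, SYMPATH_MAX_ELEMS);
    for (int i = 0; i < n; i++)
        printf("kind=%d store=\"%s\" url=\"%s\"\n", elems[i].kind, elems[i].store, elems[i].url);
    printf("only msdl allowed: %d\n", sympath_servers_allowed(mixed, "http://msdl.microsoft.com/"));
    return 0;
}
```

sympath_servers_allowed() is the check worth running on a shared or inherited symbol path: any srv* element points the debugger at a server it will download from, so a path that names anything other than the expected server should be reviewed before dbghelp sees it.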

You also need current redistributable copies of dbghelp.dll and symsrv.dll (as of this writing, from the WinDbg 6.6.7.5 installation) in the OllyDbg directory.

These two are the only prerequisites.


I have mailed Pedram the latest source and compiled binary.

I will update this blog post whenever they are available in the download section.


I'm all ears for any suggestions to improve these additional commands.

My thanks go to Matt Pietrek for his excellent MSDN Magazine article and for the dbghelpdemo sample code that accompanies it, available on his personal website, wheaty.net.

The latest added code is below.


// Builds against OllyDbg's plugin.h (Addtolist, Plugingetvalue, Insertname, TEXTLEN, ulong,
// NM_LIBRARY, VAL_PROCESSID) and windows.h. The dbghelp types and prototypes are declared
// by hand below so the plugin does not depend on a dbghelp.h matching the DLL in use.

typedef enum {
    SymNone = 0,
    SymCoff,
    SymCv,
    SymPdb,
    SymExport,
    SymDeferred,
    SymSym,       // .sym file
    SymDia,
    SymVirtual,
    NumSymTypes
} SYM_TYPE;

typedef struct _IMAGEHLP_MODULE {
    DWORD    SizeOfStruct;           // set to sizeof(IMAGEHLP_MODULE)
    DWORD    BaseOfImage;            // base load address of module
    DWORD    ImageSize;              // virtual size of the loaded module
    DWORD    TimeDateStamp;          // date/time stamp from pe header
    DWORD    CheckSum;               // checksum from the pe header
    DWORD    NumSyms;                // number of symbols in the symbol table
    SYM_TYPE SymType;                // type of symbols loaded
    CHAR     ModuleName[32];         // module name
    CHAR     ImageName[256];         // image name
    CHAR     LoadedImageName[256];   // symbol file name
} IMAGEHLP_MODULE, *PIMAGEHLP_MODULE;

/*
The documented SYMBOL_INFO layout, kept here for reference only:

typedef struct _SYMBOL_INFO {
    ULONG       SizeOfStruct;
    ULONG       TypeIndex;        // Type Index of symbol
    ULONG64     Reserved[2];
    ULONG       Index;
    ULONG       Size;
    ULONG64     ModBase;          // Base Address of module containing this symbol
    ULONG       Flags;
    ULONG64     Value;            // Value of symbol, ValuePresent should be 1
    ULONG64     Address;          // Address of symbol including base address of module
    ULONG       Register;         // register holding value or pointer to value
    ULONG       Scope;            // scope of the symbol
    ULONG       Tag;              // pdb classification
    ULONG       NameLen;          // Actual length of name
    ULONG       MaxNameLen;
    CHAR        Name[1];          // Name of symbol
} SYMBOL_INFO, *PSYMBOL_INFO;
*/

// The documented structure above was butchered ("fubared") by me to make it work with
// OllyDbg's compiler: byte arrays pad the two fields the plugin actually reads to the offsets
// dbghelp.dll uses (Address at 0x38, Name at 0x54). Only the low DWORD of the 64-bit Address
// is read, which is enough for a 32-bit debuggee.
typedef struct _SYMBOL_INFO {
    ULONG       SizeOfStruct;
    CHAR        butchered[0x34];      // TypeIndex .. Value
    ULONG       Address;              // low DWORD of the 64-bit Address
    CHAR        butcheredagain[0x18]; // high DWORD of Address, Register .. MaxNameLen
    CHAR        Name[1];
} SYMBOL_INFO, *PSYMBOL_INFO;

typedef BOOL (CALLBACK *PSYM_ENUMERATESYMBOLS_CALLBACK)(
    PSYMBOL_INFO pSymInfo,
    ULONG SymbolSize,
    PVOID UserContext
);

typedef BOOL (WINAPI *PSymInitialize)(
    HANDLE hProcess,
    PCSTR UserSearchPath,
    BOOL fInvadeProcess
);

typedef DWORD (WINAPI *PSymLoadModule)(
    HANDLE hProcess,
    HANDLE hFile,
    PCSTR ImageName,
    PCSTR ModuleName,
    DWORD BaseOfDll,
    DWORD SizeOfDll
);

typedef BOOL (WINAPI *PSymGetModuleInfo)(
    HANDLE hProcess,
    DWORD dwAddr,
    PIMAGEHLP_MODULE ModuleInfo
);

typedef BOOL (WINAPI *PSymEnumSymbols)(
    HANDLE hProcess,
    ULONG64 BaseOfDll,
    PCSTR Mask,
    PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback,
    PVOID UserContext
);

typedef BOOL (WINAPI *PSymUnloadModule)(
    HANDLE hProcess,
    DWORD BaseOfDll
);

typedef BOOL (WINAPI *PSymCleanup)(
    HANDLE hProcess
);

typedef DWORD (WINAPI *PSymSetOptions)(
    DWORD SymOptions
);

BOOL CALLBACK SYM_ENUMERATESYMBOLS_CALLBACK(
    PSYMBOL_INFO pSymInfo,
    ULONG SymbolSize,
    PVOID UserContext
);


int Loadpdb(char *answer, ulong parm)
{
    PSYM_ENUMERATESYMBOLS_CALLBACK psymcallback = SYM_ENUMERATESYMBOLS_CALLBACK;

    PSymInitialize psyminit;
    PSymLoadModule psymloadmodule;
    PSymGetModuleInfo psymgetmoduleinfo;
    PSymEnumSymbols psymenumsymbols;
    PSymUnloadModule psymunloadmodule;
    PSymSetOptions psymsetoptions;
    PSymCleanup psymcleanup;

    HINSTANCE dbghlp_dll = NULL;
    HANDLE hProcess = NULL;
    DWORD dbgpid;
    DWORD dwModuleBase = 0;
    CHAR filename[TEXTLEN];
    CHAR lpname[] = "_NT_SYMBOL_PATH";
    DWORD needed;
    DWORD dwret;
    char *hMem = NULL;
    BOOL syminitialized = FALSE;
    int result = 1;                   // 1 = failure (as elsewhere in the plugin), 0 = done
    // dbghelp fills 0x23c bytes of IMAGEHLP_MODULE whatever sizeof() says on this compiler
    // (see the SizeOfStruct comment below), so back the structure with a buffer of that size
    // rather than a bare IMAGEHLP_MODULE on the stack. SymType sits at offset 24 either way.
    CHAR imbuf[0x23c];
    PIMAGEHLP_MODULE pim = (PIMAGEHLP_MODULE)imbuf;

    // With no buffer, GetEnvironmentVariable returns 0 if the variable is not set, otherwise
    // the size in characters needed for the value and its terminating NUL.
    needed = GetEnvironmentVariable(lpname, NULL, 0);
    if (needed == 0)
    {
        MessageBox(NULL, "YOU have to set _NT_SYMBOL_PATH to load pdbs from this plugin", "ERROR", MB_OK);
        return 1;
    }
    hMem = (CHAR *)VirtualAlloc(NULL, needed + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (hMem == NULL)
    {
        Addtolist(0, 1, "VirtualAlloc for _NT_SYMBOL_PATH failed");
        return 1;
    }
    dwret = GetEnvironmentVariable(lpname, hMem, needed + 1);
    Addtolist(0, 1, "%x %s", dwret, hMem);

    memset(imbuf, 0, sizeof(imbuf));
    // Hack: dbghelp checks for SizeOfStruct == 0x23c, but sizeof(IMAGEHLP_MODULE) comes out as
    // 0x239 on this compiler, probably because the SYM_TYPE enum is treated as one byte instead
    // of the DWORD-aligned 4 bytes dbghelp was built with. Hard-coding the value the DLL expects
    // makes the call succeed.
    pim->SizeOfStruct = 0x23c;

    // 'string' is the cmdline plugin's buffer holding the argument typed after the command
    // (defined elsewhere in the plugin source); strncpy does not guarantee termination.
    strncpy(filename, string, TEXTLEN - 1);
    filename[TEXTLEN - 1] = '\0';
    dbgpid = Plugingetvalue(VAL_PROCESSID);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dbgpid);
    if (hProcess == NULL)
    {
        Addtolist(0, 1, "OpenProcess failed");
        VirtualFree(hMem, 0, MEM_RELEASE);
        return 1;
    }

    dbghlp_dll = LoadLibrary("dbghelp.dll");
    if (dbghlp_dll == NULL)
    {
        Addtolist(0, 1, "load lib failed");
        goto done;
    }
    psyminit = (PSymInitialize) GetProcAddress(dbghlp_dll, "SymInitialize");
    psymloadmodule = (PSymLoadModule) GetProcAddress(dbghlp_dll, "SymLoadModule");
    psymsetoptions = (PSymSetOptions) GetProcAddress(dbghlp_dll, "SymSetOptions");
    psymgetmoduleinfo = (PSymGetModuleInfo) GetProcAddress(dbghlp_dll, "SymGetModuleInfo");
    psymenumsymbols = (PSymEnumSymbols) GetProcAddress(dbghlp_dll, "SymEnumSymbols");
    psymunloadmodule = (PSymUnloadModule) GetProcAddress(dbghlp_dll, "SymUnloadModule");
    psymcleanup = (PSymCleanup) GetProcAddress(dbghlp_dll, "SymCleanup");
    if (psyminit && psymloadmodule && psymsetoptions && psymgetmoduleinfo &&
        psymenumsymbols && psymunloadmodule && psymcleanup)
    {
        Addtolist(0, 1, "dbghelp dll loaded and address retrieved");
    }
    else
    {
        Addtolist(0, 1, "dbghelp loaded but get proc failed");
        goto done;
    }

    // The search path handed to dbghelp is exactly _NT_SYMBOL_PATH, so symbols are looked for
    // there and nowhere else. fInvadeProcess = FALSE: do not enumerate the debuggee's modules.
    if (!psyminit(hProcess, hMem, FALSE))
    {
        Addtolist(0, 1, "SymInitialize failed");
        goto done;
    }
    syminitialized = TRUE;

    // 0x80000003 = SYMOPT_CASE_INSENSITIVE | SYMOPT_UNDNAME | SYMOPT_DEBUG:
    // undecorated names, and symsrv reports what it is doing.
    psymsetoptions(0x80000003);

    // BaseOfDll = 0 lets dbghelp take the base from the image header, so the addresses reported
    // below are relative to the module's preferred base; if the debuggee has the module
    // relocated, pass its real base here instead.
    dwModuleBase = psymloadmodule(hProcess, 0, filename, 0, 0, 0);
    if (!dwModuleBase)
    {
        Addtolist(0, 1, "SymLoadModuleFailed");
        goto done;
    }

    psymgetmoduleinfo(hProcess, dwModuleBase, pim);

    if (pim->SymType == SymExport)
    {
        Addtolist(0, 1, "Only Export symbols - skipping");
        result = 0;
        goto unload;
    }

    if (pim->SymType == SymNone)
    {
        Addtolist(0, 1, "No Symbols - skipping");
        result = 0;
        goto unload;
    }

    // Every symbol of the module is handed to SYM_ENUMERATESYMBOLS_CALLBACK below
    psymenumsymbols(hProcess, dwModuleBase, 0, psymcallback, 0);
    result = 0;

unload:
    psymunloadmodule(hProcess, dwModuleBase);
done:
    if (syminitialized)
        psymcleanup(hProcess);
    if (dbghlp_dll)
        FreeLibrary(dbghlp_dll);
    VirtualFree(hMem, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return result;
}


#pragma argsused   // Borland C++: SymbolSize and UserContext are intentionally unused
BOOL CALLBACK SYM_ENUMERATESYMBOLS_CALLBACK(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
    // Add the symbol to OllyDbg's name table so it shows up in the disassembly
    Insertname(pSymInfo->Address, NM_LIBRARY, pSymInfo->Name);
    return TRUE;   // keep enumerating
}
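Added example, not code from the post or the plugin: this portable C reproduces with offsetof() and sizeof the two layout facts the plugin above silently relies on, namely that the hand-padded SYMBOL_INFO puts Address and Name at the same offsets as the documented struct, and that IMAGEHLP_MODULE is 0x23c bytes when SymType is an int-sized enum, while a one-byte enum inside a byte-packed struct gives the 0x239 the post reports. That this packing is what the author's compiler did is an assumption; the post only gives the number. The 64-bit members carry an explicit 8-byte alignment so the layout matches what dbghelp.dll on Windows expects. The type and function names (SYMBOL_INFO_DOC, plugin_layout_matches, ...) are this example's own.

```c
/* Added example: verify the plugin's hand-made dbghelp structure layouts (portable C11). */
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ULONG;
typedef uint64_t ULONG64;
typedef uint32_t DWORD;
typedef char CHAR;

/* The documented SYMBOL_INFO layout (the commented-out struct in the post). */
typedef struct {
    ULONG   SizeOfStruct;
    ULONG   TypeIndex;
    alignas(8) ULONG64 Reserved[2];
    ULONG   Index;
    ULONG   Size;
    alignas(8) ULONG64 ModBase;
    ULONG   Flags;
    alignas(8) ULONG64 Value;
    alignas(8) ULONG64 Address;
    ULONG   Register;
    ULONG   Scope;
    ULONG   Tag;
    ULONG   NameLen;
    ULONG   MaxNameLen;
    CHAR    Name[1];
} SYMBOL_INFO_DOC;

/* The plugin's "fubared" layout: byte arrays stand in for the fields it never reads. */
typedef struct {
    ULONG SizeOfStruct;
    CHAR  butchered[0x34];
    ULONG Address;            /* low half of the 64-bit Address */
    CHAR  butcheredagain[0x18];
    CHAR  Name[1];
} SYMBOL_INFO_PLUGIN;

typedef enum { SymNone = 0, SymCoff, SymCv, SymPdb, SymExport, SymDeferred,
               SymSym, SymDia, SymVirtual, NumSymTypes } SYM_TYPE;

/* IMAGEHLP_MODULE with SymType as an int-sized enum: 6*4 + 4 + 32 + 256 + 256 = 0x23c. */
typedef struct {
    DWORD SizeOfStruct, BaseOfImage, ImageSize, TimeDateStamp, CheckSum, NumSyms;
    SYM_TYPE SymType;
    CHAR ModuleName[32], ImageName[256], LoadedImageName[256];
} IMAGEHLP_MODULE_INT_ENUM;

/* One build setting that reproduces the post's 0x239: a one-byte enum in a byte-packed struct
 * (assumed here to be what the author's compiler did; the post only reports the number). */
#pragma pack(push, 1)
typedef struct {
    DWORD SizeOfStruct, BaseOfImage, ImageSize, TimeDateStamp, CheckSum, NumSyms;
    uint8_t SymType;
    CHAR ModuleName[32], ImageName[256], LoadedImageName[256];
} IMAGEHLP_MODULE_BYTE_ENUM;
#pragma pack(pop)

size_t doc_address_offset(void)    { return offsetof(SYMBOL_INFO_DOC, Address); }
size_t plugin_address_offset(void) { return offsetof(SYMBOL_INFO_PLUGIN, Address); }
size_t doc_name_offset(void)       { return offsetof(SYMBOL_INFO_DOC, Name); }
size_t plugin_name_offset(void)    { return offsetof(SYMBOL_INFO_PLUGIN, Name); }
size_t int_enum_symtype_offset(void)  { return offsetof(IMAGEHLP_MODULE_INT_ENUM, SymType); }
size_t byte_enum_symtype_offset(void) { return offsetof(IMAGEHLP_MODULE_BYTE_ENUM, SymType); }
size_t module_size_int_enum(void)  { return sizeof(IMAGEHLP_MODULE_INT_ENUM); }
size_t module_size_byte_enum(void) { return sizeof(IMAGEHLP_MODULE_BYTE_ENUM); }

/* True when the plugin's padding puts Address and Name where the documented struct has them;
 * this is the check the plugin's Insertname() call depends on without ever making it. */
int plugin_layout_matches(void)
{
    return doc_address_offset() == plugin_address_offset() &&
           doc_name_offset() == plugin_name_offset();
}

int main(void)
{
    printf("Address: documented %zu, plugin %zu\n", doc_address_offset(), plugin_address_offset());
    printf("Name:    documented %zu, plugin %zu\n", doc_name_offset(), plugin_name_offset());
    printf("IMAGEHLP_MODULE: int enum %#zx, packed byte enum %#zx (dbghelp wants 0x23c)\n",
           module_size_int_enum(), module_size_byte_enum());
    printf("plugin layout matches documented layout: %d\n", plugin_layout_matches());
    return 0;
}
```

The size comparison is the point worth keeping in mind whenever a SizeOfStruct value is hard-coded: when the caller's structure is smaller than the size the DLL is told, the DLL writes past the end of the caller's variable, so the structure should be backed by a buffer of the size the DLL expects, and the field offsets the code reads should be checked against the documented layout the way plugin_layout_matches() does.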





Without that sample this code would have been impossible, at least for me :)

Pedram has updated the download section today; you can find the latest source and binary here:
https://www.openrce.org/downloads/download_file/206

Any comments, suggestions or criticisms are welcome.




Blog Comments
thepope Posted: Friday, October 2 2009 20:07.25 CDT
I tried to use your plugin but it says "Unrecognized command: LOADPDB"  Any suggestions?


