Topic created on: February 8, 2007 14:49 CST by bmazic.
How do I load debugging symbols (or an IDB file) for a DLL used by the application being debugged?
I am trying to reverse engineer MSPATCHA.DLL. If I load the DLL directly into IDA Pro, IDA finds and loads the associated PDB file and I can see all the internal symbols. Lovely.
So I wrote a little application that just calls a function in the DLL. Now, when I load the app into IDA, IDA loads the application's PDB file, but not the MSPATCHA.DLL's PDB file (or what would be even better - the DLL's IDB file). In other words, when I start debugging the app and single step into MSPATCHA.DLL, not only do I not see its local symbols, but the DLL has not been analysed by IDA at all.
Any help would be greatly appreciated.
Boris
P.S. Is there anybody out there familiar with the patch file format (PA19)? I am particularly interested in the location of old file and new file CRC32s. They don't always seem to be at the same location in the patch file header.
When I have to do this (load symbols for multiple files in a single .idb) my option is to open the primary file in IDA, make all analysis, attach to a running process (so all DLLs are actually in memory), keep it open and then:
Open a secondary IDA, with a secondary binary, load all symbols for 2nd DLL, let the auto analysis finish, make all changes I want, and export as IDC (File -> Produce -> dump database to IDC).
Then I manually edit the produced IDC and leave only Enums() Structures() Bytes() and Functions().
In the primary IDA, attached to the process, open the produced IDC file. This will load all information for the secondary DLL. Wait for analysis to finish.
Now, mark all segments pertaining to the secondary DLL as Loader Segment (Ctrl-S, select DLL segment, Enter/2xClick, Alt-S, remove Debugger Segment and add Loader segment).
This last change makes IDA save the information for additional segments into the .idb file.
You can load lots of extra .IDC of course.
There's one small detail: if the base for the DLL is different in the attached process than that of the static version loaded in the secondary IDA, I would say that it's best to first rebase the .idb in the secondary IDA, and then export all information.
All this process is quite simple, try it. No need for plugins or nothing.
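The manual IDC edit described in the reply above can be scripted; the following is an added example, not code from the thread. It assumes the dumped IDC has a `static main(void)` that calls one zero-argument helper per line (the exact set of helpers varies between IDA versions), and the sample text is constructed.

```python
import re

# Helpers the reply says to leave in the produced IDC.
KEEP = {"Enums", "Structures", "Bytes", "Functions"}

MAIN = re.compile(r"^\s*static\s+main\s*\(")
# A bare zero-argument call such as "  Segments();   // segmentation"
CALL = re.compile(r"^(\s*)([A-Za-z_]\w*)\(\);(.*)$")

def filter_idc_main(idc_text, keep=KEEP):
    """Comment out every helper call in main() that is not in `keep`.

    Returns (new_text, dropped), where dropped lists the disabled calls.
    Helper definitions are left in place; only the calls are disabled.
    """
    out, dropped = [], []
    in_main, depth = False, 0
    for line in idc_text.splitlines():
        if not in_main and MAIN.match(line):
            in_main = True
        if in_main:
            # Track braces on the original line before any rewrite.
            delta = line.count("{") - line.count("}")
            m = CALL.match(line)
            if m and depth == 1 and m.group(2) not in keep:
                dropped.append(m.group(2))
                line = f"{m.group(1)}// {line.strip()}"
            depth += delta
            if depth == 0 and delta < 0:
                in_main = False  # closing brace of main()
        out.append(line)
    return "\n".join(out) + "\n", dropped

# Constructed sample resembling the main() of a dumped database.
SAMPLE = """\
static GenInfo(void) {
}
static main(void)
{
  GenInfo();            // various settings
  Segments();           // segmentation
  Enums();              // enumerations
  Structures();         // structure types
  Patches();            // manual patches
  SegRegs();            // segment register values
  Bytes();              // individual bytes (code,data)
  Functions();          // function definitions
}
"""

if __name__ == "__main__":
    text, dropped = filter_idc_main(SAMPLE)
    print(text)
    print("disabled:", ", ".join(dropped))
```

Review the list of disabled calls before loading the result into the primary database, since a dump from another IDA version may name its helpers differently.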