How to use OS symbol pdb files in OllyDbg?

Topic created on: June 19, 2006 05:01 CDT by jeffreytan .

Hi all,

Thanks for your time! I have asked this in several forums without any definite resolution, and hope I can resolve it here.

I have a problem with symbol loading in OllyDbg.

Normally I use WinDbg to download most of the system DLL symbols from the Microsoft symbol server http://msdl.Microsoft.com/download/symbols to my local cache folder c://localsymbols/ via the _NT_SYMBOL_PATH environment variable.

I have set OllyDbg's symbol path to c://localsymbols/. But while debugging an exe and reversing certain system APIs, the assembly output does not recognize the symbols of system APIs at all.

Is there any trick to do this? With WinDbg, the disassembly output recognizes the system symbols without any problem.

Below are my troubleshooting steps:

I have used the windbg to debug OllyDbg symbol loading, I find my Ollydbg uses 0x00001210 as the parameter to

DBGHELP!SymSetOptions:
DBGHELP!SymSetOptions:
6d5250ed 8b442404 mov eax,[esp+0x4]
6d5250f1 a338f4576d mov [DBGHELP!g+0x2e0 (6d57f438)],eax
...

0:000> dd esp+4 l1
0013b130 00001210

With the .symopt command in WinDbg, I find WinDbg uses 0x30237 as the parameter to DBGHELP!SymSetOptions.

To change the parameter to the one WinDbg uses, I used the conditional breakpoint below in WinDbg:
bp dbghelp!SymSetOptions ".echo dbghelp!SymSetOptions; ed esp+0x4 0x30237; gc;"

Then I used OllyDbg to debug notepad.exe.

My question is: how to determine if the OllyDbg has loaded the pdb symbol files for system dlls?

I used Alt+E in OllyDbg to see the module list. Then I used the "View Names" menu to view the symbols in User32.dll in the list. I found there are 3 types of symbols: Export, Import, Library. Does "Library" mean the pdb file symbols?

I decided to do a test to determine if the symbols for user32 are loaded. I disassembled MessageBoxA in OllyDbg and got the following text:

77D504EA > 8BFF MOV EDI,EDI
77D504EC 55 PUSH EBP
77D504ED 8BEC MOV EBP,ESP
77D504EF 833D BC04D777 00 CMP DWORD PTR DS:[77D704BC],0
77D504F6 74 24 JE SHORT USER32.77D5051C

However, in windbg, I got the following:

0:002> uf user32!messageboxa
USER32!MessageBoxA:
77d504ea 8bff mov edi,edi
77d504ec 55 push ebp
77d504ed 8bec mov ebp,esp
77d504ef 833dbc04d77700 cmp dword ptr [USER32!gfEMIEnable (77d704bc)],0x0
77d504f6 7424 jz USER32!MessageBoxA+0x32 (77d5051c)

Why is the USER32!gfEMIEnable symbol not recognized in OllyDbg? Does this mean that the pdb is still not loaded in OllyDbg? Additionally, why can OllyDbg not even recognize USER32!MessageBoxA in the assembly output?

Thanks for any information!

Jeffrey

  anonymouse     June 19, 2006 11:59.35 CDT
There is a little problem in the symbol loading function of OllyDbg: after SymSrv sets the path, OllyDbg sends it another path, which effectively disables _NT_SYMBOL_PATH.

There is a little patch that, if applied, can successfully make OllyDbg load pdbs without problem.

You can check out this post in the OllyDbg subforum on Woodmann's:
http://www.woodmann.com/forum/showthread.php?t=8460


Or, if you google for "shadow olly", a modified OllyDbg by
shadow has this patch applied already (apart from many other patches).


BTW, as mentioned there, it was too slow because
OllyDbg was sending pdb requests for all the loaded plugins,

but you can ask SymSrv to exclude those by making an exclude list.txt file and placing it in the OllyDbg dir.

Also, with that patch it fetches pdbs independently from SymSrv.

  anonymouse     June 23, 2006 15:28.51 CDT
I thought I'd edit my post since there weren't any replies,
but since there is more info I am making a reply to my own post :( :)

Someone asked if it still works on XP SP2.

Well, it seems to work.

The odbg dir contains this:

D:\odbg110>fc /b ollydbg.exe ollydbgsym.exe
Comparing files OLLYDBG.EXE and OLLYDBGSYM.EXE
00090709: 10 37
0009070A: 12 02
0009070B: 00 03
0009070C: 00 80
000907EC: 74 EB

D:\odbg110>set _
_NT_SYMBOL_PATH=SRV*D:\odbg110\symbols*http://msdl.microsoft.com/download/symbols

D:\odbg110>dir *.dll

Directory of D:\odbg110

355,328 symsrv.dll
71,168 Cmdline.dll
1,017,856 dbghelp.dll
55,808 BOOKMARK.DLL
76,288 srcsrv.dll
21,504 symbolcheck.dll
               6 File(s)      1,597,952 bytes
               0 Dir(s)   8,510,455,808 bytes free

D:\odbg110>


The symsrv, symbolcheck and dbghelp DLLs are from the latest WinDbg,
aka 6.6.3.

_NT_SYMBOL_PATH is set to a symbol folder I just created.

Opened OllyDbg and loaded win.exe.

I get the SymSrv confirmation dialog from MS; I hit yes and
it creates a blank symsrv.yes file in the dir.

Ctrl+G MessageBoxA



77D804EA MessageBoxA  MOV EDI,EDI
77D804EC              PUSH EBP
77D804ED              MOV EBP,ESP
77D804EF              CMP DWORD PTR DS:[gfEMIEnable],0
77D804F6              JE SHORT user32.77D8051C
77D804F8              MOV EAX,DWORD PTR FS:[18]
77D804FE              PUSH 0
77D80500              PUSH DWORD PTR DS:[EAX+24]
77D80503              PUSH OFFSET user32.gdwEMIThreadID
77D80508              CALL DWORD PTR DS:[<&KERNEL32.Interlocke>; kernel32.InterlockedCompareExchange
77D8050E              TEST EAX,EAX
77D80510              JNZ SHORT user32.77D8051C
77D80512              MOV DWORD PTR DS:[gpReturnAddr],1
77D8051C              PUSH 0
77D8051E              PUSH DWORD PTR SS:[EBP+14]
77D80521              PUSH DWORD PTR SS:[EBP+10]
77D80524              PUSH DWORD PTR SS:[EBP+C]
77D80527              PUSH DWORD PTR SS:[EBP+8]
77D8052A              CALL user32.MessageBoxExA
77D8052F              POP EBP
77D80530              RETN 10




Directory of D:\odbg110\symbols

06/24/2006  01:43 AM    <DIR>          .
06/24/2006  01:43 AM    <DIR>          ..
06/24/2006  01:44 AM    <DIR>          user32.pdb
06/24/2006  01:44 AM                 0 pingme.txt
06/24/2006  01:44 AM    <DIR>          gdi32.pdb
06/24/2006  01:44 AM    <DIR>          kernel32.pdb
06/24/2006  01:45 AM    <DIR>          ntdll.pdb
               1 File(s)              0 bytes
               6 Dir(s)   8,506,122,240 bytes free

D:\odbg110\symbols>

  SamB   July 15, 2010 17:27.53 CDT
> anonymouse:
[...]
> D:\odbg110>fc /b ollydbg.exe ollydbgsym.exe
> Comparing files OLLYDBG.EXE and OLLYDBGSYM.EXE
> 00090709: 10 37
> 0009070A: 12 02
> 0009070B: 00 03
> 0009070C: 00 80
> 000907EC: 74 EB
[...]

So, what's the SYMOPT_DEBUG (0x80000000) flag for? That one wasn't included in either set jeffreytan gave above. Furthermore, the description in the API help file:

> Pass debug output through OutputDebugString or the SymRegisterCallbackProc64 callback function.

gives me the impression that BAD THINGS would happen if the debuggee were to send a debug message when using this flag in a program not designed for it.
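Added example, not code from the thread or from OllyDbg: a Python script that decodes the two SymSetOptions() words jeffreytan quotes (0x1210 from OllyDbg, 0x30237 from WinDbg) using the SYMOPT_* values from dbghelp.h, then parses anonymouse's fc /b listing and applies it to a constructed buffer. Reading the four patched bytes at 00090709 as a little-endian DWORD gives 0x80030237, which is WinDbg's 0x30237 plus the SYMOPT_DEBUG bit SamB asks about; the unpatched 0x1210 contains SYMOPT_IGNORE_NT_SYMPATH, which is exactly the bit that makes dbghelp ignore _NT_SYMBOL_PATH. The byte at 000907EC goes from 74 (JE rel8) to EB (JMP rel8), i.e. a conditional short jump becomes unconditional. The buffer is zero-filled and only holds the "old" bytes from the listing; the FC_OUTPUT string and the 0x90709 offset argument are taken from the post, everything else here is assumed.

```python
"""Decode dbghelp SYMOPT masks and apply the fc /b hunk quoted in the thread.

Added example; the image buffer built below is a stand-in, not OllyDbg.
"""
import re
import struct

# SYMOPT_* values as defined in dbghelp.h (Debugging Tools for Windows).
SYMOPT = {
    0x00000001: "SYMOPT_CASE_INSENSITIVE",
    0x00000002: "SYMOPT_UNDNAME",
    0x00000004: "SYMOPT_DEFERRED_LOADS",
    0x00000008: "SYMOPT_NO_CPP",
    0x00000010: "SYMOPT_LOAD_LINES",
    0x00000020: "SYMOPT_OMAP_FIND_NEAREST",
    0x00000040: "SYMOPT_LOAD_ANYTHING",
    0x00000080: "SYMOPT_IGNORE_CVREC",
    0x00000100: "SYMOPT_NO_UNQUALIFIED_LOADS",
    0x00000200: "SYMOPT_FAIL_CRITICAL_ERRORS",
    0x00000400: "SYMOPT_EXACT_SYMBOLS",
    0x00000800: "SYMOPT_ALLOW_ABSOLUTE_SYMBOLS",
    0x00001000: "SYMOPT_IGNORE_NT_SYMPATH",
    0x00002000: "SYMOPT_INCLUDE_32BIT_MODULES",
    0x00004000: "SYMOPT_PUBLICS_ONLY",
    0x00008000: "SYMOPT_NO_PUBLICS",
    0x00010000: "SYMOPT_AUTO_PUBLICS",
    0x00020000: "SYMOPT_NO_IMAGE_SEARCH",
    0x00040000: "SYMOPT_SECURE",
    0x00080000: "SYMOPT_NO_PROMPTS",
    0x00100000: "SYMOPT_OVERWRITE",
    0x00200000: "SYMOPT_IGNORE_IMAGEDIR",
    0x00400000: "SYMOPT_FLAT_DIRECTORY",
    0x00800000: "SYMOPT_FAVOR_COMPRESSED",
    0x01000000: "SYMOPT_ALLOW_ZERO_ADDRESS",
    0x02000000: "SYMOPT_DISABLE_SYMSRV_AUTODETECT",
    0x80000000: "SYMOPT_DEBUG",
}


def decode_symopt(mask):
    """Names of the SYMOPT_* bits set in mask, lowest bit first.
    Unknown bits are reported as UNKNOWN_0x... so nothing is silently dropped."""
    return [SYMOPT.get(1 << b, f"UNKNOWN_0x{1 << b:08x}")
            for b in range(32) if mask & (1 << b)]


def symopt_diff(a, b):
    """(flags only in a, flags only in b)."""
    return decode_symopt(a & ~b), decode_symopt(b & ~a)


# The fc /b listing from anonymouse's second post, verbatim.
FC_OUTPUT = """\
Comparing files OLLYDBG.EXE and OLLYDBGSYM.EXE
00090709: 10 37
0009070A: 12 02
0009070B: 00 03
0009070C: 00 80
000907EC: 74 EB
"""

_FC_LINE = re.compile(r"^([0-9A-Fa-f]{8}): ([0-9A-Fa-f]{2}) ([0-9A-Fa-f]{2})$")


def parse_fc(text):
    """Turn 'OFFSET: OLD NEW' lines of `fc /b` output into (offset, old, new) tuples;
    the 'Comparing files' header and anything else is ignored."""
    hunks = []
    for line in text.splitlines():
        m = _FC_LINE.match(line.strip())
        if m:
            hunks.append(tuple(int(g, 16) for g in m.groups()))
    return hunks


def patch_applies(image, hunks):
    """True only if every 'old' byte is present: the check that keeps this
    patch from being written into a different OllyDbg build."""
    return all(image[off] == old for off, old, _ in hunks)


def apply_patch(image, hunks):
    """Apply the hunks to a bytearray in place, refusing on any mismatch."""
    if not patch_applies(image, hunks):
        raise ValueError("image does not match the 'old' bytes of the patch")
    for off, _, new in hunks:
        image[off] = new
    return image


def build_fake_image():
    """Constructed stand-in for ollydbg.exe (NOT the real file): zero-filled,
    with only the bytes named in the fc output set to their pre-patch values."""
    image = bytearray(0x91000)
    image[0x90709:0x9070D] = struct.pack("<I", 0x00001210)  # imm32 handed to SymSetOptions
    image[0x907EC] = 0x74                                    # JE rel8
    return image


def symopt_word_at(image, offset=0x90709):
    """Read the SymSetOptions immediate as a little-endian DWORD."""
    return struct.unpack_from("<I", image, offset)[0]


if __name__ == "__main__":
    olly, windbg = 0x00001210, 0x00030237
    print("OllyDbg 1.10 :", decode_symopt(olly))
    print("WinDbg 6.6   :", decode_symopt(windbg))
    print("diff         :", symopt_diff(olly, windbg))
    img = apply_patch(build_fake_image(), parse_fc(FC_OUTPUT))
    word = symopt_word_at(img)
    print(f"patched word : 0x{word:08x} ->", decode_symopt(word))
    print("0x907EC      :", "JMP rel8 (EB)" if img[0x907EC] == 0xEB else "JE rel8 (74)")
```

Run it against the real binary by replacing build_fake_image() with bytearray(open("ollydbg.exe", "rb").read()); the patch_applies() check is what you want before touching any build other than the 1.10 image the listing came from.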
