Hi all,
Thanks for your time! I have asked this in several forums without any definite resolution, hope I can resolve it here.
I have a problem with symbol loading in OllyDbg.
Normally I use windbg to download most of the system DLL symbols from the Microsoft symbol server http://msdl.Microsoft.com/download/symbols to my local cache folder c://localsymbols/ via the _NT_SYMBOL_PATH environment variable.
I have set OllyDbg's symbol path to c://localsymbols/. But while debugging an exe and reversing certain system APIs, the assembly output does not recognize the symbols of system APIs at all.
Is there any trick to do this? With windbg, the disassembly output recognizes the system symbols without any problem.
Below are my troubleshooting steps:
I used windbg to debug OllyDbg's symbol loading, and I found that my OllyDbg uses 0x00001210 as the parameter to
DBGHELP!SymSetOptions:
DBGHELP!SymSetOptions:
6d5250ed 8b442404 mov eax,[esp+0x4]
6d5250f1 a338f4576d mov [DBGHELP!g+0x2e0 (6d57f438)],eax
...
0:000> dd esp+4 l1
0013b130 00001210
With the .SymOpt command in windbg, I found that windbg uses 0x30237 as the parameter to DBGHELP!SymSetOptions.
To change the parameter to the one windbg uses, I set the conditional breakpoint below in windbg:
bp dbghelp!SymSetOptions ".echo dbghelp!SymSetOptions; ed esp+0x4 0x30237; gc;"
Then I used OllyDbg to debug notepad.exe.
My question is: how do I determine whether OllyDbg has loaded the pdb symbol files for the system DLLs?
I used Alt+E in OllyDbg to see the module list, then used the "View Names" menu to view the symbols of User32.dll in the list. I found there are 3 types of symbols: Export, Import, Library. Does "Library" mean the pdb file symbols?
I decided to do a test to determine whether the symbol for user32 is loaded. I disassembled MessageBoxA in OllyDbg and got the following text:
77D504EA > 8BFF MOV EDI,EDI
77D504EC 55 PUSH EBP
77D504ED 8BEC MOV EBP,ESP
77D504EF 833D BC04D777 00 CMP DWORD PTR DS:[77D704BC],0
77D504F6 74 24 JE SHORT USER32.77D5051C
However, in windbg, I got the following:
0:002> uf user32!messageboxa
USER32!MessageBoxA:
77d504ea 8bff mov edi,edi
77d504ec 55 push ebp
77d504ed 8bec mov ebp,esp
77d504ef 833dbc04d77700 cmp dword ptr [USER32!gfEMIEnable (77d704bc)],0x0
77d504f6 7424 jz USER32!MessageBoxA+0x32 (77d5051c)
Why is the USER32!gfEMIEnable symbol not recognized in OllyDbg? Does this mean that the pdb is still not loaded in OllyDbg? Additionally, why can OllyDbg not even recognize USER32!MessageBoxA in the assembly output?
Thanks for any information!
Jeffrey
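The two SymSetOptions values observed above (0x00001210 for OllyDbg, 0x30237 for windbg) are bitmasks of the SYMOPT_* flags defined in dbghelp.h. The following script is an added example, not part of the post; it decodes both values and lists which flags differ, using the SYMOPT_* constants from dbghelp.h (the two input values are the ones the post reports; the function names are mine). Decoding 0x1210 shows that SYMOPT_IGNORE_NT_SYMPATH is set, which means dbghelp will ignore the _NT_SYMBOL_PATH variable for that debugger and only use whatever symbol path the debugger passes explicitly, and that SYMOPT_DEFERRED_LOADS and SYMOPT_UNDNAME are not set, so symbols are loaded eagerly and C++ names are not undecorated. That is a first thing to check before concluding that the pdb files are missing.

```python
"""Decode dbghelp SymSetOptions() bitmasks into SYMOPT_* flag names.

Added example; constant values are those from dbghelp.h (Windows SDK).
"""

# SYMOPT_* constants as defined in dbghelp.h.
SYMOPT_FLAGS = {
    0x00000001: "SYMOPT_CASE_INSENSITIVE",
    0x00000002: "SYMOPT_UNDNAME",
    0x00000004: "SYMOPT_DEFERRED_LOADS",
    0x00000008: "SYMOPT_NO_CPP",
    0x00000010: "SYMOPT_LOAD_LINES",
    0x00000020: "SYMOPT_OMAP_FIND_NEAREST",
    0x00000040: "SYMOPT_LOAD_ANYTHING",
    0x00000080: "SYMOPT_IGNORE_CVREC",
    0x00000100: "SYMOPT_NO_UNQUALIFIED_LOADS",
    0x00000200: "SYMOPT_FAIL_CRITICAL_ERRORS",
    0x00000400: "SYMOPT_EXACT_SYMBOLS",
    0x00000800: "SYMOPT_ALLOW_ABSOLUTE_SYMBOLS",
    0x00001000: "SYMOPT_IGNORE_NT_SYMPATH",
    0x00002000: "SYMOPT_INCLUDE_32BIT_MODULES",
    0x00004000: "SYMOPT_PUBLICS_ONLY",
    0x00008000: "SYMOPT_NO_PUBLICS",
    0x00010000: "SYMOPT_AUTO_PUBLICS",
    0x00020000: "SYMOPT_NO_IMAGE_SEARCH",
    0x00040000: "SYMOPT_SECURE",
    0x00080000: "SYMOPT_NO_PROMPTS",
    0x00100000: "SYMOPT_OVERWRITE",
    0x00200000: "SYMOPT_IGNORE_IMAGEDIR",
    0x00400000: "SYMOPT_FLAT_DIRECTORY",
    0x00800000: "SYMOPT_FAVOR_COMPRESSED",
    0x01000000: "SYMOPT_ALLOW_ZERO_ADDRESS",
    0x02000000: "SYMOPT_DISABLE_SYMSRV_AUTODETECT",
    0x80000000: "SYMOPT_DEBUG",
}

# Values taken from the post: what each debugger passed to DBGHELP!SymSetOptions.
OLLYDBG_OPTIONS = 0x00001210
WINDBG_OPTIONS = 0x00030237


def decode_symopt(value):
    """Return the flag names set in `value`, in ascending bit order.

    Bits that are not known SYMOPT_* flags are reported as UNKNOWN_0x...
    rather than silently dropped, so a surprising value is not hidden.
    """
    names = []
    bit = 1
    while bit <= 0xFFFFFFFF:
        if value & bit:
            names.append(SYMOPT_FLAGS.get(bit, "UNKNOWN_0x%08X" % bit))
        bit <<= 1
    return names


def compare_symopt(a, b):
    """Return (flags only in a, flags only in b) as two lists."""
    set_a, set_b = set(decode_symopt(a)), set(decode_symopt(b))
    only_a = [n for n in decode_symopt(a) if n not in set_b]
    only_b = [n for n in decode_symopt(b) if n not in set_a]
    return only_a, only_b


if __name__ == "__main__":
    for label, value in (("OllyDbg", OLLYDBG_OPTIONS), ("windbg", WINDBG_OPTIONS)):
        print("%s SymSetOptions(0x%08X):" % (label, value))
        for name in decode_symopt(value):
            print("    " + name)
    only_olly, only_windbg = compare_symopt(OLLYDBG_OPTIONS, WINDBG_OPTIONS)
    print("Only OllyDbg sets:", ", ".join(only_olly))
    print("Only windbg sets: ", ", ".join(only_windbg))
```

Running it prints the three flags in OllyDbg's value (SYMOPT_LOAD_LINES, SYMOPT_FAIL_CRITICAL_ERRORS, SYMOPT_IGNORE_NT_SYMPATH) against the eight in windbg's, with SYMOPT_IGNORE_NT_SYMPATH the only flag OllyDbg sets that windbg does not. The same decoder works for any value you read off the stack at a SymSetOptions breakpoint, not just the two from the post.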