Reading raw debug symbol data

Started by donkey, March 28, 2010, 07:34:12 PM

donkey

Hi clive,

Thanks very much. The program will be single stepped if you add the following to CREATE_PROCESS_DEBUG_EVENT:

; in the CREATE_PROCESS_DEBUG_EVENT handler: set the trap flag (bit 8 of EFlags) on the new thread
mov D[context.ContextFlags],CONTEXT_CONTROL                ; only the control registers (EIP, EFlags, ...) are needed
invoke SuspendThread, [dbe.u.CreateProcessInfo.hThread]
invoke GetThreadContext,[dbe.u.CreateProcessInfo.hThread],offset context
or D[context.EFlags],0x100                                 ; TF = 0x100: trap after the next instruction
invoke SetThreadContext,[dbe.u.CreateProcessInfo.hThread],offset context
invoke ResumeThread, [dbe.u.CreateProcessInfo.hThread]


The single step is handled in the EXCEPTION_SINGLE_STEP handler. A quick test here shows that the program goes into single step though it appears that I may have to reset the EFlags for each instruction. Not a terribly difficult thing to do but very time consuming, I will have to experiment a bit more when I get back to my dev box. I ran it on a Vista box without the OS objecting at all.

Edgar
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

jj2007

Quote from: donkey on April 01, 2010, 05:55:56 AM
Hi JJ2007,

I tried to build with /Zi and /Debug and the information is not present in the build, only the absolute path to the PDB file (use a hex editor and look at the very end of the file). I was using link 5.12.8078.0, which is the only version I have; since I don't use MASM much at all, I have never upgraded it. You can change the extension of the PDB file without losing your symbols, as the search path is set by trying to open that file; if it is not found, then the DbgHelp API (which Olly uses) will attempt to find any file in that path that matches the specs for a PDB and contains debug information for the executable.

Actually, I was tricked by Olly:
When FileName.pdb is present, Olly loads it and creates a file named \masm32\OllyDbg\FileName.udd
Afterwards, you can delete FileName.pdb without losing the symbolic names.

brixton

Hi donkey,

Did you get any further with this?  I have completed the exact same task (parsing the Symbol Table in a COFF header) in order to find locations of variables once loaded into memory.  I am also single stepping through instructions.  This is to a completely different end to you - and I resorted to C, although it's pretty API and structure intensive, so not much different in the code!

Tom
If you love somebody, set them free.
If they return, they were always yours. If they don't, they never were..

donkey

Quote from: brixton on June 27, 2010, 10:47:23 PM
Hi donkey,

Did you get any further with this?  I have completed the exact same task (parsing the Symbol Table in a COFF header) in order to find locations of variables once loaded into memory.  I am also single stepping through instructions.  This is to a completely different end to you - and I resorted to C, although it's pretty API and structure intensive, so not much different in the code!

Tom

Hi Tom,

Yes I have completed the parsing of the symbol table and have also sorted through the sections etc.. I am currently working towards either using a prepackaged library for disassembly or writing my own, this is in order to help make a guess at procedure start and end. As for the single stepping, I haven't implemented that completely yet but it appears to be viable, there is another solution using page guard that I am hoping to try soon.

Edgar

brixton

Hi donkey,

Sounds promising!  The single stepping is not a problem - For my application, I set an int3 breakpoint on the first instruction of the target binary, and when I process this (not the initial Windows EXCEPTION_BREAKPOINT) I do a GetContext, do a bitwise inclusive-or on the trap flag in the EFLAGS register and then SetContext.  Unfortunately yes, after each EXCEPTION_SINGLE_STEP you need to GetContext, set the trap flag and then SetContext again.

I am actually using the BeaEngine library for disassembly.  You pass it the EIP register (or actually any pointer) and it returns a structure containing information about the first instruction it encounters.  It also gives you a nice string so you can just print the instruction out if need be.  BeaEngine comes with Python, Pascal, C, NASM/MASM/FASM/GoASM headers; I've been using it and it seems accurate so far.

Tom

ecube

nice find brixton, it's under the LGPL license which rocks, and it looks very clean and fast, + has 64bit and GoAsm/MASM support :D even has an LDE version, wow dude you really hit the motherlode here! most other good engines are crappy GPL and difficult to use with GoASM/MASM.

brixton

Hey ecube,

Yes, I did a lot of research on this subject - it does seem good, but I have yet to put it through more intensive tests.

donkey

Hi Brixton,

I have looked at BeaEngine (as well as diStorm, but that was too language restrictive), a nice package with a very liberal license; however, there are some issues with GoAsm and the _Disasm@4 export (DLL version). Specifically it requires that you use the /mix switch, and that has some adverse effects on the headers; Jeremy is looking at the bug. The lib file that comes with the distribution could not be read by GoAsm, the format was unrecognized. Right now I have almost decided on Drizz's disassembler; I haven't looked it through very deeply, but the license is great and the author is known around the forums:

Quote from: drizz
Copy-left FOREVER by drizz.  No rights reserved.

All modules in this library are dedicated to the public domain by drizz.

Permission to use, copy, modify, reverse-engineer, crack,
patch and distribute this compilation for any purpose is hereby granted.

Gotta love it!

Edgar

ecube

donkey, I got BeaEngine's GoAsm static lib example to assemble fine. I just added

#dynamiclinkfile msvcrt.dll

to the source and assembled with

set INCLUDE=C:\GoAsm\include
\GoAsm\bin\GoAsm /x86 example.asm
\GoAsm\bin\GoLink /console /fo example.exe example.obj
pause

brixton

Incidentally, I am trying to tease out the length (size) of a symbol, if it is statically linked data.  Does anyone know how to do this?  I can find the location, but the size eludes me.

ecube

BeaEngine also has a 32bit/64bit length disassembler on their site; it's still crashing for me, but you can use it to read a certain number of bytes and it'll give back the instruction length.

brixton

I actually mean variable (included in symbol table) lengths, not instruction lengths.  E.g. if I have a global variable:

someString BYTE 5 DUP(?)

I can find the location of someString in the data section of memory (garnered from the symbol table), but I don't know how to find its length of 5.

ecube

if it's your own code you can use sizeof for a lot of things; if it's another process's code you can use Heap32First etc. to walk through alloc'd heap memory (GlobalAlloc, HeapAlloc etc.) or VirtualQuery to walk memory pages in general and get sizes.

for static libs, you can use the /l switch with GoAsm to generate a listing; I'm not sure how much help it'd be in that case, but it may. If your static lib has debug symbols you can load your assembled program in Olly and it'll give you info, as well as the option to load the source code in, so it gives you line by line.

ecube

Donkey,

Iczelion does what you want here: http://win32assembly.online.fr/tut30.html, but he says single stepping large programs can take 10 mins, wtf!

drizz

Quote from: brixton on July 02, 2010, 03:50:11 PM
I actually mean variable (included in symbol table) lengths, not instruction lengths.  E.g. if I have a global variable:

someString BYTE 5 DUP(?)

I can find the location of someString in the data section of memory (garnered from the symbol table), but I don't know how to find its length of 5.

You can't. You could guess the size by deducting label offsets (next-this). But there could be an "align" directive, for example, which would add to the size.

VCx0.pdb could have this info (I'm not sure), but only for C/C++.

Here's an old obj2asm utility I made. If you test it you can see that it just dumps the bytes, with no analysis of the data.



The truth cannot be learned ... it can only be recognized.
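brixton's question about the size of someString and drizz's next-minus-this answer, as an added example in C that is not code from this thread or from drizz's obj2asm: it parses the file header, section headers, symbol table and string table of a COFF object and then estimates each symbol's size the way drizz describes. The object is constructed inline in build_sample_obj() (a hypothetical layout chosen here, not an object produced by any assembler) so the code runs offline; the 18-byte IMAGE_SYMBOL record, the long-name convention and the 40-byte section header follow the PE/COFF specification, and every function name is one chosen for this example.

```c
/* Added example, not code from this thread or from drizz's obj2asm: parse a
 * COFF object's section headers and symbol table, then estimate symbol sizes
 * with drizz's "next minus this" rule. Layouts follow the PE/COFF specification. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sym { char name[64]; uint32_t value; int16_t section; uint32_t est_size; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* SizeOfRawData of each section: 40-byte headers after the 20-byte file header
 * (and after the optional header, which .obj files do not have). */
int coff_section_sizes(const uint8_t *obj, size_t len, uint32_t *sizes, int max)
{
    if (len < 20) return -1;
    int nsec = rd16(obj + 2);
    size_t first = 20 + rd16(obj + 16);
    if (nsec > max || first + (size_t)nsec * 40 > len) return -1;
    for (int i = 0; i < nsec; i++) sizes[i] = rd32(obj + first + i * 40 + 16);
    return nsec;
}

/* Walk the 18-byte IMAGE_SYMBOL records. A name whose first 4 bytes are zero is an offset
 * into the string table, which follows the symbol table and starts with its own 4-byte size. */
int coff_symbols(const uint8_t *obj, size_t len, struct sym *out, int max)
{
    if (len < 20) return -1;
    uint64_t symoff = rd32(obj + 8), nsyms = rd32(obj + 12);
    if (symoff + nsyms * 18 + 4 > len) return -1;
    const uint8_t *strtab = obj + symoff + nsyms * 18;
    uint32_t strsize = rd32(strtab);
    if (strsize < 4 || symoff + nsyms * 18 + strsize > len) return -1;
    int n = 0;
    for (uint64_t i = 0; i < nsyms && n < max; i++) {
        const uint8_t *e = obj + symoff + i * 18;
        struct sym *s = &out[n++];
        if (rd32(e) == 0) {
            uint32_t off = rd32(e + 4);
            if (off >= strsize) return -1;
            snprintf(s->name, sizeof s->name, "%.*s", (int)(strsize - off), (const char *)strtab + off);
        } else {
            memcpy(s->name, e, 8); s->name[8] = 0;   /* 8-character names have no NUL */
        }
        s->value = rd32(e + 8); s->section = (int16_t)rd16(e + 12);   /* section 0 = undefined, -1 = absolute */
        s->est_size = 0; i += e[17];                                  /* NumberOfAuxSymbols: skip aux records */
    }
    return n;
}

/* drizz's estimate: distance to the next symbol in the same section, or to the end
 * of the section for the last one. ALIGN padding cannot be told apart from data. */
void estimate_sizes(struct sym *s, int n, const uint32_t *secsize, int nsec)
{
    for (int i = 0; i < n; i++) {
        if (s[i].section <= 0 || s[i].section > nsec) continue;
        uint32_t end = secsize[s[i].section - 1];
        for (int j = 0; j < n; j++)
            if (s[j].section == s[i].section && s[j].value > s[i].value && s[j].value < end)
                end = s[j].value;
        s[i].est_size = end - s[i].value;
    }
}

static void put_sym(uint8_t *e, const char *nm, uint32_t stroff, uint32_t val, uint8_t sclass, uint8_t naux)
{
    memset(e, 0, 18);
    if (nm) memcpy(e, nm, strlen(nm)); else wr32(e + 4, stroff);   /* short name or string-table offset */
    wr32(e + 8, val); wr16(e + 12, 1); e[16] = sclass; e[17] = naux;
}

/* Constructed sample (hypothetical): one 24-byte .data section laid out as if from
 *   someString BYTE 5 DUP(?)  at offset 0, then 3 bytes of ALIGN 8 padding,
 *   next DD ?  at offset 8, and  tail BYTE 8 DUP(?)  at offset 16. Returns 165, the object's length. */
size_t build_sample_obj(uint8_t *buf)
{
    memset(buf, 0, 165);
    wr16(buf, 0x14c); wr16(buf + 2, 1);                         /* i386, one section */
    wr32(buf + 8, 60); wr32(buf + 12, 5);                       /* symbol table at 60, 5 records incl. aux */
    memcpy(buf + 20, ".data", 5); wr32(buf + 36, 24);           /* section header, SizeOfRawData = 24 */
    put_sym(buf + 60, ".data", 0, 0, 3, 1); wr32(buf + 78, 24); /* section symbol (STATIC) + aux length */
    put_sym(buf + 96, NULL, 4, 0, 2, 0);                        /* someString: long name at offset 4 */
    put_sym(buf + 114, "next", 0, 8, 2, 0);
    put_sym(buf + 132, "tail", 0, 16, 2, 0);
    wr32(buf + 150, 15); memcpy(buf + 154, "someString", 11);   /* string table: 4 + 11 bytes */
    return 165;
}

/* Estimated size of `name` in the sample object; 0 if absent or the object is malformed. */
uint32_t estimate_for(const char *name)
{
    uint8_t buf[256]; struct sym syms[16]; uint32_t secs[4];
    size_t len = build_sample_obj(buf);
    int n = coff_symbols(buf, len, syms, 16), ns = coff_section_sizes(buf, len, secs, 4);
    if (n < 0 || ns < 0) return 0;
    estimate_sizes(syms, n, secs, ns);
    for (int i = 0; i < n; i++) if (strcmp(syms[i].name, name) == 0) return syms[i].est_size;
    return 0;
}
```

estimate_for("someString") comes out as 8 rather than the 5 from BYTE 5 DUP(?): the three padding bytes an ALIGN 8 would insert before next are indistinguishable from data in the symbol table, which is exactly the ambiguity drizz points out. The estimate is therefore an upper bound only, and for the last symbol in a section it runs to the section's end; a parser that takes such objects from outside should keep the bounds checks, since the symbol-table offset, symbol count and string-table size are all attacker-controlled fields in a file you did not build.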