Debugging in practice: rescuing a failed debug-symbol load in IDA

Background

Recently I wanted to use IDA for reverse engineering. On Windows, debuggers (for example Visual Studio or WinDbg) can use debug symbols (PDB files) to associate addresses with symbolic names, which gives us far more readable information. IDA should also support loading PDB files; searching idahelp.chm in the IDA installation directory for "PDB" confirms that it does. But when I tried to load the symbols, it failed. This article documents the whole investigation.

Before and after

First, two comparison screenshots, so the difference is immediately visible.

Without debug symbols, this is what we see:

[Figure: function-names-without-pdb-loaded]

With debug symbols loaded, this is what we see:

[Figure: function-names-with-pdb-loaded]

Clearly, with debug symbols we can see directly which function name corresponds to an address and understand the disassembled code much better. But how do we set this up in IDA?

Loading symbols in IDA

  • First, make sure .\cfg\pdb.cfg exists and is configured correctly. IDA ships a default configuration file; we only need to uncomment the PDBSYM_SYMPATH line. To be safe, make sure the corresponding path (c:\symbols) exists.
// PDB plugin

// PDB information provider
#define PDB_PROVIDER_MSDIA  1   // use MSDIA local/remote provider
#define PDB_PROVIDER_PDBIDA 2   // use PDBIDA provider
//PDB_PROVIDER = PDB_PROVIDER_PDBIDA

// The downloaded symbols are stored in the specified directory.
// Microsoft's public symbol store is used for downloading the symbols.
//
// If this option is omitted or empty  - use _NT_SYMBOL_PATH if set, otherwise use %TEMP%\ida directory
// If the value is not empty           - use it

//PDBSYM_DOWNLOAD_PATH    = "c:\\symbols";

// Full symbol path (in _NT_SYMBOL_PATH format)
// If set, PDBSYM_DOWNLOAD_PATH and _NT_SYMBOL_PATH are ignored
// BCN: uncomment line below to configure symbol path
//PDBSYM_SYMPATH = "SRV*c:\\symbols*http://symbols.mozilla.org/firefox;SRV*c:\\symbols*http://msdl.microsoft.com/download/symbols";

// remote server where win32_remote.exe is running
// used when loading PDB symbols on non-Windows platforms
// NB: it will be used only if there is not already an existing debugging session started
PDB_REMOTE_SERVER = "localhost";
PDB_REMOTE_PORT   = 23946
// password for the remote server
PDB_REMOTE_PASSWD = "";

{% note info %}

Note: if _NT_SYMBOL_PATH is configured, this file does not need to be modified. It is strongly recommended to set the _NT_SYMBOL_PATH environment variable: set it once and it applies everywhere. :sunglasses:

{% endnote %}

  • Once configured, load the PDB via File - Load file - PDB file...

[Figure: load-pdb]

This is where I hit the error; the error message is shown below:

[Figure: load-pdb-error]

IDA tells us there are three possible causes.

  1. The currently loaded program is not a valid Windows PE file. Ruled out immediately.
  2. The PDB plugin is not in the plugin directory. Possible, but what is the PDB plugin's file name? Unknown; to be investigated.
  3. The dbghelp.dll in the system is too old. Which version of dbghelp.dll counts as new? Unknown; to be investigated.

Causes 2 and 3 are both possible, but which one is the root cause needs further investigation. This is where the star of this article, Process Monitor, makes its entrance!

Investigation

Open Process Monitor and start capturing events. Then in IDA run File - Load file - PDB file... to load the PDB; once the error dialog above pops up, stop capturing.

We are mainly interested in IDA's file read/write events, and the problem is most likely a DLL that cannot be found, so we care about events whose Result is not SUCCESS. Filtering on these conditions quickly yields the events of interest. It turns out that in my case plugin\pdb64.dll could not be found. Copy a pdb64.dll from elsewhere into the plugin directory, and done. So fast! Pretty good! :sunglasses:
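The same filtering can be applied offline to a Process Monitor capture exported with File - Save... as CSV, which is handy when the capture is large or was taken on another machine. The script below is an added example, not code from the original post: it keeps only file operations of the IDA process whose Result is not SUCCESS and lists the DLLs that could not be found. The CSV rows are constructed to mirror Process Monitor's default columns; the paths, PIDs and timestamps are made up.

```python
"""Filter a Process Monitor CSV export for file operations of the IDA
process that did NOT succeed (NAME NOT FOUND, PATH NOT FOUND, ...).

Constructed example: the CSV text below is made up to mirror the columns
Process Monitor writes when saving a capture as CSV; it is not a real
capture from the original post.
"""
import csv
import io
from collections import Counter

# Constructed sample export (default Procmon CSV columns).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","ida64.exe","4120","CreateFile","C:\\IDA\\plugins\\pdb64.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234570","ida64.exe","4120","CreateFile","C:\\IDA\\cfg\\pdb.cfg","SUCCESS","Desired Access: Generic Read"
"10:01:02.1234580","ida64.exe","4120","CreateFile","C:\\Windows\\System32\\dbghelp.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.1234590","explorer.exe","1337","CreateFile","C:\\Users\\x\\missing.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.1234600","ida64.exe","4120","RegQueryValue","HKLM\\Software\\Example","NAME NOT FOUND",""
"10:01:02.1234610","ida64.exe","4120","CreateFile","C:\\IDA\\plugins\\pdb64.dll","NAME NOT FOUND","Desired Access: Generic Read"
"""

# File-system operations we consider when looking for a missing file.
FILE_OPS = {"CreateFile", "QueryOpen", "ReadFile", "CreateFileMapping"}

# Results that mean the file or its directory does not exist.
NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}


def failed_file_events(csv_text, process_names=("ida.exe", "ida64.exe")):
    """Return (path, result) pairs for file operations of the given
    processes whose Result column is anything other than SUCCESS."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        if row["Process Name"].lower() not in process_names:
            continue          # other processes are noise here
        if row["Operation"] not in FILE_OPS:
            continue          # registry, network, process events are skipped
        if row["Result"] == "SUCCESS":
            continue          # only failures are interesting
        hits.append((row["Path"], row["Result"]))
    return hits


def missing_dlls(csv_text):
    """Distinct .dll paths that IDA tried to open but which do not exist,
    most frequently attempted first."""
    counts = Counter(
        path for path, result in failed_file_events(csv_text)
        if path.lower().endswith(".dll") and result in NOT_FOUND
    )
    return [path for path, _ in counts.most_common()]


if __name__ == "__main__":
    for path, result in failed_file_events(SAMPLE_CSV):
        print(f"{result:16} {path}")
    print("Missing DLLs:", missing_dlls(SAMPLE_CSV))
```

Run it on a real export by replacing SAMPLE_CSV with the file contents; the process-name and operation filters are exactly what the Procmon filter dialog applies interactively, so the two approaches should agree.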

Here is a recorded GIF, to give a feel for the process:

[Figure: load-pdb-fail-investigation]

Summary

Process Monitor really is a troubleshooting magic weapon, provided you make good use of the filters; if the filtering is poor, it is of limited help.

References

  • Process Monitor
  • "Windows Sysinternals combat Guide"
  • IDA help documentation

Source: www.cnblogs.com/bianchengnan/p/12242447.html