PDA

View Full Version : addsym windbg extension (extension to load names from ida to windbg)


blabberer
March 18th, 2014, 18:02
Analysing unknown binaries especially malware drivers without symbols is a very tedious affair.

this windbg extension is an effort to reduce the tediousness by transferring the names ida generated to windbg

run the idc script to dump names to a sym file
and use the extension in windbg to resolve the symbols from that file

the idc script is posted below (tested in ida free 5 only and hacks are ida free 5 based if a chris eagle sees the script and knows of a better function that works seamlessly across the versions please comment back )

it loads the inputfile and gets IMAGE_NT_HEADERS->OptionalHeader->BaseofCode and creates a variable to subtract which is the difference between idc function FirstSeg()-BaseofCode (namely ImageBase)

then enumarates Name from FirstSeg() to MaxEA(); and dumps the bare offsets (RVA - IMAGEBASE ) and names to a file c:\\idasym\\GetInputFile().idasym in a format compatible to strtoul&sprintf()

like

00000300,DriverEntry
00017ce5,SomeCrapFunction()
00100000,aURLhttp://malwarebasedotcom/malware/foo.exe

bare offsets are dumped because it doesnt require rebasing in ida and wouldnt have to worry about aslr in windbg

also bare offsets can help in naming virtual allocated blocks
manually create an idasymfile
with offset,name
point it with an address in windbg and all offsets relative to that address will be named appropriately

simply analyse with ida and MakeName (visible in names window | publics) run the idc script in ida to overwrite an existing idasym file or create a new one

do !addsym <modname> <path> in windbg for an updated disassembly

idc script follows

Code:

#include <idc.idc>
static main(void)
{
auto temp,elfaw_new ,baseofcode,tosubtract,symfile,segstart,segend,i,outfile,symname;
// idafree doesnt seem to know anything about pe header HACK to get stuff
temp = fopen(GetInputFilePath(),"rb";
fseek(temp,0x3c,0); //to Read IMAGE_DOS_HEADER->elfaw_new
elfaw_new = readlong(temp,0);
fseek(temp,(elfaw_new+0x2c),0); //to read _IMAGE_NT_HEADERS->OptionalHeader->BaseofCode
baseofcode = readlong(temp,0);
tosubtract = FirstSeg()-baseofcode;
fclose(temp);

symfile = "c:\\IDASYM\\" + GetInputFile() + ".idasym";
outfile = fopen( symfile,"w";
if (!outfile)
{
Message("failed to create file %s\n check if c:\\idasym folder exists",symfile);
}
else
{
Message("creating idasym file %s\n",symfile);
segstart = 0;
do
{
segstart = NextSeg(segstart);
segend = SegEnd(segstart);
for ( i = 0 ; i < segend-segstart ; i++)
{
symname = Name( segstart+i ) ;
// discarding DOC AND UNDOC dummy names (does pro ida have convinience funcs ?
//must be tedious without them )
if (
(symname != "" ) &&
(substr(symname,0,4) != "sub_" &&
(substr(symname,0,7) != "locret_" &&
(substr(symname,0,4) != "loc_" ) &&
(substr(symname,0,4) != "off_" ) &&
(substr(symname,0,4) != "seg_" ) &&
(substr(symname,0,4) != "asc_" ) &&
(substr(symname,0,5) != "byte_" ) &&
(substr(symname,0,5) != "word_" ) &&
(substr(symname,0,6) != "dword_" ) &&
(substr(symname,0,5) != "qword_" ) &&
(substr(symname,0,4) != "flt_" ) &&
(substr(symname,0,4) != "dbl_" ) &&
(substr(symname,0,6) != "tbyte__" ) &&
(substr(symname,0,5) != "stru_" ) &&
(substr(symname,0,5) != "algn_" ) &&
(substr(symname,0,6) != "oword_" ) &&
(substr(symname,0,4) != "unk_" )
)
{
fprintf(outfile,"%08x,%s\n", ((segstart+i)-tosubtract) , Name( segstart+i ) );
}
}
}while (segend != BADADDR);
fclose(outfile);
}
}



source code for windbg extension follows

Code:


#include <engextcpp.hpp>
#include < iostream >
#include < fstream >
#include < string >
#include <tchar.h>

using namespace std;

class EXT_CLASS : public ExtExtension
{
public:
EXT_COMMAND_METHOD(addsym);
};

EXT_DECLARE_GLOBALS();

// takes two arguments first is an exprssion second is a string (path of idasymbol file)
// !addsym modulename viz nt / address viz 0x804d7200 etc c:\idasym\xxx.idasym

EXT_COMMAND(
addsym,
"windbg extension to use names that are generated by ida \n do .reload /f MODULE.ext=base,size
prior to using this extension",
"{;e;MODULE;An expression or address like nt / 0x804d7000 }{;x;path;path to idasym file \n
viz c:\\idasym\\MODULE.EXT.idasym}"
)
{
ULONG offset;
ifstream ifs ,fs;
char *symoff;
string inbuff,buff;
int i = 0;
int j = 1;
ULONG64 imagebase = GetUnnamedArgU64(0);
ifs.open(GetUnnamedArgStr(1));
if ( (ifs.rdstate() & ifstream::failbit ) != 0)
{
Out("failed to open idasym file\n";
goto exit;
}
do
{
i++;
}while ( getline(ifs,inbuff) != NULL);
Out("total symbols in idasym file is %d press ctrl+break to interrupt symbol resolving \n",i-1);
ifs.close();
fs.open(GetUnnamedArgStr(1));
if ( (fs.rdstate() & ifstream::failbit ) != 0)
{
Out("failed to open idasym file\n";
goto exit;
}
i = 0;
while ( getline(fs,buff) != NULL)
{
i++;
if (m_Control3->GetInterrupt() == S_OK)
{
break;
}
offset = strtoul(buff.c_str(),&symoff,16);
m_Symbols3->AddSyntheticSymbol((imagebase + offset ),4,symoff+1,DEBUG_ADDSYNTHSYM_DEFAULT,NULL);
if (i == 500)
{
Out("%d symbols resolved\n",i*j);
i = 0;
j++;
}
}
Out("total %d symbols resolved \n",((500*(j-1))+i) );
fs.close();
exit:
Out("done\n";
}



usage of extesnion follows (aswsp.sys of avastfree picked at random )

Code:

lkd> .load addsym
lkd> !addsym
ERROR: !addsym: extension exception 0x80070057.
"Missing required argument '<MODULE>'"
lkd> !addsym /?
!addsym <MODULE> <path>
<MODULE> - An expression or address like nt / 0x804d7000
<path> - path to idasym file
viz c:\idasym\MODULE.EXT.idasym (consumes remainder of input string)
windbg extension to use names that are generated by ida
do .reload /f MODULE.ext=base,size prior to using this extension
lkd> !addsym aswsp
ERROR: !addsym: extension exception 0x80040205.
"Unable to evaluate expression 'aswsp'"
lkd> lm m aswsp*
start end module name
lkd> .reload /f aswsp.sys
ERROR: Module load completed but symbols could not be loaded for \??\C:\WINDOWS\system32\drivers\aswSP.sys
lkd> lm m aswsp*
start end module name
a968e000 a96ef600 aswSP (no symbols)
lkd> x aswsp!*
lkd> !addsym aswsp
ERROR: !addsym: extension exception 0x80070057.
"Missing required argument '<path>'"
lkd> !addsym aswsp c:\idasym\aswsp.sys.idasy
failed to open idasym file
done
lkd> !addsym aswsp c:\idasym\aswsp.sys.idasym
total symbols in idasym file is 1457 press ctrl+break to interrupt symbol resolving
500 symbols resolved
1000 symbols resolved
total 1457 symbols resolved
done
lkd> lm m aswsp*
start end module name
a968e000 a96ef600 aswSP (no symbols)
lkd> x aswsp!*
a969be30 aswSP!nullsub_1 = <no type information>
a96a980e aswSP!nullsub_2 = <no type information>
a96b6ed4 aswSP!memcpy = <no type information>
a96b6ee0 aswSP!memset = <no type information>
a96b6eec aswSP!strncmp = <no type information>
a96b6ef8 aswSP!ObReferenceObjectByName = <no type information



idc script . source and compiled dll attached belowaddsym.rar (26.7 KB)

Kayaker
April 15th, 2014, 01:33
Hey b,

I finally got some time to take a look at this. Haven't gotten into the Windbg part yet, but you mentioned that the idc script is extremely slow when the binary is more than a few kb in size. The reason for that seems to be that you're doing a byte by byte search for autogenerated or user generated names. I think you were forced into that because of the somewhat limited scope of the strictly IDC commands, though you might have been able to use NextHead() and still pick up all the symbol names.

I did a test run and the output of your produced .idasym file is identical to the information already in the Names window. So...all you need to do is read/export the contents of the Names window. This is easily done with IDAPython:

Code:

for i in xrange(idaapi.get_nlist_size()):
ea = idaapi.get_nlist_ea(i)
name = idaapi.get_nlist_name(i)
print hex(ea) + "," + name


Which gives virtually the same format output as your .idasym file:

Code:

0x11329,NotifyRoutine
0x118ad,IRP_MJ_CREATE
0x1191d,DriverEntry
0x11a0b,DriverUnload
0x11f7a,strncpy
0x11f8c,DbgPrint


Also, you don't have to use that cumbersome IF statement to filter unwanted prefixes.


This seems like a very useful Windbg extension, and since many end users are probably already happily using IDAPython, you might as well take advantage of that as well.

If you really don't want to use IDAPython, or a plugin to call the commands, there may be one other possibility, a simple C program which makes use of the idaapi.* commands in that script directly.
get_nlist_size(), get_nlist_ea() and get_nlist_name() are all exported by ida.wll, but might be difficult to make use of external of a plugin or py script.

blabberer
April 18th, 2014, 07:49
hi k

thanks for the comments

last time i looked idapython was 5.3 and up and didnt seem to work with free 5.0 not sure will check it up

if it works for 5 then i dont have any problems using python.

even though i am searching byte by byte i dont think dumping about 11000 names (odbg 201) should take hours together

probably 5.0 is built with performance degrading timebombs inside it i think

ill try to explore the suggestions

thanks

blabberer
April 18th, 2014, 19:41
well accessing the functions turns out to be pain as ida free ida.wll exports all the functions by ordinals rather than names
and sdk isnt available

but few rounds of ollydbg wont be able to stop ida free from spitting its secrets

here is a sdk less ida free plugin (POC ) that retrieves what you suggested from ida free 5


2922

Code:


// typedeffed from stevem's ida plugin writing tutorial
// reversing the pdb.plw we see the disassembled run function ends with retn 4
// and takes a single arg so it must be __stdcall
// version seems to be 'L' flag = 0x19 but we will use 0 as in stevems template
// vc 2010 express compile and link with cl /LD /Fetestplug.plw testplug.cpp user32.lib

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>

// ilfak it seems actively dissuades anyone from writing a plugin to
// ida free it seems all exports are by ordinal
// open calc.exe in ida and view names window we see 219 names
// load ida in ollydbg and load calc in ida
// search for constant 0xdb (219) in ida.wll (odbg201 aligned search yields
// the constant first hit in ida.wll data section
// looking at referances we can easily deduce that #383 is get_nlist_size
// coz only one referance is named
// Search - References to IDA_WLL:.data:100D7C84..100D7C87, item 23
// Address = 10035878 #383
// Command = MOV EAX, DWORD PTR DS:[IDA_WLL.100D7C84]
// Comments =
// the other two functions are near this function.
// CPU Disasm
// Address Hex dump Command Comments
// 10035878 #383 /$ A1 847C0D10 MOV EAX, DWORD PTR DS:[IDA_WLL.100D7C84] ; IDA_WLL.#383(guessed void)
// 1003587D \. C3 RETN
// lets forward declare the function loadlib and getproc them

int ( __stdcall *g_size ) (void);
int ( __stdcall *g_ea ) (int index);
char* ( __stdcall *g_name ) (int index);

typedef struct _IDAINIT
{
int version;
int flags;
int (__stdcall * init)(void);
void (__stdcall * term)(void);
void (__stdcall * run)(int arg);
char *comment;
char *help;
char *plgname;
char *hotkey;
} IdaInit, *PIdaInit;

// Dll EntryPoint copy paste from ollydbg plugin

HINSTANCE hdllinst;

BOOL WINAPI DllEntryPoint( HINSTANCE hi, DWORD reason, LPVOID reserved ) {
UNREFERENCED_PARAMETER( reserved );
if (reason==DLL_PROCESS_ATTACH)
hdllinst=hi;
return 1;
};
int __stdcall init(void)
{
return 1;
}
void __stdcall run(int)
{
HMODULE hMod;
MessageBox(
NULL,
"This is a Hacked sdk less plugin for ida free 5" ,
"let ilfak keep his sdk we will write a plugin without it" ,
NULL
);
if ( ( hMod = LoadLibrary("C:\\Program Files\\IDA Free\\Ida.wll" ) == NULL )
{
MessageBox(
NULL,
"cannot loadlib ida.wll" ,
"let ilfak keep his sdk we will write plugin without it" ,
NULL
);
return;
}
*(FARPROC *)&g_size = GetProcAddress(hMod,MAKEINTRESOURCE(383));
*(FARPROC *)&g_ea = GetProcAddress(hMod,MAKEINTRESOURCE(40));
*(FARPROC *)&g_name = GetProcAddress(hMod,MAKEINTRESOURCE(252));
char foo[0x500];
int size = g_size();
int ea = g_ea(1);
char *name = g_name(1);
sprintf_s(
foo,
"ida.wll Loaded and the Following Export Address Retrieved\n"
"get_nlist_size = 0x%08X\n"
"get_nlist_ea = 0x%08X\n"
"get_nlist_name = 0x%08X\n"
"no of names in calc.exe = 0x%08x\n"
"ea of function 1 = 0x%08x\n"
"name of function 1 = %s\n",
g_size,
g_ea,
g_name,
size,
ea,
name
);
MessageBox(NULL,foo , "let ilfak keep his sdk we will write plugin without it" ,NULL);
}
__declspec(dllexport) IdaInit PLUGIN =
{
'L',
0,
init,
NULL,.
run,
NULL,
NULL,
"IdaFree5_plugin_without_sdk",
NULL
};

blabberer
April 21st, 2014, 18:47
hi k thanks for the suggestion gave me an opputunity to look inside ida
and hope fully this plugin should work across versions it seems to work in idafree 5.0

Code:

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>

#pragma pack(1)
typedef struct _INF
{
byte unk[43];
unsigned long MinEa;
} Inf, *PInf;

typedef struct _IDAINIT
{
int version;
int flags;
int (__stdcall * init)(void);
void (__stdcall * term)(void);
void (__stdcall * run)(int arg);
char *comment;
char *help;
char *plgname;
char *hotkey;
} IdaInit, *PIdaInit;

typedef int ( __stdcall *g_size ) (void);
typedef unsigned long ( __stdcall *g_ea ) (int index);
typedef char* ( __stdcall *g_name ) (int index);
typedef int ( __stdcall *g_inputfilepath ) (int index,char * buff,int buffsize);
typedef void* ( __stdcall *g_inf ) (void);

g_size get_nlist_size = 0;
g_ea get_nlist_ea = 0;
g_name get_nlist_name = 0;
g_inputfilepath netnode_valstr = 0;
g_inf inf = 0;
HINSTANCE hdllinst = 0;

BOOL WINAPI DllEntryPoint( HINSTANCE hi, DWORD reason, LPVOID reserved ) {
UNREFERENCED_PARAMETER( reserved );
if (reason==DLL_PROCESS_ATTACH)
hdllinst=hi;
return 1;
};

int __stdcall init(void)
{
return 1;
}

void __stdcall run(int)
{
HMODULE hMod;

if ( ( hMod = LoadLibrary("Ida.wll" ) == NULL )
{
MessageBox( NULL, "Cannot Loadlib ida.wll" , "Error_LoadLib" , NULL );
return;
}

if ( ( get_nlist_size = (g_size) GetProcAddress(hMod, "get_nlist_size" ) == NULL)
{
if ( ( get_nlist_size = (g_size) GetProcAddress(hMod,MAKEINTRESOURCE(383)) ) == NULL)
{
MessageBox(NULL,"Cannot resolve ProcAddress of get_nlist_size" , "Error GetProc genidasym plugin" ,NULL);
return ;
}
}

if ( ( get_nlist_ea = (g_ea) GetProcAddress(hMod, "get_nlist_ea" ) == NULL)
{
if ( ( get_nlist_ea = (g_ea) GetProcAddress(hMod,MAKEINTRESOURCE(40)) ) == NULL)
{
MessageBox(NULL,"Cannot resolve ProcAddress of get_nlist_ea" , "Error GetProc genidasym plugin" ,NULL);
return ;
}
}

if ( ( get_nlist_name = (g_name) GetProcAddress(hMod, "get_nlist_name" ) == NULL)
{
if ( ( get_nlist_name = (g_name) GetProcAddress(hMod,MAKEINTRESOURCE(252)) ) == NULL)
{
MessageBox(NULL,"Cannot resolve ProcAddress of get_nlist_name" , "Error GetProc genidasym plugin" ,NULL);
return ;
}
}

if ( ( netnode_valstr = (g_inputfilepath) GetProcAddress(hMod, "netnode_valstr" ) == NULL)
{
if ( ( netnode_valstr = (g_inputfilepath) GetProcAddress(hMod,MAKEINTRESOURCE(811)) ) == NULL)
{
MessageBox(NULL,"Cannot resolve ProcAddress of netnode_valstr" , "Error GetProc genidasym plugin" ,NULL);
return ;
}
}

if ( ( inf = (g_inf) GetProcAddress(hMod, "inf" ) == NULL)
{
if ( ( inf = (g_inf) GetProcAddress(hMod,MAKEINTRESOURCE(416)) ) == NULL)
{
MessageBox(NULL,"Cannot resolve ProcAddress of inf" , "Error GetProc genidasym plugin" ,NULL);
return ;
}
}

char inputfilepath[0x250];
char outputfilepath[0x100];
memset (&inputfilepath,0,0x250);
memset (&outputfilepath,0,0x100);
unsigned long dos_elfaw = 0;
unsigned long baseofcode = 0;
unsigned long ImageBase = 0;
FILE *fp = 0;
errno_t err = 0;
int fseekret = 0;
size_t freadret = 0;

int size = get_nlist_size();

netnode_valstr(0xff000001,inputfilepath,0x200);

if (( err = fopen_s(&fp,inputfilepath,"rb" ) != NULL)
{
MessageBox(NULL,"Cannot open inputfile" , "Error opening input file idasym plugin" ,NULL);
return ;
}

if (( fseekret = fseek(fp,0x3c,SEEK_SET) ) != NULL)
{
MessageBox(NULL,"Cannot fseek inputfile" , "Error seeking dos_elfaw_new in input file idasym plugin" ,NULL);
return ;
}

if (( freadret = fread(&dos_elfaw,sizeof(unsigned long),1,fp) ) != 1)
{
MessageBox(NULL,"fread dos_elfaw_new didnt read required count of items" , "Error fread idasym plugin" ,NULL);
return ;
}

if (( fseekret = fseek(fp,dos_elfaw+0x2c,SEEK_SET) ) != NULL)
{
MessageBox(NULL,"Cannot fseek inputfile" , "Error seeking baseofcode in input file idasym plugin" ,NULL);
return ;
}

if (( freadret = fread(&baseofcode,sizeof(unsigned long),1,fp) ) != 1)
{
MessageBox(NULL,"fread baseofcode didnt read required count of items" , "Error fread idasym plugin" ,NULL);
return ;
}

if (( fseekret = fseek(fp,dos_elfaw+0x34,SEEK_SET) ) != NULL)
{
MessageBox(NULL,"Cannot fseek inputfile" , "Error seeking ImageBase in input file idasym plugin" ,NULL);
return ;
}

if (( freadret = fread(&ImageBase,sizeof(unsigned long),1,fp) ) != 1 )
{
MessageBox(NULL,"fread imagebase didnt read required count of items" , "Error fread idasym plugin" ,NULL);
return ;
}

if (( err = fclose(fp) ) != NULL)
{
MessageBox(NULL,"Cannot close inputfile" , "Error closing input file idasym plugin" ,NULL);
return ;
}

unsigned long tosubtract;

if ( (((PInf)inf)->MinEa) == ImageBase )
{
tosubtract = ImageBase;
}
else if ( (((PInf)inf)->MinEa) == (ImageBase + baseofcode) )
{
tosubtract = ImageBase;
}
else
{
tosubtract = ( ((PInf)inf)->MinEa - baseofcode );
}

FILE * symfile;
char * symfilename = strrchr( inputfilepath ,'\\');

sprintf_s(outputfilepath,"c:\\idasym%s.idasym\0",symfilename);

if (( err = fopen_s(&symfile,outputfilepath,"w" ) != NULL)
{
MessageBox(NULL,"Cannot open outputfile" , "Error opening output file idasym plugin" ,NULL);
return ;
}

for (int i =0; i< size; i++)
{
unsigned long ea = get_nlist_ea(i);
char *name = get_nlist_name(i);
fprintf(symfile,"0x%08x,%s\n",(ea-tosubtract),name );
}

if (( err = fclose(symfile) ) != NULL)
{
MessageBox(NULL,"Cannot close outputfile" , "Error closing output file idasym plugin" ,NULL);
return ;
}

}

__declspec(dllexport) IdaInit PLUGIN =
{
'L',
0,
init,
NULL,
run,
NULL,
NULL,
"genidasym",
NULL
};





the src and a compiled plugin attatched

blabberer
May 7th, 2014, 15:49
3700+ views driving this post to all time number two and not a single comment about the utility / futility of the content