
Thread: How to use OS symbol files in OllyDbg?

  1. #1
    JackTripper
    Guest

    How to use OS symbol files in OllyDbg?

    In order to enable OS symbol files in WinDbg you:
    1. File -> Symbol File Path (Ctrl+S)
    2. In Symbol path enter:
    "SRV*c:\symbols*http://msdl.microsoft.com/download/symbols"
    3. Click OK

    In order to enable OS symbol files in Process Monitor you:
    1. Options -> Configure symbols
    2. In Symbol paths enter:
    "SRV*c:\symbols*http://msdl.microsoft.com/download/symbols"
    3. Click OK

    In order to enable OS symbol files in OllyDbg you:
    ???
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    In order to enable OS symbol files in OllyDbg YOU put:

    enable OS symbol files in OllyDbg

    in YOUR favorite search engine and YOU actually read what you find. If you search, and read, and THEN don't understand, come back and ask for some clarification.

    Regards,
    JMI

  3. #3
    disavowed
    Join Date: Apr 2002; Posts: 1,281
    From my experience, OllyDbg doesn't work with symsrv.dll, so you need to put all your .pdb files in a single directory and point OllyDbg to that directory.

  4. #4
    JackTripper
    Guest
    i already did google the problem. i didn't bother referencing a dozen other things that failed, since i didn't want to continue to spread misinformation that will only hurt the next guy who comes along wanting to use symbol files in Olly. But i'll post my research anyway:

    On 6/19/2006 jefferytan wondered the same thing in:
    http://www.openrce.org/forums/posts/187

    He tried setting his NT_SYMBOL_PATH environment variable (to what he doesn't say)

    anonymouse responds that there's a bug in Olly that it overwrites your _NT_SYMBOL_PATH. He patched Olly to make it work. You can read about the patch details at:
    http://www.woodmann.com/forum/showthread.php?t=8460

    and you can find a copy by googling for "shadow olly". i found a copy on RapidShare:
    http://ihatealex.org/2007/01/13/shadow-ollydbg/

    and downloaded and ran to no effect.

    The other thread here on Woodman:
    http://www.woodmann.com/forum/showthread.php?t=8460

    Where they note that it doesn't work in Olly. They mention the patch that needs to be applied, but then continue to not explain how to make symbols work.

    One person suggests copying
    symsrv.dll
    dbghelp.dll
    srcsrv.dll

    to the ollydbg folder, which i've tried and doesn't help. They also suggest that a regular symbol path environment variable is insufficient for Olly, and you must use something like:
    _NT_SYMBOL_PATH=symsrv*symsrv.dll*e:\symbols*http://msdl.microsoft.com/download/symbols

    rather than the more common
    _NT_SYMBOL_PATH=SRV*c:\symbols*http://msdl.microsoft.com/download/symbols


    i tried setting mine to:
    _NT_SYMBOL_PATH=symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols

    but it didn't help.


    Someone else in that thread (and the other responder in this thread) suggests that you must copy all *.pdb files into a single folder (rather than how they come out by default which is to be in a folder dedicated for each binary).

    You can't simply copy all the pdb files into your symbol folder, because of naming conflicts. For example you cannot copy
    c:\symbols\user32.pdb\92D15332471547DCA0D75061B8B6CDA42\user32.pdb
    to
    c:\symbols\user32.pdb
    because a folder named
    c:\symbols\user32.pdb already exists. i tried deleting the folder
    c:\symbols\user32.pdb
    so that i could copy
    c:\symbols\user32.pdb\92D15332471547DCA0D75061B8B6CDA42\user32.pdb
    to
    c:\symbols\user32.pdb

    but it didn't help Olly to find the symbols for user32. i tried copying user32.pdb into the OllyDbg folder, but it didn't help.

    i can't find it documented, or mentioned, or talked about, but i blindly guessed that i need to configure the OllyDbg option in the menus
    Debug->Select path for symbols
    to point the folder that contains the symbols.

    i tried pointing it to c:\symbols, where no actual symbol files (*.pdb) exist, but it is the symbol folder - didn't help.

    i tried copying some PDB files into c:\symbols, but it didn't help.

    i tried configuring
    Debug->Select path for symbols
    to point to the ollydbg folder, where i copied some pdb files, but it didn't help.


    i was hoping to create a single, clear, documentation quality answer to the question. Having bits and pieces of junk spread over 3 years, n versions, and n web-sites isn't very helpful.


    So, JMI, if it's not too much trouble, and won't take too much of your very precious time, may this most inept developer please have a hint at the answer to his most minor problem, sir?


    Humbly yours.


    Edit.
    Attached is a screenshot of Olly (background) missing debug symbol information. Inset is a screenshot from WinDbg on the same line showing debug symbols information.
    Last edited by JackTripper; July 30th, 2008 at 11:07. Reason: Added screenshot
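The folder names in the store above are not arbitrary: the 33-character directory under user32.pdb is the PDB's GUID followed by its age, both taken from the RSDS CodeView record in the binary's debug directory, and that is the only place a symbol server or symsrv.dll will look. The following is an added example, not code from this thread, OllyDbg, or Microsoft's symsrv; it assumes only the RSDS record layout, the GUID+age store convention, and the _NT_SYMBOL_PATH spellings quoted in this post. The RSDS record is constructed inline (the GUID and age come from splitting the folder name quoted above; the d:\build prefix is invented), not read from a real user32.dll.

```python
r"""Where does a symbol store keep the PDB for a given binary?

Added example, not code from this thread or from OllyDbg/symsrv. It parses
the CodeView "RSDS" record that a PE file's debug directory points at, derives
the <store>\<pdb name>\<GUID><age>\<pdb name> layout symsrv.dll uses, and
parses the _NT_SYMBOL_PATH spellings seen in the thread.
"""
import struct
import uuid
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional


@dataclass(frozen=True)
class CodeViewRsds:
    guid: uuid.UUID
    age: int
    pdb_name: str


def parse_rsds(record: bytes) -> CodeViewRsds:
    """Parse 'RSDS' + 16-byte GUID + 32-bit age + NUL-terminated PDB path."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])  # GUID fields are stored little-endian
    (age,) = struct.unpack_from("<I", record, 20)
    raw_path = record[24:].split(b"\0", 1)[0].decode("utf-8", errors="replace")
    # Only the file name matters to the store; the build machine's directory is dropped.
    return CodeViewRsds(guid, age, PureWindowsPath(raw_path).name)


def symstore_relative_path(cv: CodeViewRsds) -> PureWindowsPath:
    r"""Return <name>\<GUID as 32 uppercase hex digits><age in uppercase hex>\<name>.

    This is why a store holds c:\symbols\user32.pdb\92D15332471547DCA0D75061B8B6CDA42\user32.pdb:
    the directory named user32.pdb is keyed by GUID+age so several builds can coexist,
    and a flat user32.pdb file in the store root is never consulted.
    """
    signature = f"{cv.guid.hex.upper()}{cv.age:X}"
    return PureWindowsPath(cv.pdb_name) / signature / cv.pdb_name


def expected_pdb_path(store_root: str, cv: CodeViewRsds) -> PureWindowsPath:
    """Full path a symbol-store lookup for this binary resolves to under store_root."""
    return PureWindowsPath(store_root) / symstore_relative_path(cv)


@dataclass(frozen=True)
class SymbolSource:
    kind: str                # "dir", "srv" or "symsrv"
    dll: Optional[str]       # symbol-server DLL ("srv" is shorthand for symsrv.dll)
    cache: Optional[str]     # local store searched first (the plain directory for "dir")
    upstream: Optional[str]  # remote store (HTTP URL or UNC share) for server elements


def parse_symbol_path(symbol_path: str) -> List[SymbolSource]:
    r"""Split _NT_SYMBOL_PATH into ';'-separated elements.

    Accepts the three forms seen in the thread: a plain directory,
    SRV*cache*server, and symsrv*symsrv.dll*cache*server.
    """
    sources: List[SymbolSource] = []
    for element in symbol_path.split(";"):
        element = element.strip()
        if not element:
            continue
        parts = element.split("*")
        head = parts[0].lower()
        if head == "srv":
            kind, dll, stores = "srv", "symsrv.dll", parts[1:]
        elif head == "symsrv":
            if len(parts) < 3:
                raise ValueError(f"malformed symsrv element: {element!r}")
            kind, dll, stores = "symsrv", parts[1], parts[2:]
        else:
            sources.append(SymbolSource("dir", None, element, None))
            continue
        if not stores:
            raise ValueError(f"no store in symbol path element: {element!r}")
        # The last store is the upstream source; an earlier one is the local cache.
        cache = stores[0] if len(stores) > 1 else None
        sources.append(SymbolSource(kind, dll, cache, stores[-1]))
    return sources


# Constructed sample record (not read from a real DLL). GUID and age come from
# splitting the folder name quoted in the thread: 92D15332471547DCA0D75061B8B6CDA4 + 2.
SAMPLE_GUID = uuid.UUID("92D15332-4715-47DC-A0D7-5061B8B6CDA4")
SAMPLE_RSDS = (b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2)
               + b"d:\\build\\user32.pdb\0")

if __name__ == "__main__":
    cv = parse_rsds(SAMPLE_RSDS)
    for src in parse_symbol_path(r"SRV*c:\symbols*http://msdl.microsoft.com/download/symbols"):
        if src.cache:
            print(f"{src.kind}: lookup resolves to {expected_pdb_path(src.cache, cv)}")
```

Running it prints the store path a symsrv-style lookup for that user32.dll build would open, which is a quick way to confirm that a downloaded PDB actually matches the binary being debugged rather than merely sharing its file name.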

  5. #5
    Thanks Jack for your feigned concern for my "precious time." For your edification, this rhetorical technique is known as "damning by faint praise" and is among a large group of rhetorical devices I studied during my college days more than 40 years ago.

    Had you taken the time to mention, in your first post, what you claim you had done in your second post, there would have been no reason for me to spend any of my "precious time" reminding you, or anyone, of our posting requirements.

    Have you considered the possibility that the issue might be related to your specific configuration and/or combination of OS and other components?

    Also, my own search of "using OS symbols in OllyDBG" produced almost 29,000 hits and it is unlikely you have exhausted the field of research. Perhaps you might try the search again with some "+" signs and some specific references to your OS and/or other special installed programs.

    So Jack... you keep trying, and someday, you might become half the wit that I am.

    And once you are a well seasoned practitioner of the rhetorical craft, you would know that the immediate response to the preceding sentence would be: "But that would make me a quarter-wit!"

    Regards,
    JMI

  6. #6
    Super Moderator
    Join Date: Dec 2004; Posts: 1,526; Blog Entries: 15
    you can use anonymouse's modified commandline plugin (available for download from here as well as openrce downloads)

    he has enumerated how to use it in his blog in openrce
    i'll brief a little

    the plugin comes with two redistributables from ms: dbghelp.dll and symsrv.dll
    put the plugin and the redistributables in the ollydbg plugin folder

    set environment variable _NT_SYMBOL_PATH

    its like this in my present computer
    Code:
    C:\>set _nt
    _NT_SYMBOL_PATH=SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS

    hit alt+f1
    type loadpdb c:\windows\system32\user32.dll
    hit enter

    if this is the first time you are downloading symbols then there will be an EULA displayed from ms; read and accept if it is acceptable to you

    symsrv will fetch the symbol file from ms and the plugin will insert their names into ollydbg


    and if you go with patch route as enumerated by me

    all you have to do is patch, put the dbghelp.dll and symsrv.dll in the ollydbg directory

    set _nt_symbol_path

    and run

    that is all

    Code:
    Log data
    Address    Message
               OllyDbg v1.10
               Bookmarks sample plugin v1.06 (plugin demo)
                 Copyright (C) 2001, 2002 Oleh Yuschuk
               Command line plugin v1.10
                 Written by Oleh Yuschuk
     
               File 
               New process with ID 00000C7C created
    00401000   Main thread with ID 00000CC8 created
    00400000                Debugging information (Microsoft format) available
    5D090000   Module C:\WINDOWS\system32\COMCTL32.DLL
                 Debugging information (Microsoft format) available
    763B0000   Module C:\WINDOWS\system32\COMDLG32.DLL
                 Debugging information (Microsoft format) available
    774E0000   Module C:\WINDOWS\system32\OLE32.DLL
                 Debugging information (Microsoft format) available
    77C00000   Module C:\WINDOWS\system32\VERSION.DLL
                 Debugging information (Microsoft format) available
    77C10000   Module C:\WINDOWS\system32\msvcrt.dll
                 Debugging information (Microsoft format) available
    77D40000   Module C:\WINDOWS\system32\USER32.dll
                 Debugging information (Microsoft format) available
    77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
                 Debugging information (Microsoft format) available
    77E70000   Module C:\WINDOWS\system32\RPCRT4.dll
                 Debugging information (Microsoft format) available
    77F10000   Module C:\WINDOWS\system32\GDI32.dll
                 Debugging information (Microsoft format) available
    77F60000   Module C:\WINDOWS\system32\SHLWAPI.dll
                 Debugging information (Microsoft format) available
    7C800000   Module C:\WINDOWS\system32\kernel32.dll
                 Debugging information (Microsoft format) available
    7C900000   Module C:\WINDOWS\system32\ntdll.dll
                 Debugging information (Microsoft format) available
    7C9C0000   Module C:\WINDOWS\system32\SHELL32.dll
                 Debugging information (Microsoft format) available
    00401000   Program entry point
               Analysing OLLYDBG
                 1016 heuristical procedures
                 4602 calls to known, 7987 calls to guessed functions
                 1597 loops, 195 switches
               Analysing kernel32
                 1013 heuristical procedures
                 2257 calls to known, 667 calls to guessed functions
                 336 loops, 92 switches

  7. #7
    JackTripper
    Guest
    Quote Originally Posted by JMI:
    Have you considered the possibility that the issue might be related to your specific configuration and/or combination of OS and other components?
    Is it that you know the answer, but refuse to share it out of spite?
    Last edited by JackTripper; July 30th, 2008 at 14:02. Reason: nice guy

  8. #8
    JackTripper
    Guest
    Quote Originally Posted by JackTripper:
    In order to enable OS symbol files in OllyDbg you:
    ???
    i found the answer, although no solution:

    Symbol location problems/solution
    http://www.woodmann.com/forum/archive/index.php/t-8634.html

    Ollydbg doesn't fully exploit the dbghelp api nor work with the new symbol server feature at all.


    The symbol server was what i wanted.

  9. #9
    Poor Jack:

    Sorry you are feeling that you are not getting whatever you want. I really don't have a great deal of time these days to do actual reversing. I work in a completely unrelated field which requires attention to detail and can be very time consuming. I was attempting to assist in your searching efforts by suggesting methods which might focus your search down to particular issues, which you had not actually discussed.

    From reading a lot about reversing, as opposed to doing a great deal of it, I am aware that system versions and configurations can affect the proper and/or expected operation of various debuggers. Therefore, I suggested this as an avenue for investigation.

    Had I sufficient opportunity to play with Olly, and knew from that experience what, specifically, was the cause of your problem, I probably still would not have spoon fed it to you, but not for the reason you suggest. A great part of the development of skill as a reverser, is learning the ability to find information one needs to accomplish a specific task or goal. Giving someone a "simple" answer defeats the task of attempting to teach how one finds needed information.

    So, if I had the specific answer, I would more likely have given you a more general criteria for you to search for, so that YOU could discover the answer. That is the type of information discovery which is truly the most satisfying, albeit frustrating to those who don't really care about the process of actually learning and only want what they want, when they want it. That choice is yours to make. It's not my job to try to make that decision for you, but simply to attempt to point you on the path to true learning. The rest is up to you.

    Regards,
    JMI

  10. #10
    Quote Originally Posted by blabberer:

    and if you go with patch route as enumerated by me

    all you have to do is patch, put the dbghelp.dll and symsrv.dll in the ollydbg directory

    set _nt_symbol_path

    and run

    that is all
    Hi Blabberer, can you further explain what needs to be patched and also what needs to be run for this to work. Sorry this is not clear to me.

    Does this thread contain >all< the patches to make this work or is there another solution available now?

    I also tried using the modified command line plug-in by Anonymouse and get the message that I need to set _NT_SYMBOL_PATH despite having done so. I also have successfully downloaded the symbol files using the SymGet tool.
    This error message occurs when I type loadpdb c:\windows\system32\user32.dll into the command line field of the plug-in.


    SymGet copies the .pdb files to C:\Symserv using the default syswxp.ini file. Here is the directory listing:

    Code:
    Directory of C:\symserv
    
    04/23/2009  10:26 AM    <DIR>          .
    04/23/2009  10:26 AM    <DIR>          ..
    04/23/2009  10:25 AM    <DIR>          advapi32.pdb
    04/23/2009  10:26 AM    <DIR>          comctl32.pdb
    04/23/2009  10:26 AM    <DIR>          comdlg32.pdb
    04/23/2009  10:25 AM    <DIR>          gdi32.pdb
    04/23/2009  10:25 AM    <DIR>          kernel32.pdb
    04/23/2009  10:26 AM    <DIR>          msvcrt.pdb
    04/23/2009  10:25 AM    <DIR>          ntdll.pdb
    04/23/2009  10:26 AM    <DIR>          ole32.pdb
    04/23/2009  10:26 AM    <DIR>          oleaut32.pdb
    04/23/2009  10:25 AM                 0 pingme.txt
    04/23/2009  10:25 AM    <DIR>          rpcrt4.pdb
    04/23/2009  10:25 AM    <DIR>          user32.pdb
                   1 File(s)              0 bytes
                  13 Dir(s)  31,337,861,120 bytes free
    I thought I maybe needed to copy each .pdb file from each dir to the root of C:\symserv but the OS won't permit me to copy or move these files.

    Here is the symbol path env variable I have set:
    "_NT_SYMBOL_PATH=SRV*C:\SYMSERV*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS"

    I also tried using :
    "_NT_SYMBOL_PATH=SRV*C:\WINDOWS\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS"


    Any idea what the problem(s) could be?



    Thank you.
    Last edited by 5aLIVE; April 23rd, 2009 at 07:24.

  11. #11
    Super Moderator
    Join Date: Dec 2004; Posts: 1,526; Blog Entries: 15
    yes 5alive that thread contains all you need to patch (for the original ollydbg 1.10 version); the only relevant patch is 74 to eb, the other three are for debug spew (!sym noisy)

    it should work without problems

    how are you setting _nt_symbol_path ?


    is that permanent setting or temporary setting
    if thats temporary does ollydbg inherit the setting

    Code:
    C:\>set _nt
    _NT_SYMBOL_PATH=SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    
    C:\>cmd 
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\>set _NT_SYMBOL_PATH=SRV*D:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    
    temporary setting ^ 
    
    C:\>set _NT
    _NT_SYMBOL_PATH=SRV*D:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    
    C:\>f:\odbg110\OLLYDBG.EXE  this ollydbg is a child of the new cmd.exe and will inherit d:\  while double clicking ollydbg.exe will look for symbols in f:\  
    
    C:\>exit 
    
    C:\>set _nt
    _NT_SYMBOL_PATH=SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    
    C:\>
    
    Log data, item 1   child with temp env var
     Message=39 SRV*D:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    
    
    Log data, item 1  double clicked ollydbg.exe
     Message=39 SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    anonymouse also had a latest version uploaded to his repository in openrce


    afaik symget sets temp env var for each session controllable with an ini file

    and if you are dependent on symgets setting of _nt_symbol_path then it might not exist for ollydbg

  12. #12
    Ah! I was setting the _NT_SYMBOL_PATH env variable within a DOS box. I didn't realise this is treated as temporary. I added a permanent entry to my system variables and rebooted for the changes to take effect.

    Now if I load a test exe I see the following in the log file:
    Code:
    Log data
    Address    Message
               OllyDbg v1.10
               Bookmarks sample plugin v1.06 (plugin demo)
                 Copyright (C) 2001, 2002 Oleh Yuschuk
               Command line plugin v1.10
                 Written by Oleh Yuschuk
    
               Console file 'C:\Documents and Settings\test.exe'
               New process with ID 00000BC0 created
    00445114   Main thread with ID 00000BC4 created
    00400000   Module C:\Documents and Settings\test.exe
                 Debugging information (Microsoft format) available
    7C800000   Module C:\WINDOWS\system32\kernel32.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    7C900000   Module C:\WINDOWS\system32\ntdll.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    7E410000   Module C:\WINDOWS\system32\USER32.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    77F10000   Module C:\WINDOWS\system32\GDI32.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    77DD0000   Module C:\WINDOWS\system32\ADVAPI32.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    77E70000   Module C:\WINDOWS\system32\RPCRT4.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    00445114   Program entry point
               3d C:\WINDOWS\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
               dbghelp dll loaded and address retrieved
               Only Export symbols - skipping
               3d C:\WINDOWS\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
               dbghelp dll loaded and address retrieved
               Only Export symbols - skipping
    77FE0000   Module C:\WINDOWS\system32\Secur32.dll
                 CRC changed, discarding .udd data
                 Debugging information (Microsoft format) available
    Can the comments about CRC changes be ignored or is this another problem?

    If I now type : loadpdb C:\WINDOWS\system32\user32.dll

    into the modified command line plug-in I see the following log message:
    Code:
               3d C:\WINDOWS\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
               dbghelp dll loaded and address retrieved
               Only Export symbols - skipping
    If I then go to view names I don't see any additional symbols listed.

  13. #13
    I've changed the system env variable to C:\SYMSERV*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    which now shows:

    35 C:\SYMSERV*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
    dbghelp dll loaded and address retrieved
    I still get the CRC change messages too.
    When I load a symbol table via the loadpdb command, I'm still not sure I'm seeing any more symbols in the test.exe disassembly though?

  14. #14
    Another related question I have is with IDA freeware. I can create a .map file easily enough and load it into OllyDbg using the MapConv plug-in. I can view all labels generated by IDA and also any comments that I have added to the listing.

    What I can't see however is the comments IDA makes for stack variables. For example, the following IDA generated comments are lost:

    Code:
    .text:100028A0 50                 push    eax             ; size_t
    .text:100028A1 8D+                lea     eax, [ebp+var_E0]
    .text:100028A7 FF+                push    [ebp+arg_4]     ; char *
    .text:100028AA 2B+                sub     eax, esi
    .text:100028AC 50                 push    eax             ; char *
    Is there any way to preserve these comments?

  15. #15
    Super Moderator
    Join Date: Dec 2004; Posts: 1,526; Blog Entries: 15
    to remove crc errors analyze all modules that got their pdbs loaded and reload: alt+e -> right click -> analyze all modules, then ctrl+n

    when using loadpdb do you have internet connected ? is user32.pdb available in c:\symsrv

    try using loadpdb on an unpatched ollydbg in a newly unzipped folder with just that commandline plugin, with maybe a temporary _nt_symbol_path (use a dosbox and fire ollydbg from within that dosbox)

    the plugin should connect to ms server and fetch the pdb and then apply the names

    btw what os ? (iirc the plugin isn't tested in newer os like vizzzta and w2k8 or win7 )
