Results 1 to 4 of 4

Thread: Can't get symbols working with Olly 1.10

  1. #1

    Can't get symbols working with Olly 1.10

    I installed the symbols from MS into C:\windows\symbols and in the options set olly to use that directory for symbols but it didn't work. I tried stepping through a program in Olly v2 alpha and when it gets to say CreateProcess all the parameters are filled in on the stack window. That isn't happening with Olly 1.10 and I don't think the symbols are working.

    I've seen tutorials on how to get symbols working using MS symbol server, but I obviously can't have an internet connection with malware.

  2. #2
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    this plugin was lying in my pc
    this was compiled with a hacked version of modified pdk's plugin.h by alex latest dbghelp.h / lib from windbg sdk and vc2008 express

    iirc stack was blowing up with cdecl in vc 2008 so i changed cdecl to _cdecl in plugin.h i think not sure

    not tested except for few runs while i compiled

    you need to set
    _NT_SYMBOL_PATH environment variable
    and you should have dbghelp.dll and symsrv.dll from windbg installation in ollydbg dir

    check if it works
    i will find the source or reimplement it and post it here

    refer to the last post in this thread for attachment
    Last edited by blabberer; May 19th, 2012 at 03:25.

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    wow 4 days and two downloads and no replies

    does it work properly

    did someone spin this in their machine

    anyway i found the src after a few hacks it compiled with vc 2010 with w4 wx and prefast clean

    here is the src

    Code:
    #include <windows.h>
    
    #include <string.h>
    
    #include "plugin.h"
    
    #include <dbghelp.h>
    
    #include <psapi.h>
    
    int _cdecl CheckDlls();
    
    HINSTANCE				hinst; 
    
    HWND					hwmain;
    
    BOOL 
    
    CALLBACK
    
    EnumerateSymbols(
    
    				 PSYMBOL_INFO  pSymInfo,
    
    				 ULONG SymbolSize,
    
    				 PVOID UserContext
    
    				 )
    
    {
    
    	UNREFERENCED_PARAMETER( UserContext );
    
    	UNREFERENCED_PARAMETER( SymbolSize );
    
    	Insertname(
    
    		(DWORD)pSymInfo->Address,
    
    		NM_LIBRARY,
    
    		pSymInfo->Name
    
    		);
    
    	return TRUE;
    
    }
    
    BOOL WINAPI DllMain(
    
    					HINSTANCE hi,
    
    					DWORD reason,
    
    					LPVOID reserved
    
    					)
    
    {
    
    	UNREFERENCED_PARAMETER( reserved );
    
    	if (reason==DLL_PROCESS_ATTACH)
    
    		hinst=hi;
    
    	return 1;
    
    };
    
    extc int _export _cdecl ODBG_Plugindata(
    
    										char shortname[32]
    
    )
    
    {
    
    	strcpy_s(
    
    		shortname,
    
    		30,
    
    		"SymbolLoader"
    
    		);
    
    	return PLUGIN_VERSION;
    
    };
    
    extc int _export _cdecl ODBG_Plugininit( 
    
    										int ollydbgversion,
    
    										HWND hw,
    
    										ulong *features
    
    										)
    
    {
    
    	UNREFERENCED_PARAMETER( features );
    
    	if (ollydbgversion<PLUGIN_VERSION)
    
    		return -1;
    
    	hwmain=hw;
    
    	Addtolist(
    
    		0,
    
    		1,
    
    		"SymbolLoader Plugin"
    
    		);
    
    	Addtolist(
    
    		0,
    
    		1,
    
    		"  As Usual Dedicated To Oleh Yuschuk"
    
    		);
    
    	return 0;
    
    };
    
    extc int _export _cdecl ODBG_Pluginmenu(
    
    										int origin,
    
    										char data[4096],
    
    										void *item
    
    										)
    
    {
    
    	UNREFERENCED_PARAMETER( item );
    
    	switch (origin) {
    
    			case PM_MAIN:
    
    				strcpy_s(
    
    					data,
    
    					4000,
    
    					"0 &SymbolLoader|1 &About"
    
    					);
    
    				return 1;
    
    			default: break;
    
    	};
    
    	return 0;
    
    };
    
    extc void _export _cdecl ODBG_Pluginaction(
    
    	int origin,
    
    	int action,
    
    	void *item
    
    	)
    
    {
    
    	HANDLE								hProcess;
    
    	t_table	*							ModuleTable;
    
    	t_module *							Module;
    
    	DWORD64								dwModuleBase;
    
    	int									i;
    
    	t_sorted							sorted;
    
    	LPTSTR								Envvar;
    
    	IMAGEHLP_MODULE64					im;
    
    	UNREFERENCED_PARAMETER( item );
    
    	memset(&im,0,sizeof(im));
    
    	im.SizeOfStruct = sizeof(im);
    
    	if (origin==PM_MAIN) {
    
    		switch (action){
    
    			case 0:
    
    				Addtolist(
    
    					0,
    
    					1,
    
    					"SymbolLoader Plugin Was Called"
    
    					);
    
    				Envvar= (LPTSTR) malloc(4096);
    
    				if( ! GetEnvironmentVariable(
    
    					"_NT_SYMBOL_PATH",
    
    					Envvar,
    
    					4094 
    
    					)) {
    
    						Addtolist (
    
    							0,
    
    							1,
    
    							"Set EnivronmemtVariable "
    
    							"_NT_SYMBOL_PATH for symsrv "
    
    							"to fetch or lookup symbol cache "
    
    							);
    
    						return;
    
    				}
    
    				if (( CheckDlls()) == FALSE) {
    
    					Addtolist(
    
    						0,
    
    						1,
    
    						"dbghelp.dll or symsrv.dll or both are missing "
    
    						"please put them from windbg installation to ollydbg dir"
    
    						);
    
    					return;
    
    				}
    
    				if (( hProcess	= OpenProcess(
    
    					PROCESS_ALL_ACCESS,
    
    					FALSE,
    
    					Plugingetvalue(VAL_PROCESSID)
    
    					) ) == NULL) {
    
    						Addtolist(
    
    							0,
    
    							1,
    
    							"no debuggee found OpenProcess Failed"
    
    							);
    
    						return;
    
    				}
    
    				SymSetOptions(
    
    					SYMOPT_UNDNAME | SYMOPT_CASE_INSENSITIVE
    
    					);
    
    				if ( ! SymInitialize( hProcess, Envvar, FALSE ) ) {
    
    					Addtolist ( 
    
    						0,
    
    						1,
    
    						"SymInitialize failed"
    
    						);
    
    					CloseHandle(hProcess);
    
    					return;
    
    				}
    
    				ModuleTable = (t_table *)Plugingetvalue(
    
    					VAL_MODULES
    
    					);
    
    				if(ModuleTable !=0) {
    
    					sorted = ModuleTable->data;
    
    					for(i=0;i<sorted.n;i++)
    
    					{
    
    						Module = (t_module *) ( (int)sorted.data+(i*sorted.itemsize));
    
    						Addtolist(
    
    							0,
    
    							1,
    
    							"Loading Symbols For %s",
    
    							Module->path
    
    							);
    
    						if ( ( dwModuleBase = SymLoadModuleEx(
    
    							hProcess,
    
    							NULL,
    
    							Module->path,
    
    							"",
    
    							0,
    
    							0,
    
    							0,
    
    							NULL
    
    							) ) == 0 ) {
    
    								Addtolist(
    
    									0,
    
    									1,
    
    									"SymLoadModuleEx %s Failed last error returned was %x",
    
    									Module->path,
    
    									GetLastError()
    
    									);								
    
    						}
    
    						SymGetModuleInfo64(
    
    							hProcess,
    
    							dwModuleBase,
    
    							&im
    
    							);
    
    						if ( im.SymType == SymExport || im.SymType == SymNone )
    
    						{
    
    							Addtolist(
    
    								0,
    
    								1,
    
    								"Only Export symbols - skipping module %s",
    
    								Module->name
    
    								);
    
    						}
    
    						if( ( SymEnumSymbols(
    
    							hProcess,
    
    							dwModuleBase,
    
    							"*",
    
    							EnumerateSymbols,
    
    							NULL
    
    							))==FALSE) {
    
    								Addtolist(
    
    									0,
    
    									1,
    
    									"SymEnumSymbols Failed for %x Getlast Error returned %x",
    
    									dwModuleBase,
    
    									GetLastError()
    
    									);
    
    								break;
    
    						}
    
    						Module++;
    
    					}
    
    				}
    
    				SymCleanup(hProcess);
    
    				CloseHandle(hProcess);
    
    				free(Envvar);
    
    				break;
    
    			case 1:
    
    				MessageBox(
    
    					hwmain,
    
    					"SymbolLoader\n"
    
    					"Copyright (C) From Genesis to Eternity Blabberer",
    
    					"SymbolLoader",MB_OK|MB_ICONINFORMATION
    
    					);
    
    				break;
    
    			default:
    
    				break;
    
    		};
    
    	};
    
    };
    
    int _cdecl CheckDlls()
    
    {
    
    	char			Filename[MAX_PATH];
    
    	char			Ollydrive[0x20];
    
    	char			Ollydir[MAX_PATH - sizeof("ollydbg.exe")];
    
    	WIN32_FIND_DATA	Foundfile;
    
    	HANDLE			hProcess;
    
    	HANDLE			hFile;
    
    	DWORD			status = TRUE;
    
    	if (( hProcess	= OpenProcess(
    
    		PROCESS_ALL_ACCESS,
    
    		FALSE,
    
    		GetCurrentProcessId()
    
    		) ) == NULL) {
    
    			Addtolist(
    
    				0,
    
    				1,
    
    				"OpenProcess Ollydbg Failed"
    
    				);
    
    			return FALSE;
    
    	}
    
    	if( ( GetModuleFileNameEx (
    
    		hProcess,
    
    		NULL,
    
    		Filename,
    
    		MAX_PATH
    
    		) ) == 0 ) {
    
    			Addtolist(
    
    				0,
    
    				1,
    
    				"Path to Ollydbg.exe is not available"
    
    				);
    
    			CloseHandle(hProcess);
    
    			return FALSE;
    
    	}
    
    	Addtolist(
    
    		0,
    
    		1,
    
    		"path to ollydbg.exe is %s",
    
    		Filename
    
    		);
    
    	_splitpath_s(
    
    		Filename,
    
    		Ollydrive,
    
    		sizeof(Ollydrive),
    
    		(char *)&Ollydir,
    
    		(MAX_PATH - sizeof("ollydbg.exe")),
    
    		NULL,
    
    		0,
    
    		NULL,
    
    		0
    
    		);
    
    	_makepath_s(
    
    		Filename,
    
    		MAX_PATH,
    
    		Ollydrive,
    
    		Ollydir,
    
    		"dbghelp",
    
    		"dll"
    
    		);
    
    	Addtolist(
    
    		0,
    
    		1,
    
    		"checking for presence %s ",
    
    		Filename
    
    		);
    
    	if ( ( hFile = FindFirstFile(
    
    		Filename,
    
    		&Foundfile
    
    		) ) == INVALID_HANDLE_VALUE) {
    
    			Addtolist(
    
    				0,
    
    				1,
    
    				"you need the latest dbghelp.dll in the directory where ollydbg resides"
    
    				);
    
    			status = FALSE;
    
    	}
    
    	FindClose(hFile);
    
    	_makepath_s(
    
    		Filename,
    
    		MAX_PATH,
    
    		Ollydrive,
    
    		Ollydir,
    
    		"symsrv",
    
    		"dll"					
    
    		);
    
    	Addtolist(
    
    		0,
    
    		1,
    
    		"checking for presence %s ",
    
    		Filename
    
    		);
    
    	if ( ( hFile = FindFirstFile(
    
    		Filename,
    
    		&Foundfile
    
    		) ) == INVALID_HANDLE_VALUE) {
    
    			Addtolist(
    
    				0,
    
    				1,
    
    				"you need the latest symsrv.dll in the directory where ollydbg resides"
    
    				);
    
    			status = FALSE;
    
    	}
    
    	FindClose(hFile);
    
    	CloseHandle(hProcess);
    
    	return status;
    
    }
    here is the difference in plugin.h

    and here is the complete folder tree

    there was a break; in an error clause which resulted in any symbols not being loaded if that specific error occured
    fixed it

    new src/compiled binary/modified plugin.h/mak files all in one compilable in vc 2010 express
    Attached Images Attached Images  
    Attached Files Attached Files
    Last edited by blabberer; May 19th, 2012 at 03:29.

  4. #4
    Better a late reply of feedback than none at all. Your plugin loaded downloaded and loaded symbols for me without a hitch.
    Nice work.

Similar Threads

  1. Replies: 3
    Last Post: March 29th, 2013, 12:18
  2. Replies: 2
    Last Post: February 15th, 2009, 21:52
  3. Softice & IDA symbols
    By omega_red in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: May 20th, 2004, 19:19
  4. symbols or implib
    By idanski in forum OllyDbg Support Forums
    Replies: 2
    Last Post: December 27th, 2003, 03:09
  5. how to use symbols just like windbg
    By a1rsupp1y in forum OllyDbg Support Forums
    Replies: 1
    Last Post: November 27th, 2003, 22:33

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •