
Can't get symbols working with Olly 1.10

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
Sunk
Member
Posts: 51
Joined: Wed May 11, 2011 9:06 am

Can't get symbols working with Olly 1.10

Post by Sunk »

I installed the symbols from MS into C:\windows\symbols and in the options set olly to use that directory for symbols but it didn't work. I tried stepping through a program in Olly v2 alpha and when it gets to say CreateProcess all the parameters are filled in on the stack window. That isn't happening with Olly 1.10 and I don't think the symbols are working.

I've seen tutorials on how to get symbols working using MS symbol server, but I obviously can't have an internet connection with malware. :(
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

this plugin was lying in my pc
this was compiled with a hacked version of alex's modified pdk plugin.h, the latest dbghelp.h / lib from the windbg sdk, and vc2008 express

iirc stack was blowing up with cdecl in vc 2008 so i changed cdecl to _cdecl in plugin.h i think not sure

not tested except for few runs while i compiled

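you need to set the
_NT_SYMBOL_PATH environment variable (on an offline machine a plain local directory such as C:\windows\symbols should be enough; a srv* entry is what makes symsrv go to the symbol server)
and you should have dbghelp.dll and symsrv.dll from the windbg installation in the ollydbg dir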

check if it works
i will find the source or reimplement it and post it here

refer to the last post in this thread for attachment
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

wow 4 days and two downloads :) and no replies

does it work properly

did someone spin this in their machine

anyway i found the src; after a few hacks it compiled with vc 2010, clean under /W4, /WX and prefast

here is the src



#include <windows.h>

#include <string.h>

#include "plugin.h"

#include <dbghelp.h>

#include <psapi.h>

/* Defined at the end of the file; called from ODBG_Pluginaction. */
int _cdecl CheckDlls();

/* Module handle of this plugin DLL, stored by DllMain on process attach. */
HINSTANCE hinst;

/* OllyDbg main window handle, stored by ODBG_Plugininit. */
HWND hwmain;

/*
 * SymEnumSymbols callback: records one symbol as an OllyDbg name.
 *
 * pSymInfo    - symbol reported by dbghelp; only Address and Name are read.
 * SymbolSize  - unused.
 * UserContext - unused.
 *
 * Always returns TRUE, so the enumeration is never stopped from here.
 */
BOOL CALLBACK EnumerateSymbols(PSYMBOL_INFO pSymInfo, ULONG SymbolSize, PVOID UserContext)
{
	DWORD address;

	UNREFERENCED_PARAMETER(SymbolSize);
	UNREFERENCED_PARAMETER(UserContext);

	/* The cast keeps only the low 32 bits of the address dbghelp reports. */
	address = (DWORD)pSymInfo->Address;

	Insertname(address, NM_LIBRARY, pSymInfo->Name);
	return TRUE;
}

/*
 * DLL entry point. Remembers the module handle on process attach and
 * reports success for every notification.
 */
BOOL WINAPI DllMain(HINSTANCE hi, DWORD reason, LPVOID reserved)
{
	UNREFERENCED_PARAMETER(reserved);

	switch (reason) {
	case DLL_PROCESS_ATTACH:
		hinst = hi;
		break;
	default:
		break;
	}

	return TRUE;
}

/*
 * Plugin identification callback exported to OllyDbg.
 *
 * Copies the plugin's short name into shortname (declared as char[32];
 * the copy is bounded to 30 bytes) and returns PLUGIN_VERSION.
 */
extc int _export _cdecl ODBG_Plugindata(char shortname[32])
{
	static const char plugin_name[] = "SymbolLoader";

	strcpy_s(shortname, 30, plugin_name);
	return PLUGIN_VERSION;
}

/*
 * Plugin initialisation callback exported to OllyDbg.
 *
 * ollydbgversion - version reported by the host; anything below
 *                  PLUGIN_VERSION is rejected.
 * hw             - OllyDbg main window handle, kept in hwmain.
 * features       - unused.
 *
 * Returns 0 on success, -1 when the host version is too old.
 */
extc int _export _cdecl ODBG_Plugininit(int ollydbgversion, HWND hw, ulong *features)
{
	UNREFERENCED_PARAMETER(features);

	if (ollydbgversion >= PLUGIN_VERSION) {
		hwmain = hw;

		/* Two banner lines written to the OllyDbg log. */
		Addtolist(0, 1, "SymbolLoader Plugin");
		Addtolist(0, 1, "  As Usual Dedicated To Oleh Yuschuk");
		return 0;
	}

	return -1;
}

/*
 * Menu description callback exported to OllyDbg.
 *
 * origin - window asking for a menu; only PM_MAIN gets one.
 * data   - receives the menu description (declared as char[4096]; the
 *          copy is bounded to 4000 bytes).
 * item   - unused.
 *
 * Returns 1 when a menu was written into data, 0 otherwise.
 */
extc int _export _cdecl ODBG_Pluginmenu(int origin, char data[4096], void *item)
{
	UNREFERENCED_PARAMETER(item);

	if (origin != PM_MAIN) {
		return 0;
	}

	/* Entry 0 is the symbol loader, entry 1 the About box. */
	strcpy_s(data, 4000, "0 &SymbolLoader|1 &About");
	return 1;
}

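/*
 * Loads the symbols of one debuggee module and registers them with OllyDbg
 * through the EnumerateSymbols callback.
 *
 * A failure is logged and affects this module only, so the caller can go on
 * with the next one.
 */
static void LoadModuleSymbols(HANDLE hProcess, t_module *Module)
{
	DWORD64           dwModuleBase;
	IMAGEHLP_MODULE64 im;

	Addtolist(0, 1, "Loading Symbols For %s", Module->path);

	/*
	 * NOTE(review): BaseOfDll is passed as 0, so dbghelp takes the load
	 * address from the image file; names may end up on the wrong addresses
	 * for a module that was relocated in the debuggee - confirm.
	 */
	dwModuleBase = SymLoadModuleEx(hProcess, NULL, Module->path, "", 0, 0, NULL, 0);
	if (dwModuleBase == 0) {
		Addtolist(0, 1, "SymLoadModuleEx %s Failed last error returned was %x",
			Module->path, GetLastError());
		/* No base to work with: querying or enumerating base 0 is meaningless. */
		return;
	}

	/* Reset per module so a failed query cannot reuse the previous module's data. */
	memset(&im, 0, sizeof(im));
	im.SizeOfStruct = sizeof(im);
	if (!SymGetModuleInfo64(hProcess, dwModuleBase, &im)) {
		Addtolist(0, 1, "SymGetModuleInfo64 %s Failed last error returned was %x",
			Module->path, GetLastError());
		return;
	}

	if (im.SymType == SymExport || im.SymType == SymNone) {
		Addtolist(0, 1, "Only Export symbols - skipping module %s", Module->name);
		/* Actually skip, as the log line says. */
		return;
	}

	if (!SymEnumSymbols(hProcess, dwModuleBase, "*", EnumerateSymbols, NULL)) {
		/* %x takes a 32-bit argument; an uncast DWORD64 would shift the next one. */
		Addtolist(0, 1, "SymEnumSymbols Failed for %x Getlast Error returned %x",
			(DWORD)dwModuleBase, GetLastError());
	}
}

/*
 * Reads _NT_SYMBOL_PATH, checks that the dbghelp DLLs are in place, then
 * walks OllyDbg's module table and loads symbols for every module.
 *
 * If the path names a symbol server (srv*...), symsrv may go to the network
 * while modules are loaded; on an isolated analysis machine point the
 * variable at a local symbol directory instead.
 *
 * All resources are released on every exit path.
 */
static void LoadDebuggeeSymbols(void)
{
	enum { ENVVAR_SIZE = 4096 };

	const DWORD  EnvCap = ENVVAR_SIZE - 2;
	HANDLE       hProcess = NULL;
	BOOL         SymReady = FALSE;
	LPTSTR       Envvar;
	DWORD        EnvLen;
	t_table     *ModuleTable;
	t_sorted    *sorted;
	int          i;

	Envvar = (LPTSTR)malloc(ENVVAR_SIZE);
	if (Envvar == NULL) {
		Addtolist(0, 1, "SymbolLoader could not allocate memory");
		return;
	}

	EnvLen = GetEnvironmentVariable("_NT_SYMBOL_PATH", Envvar, EnvCap);
	if (EnvLen == 0) {
		Addtolist(0, 1,
			"Set EnivronmemtVariable "
			"_NT_SYMBOL_PATH for symsrv "
			"to fetch or lookup symbol cache ");
		goto out;
	}
	if (EnvLen >= EnvCap) {
		/* The call returns the required size when the buffer is too small;
		   the buffer contents cannot be used in that case. */
		Addtolist(0, 1, "_NT_SYMBOL_PATH is too long for SymbolLoader");
		goto out;
	}

	if (CheckDlls() == FALSE) {
		Addtolist(0, 1,
			"dbghelp.dll or symsrv.dll or both are missing "
			"please put them from windbg installation to ollydbg dir");
		goto out;
	}

	/*
	 * Symbols are loaded from the image paths, so query/read rights are
	 * requested instead of PROCESS_ALL_ACCESS. Besides being broader than
	 * needed, PROCESS_ALL_ACCESS built against a newer SDK is rejected on
	 * older Windows versions.
	 */
	hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
		FALSE, (DWORD)Plugingetvalue(VAL_PROCESSID));
	if (hProcess == NULL) {
		Addtolist(0, 1, "no debuggee found OpenProcess Failed");
		goto out;
	}

	SymSetOptions(SYMOPT_UNDNAME | SYMOPT_CASE_INSENSITIVE);

	if (!SymInitialize(hProcess, Envvar, FALSE)) {
		Addtolist(0, 1, "SymInitialize failed");
		goto out;
	}
	SymReady = TRUE;

	ModuleTable = (t_table *)Plugingetvalue(VAL_MODULES);
	if (ModuleTable != NULL) {
		sorted = &ModuleTable->data;
		for (i = 0; i < sorted->n; i++) {
			/* Entries are itemsize bytes apart; step in bytes, not through an int cast. */
			t_module *Module =
				(t_module *)((char *)sorted->data + (i * sorted->itemsize));

			LoadModuleSymbols(hProcess, Module);
		}
	}

out:
	if (SymReady) {
		SymCleanup(hProcess);
	}
	if (hProcess != NULL) {
		CloseHandle(hProcess);
	}
	free(Envvar);
}

/*
 * Menu action callback exported to OllyDbg.
 *
 * origin - window the action comes from; only PM_MAIN is handled.
 * action - 0 loads symbols for all modules of the debuggee,
 *          1 shows the About box; anything else is ignored.
 * item   - unused.
 *
 * Changes against the listing as posted: the symbol path buffer is checked
 * and freed on every path, a truncated _NT_SYMBOL_PATH is rejected, the
 * debuggee is opened with query/read rights only, and a module that fails
 * to load or enumerate no longer stops the remaining modules (the posted
 * code left the loop with break on a SymEnumSymbols failure).
 */
extc void _export _cdecl ODBG_Pluginaction(int origin, int action, void *item)
{
	UNREFERENCED_PARAMETER(item);

	if (origin != PM_MAIN) {
		return;
	}

	switch (action) {
	case 0:
		Addtolist(0, 1, "SymbolLoader Plugin Was Called");
		LoadDebuggeeSymbols();
		break;

	case 1:
		MessageBox(
			hwmain,
			"SymbolLoader\n"
			"Copyright (C) From Genesis to Eternity Blabberer",
			"SymbolLoader", MB_OK | MB_ICONINFORMATION);
		break;

	default:
		break;
	}
}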

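/*
 * Builds <Drive><Dir><Name>.dll, logs the path and reports whether a regular
 * file exists there. Returns FALSE when the path cannot be built or the file
 * is missing.
 */
static BOOL DllPresentInDir(const char *Drive, const char *Dir, const char *Name)
{
	char  Path[MAX_PATH];
	DWORD Attributes;

	if (_makepath_s(Path, MAX_PATH, Drive, Dir, Name, "dll") != 0) {
		Addtolist(0, 1, "could not build the path for %s.dll", Name);
		return FALSE;
	}

	Addtolist(0, 1, "checking for presence %s ", Path);

	/* An attribute query needs no search handle, so there is nothing to close. */
	Attributes = GetFileAttributes(Path);
	return Attributes != INVALID_FILE_ATTRIBUTES &&
		(Attributes & FILE_ATTRIBUTE_DIRECTORY) == 0;
}

/*
 * Checks that dbghelp.dll and symsrv.dll are present in the directory of the
 * running executable (OllyDbg, which hosts this plugin).
 *
 * Both files are always checked so the log names every missing one.
 * Returns TRUE when both are present, FALSE otherwise or when the
 * executable's path cannot be determined.
 *
 * Changes against the listing as posted: the current process is no longer
 * opened with PROCESS_ALL_ACCESS just to learn its own path, the results of
 * the path helpers are checked, and FindClose is no longer called on
 * INVALID_HANDLE_VALUE when a file is missing.
 */
int _cdecl CheckDlls()
{
	char  Filename[MAX_PATH];
	char  Ollydrive[0x20];
	char  Ollydir[MAX_PATH - sizeof("ollydbg.exe")];
	DWORD Length;
	DWORD status = TRUE;

	/* NULL asks for the path of the current process's executable. */
	Length = GetModuleFileName(NULL, Filename, MAX_PATH);
	if (Length == 0 || Length >= MAX_PATH) {
		/* A result equal to the buffer size means the path was truncated. */
		Addtolist(0, 1, "Path to Ollydbg.exe is not available");
		return FALSE;
	}

	Addtolist(0, 1, "path to ollydbg.exe is %s", Filename);

	if (_splitpath_s(Filename,
			Ollydrive, sizeof(Ollydrive),
			Ollydir, sizeof(Ollydir),
			NULL, 0,
			NULL, 0) != 0) {
		Addtolist(0, 1, "Path to Ollydbg.exe is not available");
		return FALSE;
	}

	if (!DllPresentInDir(Ollydrive, Ollydir, "dbghelp")) {
		Addtolist(0, 1,
			"you need the latest dbghelp.dll in the directory where ollydbg resides");
		status = FALSE;
	}

	if (!DllPresentInDir(Ollydrive, Ollydir, "symsrv")) {
		Addtolist(0, 1,
			"you need the latest symsrv.dll in the directory where ollydbg resides");
		status = FALSE;
	}

	return status;
}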

here is the difference in plugin.h

and here is the complete folder tree

there was a break; in an error clause which resulted in symbols not being loaded if that specific error occurred
fixed it

new src/compiled binary/modified plugin.h/mak files all in one compilable in vc 2010 express
Attachments
PrefastClaen_VC2010_Olly110_SymbolLoaderPlugin.rar
(153.62 KiB) Downloaded 99 times
differenced between alex modified pdk plugin.h and my mods to it.jpg
5aLIVE
Senior Member
Posts: 215
Joined: Tue Dec 16, 2003 7:35 am

Post by 5aLIVE »

Better a late reply of feedback than none at all. Your plugin loaded, then downloaded and loaded symbols for me without a hitch.
Nice work. :)