Jump to content
Tuts 4 You

About This File

Analysing unknown binaries especially malware drivers without symbols is a very tedious affair. This WinDBG extension is an effort to reduce the tediousness by transferring the names IDA generated to WinDBG. Run the IDC script to dump names to a sym file and use the extension in WinDBG to resolve the symbols from that file. The IDC script (tested in IDA Free 5 only and hacks are IDA Free 5). It loads the inputfile and gets IMAGE_NT_HEADERS->OptionalHeader->BaseofCode and creates a variable to subtract which is the difference between IDC function FirstSeg()-BaseofCode (namely ImageBase). Then enumarates Name from FirstSeg() to MaxEA(); and dumps the bare offsets (RVA - IMAGEBASE ) and names to a file c:\\idasym\\GetInputFile().idasym in a format compatible to strtoul&sprintf() like: 00000300,DriverEntry 00017ce5,SomeCrapFunction() 00100000,aURLhttp://malwarebasedotcom/malware/foo.exe Bare offsets are dumped because it doesnt require rebasing in IDA and wouldnt have to worry about ASLR in WinDBG. Also bare offsets can help in naming virtual allocated blocks manually create an idasymfile with offset, name point it with an address in WinDBG and all offsets relative to that address will be named appropriately. Simply analyse with IDA and MakeName (visible in names window | publics) run the IDC script in IDA to overwrite an existing idasym file or create a new one. Do !addsym in WinDBG for an updated disassembly.


What's New in Version 03/07/2020 06:45 AM   See changelog

Released

No changelog available for this version.


User Feedback

Recommended Comments

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...