Dbghelp.dll ollydbg error

This page collects several sources that touch dbghelp.dll as it is used by OllyDbg and other Windows tooling: a Code::Blocks build thread in which a stripped dbghelp.dll was reported as broken, a DarunGrim post on Frida's dbghelp.dll-based symbol lookup and its new symbol server support, a walk-through of the Bolzano virus in OllyDbg, rewolf's note on a crash caused by an old dbghelp.dll (5.1.3590.0) that newer versions do not have, and a forum question about symbol loading in OllyDbg.


Build C::B against wx3.02 with gcc 5.2 under Windows


ollydbg:

--- Quote from: stahta01 on September 28, 2015, 04:13:20 pm ---
--- Quote from: ollydbg on September 28, 2015, 03:47:15 pm ---I think I may have met a GCC issue which causes the crash I reported in this thread.
Now, I have just finished building the wx3 library in debug mode with the command line:

After that, when testing the built C::B, I don't have any crash when disabling or enabling plugins. I even stripped all the debug information (both the C::B related binaries and the wx3 library dll), and it also works fine. So, I believe the crash bug comes from the mingw-build gcc 5.2.

Another issue I encountered is that after running "update30.bat", I can't start codeblocks.exe from the output30 folder. I checked the codeblocks.exe in the output30 folder with the Dependency Walker tool, and it said the "dbghelp.dll" file is broken. How would that happen? (I think I used a wrong strip.exe, because I put a strip.exe in a common folder; that strip.exe is quite old, its build time was 2011-03-20, so maybe I need to use the strip.exe that comes from the newer gcc suite.) To solve the issue, I just copied the "dbghelp.dll" from the devel30 folder to the output30 folder, and now codeblocks.exe works fine.  :)

--- End quote ---

I do NOT strip the DLLs put into output30 because no Compilers are in my path.

--- End quote ---
I also have no Compilers in my PATH, but I have put an old "strip.exe" in my PATH.


--- Quote ---Do you still want the Zipped Binary of my CB build?
I am uploading it right now. I am guessing 30 minutes to finish uploading.
Tim S.

--- End quote ---
Yes, I need that, I want to see whether your built binary crashes in my system. Thanks.

stahta01:

--- Quote from: ollydbg on September 28, 2015, 04:17:30 pm ---Yes, I need that, I want to see whether your built binary crashes in my system. Thanks.

--- End quote ---

PMed link to you.

Please confirm you received it; and it unzips good; I hope to delete that old location today.

Tim S.

scarphin:

--- Quote from: ollydbg on September 28, 2015, 03:47:15 pm ---EDIT:
When using the BUILD=debug option to build wxWidgets 3.0.2, it actually uses the "-O0" option for the G++ compiler, while BUILD=release uses the "-O2" option instead, thus I believe "-O2" causes the crash issue.

--- End quote ---
I use '-O3' for my x32 and x64 builds all the time and I don't have such a crash issue. My version of mingw-builds is 4.9.2 though. I used your method to overcome the pch issue to be able to compile 64-bit cb. Maybe you should try '-O3'.

ollydbg:

--- Quote from: stahta01 on September 28, 2015, 04:41:30 pm ---
--- Quote from: ollydbg on September 28, 2015, 04:17:30 pm ---Yes, I need that, I want to see whether your built binary crashes in my system. Thanks.

--- End quote ---

PMed link to you.

Please confirm you received it; and it unzips good; I hope to delete that old location today.

Tim S.

--- End quote ---

Hi, Tim, thanks.
I just tested your built version, and by enabling and disabling several plugins, I still see the crash.  :(
Here is the codeblocks.RPT:

--- Code: ---codeblocks.exe caused an Access Violation at location 69E8C5E5 in module wxmsw30u_gcc_mingw_builds.dll Reading from location 00000010.

Registers:
eax=6abc9220 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00040be8
eip=69e8c5e5 esp=0022d684 ebp=0a365f18 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

AddrPC   Params
69E8C5E5 00040BE8 00000001 00000016  wxmsw30u_gcc_mingw_builds.dll!wxWindow::FindItemByHWND(HWND__*, bool) const
69E8DC28 0022D830 00000133 4E01187C  wxmsw30u_gcc_mingw_builds.dll!wxWindow::HandleCtlColor(HBRUSH__**, HDC__*, HWND__*)
69E897A0 77F1E10B 0301112F 00000133  wxmsw30u_gcc_mingw_builds.dll!wxWindow::MSWWindowProc(unsigned int, unsigned int, long)

codeblocks.exe 13.12.0.0
ntdll.dll    5.1.2600.6055
kernel32.dll 5.1.2600.6532
COMCTL32.DLL 5.82.2900.6028
ADVAPI32.dll 5.1.2600.5755
RPCRT4.dll  5.1.2600.6477
Secur32.dll 5.1.2600.5834
GDI32.dll    5.1.2600.6460
USER32.dll  5.1.2600.5512
libgcc_s_dw2-1.dll
msvcrt.dll  7.0.2600.5512
libwinpthread-1.dll 1.0.0.0
SHELL32.dll 6.0.2900.6242
SHLWAPI.dll 6.0.2900.5912
SHFOLDER.DLL 6.0.2900.5512
libstdc++-6.dll
wxmsw30u_gcc_mingw_builds.dll 3.0.2.0
...
...

--- End code ---
This is very similar to the crash report I see in my self-built C::B.
Thanks.

stahta01:
New warning that looks like a real problem to me.

MSys2 32 bit MinGW GCC 5.2 compiler.

Tim S.


--- Code: ---src\plugins\contrib\wxSmith\wxwidgets\defitems\wxsfontpickerctrl.cpp

Frida has become more popular recently because of how convenient it is to install hooks written in JavaScript. I have seen a lot of research using Frida on mobile platforms, but Windows usage seems to be gaining traction recently. At DarunGrim, we are researching new methodology that security researchers can use in their day-to-day work, and Frida is one of the tools we thought could be useful for Windows reverse engineering. During our testing, however, we found that its symbol lookup capability was a limiting factor for broader use of the tool. We made improvements, and they are now available in Frida 12.9.8. We are really thankful to Ole André Vadla Ravnås for his help in merging the changes.

We will go through the changes briefly and then explain how the improved symbol lookup can be used in real-world problem solving.

Frida 12.9.8 Improvements

Frida uses the dbghelp.dll APIs to look up symbols on Windows, but it lacked symbol server support. We added symbol server support and improved how symbol strings are passed on Windows. The older implementation took some time to look up each symbol because it used wildcard module names and searched every module; now you can specify the module name, which speeds up the lookup.

New Frida builds ship symsrv.dll alongside dbghelp.dll, so symbol servers, including the Microsoft symbol server, are supported.

These are the changes we made with help from Ole.

Case Study: Analyzing Office Macro Behavior

With the improved Frida functionality, here is an Office macro malware example that we want to analyze in depth with Frida.

Injection and instrumentation

The following diagram shows how Frida generally installs hooks and receives messages from the installed hooks.

Three objects are involved in this process to manage hook installation: frida, session, and script. The hooking callback is written in JavaScript.

The following code shows how these objects are used to install the JavaScript hooking code held in the self.script_text variable into the process identified by process_id.

code.py

Symbol Lookup: resolveName

Frida's JavaScript APIs are well described in the API documentation.

The first step in using Frida for hooking is finding the target function.

If the function is exported, you can just call Module.findExportByName with the DLL name and the exported function name.

But if the function is not exported and is only recorded in a PDB symbol file, for example, you can call DebugSymbol.getFunctionByName. With Frida 12.9.8, you can pass the "DLLName!FunctionName" notation, which designates a specific function more accurately and locates it faster.

Loading symbols for a module can be slow because they may come from a remote symbol server, so call DebugSymbol.load for the modules you need, and only those, so that a minimal set of symbols is loaded.

Here is example code that uses Module.findExportByName and the DebugSymbol methods to look up any symbolized or exported function. It uses a dictionary to cache its findings so that no lookup is done twice; this saves overall symbol lookup time when you are hooking a very large number of functions.

vbe.js

Setting Symbol Path

There are different ways to set up a symbol server on Windows; we suggest setting the _NT_SYMBOL_PATH variable from the command line. "Symbol path for Windows debuggers" has a good description of the variable's usage.

The following uses "c:\symbols" as the local symbol store that caches downloads from the official Microsoft symbol server.

The following command lets the system use the default symbol storage directory.
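As an added example (not code from the DarunGrim post or from Frida), the following Python shows what a debugger does with that variable: it builds the srv*<cache>*<server> element, splits a symbol path into its tiers, and computes the store key under which dbghelp/symsrv request a PDB (from the GUID and age in the RSDS CodeView record) or a binary (from its TimeDateStamp and SizeOfImage). The RSDS record, GUID and age used as input are constructed; the server URL is Microsoft's public symbol server.

```python
"""Symbol path and symbol-store key arithmetic (added example)."""
import struct
import uuid
from typing import List, Tuple

MS_SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def make_symbol_path(local_store: str, upstream: str = MS_SYMBOL_SERVER) -> str:
    """Build the 'srv*<local cache>*<upstream server>' element that dbghelp/symsrv
    understand; this is the value to put in _NT_SYMBOL_PATH."""
    return f"srv*{local_store}*{upstream}"


def parse_symbol_path(sympath: str) -> List[Tuple[str, List[str]]]:
    """Split a symbol path into (kind, tiers). Elements are ';'-separated.
    'srv*a*b*c' and 'cache*dir' are server chains whose '*' parts are tiers,
    searched left to right (caches first, the real server last); anything else
    is treated as a plain directory. The 'symsrv*<dll>*...' form is not handled."""
    entries = []
    for element in filter(None, (e.strip() for e in sympath.split(";"))):
        parts = element.split("*")
        if parts[0].lower() in ("srv", "cache") and len(parts) > 1:
            entries.append((parts[0].lower(), parts[1:]))
        else:
            entries.append(("dir", [element]))
    return entries


def pdb_store_key(pdb_name: str, rsds_record: bytes) -> str:
    """Symbol-store relative key for a PDB, derived from the RSDS CodeView record
    reached through the PE debug directory:
        'RSDS' | GUID (16 bytes, Windows byte order) | Age (u32 LE) | PDB path
    Key layout: <pdb>/<GUID as 32 upper-case hex digits><Age in hex>/<pdb>"""
    if rsds_record[:4] != b"RSDS":
        raise ValueError(f"not an RSDS record: {rsds_record[:4]!r}")
    guid = uuid.UUID(bytes_le=rsds_record[4:20])
    (age,) = struct.unpack_from("<I", rsds_record, 20)
    return f"{pdb_name}/{guid.hex.upper()}{age:X}/{pdb_name}"


def image_store_key(file_name: str, time_date_stamp: int, size_of_image: int) -> str:
    """Key for the executable image itself (how a debugger fetches e.g. a
    matching ntdll.dll): <name>/<TimeDateStamp 8 hex><SizeOfImage hex>/<name>."""
    return f"{file_name}/{time_date_stamp:08X}{size_of_image:X}/{file_name}"


def resolve_locations(sympath: str, key: str) -> List[str]:
    """Every location a debugger would probe for 'key', in search order."""
    locations = []
    for _kind, tiers in parse_symbol_path(sympath):
        for tier in tiers:
            sep = "/" if "://" in tier else "\\"
            locations.append(tier.rstrip("\\/") + sep + key.replace("/", sep))
    return locations


# Constructed RSDS record: GUID and age are made up, not from a real ntdll build.
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("12345678-9abc-def0-1234-56789abcdef0").bytes_le
    + struct.pack("<I", 2)
    + b"ntdll.pdb\x00"
)

if __name__ == "__main__":
    sympath = make_symbol_path(r"c:\symbols")
    key = pdb_store_key("ntdll.pdb", SAMPLE_RSDS)
    print(sympath)
    for loc in resolve_locations(sympath, key):
        print(" ", loc)
```

The key derivation is why a debugger refuses a PDB that merely has the right name: the GUID and age must match the record in the loaded image, and a local cache such as c:\symbols is searched under exactly the same key before the server is contacted.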

Running Malware and Observing Behavior

We used the following sample to test Frida's improved symbol lookup capability. It has some obfuscation that can be easily analyzed with Frida hooks.

The code presented here can be found in the following GitHub repository.

Frida.examples.vbe

So, when you have launched a Word process and its process id is 3064, the following command installs the hooks from vbe.js included in the repository. After installing the hooks, open the malicious document to observe its behavior.

Hooks For Monitoring Office Macro Behavior

vbe.js has a few interesting hooks for monitoring the behavior of malicious Office documents.

__vbaStrCat

vbe7.dll is the DLL that hosts the Visual Basic runtime engine. There are tons of interesting functions inside, but first we wanted to observe string de-obfuscation operations.

vbe7!__vbaStrCat is the function called when strings are concatenated in Visual Basic.

Many macro-based malware documents use string-based obfuscation. By observing string concatenation, you can watch the final de-obfuscated strings being constructed.

The following hooking code prints the concatenated string for each call.

vbe.js

This is one example output that shows the final de-obfuscated string.

Here is another example that shows how the "WScript.Shell" string is constructed from obfuscated pieces.

rtcCreateObject2

One of the many behaviors malicious macros show is creating objects to perform system operations. The function that performs this action is rtcCreateObject2.

rtcCreateObject2 is called whenever a new object is created in the VB engine.

The following hook monitors the args[2] argument (wchar_t *Str2), which holds the name of the object being created.

vbe.js

The example session showed the CreateObject method creating a WScript.Shell object. This object is used to run external commands from the script, so we can expect the script to run an external malicious command.

DispCallFunc

Another interesting API is DispCallFunc, which is used to call COM methods. By monitoring it, we gain better insight into what the malware is trying to do.

The prototype of the function looks like following.

The first argument, pvInstance, is a pointer to the COM instance, and the second, oVft, is the byte offset of the method in the object's vtable. The first pointer-sized field of a COM object is its vtable pointer, so the method that will eventually be called is the function pointer stored at *pvInstance + oVft.

The following hook prints the actual COM method name and its first instructions. Frida has APIs to disassemble instructions, which is really useful here.

The following example output shows a COM method call to wshom.ocx!CWshShell::Run.

You can also add a callback on the Frida device object to monitor process creation. The following shows a rundll child process being used to run PowerShell through the main function of powershdll.dll.
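The double dereference behind the DispCallFunc hook, as an added example that is not part of vbe.js or of the post: the code below resolves the DispCallFunc target from a constructed 32-bit memory image and labels it from a symbol table, the way a hook would label it with DebugSymbol.fromAddress. The instance address, vtable address, slot number 12 and the address labelled wshom.ocx!CWshShell::Run are made up for the illustration; only the arithmetic is the real technique.

```python
"""DispCallFunc target resolution: *(*pvInstance + oVft) (added example)."""
import struct
from typing import Dict

POINTER_SIZE = 4   # 32-bit Office as in the post; a Frida hook would use Process.pointerSize


class Memory:
    """Tiny constructed address space standing in for the debuggee's memory."""

    def __init__(self) -> None:
        self.chunks: Dict[int, bytes] = {}

    def write(self, addr: int, data: bytes) -> None:
        self.chunks[addr] = bytes(data)

    def read(self, addr: int, size: int) -> bytes:
        for base, blob in self.chunks.items():
            if base <= addr and addr + size <= base + len(blob):
                off = addr - base
                return blob[off:off + size]
        raise MemoryError(f"unmapped read of {size} bytes at {addr:#010x}")

    def read_ptr(self, addr: int) -> int:
        return int.from_bytes(self.read(addr, POINTER_SIZE), "little")


def resolve_dispcall_target(mem: Memory, pv_instance: int, o_vft: int) -> int:
    """Address DispCallFunc will call: the vtable pointer is the first field of a
    COM object, and oVft is a byte offset into that vtable (slot = oVft / ptr size)."""
    if o_vft % POINTER_SIZE:
        raise ValueError(f"oVft {o_vft:#x} is not pointer aligned")
    vtable = mem.read_ptr(pv_instance)
    return mem.read_ptr(vtable + o_vft)


def symbolize(addr: int, symbols: Dict[int, str]) -> str:
    """'module!name[+off]' using the nearest preceding symbol, the way a
    debugger (or Frida's DebugSymbol.fromAddress) labels an address."""
    candidates = [(a, n) for a, n in symbols.items() if a <= addr]
    if not candidates:
        return f"{addr:#010x}"
    sym_addr, name = max(candidates)
    off = addr - sym_addr
    return name if off == 0 else f"{name}+{off:#x}"


def build_sample():
    """Constructed scene: a fake WScript.Shell instance whose vtable slot 12
    points at a made-up address labelled wshom.ocx!CWshShell::Run. None of
    these addresses come from a real wshom.ocx."""
    mem = Memory()
    vtable_addr = 0x6E1301A0
    slots = [0x6E114000 + 0x40 * i for i in range(16)]   # 16 made-up method entry points
    slots[12] = 0x6E1183C0
    mem.write(vtable_addr, b"".join(struct.pack("<I", s) for s in slots))
    instance = 0x00A5C3E8
    mem.write(instance, struct.pack("<I", vtable_addr) + b"\x00" * 28)  # vptr + padding
    symbols = {
        0x6E114000: "wshom.ocx!CWshShell::QueryInterface",
        0x6E1183C0: "wshom.ocx!CWshShell::Run",
    }
    return mem, instance, symbols


if __name__ == "__main__":
    mem, inst, syms = build_sample()
    o_vft = 12 * POINTER_SIZE
    target = resolve_dispcall_target(mem, inst, o_vft)
    print(f"DispCallFunc(pvInstance={inst:#010x}, oVft={o_vft:#x}) -> {symbolize(target, syms)}")
```

In a real hook the two reads are `args[0].readPointer()` and `.add(args[1].toInt32()).readPointer()`; the alignment check and the unmapped-read failure are the two ways the calculation goes wrong on a hostile instance pointer, so a hook should tolerate both rather than crash the debuggee.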

Conclusion

Frida is the most convenient and handy dynamic analysis tool I have ever used on Windows. WinDbg, OllyDbg and PyKD exist for advanced reverse engineering, and they have their places. But for really quick and repetitive analysis work, Frida is more than enough, with powerful capabilities for dumping and analyzing program behavior. With Frida 12.9.8, we now have better symbol handling, which will increase overall usability and productivity.

Training Information

DarunGrim is a threat intelligence and knowledge company. We provide training on using Frida for Windows reverse engineering. Please contact us for details.


How to obtain decrypted virus body of Bolzano virus using Ollydbg 1.10 debugging on windows OS

I don't have
Also, your link points to several samples.
Providing the exact sample can eliminate ambiguities while answering.

Here is a small walk-through, using a basic hex editor and a basic disassembler, of why it might be possible for that exception to be generated.

downloaded the first sample from openmalware

drag dropped to

unzipped using given password infected

drag dropped into

all three checksums match ok

http://msdn.microsoft.com/en-us/library/ms809762.aspx

using ollydbg as a disassembler

ctrl+g 100

pe header shows

so we can start disassembling at 0x600

disassembly

virtual size of section is 1000 as we saw earlier
so it jumps to next section
next section starts at 0x800 as we saw earlier

disassembly

following

ctrl+g 805 disassemble

for byte scanning purposes
looks if all 100 bytes starting at 10c00 are zero
if they are zero sets (win nt k32 base no aslr fixed)
else to (win 95 / 98 kernel32 base no aslr fixed)
esi to some offset

compares in k32 dll

for this pattern

for this pattern

jumps to ok or not ok

if it finds the pattern will go to 850

else 91b

at 91b there is

so this will return to 920 (see above retn to 402005)

this will retn to kernel or exit thread address (pushad == 0x20)
all else are junk
the exe contains nothing at 204f to 224f, so it will simply exit via retn
(184f+800 ecx = 40 two lodsd = 80 dwords = 200 bytes = 224f)

if the region compared ok to retn value - 5 (see sub edx,5)
the app will crash and ollydbg can issue that warning

OllyDbg will show "Don't know how to step because memory at address 0 is not readable. Try changing EIP or pass exception to program" if it reaches here.

disassembling at 850 or 402050

byte pattern at 16ee

disassembling further

try walking ahead a bit :)
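The walk-through jumps between file offsets (0x600, 0x805, 0x850) and addresses (0x402005, 0x402050) by reading the section table. As an added example, independent of the answer above, here is that RVA/VA to file offset mapping in Python over a constructed PE32 header whose two sections mirror those numbers (raw data at 0x600 and 0x800, image base 0x400000); no bytes of the actual sample are used.

```python
"""PE header walk: map RVA/VA <-> file offset (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int

    def contains_rva(self, rva: int) -> bool:
        # A section spans the larger of its two sizes (linkers round either one).
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


@dataclass
class PEInfo:
    image_base: int
    entry_point_rva: int
    size_of_headers: int
    sections: List[Section]


def parse_pe(data: bytes) -> PEInfo:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(COFF_HEADER, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    if magic == 0x10B:                                   # PE32
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == 0x20B:                                 # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (size_of_headers,) = struct.unpack_from("<I", data, opt_off + 60)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        sections.append(Section(name.rstrip(b"\x00").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return PEInfo(image_base, entry_rva, size_of_headers, sections)


def rva_to_offset(pe: PEInfo, rva: int) -> Optional[int]:
    """File offset backing an RVA, or None if the RVA is virtual-only (e.g. .bss)."""
    if rva < pe.size_of_headers:
        return rva                                       # headers are mapped 1:1
    for s in pe.sections:
        if s.contains_rva(rva):
            delta = rva - s.virtual_address
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None


def va_to_offset(pe: PEInfo, va: int) -> Optional[int]:
    return rva_to_offset(pe, va - pe.image_base)


def offset_to_va(pe: PEInfo, offset: int) -> Optional[int]:
    """Inverse mapping: the address OllyDbg shows for a file offset (ctrl+g target)."""
    for s in pe.sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return pe.image_base + s.virtual_address + (offset - s.raw_pointer)
    return None


def build_sample_pe() -> bytes:
    """Constructed PE32 header, no real code: two sections whose raw data start at
    0x600 and 0x800 with image base 0x400000, mirroring the walk-through's numbers."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1000, 0x1000, 0x200, 0x600, 0x60000020),
        (b".data", 0x1000, 0x2000, 0x200, 0x800, 0xC0000040),
    ]
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)      # SizeOfImage, SizeOfHeaders
    coff = struct.pack(COFF_HEADER, 0x14C, len(sections), 0x4A5BC3E1, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack(SECTION_HEADER, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return (dos + b"PE\x00\x00" + coff + bytes(opt) + table).ljust(0xA00, b"\x00")


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"entry point RVA {pe.entry_point_rva:#x} -> file offset {rva_to_offset(pe, pe.entry_point_rva):#x}")
    print(f"file offset 0x805 -> VA {offset_to_va(pe, 0x805):#x}")
```

The None result for an RVA past a section's raw data is the case the walk-through hits when the first section is 0x1000 bytes virtually but only a few hundred bytes on disk: code "jumps to the next section" in memory, while in the file the bytes simply are not there.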

Post moved from OpenRCE, original date: Friday, January 30 2009

Recently I've come across some "strange" problems while loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick research I figured out that the problem lay in the extension of the loaded file. In fact, the problem lay in the old version of dbghelp.dll (5.1.3590.0). I asked Google if "she" (or "he", who knows) knew something about this bug, and that was a good choice. I found a discussion on the tuts4you forum:

hxxp://forum.tuts4you.com/index.php?showtopic=16445

and a link to an exploit on milw0rm:

http://www.milw0rm.com/exploits/6031

As you can read, it was related to an "export name buffer overflow vulnerability". My problem was different, but debugging OllyDbg led me to the call to SymLoadModule at the same place as in the mentioned exploit. Further debugging revealed that my problem is related to the wrong use of the _splitpath function from msvcrt.dll. The calling tree looks like this:

The function FileNameIsPdb has a local variable:

which is passed to _splitpath, and if our prepared file extension is longer than 20 bytes it overwrites values on the stack: the next 8 bytes overwrite some local variables, and finally the next 4 bytes overwrite the return address:

That is not enough to crash OllyDbg, though (for exploitation it should be sufficient), because there is an SEH handler that can deal with this stack corruption. I figured out that overwriting another 26 bytes should crash OllyDbg, so the file extension should look like this:

If someone has not updated dbghelp.dll in the OllyDbg directory, we can use this method as a simple anti-debug trick. We don't need to rename the executable to such a form; we can drop a sample DLL (with a malformed extension) on the disk during execution of the program and just load it with the LoadLibrary function. Development of an exploit could prove problematic because of the limited charset that can be used to craft a filename.

This bug cannot be applied to newer versions of dbghelp.dll.

Original paper at: http://rewolf.pl/stuff/rewolf_dbghelp.txt
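To make the stack arithmetic above concrete, here is an added example (mine, not rewolf's): it reproduces the sizes he quotes (20-byte buffer, 8 bytes of locals, 4-byte return address, 26 further bytes), builds a file name with an over-long extension of the shape he describes, and flags module paths whose extension would not fit the buffer. The exact point at which _splitpath splits off the extension is an assumption documented in the code, and the thresholds apply only to the old dbghelp.dll build he analysed.

```python
"""Over-long extension vs. FileNameIsPdb's 20-byte _splitpath buffer (added example)."""
import re

# Sizes as quoted in the post; they belong to dbghelp.dll 5.1.3590.0 specifically.
EXT_BUFFER = 20           # local buffer _splitpath() writes the extension into
LOCALS_AFTER_BUFFER = 8   # bytes of locals between the buffer and the saved return address
RETURN_ADDRESS = 4
SEH_CLOBBER = 26          # further bytes the author needed to get past the SEH handler
CRASH_EXT_LEN = EXT_BUFFER + LOCALS_AFTER_BUFFER + RETURN_ADDRESS + SEH_CLOBBER  # 58

# Characters Windows rejects in a file name component; they bound the exploit charset.
FORBIDDEN_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}


def splitpath_ext(path: str) -> str:
    """The 'ext' component _splitpath() produces: from the last '.' of the final
    path component to its end, leading '.' included (assumption about the exact
    split; it matches the CRT documentation for ordinary names)."""
    component = re.split(r"[\\/]", path)[-1]
    dot = component.rfind(".")
    return "" if dot < 0 else component[dot:]


def stack_effect(ext_len: int) -> str:
    """What an extension of ext_len bytes reaches in the frame the post describes."""
    if ext_len <= EXT_BUFFER:
        return "fits"
    if ext_len <= EXT_BUFFER + LOCALS_AFTER_BUFFER:
        return "locals"
    if ext_len <= EXT_BUFFER + LOCALS_AFTER_BUFFER + RETURN_ADDRESS:
        return "return address"
    if ext_len < CRASH_EXT_LEN:
        return "return address, SEH recovers"
    return "crash"


def make_crasher_name(stem: str = "sample", fill: str = "A", ext_len: int = CRASH_EXT_LEN) -> str:
    """File name whose extension is ext_len filler bytes after the dot: the
    anti-debug DLL name the post suggests dropping and loading with LoadLibrary."""
    if len(fill) != 1 or fill in FORBIDDEN_CHARS:
        raise ValueError("fill must be a single character legal in a Windows file name")
    return f"{stem}.{fill * ext_len}"


def risky_module_names(paths, limit: int = EXT_BUFFER):
    """Paths whose extension would not fit the buffer: what a harness that loads
    untrusted modules into a debuggee could check before LoadLibrary."""
    return [p for p in paths if len(splitpath_ext(p)) > limit]


if __name__ == "__main__":
    name = make_crasher_name()
    print(name, "->", stack_effect(len(splitpath_ext(name))))
```

The charset limit the post mentions shows up as the FORBIDDEN_CHARS check: a return address or shellcode that needs a byte such as 0x3F ('?') or 0x5C ('\\') cannot be expressed in a file name at all, which is what makes the bug easy to use as a crash and hard to use as an exploit.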

OllyDbg is able to use dbghelp. dll and symsrv. dll to show extended debug information, such as the module source code (if referenced by the debug information) or module symbols from a PDB file (which can be fetched from the Microsoft Symbol Server for system modules).

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when Version 1.10 is the final 1.x release. Version 2.0 was released in June 2010, and OllyDbg has been rewritten from the ground up in this release.

Ollydbg is implemented as a dll so to create ollydbg plugin you have to When I tried to build project I got unresolved external symbols error. A typical vishing system will reject ask for log in PIN and it will reject log-ins

The Definitive Guide and Tutorial to Debugging with Mr. Exodia's x64_dbg. Welcome to this short, introductory tutorial for using x64dbg by Mr. Exodia. The options here are just like those found in ollydbg 1.10 with a few

In most cases, to debug a.dll, you'll want to write a small program to You can use ollydbg or windbg to load your.exe and trace through the.dll code. first to get an overview over the unknown binary, then use ollydbg or

The other aspect of this is how to reverse engineer any EXE to crack the Reverse engineers analyze your source code in assembly language Once we find that, we have to check out if it's calling convention code - A jump.

Symbol Servers; Using the Microsoft Symbol Server; Getting Symbols Manually By default, PDB files contain the following information: You can also set up a private symbol server for your company, team or network, which

its source code by exercising advance reverse engineering mechanism. Now the real assault begins, download the OllyDBG tool from its official is occur that how to determine which section of assembly code in the

So when do you use WinDbg, when do you use OllyDbg/X64Debug, and WinDbg is a kernel mode debugger developed by Microsoft which can Intro to Blackbox Fuzzing: Binary-only fuzzing (pdfinfo) using AFLplusplus.

udl image libraries, replace scan of object files from v1.10; Search for integers and floats in dump; Search for procedures (entry points); Limited support for NTFS

practical step by step tutorial can be taken as without difficulty as picked to act. Authorama offers up a good OllyDbg 2.0 help file - ZenK-Security. Working With

On the other hand, IDA Pro of Hex-Rays proved itself as a useful tool, very handy. The bottom line - when in June 2010 version 2.0 of OllyDBG was released, it was

hlp, not included due to copyright reasons), you can attach it and get instant help on system API calls. Startup. You can specify executable file in command line,

OllyDbg 2.0 help file - ZenK-Security. OllyDbg Plugins: OllyScript: SHaG: OllyScript is a plugin for OllyDbg, which is, in my opini. Nov 20, 2007: Catcha! mikado:

snippets and scripts. This project is an open repository for all reverse engineering related code snippets, scripts, plugins and applets. See http://openrce.org

Fill Openrce Fax, download blank or editable online. Sign, fax and printable from PC, iPad, tablet or mobile with PDFfiller ✓ Instantly ✓ No software. Try Now!

Reverse Engineering. Malware dissection, vulnerability discovery, interoperability, recovery, etc. Fuzzing. Custom fuzzers to blow up your software before your

OllyDbg 2.0 includes built-in help on all 80x86 integer and floating-point commands. If you possess. Windows API help (win32.hlp, not included due to copyright

Displaying IDA names in x64dbg or OllyDbg. The plugin labeless (https://github.com/a1ext/labeless) was created for exactly this purpose. You can now also use

Background. Debugging symbols are required to debug running systems or crash dump files. Symbols contain information that is not used by binaries as they run

OllyDbg 2.0 is rewritten from scratch. No, plugins are not yet implemented. Yes, they will be implemented again - presumably in v2.02. December 3, 2009 The

Step Tutorial under Windows 2000 and. Windows XP, but should work. OllyDbg 2.0 help file - ZenK-. Security. Working With Ollydbg A. Practical Step By Step.

This trick works under Windows XP, but I am not sure whether Vista/Win7 use the New is support for symbol server, stack walking using dbghelp and names of

OllyDbg is a 32-bit assembler level analysing debugger for Microsoft OllyDbg is a shareware, but you can download and use it for free. ollydbg 2.0 screen.

Plugins compiled for OllyDbg 2.01 beta are 100% compatible with v2.01. to compile a plugin, I must change several options, like unsigned characters, byte

This tutorial shows how to use Olly Debugger to force a program to show you the 24. HowTo: Using OllyDbg v2.1d and v2.1.0.4 with MS debug symbols server.

Plugins compiled for OllyDbg 2.01 beta are 100% compatible with v2.01. PDK will be updated soon Preliminary version of Disassembler 2.01 is almost ready.

Immunity Debugger is a powerful new way to write exploits, analyze malware, shortcuts as if they were in a typical text-based debugger, such as WinDBG or

Ollydbg um debbuger gr fico que tenha sido focado em modo usu rio por longo tempo. Howto using ollydbg v2.1d and v2.1.0.4 with ms debug symbols server.

Debug symbols allow you to have better debugging sessions. They have information about the functions contained in executables and dynamic libraries and

Symbols on Demand (an OllyDbg plugin). OllyDbg is able to use dbghelp.dll and symsrv.dll to show extended debug information, such as the module source

If you have new(2010 or newer) vcredist HowTo: Using OllyDbg v2.1d and v2.1.0.4 with MS debug symbols server. OllyDbg 2.0 overview OllyDbg. Page 19/41

[PDF] Manual Unpacking Of Upx Packed Executable Using Ollydbg and. OllyDbg 2.0 help file - ZenK-Security OllyDbg Plugin API v1 - Documentation & Help

Introduction. Have you ever been trying to reverse a specific function in an application, but cannot really find it? For instance, let us assume you

I looked at several process-dumping plugins compatible with OllyDbg version 2.01. My favorite one is OllyDumpEx by low_priority. It offers a lot of

dll and newer versions of dbghelp.dll (in start directory) to fetch symbolic information. I assume "set symbols path" option in ollydbg corresponds

When the source code is not provided, it is still possible to patch the normally forced by the software vendor in order to test the robustness of

OllyDbg is an application for compiling and analyzing code, as it will allow users to view information about the code and much more. It provides

If you include the string srv* in your symbol path, the debugger uses a symbol server to get symbols from the default symbol store. For example,

Next Comment on Symbols on Demand (an OllyDbg plugin) by NicePlugin. Previous Comment on 7+ Taskbar Numberer: taskbar numbers for Utter Command

(6) Series-Labeless Introduction; (24) Series-Reversing With IDA From Scrach a debugging session (WinDbg/GDB/LLDB/OllyDbg/OllyDbg2/x64dbg) with

It explains how to use the Microsoft symbol server, and also how to set up Sometimes it's possible to look at the raw values on the stack, and

Contribute to trietptm/OllyDbg-Archive development by creating an account on GitHub. Use dbghelp to walk stack0. Use Microsoft Symbol Server0.

What's new in OllyDbg 2.01: OllyDbg is a software solution built specifically for debugging multi-thread programs. The application is able to

PDB files; DBG files and embedded debug information. Normally, debugging information is stored in a symbol file separate from the executable

i try reversing program with ollydbg2.01, but i Noticed strange thing with ollydbg when try debug program in log file i have 76FC0000 Module

When the source code is not provided, it is still possible to patch the in order to test the robustness of software copy protection sachem.

Although OllyDbg is free, it is NOT open source as we do not have access As you can see below, Olly, takes the code and breaks into several

Hi the secret is 'openrce-2014'. Site is pretty much an archive at this point. Completely out of date. I haven't had any amazing ideas for

OllyDbg 2.01 LATEST. Requirements: Windows XP / Vista / Windows 7 / Windows 8 / Windows 10. User Rating: Click to vote. Author / Product:.

Run trace

How to obtain decrypted virus body of Bolzano virus using Ollydbg 1.10 debugging on windows OS

I don't have
Also your link points to several samples
Providing exact of the sample can eliminate ambiguities while answering

here is a small walk through using basic hex editor and a basic disassembler of why it might be possible for that exception to be generated.

downloaded the first sample in openmalware

drag dropped to

unzipped using given password infected

drag dropped into

all three checksums match ok

http://msdn.microsoft.com/en-us/library/ms809762.aspx

using ollydbg as a disassembler

ctrl+g 100

pe header shows

so we can start disassembling dbghelp.dll ollydbg error 0x600

disassembly

virtual size of section is 1000 as we saw earlier
so it jumps to next section
next section starts at 0x800 as we saw earlier

disassembly

following

ctrl+g 805 disassemble

for byte scanning puproses
looks if all 100 bytes starting at 10c00 are zero
if they are zero sets (win nt k32 base no aslr fixed)
else to (win 95 / 98 kernel32 base no aslr fixed)
esi to some offset

compares in k32 dll

for this pattern

for this pattern

jumps to ok or not ok

if it finds the pattern will go to 850

else 91b

at 91b there is

so this will return to 920 (see above retn to 402005)

this will retn to kernel or exit thread address (pushad == 0x20)
all else are junk
exe contains nothing dbghelp.dll ollydbg error 204f to 224f will simply exit via retn
(184f+800 ecx = 40 two lodsd = 80 dwords = 200 bytes = 224f)

if the region compared ok to retn value - 5 (see sub edx,5)
the app will crash and ollydbg can issue that warning

ollydbg will show "don't know how to step because memory at address 0 is not readable, try changing EIP or pass exception to program" if it reaches here

disassembling at 850 or 402050

byte pattern at 16ee

disassembling further

try walking ahead a bit :)

Topic created on: June 19, 2006 05:01 CDT by jeffreytan.

Hi all,

Thanks for your time! I have asked this in several forums without any definite resolution; hope I can resolve it here.

I have some problem with dealing with symbol loading in Ollydbg.

Normally, I used to use windbg to download most of the system dll symbols from Microsoft symbol server http://msdl.Microsoft.com/download/symbols to my local cache folder: c://localsymbols/ with _NT_SYMBOL_PATH environment variable.

I have set Ollydbg's symbol path to c://localsymbols/. But while debugging an exe and reversing certain system APIs, the assembly output does not recognize the symbols of system APIs at all.

Is there any trick to do this? With windbg, the disassembly output recognizes the system symbols without any problem.

Below is my troubleshooting steps:

I have used the windbg to debug OllyDbg symbol loading, I find my Ollydbg uses 0x00001210 as the parameter to

While with .SymOpt command in windbg, I find windbg uses 0x30237 as the parameter to DBGHELP!SymSetOptions.

To change the parameter to the one windbg uses, I used the conditional breakpoint below in windbg:
bp dbghelp!SymSetOptions ".echo dbghelp!SymSetOptions; ed esp+0x4 0x30237; gc;"

Then I used Ollydbg to debug the notepad.exe

My question is: how to determine if the OllyDbg has loaded the pdb symbol files for system dlls?

I have used Alt+E in ollydbg to see the module list. I used the "View Names" menu to view the symbols of User32.dll in the list. I found there are 3 types of symbols: Export, Import, Library. Does "Library" mean the pdb file symbols?

I decided to do a test to determine if the symbol for user32 is loaded. I disassembled MessageBoxA in OllyDbg, where I get the following text:

However, in windbg, I got the following:

Why is the USER32!gfEMIEnable symbol not recognized in Ollydbg? Does this mean that the pdb is still not loaded in Ollydbg? Additionally, why can Ollydbg not even recognize USER32!MessageBoxA in the assembly output?

Thanks for any information!

Jeffrey
I thought I'd edit my post since there weren't any replies,
but since there is more info I am making a reply to my own post :( :)

someone asked if it still works on xp-sp2

well it seems to work

odbg dir contains this

D:\odbg110>fc /b ollydbg.exe ollydbgsym.exe
Comparing files OLLYDBG.EXE and OLLYDBGSYM.EXE
00090709: 10 37
0009070A: 12 02
0009070B: 00 03
0009070C: 00 80
000907EC: 74 EB

D:\odbg110>set _
_NT_SYMBOL_PATH=SRV*D:\odbg110\symbols*http://msdl.microsoft.com/download/symbols

D:\odbg110>dir *.dll

Directory of D:\odbg110

355,328 symsrv.dll
71,168 Cmdline.dll
1,017,856 dbghelp.dll
55,808 BOOKMARK.DLL
76,288 srcsrv.dll
21,504 symbolcheck.dll
               6 File(s)      1,597,952 bytes
               0 Dir(s)   8,510,455,808 bytes free

D:\odbg110>


the symsrv, symbolcheck and dbghelp DLLs are from the latest windbg,
aka 6.6.3.

_NT_SYMBOL_PATH set to a symbol folder I just created

opened ollydbg and loaded win.exe

I get the symsrv confirmation dialog from MS and hit yes;
it creates a blank symsrv.yes file in the dir

ctrl+g MessageBoxA




Directory of D:\odbg110\symbols

06/24/2006  01:43 AM    <DIR>          .
06/24/2006  01:43 AM    <DIR>          ..
06/24/2006  01:44 AM                 0 pingme.txt
06/24/2006  01:44 AM    <DIR>          gdi32.pdb
06/24/2006  01:44 AM    <DIR>          kernel32.pdb
06/24/2006  01:45 AM    <DIR>          ntdll.pdb
               1 File(s)              0 bytes
               6 Dir(s)   8,506,122,240 bytes free

D:\odbg110\symbols>

Frida has become more popular recently because of how convenient it is to install hooks written in JavaScript. I have seen much research using Frida on mobile platforms, but it seems Windows usage has gained traction recently as well. At DarunGrim, we are researching new methodology that security researchers can use in their day-to-day work. Frida is one of the tools that, we thought, could be useful for Windows reverse engineering. But during our testing we found that the symbol lookup capability was a limiting factor in broader use of the tool. We made improvements, and they are now available in Frida 12.9.8. We are really thankful to Ole André Vadla Ravnås for his help in merging the changes.

We will go through the changes we made briefly and explain how you can use the improved symbol lookup capabilities in real-world problem solving.

Frida 12.9.8 Improvements

Basically, Frida uses dbghelp.dll APIs to look up symbols on Windows. What it lacked was symbol server support. We added symbol server support and improved how symbol strings are passed on Windows. With the older Frida implementation, each symbol lookup took some time because it used a wildcard module name to search every loaded module. Now you can specify the module name to speed up the lookup.

Frida now ships symsrv.dll alongside dbghelp.dll to support symbol servers, including the Microsoft symbol server.

These are the changes we made with help from Ole.

Case Study: Analyzing Office Macro Behavior

With the improved Frida functionality, here's an Office macro malware example to which we want to apply Frida for deep analysis.

Injection and instrumentation

The following diagram shows how Frida generally installs hooks and receives messages from the installed hooks.

The frida, session and script objects are involved in this process to manage hook installation. The hooking callback itself is written in JavaScript.

The following code shows an example of how these objects can be used to inject the JavaScript hooking code held in the self.script_text variable into the process identified by process_id.

code.py

Symbol Lookup: resolveName

Frida JavaScript APIs are well described in the API documentation.

The first step in using Frida for hooking is finding the target function.

If the function is exported, you can just call the Module.findExportByName method with the DLL name and the exported function name.

But if the function is not exported and is only recorded in the PDB symbol file, for example, you can call the DebugSymbol.getFunctionByName method. With Frida 12.9.8, you can pass the "DLLName!FunctionName" notation for better accuracy in designating a specific function and for better performance in locating it.

Loading symbols for a module can sometimes be slow because they may come from a remote symbol server. So call the DebugSymbol.load method to initiate symbol loading explicitly, so that only the minimal set of symbols is loaded.

Here's example code that uses the Module.findExportByName and DebugSymbol methods to look up any symbolled or exported function. It uses a dictionary to cache its findings and avoid duplicate work. This can save considerable symbol lookup time if you are hooking a large number of functions.

vbe.js
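The resolver described above, written out as an added example (it is not the vbe.js from the DarunGrim repository): exports are tried first, then PDB symbols through the "DLLName!FunctionName" notation, with one explicit DebugSymbol.load per module and a cache in front of everything. The `lookups` object is injectable so the cache and notation handling can be exercised outside Frida; the `fridaLookups` defaults, the assumption that every module is a ".dll", and the symbol names in the final loop are mine.

```javascript
// Added example: a cached symbol resolver for Frida >= 12.9.8 on Windows.
// Split "module!name" into its parts; a trailing ".dll" on the module is dropped
// so "user32.dll!MessageBoxA" and "user32!MessageBoxA" share one cache entry.
function parseSymbol(spec) {
  const bang = spec.indexOf('!');
  if (bang < 0) return { module: null, name: spec };
  return { module: spec.slice(0, bang).replace(/\.dll$/i, ''), name: spec.slice(bang + 1) };
}

// Default lookups bound to Frida's own API (only callable inside a Frida session).
const fridaLookups = {
  // Export-table lookup; Module.findExportByName wants the file name (assumed ".dll").
  findExport: (module, name) => Module.findExportByName(module + '.dll', name),
  // One explicit DebugSymbol.load per module keeps symbol-server traffic to what we need.
  loadSymbols: (module) => {
    const m = Process.findModuleByName(module + '.dll');
    if (m !== null) DebugSymbol.load(m.path);
  },
  // "module!name" notation; getFunctionByName throws when the symbol is unknown.
  findSymbol: (spec) => {
    try { return DebugSymbol.getFunctionByName(spec); } catch (e) { return null; }
  },
};

function createResolver(lookups) {
  const cache = new Map();           // normalized spec -> address (or null when unknown)
  const loadedModules = new Set();   // modules whose symbols were requested once already
  let hits = 0;
  return {
    resolve(spec) {
      const { module, name } = parseSymbol(spec);
      const key = module !== null ? module + '!' + name : name;
      if (cache.has(key)) { hits++; return cache.get(key); }
      // 1. cheap path: the export table of the named module
      let addr = module !== null ? lookups.findExport(module, name) : null;
      if (addr === null) {
        // 2. slow path: PDB symbols, loaded at most once per module
        if (module !== null && !loadedModules.has(module)) {
          lookups.loadSymbols(module);
          loadedModules.add(module);
        }
        addr = lookups.findSymbol(key);
      }
      cache.set(key, addr);          // negative results are cached too
      return addr;
    },
    stats() { return { cached: cache.size, hits, loads: loadedModules.size }; },
  };
}

// Inside Frida: resolve the functions the hooks below need and report them to the host.
if (typeof Interceptor !== 'undefined') {
  const resolver = createResolver(fridaLookups);
  for (const spec of ['vbe7!__vbaStrCat', 'vbe7!rtcCreateObject2', 'oleaut32!DispCallFunc']) {
    send({ symbol: spec, address: String(resolver.resolve(spec)) });
  }
}
```

Caching the misses as well as the hits matters when a script resolves hundreds of names: a symbol that is absent from both the export table and the PDB would otherwise trigger a fresh DebugSymbol query on every call.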

Setting Symbol Path

There are different approaches to setting up a symbol server on Windows; we suggest setting the _NT_SYMBOL_PATH variable from the command line. "Symbol path for Windows debuggers" has a good description of the variable.

The following will use "c:\symbols" as the local symbol store that caches the official Microsoft symbol server.

The following command will let the system use default symbol storage directory.

Running Malware and Observing Behavior

We used the following sample to test Frida's improved symbol lookup capability. It has a moderate amount of obfuscation that can be easily analyzed using Frida hooks.

The code presented here can be found in the following GitHub repository.

Frida.examples.vbe

So, when you have launched a Word process and its process id is 3064, the following command installs the hooks from the vbe.js included in the repository. After installing the hooks, open the malicious document to observe its behavior.

Hooks For Monitoring Office Macro Behavior

vbe.js has a few interesting hooks to monitor the behavior of malicious Office documents.

__vbaStrCat

vbe7.dll is the DLL in which the Visual Basic runtime engine is located. There are tons of interesting functions inside, but first we wanted to observe string operations.

vbe7!__vbaStrCat is the function called when strings are concatenated in Visual Basic.

Many macro-based malware documents use string-based obfuscation. By observing string concatenation, you can watch the final de-obfuscated strings being constructed.

The following hooking code will print out the concatenated strings for each call.

vbe.js

This is one example output that shows the final de-obfuscated string.

Here’s another example that shows how “WScript.Shell” string is constructed from obfuscated strings.

rtcCreateObject2

One of the many behaviors malicious macros show is creating objects to perform system operations. The function that performs this is rtcCreateObject2.

This rtcCreateObject2 function is called when new objects are created in VB engine.

The following hook monitors args[2] argument (wchar_t *Str2), which contains the object name it creates.

vbe.js

The example session showed the CreateObject method creating a WScript.Shell object. This object is used to run external commands from the script, so we can expect this script to run an external malicious command.

DispCallFunc

One of the interesting APIs is DispCallFunc. This function is used to call COM methods, and by monitoring it we can gain better insight into what the malware is trying to do.

The prototype of the function looks like the following.

The 1st argument, pvInstance, is the pointer to the COM instance and the 2nd argument, oVft, is the offset of the method being called. With some calculation, you can locate the function the COM call will eventually invoke.

The following is the hook for this function, which prints the actual COM method name and its instructions. Frida has APIs to disassemble instructions, which is really useful here.

The following shows the example output that shows a COM method call to wshom.ocx!CWshShell::Run.

Also, you can add a device callback to monitor process creation. The following shows a rundll child process being used to run PowerShell through the main function of powershdll.dll.
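The three hooks described in this section (__vbaStrCat, rtcCreateObject2 and DispCallFunc) as one added example script for Frida 12.9.8 or later; this is not the repository's vbe.js. The rtcCreateObject2 argument position (args[2]) follows the text above; the __vbaStrCat signature BSTR __vbaStrCat(BSTR, BSTR), the DispCallFunc prototype in the comment, and the choice of five instructions to disassemble are my assumptions. The pointer arithmetic is kept in plain helpers so the file also loads outside Frida.

```javascript
// Added example: monitoring hooks for Office macro analysis with Frida on 32-bit Office.
//
// HRESULT DispCallFunc(void *pvInstance, ULONG_PTR oVft, CALLCONV cc, VARTYPE vtReturn,
//                      UINT cActuals, VARTYPE *prgvt, VARIANTARG **prgpvarg, VARIANT *pvargResult);
//
// A COM object's first member is its vtable pointer and oVft is a byte offset into that
// table, so the method DispCallFunc ends up calling is *(*pvInstance + oVft).
function comMethodAddress(pvInstance, oVft) {
  const vtable = pvInstance.readPointer();
  return vtable.add(oVft).readPointer();
}

// Byte offset -> vtable slot index (slots 0..2 are IUnknown, 3..6 IDispatch).
function vtableSlot(oVft, pointerSize) {
  if (oVft % pointerSize !== 0) throw new Error('oVft not pointer aligned: ' + oVft);
  return oVft / pointerSize;
}

// Keep messages to the host small; obfuscated macros build very long strings.
function clip(s, max) {
  if (s === null) return '<null>';
  return s.length > max ? s.slice(0, max) + '...' : s;
}

function installHooks() {
  const ptrSize = Process.pointerSize;

  // 1. String concatenation: the de-obfuscated text shows up in the return value.
  Interceptor.attach(Module.findExportByName('vbe7.dll', '__vbaStrCat'), {
    onEnter(args) {
      this.lhs = clip(args[0].isNull() ? null : args[0].readUtf16String(), 200);
      this.rhs = clip(args[1].isNull() ? null : args[1].readUtf16String(), 200);
    },
    onLeave(retval) {
      send({ hook: '__vbaStrCat', lhs: this.lhs, rhs: this.rhs,
             result: clip(retval.isNull() ? null : retval.readUtf16String(), 500) });
    },
  });

  // 2. Object creation: report every CreateObject target, e.g. WScript.Shell.
  Interceptor.attach(Module.findExportByName('vbe7.dll', 'rtcCreateObject2'), {
    onEnter(args) {
      send({ hook: 'rtcCreateObject2', object: clip(args[2].readUtf16String(), 200) });
    },
  });

  // 3. COM dispatch: resolve the real target through the vtable and show its prologue.
  Interceptor.attach(Module.findExportByName('oleaut32.dll', 'DispCallFunc'), {
    onEnter(args) {
      const oVft = args[1].toInt32();
      const target = comMethodAddress(args[0], oVft);
      const sym = DebugSymbol.fromAddress(target);   // wshom.ocx!CWshShell::Run once PDBs are loaded
      const insns = [];
      try {
        let cur = target;
        for (let i = 0; i < 5; i++) {
          const insn = Instruction.parse(cur);
          insns.push(insn.toString());
          cur = insn.next;
        }
      } catch (e) { insns.push('<unreadable: ' + e.message + '>'); }
      send({ hook: 'DispCallFunc', slot: vtableSlot(oVft, ptrSize),
             method: (sym.moduleName || '?') + '!' + (sym.name || String(target)), disasm: insns });
    },
  });
}

if (typeof Interceptor !== 'undefined') installHooks();
```

The Python side receives these as ordinary script messages; logging them in order gives the string-building, object-creation and COM-call sequence of a macro without stepping through the runtime in a debugger.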

Conclusion

Frida is the most convenient and handy dynamic analysis tool I have ever used on Windows. WinDbg, OllyDbg and PyKD exist for advanced reverse engineering, and they have their places. But for really quick and repetitive analysis work, Frida is more than enough and has powerful capabilities for dumping and analyzing program behavior. With Frida 12.9.8 we now have better symbol handling, which will increase overall usability and productivity.

Training Information

DarunGrim is a threat intelligence and knowledge company. We are providing training regarding using Frida for Windows Reverse Engineering. Please contact us for details.


If your Olly is crashing when loading executable protected by VMProtect, you most likely have outdated dbghelp.dll somewhere on your path. Grab the latest version from Microsoft and put it in the Olly folder.

Well, that might be enough to work around the issue I had, but I still wanted to know what's causing the crash.

Cause of the problem

If you try to debug Olly with another Olly, you'll see the Access Violation happening somewhere in dbghelp.dll:

Log data, item 0
Address=6D529B91
Message=Access violation when reading [C4983C3E]
6D529B8E   8B55F4          MOV EDX,DWORD PTR SS:[EBP-C]
6D529B91   66:833C4200     CMP WORD PTR DS:[EDX+EAX*2],0
6D529B96   7507            JNZ SHORT DBGHELP.6D529B9F

Check register values in Olly:

EAX 00000000   <----------------
ECX 00000001
EDX C4983C3E   <----------------
EBX 0458A390
ESP 0018A450
EBP 0018AC94
ESI 045EE7E8
EDI 045EF738
EIP 6D529B91   DBGHELP.6D529B91

For some reason the value in EDX is garbage, and therefore the access violation happens.

Call stack doesn't tell us much:

Call stack of main thread
Procedure/arguments                 Called from              Name from PDB
DBGHELP.6D52997D                    DBGHELP.6D52ACFD         LoadExportSymbols(struct _MODULE_ENTRY *, struct _IMGHLP_DEBUG_DATA *)
DBGHELP.6D52A755                    DBGHELP.6D52B035         load(char *, DWORD)
DBGHELP.6D52ADB8                    DBGHELP.6D5264B2         InternalLoadModule(char *, char *FullPath, char *Str1, unsigned __int64, unsigned __int32, void *, struct _DBGHELP_MODLOAD_DATA *, unsigned __int32)
DBGHELP.SymLoadModuleEx             DBGHELP.6D526502
DBGHELP.SymLoadModule64             DBGHELP.6D526522
DBGHELP.SymLoadModule               OLLYDBG.00491502

And the same piece of code in IDA doesn't help much either:

.text:6D529B8E loop_check_something:                   ; CODE XREF: LoadExportSymbols(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *)
.text:6D529B8E                 mov     edx, [ebp+ptrAllocatedMemory]
.text:6D529B91                 cmp     word ptr [edx+eax*2], 0   ; <----------------
.text:6D529B96                 jnz     short loc_6D529B9F
.text:6D529B98                 add     [ebp+var_10], 10h
.text:6D529B9C                 inc     [ebp+arg_4]
.text:6D529B9F
.text:6D529B9F loc_6D529B9F:                           ; CODE XREF: LoadExportSymbols(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *)+219j
.text:6D529B9F                 inc     eax
.text:6D529BA0                 cmp     eax, ecx
.text:6D529BA2                 jb      short loop_check_something

So, it's debugging time! Set a breakpoint at the start of LoadExportSymbols, then set a hardware breakpoint on write to the address [ebp+ptrAllocatedMemory].

The first hit is the initialization of the variable with 0:

.text:6D529986                 xor     ecx, ecx
.text:6D529988                 test    byte ptr dword_6D57F438+1, 4
.text:6D52998F                 mov     [ebp+ptrAllocatedMemory], ecx

The second hit stores the address of the allocated memory:

.text:6D529AA7                 call    [email protected]    ; pMemAlloc(x)
.text:6D529AAC                 xor     ecx, ecx
.text:6D529AAE                 cmp     eax, ecx
.text:6D529AB0                 mov     [ebp+ptrAllocatedMemory], eax
.text:6D529AB3                 jz      loc_6D529D56

And the third time is a charm:

.text:6D529AF5                 lea     edx, [ebp+exportFunctionName]   ; 0018A45C
.text:6D529AFB                 sub     edx, eax                        ; EDX=FBAD009A
.text:6D529AFD
.text:6D529AFD loop_strcpy_overflows:                  ; CODE XREF: LoadExportSymbols(_MODULE_ENTRY *,_IMGHLP_DEBUG_DATA *)+188j
.text:6D529AFD                 mov     cl, [eax]
.text:6D529AFF                 mov     [edx+eax], cl                   ; <----------------
.text:6D529B02                 inc     eax
.text:6D529B03                 test    cl, cl
.text:6D529B05                 jnz     short loop_strcpy_overflows

The good folks at Microsoft have left us with a nice buffer overflow. exportFunctionName is defined as a byte array of 2048 bytes, and the copy loop above has no length check at all. Any export name longer than that will overflow the stack buffer and (possibly) cause a subsequent crash.

010Editor with PETemplate confirms that the export name is indeed very long (3100 chars):

From what I can tell, it's a similar (but not the same) bug to the one described by j00ru at http://j00ru.vexillium.org/?p=405 (see "PE Image Fuzzing (environment + process)").
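A defender-side check that follows from the analysis above, added here as an example (it is not code from kao's post): walk a DLL's export name table and report any name longer than the 2048-byte exportFunctionName buffer, so a file can be screened before it is loaded into a tool that still ships an old dbghelp.dll. The 2048 limit is the one stated above; buildSamplePe() fabricates a minimal one-section PE32 in memory purely as constructed test data, and the 3100-character name mirrors the length the post reports.

```javascript
// Added example: flag export names that exceed dbghelp's 2048-byte stack buffer.
const u16 = (b, o) => b.readUInt16LE(o);
const u32 = (b, o) => b.readUInt32LE(o);

// Map an RVA to a file offset by walking the section table (40-byte entries).
function rvaToOffset(buf, secTable, nSections, rva) {
  for (let i = 0; i < nSections; i++) {
    const s = secTable + i * 40;
    const va = u32(buf, s + 12), rawSize = u32(buf, s + 16), raw = u32(buf, s + 20);
    const span = Math.max(u32(buf, s + 8), rawSize);      // VirtualSize vs SizeOfRawData
    if (rva >= va && rva < va + span) return rva - va + raw;
  }
  throw new Error('RVA 0x' + rva.toString(16) + ' not in any section');
}

// Length of the NUL-terminated string at off, never reading past the buffer.
function cstrLength(buf, off) {
  let end = off;
  while (end < buf.length && buf[end] !== 0) end++;
  return end - off;
}

// Returns [{ name, length }] for every exported name longer than `limit`.
function longExportNames(buf, limit = 2048) {
  if (buf.toString('latin1', 0, 2) !== 'MZ') throw new Error('not a PE file');
  const pe = u32(buf, 0x3c);
  if (buf.toString('latin1', pe, pe + 4) !== 'PE\0\0') throw new Error('bad PE signature');
  const nSections = u16(buf, pe + 6);
  const optSize = u16(buf, pe + 20);
  const opt = pe + 24;
  const dirOff = u16(buf, opt) === 0x20b ? 112 : 96;     // PE32+ vs PE32 data directory start
  const exportRva = u32(buf, opt + dirOff);              // data directory entry 0 = exports
  if (exportRva === 0) return [];
  const secTable = opt + optSize;
  const toOff = (rva) => rvaToOffset(buf, secTable, nSections, rva);
  const dir = toOff(exportRva);
  const nNames = u32(buf, dir + 24);                      // NumberOfNames
  const names = toOff(u32(buf, dir + 32));                // AddressOfNames
  const found = [];
  for (let i = 0; i < nNames; i++) {
    const off = toOff(u32(buf, names + i * 4));
    const len = cstrLength(buf, off);
    if (len > limit) found.push({ name: buf.toString('latin1', off, off + 32) + '...', length: len });
  }
  return found;
}

// Constructed test data: a minimal PE32 with one .edata section carrying the given names.
function buildSamplePe(exportNames) {
  const n = exportNames.length;
  const secRva = 0x1000, secRaw = 0x200;
  const dllName = 'sample.dll\0';
  const strings = Buffer.from(dllName + exportNames.map((s) => s + '\0').join(''), 'latin1');
  const tables = 40 + n * 4 + n * 4 + n * 2;              // directory + functions + names + ordinals
  const sec = Buffer.alloc(tables + strings.length);
  strings.copy(sec, tables);
  sec.writeUInt32LE(secRva + tables, 12);                 // Name (DLL name RVA)
  sec.writeUInt32LE(1, 16);                               // Base
  sec.writeUInt32LE(n, 20); sec.writeUInt32LE(n, 24);     // NumberOfFunctions, NumberOfNames
  sec.writeUInt32LE(secRva + 40, 28);                     // AddressOfFunctions
  sec.writeUInt32LE(secRva + 40 + n * 4, 32);             // AddressOfNames
  sec.writeUInt32LE(secRva + 40 + n * 8, 36);             // AddressOfNameOrdinals
  let strRva = secRva + tables + dllName.length;
  for (let i = 0; i < n; i++) {
    sec.writeUInt32LE(secRva + tables, 40 + i * 4);       // dummy function RVA
    sec.writeUInt32LE(strRva, 40 + n * 4 + i * 4);
    sec.writeUInt16LE(i, 40 + n * 8 + i * 2);
    strRva += exportNames[i].length + 1;
  }
  const hdr = Buffer.alloc(secRaw);
  hdr.write('MZ', 0, 'latin1'); hdr.writeUInt32LE(0x40, 0x3c);
  hdr.write('PE\0\0', 0x40, 'latin1');
  hdr.writeUInt16LE(0x14c, 0x44); hdr.writeUInt16LE(1, 0x46); hdr.writeUInt16LE(0xe0, 0x54);
  hdr.writeUInt16LE(0x10b, 0x58);                         // PE32 magic
  hdr.writeUInt32LE(secRva, 0x58 + 96); hdr.writeUInt32LE(sec.length, 0x58 + 100);
  const sh = 0x58 + 0xe0;                                 // first section header
  hdr.write('.edata', sh, 'latin1');
  hdr.writeUInt32LE(sec.length, sh + 8); hdr.writeUInt32LE(secRva, sh + 12);
  hdr.writeUInt32LE(sec.length, sh + 16); hdr.writeUInt32LE(secRaw, sh + 20);
  return Buffer.concat([hdr, sec]);
}
```

To screen a real file, read it with fs.readFileSync and pass the Buffer to longExportNames; an empty result means no export name would overrun the buffer described above. The same RVA walk is what a loader performs, so a name table pointing outside every section throws instead of being silently skipped.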

Stay safe!

P.S. Here's an example file, if you want to test your Olly: https://forum.tuts4you.com/topic/38963-vmprotect-professional-v-309-custom-protection/
P.P.S. CFF Explorer, HIEW and IDA do not show us any exports in this example file, but that's a matter for another story.

kao. Posted in Reversing, Tools. Tags: access violation, bug, dbghelp, export table, vmprotect
