Debugging with WinDbg and OllyDbg. Reverse engineering malware, exploits and various binaries with IDA. Computer security under Unix and Windows. Web security as a daily routine. Various hacker tricks & tips. C, ASM, Java and Groovy as daily bread. The life of a Linux geek exploring the Windows API and internals :)

Friday, January 23, 2009

showing export symbols with windbg (updated!)

In an earlier post I described a rather roundabout way of viewing export symbols.
Here is how to get WinDbg to read them directly from the executable image.


First we check with "lm"

0:002> lm
start end module name
003e0000 003fa000 WinsockHookDLL C (export symbols) C:\Program Files\Secway\SimpLite-MSN 2.2\Plugins\WinsockHookDLL.dll
00400000 004ea000 protect (no symbols)

Our culprit is the module named 'protect': WinDbg reports it with no symbols at all, not even exports.

How do we get the exports from the executable image?

First unload the module with ".reload /u":

0:002> .reload /u protect
Unloaded protect

Now reload the image, telling WinDbg where it is mapped (/f forces immediate symbol loading, /v shows what it does).
Remember that "lm" showed our executable at base address 00400000:

0:002> .reload /f /v protect.exe=00400000
0:002> lm
start end module name
003e0000 003fa000 WinsockHookDLL C (export symbols) C:\Program Files\Secway\SimpLite-MSN 2.2\Plugins\WinsockHookDLL.dll
00400000 004ea000 protect (export symbols) protect.exe

Done! The module now shows "(export symbols)", so WinDbg has located protect.exe on disk (it must be reachable through the image path, see .exepath) and read its export table.

Now you can inspect the symbols with x protect!*:

0:002> x protect!*
00401066 protect!PSE_MemoryFree ()
00405eaf protect!PSA_Uninitialize ()
00406002 protect!PSA_GetLicenseStoragePath ()
004061aa protect!PSA_GetLicenseInformation ()
0040630d protect!PSA_GetFeaturesGrantedByLicense ()
00406455 protect!PSA_DisableFeaturesGrantedByLicense ()
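What WinDbg does here is nothing more than parsing the PE export directory and adding each exported function's RVA to the module base you gave it on the .reload line (0x400000 + 0x1066 = 0x401066). The following Python script is an added example, not part of the original post: it builds a constructed minimal PE32 file whose export table reuses the two names and RVAs from the listing above (nothing else about the real protect.exe is assumed), then parses it the way the debugger does. The base argument of parse_exports plays the role of the "=00400000" in the .reload command; forwarded exports (RVA pointing back into the export directory) are reported as strings rather than addresses, which is the one case a naive parser gets wrong.

```python
import struct

# Constructed sample: a minimal PE32 file whose only content is an export
# table.  The two names and RVAs mirror the WinDbg listing in the post
# (0x401066 - 0x400000 = 0x1066); the file is synthetic, not protect.exe.
def build_sample_pe(image_base=0x400000):
    sect_rva, sect_raw, sect_size = 0x2000, 0x200, 0x200
    names = ["PSE_MemoryFree", "PSA_Uninitialize"]          # ordinal order
    func_rvas = [0x1066, 0x5EAF]
    by_name = sorted(range(len(names)), key=lambda i: names[i])  # name table is sorted
    off_funcs, off_names = 40, 40 + 4 * len(names)
    off_ords = off_names + 4 * len(names)
    off_strs = off_ords + 2 * len(names)
    strings, name_rva = b"protect.exe\0", {}
    for i in by_name:
        name_rva[i] = sect_rva + off_strs + len(strings)
        strings += names[i].encode() + b"\0"
    export_size = off_strs + len(strings)
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions/Names/NameOrdinals
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sect_rva + off_strs, 1,
                       len(names), len(names), sect_rva + off_funcs,
                       sect_rva + off_names, sect_rva + off_ords)
    body += struct.pack("<%dI" % len(names), *func_rvas)
    body += struct.pack("<%dI" % len(names), *(name_rva[i] for i in by_name))
    body += struct.pack("<%dH" % len(names), *by_name)
    body = (body + strings).ljust(sect_size, b"\0")
    dos = bytearray(64); dos[:2] = b"MZ"; dos[0x3C:0x40] = struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)                     # PE32 magic
    opt[28:32] = struct.pack("<I", image_base)              # ImageBase
    opt[32:40] = struct.pack("<II", 0x1000, 0x200)          # Section/FileAlignment
    opt[92:96] = struct.pack("<I", 16)                      # NumberOfRvaAndSizes
    opt[96:104] = struct.pack("<II", sect_rva, export_size) # export data directory
    sect = b".edata\0\0" + struct.pack("<IIIIIIHHI", sect_size, sect_rva, sect_size,
                                       sect_raw, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(sect_raw, b"\0") + body


def _rva_to_offset(data, rva):
    """Map an RVA to a file offset using the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsects = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsects):
        hdr = pe + 24 + opt_size + 40 * i + 8
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, hdr)
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data, base=None):
    """Return [(address, name, forwarder)] like WinDbg's 'x module!*' listing.
    base overrides ImageBase, as '.reload protect.exe=00400000' does."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                      # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        exp_rva, exp_size = struct.unpack_from("<II", data, opt + 96)
    elif magic == 0x20B:                                    # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        exp_rva, exp_size = struct.unpack_from("<II", data, opt + 112)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if base is None:
        base = image_base
    if exp_rva == 0:
        return []                                           # module exports nothing
    e = _rva_to_offset(data, exp_rva)
    nfuncs, nnames, aof, aon, aoo = struct.unpack_from("<IIIII", data, e + 20)
    funcs = struct.unpack_from("<%dI" % nfuncs, data, _rva_to_offset(data, aof))
    name_rvas = struct.unpack_from("<%dI" % nnames, data, _rva_to_offset(data, aon))
    ords = struct.unpack_from("<%dH" % nnames, data, _rva_to_offset(data, aoo))
    out = []
    for nrva, idx in zip(name_rvas, ords):
        name, frva = _cstr(data, _rva_to_offset(data, nrva)), funcs[idx]
        if exp_rva <= frva < exp_rva + exp_size:            # forwarder, e.g. "NTDLL.RtlFoo"
            out.append((None, name, _cstr(data, _rva_to_offset(data, frva))))
        else:
            out.append((base + frva, name, None))
    return sorted(out, key=lambda t: (t[0] is None, t[0] or 0, t[1]))


if __name__ == "__main__":
    for addr, name, fwd in parse_exports(build_sample_pe(), base=0x400000):
        print("%08x protect!%s ()" % (addr, name) if fwd is None else "%s -> %s" % (name, fwd))
```

Run against a real file (open(path, "rb").read()) the same parse_exports gives you the export listing without a debugger attached, which is handy when the target unpacks or relocates itself: pass the base you observed with lm and the addresses line up with what you see in the live process.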

Voila that's all ;)
