MS debugging information analysis (1)

xiaoxiao2021-03-18  223

First, a note on Microsoft's support for debugging information. Microsoft provides two libraries, DBGHELP and IMAGEHLP, but when you want to understand debugging information at a deeper level you have to understand the debug files themselves. Only DBG files and PDB files are discussed here. Because Microsoft has not documented much of this, I am still in the exploration phase, so mistakes are inevitable.

The debugging information that Microsoft provides generally consists of two files: a DBG file and a PDB file. Under NT 4.0 there is no PDB file; the information that would otherwise go into the PDB file is stored in the DBG file.

Let's take a closer look at the contents of the DBG file.

IMAGE_SEPARATE_DEBUG_HEADER: this structure opens the file and starts with the two signature characters "DI".

IMAGE_SECTION_HEADER array: each structure in this array corresponds to one section of the PE file. The number of entries in the array is given by the NumberOfSections member of IMAGE_SEPARATE_DEBUG_HEADER.

Exported names: a block of NUL-terminated ANSI strings (one byte per character); these strings are the names of the exported symbols. The ExportedNamesSize member of IMAGE_SEPARATE_DEBUG_HEADER gives the total size of the strings. If the module exports no symbols, ExportedNamesSize is 0 and this block does not exist.

IMAGE_DEBUG_DIRECTORY array: these structures describe the format and location of the debug data that follows them. The DebugDirectorySize member of IMAGE_SEPARATE_DEBUG_HEADER gives the size of the array.

The layout of a DBG file is described in detail below.

IMAGE_SEPARATE_DEBUG_HEADER description: this structure is always at the beginning of the file. Its definition in WINNT.H is as follows.

typedef struct _IMAGE_SEPARATE_DEBUG_HEADER {
    WORD  Signature;
    WORD  Flags;
    WORD  Machine;
    WORD  Characteristics;
    DWORD TimeDateStamp;
    DWORD CheckSum;
    DWORD ImageBase;
    DWORD SizeOfImage;
    DWORD NumberOfSections;
    DWORD ExportedNamesSize;
    DWORD DebugDirectorySize;
    DWORD SectionAlignment;
    DWORD Reserved[2];
} IMAGE_SEPARATE_DEBUG_HEADER, *PIMAGE_SEPARATE_DEBUG_HEADER;

Signature: the signature, always 0x4944 ("DI").

Flags: unknown (at least I don't know what it means).

Machine: the machine type, defined in WINNT.H as one of the values below; from the name we can tell the target machine of the file. Usually ours is IMAGE_FILE_MACHINE_I386.

Value                          Meaning

IMAGE_FILE_MACHINE_UNKNOWN     unknown machine type
IMAGE_FILE_MACHINE_I386        Intel 386
IMAGE_FILE_MACHINE_R3000       MIPS little-endian
IMAGE_FILE_MACHINE_R4000
IMAGE_FILE_MACHINE_R10000      MIPS little-endian
IMAGE_FILE_MACHINE_WCEMIPSV2   WCE v2
IMAGE_FILE_MACHINE_ALPHA       Alpha_AXP
IMAGE_FILE_MACHINE_POWERPC     IBM PowerPC little-endian
IMAGE_FILE_MACHINE_SH3         SH3 little-endian
IMAGE_FILE_MACHINE_SH3E        SH3E little-endian
IMAGE_FILE_MACHINE_SH4         SH4 little-endian
IMAGE_FILE_MACHINE_ARM         ARM little-endian
IMAGE_FILE_MACHINE_THUMB
IMAGE_FILE_MACHINE_IA64        Intel 64
IMAGE_FILE_MACHINE_MIPS16      MIPS
IMAGE_FILE_MACHINE_MIPSFPU     MIPS
IMAGE_FILE_MACHINE_MIPSFPU16   MIPS
IMAGE_FILE_MACHINE_ALPHA64     ALPHA64
IMAGE_FILE_MACHINE_AXP64

Characteristics: the characteristics of this file; the value can be a combination of the following flags.

Value                               Meaning

IMAGE_FILE_RELOCS_STRIPPED          Relocation information is stripped from the file.
IMAGE_FILE_EXECUTABLE_IMAGE         The file is executable (there are no unresolved external references).
IMAGE_FILE_LINE_NUMS_STRIPPED       Line numbers are stripped from the file.
IMAGE_FILE_LOCAL_SYMS_STRIPPED      Local symbols are stripped from the file.
IMAGE_FILE_AGGRESIVE_WS_TRIM        Aggressively trim the working set.
IMAGE_FILE_LARGE_ADDRESS_AWARE      The application can handle addresses larger than 2 GB.
IMAGE_FILE_BYTES_REVERSED_LO        Bytes of the machine word are reversed (low).
IMAGE_FILE_32BIT_MACHINE            The computer supports 32-bit words.
IMAGE_FILE_DEBUG_STRIPPED           Debugging information is stored separately in a .dbg file.
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  If the image is on removable media, copy it to and run it from the swap file.
IMAGE_FILE_NET_RUN_FROM_SWAP        If the image is on the network, copy it to and run it from the swap file.
IMAGE_FILE_SYSTEM                   System file.
IMAGE_FILE_DLL                      DLL file.
IMAGE_FILE_UP_SYSTEM_ONLY           The file should be run only on a uniprocessor computer.
IMAGE_FILE_BYTES_REVERSED_HI        Bytes of the machine word are reversed (high).

TimeDateStamp: the creation time of this file, counted from 00:00 on January 1, 1970.

CheckSum: the checksum. When it equals the checksum of the PE file, the DBG file can be taken to be the debugging information for that PE file.

ImageBase: the base address of the PE file. This is only the default base address; it often changes after the PE file is loaded.

SizeOfImage: I am not sure which size this refers to.

NumberOfSections: the number of IMAGE_SECTION_HEADER structures that follow this header.

ExportedNamesSize: the length of the exported-names block, in bytes.

DebugDirectorySize: the total length of the IMAGE_DEBUG_DIRECTORY array, in bytes.

SectionAlignment: the alignment of each section.

Next, let's look at the IMAGE_SEPARATE_DEBUG_HEADER dumped from ntoskrnl.dbg, a file that is often used in debugging. Since your copy may not be the same as mine, some values may differ slightly.

Signature          = 0x4944;      // "DI"
Flags              = 0x0000;
Machine            = 0x014c;      // IMAGE_FILE_MACHINE_I386
Characteristics    = 0x030E;      // IMAGE_FILE_DEBUG_STRIPPED | IMAGE_FILE_32BIT_MACHINE |
                                  // IMAGE_FILE_LOCAL_SYMS_STRIPPED | IMAGE_FILE_LINE_NUMS_STRIPPED |
                                  // IMAGE_FILE_RELOCS_STRIPPED
TimeDateStamp      = 0x4047db83;  // 2004.3.6 1:44:35
CheckSum           = 0x001ac013;
ImageBase          = 0x00400000;
SizeOfImage        = 0x001A59C0;
NumberOfSections   = 0x00000015;
ExportedNamesSize  = 0x00006390;
DebugDirectorySize = 0x000000A8;
SectionAlignment   = 0x00000040;

From this data we learn the basic information about the DBG file. Of these fields we care most about NumberOfSections and ExportedNamesSize, because these two determine where the data that follows is located, while the creation time TimeDateStamp and the checksum CheckSum let us verify that the current PE file matches our debug file.

IMAGE_SECTION_HEADER data

As shown above, the data following IMAGE_SEPARATE_DEBUG_HEADER in a DBG file is an array of IMAGE_SECTION_HEADER structures, whose length is determined by the NumberOfSections member of IMAGE_SEPARATE_DEBUG_HEADER. The structure is defined in WINNT.H as follows:

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

Name: the name of this section, 8 bytes long.

PhysicalAddress: the physical (file) address.

VirtualSize: the size of the section once loaded in memory.

VirtualAddress: the address of the first byte of this section.

SizeOfRawData: the size of the section's data as stored on disk.

PointerToRawData: the position in the COFF file where this section's data starts.

PointerToRelocations: file pointer to the relocation entries.

PointerToLinenumbers: file pointer to the line-number entries.

NumberOfRelocations: the number of relocation entries.

NumberOfLinenumbers: the number of line-number entries.

Characteristics: the characteristics (flags) of the section.

Value                              Meaning

IMAGE_SCN_TYPE_REG
IMAGE_SCN_TYPE_DSECT
IMAGE_SCN_TYPE_NOLOAD
IMAGE_SCN_TYPE_GROUP
IMAGE_SCN_TYPE_NO_PAD
IMAGE_SCN_TYPE_COPY
IMAGE_SCN_CNT_CODE                 Section contains executable code.
IMAGE_SCN_CNT_INITIALIZED_DATA     Section contains initialized data.
IMAGE_SCN_CNT_UNINITIALIZED_DATA   Section contains uninitialized data.
IMAGE_SCN_LNK_OTHER
IMAGE_SCN_LNK_INFO
IMAGE_SCN_TYPE_OVER
IMAGE_SCN_LNK_COMDAT               Section contains COMDAT data.
IMAGE_SCN_MEM_FARDATA
IMAGE_SCN_MEM_PURGEABLE
IMAGE_SCN_MEM_16BIT
IMAGE_SCN_MEM_LOCKED
IMAGE_SCN_MEM_PRELOAD
IMAGE_SCN_ALIGN_1BYTES             Align data on a 1-byte boundary.

Let's analyze the section information in ntoskrnl.dbg. From the analysis of IMAGE_SEPARATE_DEBUG_HEADER above we already know that this DBG file contains 21 (0x15) sections. Here I list only 4 of them; interested readers can list all 21 to see for themselves.

Section 0
    Name:                 .text
    PhysicalAddress:      0x0006AD1B
    VirtualSize:          0x0006AD1B
    VirtualAddress:       0x00000540
    SizeOfRawData:        0x0006AD40
    PointerToRawData:     0x00000540
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x00000000
    NumberOfLinenumbers:  0x00000000
    Characteristics:      0x68000020

Section 1
    Name:                 poolcode5
    PhysicalAddress:      0x00000B35
    VirtualSize:          0x00000B35
    VirtualAddress:       0x0006B280
    SizeOfRawData:        0x00000B40
    PointerToRawData:     0x0006B280
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x00000000
    NumberOfLinenumbers:  0x00000000
    Characteristics:      0x68000020

Section 2
    Name:                 poolmi
    PhysicalAddress:      0x00001289
    VirtualSize:          0x00001289
    VirtualAddress:       0x0006BDC0
    SizeOfRawData:        0x000012C0
    PointerToRawData:     0x0006BDC0
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x00000000
    NumberOfLinenumbers:  0x00000000
    Characteristics:      0x68000020

Section 3
    Name:                 MISYSPTE?
    PhysicalAddress:      0x000006EC
    VirtualSize:          0x000006EC
    VirtualAddress:       0x0006D080
    SizeOfRawData:        0x00000700
    PointerToRawData:     0x0006D080
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x00000000
    NumberOfLinenumbers:  0x00000000
    Characteristics:      0x68000020

Exported symbol names

This block starts at file offset sizeof(IMAGE_SEPARATE_DEBUG_HEADER) + sizeof(IMAGE_SECTION_HEADER) * NumberOfSections, and its size is the ExportedNamesSize member of IMAGE_SEPARATE_DEBUG_HEADER. All exported symbols are listed here. ntoskrnl.dbg exports 1230 symbols, as shown below:

CcCanIWrite CcDeferWrite CcFastCopyRead CcFastCopyWrite CcFastMdlReadWait CcFastReadNotPossible CcFastReadWait CcFlushCache CcGetDirtyPages ... towupper vsprintf wcscat wcschr wcscmp wcscpy wcscspn wcslen wcsncat wcsncmp wcsncpy wcsrchr wcsspn wcsstr wcstombs wctomb

IMAGE_DEBUG_DIRECTORY array

The last part of the DBG file is the IMAGE_DEBUG_DIRECTORY array, which holds the debug information directory. Its address is the address of the exported names plus the size of the exported names. It is defined in WINNT.H as:

typedef struct _IMAGE_DEBUG_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Type;
    DWORD SizeOfData;
    DWORD AddressOfRawData;
    DWORD PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;

Characteristics: reserved.

TimeDateStamp: the time and date the debugging information was created.

MajorVersion: the major version of the debugging information.

MinorVersion: the minor version of the debugging information.

Type: the type of debugging information, one of the following values.

Value                           Meaning

IMAGE_DEBUG_TYPE_UNKNOWN        Unknown value, ignored by all tools.
IMAGE_DEBUG_TYPE_COFF           COFF debugging information.
IMAGE_DEBUG_TYPE_CODEVIEW       CodeView information. The format of the data block is described by the CodeView 4.0 specification.
IMAGE_DEBUG_TYPE_FPO            Frame pointer omission (FPO) information. This information tells the debugger how to interpret nonstandard stack frames, which use the EBP register for a purpose other than as a frame pointer.
IMAGE_DEBUG_TYPE_MISC           Miscellaneous information.
IMAGE_DEBUG_TYPE_EXCEPTION      Exception information.
IMAGE_DEBUG_TYPE_FIXUP          Fixup information.
IMAGE_DEBUG_TYPE_BORLAND        Borland debugging information.
IMAGE_DEBUG_TYPE_OMAP_TO_SRC
IMAGE_DEBUG_TYPE_OMAP_FROM_SRC
IMAGE_DEBUG_TYPE_RESERVED10

SizeOfData: the length of this debugging information block.

AddressOfRawData: the address of the debug data once the file has been loaded into memory.

PointerToRawData: the file pointer to the debug data.

Not all of these types appear in DBG files. Under Windows NT 4.0 only four of them are present: IMAGE_DEBUG_TYPE_COFF, IMAGE_DEBUG_TYPE_CODEVIEW, IMAGE_DEBUG_TYPE_FPO and IMAGE_DEBUG_TYPE_MISC. Windows 2000 .dbg files usually add IMAGE_DEBUG_TYPE_OMAP_TO_SRC, IMAGE_DEBUG_TYPE_OMAP_FROM_SRC and an undocumented type with the ID 0x1000.

If you are only interested in parsing or browsing symbols, you just need to understand three directory entries: IMAGE_DEBUG_TYPE_CODEVIEW, IMAGE_DEBUG_TYPE_OMAP_TO_SRC and IMAGE_DEBUG_TYPE_OMAP_FROM_SRC.

The number of IMAGE_DEBUG_DIRECTORY entries is determined by the DebugDirectorySize field of IMAGE_SEPARATE_DEBUG_HEADER: number of entries = DebugDirectorySize / sizeof(IMAGE_DEBUG_DIRECTORY). Because the IMAGE_DEBUG_DIRECTORY data is the most important part, I will introduce it in detail here. Let's look at the directory in ntoskrnl.dbg.

First find the address of the IMAGE_DEBUG_DIRECTORY array in the DBG file (pExport is the start of the exported names, pSepDebugHeader points at the IMAGE_SEPARATE_DEBUG_HEADER):

    IMAGE_DEBUG_DIRECTORY *pDir = (IMAGE_DEBUG_DIRECTORY *)(pExport + pSepDebugHeader->ExportedNamesSize);

Then the number of entries:

    DWORD dirSize = pSepDebugHeader->DebugDirectorySize / sizeof(IMAGE_DEBUG_DIRECTORY);

dirSize is 6. As said before, the data an entry points to lies at file offset PointerToRawData from the start of the file, and its size is SizeOfData.
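The walk described above (header, section headers, exported names, then the debug directory) as an added Python example; it is not code from the original article, and the sample file it parses is constructed in build_sample_dbg(), not taken from ntoskrnl.dbg. The flag constants (0x0001 and so on) are the WINNT.H values; the bounds check on PointerToRawData + SizeOfData is the check a parser needs before trusting a .dbg file from an untrusted source.

```python
import struct

# Constructed sample, not a real .dbg file: the layout follows the text above.
# IMAGE_SEPARATE_DEBUG_HEADER (48 bytes), NumberOfSections IMAGE_SECTION_HEADERs
# (40 bytes each), ExportedNamesSize bytes of NUL-terminated names, then
# DebugDirectorySize bytes of IMAGE_DEBUG_DIRECTORY entries (28 bytes each).
SEP_HDR = "<HHHHIIIIIIIIII"   # 48 bytes
SEC_HDR = "<8sIIIIIIHHI"      # 40 bytes
DBG_DIR = "<IIHHIIII"         # 28 bytes
FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
              0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED"}
DEBUG_TYPES = {2: "CODEVIEW", 3: "FPO", 4: "MISC", 7: "OMAP_TO_SRC", 8: "OMAP_FROM_SRC"}

def build_sample_dbg():
    names = b"CcCanIWrite\0CcDeferWrite\0"
    section = struct.pack(SEC_HDR, b".text", 0x1000, 0x540, 0x1000, 0x540,
                          0, 0, 0, 0, 0x68000020)
    dir_off = 48 + len(section) + len(names)
    # one FPO directory entry whose data (a single 16-byte FPO_DATA) follows the array
    directory = struct.pack(DBG_DIR, 0, 0x403D35E2, 0, 0, 3, 16, 0, dir_off + 28)
    header = struct.pack(SEP_HDR, 0x4944, 0, 0x014C, 0x030E, 0x4047DB83, 0x001AC013,
                         0x00400000, 0x001A59C0, 1, len(names), len(directory), 0x40, 0, 0)
    fpo_record = struct.pack("<IIIHH", 0x540, 0x20, 2, 1, 0x0C | (2 << 8))
    return header + section + names + directory + fpo_record

def parse_dbg(data):
    h = struct.unpack_from(SEP_HDR, data, 0)
    if h[0] != 0x4944:                        # "DI" signature
        raise ValueError("not a DBG file")
    hdr = dict(zip(("Signature", "Flags", "Machine", "Characteristics", "TimeDateStamp",
                    "CheckSum", "ImageBase", "SizeOfImage", "NumberOfSections",
                    "ExportedNamesSize", "DebugDirectorySize", "SectionAlignment"), h))
    hdr["FlagNames"] = sorted(n for v, n in FILE_FLAGS.items() if hdr["Characteristics"] & v)
    off, sections = 48, []
    for _ in range(hdr["NumberOfSections"]):
        s = struct.unpack_from(SEC_HDR, data, off)
        sections.append({"Name": s[0].rstrip(b"\0").decode(), "VirtualAddress": s[2],
                         "SizeOfRawData": s[3], "Characteristics": s[9]})
        off += 40
    # exported names start right after the section headers; strings are NUL-terminated
    names = data[off:off + hdr["ExportedNamesSize"]].split(b"\0")[:-1]
    off += hdr["ExportedNamesSize"]
    dirs = []
    for _ in range(hdr["DebugDirectorySize"] // 28):
        d = struct.unpack_from(DBG_DIR, data, off)
        if d[7] + d[5] > len(data):          # PointerToRawData + SizeOfData must stay in file
            raise ValueError("debug directory entry points outside the file")
        dirs.append({"Type": DEBUG_TYPES.get(d[4], hex(d[4])), "SizeOfData": d[5],
                     "PointerToRawData": d[7]})
        off += 28
    return {"header": hdr, "sections": sections,
            "exports": [n.decode() for n in names], "directory": dirs}
```

Decoding 0x030E bit by bit this way yields IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) rather than IMAGE_FILE_RELOCS_STRIPPED (0x0001) among the set bits, which is worth checking against the header dump above.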

Let's look at each structure in turn.

The first IMAGE_DEBUG_DIRECTORY entry is:

    TimeDateStamp    0x403D35E2;  // 2004.2.25 23:55:14
    MajorVersion     0x0000;
    MinorVersion     0x0000;
    Type             0x00000002;  // IMAGE_DEBUG_TYPE_CODEVIEW
    SizeOfData       0x0000001D;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x000067D0;

Its data type is IMAGE_DEBUG_TYPE_CODEVIEW, which will be discussed in detail later, so I skip it here.

Looking at the second IMAGE_DEBUG_DIRECTORY entry:

    TimeDateStamp    0x403D35E2;  // 2004.2.25 23:55:14
    MajorVersion     0x0000;
    MinorVersion     0x0000;
    Type             0x00000003;  // IMAGE_DEBUG_TYPE_FPO
    SizeOfData       0x00011f10;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x000067F0;

This entry's type is IMAGE_DEBUG_TYPE_FPO. Its data is an array of FPO_DATA structures, starting at file offset PointerToRawData and SizeOfData bytes long.

The FPO_DATA structure is defined in WINNT.H as follows:

typedef struct _FPO_DATA {
    DWORD ulOffStart;     // offset of the 1st byte of function code
    DWORD cbProcSize;     // # bytes in function
    DWORD cdwLocals;      // # bytes in locals / 4
    WORD  cdwParams;      // # bytes in params / 4
    WORD  cbProlog : 8;   // # bytes in prolog
    WORD  cbRegs   : 3;   // # regs saved
    WORD  fHasSEH  : 1;   // TRUE if SEH in func
    WORD  fUseBP   : 1;   // TRUE if EBP has been allocated
    WORD  reserved : 1;   // reserved for future use
    WORD  cbFrame  : 2;   // frame type
} FPO_DATA, *PFPO_DATA;

#define SIZEOF_RFPO_DATA 16

ulOffStart: the offset of the function from the image base.

cbProcSize: the size of this function in bytes.

cdwLocals: the size of the local variables, in DWORDs.

cdwParams: the size of the parameters, in DWORDs.

cbProlog: the number of bytes in the prolog.

cbRegs: the number of registers saved.

fHasSEH: if TRUE, the function has an exception handler.

fUseBP: if TRUE, the EBP register is in use.

cbFrame: the frame type, one of the following.

Type            Meaning

FRAME_FPO       FPO frame
FRAME_TRAP      Trap frame
FRAME_TSS       TSS frame
FRAME_NONFPO    Non-FPO frame
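The last WORD of FPO_DATA packs six fields, and reading it correctly depends on the bit positions MSVC gives the bit-fields (the first declared field occupies the lowest bits). An added Python example, not from the original article, that decodes one record, walks an FPO table of SizeOfData bytes and finds the record covering a code RVA, which is what a debugger does when it needs the frame layout of a function; the two records are constructed, not taken from ntoskrnl.dbg.

```python
import struct

# FPO_DATA is 16 bytes: three DWORDs, one WORD, then one WORD of bit-fields laid out as
#   bits 0-7 cbProlog, 8-10 cbRegs, 11 fHasSEH, 12 fUseBP, 13 reserved, 14-15 cbFrame
FRAME_TYPES = {0: "FRAME_FPO", 1: "FRAME_TRAP", 2: "FRAME_TSS", 3: "FRAME_NONFPO"}

def decode_fpo(record):
    ul_off_start, cb_proc_size, cdw_locals, cdw_params, bits = struct.unpack("<IIIHH", record)
    return {
        "ulOffStart": ul_off_start, "cbProcSize": cb_proc_size,
        "LocalsBytes": cdw_locals * 4, "ParamsBytes": cdw_params * 4,   # fields count DWORDs
        "cbProlog": bits & 0xFF, "cbRegs": (bits >> 8) & 0x7,
        "fHasSEH": bool(bits & 0x0800), "fUseBP": bool(bits & 0x1000),
        "cbFrame": FRAME_TYPES[(bits >> 14) & 0x3],
    }

def walk_fpo_table(blob, size_of_data):
    # The directory entry's SizeOfData bytes hold SizeOfData / SIZEOF_RFPO_DATA records.
    if size_of_data % 16 or size_of_data > len(blob):
        raise ValueError("FPO data size is not a whole number of records inside the data")
    return [decode_fpo(blob[i:i + 16]) for i in range(0, size_of_data, 16)]

def find_function(table, rva):
    # Return the record whose [ulOffStart, ulOffStart + cbProcSize) range covers rva.
    for rec in table:
        if rec["ulOffStart"] <= rva < rec["ulOffStart"] + rec["cbProcSize"]:
            return rec
    return None

# Constructed sample records (hypothetical functions at RVA 0x540 and 0x5C0).
SAMPLE_FPO = (struct.pack("<IIIHH", 0x540, 0x80, 2, 1, 0x0C | (2 << 8) | (1 << 12)) +
              struct.pack("<IIIHH", 0x5C0, 0x40, 0, 0, 0x03 | (3 << 14)))
```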

Looking at the third IMAGE_DEBUG_DIRECTORY entry:

    TimeDateStamp    0x403D35E2;  // 2004.2.25 23:55:14
    MajorVersion     0x0000;
    MinorVersion     0x0000;
    Type             0x00000004;  // IMAGE_DEBUG_TYPE_MISC
    SizeOfData       0x00000110;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x00018700;

This entry should be understood as miscellaneous information; its length is 272 bytes. Let's look at the specific information. Its structure is:

typedef struct _IMAGE_DEBUG_MISC {
    DWORD   DataType;     // type of misc data, see defines
    DWORD   Length;       // total length of record, rounded to four
                          // byte multiple
    BOOLEAN Unicode;      // TRUE if data is Unicode string
    BYTE    Reserved[3];
    BYTE    Data[1];      // actual data
} IMAGE_DEBUG_MISC, *PIMAGE_DEBUG_MISC;

DataType: the type of the information; currently only one kind is defined:

#define IMAGE_DEBUG_MISC_EXENAME 1

Length: the total length of the data.

Unicode: whether the data is a Unicode string.

Data: the data itself.

Let's look at the data in ntoskrnl.dbg: DataType is IMAGE_DEBUG_MISC_EXENAME, Length is 0x110, Unicode is FALSE, and Data is a string ending in OBJ/I386/NTOSKRNL.EXE. From this, the MISC information appears to be the path of the compiled file.

Looking at the fourth IMAGE_DEBUG_DIRECTORY entry:

    TimeDateStamp    0x00000004
    MajorVersion     0x0001
    MinorVersion     0x0000
    Type             0x00000007;  // IMAGE_DEBUG_TYPE_OMAP_TO_SRC
    SizeOfData       0x000D4D08;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x00018810;

From the data we can see that, unlike the previous entries, this one has no creation time, its major version number is 1, and it carries a great deal of data. Let's look at the definition of the OMAP structure.

typedef struct _OMAP {
    ULONG rva;
    ULONG rvaTo;
} OMAP, *POMAP;

rva: the local (relative) virtual address.

rvaTo: the address in the original program.

Looking at the fifth IMAGE_DEBUG_DIRECTORY entry:

Its type is IMAGE_DEBUG_TYPE_OMAP_FROM_SRC; its structure is the same as that of IMAGE_DEBUG_TYPE_OMAP_TO_SRC.

Looking at the sixth IMAGE_DEBUG_DIRECTORY entry: I don't know what it means; Microsoft has not made it public.

In the next section I will introduce the CodeView information.

Reference: "Undocumented Windows 2000 Secrets"

Please credit the original URL when reposting: https://www.9cbs.com/read-129982.html
