This article covers Microsoft's debugging-information support. Microsoft ships two helper libraries for it, DBGHELP.DLL and IMAGEHLP.DLL, but to get at deeper, more useful debugging information you have to understand the debugging files themselves. Only DBG files and PDB files are discussed here. Much of this is undocumented by Microsoft and I am still in the exploration phase, so mistakes are unavoidable.
The debugging information Microsoft provides generally comes in two kinds of file, DBG files and PDB files. NT 4.0 shipped no PDB files for its system binaries; the information that would otherwise live in a PDB was kept inside the DBG file.
Let's take a closer look at the contents of a DBG file.
A DBG file is made up of four parts, in this order:
IMAGE_SEPARATE_DEBUG_HEADER. The file begins with this structure, whose first two bytes are the signature characters "DI".
IMAGE_SECTION_HEADER array. Each entry corresponds to one section of the PE file the DBG describes. The number of entries is given by the NumberOfSections member of IMAGE_SEPARATE_DEBUG_HEADER.
Exported symbol names. A block of NUL-terminated ANSI strings (one byte per character), one for each symbol the module exports. The ExportedNamesSize member of IMAGE_SEPARATE_DEBUG_HEADER gives the size of this block in bytes. If the module exports no symbols, ExportedNamesSize is 0 and the block is absent.
IMAGE_DEBUG_DIRECTORY array. Each entry describes the format, size and file position of one block of debugging data that follows. The DebugDirectorySize member of IMAGE_SEPARATE_DEBUG_HEADER gives the size of this array in bytes.
The blocks of debugging data pointed to by the directory entries occupy the rest of the file. So the layout, in file order, is: separate-debug header, section headers, exported names, debug directory, debug data.
IMAGE_SEPARATE_DEBUG_HEADER: this structure is always at the start of the file. It is defined in WINNT.H as:
    typedef struct _IMAGE_SEPARATE_DEBUG_HEADER {
        WORD   Signature;
        WORD   Flags;
        WORD   Machine;
        WORD   Characteristics;
        DWORD  TimeDateStamp;
        DWORD  CheckSum;
        DWORD  ImageBase;
        DWORD  SizeOfImage;
        DWORD  NumberOfSections;
        DWORD  ExportedNamesSize;
        DWORD  DebugDirectorySize;
        DWORD  SectionAlignment;
        DWORD  Reserved[2];
    } IMAGE_SEPARATE_DEBUG_HEADER, *PIMAGE_SEPARATE_DEBUG_HEADER;
Signature: always 0x4944, the bytes "DI" (IMAGE_SEPARATE_DEBUG_SIGNATURE).
Flags: WINNT.H defines a single bit here, IMAGE_SEPARATE_DEBUG_MISMATCH (0x8000), set when the DBG file was updated and the old checksum no longer matched. The remaining bits are not documented.
Machine: the target machine type, one of the IMAGE_FILE_MACHINE_* values defined in WINNT.H (the same values used in the PE file header). For the files discussed here it is almost always IMAGE_FILE_MACHINE_I386.
    Value                            Meaning
    IMAGE_FILE_MACHINE_UNKNOWN   0x0000  unknown machine type
    IMAGE_FILE_MACHINE_I386      0x014c  Intel 386 and later
    IMAGE_FILE_MACHINE_R3000     0x0162  MIPS little-endian
    IMAGE_FILE_MACHINE_R4000     0x0166  MIPS little-endian
    IMAGE_FILE_MACHINE_R10000    0x0168  MIPS little-endian
    IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169  MIPS little-endian, Windows CE v2
    IMAGE_FILE_MACHINE_ALPHA     0x0184  Alpha AXP
    IMAGE_FILE_MACHINE_POWERPC   0x01F0  IBM PowerPC little-endian
    IMAGE_FILE_MACHINE_SH3       0x01a2  SH3 little-endian
    IMAGE_FILE_MACHINE_SH3E      0x01a4  SH3E little-endian
    IMAGE_FILE_MACHINE_SH4       0x01a6  SH4 little-endian
    IMAGE_FILE_MACHINE_ARM       0x01c0  ARM little-endian
    IMAGE_FILE_MACHINE_THUMB     0x01c2  ARM Thumb
    IMAGE_FILE_MACHINE_IA64      0x0200  Intel IA-64
    IMAGE_FILE_MACHINE_MIPS16    0x0266  MIPS16
    IMAGE_FILE_MACHINE_MIPSFPU   0x0366  MIPS with FPU
    IMAGE_FILE_MACHINE_MIPSFPU16 0x0466  MIPS16 with FPU
    IMAGE_FILE_MACHINE_ALPHA64   0x0284  Alpha 64-bit
    IMAGE_FILE_MACHINE_AXP64     0x0284  same value as IMAGE_FILE_MACHINE_ALPHA64
Characteristics: attributes of the file, a combination of the following flags (the same IMAGE_FILE_* flags as in the PE file header):
    Value                                       Meaning
    IMAGE_FILE_RELOCS_STRIPPED          0x0001  relocation information has been stripped from the file
    IMAGE_FILE_EXECUTABLE_IMAGE         0x0002  the file is executable (no unresolved external references)
    IMAGE_FILE_LINE_NUMS_STRIPPED       0x0004  line numbers have been stripped from the file
    IMAGE_FILE_LOCAL_SYMS_STRIPPED      0x0008  local symbols have been stripped from the file
    IMAGE_FILE_AGGRESIVE_WS_TRIM        0x0010  aggressively trim the working set
    IMAGE_FILE_LARGE_ADDRESS_AWARE      0x0020  the application can handle addresses larger than 2 GB
    IMAGE_FILE_BYTES_REVERSED_LO        0x0080  bytes of the word are reversed (low)
    IMAGE_FILE_32BIT_MACHINE            0x0100  the machine supports 32-bit words
    IMAGE_FILE_DEBUG_STRIPPED           0x0200  debugging information is stored separately in a .dbg file
    IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP  0x0400  if the image is on removable media, copy it to and run it from the swap file
    IMAGE_FILE_NET_RUN_FROM_SWAP        0x0800  if the image is on the network, copy it to and run it from the swap file
    IMAGE_FILE_SYSTEM                   0x1000  system file
    IMAGE_FILE_DLL                      0x2000  DLL file
    IMAGE_FILE_UP_SYSTEM_ONLY           0x4000  the file should only be run on a uniprocessor machine
    IMAGE_FILE_BYTES_REVERSED_HI        0x8000  bytes of the word are reversed (high)
TimeDateStamp: the creation time of the file, in seconds since 00:00 on 1 January 1970. CheckSum: the file checksum. A debugger compares these two fields with the PE file's FileHeader.TimeDateStamp and OptionalHeader.CheckSum; only when both match can the DBG file be taken as the debugging information for that PE file.
ImageBase: the preferred base address of the PE file. This is only a default; the actual load address often differs once the image has been relocated.
SizeOfImage: the size of the image in memory, matching the PE file's OptionalHeader.SizeOfImage.
NumberOfSections: the number of IMAGE_SECTION_HEADER entries in the array that follows this structure.
ExportedNamesSize: the size of the exported-names block, in bytes.
DebugDirectorySize: the size of the whole IMAGE_DEBUG_DIRECTORY array, in bytes.
SectionAlignment: the section alignment of the image.
Next, let's look at the IMAGE_SEPARATE_DEBUG_HEADER read from ntoskrnl.dbg, a file that is used constantly when debugging. Your copy may be a different build, so some of the values may differ:
    Signature          = 0x4944;      // "DI"
    Flags              = 0x0000;
    Machine            = 0x014c;      // IMAGE_FILE_MACHINE_I386
    Characteristics    = 0x030E;      // IMAGE_FILE_DEBUG_STRIPPED | IMAGE_FILE_32BIT_MACHINE |
                                      // IMAGE_FILE_LOCAL_SYMS_STRIPPED | IMAGE_FILE_LINE_NUMS_STRIPPED |
                                      // IMAGE_FILE_EXECUTABLE_IMAGE
    TimeDateStamp      = 0x4047db83;  // 2004-03-05 01:44:35 UTC
    CheckSum           = 0x001ac013;
    ImageBase          = 0x00400000;
    SizeOfImage        = 0x001A59C0;
    NumberOfSections   = 0x00000015;  // 21 sections
    ExportedNamesSize  = 0x00006390;
    DebugDirectorySize = 0x000000A8;  // 168 bytes = 6 entries of 28 bytes
    SectionAlignment   = 0x00000040;
(0x030E = 0x0200 | 0x0100 | 0x0008 | 0x0004 | 0x0002. Note that bit 0x0001, IMAGE_FILE_RELOCS_STRIPPED, is not set: the kernel keeps its relocations.)
These values give us the basic facts about the DBG file. The two members we care most about are NumberOfSections and ExportedNamesSize, because they determine where the later parts of the file lie, while TimeDateStamp and CheckSum let us verify that the PE file in hand really matches this debugging file.
IMAGE_SECTION_HEADER data
As described above, the IMAGE_SECTION_HEADER array immediately follows IMAGE_SEPARATE_DEBUG_HEADER in the DBG file, and its number of entries is given by NumberOfSections in IMAGE_SEPARATE_DEBUG_HEADER. The structure is defined in WINNT.H as:
    typedef struct _IMAGE_SECTION_HEADER {
        BYTE   Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;
        } Misc;
        DWORD  VirtualAddress;
        DWORD  SizeOfRawData;
        DWORD  PointerToRawData;
        DWORD  PointerToRelocations;
        DWORD  PointerToLinenumbers;
        WORD   NumberOfRelocations;
        WORD   NumberOfLinenumbers;
        DWORD  Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
Name: the section name, IMAGE_SIZEOF_SHORT_NAME (8) bytes. When all 8 bytes are used there is no terminating NUL, so never hand this field to strlen or printf("%s") directly; copy it into a 9-byte buffer first.
Misc.PhysicalAddress / Misc.VirtualSize: one and the same DWORD. In an object file it is the physical address; in an image (and in the DBG file) it is the size of the section once loaded in memory.
VirtualAddress: the address of the first byte of the section, relative to the image base (an RVA).
SizeOfRawData: the size of the section's data on disk, rounded up to the file alignment.
PointerToRawData: the file offset of the section's data.
PointerToRelocations: the file offset of the section's relocation records (object files only; 0 in an image).
PointerToLinenumbers: the file offset of the section's COFF line-number records.
NumberOfRelocations: the number of relocation records.
NumberOfLinenumbers: the number of line-number records.
Characteristics: attributes of the section, a combination of the following flags:
    Value                                        Meaning
    IMAGE_SCN_TYPE_REG               0x00000000  reserved
    IMAGE_SCN_TYPE_DSECT             0x00000001  reserved
    IMAGE_SCN_TYPE_NOLOAD            0x00000002  reserved
    IMAGE_SCN_TYPE_GROUP             0x00000004  reserved
    IMAGE_SCN_TYPE_NO_PAD            0x00000008  reserved (do not pad the section)
    IMAGE_SCN_TYPE_COPY              0x00000010  reserved
    IMAGE_SCN_CNT_CODE               0x00000020  section contains executable code
    IMAGE_SCN_CNT_INITIALIZED_DATA   0x00000040  section contains initialized data
    IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080  section contains uninitialized data
    IMAGE_SCN_LNK_OTHER              0x00000100  reserved
    IMAGE_SCN_LNK_INFO               0x00000200  section contains comments or other information
    IMAGE_SCN_TYPE_OVER              0x00000400  reserved
    IMAGE_SCN_LNK_REMOVE             0x00000800  section is not to become part of the image
    IMAGE_SCN_LNK_COMDAT             0x00001000  section contains COMDAT data
    IMAGE_SCN_MEM_FARDATA            0x00008000
    IMAGE_SCN_MEM_PURGEABLE          0x00020000
    IMAGE_SCN_MEM_16BIT              0x00020000
    IMAGE_SCN_MEM_LOCKED             0x00040000
    IMAGE_SCN_MEM_PRELOAD            0x00080000
    IMAGE_SCN_ALIGN_1BYTES           0x00100000  align data on a 1-byte boundary (the other IMAGE_SCN_ALIGN_* values follow, up to 8192 bytes)
    IMAGE_SCN_LNK_NRELOC_OVFL        0x01000000  section contains extended relocations
    IMAGE_SCN_MEM_DISCARDABLE        0x02000000  section can be discarded
    IMAGE_SCN_MEM_NOT_CACHED         0x04000000  section is not cacheable
    IMAGE_SCN_MEM_NOT_PAGED          0x08000000  section is not pageable
    IMAGE_SCN_MEM_SHARED             0x10000000  section is shareable
    IMAGE_SCN_MEM_EXECUTE            0x20000000  section is executable
    IMAGE_SCN_MEM_READ               0x40000000  section is readable
    IMAGE_SCN_MEM_WRITE              0x80000000  section is writable
Let's look at the section information in ntoskrnl.dbg. From the IMAGE_SEPARATE_DEBUG_HEADER analysed above we already know the file holds 21 (0x15) sections; only the first four are listed here, and interested readers can dump all 21. Two points worth noticing in the dump: VirtualAddress equals PointerToRawData in every section, which with SectionAlignment = 0x40 means the kernel's file layout mirrors its memory layout; and the names POOLCODE and MISYSPTE fill all 8 bytes of Name. The original dump printed those two names with a stray character after them ("POOLCODE5" and "MISYSPTE?") because it treated Name as a C string and ran into the low byte of the following VirtualSize field (0x35 = '5' from 0x00000B35, and the unprintable 0xEC from 0x000006EC), exactly the mistake the Name description above warns about. Characteristics = 0x68000020 decodes as IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_CNT_CODE. Misc is shown once, as VirtualSize (PhysicalAddress is the same DWORD).
Section 0
    Name:                 .text
    Misc.VirtualSize:     0x0006AD1B
    VirtualAddress:       0x00000540
    SizeOfRawData:        0x0006AD40
    PointerToRawData:     0x00000540
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x0000
    NumberOfLinenumbers:  0x0000
    Characteristics:      0x68000020
Section 1
    Name:                 POOLCODE
    Misc.VirtualSize:     0x00000B35
    VirtualAddress:       0x0006B280
    SizeOfRawData:        0x00000B40
    PointerToRawData:     0x0006B280
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x0000
    NumberOfLinenumbers:  0x0000
    Characteristics:      0x68000020
Section 2
    Name:                 POOLMI
    Misc.VirtualSize:     0x00001289
    VirtualAddress:       0x0006BDC0
    SizeOfRawData:        0x000012C0
    PointerToRawData:     0x0006BDC0
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x0000
    NumberOfLinenumbers:  0x0000
    Characteristics:      0x68000020
Section 3
    Name:                 MISYSPTE
    Misc.VirtualSize:     0x000006EC
    VirtualAddress:       0x0006D080
    SizeOfRawData:        0x00000700
    PointerToRawData:     0x0006D080
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations:  0x0000
    NumberOfLinenumbers:  0x0000
    Characteristics:      0x68000020
Exported symbol names
This block starts at file offset sizeof(IMAGE_SEPARATE_DEBUG_HEADER) + NumberOfSections * sizeof(IMAGE_SECTION_HEADER), and its size is the ExportedNamesSize member of IMAGE_SEPARATE_DEBUG_HEADER. Every symbol the module exports is listed here as a NUL-terminated string. ntoskrnl.dbg exports 1230 symbols; the list begins and ends as follows:
CcCanIWrite CcDeferWrite CcFastCopyRead CcFastCopyWrite CcFastMdlReadWait CcFastReadNotPossible CcFastReadWait CcFlushCache CcGetDirtyPages ... towupper vsprintf wcscat wcschr wcscmp wcscpy wcscspn wcslen wcsncat wcsncmp wcsncpy wcsrchr wcsspn wcsstr wcstombs wctomb
IMAGE_DEBUG_DIRECTORY array
The last part of the DBG file's fixed layout is the IMAGE_DEBUG_DIRECTORY array, the directory of the debugging information. It starts at the file offset of the exported-names block plus ExportedNamesSize. WINNT.H defines the structure as:
    typedef struct _IMAGE_DEBUG_DIRECTORY {
        DWORD  Characteristics;
        DWORD  TimeDateStamp;
        WORD   MajorVersion;
        WORD   MinorVersion;
        DWORD  Type;
        DWORD  SizeOfData;
        DWORD  AddressOfRawData;
        DWORD  PointerToRawData;
    } IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;
Characteristics: reserved, 0.
TimeDateStamp: the date and time the debugging information was created.
MajorVersion: major version of the debugging-information format.
MinorVersion: minor version of the debugging-information format.
Type: the kind of debugging information, one of the following:
    Value                               Meaning
    IMAGE_DEBUG_TYPE_UNKNOWN        0   unknown value, ignored by all tools
    IMAGE_DEBUG_TYPE_COFF           1   COFF debugging information (line numbers, symbol table and string table)
    IMAGE_DEBUG_TYPE_CODEVIEW       2   CodeView debugging information; the format of the data block is described by the CodeView 4.0 specification
    IMAGE_DEBUG_TYPE_FPO            3   frame pointer omission (FPO) information, which tells the debugger how to interpret nonstandard stack frames that use EBP for something other than a frame pointer
    IMAGE_DEBUG_TYPE_MISC           4   miscellaneous information
    IMAGE_DEBUG_TYPE_EXCEPTION      5   exception information
    IMAGE_DEBUG_TYPE_FIXUP          6   fixup information
    IMAGE_DEBUG_TYPE_OMAP_TO_SRC    7   mapping from RVAs in the optimized image to RVAs in the original (source) image
    IMAGE_DEBUG_TYPE_OMAP_FROM_SRC  8   mapping from RVAs in the original (source) image to RVAs in the optimized image
    IMAGE_DEBUG_TYPE_BORLAND        9   Borland debugging information
    IMAGE_DEBUG_TYPE_RESERVED10    10   reserved
SizeOfData: the size of this block of debugging data, in bytes.
AddressOfRawData: the RVA of the data when it is mapped as part of a loaded image. It is 0 in every ntoskrnl.dbg entry shown below, since a DBG file is never loaded as an image.
PointerToRawData: the file offset of the debugging data.
Not every type appears in a DBG file. NT 4.0 DBG files contain only four of them: IMAGE_DEBUG_TYPE_COFF, IMAGE_DEBUG_TYPE_CODEVIEW, IMAGE_DEBUG_TYPE_FPO and IMAGE_DEBUG_TYPE_MISC. Windows 2000 .dbg files usually add IMAGE_DEBUG_TYPE_OMAP_TO_SRC and IMAGE_DEBUG_TYPE_OMAP_FROM_SRC, plus an undocumented entry with type ID 0x1000.
If you are interested in parsing or browsing symbols, you only need to understand three directory entries: IMAGE_DEBUG_TYPE_CODEVIEW, IMAGE_DEBUG_TYPE_OMAP_TO_SRC and IMAGE_DEBUG_TYPE_OMAP_FROM_SRC.
The length of the IMAGE_DEBUG_DIRECTORY array is determined by DebugDirectorySize in IMAGE_SEPARATE_DEBUG_HEADER: the number of entries is DebugDirectorySize / sizeof(IMAGE_DEBUG_DIRECTORY). Because the directory entries are the important part of the file, they are covered in detail here. Let's look at the directory in ntoskrnl.dbg.
First find the address of the IMAGE_DEBUG_DIRECTORY array in the DBG file, given pDebugHeader pointing at the file header and pExport (a PBYTE) pointing at the exported-names block:
    PIMAGE_DEBUG_DIRECTORY pDir = (PIMAGE_DEBUG_DIRECTORY)(pExport + pDebugHeader->ExportedNamesSize);
Then compute the number of entries:
    DWORD dirCount = pDebugHeader->DebugDirectorySize / sizeof(IMAGE_DEBUG_DIRECTORY);
dirCount is 6 here (0xA8 / 28). As said before, each entry's PointerToRawData is the file offset of its data, relative to the start of the file, and SizeOfData is the size of that data.
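The walk just described, from the separate-debug header through the section headers and exported names to the debug directory, as a bounds-checked parser. This is an added example, not code from the original article or from DBGHELP. It redeclares the three WINNT.H structures with fixed-width types so it compiles outside Windows, and instead of opening ntoskrnl.dbg it builds a small constructed .dbg image in memory: the header and section values are copied from the dumps above, while the single exported-name block, the single directory entry and its 8-byte payload are made up for the example. The names dbg_parse, dbg_section, dbg_dir, dbg_count_exports, dbg_matches_image and build_sample are all this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SEPARATE_DEBUG_SIGNATURE 0x4944   /* "DI" */

typedef struct {   /* WINNT.H IMAGE_SEPARATE_DEBUG_HEADER, 48 bytes */
    uint16_t Signature, Flags, Machine, Characteristics;
    uint32_t TimeDateStamp, CheckSum, ImageBase, SizeOfImage;
    uint32_t NumberOfSections, ExportedNamesSize, DebugDirectorySize, SectionAlignment, Reserved[2];
} IMAGE_SEPARATE_DEBUG_HEADER;
typedef struct {   /* WINNT.H IMAGE_SECTION_HEADER, 40 bytes; the Misc union collapsed to VirtualSize */
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} IMAGE_SECTION_HEADER;
typedef struct {   /* WINNT.H IMAGE_DEBUG_DIRECTORY, 28 bytes */
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Type, SizeOfData, AddressOfRawData, PointerToRawData;
} IMAGE_DEBUG_DIRECTORY;
_Static_assert(sizeof(IMAGE_SEPARATE_DEBUG_HEADER) == 48 && sizeof(IMAGE_SECTION_HEADER) == 40 &&
               sizeof(IMAGE_DEBUG_DIRECTORY) == 28, "structure layouts must match WINNT.H");

typedef struct {
    const uint8_t *buf; size_t len;
    IMAGE_SEPARATE_DEBUG_HEADER hdr;   /* copied out, so buf needs no particular alignment */
    size_t sections_off, names_off, dirs_off;
    uint32_t ndirs;
} DBG_VIEW;

/* Locate the four regions in file order. Every size comes from an untrusted file, so each one is
 * checked against what remains of the buffer before the running offset is advanced. */
int dbg_parse(const uint8_t *buf, size_t len, DBG_VIEW *v) {
    if (len < sizeof v->hdr) return -1;
    memcpy(&v->hdr, buf, sizeof v->hdr);
    if (v->hdr.Signature != IMAGE_SEPARATE_DEBUG_SIGNATURE) return -2;
    v->buf = buf; v->len = len;
    size_t off = sizeof v->hdr;
    uint64_t sec_bytes = (uint64_t)v->hdr.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (sec_bytes > len - off) return -3;
    v->sections_off = off; off += (size_t)sec_bytes;
    if (v->hdr.ExportedNamesSize > len - off) return -4;
    v->names_off = off; off += v->hdr.ExportedNamesSize;
    if (v->hdr.DebugDirectorySize % sizeof(IMAGE_DEBUG_DIRECTORY) || v->hdr.DebugDirectorySize > len - off) return -5;
    v->dirs_off = off; v->ndirs = v->hdr.DebugDirectorySize / sizeof(IMAGE_DEBUG_DIRECTORY);
    return 0;
}

/* Section i, plus its name as a real C string: Name has no terminating NUL when all 8 bytes are
 * used (MISYSPTE above), so it is copied into a 9-byte buffer instead of being passed to strlen. */
int dbg_section(const DBG_VIEW *v, uint32_t i, IMAGE_SECTION_HEADER *out, char name[9]) {
    if (i >= v->hdr.NumberOfSections) return -1;
    memcpy(out, v->buf + v->sections_off + (size_t)i * sizeof *out, sizeof *out);
    memcpy(name, out->Name, 8); name[8] = '\0';
    return 0;
}

/* Directory entry i, with its raw data checked to lie inside the file. */
int dbg_dir(const DBG_VIEW *v, uint32_t i, IMAGE_DEBUG_DIRECTORY *out) {
    if (i >= v->ndirs) return -1;
    memcpy(out, v->buf + v->dirs_off + (size_t)i * sizeof *out, sizeof *out);
    return (out->PointerToRawData > v->len || out->SizeOfData > v->len - out->PointerToRawData) ? -2 : 0;
}

/* Count the NUL-terminated names in the exported-names block; empty strings (padding) are skipped. */
uint32_t dbg_count_exports(const DBG_VIEW *v) {
    const char *p = (const char *)v->buf + v->names_off;
    uint32_t n = 0, start = 0;
    for (uint32_t i = 0; i < v->hdr.ExportedNamesSize; i++)
        if (p[i] == '\0') { if (i > start) n++; start = i + 1; }
    return n;
}

/* The pairing test before trusting a .dbg for an image: the PE's FileHeader.TimeDateStamp and
 * OptionalHeader.CheckSum must both equal the values in the separate-debug header. */
int dbg_matches_image(const DBG_VIEW *v, uint32_t pe_timestamp, uint32_t pe_checksum) {
    return v->hdr.TimeDateStamp == pe_timestamp && v->hdr.CheckSum == pe_checksum;
}

/* Constructed sample .dbg (not a real file): one section, two exported names, one CodeView entry.
 * Header and section values are taken from the ntoskrnl.dbg dumps above; the rest is made up. */
static uint8_t sample[160];
size_t build_sample(void) {
    IMAGE_SEPARATE_DEBUG_HEADER h = { IMAGE_SEPARATE_DEBUG_SIGNATURE, 0, 0x014c, 0x030E, 0x4047db83,
                                      0x001ac013, 0x00400000, 0x001A59C0, 1, 24, 28, 0x40, {0, 0} };
    IMAGE_SECTION_HEADER s = { {'M','I','S','Y','S','P','T','E'}, 0x6ec, 0x6d080, 0x700, 0x6d080,
                               0, 0, 0, 0, 0x68000020 };
    IMAGE_DEBUG_DIRECTORY d = { 0, 0x403D35E2, 0, 0, 2 /* IMAGE_DEBUG_TYPE_CODEVIEW */, 8, 0, 140 };
    memset(sample, 0, sizeof sample);
    memcpy(sample, &h, 48);                            /* header at 0, section header at 48 */
    memcpy(sample + 48, &s, 40);
    memcpy(sample + 88, "CcFlushCache\0wcslen", 20);   /* names at 88, zero-padded to 24 bytes */
    memcpy(sample + 112, &d, 28);                      /* directory at 112, its 8-byte payload at 140 */
    memcpy(sample + 140, "NB10\0\0\0\0", 8);
    return 148;
}

int main(void) {
    DBG_VIEW v; IMAGE_SECTION_HEADER s; IMAGE_DEBUG_DIRECTORY d; char name[9];
    size_t n = build_sample();
    if (dbg_parse(sample, n, &v) || dbg_section(&v, 0, &s, name) || dbg_dir(&v, 0, &d)) return 1;
    printf("machine 0x%04x, %u sections, %u exports, %u directory entries; section 0 %s 0x%08x;"
           " dir 0 type %u at 0x%x; matches image: %d\n", v.hdr.Machine, v.hdr.NumberOfSections,
           dbg_count_exports(&v), v.ndirs, name, s.Characteristics, d.Type, d.PointerToRawData,
           dbg_matches_image(&v, 0x4047db83, 0x001ac013));
    return 0;
}
```

To run it against a real file, read the whole .dbg into a buffer and pass it to dbg_parse; the negative return codes tell you which region a truncated or tampered file fails in, which is preferable to the debugger-style crash you get from trusting NumberOfSections or a PointerToRawData blindly.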
Let's look at each entry in turn.
The first IMAGE_DEBUG_DIRECTORY entry:
    TimeDateStamp    0x403D35E2;   // 2004-02-25 23:55:14 UTC
    MajorVersion     0x0000;
    MinorVersion     0x0000;
    Type             0x00000002;   // IMAGE_DEBUG_TYPE_CODEVIEW
    SizeOfData       0x0000001D;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x000067D0;
Its type is IMAGE_DEBUG_TYPE_CODEVIEW, which will be discussed in detail later, so it is skipped here.
The second IMAGE_DEBUG_DIRECTORY entry:
    TimeDateStamp    0x403D35E2;   // 2004-02-25 23:55:14 UTC
    MajorVersion     0x0000;
    MinorVersion     0x0000;
    Type             0x00000003;   // IMAGE_DEBUG_TYPE_FPO
    SizeOfData       0x00011F10;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x000067F0;
Its type is IMAGE_DEBUG_TYPE_FPO. The data is an array of FPO_DATA structures that starts at file offset PointerToRawData and is SizeOfData bytes long; here that is 0x11F10 / 16 = 4593 records.
FPO_DATA is defined in WINNT.H as:
    typedef struct _FPO_DATA {
        DWORD ulOffStart;        // offset of the 1st byte of function code
        DWORD cbProcSize;        // # bytes in function
        DWORD cdwLocals;         // # bytes in locals / 4
        WORD  cdwParams;         // # bytes in params / 4
        WORD  cbProlog : 8;      // # bytes in prolog
        WORD  cbRegs   : 3;      // # regs saved
        WORD  fHasSEH  : 1;      // TRUE if SEH in func
        WORD  fUseBP   : 1;      // TRUE if EBP has been allocated
        WORD  reserved : 1;      // reserved for future use
        WORD  cbFrame  : 2;      // frame type
    } FPO_DATA, *PFPO_DATA;
    #define SIZEOF_RFPO_DATA 16
ulOffStart: the offset of the function from the image base (its RVA). The records are sorted by this field, so the record covering a given address can be found by binary search.
cbProcSize: the size of the function in bytes.
cdwLocals: the size of the local variables, in DWORDs.
cdwParams: the size of the parameters, in DWORDs.
cbProlog: the size of the prolog, in bytes.
cbRegs: the number of registers the prolog saves.
fHasSEH: TRUE if the function sets up a structured exception handler.
fUseBP: TRUE if the function uses EBP as a general-purpose register rather than as a frame pointer.
cbFrame: the frame type:
    Type            Meaning
    FRAME_FPO     0  FPO frame (no frame pointer)
    FRAME_TRAP    1  trap frame
    FRAME_TSS     2  TSS frame
    FRAME_NONFPO  3  non-FPO frame (conventional EBP frame)
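What a debugger actually does with these records, shown as an added example rather than the article's code or DBGHELP's: it binary-searches the ulOffStart-sorted table for the record covering EIP and, for a FRAME_FPO function, locates the return address from cdwLocals and cbRegs instead of from EBP, falling back to the EBP chain for a FRAME_NONFPO record. The table, the stack contents and the register values below are constructed for the example (A calls B calls C, with B and C compiled without frame pointers), and the names fpo_find, fpo_unwind, STACK, REGS and demo_walk are this example's own. Two simplifications are stated in the code: EIP is assumed to be past the prolog, and frames with fUseBP set are refused rather than unwound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {                 /* WINNT.H FPO_DATA: one record per function, sorted by ulOffStart */
    uint32_t ulOffStart;         /* RVA of the first byte of the function */
    uint32_t cbProcSize;         /* size of the function in bytes */
    uint32_t cdwLocals;          /* size of locals in DWORDs */
    uint16_t cdwParams;          /* size of parameters in DWORDs */
    uint16_t cbProlog : 8;       /* size of the prolog in bytes */
    uint16_t cbRegs   : 3;       /* number of registers the prolog pushes */
    uint16_t fHasSEH  : 1;       /* function sets up an SEH frame */
    uint16_t fUseBP   : 1;       /* EBP is used as a general register, not as a frame pointer */
    uint16_t reserved : 1;
    uint16_t cbFrame  : 2;       /* FRAME_FPO, FRAME_TRAP, FRAME_TSS or FRAME_NONFPO */
} FPO_DATA;
_Static_assert(sizeof(FPO_DATA) == 16, "SIZEOF_RFPO_DATA");
enum { FRAME_FPO = 0, FRAME_TRAP = 1, FRAME_TSS = 2, FRAME_NONFPO = 3 };

/* Binary search: the record whose [ulOffStart, ulOffStart + cbProcSize) contains rva, or NULL. */
const FPO_DATA *fpo_find(const FPO_DATA *tab, size_t n, uint32_t rva) {
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tab[mid].ulOffStart <= rva) lo = mid + 1; else hi = mid;
    }
    if (lo == 0) return NULL;
    const FPO_DATA *f = &tab[lo - 1];
    return rva - f->ulOffStart < f->cbProcSize ? f : NULL;
}

typedef struct { uint32_t base; const uint32_t *dwords; size_t count; } STACK;  /* simulated stack memory */
typedef struct { uint32_t eip, esp, ebp; } REGS;                                   /* eip is an RVA */

static int stack_read(const STACK *st, uint32_t addr, uint32_t *out) {
    if (addr < st->base || (addr - st->base) % 4 || (addr - st->base) / 4 >= st->count) return -1;
    *out = st->dwords[(addr - st->base) / 4];
    return 0;
}

/* One unwind step. FRAME_FPO has no frame pointer: once the prolog has run, the return address sits
 * above the locals and the pushed registers, at ESP + 4 * (cdwLocals + cbRegs). FRAME_NONFPO is a
 * conventional frame: return address at [EBP+4], caller's EBP at [EBP]. Assumptions of this example:
 * EIP is past the prolog (inside it fewer slots have been pushed, which is not modelled), and an FPO
 * function with fUseBP set is refused because restoring the caller's EBP would need more than this. */
int fpo_unwind(const FPO_DATA *tab, size_t n, const STACK *st, REGS *r) {
    const FPO_DATA *f = fpo_find(tab, n, r->eip);
    if (!f) return -1;
    if (r->eip - f->ulOffStart < f->cbProlog) return -2;
    uint32_t ret_slot, ret, caller_ebp = r->ebp;
    if (f->cbFrame == FRAME_FPO) {
        if (f->fUseBP) return -4;
        ret_slot = r->esp + 4 * (f->cdwLocals + f->cbRegs);
    } else if (f->cbFrame == FRAME_NONFPO) {
        ret_slot = r->ebp + 4;
        if (stack_read(st, r->ebp, &caller_ebp)) return -3;
    } else {
        return -5;               /* trap and TSS frames need kernel structures, not handled here */
    }
    if (stack_read(st, ret_slot, &ret)) return -3;
    r->eip = ret;
    r->esp = ret_slot + 4;       /* caller's ESP right after the return; the record does not say who
                                    pops the cdwParams DWORDs, so they are left in place */
    r->ebp = caller_ebp;
    return 0;
}

/* Constructed scenario: A (EBP frame) calls B (FPO: 2 locals, 2 saved regs, 1 param), B calls C
 * (FPO: 1 saved reg), and execution is stopped inside C. Addresses are RVAs; stack base is 0x12f018. */
static const FPO_DATA sample_table[3] = {
    { .ulOffStart = 0x1000, .cbProcSize = 0x100, .cdwLocals = 2, .cdwParams = 1, .cbProlog = 3, .cbFrame = FRAME_NONFPO },
    { .ulOffStart = 0x2000, .cbProcSize = 0x080, .cdwLocals = 2, .cdwParams = 1, .cbProlog = 5, .cbRegs = 2, .cbFrame = FRAME_FPO },
    { .ulOffStart = 0x3000, .cbProcSize = 0x040, .cdwLocals = 0, .cdwParams = 0, .cbProlog = 1, .cbRegs = 1, .cbFrame = FRAME_FPO },
};
static const uint32_t sample_dwords[12] = {
    0xAAAAAAAA,               /* 0x12f018: register pushed by C's prolog          (ESP) */
    0x2030,                   /* 0x12f01c: return address into B                        */
    0x11111111, 0x22222222,   /* 0x12f020: B's two locals                               */
    0x33333333, 0x44444444,   /* 0x12f028: two registers pushed by B's prolog           */
    0x1040,                   /* 0x12f030: return address into A                        */
    7,                        /* 0x12f034: B's parameter, pushed by A                   */
    0, 0,                     /* 0x12f038: A's locals, below A's frame pointer          */
    0x12f080,                 /* 0x12f040: A's saved EBP                          (EBP) */
    0x0500,                   /* 0x12f044: return into A's caller, not in the table     */
};
static const STACK sample_stack = { 0x12f018, sample_dwords, 12 };

/* Walk from the constructed state, collecting caller EIPs; returns how many were recovered. */
size_t demo_walk(uint32_t *eips, size_t max) {
    REGS r = { 0x3010, 0x12f018, 0x12f040 };
    size_t k = 0;
    while (k < max && fpo_unwind(sample_table, 3, &sample_stack, &r) == 0) eips[k++] = r.eip;
    return k;
}

int main(void) {
    uint32_t eips[8];
    size_t k = demo_walk(eips, 8);
    for (size_t i = 0; i < k; i++) printf("caller %zu: RVA 0x%04x\n", i, eips[i]);
    return 0;
}
```

The walk stops when it reaches 0x0500, an address with no FPO record, which is also what happens in practice at the boundary into a module whose symbols you do not have. A real FPO stream is read straight from the file at PointerToRawData into an array like sample_table; nothing else changes.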
The third IMAGE_DEBUG_DIRECTORY entry:
    TimeDateStamp    0x403D35E2;   // 2004-02-25 23:55:14 UTC
    MajorVersion     0x0000;
    MinorVersion     0x0000;
    Type             0x00000004;   // IMAGE_DEBUG_TYPE_MISC
    SizeOfData       0x00000110;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x00018700;
This entry holds miscellaneous information, 272 (0x110) bytes of it. Let's look at the data; it is an IMAGE_DEBUG_MISC structure:
    typedef struct _IMAGE_DEBUG_MISC {
        DWORD   DataType;       // type of misc data, see defines
        DWORD   Length;         // total length of record, rounded to four byte multiple
        BOOLEAN Unicode;        // TRUE if data is unicode string
        BYTE    Reserved[3];
        BYTE    Data[1];        // actual data
    } IMAGE_DEBUG_MISC, *PIMAGE_DEBUG_MISC;
DataType: the kind of data. Only one value is defined:
    #define IMAGE_DEBUG_MISC_EXENAME 1
Length: the total length of the record in bytes, rounded up to a multiple of four.
Unicode: whether Data is a Unicode string.
Data: the data itself.
In ntoskrnl.dbg, DataType is IMAGE_DEBUG_MISC_EXENAME, Length is 0x110, Unicode is FALSE, and Data is a path string ending in OBJ/I386/NTOSKRNL.EXE. So the MISC entry records the path of the executable as it was at build time.
The fourth IMAGE_DEBUG_DIRECTORY entry:
    TimeDateStamp    0x00000004;
    MajorVersion     0x0001;
    MinorVersion     0x0000;
    Type             0x00000007;   // IMAGE_DEBUG_TYPE_OMAP_TO_SRC
    SizeOfData       0x000D4D08;
    AddressOfRawData 0x00000000;
    PointerToRawData 0x00018810;
Unlike the earlier entries it carries no real creation time, its major version is 1, and it has a great deal of data: 0xD4D08 / 8 = 108961 OMAP records. The OMAP structure is:
    typedef struct _OMAP {
        ULONG rva;
        ULONG rvaTo;
    } OMAP, *POMAP;
rva: an address (RVA) in the address space this table is indexed by. The array is sorted by this field.
rvaTo: the corresponding address in the other address space. For OMAP_TO_SRC, rva is an address in the optimized image as shipped and rvaTo the address of the same code in the original, pre-optimization image. An address that falls between two entries belongs to the preceding entry and is translated by adding its distance from that entry's rva to rvaTo.
The fifth IMAGE_DEBUG_DIRECTORY entry has type IMAGE_DEBUG_TYPE_OMAP_FROM_SRC. Its data has the same OMAP structure as IMAGE_DEBUG_TYPE_OMAP_TO_SRC but maps in the opposite direction, from original addresses to the optimized image. The symbol addresses recorded by the compiler refer to the original layout, so OMAP_FROM_SRC is what you need to find a symbol in the shipped binary, and OMAP_TO_SRC is what you need to name an address found in the binary.
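The two translations described for OMAP_TO_SRC and OMAP_FROM_SRC, as an added example that is not code from the original article: a binary search over an rva-sorted table that preserves the offset inside the matching range, plus the lookup a symbol browser performs with it, taking an address in the shipped image back to the original layout and then to the nearest preceding symbol. The tables and the two symbols are constructed (a function F whose first 0x40 bytes stayed put while the rest was moved away, and a function G that was moved in behind it). One assumption beyond what the article states is marked in the code: an entry whose rvaTo is 0 is treated as a range with no counterpart in the other layout. The names omap_translate, resolve_symbol, SYMBOL and omap_round_trip are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t rva; uint32_t rvaTo; } OMAP;     /* as defined above */
typedef struct { const char *name; uint32_t rva; } SYMBOL; /* rva in the original layout */

/* Translate addr through an OMAP table sorted by rva: the entry with the greatest rva <= addr applies
 * and the offset inside its range is preserved. Returns -1 when addr lies before the first entry or
 * inside a range whose rvaTo is 0 (assumed here to mean "no counterpart in the other layout"). */
int omap_translate(const OMAP *tab, size_t n, uint32_t addr, uint32_t *out) {
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tab[mid].rva <= addr) lo = mid + 1; else hi = mid;
    }
    if (lo == 0 || tab[lo - 1].rvaTo == 0) return -1;
    *out = tab[lo - 1].rvaTo + (addr - tab[lo - 1].rva);
    return 0;
}

/* Name an address from the shipped image: OMAP_TO_SRC first, then the nearest preceding symbol. */
int resolve_symbol(const OMAP *to_src, size_t n, const SYMBOL *syms, size_t nsyms,
                   uint32_t image_rva, const SYMBOL **sym, uint32_t *offset) {
    uint32_t src;
    if (omap_translate(to_src, n, image_rva, &src)) return -1;
    const SYMBOL *best = NULL;
    for (size_t i = 0; i < nsyms; i++)
        if (syms[i].rva <= src && (!best || syms[i].rva > best->rva)) best = &syms[i];
    if (!best) return -1;
    *sym = best; *offset = src - best->rva;
    return 0;
}

/* Constructed layout: in the original image F occupies 0x1000-0x10FF and G 0x1100-0x113F. The
 * post-link optimizer kept F's first 0x40 bytes at 0x5000, moved G to 0x5040, moved the rest of F
 * to 0x9000 and left 0x5080-0x8FFF unused. */
static const OMAP sample_from_src[4] = {      /* original -> optimized, sorted by original rva */
    { 0x1000, 0x5000 }, { 0x1040, 0x9000 }, { 0x1100, 0x5040 }, { 0x1140, 0 },
};
static const OMAP sample_to_src[5] = {        /* optimized -> original, sorted by optimized rva */
    { 0x5000, 0x1000 }, { 0x5040, 0x1100 }, { 0x5080, 0 }, { 0x9000, 0x1040 }, { 0x90C0, 0 },
};
static const SYMBOL sample_syms[2] = { { "F", 0x1000 }, { "G", 0x1100 } };

/* A symbol's original RVA taken into the image and back again must come out unchanged. */
int omap_round_trip(uint32_t src_rva, uint32_t *image_rva) {
    uint32_t back;
    if (omap_translate(sample_from_src, 4, src_rva, image_rva)) return -1;
    if (omap_translate(sample_to_src, 5, *image_rva, &back)) return -1;
    return back == src_rva ? 0 : -2;
}

int main(void) {
    uint32_t img, off; const SYMBOL *s;
    if (omap_round_trip(0x1050, &img) == 0) printf("F+0x50 lives at image RVA 0x%04x\n", img);
    if (resolve_symbol(sample_to_src, 5, sample_syms, 2, 0x9010, &s, &off) == 0)
        printf("image RVA 0x9010 is %s+0x%x\n", s->name, off);
    if (resolve_symbol(sample_to_src, 5, sample_syms, 2, 0x6000, &s, &off) != 0)
        printf("image RVA 0x6000 has no counterpart in the original layout\n");
    return 0;
}
```

With a real ntoskrnl.dbg, sample_to_src would be the 108961 records read from the fourth directory entry and sample_from_src the records from the fifth; the symbols come from the CodeView data covered in the next section. Note that FPO records describe the shipped image, so an FPO lookup takes the image RVA directly, while a CodeView symbol must be pushed through OMAP_FROM_SRC before it can be compared with anything in the binary.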
The sixth IMAGE_DEBUG_DIRECTORY entry has a type Microsoft has not documented, and I do not know what it means.
In the next section I will introduce the CodeView data.
Reference: "Undocumented Windows 2000 Secrets" (Sven B. Schreiber).