
Add synergy with symport

Posted by rapid7-admin Dec 18, 2008

Originally Posted by Pusscat



Ever wish you could take all the work you just did commenting up a binary in IDA and have it all show up in your debugger? Now, you can produce a map file in IDA, and import it directly into WinDbg with the !symport command in byakugan.


In IDA, select File -> Produce File -> Create Map File, and select the destination. You can select any options for this, but currently we only import what's listed as the Local Symbols (these are all symbols that are tied to a specific memory address relative to the base address). All of the names you changed and added as labels and functions will be exported to the .map file.


Inside WinDbg, load byakugan as normal, then use the !symport command with the module name and the map file path as arguments to import the map file. These will be imported as synthetic symbols, so you won't be able to use them to set breakpoints (this will be fixed soon), but they will show up in the disassembly window.


0:001> !load byakugan.dll
0:001> .reload/f
Reloading current modules
.*** ERROR: Module load completed but symbols could not be loaded for C:\Windows\System32\calc.exe
....*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\GDI32.dll -
.........*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\SHELL32.dll -
0:001> !symport calc C:\Users\lgrenier\
[S] Adjusting symbols to base address of: 0x calc (00680000)
[S] Failed to add synthetic symbol: ?bFocus@@3HA
[S] Failed to add synthetic symbol: ?machine@@3PAY04DA
[S] Failed to add synthetic symbol: ?init_num_ten@@3U_number@@A
[S] Failed to add synthetic symbol: ?init_p_rat_exp@@3U_number@@A
[S] Successfully imported 566 symbols.


A couple of caveats to be aware of. First, you should reload symbol server symbols manually before importing your own (unless they overlap). Reloading will remove all synthetic symbols. Second, if your symbols do overlap, !symport will be unable to override the symbol server symbols. If you'd rather use your own instead of the proper symbols, don't reload at all; just realize that you will be unable to do in-depth heap analysis without the symbols of unexported functions.
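
An added illustration (not byakugan's code and not from the original post) of the rebasing step behind the "Adjusting symbols to base address" log line, together with the overlap caveat: it parses a constructed map file in the segment:offset layout IDA is assumed to write and turns each entry into a runtime address. The section RVAs, the sample symbol names and the function names are assumptions made for the example; only the base address 00680000 comes from the session above.

```python
import re

# Constructed sample in the layout assumed for an IDA .map file (not from the post).
SAMPLE_MAP = """\

 Start         Length     Name                   Class
 0001:00000000 000012000H .text                  CODE
 0002:00000000 000003000H .data                  DATA

  Address         Publics by Value

 0001:00000010       parse_input
 0001:000001A0       wnd_proc_handler
 0002:00000040       g_config

Program entry point at 0001:00000010
"""

SYMBOL_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")

def parse_map(text):
    """Return (segment, offset, name) for each entry after 'Publics by Value'."""
    entries, in_publics = [], False
    for line in text.splitlines():
        if "Publics by Value" in line:
            in_publics = True
            continue
        m = SYMBOL_LINE.match(line)
        if in_publics and m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries

def rebase(entries, module_base, section_rvas, existing=frozenset()):
    """Map seg:offset to runtime addresses; report symbols that cannot be added.

    section_rvas: segment number -> section RVA (assumed read from the PE headers).
    existing: addresses that already carry a symbol-server symbol.
    """
    imported, skipped = {}, []
    for seg, off, name in entries:
        if seg not in section_rvas:
            skipped.append((name, "unknown segment"))
            continue
        addr = module_base + section_rvas[seg] + off
        if addr in existing:  # a synthetic symbol cannot replace an existing one
            skipped.append((name, "overlaps existing symbol"))
        else:
            imported[addr] = name
    return imported, skipped
```
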


NOTE: My XP build VM is at home on my laptop, so only Vista binaries have been updated with this new functionality! I'll be adding XP binaries tonight or tomorrow, or you can build on your own. Good luck!

Originally Posted by hdm



The Metasploit Decloak Engine is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 and was eventually made obsolete by changes to the Flash plugin and improvements in the Torbutton Firefox add-on. The new version includes enhanced versions of the Flash and Java tests, no longer uses any JavaScript, and adds support for iTunes, QuickTime, and Microsoft Office techniques. A properly configured Tor+Torbutton+Privoxy solution still stands up against Decloak, but just about everything else fails. Decloak is unique in that it can obtain the DNS server addresses used by a web browser by combining the results of multiple application protocols into a single test. Thanks to Paul Craig for the QuickTime method implemented in iKAT and to Mike Perry for writing the Torbutton Design Documentation.

