Last updated at Wed, 26 Jul 2017 18:09:34 GMT
Ever wish you could take all the work you just did commenting up a binary in IDA and have it all show up in your debugger? Now, you can produce a map file in IDA, and import it directly into WinDbg with the !symport command in byakugan.
In IDA, select File -> Produce File -> Create Map File, and select the destination. You can select any options for this, but currently we only import what's listed as the Local Symbols (these are all the symbols that are tied to a specific memory address relative to the base address). All of the names you changed and added as labels and functions will be exported to the .map file.
Inside WinDbg, load byakugan as normal, then use the !symport command with the module name and the map file path as arguments to import the map file by name. These will be imported as synthetic symbols, so you won't be able to use them to set breakpoints (this will be fixed soon), but they will show up in the disassembly window.
0:001> !load byakugan.dll
Reloading current modules
.*** ERROR: Module load completed but symbols could not be loaded for C:\Windows\System32\calc.exe
....*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\GDI32.dll -
.........*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\SHELL32.dll -
0:001> !symport calc C:\Users\lgrenier\calc.map
[S] Adjusting symbols to base address of: 0x calc (00680000)
[S] Failed to add synthetic symbol: ?bFocus@@3HA
[S] Failed to add synthetic symbol: ?machine@@3PAY04DA
[S] Failed to add synthetic symbol: ?init_num_ten@@3U_number@@A
[S] Failed to add synthetic symbol: ?init_p_rat_exp@@3U_number@@A
[S] Successfully imported 566 symbols.
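The base-address adjustment that !symport reports above, worked through as an added example (this is not byakugan's code). It parses the segment:offset lines of an IDA-style .map file and rebases each name onto the loaded module base (00680000 in the session above). The map excerpt is constructed, and the per-segment RVAs are an assumption: the map only carries segment-relative offsets, so in practice they come from the module's PE section table.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the Borland-style layout IDA's "Create Map File" emits.
# Not a real calc.exe map; names and offsets are made up for illustration.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 00012000H .text                   CODE
 0002:00000000 00001000H .data                   DATA

  Address         Publics by Value

 0001:00001234       sub_682234
 0001:00001300       ?bFocus@@3HA
 0002:00000040       g_state_table

Program entry point at 0001:00001234
"""

# ASSUMED RVA of each map segment inside the loaded image. A real tool reads
# these from the PE section headers; the map itself does not contain them.
SEGMENT_RVAS = {1: 0x1000, 2: 0x14000}

# One symbol line: "SSSS:OOOOOOOO  name" (4 hex segment digits, 8 hex offset digits).
_SYMBOL_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")


def parse_map(text: str) -> List[Tuple[int, int, str]]:
    """Return (segment, offset, name) for each entry after the 'Publics by Value' header."""
    symbols = []
    in_publics = False
    for line in text.splitlines():
        if "Publics by Value" in line:
            in_publics = True      # everything before this is the segment table
            continue
        if not in_publics:
            continue
        m = _SYMBOL_RE.match(line)
        if m:                      # non-matching lines (blank, entry point) are skipped
            symbols.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return symbols


def rebase(symbols: List[Tuple[int, int, str]], base: int,
           segment_rvas: Dict[int, int]) -> Dict[str, int]:
    """Map each name to its absolute address: module base + segment RVA + offset."""
    addresses = {}
    for seg, off, name in symbols:
        if seg not in segment_rvas:
            continue               # unknown segment: skip rather than invent an address
        addresses[name] = base + segment_rvas[seg] + off
    return addresses
```

Because the rebase takes the module base as a parameter, the same map can be applied to whatever base the module actually loaded at in the current session.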
A couple of caveats to be aware of. First, you should reload symbol server symbols manually before importing your own (unless they overlap), because reloading removes all synthetic symbols. Second, if your symbols do overlap, !symport will be unable to override the symbol server symbols. If you'd rather use your own instead of the proper symbols, don't reload at all - just realize that you will be unable to do in-depth heap analysis without the symbols of unexported functions.
NOTE: My XP build VM is at home on my laptop, so only Vista binaries have been updated with this new functionality! I'll be adding XP binaries tonight or tomorrow, or you can build on your own. Good luck!