nihilus / detpdb Goto Github PK

Determina PDB plugin for IDA Pro

   by Alexander Sotirov <[email protected]>


This is a replacement for the IDA PDB plugin which significantly improves the
analysis of binaries with public debugging symbols. The distribution contains
source code under a BSD license and a binary for IDA Pro 5.0 and 5.1.


Compiling from source:

If you want to use the precompiled binary, skip to the next section. To compile
the plugin from source, you will need the following:

   GNU make from Cygwin
   Microsoft Visual C++ 2005
   Debugging Tools for Windows 6.7.5.0
   IDA Pro SDK 5.0 or 5.1

Edit the Makefile and set the IDASDK and DBGSDK variables. They need to point
to the directories containing the IDA SDK and the Debugging Tools for Windows
SDK. Make sure that the compiler is in your path and the INCLUDE and LIB
environment variables are set. Run make to compile the plugin.


Installation:

1) Make a backup copy of pdb.plw and pdb.p64 in your IDA plugins directory.

2) Copy plugin/plw/pdb.plw and plugin/p64/pdb.p64 to your IDA plugins
   directory, overwriting the existing files.

3) Copy detpdb.cfg to the IDA cfg directory.

3) Make sure that you have the latest versions of dbghelp.dll and symsrv.dll in
   your IDA directory. If they are older than 6.7.5.0, download the Debugging
   Tools for Windows from http://www.microsoft.com/whdc/devtools/debugging/
   and replace the files in the IDA directory with the latest versions.


Configuration:

The Determina PDB plugin uses the same method for finding symbol files as the
WinDbg debugger. By default, the plugin will search the current working
directory, followed by the symbol search path specified in the _NT_SYMBOL_PATH
and _NT_ALTERNATE_SYMBOL_PATH environmental variables.

The search path can also be specified by setting the DETPDB_SYMBOL_PATH option
in the detpdb.cfg configuration file.

For more information about the format of the symbol path and the environmental
variables, see the documentation included in the Debugging Tools for Windows.


Usage:

When loading a new file linked with debugging information, IDA will invoke
the Determina PDB plugin. If the corresponding symbol file is found in the
symbol path, the plugin will display the list of all available symbols and
their addresses. Press OK to load these symbols into the IDA database, or
Cancel to skip the symbol loading.

Once the IDA autoanalysis is finished, check the messages window for any
errors or warnings. You will probably see messages similar to:

   Name 'const GCObj::`vftable'' at 5A323BC0 is deleted...

These messages indicate that some names were deleted during the final analysis
pass. One solution is to disable the 'Make final analysis pass' options before
starting the analysis. A better alternative is to run the PDB plugin a second
time after the autoanalysis is finished, ensuring that the deleted names are
recreated.