add debug section to exe #10
A possible way to do this would be to store a kind of template debug section for both x86 and x64 targets and configure it as necessary on the fly before writing it to the dll/exe.
this seems to be the format for a debug directory entry
And this seems to be the format of the inner debug data.
Adding to this: Some of the executables I created a fake .pdb for with IDA labels have the Debug Directory stripped. In this case, it would need to be artificially added to the executable. At the same time, if a fake random PDB id is generated, it would have to be patched into the executable as well. P.S.: If you know any PE editors that let you add the Debug Directory on the fly, do let me know.
Sadly I don't know of any PE editors that expose that functionality. A possibly simple outcome would be to expand the executable's last section by a certain number of bytes or add a new section at the end of the executable.
I've sorted it out.
I planted it as I saw in most executables, at the end of .rdata section:
Size is always 0x1C bytes.
SizeOfData represents the whole block + null terminator. The RSDS section has to have the first 4 characters as 'RSDS', then GUID as the next 16 bytes, then Age as DWORD (01 00 00 00) and lastly the path to the pdb. I chose to use the pdb name directly, no path given. The GUID is also something random (well, a GUID I borrowed from another pdb). Once you've done all this, ONLY THEN open the executable in IDA and dump the fake .pdb. WHY? Because if you've done your work right, this will happen:
Instead of:
Notice how, without a Debug Directory, the symserv PDB id is 0. If you patch your executable beforehand, then FakePDB will read that information and use it when generating the PDB ;) I've opened a ticket here thinking it was an x64dbg issue not being able to load the .pdb. The x64dbg author mentioned in there that you can force the pdb to be loaded by editing the x32dbg/x64dbg .ini to force load the pdb. Might work without all the work I mentioned above.. to just load the .pdb in.. Thought it'd be interesting for you to read up on it :) BR,
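To make the layout described above concrete, here is an added Python example (not code from this thread or from FakePDB) that builds the RSDS blob and the 0x1C-byte debug directory entry, parses them back, checks that SizeOfData covers the whole block including the terminator, and derives the symbol-server id a debugger would request. The GUID, RVA and file offset are constructed sample values.

```python
import struct
import uuid

# From the PE spec: sizeof(IMAGE_DEBUG_DIRECTORY) is 0x1C, CodeView is type 2.
IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DEBUG_DIRECTORY_SIZE = 0x1C


def build_rsds(pdb_guid: uuid.UUID, age: int, pdb_name: str) -> bytes:
    """'RSDS' + 16-byte GUID (Windows little-endian field order) + DWORD Age
    + NUL-terminated PDB path (a bare file name is fine, as in the thread)."""
    return (b"RSDS" + pdb_guid.bytes_le + struct.pack("<I", age)
            + pdb_name.encode("ascii") + b"\x00")


def build_debug_directory(size_of_data: int, rva: int, file_offset: int) -> bytes:
    """IMAGE_DEBUG_DIRECTORY: Characteristics, TimeDateStamp, Major/MinorVersion,
    Type, SizeOfData (whole blob incl. NUL), AddressOfRawData, PointerToRawData."""
    return struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                       size_of_data, rva, file_offset)


def parse_rsds(blob: bytes) -> tuple:
    """Inverse of build_rsds; raises on anything that is not an RSDS record."""
    if len(blob) < 25 or blob[:4] != b"RSDS":
        raise ValueError("not a CodeView RSDS record")
    guid = uuid.UUID(bytes_le=blob[4:20])
    age = struct.unpack_from("<I", blob, 20)[0]
    path = blob[24:].split(b"\x00", 1)[0].decode("ascii")
    return guid, age, path


def check_entry(entry: bytes, blob: bytes) -> bool:
    """The entry must be 0x1C bytes, of CodeView type, and its SizeOfData must
    equal the whole block plus the NUL terminator."""
    if len(entry) != IMAGE_DEBUG_DIRECTORY_SIZE:
        return False
    fields = struct.unpack("<IIHHIIII", entry)
    return fields[4] == IMAGE_DEBUG_TYPE_CODEVIEW and fields[5] == len(blob)


def symsrv_key(guid: uuid.UUID, age: int) -> str:
    """Symbol-server id: GUID hex without dashes, upper case, then Age in hex;
    the debugger requests <pdbname>/<this id>/<pdbname> from the store."""
    return f"{guid.hex.upper()}{age:X}"


if __name__ == "__main__":
    # Constructed sample values; a real tool would use a fresh uuid.uuid4().
    g = uuid.UUID("12345678-1234-4abc-9def-0123456789ab")
    blob = build_rsds(g, 1, "sample.pdb")
    entry = build_debug_directory(len(blob), rva=0x2000, file_offset=0x800)
    print(parse_rsds(blob), check_entry(entry, blob), symsrv_key(g, 1))
```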
There is none but CFF Explorer is scriptable, here's a starting point:

```lua
-- CFF Explorer script: open the target and build a CodeView RSDS block
filename = GetOpenFile()
pehandle = OpenFile(filename)

local random = math.random

-- Random v4 UUID as text (currently unused; the record below uses raw bytes)
local function uuid()
  local template = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'
  return string.gsub(template, '[xy]', function (c)
    local v = (c == 'x') and random(0, 0xf) or random(8, 0xb)
    return string.format('%x', v)
  end)
end

math.randomseed(os.time())

-- Random byte string of the given length (used for the 16-byte GUID)
function string.random(length)
  local randomString = ''
  for i = 1, length do
    randomString = randomString .. string.char(math.random(0, 255))
  end
  return randomString
end

-- "RSDS" + 16-byte GUID + Age (DWORD 1) + pdb name + NUL terminator
data = "RSDS" .. string.random(16) .. string.char(1, 0, 0, 0)
       .. "executablenamebuffer.pdb" .. string.char(0)

-- Place the block in a new section; the debug directory entry pointing at it
-- (0x1C bytes, SizeOfData = #data) still has to be written separately
AddSectionWithData(pehandle, data, ".debug", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_CNT_INITIALIZED_DATA)
```
As this page points out: https://lordjeb.com/2023/03/10/how-the-hell-things-work-how-windows-debugger-finds-symbols-for-your-code/ So if the module doesn't have a debug section, the debugger will look for the short GUID version. If you manually add a module pdb to your symbol store doing: If the tool doesn't. Then you can manually create it using a script. At any rate do:
It will show the search for the PDB and you'll see the problem if any.
referencing the newly created pdb.