Reputation: 1573
I'm currently trying to hook the SSL write function of Chromium, but I have some difficulty finding where I should hook.
Currently, I inject my DLL by using RtlCreateUserThread, allocating the DLL path and making the target process load it. Then the DLL will locate the targeted function by GetProcAddress, followed by the usual you-know-overwriting-5-bytes-with-a-jmp-instruction. I've succeeded in doing it with Firefox, but I have trouble with Chrome, as it seems to use NSS/OpenSSL according to the source code of Chromium (I see two implementations of SSLSocket in the repo, but can't see which one is used in the binary).
Thanks in advance.
Upvotes: 0
Views: 1647
Reputation: 416
Sorry to be the bearer of bad news, but there really isn't a simple way to do this.
The simplest way I've found to do this is to use the Chromium Symbol server, which is located at:
http://chromium-browser-symsrv.commondatastorage.googleapis.com
The caveat is that the symbols seem to be missing for the release version of Chrome on 64 bit windows. At least I've had little luck getting them.
In the general case you can follow some of the instructions below to get a good collection of symbols pre-loaded into your local cache.
In order to use the symbol server functionality with IDA pro, you have to do a few things.
First, you have to install the Windows Debugging Tools. (The Windows 8.1 DDK is a good bet for these and is freely available from Microsoft.) It includes the DLL that allows simple communication with the symbol servers.
Second, you need to add a global system environment variable as below: _NT_SYMBOL_PATH=srv*c:\pdb_cache*msdl.microsoft.com/download/symbols;srv*c:\pdb_cache*http://chromium-browser-symsrv.commondatastorage.googleapis.com
What this does is set up a symbol path and an associated local cache for the storage of symbols.
Third, you can use the following command line to use a tool that ships with the WDK 8.1 and pulls the symbols:
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)\Google" /s symsrv*C:\pdb_cache\*http://chromium-browser-symsrv.commondatastorage.googleapis.com/
The above should force the symbols to load into the local symbol cache, and you can select them (IDA may do this automatically, or it may not). If it doesn't, you can manually select the symbol file once WinDbg/symchk downloads it.
At least that's the theory according to: http://www.chromium.org/developers/how-tos/debugging
I've had no luck getting the symbols to download correctly on the release version of Chromium. However, if you go to the http://chromium-browser-symsrv.commondatastorage.googleapis.com/ link, and examine the contents of the returned XML, you will note the "Truncated" flag is set. You can use the filter expression (it's an Amazon S3 Bucket). Digging around, there's even another symbol server at: http://chromium-browser-symbols.commondatastorage.googleapis.com/ It's quite old by the look of things, though.
I'll leave you with a script to pull all the symbols from my list of known symbol servers. It's useful to pre-load against anything on the system that you might need to debug. :-). I've also noticed that no symbols download for the SysWOW64 subsystem on Windows 7 x64. If anyone else has any information about additional public symbol servers it would be welcome :-).
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols
StackOverflow won't let me use the http links, so just replace hxtp in your text editor with http and you're in business.
You can also use this string to set the path in your environment, if you like. Hope this helps, mate!
Set _NT_SYMBOL_PATH=symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols;symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox;symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com;symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols;symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols
Upvotes: 2
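A PowerShell version of the pre-load script from the answer above, added here as an example and not part of the original answer. It builds the `_NT_SYMBOL_PATH` string from the answer's server list using the `srv*cache*server` form, persists it, and runs the x86 or x64 symchk over each directory tree. The cache directory, the directory-to-bitness mapping and the WDK 8.1 install path are assumptions you may need to adjust.

```powershell
# Added example: build _NT_SYMBOL_PATH from the answer's public symbol servers
# and pre-fetch symbols with symchk. Cache dir and root list are assumptions.
$Cache   = 'C:\symbols'
$Servers = @(
    'http://msdl.microsoft.com/download/symbols',
    'http://symbols.mozilla.org/firefox',
    'http://chromium-browser-symsrv.commondatastorage.googleapis.com',
    'http://ctxsym.citrix.com/symbols',
    'http://developer.apple.com/internet/safari/windows_symbols'
)

# Symbol path syntax: one "srv*<local cache>*<server>" element per server,
# elements separated by ';'. Every server shares the same local cache.
$SymbolPath = ($Servers | ForEach-Object { "srv*$Cache*$_" }) -join ';'

# Persist for the current user so IDA/WinDbg see it on their next start,
# and set it for this session as well.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $SymbolPath, 'User')
$env:_NT_SYMBOL_PATH = $SymbolPath

# symchk ships with the Debugging Tools for Windows (WDK 8.1 path from the answer).
$Debuggers = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers'

# Each directory tree is scanned with the symchk build matching its binaries'
# bitness; C:\Windows holds both, so it is scanned twice (assumed mapping).
$Roots = @(
    @{ Path = 'C:\Program Files (x86)'; Arch = 'x86' },
    @{ Path = 'C:\Program Files';       Arch = 'x64' },
    @{ Path = 'C:\Windows';             Arch = 'x86' },
    @{ Path = 'C:\Windows';             Arch = 'x64' }
)

foreach ($r in $Roots) {
    $symchk = Join-Path $Debuggers "$($r.Arch)\symchk.exe"
    if (-not (Test-Path $symchk)) {
        Write-Warning "symchk not found at $symchk; install the Debugging Tools first"
        continue
    }
    foreach ($srv in $Servers) {
        # /r recurses the tree; /s names the symbol store (local cache + upstream server).
        Write-Host "symchk ($($r.Arch)) $($r.Path) <- $srv"
        & $symchk /r $r.Path /s "srv*$Cache*$srv"
    }
}
```

Running one server per symchk pass mirrors the answer's script; a single pass with the full `$SymbolPath` as the `/s` argument also works if you prefer fewer invocations.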