Login/Register
How does debugger know function names?
Asked Answered
Solved cwinapiassemblyollydbg
N

1

6

When I debug any program with debugger (for example OllyDbg), in disassembled assembly code, I can see function names, for example:

push 0
call msvcrt.exit

How does the debugger know the function names? Where do they come from? In machine code, it is represented as call address. So how debugger knows it?

Naturism answered 15/9, 2013 at 17:50 Comment(7)
There is information along with the executable that contains all that information.Jointless
A "binary", exe, elf, coff, etc are file formats that contain more than just the machine code, they also contain where in memory (real or virtual) to place the machine code and data, and some formats have options to include symbols, for example the names and addresses of functions and variables. Often when you see a .bin binary though that is purely machine code and data, one big blob (that magically someone has to know what address to write it to use it) and that wont normally contain symbols.Arita
If you dont compile and/or link with symbols (-g on gnu tools) then it wont put them there.Arita
Modern platforms have some notion or other of "dynamic linking" (either at load time or at runtime). This is necessarily done by name, and thus the names of the functions must be stored somewhere. A completely statically linked program does not necessarily need to contain any human-readable names.Burgoo
@Kerrek On Windows, exports are not mandated to have a name. They can be exported by ordinal just as well (see GetProcAddress for information).Elaineelam
@IInspectable: Ah, interesting - how is the mapping done? Is that stored in the .lib files?Burgoo
@Kerrek The ordinal is simply an index into the export table. Given the structure of the Portable Executable File Format I would assume that the ordinal is available from a .lib file as well (.lib files also use the PE file format). Debuggers, however, will usually map RVA's to symbols using .pdb's (see SymFromAddr). /EXPORT has information on exporting symbols by ordinal only.Elaineelam
R
4

Compilers generate "symbols" files, providing to debuggers a way to show the name of a symbol that corresponds to a particular address or an offset. This is highly system-dependent: for example, VS toolchain on Windows places these symbols in separate .pdb files, while on some UNIX flavors these debug symbols are embedded into the executable. EDIT : According to the comments, OllyDbg pulls symbols from the Import Address Table embedded in executable files.

When symbols are embedded into the executable, compiler vendors provide a tool to remove these symbols. For example, GNU provides the strip utility to work with their toolchain.

Reeducate answered 15/9, 2013 at 17:57 Comment(3)
The answer is not complete. OllyDbg also uses the symbols from the import table of the executable and obviously this is the case described in the question.Immersed
@Immersed OP used OllyDbg only as an example: see the title and the following text in the question: "(for example OllyDbg)" (emphasis is mine). I gather that if OP wanted to know the specifics of OllyDbg, he would have entitled his question differently - for example, "How does OllyDbg know function names?"Reeducate
It should be noted that symbols are placed in a .pdb file only if you're using an msvc toolchain. There are multiple C compilers on windows and they all handle debugging symbols differently. Also, the answer should at least mention how ollydbg is pulling symbols out of msvc runtime when there are no available pdb symbol file. Since pdb is not an open format, I doubt ollydbg can understand it unless the author did some serious hacking and reverse engineering on it.Stockdale

© 2022 - 2024 — McMap. All rights reserved.