6

When I debug any program with debugger (for example OllyDbg), in disassembled assembly code, I can see function names, for example:

push 0
call msvcrt.exit

How does the debugger know the function names? Where do they come from? In machine code, it is represented as call address. So how debugger knows it?

greatwolf
  • 20,287
  • 13
  • 71
  • 105
Smax Smaxović
  • 550
  • 2
  • 7
  • 17
  • 1
    There is information along with the executable that contains all that information. – Some programmer dude Sep 15 '13 at 17:55
  • A "binary", exe, elf, coff, etc are file formats that contain more than just the machine code, they also contain where in memory (real or virtual) to place the machine code and data, and some formats have options to include symbols, for example the names and addresses of functions and variables. Often when you see a .bin binary though that is purely machine code and data, one big blob (that magically someone has to know what address to write it to use it) and that wont normally contain symbols. – old_timer Sep 15 '13 at 18:00
  • If you dont compile and/or link with symbols (-g on gnu tools) then it wont put them there. – old_timer Sep 15 '13 at 18:00
  • Modern platforms have some notion or other of "dynamic linking" (either at load time or at runtime). This is necessarily done by *name*, and thus the names of the functions must be stored somewhere. A completely statically linked program does not necessarily need to contain any human-readable names. – Kerrek SB Sep 15 '13 at 19:20
  • @Kerrek On Windows, exports are not mandated to have a *name*. They can be exported by *ordinal* just as well (see [`GetProcAddress`](http://msdn.microsoft.com/en-us/library/windows/apps/ms683212.aspx) for information). – IInspectable Sep 15 '13 at 19:34
  • @IInspectable: Ah, interesting - how is the mapping done? Is that stored in the .lib files? – Kerrek SB Sep 15 '13 at 19:50
  • @Kerrek The ordinal is simply an index into the export table. Given the structure of the [Portable Executable File Format](http://msdn.microsoft.com/en-us/magazine/cc301808.aspx) I would assume that the ordinal is available from a .lib file as well (.lib files also use the PE file format). Debuggers, however, will usually map RVA's to symbols using .pdb's (see [`SymFromAddr`](http://msdn.microsoft.com/en-us/library/windows/desktop/ms681323.aspx)). [`/EXPORT`](http://msdn.microsoft.com/en-us/library/7k30y2k5.aspx) has information on exporting symbols by ordinal only. – IInspectable Sep 16 '13 at 13:05

1 Answers1

4

Compilers generate "symbols" files, providing to debuggers a way to show the name of a symbol that corresponds to a particular address or an offset. This is highly system-dependent: for example, VS toolchain on Windows places these symbols in separate .pdb files, while on some UNIX flavors these debug symbols are embedded into the executable. EDIT : According to the comments, OllyDbg pulls symbols from the Import Address Table embedded in executable files.

When symbols are embedded into the executable, compiler vendors provide a tool to remove these symbols. For example, GNU provides the strip utility to work with their toolchain.

Sergey Kalinichenko
  • 714,442
  • 84
  • 1,110
  • 1,523
  • 1
    The answer is not complete. OllyDbg also uses the symbols from the import table of the executable and obviously this is the case described in the question. – johnfound Sep 16 '13 at 04:13
  • 1
    @johnfound OP used OllyDbg only as an example: see the title and the following text in the question: "(**for example** OllyDbg)" (emphasis is mine). I gather that if OP wanted to know the specifics of OllyDbg, he would have entitled his question differently - for example, "How does OllyDbg know function names?" – Sergey Kalinichenko Sep 16 '13 at 13:02
  • It should be noted that symbols are placed in a .pdb file only if you're using an msvc toolchain. There are multiple C compilers on windows and they all handle debugging symbols differently. Also, the answer should at least mention how ollydbg is pulling symbols out of msvc runtime when there are no available pdb symbol file. Since pdb is not an open format, I doubt ollydbg can understand it unless the author did some serious hacking and reverse engineering on it. – greatwolf Sep 16 '13 at 14:51