Preface
Debugging symbols let a reverse engineer quickly locate the key positions when analyzing a program, and they also help in understanding the program's functions and code logic. They are a powerful tool for anyone doing dynamic analysis with WinDbg.
WinDbg symbol settings
The first step in using WinDbg is naturally to set the debugging symbol path and Microsoft's debugging symbol server.
- Set the symbol path and the debugging symbol server:
.sympath SRV*cache*https://msdl.microsoft.com/download/symbols
Here cache is the local symbol cache path, which you choose according to the disk space you actually have. For example, my cache path is D:\mysymbol, so the command above becomes
.sympath SRV*D:\mysymbol*https://msdl.microsoft.com/download/symbols
- Set the environment variable _NT_SYMBOL_PATH so that the symbol path set above is used automatically every time WinDbg is opened.
Set a proxy
Because the debugging symbol server is blocked, you need to go through a proxy to download the symbol files, and you want WinDbg to use that proxy automatically when it downloads symbols. This is set up as follows:
Set system environment variables
- Set an environment variable named _NT_SYMBOL_PROXY for the proxy.
- Set the SOCKS proxy port of your proxy client to match the one in the environment variable. Here it is 8080.
Execute in WinDbg
!sym noisy
.reload
- The first command displays detailed information about the symbol loading (downloading) process, so that the reason for a loading failure can be found.
- The second command reloads symbols. Optional parameters:
  - /d: reload all modules in the debugger's module list.
  - /i: ignore pdb file version mismatches. (Without this parameter the debugger will not load a mismatched symbol file.) When /i is used, /f is applied as well even if it is not given explicitly.
  - /f: force the debugger to load symbols immediately. This parameter overrides deferred (lazy) symbol loading.
  - /n: reload only kernel symbols. This parameter does not reload any user-mode symbols. (This option can only be used when debugging in kernel mode.)
  - /user: reload only user-mode symbols. (This option can only be used when debugging in kernel mode.)
  - /u Module: unload the specified module and all of its symbols. The debugger unloads any module whose name matches Module, regardless of its full path; the image name is also searched.
Normally, once the three steps above are complete, WinDbg downloads the debugging symbols from the Microsoft symbol server into the cache path and loads them automatically as the debugging session requires.
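As an added illustration (not part of the original post), the following Python shows where the files WinDbg fetches come from: a module's CodeView RSDS record (GUID, age and PDB name) determines the `<name>/<GUID><age>/<name>` path that is used both for the download URL and for the directory layout inside the SRV* cache. The RSDS bytes, GUID, age and PDB path below are constructed sample values.

```python
import struct
import uuid

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"

# Constructed sample, not taken from any real binary: a CodeView "RSDS" record as the
# linker stores it in the PE's IMAGE_DEBUG_DIRECTORY (type CODEVIEW). Layout:
#   b"RSDS" | 16-byte GUID in Windows little-endian field order | uint32 age | NUL-terminated PDB path
SAMPLE_GUID = uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301")
SAMPLE_AGE = 2
SAMPLE_RSDS = (b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", SAMPLE_AGE)
               + b"D:\\build\\release\\example.pdb\x00")


def parse_rsds(record):
    """Return (guid, age, pdb_path) from a CodeView RSDS record."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])      # bytes_le undoes the on-disk field order
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.index(b"\x00", 24)
    return guid, age, record[24:end].decode("utf-8", errors="replace")


def symbol_key(guid, age):
    """Symbol-store directory for a PDB: 32 upper-case GUID hex digits, then the age in hex."""
    return f"{guid.hex.upper()}{age:X}"


def symbol_relpath(pdb_path, guid, age):
    """<name>/<key>/<name>: the same relative path is used on the server and in the SRV* cache."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]   # only the file name matters, not the build path
    return f"{name}/{symbol_key(guid, age)}/{name}"


def symbol_url(record, server=SYMBOL_SERVER):
    """The HTTPGET path WinDbg requests for this module's PDB."""
    guid, age, pdb_path = parse_rsds(record)
    return f"{server}/{symbol_relpath(pdb_path, guid, age)}"


def cache_path(record, cache_root):
    """Where the file ends up under the cache root given in .sympath SRV*<cache>*..."""
    guid, age, pdb_path = parse_rsds(record)
    return cache_root.rstrip("\\/") + "\\" + symbol_relpath(pdb_path, guid, age).replace("/", "\\")


if __name__ == "__main__":
    print(symbol_url(SAMPLE_RSDS))
    print(cache_path(SAMPLE_RSDS, "D:\\mysymbol"))
```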
Unexpected situation
If you use a SOCKS5 proxy, the symbol files cannot be downloaded normally.
Solution:
First, copy the detailed output of the whole symbol loading process from the WinDbg command window into a text file named log.txt.
Then download the debugging symbols with the following script:
```python
#!/usr/bin/env python
from urllib.parse import urljoin
import os
import logging
import subprocess

LOG_LEVEL = logging.DEBUG
# Root of the symbol server; the HTTPGET paths in log.txt are relative to it.
MAIN_URL = 'https://msdl.microsoft.com/'


def download_file_by_curl(url, relpath):
    """Download url with curl into the directory part of relpath (a symbol-store
    relative path such as ntdll.pdb/<GUID><age>/ntdll.pdb), creating that directory
    if needed. curl -O keeps the remote file name, so the file lands exactly where
    WinDbg expects it inside the cache tree."""
    newpath = os.path.dirname(relpath)
    if newpath != '':
        logging.info(newpath)
        os.makedirs(newpath, exist_ok=True)
    # Run curl in the target directory instead of chdir'ing back and forth. Passing an
    # argument list (no shell) means characters in the URL are not interpreted by cmd.exe.
    subprocess.run(['curl', '-OL', url], cwd=newpath or None, check=False)


def main():
    filename = "log.txt"   # !sym noisy output copied from WinDbg
    with open(filename, 'r') as fp:
        content = fp.readlines()
    for rline in content:
        line = rline.strip()
        # Lines of interest look like (the amount of whitespace after "SYMSRV:" varies):
        #   SYMSRV: HTTPGET: /download/symbols/<name>.pdb/<GUID><age>/<name>.pdb
        if line.startswith('SYMSRV:') and 'HTTPGET:' in line:
            path = line.split('HTTPGET:', 1)[1].strip()
            url = urljoin(MAIN_URL, path)
            # Path relative to the symbol cache root (the directory this script is run from)
            pdb_name = path[len('/download/symbols/'):]
            logging.info("{} {}".format(url, pdb_name))
            download_file_by_curl(url, pdb_name)


if __name__ == '__main__':
    logging.basicConfig(
        format='%(asctime)s\tFile "%(filename)s",line %(lineno)s\t%(levelname)s: %(message)s',
        level=LOG_LEVEL)
    main()
```
Put the script in your symbol cache directory and run it there.
The script relies on the curl tool, so curl must be installed before running it.
Downloading curl
Curl official website: https://curl.haxx.se/windows/
Choose the version that matches your system. Mine is a 64-bit system, so I take the 64-bit build of the latest version.
Download and extract the archive. My extraction path is G:/tool/curl-7.81.0-win64-mingw/bin
Edit the user environment variable Path and add the entry G:/tool/curl-7.81.0-win64-mingw/bin
Run in cmd:
```
curl --version
curl 7.79.1 (Windows) libcurl/7.79.1 Schannel
Release-Date: 2021-09-22
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI UnixSockets
```
If a message like this appears, the installation was successful.