.sym (load pdb symbols)
Description of the '.sym' command in HyperDbg.

Command

.sym

Syntax

.sym [table]
.sym [reload] [pid ProcessId (hex)]
.sym [download]
.sym [load]
.sym [unload]
.sym [add] [base Address (hex)] [path Path (string)]

Description

Performs different tasks on symbols, such as building the symbol table, loading a specific PDB file, unloading all PDB files, downloading symbols, or reloading the table.
By default, the user-mode modules of the HyperDbg process itself are retrieved if you don't specify a Process Id. If you're debugging a process in the user-mode debugger, the user-mode modules of the debuggee are retrieved instead.

Parameters

[table]
Shows the current symbol table and status of loaded module and symbol paths.
[load]
Loads and parses PDB files based on the previously built symbol table.
[unload]
Unloads all modules' PDB files.
[download]
Loads files from the local symbol path, or downloads them from the remote server if they are not available locally.
[reload]
Builds a new symbol table and loads files from the local symbol path; if they are not available locally, it will NOT download them.
[pid ProcessId (hex)]
The Process Id of the target process to get its user-mode modules.
[add]
Loads and parses a single PDB file manually, given the module's base address and the path of the PDB file.
[base Address (hex)]
The module's base address in memory.
[path Path (string)]
Module name or path of the module's PDB file.

Examples

If you want to see the symbol table based on the target machine's loaded modules, you should use the following command.
HyperDbg> .sym table
is pdb details available? : true
is pdb a path instead of module name? : true
base address : 7ff7f6230000
file path : \\vmware-host\Shared Folders\build\debug\hyperdbg-cli.exe
guid and age : 07a111d3a879428482084e11155fb3d51
module symbol path/name : C:\Users\Sina\Desktop\HyperDbg\HyperDbg\hyperdbg\build\debug\hyperdbg-cli.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : 7ffd88d50000
file path : C:\Windows\SYSTEM32\ntdll.dll
guid and age : 1eb9facb04c73c5dea7160764cd333d01
module symbol path/name : ntdll.pdb
========================================================================
...

is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff80222200000
file path : c:\windows\system32\ntoskrnl.exe
guid and age : fc57f1c841c2c3f793d57ac134dc0efa1
module symbol path/name : ntkrnlmp.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214d0000
file path : c:\windows\system32\hal.dll
guid and age : 0f693cebb815cf80a5d486d10b730ba71
module symbol path/name : hal.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214e0000
file path : c:\windows\system32\kd.dll
guid and age : 9f02d75f803aca5d66dd256ed464d8ce1
module symbol path/name : kd.pdb
========================================================================

...
If you want to rebuild the symbol table and load all the symbols from the local symbol path (and NOT download them), use the following command.
HyperDbg> .sym reload
interpreting symbols and creating symbol maps
symbol table updated successfully
If you want to rebuild the symbol table based on the user-mode modules of a process with Process Id equal to 1240, use the following command.
HyperDbg> .sym reload pid 1240
interpreting symbols and creating symbol maps
symbol table updated successfully
If you want to load all the symbols from the local symbol path and download any that are not available locally from the remote symbol server (e.g., Microsoft Symbol Server), use the following command.
HyperDbg> .sym download
downloading symbol 'ntdll.pdb'... downloaded
downloading symbol 'win32u.pdb'... downloaded
downloading symbol 'kd.pdb'... downloaded
downloading symbol 'mcupdate_GenuineIntel.pdb'... downloaded
downloading symbol 'clfs.pdb'... downloaded
downloading symbol 'tm.pdb'... downloaded
downloading symbol 'pshed.pdb'... downloaded
downloading symbol 'bootvid.pdb'... downloaded
downloading symbol 'fltMgr.pdb'... downloaded
downloading symbol 'msrpc.pdb'... downloaded
downloading symbol 'ksecdd.pdb'... downloaded
downloading symbol 'clipsp.pdb'... downloaded
downloading symbol 'cmimcext.pdb'... downloaded
downloading symbol 'WerKernel.pdb'... downloaded
downloading symbol 'ntosext.pdb'... downloaded
downloading symbol 'ci.pdb'... downloaded
downloading symbol 'cng.pdb'... downloaded
downloading symbol 'Wdf01000.pdb'... downloaded
downloading symbol 'wdfldr.pdb'... downloaded
downloading symbol 'wpprecorder.pdb'... downloaded
downloading symbol 'SleepStudyHelper.pdb'... downloaded
downloading symbol 'acpiex.pdb'... downloaded
downloading symbol 'mssecflt.pdb'... downloaded
downloading symbol 'SgrmAgent.pdb'... downloaded
downloading symbol 'acpi.pdb'... downloaded
downloading symbol 'wmilib.pdb'... downloaded
downloading symbol 'intelpep.pdb'... downloaded
downloading symbol 'WindowsTrustedRT.pdb'...

...
If you want to load symbols from disk (without downloading them and without rebuilding the symbol table), use the following command. Unlike .sym reload, this command won't continue the debuggee in Debugger Mode, because it doesn't rebuild the symbol table.
HyperDbg> .sym load
loading symbol 'c:\Symbols\ntkrnlmp.pdb\1b4a6f5e0766c552c90710c8acc0295c1\ntkrnlmp.pdb'... loaded
loading symbol 'c:\Symbols\hal.pdb\0f693cebb815cf80a5d486d10b730ba71\hal.pdb'... loaded
loading symbol 'c:\Symbols\pshed.pdb\bebb43bee110c16e1f5490cc2a9b1b0b1\pshed.pdb'... loaded
loading symbol 'c:\Symbols\bootvid.pdb\faa603378fa9782971c12ac2656aefa51\bootvid.pdb'... loaded
loading symbol 'c:\Symbols\fltMgr.pdb\41c0b82054675d3ad752bff86090eed51\fltMgr.pdb'... loaded
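The '.sym table' listing above carries everything needed to predict what '.sym load' will find on disk: for a module whose PDB is given by name, the '.sym load' output shows the file sitting at <local symbol path>\<pdb name>\<guid and age>\<pdb name> (compare hal.pdb's guid and age in the table with its path in the load output). The following Python script is an added example, not part of HyperDbg or this page: it parses a constructed '.sym table' excerpt into records, derives the expected local path for each PDB under an assumed symbol path of c:\Symbols, and reports which PDBs are absent locally, i.e. the ones '.sym reload' would not find and '.sym download' would have to fetch. The parser, record layout and helper names are all the example's own.

```python
"""Added example (not HyperDbg's own code): parse `.sym table` output and
work out where each module's PDB is expected in the local symbol store."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class SymbolEntry:
    details_available: bool   # "is pdb details available?"
    pdb_is_path: bool         # "is pdb a path instead of module name?"
    base_address: int         # "base address" (printed as hex)
    file_path: str            # "file path"
    guid_and_age: str         # "guid and age" (32 hex GUID digits + age)
    symbol: str               # "module symbol path/name"


# Constructed sample, trimmed from the `.sym table` listing shown on this page.
SAMPLE_TABLE = r"""
is pdb details available? : true
is pdb a path instead of module name? : true
base address : 7ff7f6230000
file path : \\vmware-host\Shared Folders\build\debug\hyperdbg-cli.exe
guid and age : 07a111d3a879428482084e11155fb3d51
module symbol path/name : C:\Users\Sina\Desktop\HyperDbg\HyperDbg\hyperdbg\build\debug\hyperdbg-cli.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : 7ffd88d50000
file path : C:\Windows\SYSTEM32\ntdll.dll
guid and age : 1eb9facb04c73c5dea7160764cd333d01
module symbol path/name : ntdll.pdb
========================================================================
...
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff80222200000
file path : c:\windows\system32\ntoskrnl.exe
guid and age : fc57f1c841c2c3f793d57ac134dc0efa1
module symbol path/name : ntkrnlmp.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214d0000
file path : c:\windows\system32\hal.dll
guid and age : 0f693cebb815cf80a5d486d10b730ba71
module symbol path/name : hal.pdb
========================================================================
"""

_GUID_AGE_RE = re.compile(r"^[0-9a-fA-F]{32}[0-9a-fA-F]{1,8}$")
_SEPARATOR = "====="


def _to_entry(fields: dict) -> SymbolEntry:
    details = fields.get("is pdb details available?") == "true"
    guid_age = fields.get("guid and age", "")
    # Only validate the GUID/age when the table claims PDB details are present.
    if details and not _GUID_AGE_RE.match(guid_age):
        raise ValueError(f"malformed guid/age: {guid_age!r}")
    return SymbolEntry(
        details_available=details,
        pdb_is_path=fields.get("is pdb a path instead of module name?") == "true",
        base_address=int(fields.get("base address", "0"), 16),
        file_path=fields.get("file path", ""),
        guid_and_age=guid_age,
        symbol=fields.get("module symbol path/name", ""),
    )


def parse_sym_table(text: str) -> List[SymbolEntry]:
    """Split the listing on its '=====' separators and collect one record each."""
    entries: List[SymbolEntry] = []
    fields: dict = {}
    for line in text.splitlines():
        if line.startswith(_SEPARATOR):
            if fields:
                entries.append(_to_entry(fields))
            fields = {}
            continue
        # Split on the first " : " so drive letters such as "C:\..." stay intact;
        # lines without that delimiter (e.g. "...") are skipped.
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    if fields:  # listing not terminated by a separator
        entries.append(_to_entry(fields))
    return entries


def expected_symbol_path(entry: SymbolEntry, sympath: str) -> str:
    """Explicit PDB path from the table, or the <sympath>\\<pdb>\\<guid+age>\\<pdb>
    layout that the `.sym load` output on this page shows."""
    if entry.pdb_is_path:
        return entry.symbol
    return "\\".join([sympath.rstrip("\\"), entry.symbol, entry.guid_and_age, entry.symbol])


def missing_symbols(entries: List[SymbolEntry], sympath: str,
                    exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Return (pdb, expected path) for every entry whose PDB is not present locally."""
    missing = []
    for e in entries:
        if not e.details_available:
            continue
        path = expected_symbol_path(e, sympath)
        if not exists(path):
            missing.append((e.symbol, path))
    return missing


if __name__ == "__main__":
    table = parse_sym_table(SAMPLE_TABLE)
    for e in table:
        print(f"{e.base_address:016x}  {e.symbol}")
    for name, path in missing_symbols(table, r"c:\Symbols"):
        print("not in local store:", name, "->", path)
```

Pass a different `exists` callable to `missing_symbols` when the symbol store lives on another machine, which is the situation the Remarks describe for a '.listen' connection: the path is only meaningful where the symbol server is actually reachable.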
If you want to add a PDB file manually, use the following command.
HyperDbg> .sym add base fffff8077356000 path c:\Symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb
loading module symbol at 'c:\symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb'
If you want to unload all modules' symbols, use the following command.
HyperDbg> .sym unload

IOCTL

None

Remarks

To use most of the functionalities of this command, you should first set the local symbol path and the remote symbol server using the '.sympath' command.
In a remote connection, when you're connected to the debuggee using the '.listen' command, the symbol server path refers to the remote computer, and that is where it will be accessed.
If you use .sym reload, the debuggee is resumed for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None