DownloadResearchTutorialhwdbg

.sym (load pdb symbols)

Description of the '.sym' command in HyperDbg.

Command

.sym

Syntax

.sym [table]

.sym [reload] [pid ProcessId (hex)]

.sym [download]

.sym [load]

.sym [unload]

.sym [add] [base Address (hex)] [path Path (string)]

Description

Performs different tasks on symbols like building the symbol table or loading a special PDB file, or unloading all PDB files, or downloading or reloading.

By default, user-mode modules of the HyperDbg process are retrieved if you don't specify the Process Id. If you're debugging a process in the user-mode debugger, the user-mode modules of the debuggee are retrieved.

Parameters

[table]

Shows the current symbol table and status of loaded module and symbol paths.

[load]

Loads and parses PDB files based on the previously built symbol table.

[unload]

Unloads all modules PDB files.

[download]

Loads files from the local symbol path or if not available then download them from the remote server.

[reload]

Builds a new symbol table and loads files from the local symbol path or if not available, then WILL NOT download them.

[pid ProcessId (hex)]

The Process Id of the target process to get its user-mode modules.

[add]

Loads and parses a PDB file manually based on the base address and path of the PDB file.

[base Address (hex)]

The module's base address on the memory.

[path Path (string)]

Module name or path of the module's PDB file.

Examples

If you want to see the symbol table based on the target machine's loaded modules, you should use the following command.

HyperDbg> .sym table
is pdb details available? : true
is pdb a path instead of module name? : true
base address : 7ff7f6230000
file path : \\vmware-host\Shared Folders\build\debug\hyperdbg-cli.exe
guid and age : 07a111d3a879428482084e11155fb3d51
module symbol path/name : C:\Users\Sina\Desktop\HyperDbg\HyperDbg\hyperdbg\build\debug\hyperdbg-cli.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : 7ffd88d50000
file path : C:\Windows\SYSTEM32\ntdll.dll
guid and age : 1eb9facb04c73c5dea7160764cd333d01
module symbol path/name : ntdll.pdb
========================================================================
...

is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff80222200000
file path : c:\windows\system32\ntoskrnl.exe
guid and age : fc57f1c841c2c3f793d57ac134dc0efa1
module symbol path/name : ntkrnlmp.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214d0000
file path : c:\windows\system32\hal.dll
guid and age : 0f693cebb815cf80a5d486d10b730ba71
module symbol path/name : hal.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214e0000
file path : c:\windows\system32\kd.dll
guid and age : 9f02d75f803aca5d66dd256ed464d8ce1
module symbol path/name : kd.pdb
========================================================================

...

If you want to update the symbol table and all the symbols from the local symbol path (and NOT download them), use the following command.

HyperDbg> .sym reload
interpreting symbols and creating symbol maps
symbol table updated successfully

If you want to update the symbol table based on user mode modules of a process with Process Id equal to 1240, use the following command.

HyperDbg> .sym reload pid 1240
interpreting symbols and creating symbol maps
symbol table updated successfully

If you want to load all the symbols from the local symbol path and if not available then, download them from the remote symbol server (e.g., Microsoft Symbol Server), use the following command.

HyperDbg> .sym download
downloading symbol 'ntdll.pdb'...    downloaded
downloading symbol 'win32u.pdb'...    downloaded
downloading symbol 'kd.pdb'...  downloaded
downloading symbol 'mcupdate_GenuineIntel.pdb'...       downloaded
downloading symbol 'clfs.pdb'...        downloaded
downloading symbol 'tm.pdb'...  downloaded
downloading symbol 'pshed.pdb'...       downloaded
downloading symbol 'bootvid.pdb'...     downloaded
downloading symbol 'fltMgr.pdb'...      downloaded
downloading symbol 'msrpc.pdb'...       downloaded
downloading symbol 'ksecdd.pdb'...      downloaded
downloading symbol 'clipsp.pdb'...      downloaded
downloading symbol 'cmimcext.pdb'...    downloaded
downloading symbol 'WerKernel.pdb'...   downloaded
downloading symbol 'ntosext.pdb'...     downloaded
downloading symbol 'ci.pdb'...  downloaded
downloading symbol 'cng.pdb'... downloaded
downloading symbol 'Wdf01000.pdb'...    downloaded
downloading symbol 'wdfldr.pdb'...      downloaded
downloading symbol 'wpprecorder.pdb'... downloaded
downloading symbol 'SleepStudyHelper.pdb'...    downloaded
downloading symbol 'acpiex.pdb'...      downloaded
downloading symbol 'mssecflt.pdb'...    downloaded
downloading symbol 'SgrmAgent.pdb'...   downloaded
downloading symbol 'acpi.pdb'...        downloaded
downloading symbol 'wmilib.pdb'...      downloaded
downloading symbol 'intelpep.pdb'...    downloaded
downloading symbol 'WindowsTrustedRT.pdb'...

...

If you want to load symbols from the disk (and NOT Download or NOT rebuild the symbol table), you should use the following command. Unlike .sym reload, this command won't continue the debuggee in Debugger Mode as it won't rebuild the symbol table.

HyperDbg> .sym load
loading symbol 'c:\Symbols\ntkrnlmp.pdb\1b4a6f5e0766c552c90710c8acc0295c1\ntkrnlmp.pdb'...      loaded
loading symbol 'c:\Symbols\hal.pdb\0f693cebb815cf80a5d486d10b730ba71\hal.pdb'...        loaded
loading symbol 'c:\Symbols\pshed.pdb\bebb43bee110c16e1f5490cc2a9b1b0b1\pshed.pdb'...    loaded
loading symbol 'c:\Symbols\bootvid.pdb\faa603378fa9782971c12ac2656aefa51\bootvid.pdb'...        loaded
loading symbol 'c:\Symbols\fltMgr.pdb\41c0b82054675d3ad752bff86090eed51\fltMgr.pdb'...  loaded

If you want to add a PDB file manually, use the following command.

HyperDbg> .sym add base fffff8077356000 path c:\Symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb
loading module symbol at 'c:\symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb'

If you want to unload all modules' symbols, use the following command.

HyperDbg> .sym unload

IOCTL

None

Remarks

In order to use most of the functionalities from this command, you should adjust the local symbol path and remote symbol server using the '.sympath' command.

In remote connection when you're connected to the debuggee using the '.listen' command, the symbol server should be located (and it will be accessed) in the remote computer.

If you use .sym reload then it will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Related

.sympath (set the symbol server)

Previous.sympath (set the symbol server)Next.pe (parse PE file)

Last updated