Forcing WinDbg to load symbols of an unloaded module

Tags:

windbg

I'm debugging a module for which I have only the .exe and a .pdb without private symbols.
During the debug session I need to inspect an internal struct. Obviously this struct does not appear in the PDB since it's private, but fortunately I have an .h file where this struct is defined. Therefore I can build some dummy module that uses this struct and obtain a PDB file that contains this struct.

Now I have an unloaded module with the struct symbols, and I would like to load its symbols in order to cast some memory to that struct (without unloading the original .exe I'm debugging, of course).
The problem: it seems that WinDbg only allows loading symbols for loaded modules...

My question is: is there a simple way I could load my symbols from the unloaded module?

I've tried .reload /i /f MyDll.dll but I always get ...MyDll.dll - unmatched.
Setting the sympath did not help.

Any ideas?

asked Jun 11 '12 11:06 by Amir Gonnen



2 Answers

A better way is .reload /unl MyDll.dll

The unloaded module list contains a timestamp (for image/PDB matching) and the image base address. Using /unl tells WinDbg to use that information.

answered Oct 15 '22 02:10 by Codeguard


You can force WinDbg to load symbols at a specific address, e.g.

0:000> .reload /f /i MyDll.dll=77777777
    c:\sym\MyDll.pdb - unmatched
0:000> lm
start             end                 module name
00000000`55555555 00000000`55555555   notepad    (no symbols)
00000000`77530000 00000000`7762a000   USER32     (deferred)
00000000`77777777 00000000`77777777   MyDll_77777777   (private pdb symbols)  c:\sym\MyDll.pdb

The unmatched warning here is because WinDbg cannot tell that the symbols match the correct version of the module, since it can find no timestamp or checksum.

answered Oct 15 '22 03:10 by John
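The asker's first step, building a dummy module whose PDB carries the private struct, is the part both answers take for granted. The following is an added example, not code from the question or either answer: a minimal dummy module source in C. The struct `InternalCtx`, the function names and the constructed sample values are all hypothetical stand-ins; in practice you would #include the real .h file instead of declaring the struct here. The one detail that matters is the global instance of the type: the compiler only emits a type's layout into the PDB when something references it, so an unused typedef may not be enough.

```c
/* Added example (not from the page): a dummy module that exists only to get
 * a private struct definition into a PDB. The struct is a hypothetical
 * stand-in for the one in the asker's header file. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#define DUMMY_EXPORT __declspec(dllexport)
#else
#define DUMMY_EXPORT /* non-Windows build: no export decoration needed */
#endif

/* Hypothetical layout standing in for the real private struct. */
struct InternalCtx {
    uint32_t magic;   /* tag value, constructed for this example */
    uint32_t flags;
    uint64_t length;  /* size of the buffer pointed to below */
    void    *buffer;
};

/* A global instance forces the compiler to reference the type, so its full
 * layout is written into the module's PDB and "dt" can display it later. */
DUMMY_EXPORT struct InternalCtx g_dummy_ctx;

/* Overlay the struct on arbitrary memory and read one field. This mirrors what
 * "dt dummy!InternalCtx <address>" does in the debugger once the symbols load. */
DUMMY_EXPORT uint32_t internal_ctx_magic(const void *mem)
{
    struct InternalCtx ctx;
    memcpy(&ctx, mem, sizeof ctx); /* memcpy: no alignment assumption on mem */
    return ctx.magic;
}

DUMMY_EXPORT uint64_t internal_ctx_length(const void *mem)
{
    struct InternalCtx ctx;
    memcpy(&ctx, mem, sizeof ctx);
    return ctx.length;
}

DUMMY_EXPORT size_t internal_ctx_size(void)
{
    return sizeof(struct InternalCtx);
}

/* Fill a struct with constructed sample values so the overlay can be checked
 * offline without a debugger. */
DUMMY_EXPORT void internal_ctx_sample(struct InternalCtx *out)
{
    memset(out, 0, sizeof *out);
    out->magic  = 0x43545843u; /* constructed: ASCII 'CTXC' */
    out->flags  = 0x1u;
    out->length = 64;
    out->buffer = NULL;
}
```

On Windows, compiling with `cl /Zi /LD dummy.c` yields dummy.dll and dummy.pdb. With the PDB on the symbol path, the accepted answer's `.reload /unl dummy.dll` (or the second answer's `.reload /f /i dummy.dll=<address>` form, which produces the same "unmatched" notice for the same reason) makes the type available, after which `dt dummy!InternalCtx <address>` overlays the struct on the target's memory just as `internal_ctx_magic` does in code.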