.sym (load/reload/unload/download pdb symbols)

Description of '.sym' command in HyperDbg.

HyperDbg doesn't support symbols in "Debugger Mode", please do not use symbols in remote serial debugging for now. It will be available soon!

Command

.sym

Syntax

.sym [table | reload | load | unload | download] [base (hex address)] [path (string path to pdb)]

Description

Performs different tasks on symbols like building the symbol table or loading a special PDB file, or unloading all PDB files, or downloading or reloading.

table: builds and shows the current symbol table and status of loaded module and symbol paths.

load: loads and parses a PDB file based on the base address and path of the PDB file.

unload: unloads all modules PDB files.

download: builds a symbol table and loads files from the local symbol path or if not available, then downloads them from the remote server.

reload: builds a symbol table and loads files from the local symbol path or if not available, then WILL NOT download them.

Parameters

[table | reload | load | unload | download]

The action to be performed on symbols.

[base (hex address)]

The module's base address on the memory.

[path (string path to pdb)]

Module name or path of the module's PDB file.

Examples

If you want to build a symbol table based on the target machine's loaded modules, you should use the following command.

HyperDbg> .sym table
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff80222200000
file path : c:\windows\system32\ntoskrnl.exe
guid and age : fc57f1c841c2c3f793d57ac134dc0efa1
module symbol path/name : ntkrnlmp.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214d0000
file path : c:\windows\system32\hal.dll
guid and age : 0f693cebb815cf80a5d486d10b730ba71
module symbol path/name : hal.pdb
========================================================================
is pdb details available? : true
is pdb a path instead of module name? : false
base address : fffff802214e0000
file path : c:\windows\system32\kd.dll
guid and age : 9f02d75f803aca5d66dd256ed464d8ce1
module symbol path/name : kd.pdb
========================================================================
...

If you want to load all the symbols from the local symbol path (and NOT download them), use the following command.

HyperDbg> .sym reload
loading symbol 'c:\Symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb'... loaded
loading symbol 'c:\Symbols\hal.pdb\0f693cebb815cf80a5d486d10b730ba71\hal.pdb'... loaded
loading symbol 'c:\Symbols\kd.pdb\9f02d75f803aca5d66dd256ed464d8ce1\kd.pdb'... loaded
...

If you want to load all the symbols from the local symbol path and if not available then, download them from the remote symbol server (e.g., Microsoft Symbol Server), use the following command.

HyperDbg> .sym download
downloading symbol 'ntkrnlmp.pdb'... downloaded
downloading symbol 'kd.pdb'... downloaded
downloading symbol 'mcupdate_GenuineIntel.pdb'... downloaded
downloading symbol 'clfs.pdb'... downloaded
downloading symbol 'tm.pdb'... downloaded
downloading symbol 'pshed.pdb'... downloaded
downloading symbol 'bootvid.pdb'... downloaded
downloading symbol 'fltMgr.pdb'... downloaded
downloading symbol 'msrpc.pdb'... downloaded
downloading symbol 'ksecdd.pdb'... downloaded
downloading symbol 'clipsp.pdb'... downloaded
downloading symbol 'cmimcext.pdb'... downloaded
downloading symbol 'WerKernel.pdb'... downloaded
downloading symbol 'ntosext.pdb'... downloaded
downloading symbol 'ci.pdb'... downloaded
downloading symbol 'cng.pdb'... downloaded
downloading symbol 'Wdf01000.pdb'... downloaded
downloading symbol 'wdfldr.pdb'... downloaded
downloading symbol 'wpprecorder.pdb'... downloaded
downloading symbol 'SleepStudyHelper.pdb'... downloaded
downloading symbol 'acpiex.pdb'... downloaded
downloading symbol 'mssecflt.pdb'... downloaded
downloading symbol 'SgrmAgent.pdb'... downloaded
downloading symbol 'acpi.pdb'... downloaded
downloading symbol 'wmilib.pdb'... downloaded
downloading symbol 'intelpep.pdb'... downloaded
downloading symbol 'WindowsTrustedRT.pdb'...
...

If you want to load a PDB file manually, use the following command.

HyperDbg> .sym load base fffff8077356000 path c:\Symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb
loading module symbol at 'c:\symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb'

If you want to unload all modules' symbols, use the following command.

HyperDbg> .sym unload

IOCTL

None

Remarks

In order to use most of the functionalities from this command, you should adjust the local symbol path and remote symbol server using the '.sympath' command.

Requirements

None

.sympath (set the symbol server)