
Adding pdb support to memory mapped modules (With solution) #57

Open
CycloneRing opened this issue Nov 16, 2024 · 3 comments

Comments

@CycloneRing

Hi @bb107
It would be great if you could add support for loading pdb debug symbols for memory-loaded modules.
It doesn't require a driver to do so. Here's how you can implement it:
https://github.com/ionescu007/HookingNirvana/blob/master/instrument/main.c

Basically a few more hooks.

@bb107
Owner

bb107 commented Nov 19, 2024

Hello, the example you provided only shows a method to set a system call callback (or a Hook), and does not show how to let the debugger load symbols for the DLL.

However, I have experimented with x64dbg and Visual Studio and summarized the methods that can make them load symbols.

For x64dbg, you can use the "Add Virtual Module" function it provides. First, correctly copy the pdb symbol file of the module that needs to be loaded into the symbol directory of x64dbg (pay attention to the directory structure). Then find the first address of the module loaded in memory on the "Memory Graph" page, right-click and select "Add Virtual Module", and enter the correct dll file name (matching the pdb file name). After completing these, you can see the virtual module and symbol information just added on the "Symbol" page. Note that if the memory module is modified, the pdb file must be copied to the symbol directory of x64dbg synchronously.

For Visual Studio, it needs to be done through the driver. I just passed the test on Windows 10 LTSC/Visual Studio 2019. This method can achieve source code level debugging, but there will be some problems during debugging (breakpoints do not work/single stepping over rep or call instructions cannot stop before the next instruction).
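Helper for the x64dbg step above, added here as an example that is not part of this issue or of bb107's project: it parses the CodeView "RSDS" record a PE carries in its debug directory (PDB GUID, age and path) and derives the symbol-store relative path under which the .pdb has to be copied so a debugger matches it to the module. The sample RSDS record and module image are constructed, and the assumption that x64dbg's symbol directory follows the standard symbol-store layout (`name.pdb\GUID+Age\name.pdb`) is mine.

```python
import struct
import sys
import uuid
from pathlib import PureWindowsPath

RSDS_MAGIC = b"RSDS"


def parse_rsds(record: bytes):
    """Parse a CodeView RSDS (PDB 7.0) record: 'RSDS' + GUID(16) + Age(4) + path + NUL."""
    if len(record) < 24 or record[:4] != RSDS_MAGIC:
        raise ValueError("not an RSDS record")
    # The GUID is stored in Windows little-endian field order; bytes_le undoes that.
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\0", 24)
    if end < 0:
        raise ValueError("unterminated PDB path")
    path = record[24:end].decode("utf-8")
    return guid, age, path


def symstore_relpath(guid: uuid.UUID, age: int, pdb_path: str) -> str:
    """Symbol-store layout (assumed for x64dbg): <name>\\<GUID hex upper><Age hex>\\<name>."""
    name = PureWindowsPath(pdb_path).name
    signature = guid.hex.upper() + format(age, "X")
    return "\\".join([name, signature, name])


def find_rsds_records(image: bytes):
    """Scan a dumped module image for RSDS records; skips signature hits that do not parse."""
    found, pos = [], image.find(RSDS_MAGIC)
    while pos != -1:
        try:
            found.append(parse_rsds(image[pos:pos + 24 + 260]))
        except (ValueError, UnicodeDecodeError):
            pass
        pos = image.find(RSDS_MAGIC, pos + 1)
    return found


# Constructed sample: a fake RSDS record embedded in a stand-in for a dumped module image.
SAMPLE_GUID = uuid.UUID("12345678-9abc-def0-1122-334455667788")
SAMPLE_RECORD = RSDS_MAGIC + SAMPLE_GUID.bytes_le + struct.pack("<I", 3) + b"C:\\build\\memmod.pdb\0"
SAMPLE_IMAGE = b"MZ" + b"\0" * 40 + SAMPLE_RECORD + b"\0" * 8

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for g, a, p in find_rsds_records(data):
        print(p, "->", symstore_relpath(g, a, p))
```

Run it against a dump of the memory-mapped module to get the exact subdirectory the .pdb must be placed in; if the module is rebuilt, the GUID/age changes and the file must be copied again, as noted above.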

@CycloneRing
Author

@bb107 Thanks for your response.
I had a funny behavior I think is worth mentioning. Before your push on init/shutdown, I used to load dlls from memory using dllname and path with the Ex method, and in debug it was showing the dll and all functions just like a normal dll and could be debugged in Visual Studio! I have no idea how, but it was happening; even if the app crashed, the information was provided on the memory-mapped dll.

Also there's a library called BoxedAppSDK which has a full PE loader that can load exe and dll directly from memory with PDB included, and everything happens in user mode. I have a full source code license; I will take a look and let you know if I figure out how they are doing it.

When you load a dll from memory using BoxedAppSDK it will show the dll just like a normal one in every debugger.

@bb107
Owner

bb107 commented Nov 20, 2024

This looks interesting, looking forward to your reply!
