Performs symbol-related tasks: building the symbol table, loading a specific PDB file, unloading all PDB files, downloading symbols, or reloading them.
By default, user-mode modules of the HyperDbg process are retrieved if you don't specify the Process Id. If you're debugging a process in the user-mode debugger, the user-mode modules of the debuggee are retrieved.
Parameters
[table]
Shows the current symbol table and status of loaded module and symbol paths.
[load]
Loads and parses PDB files based on the previously built symbol table.
[unload]
Unloads all modules' PDB files.
[download]
Loads files from the local symbol path, or downloads them from the remote symbol server if they are not available locally.
[reload]
Builds a new symbol table and loads files from the local symbol path; files that are not available locally are NOT downloaded.
[pid ProcessId (hex)]
The Process Id of the target process to get its user-mode modules.
[add]
Loads and parses a PDB file manually based on the base address and path of the PDB file.
[base Address (hex)]
The module's base address in memory.
[path Path (string)]
Module name or path of the module's PDB file.
Examples
If you want to see the symbol table based on the target machine's loaded modules, you should use the following command.
HyperDbg> .sym table
is pdb details available?:true
is pdb a path instead of module name?:true
base address : 7ff7f6230000
file path : \\vmware-host\Shared Folders\build\debug\hyperdbg-cli.exe
guid and age : 07a111d3a879428482084e11155fb3d51
module symbol path/name : C:\Users\Sina\Desktop\HyperDbg\HyperDbg\hyperdbg\build\debug\hyperdbg-cli.pdb
========================================================================
is pdb details available?:true
is pdb a path instead of module name?:false
base address : 7ffd88d50000
file path : C:\Windows\SYSTEM32\ntdll.dll
guid and age : 1eb9facb04c73c5dea7160764cd333d01
module symbol path/name : ntdll.pdb
========================================================================
...
is pdb details available?:true
is pdb a path instead of module name?:false
base address : fffff80222200000
file path : c:\windows\system32\ntoskrnl.exe
guid and age : fc57f1c841c2c3f793d57ac134dc0efa1
module symbol path/name : ntkrnlmp.pdb
========================================================================
is pdb details available?:true
is pdb a path instead of module name?:false
base address : fffff802214d0000
file path : c:\windows\system32\hal.dll
guid and age : 0f693cebb815cf80a5d486d10b730ba71
module symbol path/name : hal.pdb
========================================================================
is pdb details available?:true
is pdb a path instead of module name?:false
base address : fffff802214e0000
file path : c:\windows\system32\kd.dll
guid and age : 9f02d75f803aca5d66dd256ed464d8ce1
module symbol path/name : kd.pdb
========================================================================
...
If you want to update the symbol table and all the symbols from the local symbol path (and NOT download them), use the following command.
HyperDbg> .sym reload
interpreting symbols and creating symbol maps
symbol table updated successfully
If you want to update the symbol table based on user mode modules of a process with Process Id equal to 1240, use the following command.
HyperDbg> .sym reload pid 1240
interpreting symbols and creating symbol maps
symbol table updated successfully
If you want to load all the symbols from the local symbol path and, where they are not available locally, download them from the remote symbol server (e.g., Microsoft Symbol Server), use the following command.
HyperDbg> .sym download
downloading symbol 'ntdll.pdb'... downloaded
downloading symbol 'win32u.pdb'... downloaded
downloading symbol 'kd.pdb'... downloaded
downloading symbol 'mcupdate_GenuineIntel.pdb'... downloaded
downloading symbol 'clfs.pdb'... downloaded
downloading symbol 'tm.pdb'... downloaded
downloading symbol 'pshed.pdb'... downloaded
downloading symbol 'bootvid.pdb'... downloaded
downloading symbol 'fltMgr.pdb'... downloaded
downloading symbol 'msrpc.pdb'... downloaded
downloading symbol 'ksecdd.pdb'... downloaded
downloading symbol 'clipsp.pdb'... downloaded
downloading symbol 'cmimcext.pdb'... downloaded
downloading symbol 'WerKernel.pdb'... downloaded
downloading symbol 'ntosext.pdb'... downloaded
downloading symbol 'ci.pdb'... downloaded
downloading symbol 'cng.pdb'... downloaded
downloading symbol 'Wdf01000.pdb'... downloaded
downloading symbol 'wdfldr.pdb'... downloaded
downloading symbol 'wpprecorder.pdb'... downloaded
downloading symbol 'SleepStudyHelper.pdb'... downloaded
downloading symbol 'acpiex.pdb'... downloaded
downloading symbol 'mssecflt.pdb'... downloaded
downloading symbol 'SgrmAgent.pdb'... downloaded
downloading symbol 'acpi.pdb'... downloaded
downloading symbol 'wmilib.pdb'... downloaded
downloading symbol 'intelpep.pdb'... downloaded
downloading symbol 'WindowsTrustedRT.pdb'...
...
If you want to load symbols from the disk (without downloading anything or rebuilding the symbol table), use the following command. Unlike .sym reload, this command won't continue the debuggee in Debugger Mode, because it doesn't rebuild the symbol table.
HyperDbg> .sym load
loading symbol 'c:\Symbols\ntkrnlmp.pdb\1b4a6f5e0766c552c90710c8acc0295c1\ntkrnlmp.pdb'... loaded
loading symbol 'c:\Symbols\hal.pdb\0f693cebb815cf80a5d486d10b730ba71\hal.pdb'... loaded
loading symbol 'c:\Symbols\pshed.pdb\bebb43bee110c16e1f5490cc2a9b1b0b1\pshed.pdb'... loaded
loading symbol 'c:\Symbols\bootvid.pdb\faa603378fa9782971c12ac2656aefa51\bootvid.pdb'... loaded
loading symbol 'c:\Symbols\fltMgr.pdb\41c0b82054675d3ad752bff86090eed51\fltMgr.pdb'... loaded
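As an added example (not part of HyperDbg or of this page), the following Python parses the '.sym table' output shown above and derives, for each module, the '<sympath>\<pdb>\<guid+age>\<pdb>' location that the '.sym load' output shows being read, so you can check which PDBs are present locally before reloading. The sample table and the 'c:\Symbols' symbol path are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout printed by ".sym table" (not a live capture).
SAMPLE_TABLE = r"""
is pdb details available?:true
is pdb a path instead of module name?:false
base address : fffff80222200000
file path : c:\windows\system32\ntoskrnl.exe
guid and age : fc57f1c841c2c3f793d57ac134dc0efa1
module symbol path/name : ntkrnlmp.pdb
========================================================================
is pdb details available?:true
is pdb a path instead of module name?:true
base address : 7ff7f6230000
file path : c:\build\hyperdbg-cli.exe
guid and age : 07a111d3a879428482084e11155fb3d51
module symbol path/name : c:\build\hyperdbg-cli.pdb
========================================================================
"""
# A GUID (32 hex digits) immediately followed by the PDB age, as HyperDbg prints it.
GUID_AGE_RE = re.compile(r"^[0-9a-fA-F]{32}[0-9a-fA-F]+$")


def parse_sym_table(text):
    """Turn ".sym table" output into one dict per module; non 'key : value' lines (the '...' marker) are skipped."""
    modules = []
    for block in re.split(r"^=+$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "base address" in fields:
            modules.append({
                "base": int(fields["base address"], 16),
                "image": fields["file path"],
                "guid_age": fields["guid and age"],
                "pdb": fields["module symbol path/name"],
                "has_details": fields["is pdb details available?"] == "true",
                "pdb_is_path": fields["is pdb a path instead of module name?"] == "true",
            })
    return modules


def local_pdb_path(module, sympath=r"c:\Symbols"):
    r"""Where ".sym load" reads the PDB: <sympath>\<pdb>\<guid+age>\<pdb>; an explicit PDB path is used as-is."""
    if module["pdb_is_path"]:
        return module["pdb"]
    if not GUID_AGE_RE.match(module["guid_age"]):
        raise ValueError(f"malformed guid/age for {module['pdb']}: {module['guid_age']}")
    return str(PureWindowsPath(sympath, module["pdb"], module["guid_age"], module["pdb"]))
```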
If you want to add a PDB file manually, use the following command.
HyperDbg> .sym add base fffff8077356000 path c:\Symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb
loading module symbol at 'c:\symbols\ntkrnlmp.pdb\fc57f1c841c2c3f793d57ac134dc0efa1\ntkrnlmp.pdb'
If you want to unload all modules' symbols, use the following command.
HyperDbg> .sym unload
IOCTL
None
Remarks
In order to use most of the functionality of this command, you should first set the local symbol path and the remote symbol server using the '.sympath' command.
In a remote connection, when you're connected to the debuggee using the '.listen' command, the symbol server path refers to (and is accessed from) the remote computer.
If you use .sym reload, the debuggee continues running for some time (in Debugger Mode). This means you lose the current context (registers & memory) after executing this command.