Getting WinDbg to load a symbol table can be very troublesome. The symbol path has clearly been set, yet the breakpoint cannot be added. The problem covered here:
The symbol table cannot be loaded and the breakpoint cannot be triggered.
1. Check whether the symbol path (.sympath) is correct
kd> .sympath
Symbol search path is: srv * Signature
Expanded Symbol search path is: srv * Signature
In earlier attempts, we thought that the symbol path itself had a lot to do with the problem. But the entries in the path are simply searched in sequence; as long as the search finds the file, the position of an entry in the path makes no difference.
The difference between srv* and ; is that srv* looks the file up on a symbol server, while ; separates local paths. For a single machine the two are the same.
2. Use !lmi truecrypt to find the corresponding module information.
kd> !lmi truecrypt
Loaded Module Info: [truecrypt]
Module: truecrypt
Base Address: ee21b000
Image Name: truecrypt.sys
Machine Type: 332 (I386)
Time Stamp: 4d889673 Tue Mar 22 20:30:43 2011
Size: 4ef80
CheckSum: 55776
Characteristics: 102
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 5c, 43fc8, 43fc8 RSDS - GUID: {1B9489BA-E47D-4E48-89EB-D0CB60055F22}
Age: 1, Pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: EXPORT - PDB not found
Load Report: export symbols
"Symbol Type: EXPORT - PDB not found" means that the symbol table was not found.
Export: no symbol file was found, so the export information of the image file (such as a DLL's exports) is used as the symbols.
3. Check the loading details of the symbol table.
!sym noisy
With noisy mode on, WinDbg displays each symbol path it searches while loading a symbol file. This is not displayed by default. For example:
SYMSRV: unable to establish a connection with the server
SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
!sym quiet does not display the path:
SYMSRV: truecrypt.pdb not found
kd> !sym noisy
noisy mode - symbol prompts on
kd> .reload /f truecrypt.sys
SYMSRV: unable to establish a connection with the server
SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb - mismatched pdb
DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\sys\truecrypt.pdb - file not found
DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\symbols\sys\truecrypt.pdb - file not found
SYMSRV: unable to establish a connection with the server
SYMSRV: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb - mismatched pdb
DBGHELP: Couldn't load mismatched pdb for truecrypt.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for truecrypt.sys -
DBGHELP: truecrypt - export symbols
Note that the location of the symbol table is correct, but the result is mismatched pdb, so I deleted the contents of the debug directory, generated it again, and copied it to the virtual machine. The result was still the same: still mismatched pdb.
4. Comparison of module details
!itoldyouso tests the validity of a module against a symbol file. The module can be specified by either its name or base address. If a symbol file is not specified, then the loaded symbol is tested. Otherwise, if a pdb or dbg symbol file path is specified, it is tested against the loaded module.
kd> !itoldyouso truecrypt d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
truecrypt.sys
Timestamp: 4D889673
SizeOfImage: 4EF80
pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
pdb sig: 1B9489BA-E47D-4E48-89EB-D0CB60055F22
age: 1
truecrypt.pdb
pdb sig: 329A35FA-70B8-4A97-BB0E-99BA6342AB6A
age: 1
sig MISMATCH: truecrypt.pdb and truecrypt.sys
The signatures are different. The result shows that the driver loaded in my virtual machine is inconsistent with the symbol table that I regenerated. After checking, I found that the truecrypt.sys loaded when truecrypt.exe starts is not the one under C:\Windows\System32\Drivers but the one in the installation directory of truecrypt.exe. After replacing it, the symbol table loads successfully, as follows:
kd> !lmi truecrypt
Loaded Module Info: [truecrypt]
Module: truecrypt
Base Address: ee1ef000
Image Name: truecrypt.sys
Machine Type: 332 (I386)
Time Stamp: 4d8c8e61 Fri Mar 25 20:45:21 2011
Size: 4f180
CheckSum: 5b7fa
Characteristics: 102
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 5c, 44148, 44148 RSDS - GUID: {160409E4-8EFC-4412-B760-4E9BF8F1A05A}
Age: 1, Pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from symbol search path.
d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
Compiler: Resource - front end [0.0 bld 0] - back end [9.0 bld 30729]
Load Report: private symbols & lines, not source indexed
d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
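
The GUID and age comparison that !itoldyouso performs in step 4 can also be run offline against each copy of truecrypt.sys on disk, which shows which build a given file is before it is ever loaded. The Python below is an added example, not part of the original post: the function names are hypothetical, the byte scan for the RSDS record is a shortcut rather than a full PE debug-directory parse, and the sample image is constructed from the GUID, age and PDB path printed above.

```python
import ntpath
import struct
import uuid

def find_rsds(blob):
    """Return (guid, age, pdb_path) from the first CodeView RSDS record in blob.

    Shortcut: scans raw bytes instead of walking the PE debug directory.
    """
    pos = blob.find(b"RSDS")
    end = blob.find(b"\0", pos + 24) if pos != -1 else -1
    if end == -1:
        raise ValueError("no complete RSDS record found")
    guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])   # GUID is stored mixed-endian
    (age,) = struct.unpack_from("<I", blob, pos + 20)   # age is a little-endian DWORD
    return guid, age, blob[pos + 24:end].decode("ascii", "replace")

def symsrv_key(guid, age):
    """Directory name SYMSRV looks for: 32 hex digits of the GUID, then the age in hex."""
    return guid.hex.upper() + format(age, "X")

def symsrv_relpath(guid, age, pdb_path):
    """Path below a symbol store root: <name>.pdb, then the key, then <name>.pdb."""
    name = ntpath.basename(pdb_path)
    return "\\".join((name, symsrv_key(guid, age), name))

def verdict(image_blob, pdb_sig, pdb_age):
    """Compare the image's RSDS identity with a PDB's signature and age."""
    guid, age, _ = find_rsds(image_blob)
    return "MATCH" if (guid, age) == (uuid.UUID(pdb_sig), pdb_age) else "sig MISMATCH"

# Constructed sample: an RSDS record built from the values !lmi printed for the
# driver that was actually loaded, padded to stand in for a truecrypt.sys image.
PDB_PATH = r"d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb"
IMAGE_SIG = "1B9489BA-E47D-4E48-89EB-D0CB60055F22"
REBUILT_PDB_SIG = "329A35FA-70B8-4A97-BB0E-99BA6342AB6A"  # from !itoldyouso
SAMPLE_RECORD = (b"RSDS" + uuid.UUID(IMAGE_SIG).bytes_le + struct.pack("<I", 1)
                 + PDB_PATH.encode("ascii") + b"\0")
SAMPLE_IMAGE = b"\0" * 64 + SAMPLE_RECORD + b"\0" * 16

if __name__ == "__main__":
    guid, age, path = find_rsds(SAMPLE_IMAGE)
    print(symsrv_relpath(guid, age, path))
    print(verdict(SAMPLE_IMAGE, REBUILT_PDB_SIG, 1))
```

Reading the bytes of each on-disk truecrypt.sys into find_rsds and comparing the GUID with the one !lmi reports identifies which file is the build the debugger is seeing.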