A symbol file is a separate data file that holds annotations about the application code which are useful during debugging. Without it, the only information available is the application's binary, and a binary is hard to debug because the function names, data structure names and so on from your code are not visible. That is exactly what a symbol file supplies. On Windows the symbol file usually has the .pdb (Program Database) extension, a format the debugger can parse directly.
When the compiler and linker produce a binary image (EXE, DLL, SYS), they also emit an associated .dbg, .sym or .pdb file containing the symbolic information generated during compilation and linking; these are the symbol files. Specifically, the symbolic information includes:
- global variables;
- local variables;
- functions;
- variable and struct type definitions;
- source file paths and, for each symbol, the corresponding line number in the source file, which is the basis of source-level debugging.
The symbol file holds so much information that it is usually much larger than the binary (PE) file itself. Once the symbol path is set correctly, so that the debugger can match the debug target, its symbol files and its source files one to one, the debugger can be used to full effect.
There are two kinds of symbol files: private symbol files and public symbol files.
- Private symbol file: what most developers use in their daily work; it contains all the symbolic information needed in a debugging session (locals, types, line numbers and so on).
- Public symbol file: contains only a selected subset of the symbolic information, typically the names of functions and global variables; this is what Microsoft publishes on its symbol server.
Symbolic information belongs to a specific module, so the debugger only needs to load and parse a module's symbols once it actually uses that module.
To use symbols in the debugger we must first tell it where the symbol files are, that is, set the symbol path. A symbol path can be a local folder, an accessible UNC path, or a symbol server path.
Symbol server: a debugging session can involve thousands of symbol files, and the same module has different symbol file versions for different builds and platforms. Setting a symbol path for each of them by hand is unrealistic, so the concept of a symbol server was introduced. A symbol server stores files under a fixed naming rule (one directory per file name, containing one subdirectory per version, identified by the PDB's GUID and age or, for binaries, by timestamp and image size), so that debugging software can locate exactly the version it needs. Symbol servers are generally large, shared, and hosted on a remote machine. To reduce the cost of network access the concept of a symbol cache was added: files downloaded from the server are stored in a local cache; when the debugger needs a symbol file it looks in the cache first and only downloads from the server when the file is not there.
1. Set the symbol path
The syntax for setting the symbol path is:
.sympath [+] [path]
To replace the existing path setting with a new path:
.sympath <new path>
To append a new path to the existing setting:
.sympath+ <new path>
With no argument the command prints the currently configured symbol path:
0:000> .sympath
Symbol search path is: <empty>
(the symbol path has not been set)
Suppose that during a debugging session I know the required symbol files are in the folder D:\MyPdb:
0:000> .sympath D:\MyPdb
Symbol search path is: D:\MyPdb
Expanded Symbol search path is: d:\mypdb
The debugger now records the new symbol path but does not yet load any symbols from it. To make it load symbols, use the .reload meta-command, which enumerates every module loaded in the process address space and tries to identify the symbol file belonging to each:
0:000> .reload
Reloading current modules .....
If the debugger cannot find a matching file in the specified directories, it prints an error and falls back to the module's export table:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Xxx.dll -
Be aware that with export symbols only, addresses are attributed to the nearest exported name, so stack traces through such a module can name the wrong function.
When no local cache path is given, the debugger uses the sym folder under the installation directory of the Debugging Tools (recent versions default to a shared cache under %ProgramData%\dbg\sym).
Note that changing or adding a symbol path with .sympath does not refresh symbols that are already loaded; run .reload again to update them.
Deferred (lazy) loading means a module's symbol table is loaded only the first time it is actually used. This speeds up startup because the debugger does not have to load every symbol file up front.
Use .symopt+4 and .symopt-4 to turn deferred loading on or off.
When deferred loading is enabled and you want to override it for one module and load its symbols into the debugger immediately, use ld or .reload /f.
2. Symbol Server and Symbol Cache
The basic syntax for a symbol server element is:
srv*[symbol cache]*<server address>
The element starts with srv; the symbol cache and the server address are each preceded by an asterisk.
In addition, you should always add Microsoft's public symbol store to your symbol path:
.sympath+ srv*<cache directory>*http://msdl.microsoft.com/download/symbols
This is Microsoft's external server, reached here over plain HTTP; the same store is also served over https, which is the form current Microsoft documentation lists and the one to prefer. Not everyone remembers the URL, so the easiest way is the .symfix command, which already knows the Microsoft symbol server address above. Its syntax is:
.symfix [+] [symbol cache directory]
The following command is equivalent to the .sympath command above without typing the long URL:
0:010> .symfix c:\windows\symbols
0:010> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: srv*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
With this setting WinDbg downloads the needed symbols from the server automatically and saves them in C:\windows\symbols.
You can also configure this for the whole machine: open My Computer > Advanced system settings > Advanced tab, click Environment Variables and create a new user variable as follows:
- Variable name: _NT_SYMBOL_PATH
- Variable value: srv*d:\pdb*http://msdl.microsoft.com/download/symbols/
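To make the symbol server naming rule and the cache-first lookup described above concrete, here is an added Python example (not code from the article or from the Debugging Tools). It parses a symbol path string of the srv*cache*server form, reads the CodeView RSDS record that a PE stores in its debug directory to obtain the PDB's GUID and age, builds the symbol store key from them, and lists the locations a debugger would try in order. The server URL is the one from the article; the RSDS record, directory names, GUID and age are constructed for the example, and the flat/<ext>/symbols\<ext> search order for plain directories is the documented three-tier layout.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import List

# The server URL is the one named in the article; the cache directory, module
# names, GUID and age used below are constructed for this example.
MS_SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"


@dataclass
class SymPathElement:
    kind: str    # "srv" (symbol server) or "dir" (plain directory)
    cache: str   # local cache directory for "srv", "" if none was given
    target: str  # server URL for "srv", directory path for "dir"


def parse_sympath(sympath: str) -> List[SymPathElement]:
    """Split a ';'-separated symbol path into its elements.
    Handles plain directories, 'srv*server' and 'srv*cache*server';
    other element types are not modelled here."""
    elems: List[SymPathElement] = []
    for raw in sympath.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("*")
        if parts[0].lower() == "srv":
            cache = parts[1] if len(parts) > 2 else ""
            elems.append(SymPathElement("srv", cache, parts[-1]))
        else:
            elems.append(SymPathElement("dir", "", raw))
    return elems


@dataclass
class PdbIdentity:
    pdb_name: str
    guid: uuid.UUID
    age: int


def parse_rsds(record: bytes) -> PdbIdentity:
    """Parse the CodeView 'RSDS' record a PE carries in its debug directory:
    b'RSDS' + 16-byte GUID + 4-byte little-endian age + NUL-terminated path."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:record.index(b"\0", 24)].decode("utf-8")
    # The store key uses only the file name, never the build machine's path.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return PdbIdentity(name, guid, age)


def pdb_key(ident: PdbIdentity) -> str:
    """Store naming rule for a PDB: <name>/<GUID as 32 hex digits><age in hex>/<name>."""
    return f"{ident.pdb_name}/{ident.guid.hex.upper()}{ident.age:X}/{ident.pdb_name}"


def image_key(name: str, timestamp: int, size_of_image: int) -> str:
    """Store naming rule for a binary image (EXE/DLL/SYS), used when the debugger
    must fetch the image itself: <name>/<TimeDateStamp 8 hex><SizeOfImage hex>/<name>."""
    return f"{name}/{timestamp:08X}{size_of_image:X}/{name}"


def lookup_order(sympath: str, ident: PdbIdentity) -> List[str]:
    """Locations the debugger tries, in path order, to find ident's PDB.
    A plain directory is checked flat, then <dir>\\<ext>, then <dir>\\symbols\\<ext>;
    for a symbol server the local cache is checked before the remote server."""
    ext = ident.pdb_name.rsplit(".", 1)[-1]
    key = pdb_key(ident)
    key_win = key.replace("/", "\\")
    tried: List[str] = []
    for e in parse_sympath(sympath):
        if e.kind == "dir":
            tried += [f"{e.target}\\{ident.pdb_name}",
                      f"{e.target}\\{ext}\\{ident.pdb_name}",
                      f"{e.target}\\symbols\\{ext}\\{ident.pdb_name}"]
        else:
            if e.cache:
                tried.append(f"{e.cache}\\{key_win}")
            tried.append(f"{e.target}/{key}")
    return tried


# Constructed sample: the RSDS record of a hypothetical myapp.exe linked against
# C:\build\myapp.pdb with age 2 (not taken from any real binary).
SAMPLE_GUID = uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301")
SAMPLE_RSDS = (b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2)
               + b"C:\\build\\myapp.pdb\0")
SAMPLE_SYMPATH = "D:\\MyPdb;srv*d:\\pdb*" + MS_SYMBOL_SERVER

if __name__ == "__main__":
    ident = parse_rsds(SAMPLE_RSDS)
    print("store key:", pdb_key(ident))
    for location in lookup_order(SAMPLE_SYMPATH, ident):
        print("  try", location)
```

The key is what makes a symbol server work without per-module paths: the debugger derives it from the binary it is debugging, so a PDB is only accepted when GUID and age match exactly, which is also why a rebuilt binary silently stops matching its old PDB.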
3. Symbol Options
The command forms are:
- Show current settings: .symopt
- Add options: .symopt+ Flags
- Remove options: .symopt- Flags
The first form takes no parameter and displays the current settings; "+" adds an option and "-" removes one.
0:000> .symopt
Symbol options are 0x30237:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000020 - SYMOPT_OMAP_FIND_NEAREST
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00020000 - SYMOPT_NO_IMAGE_SEARCH
The available symbol options are listed in the following table:

| Value | Readable name | Description |
| --- | --- | --- |
| 0x1 | SYMOPT_CASE_INSENSITIVE | Symbol name matching is case-insensitive |
| 0x2 | SYMOPT_UNDNAME | Symbol names are shown undecorated (C++ decorated names are demangled) |
| 0x4 | SYMOPT_DEFERRED_LOADS | Deferred (lazy) loading |
| 0x8 | SYMOPT_NO_CPP | Turns off C++ translation; the :: in C++ symbol names is shown as __ |
| 0x10 | SYMOPT_LOAD_LINES | Load source line number information |
| 0x20 | SYMOPT_OMAP_FIND_NEAREST | If the exact symbol cannot be found because of compiler optimization, use the nearest symbol instead |
| 0x40 | SYMOPT_LOAD_ANYTHING | Symbol matching is looser and less strict |
| 0x80 | SYMOPT_IGNORE_CVREC | Ignore the CodeView record in the image file header |
| 0x100 | SYMOPT_NO_UNQUALIFIED_LOADS | Search only modules that are already loaded; do not automatically load new modules when an unqualified symbol search fails |
| 0x200 | SYMOPT_FAIL_CRITICAL_ERRORS | Do not display the file access error dialog box |
| 0x400 | SYMOPT_EXACT_SYMBOLS | The strictest symbol file check: a symbol file is not loaded if there is any mismatch at all |
| 0x800 | SYMOPT_ALLOW_ABSOLUTE_SYMBOLS | Allow symbolic information to be read from an absolute address in memory |
| 0x1000 | SYMOPT_IGNORE_NT_SYMPATH | Ignore the symbol path set in the _NT_SYMBOL_PATH environment variable and the directory of the debugged executable; neither is searched for symbol files |
| 0x2000 | SYMOPT_INCLUDE_32BIT_MODULES | When the debugger runs on an Itanium system, also enumerate 32-bit modules |
| 0x4000 | SYMOPT_PUBLICS_ONLY | Search only the public symbol table of the symbol file and ignore private symbols |
| 0x8000 | SYMOPT_NO_PUBLICS | Do not search the public symbol table of the symbol file |
| 0x10000 | SYMOPT_AUTO_PUBLICS | Search the PDB's private symbol table first; if the symbol is found there, skip the public symbol table, which speeds up the search |
| 0x20000 | SYMOPT_NO_IMAGE_SEARCH | Do not search the disk for a copy of the image (binary) file |
| 0x40000 | SYMOPT_SECURE | Secure mode: the debugger avoids affecting the host machine as far as possible |
| 0x80000 | SYMOPT_NO_PROMPTS | Do not display the symbol proxy server's authentication dialog box, which can make some symbol servers unreachable |
| 0x80000000 | SYMOPT_DEBUG | Show detailed information about the symbol search process |
4. Symbol Loading
1. Load immediately
The command format is:
ld <module name> [/f <symbol file name>]
This loads the symbols for the specified module. By default the debugger loads symbols in deferred mode; ld breaks out of that mode and loads the module's symbol file into the debugger immediately. The /f switch assigns a custom symbol file name to the module:
ld 123 /f abc
In this way abc.pdb becomes the symbol file for 123.exe. Normally that is not possible, since abc.pdb matches only abc.exe.
2. Reload
If you are unsure about the symbol file in use, for example when the source lines obviously do not match the code, it is best to reload the symbol file. The syntax of the command is:
- .reload /f /v [module name]
The .reload command discards the specified (or all) loaded symbol files. By default the debugger does not immediately search the symbol path for new symbol files; it defers that until the next time it needs them.
Use the /f parameter to make the debugger search for and load the new symbol files immediately.
The other parameters are:
- /v: show the details of the search process;
- /i: do not check the version information of the PDB file (this forces a mismatched PDB to load, so use it only when you know the file is right);
- /l: only list module information; in kernel mode this is similar to lm n t but shows more, because user-mode module information is included;
- /n: reload only kernel symbols, not user symbols;
- /o: overwrite the symbol file in the symbol store even if the version is the same;
- /d: the default in user-mode debugging; reloads all modules in the debugger's module list;
- /s: the default in kernel-mode debugging; reloads all modules in the system module list. To load kernel modules while debugging in user mode you must also pass /s, otherwise the debugger searches only its own module list and cannot find the kernel module;
- /u: unloads the symbols of the specified module. If the current symbol version turns out to be wrong, use /u to unload it and then reload.
3. Symbol Verification
Symbol files fail to match when, for example, a programmer rebuilt the project several times during testing, kept several versions, and lost track of which is which. You can verify the symbol file of a module with:
- !chksym <module name> [symbol file name]
The check compares the PDB identity (GUID and age) recorded in the module's debug directory with the identity stored in the PDB; only an exact match is accepted.
Load options: !sym
There are two kinds of load options. The first is noisy/quiet: noisy prints the details of symbol loading, quiet suppresses them. The second is prompts/prompts off, that is, whether the debugger is allowed to display prompt dialogs.
The load options command is normally executed before calling .reload.
Noisy means exactly that: while searching for and loading symbols the debugger prints additional search-related information; in quiet mode this information is not shown. Noisy or quiet has no effect on the outcome of the search and load. When symbol files are downloaded over the network, the server may require the client to authenticate: with prompts on, an authentication dialog appears and the user enters credentials; otherwise no dialog appears and the symbol file is not downloaded.
With no parameters the command displays the current load option settings; the following listing shows that the current settings are quiet mode and prompts on:
0:000> !sym
!sym <noisy/quiet/prompts/prompts off> - quiet mode - symbol prompts on
5. Symbol Search
Symbol search covers both global search and nearest search.
1. Global Search
The x command performs a global symbol search; you can read it simply as "search". The format is:
- x [options] [module!symbol]
With no arguments it lists all local variables in the current scope, provided there are any; dv is another command that shows local variables and is discussed later.
The command below searches for and prints all symbols in the kernel32 module whose names begin with "a". x supports DML; use the /D option to display the output in DML format.
0:000> x kernel32!a*
769836a8 kernel32!AllocContext = <no type information>
769a4286 kernel32!AdjustHijriYears = <no type information>
76986698 kernel32!AddLocalAlternateComputerNameW = <no type information>
76997fab kernel32!AllocateUserPhysicalPages = <no type information>
.... (remaining output omitted)
If you do not know which module defines the function NtCreateFile, try the following command:
- x *!*NtCreateFile* (see also the !dlls -c command)
A function of the same name is defined in several system modules, which may surprise you, but it is a useful thing to know.
In addition, x takes several optional switches. It is worth always adding /t and /v to show more type information about each symbol.
- /f: display only function symbols;
- /d: display only data symbols;
- /t: display the data type of each symbol;
- /v: display the kind of each symbol (local, global, parameter, function) and its size.
2. Nearest search
If you know the approximate address of a symbol but cannot determine its exact name, what can you do? The nearest-search command ln (short for list nearest) does the job: given an address, it lists the symbols closest to it, that is, the symbol at or just before the address together with the offset from it, and the symbol just after it.
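As an added illustration of both search commands (example code, not part of the article or of WinDbg), the following Python class implements the two lookups over a small in-memory symbol table: a case-insensitive wildcard search in the style of x module!pattern, and a nearest-address lookup in the style of ln using a binary search over the sorted symbol start addresses. The module name, symbol names, addresses and sizes are constructed for the example. It also shows the caveat a practitioner wants from ln: the nearest preceding symbol is reported even when the address lies past the end of that symbol, so the offset must be checked against the symbol's size before trusting a symbol+offset in a stack trace.

```python
import bisect
import fnmatch
from typing import List, Optional, Tuple

Symbol = Tuple[str, int, int]   # (module!name, start address, size in bytes)

# Constructed symbol table for a hypothetical module "demo"; addresses and
# sizes are invented for this example, not read from any real binary.
DEMO_SYMBOLS: List[Symbol] = [
    ("demo!main",       0x00401000, 0x40),
    ("demo!ParseInput", 0x00401040, 0x120),
    ("demo!WriteLog",   0x00401160, 0x80),
    ("demo!g_Config",   0x00403000, 0x10),
]


class SymbolTable:
    def __init__(self, symbols: List[Symbol]) -> None:
        self._syms = sorted(symbols, key=lambda s: s[1])
        self._starts = [s[1] for s in self._syms]

    def search(self, pattern: str) -> List[Symbol]:
        """Global search like 'x module!pattern': a case-insensitive wildcard
        match on the full module!name (SYMOPT_CASE_INSENSITIVE behaviour)."""
        pat = pattern.lower()
        return [s for s in self._syms if fnmatch.fnmatchcase(s[0].lower(), pat)]

    def nearest(self, addr: int) -> Tuple[Optional[Tuple[str, int, bool]],
                                          Optional[Tuple[str, int]]]:
        """Nearest search like 'ln addr'.
        Returns ((preceding symbol, addr - start, addr inside its size?),
                 (following symbol, start - addr)); either part may be None."""
        i = bisect.bisect_right(self._starts, addr) - 1
        before = after = None
        if i >= 0:
            name, start, size = self._syms[i]
            before = (name, addr - start, addr - start < size)
        if i + 1 < len(self._syms):
            name, start, _ = self._syms[i + 1]
            after = (name, start - addr)
        return before, after

    def describe(self, addr: int) -> str:
        """Render an address as a stack trace would (symbol+0xoffset), refusing
        to attribute it when the offset runs past the end of the nearest symbol."""
        before, _ = self.nearest(addr)
        if before is None or not before[2]:
            return f"{addr:08x} (no symbol covers this address)"
        name, off, _ = before
        return f"{addr:08x} {name}+0x{off:x}" if off else f"{addr:08x} {name}"


if __name__ == "__main__":
    table = SymbolTable(DEMO_SYMBOLS)
    for sym in table.search("demo!*log*"):
        print(f"{sym[1]:08x} {sym[0]}")
    print(table.describe(0x00401050))
    print(table.describe(0x004011e0))
```

With public symbols only, sizes are often unknown and the debugger can only report the nearest preceding name; that is the case where an address in padding or in a stripped function is misattributed, which is why .reload /f with matching private symbols is preferred when a crash address looks implausible.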
6. Source Code Commands
If source information is included, the debugging session can be carried out in source mode. The source-related commands are the following:
Source path:
Similar to the symbol path, the source path is set with the following syntax:
- .srcpath[+] [path 1;path 2]
With no argument it displays the currently configured source path.
The following command replaces the existing setting with a new source search path:
- .srcpath <path information>
Use "+" to add new paths to the existing setting without overwriting it:
- .srcpath+ <path information>
7. Source Code Options
Three source options are listed here.
1. noisy
- Status: .srcnoisy
- On: .srcnoisy 1
- Off: .srcnoisy 0
With the "noisy source" option on, the debugger prints rich source information when loading or unloading source files and even when single-stepping.
2. lines
The line number option, that is, whether line number information is also loaded when the symbol file is loaded. Because WinDbg supports source-level debugging, it is enabled by default.
The command is .lines [-d|-e|-t]: -d means disable, -e means enable, and -t means toggle, that is, switch automatically between disabled and enabled.
3. Source line options
These include line numbers and the source text, with the following syntax:
- On: l+ [options]
- Off: l- [options]
The command l is short for line. Unlike the .lines command above, .lines is a load-time option while l is a debug-time option. It is recommended to use l+* to turn on all the line options, which works well: each step then shows the source line and its line number as you step through the code, which is very convenient.
Note that the commands for entering source mode and assembly mode are:
- Source mode: l+t
- Assembly mode: l-t
Running these two commands has the same effect as clicking the Source Mode option in WinDbg's Debug menu.
WinDbg symbols and source code (part two)