windbg symbol and source code "second article"

A symbol file is a secondary data that contains some annotation information about the application code that is useful during debugging. If there is no secondary data, then the information available is only the binary file of the application. Binary files are difficult to debug because you cannot see the function names, data structure names, and so on in your code. This is exactly what the symbol file can display. The extension of the symbol file is usually the PDB, which is a good way for the debugger to parse the file format.

Compilers and linker when creating binary image files (such as EXE, DLL, SYS), the associated suffix named. dbg,. Sym, or. pdb files that contain image file compilation, symbolic information generated during linking, are called symbol files. Specifically, the symbolic information includes the following:

• global variables;
• local variables;
• function
• variable, struct type definition;

The source file path and each symbol corresponds to the line number in the source file, which is the basis for source-level debugging.

There is so much information contained in the symbol file that the symbol file is usually much larger than the binary (PE) file itself. As long as the correct setting of the symbol path, so that the debugger can debug target, symbol files and source code file one by one corresponding to the best to play the powerful role of the debugger.

　　

There are two types of symbol files: private symbol files and public symbol files.

• Private symbol File: a symbol file that most developers use in their daily work, which contains all the symbolic information needed in a debugging session.
• Public symbol File: Only selectively contains some symbolic information.

Symbolic information is subordinate to the specified module, so only the debugger needs to use a module, its symbolic information can be loaded and analyzed the necessary.

To use symbols in the debugger, we must first tell the debugger where the symbol files are located, that is, set the symbol path. The symbol path can be a local folder path, an accessible UNC path, or a symbol server path.

Symbol server: During debugging, you need to involve thousands of symbol files, as well as different symbol file versions under different platforms for the same symbol file. One by one manually setting the symbolic path is definitely unrealistic, so the concept of symbolic servers is introduced. Symbol server has a set of naming rules, so that debugging software can correctly find the required symbol files. In general, the symbol server is large, are common, and placed on the remote host. In order to reduce the cost of network access, but also introduced the concept of symbolic cache, will be downloaded from the server to the symbol file, stored in the local cache, the debugger needs a symbol file, the first from the cache to look for, can not find the time to download the server.

　　1. Set the symbol path

The syntax for setting the symbol path is as follows:

. sympath [+] [path]

To overwrite the original path settings, use the new path:

. sympath < New path >

To add a new path based on the original path, you can use:

. sympath+ < New paths >

　　If the parameter is not present, then the output is the symbol path of the current setting:

0:000>. Sympathsymbol search Path is: <empty> //symbol path not set

If debugging, I know the required symbol file is located in the folder "D:\MyPdb".

0:000>. Sympath D:\MyPdb //overwrite the original symbol path symbol search path is:d:\mypdbexpanded symbol search path is:d:\mypdb

　　The debugger will now record the new symbolic path above, but will not load any symbols from this path, and to instruct the debugger to load symbols, you can use the META command reload. This command enumerates all the loaded modules in the process's address space and attempts to identify the symbol files associated with each module.

0:000> reloadreloading current modules  .....

If the debugger cannot find the file in the specified directory, it will output an error message:

Error:symbol file could not being found. defaulted to export symbols for Xxx.dll

When the local cache path is not set, the debugger uses the Sym folder under the installation path of the Debug software.

　　It is important to note that when you use. Sympath to change or add a symbol path, the symbol file is not automatically updated and should be executed again. Reload command to update it.

Lazy loading makes the symbol table of the module only loaded the first time it is actually used. This speeds up the program startup without having to load all the symbol files in the first time.

Use. symopt +4 and. Symopt-4 to turn lazy load settings on or off.

In cases where deferred loading has been initiated, if you want to temporarily change the policy, load the symbol for the specified module into the debugger immediately, using the LD or. reload/f command.

　　2. Symbol Server and Symbol cache

The basic syntax for setting up a symbol server is:

srv*[symbol Cache]* server address

syntax has SRV boot, symbol cache and server address preceded by an asterisk.

In addition, we should always add the common symbol Library of Microsoft to our symbolic path:

. sympath+ srv*< Cache Address >*http://msdl.microsoft.com/download/symbols

This is a Microsoft External server, using HTTP address access, not everyone can remember this URL, so the best way is to use the. Symfix command (automatically remembers the Microsoft Symbolic server address above), the syntax is as follows:

. symfix [+] [symbol cache address]

The following command is equivalent to the. sympath command above without entering a long HTTP address.

0:010>. Symfix c:\windows\symbols0:010>. Sympathsymbol Search Path is:srv*expanded Symbol search Path Is:srv*c:\wi Ndows\symbols*http://msdl.microsoft.com/download/symbols

When the above settings are needed, the WinDbg will be downloaded to the server automatically, and then saved in C:\windows\symbols.

Of course, we can also set up on the computer, the way is:

My Computer = "advanced system settings =" Advanced tab, click on Environment variables, create a new user variable as follows:

• Variable name: _NT_SYMBOL_PATH
• Variable Value: srv*d:\pdb*http://msdl.microsoft.com/download/symbols/

　　

　　3. Symbol Options

The command format is as follows:

• Show current settings:. symopt
• Add options:. symopt+ Flags
• Delete option:. symopt-flags

The first command does not have any parameters and displays the current settings. "+" represents the addition of an option, "-" represents the removal of an option.

0:000>. Symoptsymbol options is 0x30237:  0x00000001-symopt_case_insensitive  0x00000002-symopt_undname< C5/>0x00000004-symopt_deferred_loads  0x00000010-symopt_load_lines  0x00000020-symopt_omap_find_nearest  0x00000200-symopt_fail_critical_errors  0x00010000-symopt_auto_publics  0x00020000-symopt_no_image _search

The available symbol options are shown in the following table:

Value	Readable name	Describe
0x1	Symopt_case_insensitive	Symbol names are case insensitive
0x2	Symopt_undname	Symbol name not decorated
0x4	Symopt_deferred_loads	Lazy Loading
0x8	Symopt_no_cpp	Turn off C + + conversion, in C + +:: Symbol will be displayed as __
0x10	Symopt_load_lines	Load line numbers from the source file
0x20	Symopt_omap_find_ NEAREST	If the corresponding symbol cannot be found due to compiler optimizations, replace it with the nearest symbol
0x40	Symopt_load_anything	When the symbols match, the matching principle is looser and less strict.
0x80	Symopt_ignore_cvrec	Ignore CV records in image file header
0x100	Symopt_no_unqualified_ LOADS	Searches for symbols only in loaded modules, and does not automatically load new modules if the search symbol fails.
0x200	Symopt_fail_critical_ ERRORS	The File Access error dialog box is not displayed.
0x400	Symopt_exact_symbols	For the most stringent symbol file checks, symbol files are not loaded as long as there are minor differences.
0x800	Symopt_allow_absolute_ SYMBOLS	Allows reading of symbolic information from an absolute address in memory.
0x1000	Symopt_ignore_nt_ SYMPATH	Ignores the symbolic path set in the environment variable, and ignores the execution path of the debugged process. In other words, when searching for symbol files, they are not searched from these paths.
0x2000	Symopt_include_32bit_modules	Let the debugger run on the Itanium system, also enumerate the 32-bit modules.
0x4000	Symopt_publics_only	Only the common (public) symbol table of the symbol file is searched, and the private symbol table is ignored.
0x8000	Symopt_no_publics	Common (public) symbol tables that do not search for symbol files
0x10000	Symopt_auto_publics	The private symbol table of the pdb file is searched first, and if the corresponding symbol is found in it, the common (public) symbol table is no longer searched, which can speed up the search.
0x20000	Symopt_no_image_search	Do not search for mirrored copies
0x40000	Symopt_secure	Safe mode, so that the debugger does not affect the host as much as possible.
0x80000	Symopt_no_prompts	Do not display the symbol Proxy Server's authentication dialog box, which will cause some time to not be able to access the symbol server
0x80000000	Symopt_debug	Show detailed procedures and information for symbol search

　　4. Symbol loading

　　1. Load immediately

The command format is as follows:

LD module name [/F Symbol file name]

Loads the symbol for the specified module. The debugger uses delay mode to load symbols by default. The LD causes the delay mode to be broken, and the symbol file for the specified module is immediately loaded into the debugger. This directive sets a custom match name for the symbol file for a module.

LD 123/f ABC

In this way, abc.pdb will become a 123.exe symbol file. Under normal circumstances, this is not possible, only the abc.pdb corresponds to Abc.exe.

　　2. Reload

If you are confused about the symbol file you are using, such as the obvious mismatch between the source code and the line number, it is best to reload the symbol file. The syntax for this command is as follows:

• . reload/f/V [module name]

The function of the. Reload command is to delete the specified or all loaded symbol files, by default, the debugger does not immediately re-search and load new symbol files based on the symbol path, but instead defers to the next time the debugger uses the file.

Use the/f parameter to immediately search for and reload the new symbol file by breaking the debugger.

Other parameters are explained as follows:

• /V: Displays the details of the search process.
• /I: Do not check the version information of PDB files;
• /L: Only display module information, kernel mode, and "LM N T" command similar, but display content more than the latter, because the user module information is included;
• /n: Only reload kernel symbols, do not reload user symbols;
• /o: Forces the symbol file in the symbol library to be overwritten, even if the version is the same;
• /d: The default option when using WinDbg in user layer mode, overloading all modules in the Debugger module list;
• /s: The default option when using WinDbg in kernel mode, overloading all modules in the list of system modules, and if the debugger is running in user mode, to load kernel modules, you must also use the/s option, otherwise the debugger will only search in the debugger modules list to cause the kernel module to be found;
• /u: Uninstalls the specified module. If the current symbol version is found to be incorrect, use the/u switch to unload it before reloading.

　　3. Symbol Verification

Symbol files do not match, it is possible that the programmer in the post-test may be the project to compile multiple times, in order to maintain multiple versions and make themselves also confused. You can use the following command to verify the symbol file for a module:

• !chksym < module name > [symbol name]

Load options:!sym

There are two types of symbolic loading options. The first class is the Noisy/quiet,noisy option to print the details of the symbol loading, and the Quiet option ignores the information. The second class is prompts/prompts off, that is, whether to allow prompt execution (prompts) dialogs.

The load Options command is typically executed before the. Reload command is called.

The so-called noisy is noisy, the debugger will display more search-related information when searching and loading symbols. In quiet mode, this information is not displayed. Whether noisy or not, will not affect the final search, loading results. When downloading the symbol file from the network, may encounter the network server asks the customer to carry on the security authentication situation, if turns on the prompts option, then pops up the authentication dialog box, lets the user enter the authentication information; otherwise, the dialog box does not pop up and the symbol file is not downloaded.

Without any parameters, the current load option setting is displayed, and the following manifest indicates that the current setting is quite and prompts mode

0:000>. Symoptsymbol options are0x30237:0x00000001-Symopt_case_insensitive0x00000002- Symopt_undname 0x00000004- symopt_deferred_loads 0x00000010- Symopt_load_lines 0x00000020- symopt_omap_find_nearest 0x00000200- Symopt_fail_ Critical_errors 0x00010000- Symopt_auto_publics 0x00020000- Symopt_no_image_search0:000>! sym!sym <noisy/quiet-prompts/prompts off>-quiet mode-symbol prompts on  span>               

　　5. Symbol Search

Symbol search includes both global search and proximity search.

　　1. Global Search

The command "x" is used for a global search of symbols, and you can interpret it directly as search. The format is as follows:

• x [parameters] [module! symbol]

If none of the parameters are present, it will list all local variables under the current debugging environment, provided that another command that displays the local variables is DV if there is a local variable present, which is also discussed later.

• X kernel32!a*

The above command searches for and prints out the symbols that begin with all a in the Kernel32 module. The x command supports DML, which is displayed in DML format using the/d option.

0:000>!  Sym!sym <noisy/quiet-prompts/prompts off>-Quiet mode- symbol prompts on0:000> x kernel32!a*7 69836a8 kernel32! Alloccontext = <no type information>769a4286 kernel32! Adjusthijriyears = <no type information>76986698 kernel32! Addlocalalternatecomputernamew = <no type information>76997fab kernel32! Allocateuserphysicalpages = <no type Information> .... Too long to omit part        

If you don't know what module ntcreatefile this function is defined in, you can try using the following command:

• X *!*ntcreatefile* (Note: Also refer to!dlls–c command)

A function of the same name is defined in multiple system modules, which may surprise you, but it brings you real knowledge.

In addition, the X command has multiple optional parameters. It is recommended to always bring the/T and/V to show more symbols, type information.

• /f: Only the function symbol will be displayed, and a detailed definition of the function will be displayed.
• /d: Displays more information about the variable type.

　　2, the nearest search

If you know the approximate address of the symbol, but cannot determine the exact symbolic name, what should be handled? The nearest find command "LN" works, and LN is the abbreviation for list nearest. It does this by listing all the symbols in a certain range nearby (based on the given address).

　　6. Source Code Command

If the source information is included, the debugging process can be carried out in source code mode. The commands related to the source code include the following:

Source path:

Similar to the symbolic path, to set the source path, use the following syntax format:

• . srcpath[+] [path 1; Path 2]

Displays the source path of the current setting without any parameters.

The following command overrides the original setting and sets a new source search path

• .srcpath< path Information >

Use "+" to add new paths to the original settings without overwriting the original settings:

• . srcpath+ < path information >

　　7. Source Code Options

Three source options are listed here.

　　1, noisy

• Status:. Srcnoisy
• Open:. Srcnoisy 1
• Close:. Srcnoisy 0

Start the "noisy source" option, in the source code loading, unloading, or even single-step, will display rich source information.

　　2, lines

Line number option, that is, whether the line number is also loaded during symbol file loading. Because WinDbg supports source-level debugging, it is enabled (enable) by default in WinDbg.

• . lines [-D|-E|-T]

The parameter d is the meaning of disable; E is the meaning of enable; t is the meaning of switching, that is, automatically switching between disable and enable.

　　3. Line-of-code options

Include line numbers and content, with the following syntax:

• Open: L + [Options]
• OFF: l [Options]

Command | is the abbreviation for line, unlike the. lines command above,. Lines is the load-time option, and L is the debug-time option. It is recommended to use the "l+*" directive to open all the line options, which will work well. This way, each step of the code and line number will be displayed when you step through the debugging. It looks very eye-catching!

It is worth noting that the commands to enter the source mode and enter the assembly mode are:

• SOURCE mode: L+t
• Assembly mode: L-t

Run both commands and click the source mode option under the Debug menu of WinDbg to have the same effect.

windbg symbol and source code "second article"