Forcing WinDbg to load symbols of an unloaded module

2

22

I'm debugging a module for which I have only the .exe and a .pdb without private symbols.
During the debug session I need to inspect an internal struct. Obviously this struct does not appear in the PDB since it's private - but fortunately I have an .h file where this struct is defined. Therefore I can build some dummy module that uses this struct and obtain a PDB file that contains this struct.

Now I have an unloaded module with the struct symbols, and I would like to load its symbols in order to cast some memory to that struct. (without unloading the original .exe I'm debugging, of course)
The problem: it seems that WinDbg only allows loading symbols for loaded modules...

My question is: Is there a simple way I could load my symbols from the unloaded module?

I've tried .reload /i /f MyDll.dll but I always get ...MyDll.dll - unmatched.
Setting the sympath did not help.

Any ideas?

Tithe answered 11/6, 2012 at 11:44 Comment(0)
22

You can force windbg to load symbols at a specific address, e.g.:

0:000> .reload /f /i MyDll.dll=77777777
    c:\sym\MyDll.pdb - unmatched
0:000> lm
start             end                 module name
00000000`55555555 00000000`55555555   notepad    (no symbols)
00000000`77530000 00000000`7762a000   USER32     (deferred)
00000000`77777777 00000000`77777777   MyDll_77777777   (private pdb symbols)  c:\sym\MyDll.pdb

The unmatched warning here is because windbg cannot tell that the symbols match the correct version of the module since it can find no timestamp or checksum.

Bilbo answered 12/6, 2012 at 20:4 Comment(0)
26

A better way is .reload /unl MyDll.dll

The unloaded module list contains the timestamp (for image/pdb matching) and the image base address. Using /unl tells WinDBG to use that information.

Moonstone answered 9/9, 2013 at 7:29 Comment(1)
Thank you: your command is the only variation that worked for me! - Dichlorodifluoromethane
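
Added example (not part of the original thread): a minimal C source for the dummy module the question describes, whose only job is to get the header's struct into a PDB that WinDbg can then load with one of the commands above. The file name dummy.c, the struct INTERNAL_STATE and its fields, and the global and helper names are hypothetical stand-ins for whatever the real .h file defines.

```c
/* dummy.c - type-carrier module: its PDB holds the struct from the header.
 *
 * Build with MSVC for the same bitness as the debugged .exe, e.g.
 *     cl /LD /Zi dummy.c /FeMyDll.dll
 * then load MyDll.pdb as shown in the answers and cast memory with
 *     dt MyDll!INTERNAL_STATE <address>
 * (use the module name that lm prints, e.g. MyDll_77777777).
 */
#include <stddef.h>
#include <stdint.h>

/* Normally this would be: #include "internal.h"
 * The definition below is a constructed placeholder. */
typedef struct INTERNAL_STATE {
    uint32_t  magic;
    uint16_t  flags;
    uint8_t   mode;
    void     *buffer;
    uint64_t  length;
} INTERNAL_STATE;

/* A real object of the type makes the compiler emit its debug record;
 * a typedef that is never used may be left out of the PDB. */
INTERNAL_STATE g_type_carrier;

/* Referencing the global keeps it from being discarded as unused. */
void *touch_carrier(void) { return &g_type_carrier; }

/* Layout helpers: compare these with the offsets the target really uses.
 * If packing or pointer size differs from the target build, dt will
 * decode fields at the wrong offsets even though the PDB loads fine. */
size_t state_size(void)    { return sizeof(INTERNAL_STATE); }
size_t buffer_offset(void) { return offsetof(INTERNAL_STATE, buffer); }
size_t length_offset(void) { return offsetof(INTERNAL_STATE, length); }
```

Because the PDB is loaded unmatched, nothing checks that the dummy build agrees with the target, so any `#pragma pack` or compiler options the real project uses have to be reproduced in the dummy build.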