{"id":16714114,"url":"https://github.com/therealdreg/pdbdump_bochs","last_synced_at":"2025-04-10T06:10:23.028Z","repository":{"id":50149741,"uuid":"518025235","full_name":"therealdreg/pdbdump_bochs","owner":"therealdreg","description":"Dump PDB Symbols including support for Bochs Debugging Format (with wine support)","archived":false,"fork":false,"pushed_at":"2023-08-11T06:27:06.000Z","size":65689,"stargazers_count":15,"open_issues_count":0,"forks_count":8,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-24T07:14:05.493Z","etag":null,"topics":["bochs","debugging","instrumentation","kernel-debugging","linux-support","osdev","pdb","reverse-engineering","windows","wine"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2022-07-26T11:02:49.000Z","updated_at":"2025-01-07T09:48:54.000Z","dependencies_parsed_at":"2025-02-16T19:43:43.803Z","dependency_job_id":null,"html_url":"https://github.com/therealdreg/pdbdump_bochs","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fpdbdump_bochs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fpdbdump_bochs/tags","release
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fpdbdump_bochs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fpdbdump_bochs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/pdbdump_bochs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248166925,"owners_count":21058481,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bochs","debugging","instrumentation","kernel-debugging","linux-support","osdev","pdb","reverse-engineering","windows","wine"],"created_at":"2024-10-12T20:49:25.299Z","updated_at":"2025-04-10T06:10:23.016Z","avatar_url":"https://github.com/therealdreg.png","language":"C","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"readme":"# pdbdump_bochs\n\nDump PDB Symbols including support for Bochs Debugging Format (with wine support)\n\nIf you need to download the symbols for a file, use this project:\n\n- https://github.com/Biswa96/PDBDownloader\n\nExample of use on Wine:\n```\nwine PDBDownloader.exe advapi32.dll\n```\n\n## Example with ntkrnlpa loaded in Bochs at 0x804D7000\n\nDownload this repo:\n\nhttps://github.com/therealdreg/pdbdump_bochs/archive/refs/heads/main.zip\n\nFor a 32-bit base address:\n\n```\nx32\\x32_pdbdump_bochs.exe -b ntkrnlpa.pdb:0x804D7000 \u003e sym.txt\n```\n\nCheck the results:\n```\ntype 
sym.txt\n```\n\n![example](img/example.png)\n\nLoad the generated file in the Bochs debugger with ldsym global followed by the file path, for example:\n\n```\nldsym global \"C:\\\\Users\\\\Dreg\\\\bochs\\\\sym.txt\"\n```\n\nBochs GUI Debugger:\n\n![debugui](img/debugui.png)\n\nBochs Console Debugger:\n\n![names](img/names.png)\n\n# 64 bit address\n\n**WARNING**: For a 64-bit address you must use x64\\x64_pdbdump_bochs.exe\n\n```\nx64\\x64_pdbdump_bochs.exe -b ntkrnlpa.pdb:0x1122334455667788 \u003e sym_64.txt\n```\n\n## Prefix output\n\n```\nx32\\x32_pdbdump_bochs.exe -b c:\\winsymbols\\dll\\kernel32.pdb:0x7c800000 PFX:kernel32!\n```\n\n```\n0x7c801160 kernel32!_imp__NtFindAtom\n0x7c825e00 kernel32!c_PmapEntries_apphelp\n0x7c863ca4 kernel32!GetThreadTimes\n0x7c855154 kernel32!c_PmapEntries_cryptui\n0x7c87b813 kernel32!InsertPreComposedForm\n0x7c85f578 kernel32!GlobalCompact\n0x7c8010e4 kernel32!_imp___allmul\n0x7c81736e kernel32!OpenSection\n0x7c801164 kernel32!_imp__RtlLookupAtomInAtomTable\n0x7c885380 kernel32!gAnsiCodePage\n0x7c81cc7b kernel32!GetEnvironmentStrings\n0x7c873d1f kernel32!ReadConsoleOutputCharacterW\n.....\n```\n\n## How to get the base address of a kernel module\n\nSteps:\n\n1. Install WinDBG in the guest machine\n2. Install Windows Symbols in the guest machine\n3. Open Windbg and go to File -\u003e Kernel Debug -\u003e Local\n4. Load the symbols: go to File -\u003e Symbol File Path (and select .reload)\n5. 
Type **lm k** in the Windbg console (k lists kernel modules)\n\n![windbg](img/windbg.png)\n\nThen run pdbdump_bochs.exe with the values from the **lm k** output (the pdb file plus the module base address)\n\nMore info:\n\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-local-kernel-debugging-of-a-single-computer-manually\n\n## Linux - Debian based\n\n```\napt-get install wine\n```\n\n```\nWINEDLLOVERRIDES=\"dbghelp=n;\" wine ./x32/x32_pdbdump_bochs.exe -b ntkrnlpa.pdb:0x804D7000\n```\n\nFor a 64-bit address:\n\n```\nWINEDLLOVERRIDES=\"dbghelp=n;\" wine ./x64/x64_pdbdump_bochs.exe -b ntkrnlpa.pdb:0x1122334455667788\n```\n\n# HELP - Usage\n\n```\n    Usage: pdbdump.exe [-csv] [-sasnf] [-r] pdb_or_exe[:BASE] [PFX:prefix]\n       -t: Enumerate types.\n     -csv: Output comma-separated-values format.\n -s[asnf]: Sort by (a)ddress, (s)ize, (n)ame, or (f)ile. ASNF to reverse.\n       -r: Resolve names and addresses read from stdin.\n  -w[...]: Wildcard to use when enumerating symbols.\n       -b: Bochs sym output.\n   [PFX:]: Prefix each symbol name with own prefix (only valid with -b)\n\n By default modules (.pdb or .exe files) are loaded with a base address of\n 0x400000. This can be overriden by adding a :BASE suffix to the module's\n file name. For example; my_project.pdb:0x20030000.\n\n Examples: 1. Output all symbols from a.pdb and b.dll;\n               \u003e pdbdump_bochs.exe a.pdb b.dll\n           2. Output all of a.pdb's function symbols in CSV format;\n               \u003e pdbdump_bochs.exe -csv a.pdb | findstr SymTagFunction\n           3. List all symbols starting with 'is_enab';\n               \u003e pdbdump_bochs.exe -wis_enab* a.pdb\n           4. Resolve two symbols by name and by address;\n               \u003e echo 0x401000 is_enabled | pdbdump_bochs.exe -r a.pdb\n           5. Dump symbols in Bochs Sym format with own base address:\n               \u003e pdbdump_bochs.exe -b ntkrnlpa.pdb:0x804D7000\n           6. 
Dump symbols in Bochs Sym format with own base address + nt! prefix:\n               \u003e pdbdump_bochs.exe -b ntkrnlpa.pdb:0x804D7000 PFX:nt!\n```\n\n# Notes\n\ndbghelp \u0026 more are taken from:\n- dbg_amd64_6.12.2.633.msi\n- dbg_x86_6.12.2.633.msi\n\n# Related\n\nHelper script for Windows kernel debugging with IDA Pro on the native Bochs debugger (including PDB symbols):\n- https://github.com/therealdreg/ida_bochs_windows\n\nHelper scripts for Windows debugging with symbols for Bochs and IDA Pro (PDB files). Very handy for user mode \u003c--\u003e kernel mode:\n- https://github.com/therealdreg/symseghelper\n\n# Credits\n\nThis project is just a mod of pdbdump by Martin Ridgers, pdbdump 'at' fireproofgravy.co.uk:\n\n- https://gist.github.com/mridgers/2968595\n\nTools for Linux kernel debugging on Bochs (including symbols, native Bochs debugger and IDA PRO):\n- https://github.com/therealdreg/bochs_linux_kernel_debugging\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fpdbdump_bochs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fpdbdump_bochs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fpdbdump_bochs/lists"}