{"id":16714015,"url":"https://github.com/therealdreg/symseghelper","last_synced_at":"2025-10-12T15:47:05.768Z","repository":{"id":50228736,"uuid":"518597682","full_name":"therealdreg/symseghelper","owner":"therealdreg","description":"Helper scripts for windows debugging with symbols for Bochs and IDA Pro (PDB files). Very handy for user mode \u003c--\u003e kernel mode","archived":false,"fork":false,"pushed_at":"2023-08-11T06:27:33.000Z","size":15410,"stargazers_count":19,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-24T07:13:27.842Z","etag":null,"topics":["bochs","ida-pro","idapython","kernel-debugging","pdb","windows"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2022-07-27T20:08:24.000Z","updated_at":"2024-11-07T12:04:46.000Z","dependencies_parsed_at":"2025-02-16T19:43:34.098Z","dependency_job_id":null,"html_url":"https://github.com/therealdreg/symseghelper","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fsymseghelper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fsymseghelper/tags","releases_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fsymseghelper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fsymseghelper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/symseghelper/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248166925,"owners_count":21058481,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bochs","ida-pro","idapython","kernel-debugging","pdb","windows"],"created_at":"2024-10-12T20:48:51.212Z","updated_at":"2025-10-12T15:47:00.729Z","avatar_url":"https://github.com/therealdreg.png","language":"Python","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"readme":"# symseghelper\nHelper scripts for windows debugging with symbols for Bochs and IDA Pro (PDB files). 
Very handy for user mode \u003c--\u003e kernel mode\n\n![bochstvshow](img/bochstvshow.gif)\n\n![names](img/mnames.png)\n\n# Fast and easy way (only names)\n\nIn Guest: Install Windows debugging tools (windbg)\n\nIn Guest: install debug symbols\n\nIn Guest: execute windbg with command line -logo:\n```\n\"C:\\Program Files\\Debugging Tools for Windows (x86)\\windbg.exe\" -logo c:\\windbg_syms_output.txt\n```\n\nGo to File -\u003e Kernel Debug -\u003e Local\n\nGo to File -\u003e Symbol File Path -\u003e Browse \n\nSelect your symbol path (for me it's C:\\winsymbols), Select Reload -\u003e OK\n\nList all processes in windbg with:\n```\n!process 0 0 \n\n...\n\nPROCESS 8982ec20  SessionId: 0  Cid: 056c    Peb: 7ffd7000  ParentCid: 0548\n    DirBase: 10a83000  ObjectTable: e18f4320  HandleCount: 237.\n    Image: explorer.exe\n\n...\n```\n\nAttach to explorer.exe with **.process /p /r** 8976e2d0 (it has a lot of user mode DLLs)\n```\n.process /p /r 8982ec20\n```\n\ntype: \n```\n.reload -a\n```\n\ntype:\n```\n.reload /f\n```\n\nExecute in windbg:\n```\nx /2 *!*\n```\n\nWait and be patient\n\nClose windbg\n\nClean c:\\windbg_syms_output.txt file, removing all lines before\n```\nlkd\u003e x /2 *!*\n```\n\nwindbg_syms_output.txt should look like:\n\n```\n7ffe0300 SharedUserData!SystemCallStub\n00af1d80 kext!diskspace\n00af2af0 kext!DebugExtensionInitialize\n00af2bb0 kext!DebugExtensionNotify\n00af2ce0 kext!DebugExtensionUninitialize\n...\nf7ba0a90 Ntfs!LfsAllocateSpanningBuffer\nf7b78831 Ntfs!NtfsQueryBasicInfo\nf7b85653 Ntfs!NtfsCacheSharedSecurityByDescriptor\n```\n\nMove windbg_syms_output.txt to Host\n\nIn Host: Execute\n```\nwindbg_syms_parser.py windbg_syms_output.txt bochs_syms_and_ida_names.txt\n```\n\n## Bochs\n\nin Host: Open Bochs Debugger, start a debug session, Press Ctrl + C (break). 
Use ldsym global bochs_syms_and_ida_names.txt \n\nExample:\n```\nldsym global \"C:\\\\Users\\\\leno\\\\Desktop\\\\symseghelper\\\\bochs_syms_and_ida_names.txt\"\n```\n\nDone!\n\n![betweenrings](img/betweenrings.png)\n\n## IDA PRO:\n\nEdit \"C:\\Program Files\\IDA Pro 7.7\\cfg\\dbg_bochs.cfg\"\n```\nBOCHSDBG = \"C:\\\\Users\\\\leno\\\\Desktop\\\\Bochs-pruebas\\\\bochs\\\\bochs.exe\";\nBOCHSRC = \"C:\\\\Users\\\\leno\\\\Desktop\\\\Bochs-pruebas\\\\bochs\\\\.bochsrc\";\n```\n\nGo to IDA .....\n\nDebugger -\u003e Run -\u003e Local Bochs Debugger\n\nApplication:\n```\nC:\\Users\\leno\\Desktop\\Bochs-pruebas\\bochs\\.bochsrc\n```\n\nClick Debug Options -\u003e Set specific options -\u003e Select Disk image\n\nin Host: Open IDA PRO, start a debug session and go to File -\u003e Script File \n\nSelect ida_load_names.py, this script asks you for bochs_syms_and_ida_names.txt \n\nDone!\n\n![names](img/mnames.png)\n\n# Segments \n\n**WARNING:** Only follow these steps if you need segments\n\nCopy dumpmodules.wds to Guest C:\\\n\nCreate the C:\\outfiles directory in Guest\n\nIn Guest: Install Windows debugging tools (windbg)\n\nIn Guest: install debug symbols\n\nIn Guest: execute windbg\n```\n\"C:\\Program Files\\Debugging Tools for Windows (x86)\\windbg.exe\"\n```\n\nGo to File -\u003e Kernel Debug -\u003e Local\n\nGo to File -\u003e Symbol File Path -\u003e Browse \n\nSelect your symbol path (for me it's C:\\winsymbols), Select Reload -\u003e OK\n\nList all processes in windbg with:\n```\n!process 0 0 \n\n...\n\nPROCESS 8982ec20  SessionId: 0  Cid: 056c    Peb: 7ffd7000  ParentCid: 0548\n    DirBase: 10a83000  ObjectTable: e18f4320  HandleCount: 237.\n    Image: explorer.exe\n\n...\n```\n\nAttach to explorer.exe with **.process /p /r** 8976e2d0 (it has a lot of user mode DLLs)\n```\n.process /p /r 8982ec20\n```\n\ntype: \n```\n.reload -a\n```\n\ntype:\n```\n.reload /f\n```\n\nExecute in windbg\n```\n$$\u003ea\u003cC:\\dumpmodules.wds C:\\outfiles\n```\n\nmove C:\\outfiles dir from 
Guest to Host\n\ntype in windbg\n```\n.cls\n```\n\ntype in windbg\n```\nlm vo\n```\n\nCreate a new file called windbg_lm_output.txt and paste **lm vo** output\n\nwindbg_lm_output.txt should look like:\n```\n806d0000 806f0300   hal        (pdb symbols)          c:\\winsymbols\\dll\\halaacpi.pdb\n    Loaded symbol image file: halaacpi.dll\n    Image path: halaacpi.dll\n    Image name: halaacpi.dll\n    Timestamp:        Sun Apr 13 11:31:27 2008 (4802517F)\n    CheckSum:         00024F17\n    ImageSize:        00020300\n    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4\nbf800000 bf9c2980   win32k     (pdb symbols)          c:\\winsymbols\\sys\\win32k.pdb\n    Loaded symbol image file: \\SystemRoot\\System32\\win32k.sys\n    Image path: \\SystemRoot\\System32\\win32k.sys\n...\n```\n\nmove windbg_lm_output.txt to Guest\n\n## In Host\n\nwith seg_helper.py, windbg_lm_output.txt and outfiles/ in same path, execute:\n```\nseg_helper.py windbg_lm_output.txt outfiles ida_segments.txt bochs_segments.txt\n```\n\n### bochs_segments.txt\n\nyou can use this file in Bochs debugger with ldsym global, example:\n\n```\nldsym global \"C:\\\\Users\\\\leno\\\\Desktop\\\\symseghelper\\\\bochs_segments.txt\"\n```\n\nIt can be useful to have segments + symbols together:\n```\ntype bochs_segments.txt \u003e bochs_syms_with_segments.txt\ntype bochs_syms_and_ida_names.txt \u003e\u003e bochs_syms_with_segments.txt\n```\n\nLoad segments + symbols in Bochs:\n```\nldsym global \"C:\\\\Users\\\\leno\\\\Desktop\\\\symseghelper\\\\bochs_syms_with_segments.txt\"\n```\n\nNow, when an instruction is outside a known segment, it is easy to see:\n\n![bochsend](img/bochsend.png)\n\n### ida_segments.txt\n\nin Host: Open IDA PRO, start a debug session and go to File -\u003e Script File \n\nSelect ida_load_segs.py, this script asks you for ida_segments.txt\n\ndone!\n\n![segments](img/segments.png)\n\n# Related\n\n- https://github.com/therealdreg/pdbdump_bochs\n- 
https://github.com/therealdreg/ida_bochs_windows\n- https://github.com/therealdreg/ida_vmware_windows_gdb\n- https://github.com/therealdreg/bochs_linux_kernel_debugging\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fsymseghelper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fsymseghelper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fsymseghelper/lists"}