Verifying the accuracy of SI symbols


Problem:

How can I be sure that the symbols I'm loading into SI actually match the image I am debugging?

Resolution:

  1. Make sure that the dates (time stamps) of the symbol file and the image file are approximately the same. Symbols generated from a different build of the module will not line up with the code you are debugging.
  2. If the symbols are for NTOSKRNL or HAL, issue the IDT command from within SI. If the symbols line up you'll see IDT entry 30 (hex) mapped to _HalClockInterrupt, and a whole series of _KiTrapXX and _KiUnexpectedInterruptXX ISRs mapped to the other IDT entries. If those entries resolve to nonsensical symbols, or to no symbol at all, the symbols do not match.
  3. Unassemble at a function or two that are likely to be short; Get*() APIs are good targets. For kernel32, GetCurrentThread() is an ideal target. With matching symbols you should see a few instructions followed by a RET for practically every such API. Additionally, many of the APIs you unassemble will begin with the PUSH EBP / MOV EBP, ESP frame-pointer prologue. If instead the unassembly starts in the middle of an instruction, shows no RET within a handful of instructions, or decodes into garbage, the symbol address is not landing on a function start and the symbols do not match the image.
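The following Python script is an added example and not part of this KB article or of SoftICE; it reproduces two of the checks above offline so they can be scripted rather than eyeballed. The first part reads the COFF TimeDateStamp out of a PE image for comparison with the symbol file's date (step 1); the symbol file's date is assumed to be supplied by the caller, for instance from the file's modification time, because the script does not parse SoftICE's symbol files. The second part walks the raw bytes at a supposed function start and reports whether they look like a short Get*()-style stub (step 3): optional PUSH EBP / MOV EBP,ESP prologue, a few instructions, then RET. The opcode subset, the one-day tolerance and the sample byte strings (a stub shaped like kernel32's GetCurrentThread, which returns the -2 pseudo-handle; a framed function; and a misaligned run of bytes) are all constructed here for illustration.

```python
import struct

# --- Check 1: image time stamp, to compare with the symbol file's date -------

def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970) of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp

def dates_roughly_match(image_stamp: int, symbol_stamp: int,
                        tolerance: int = 24 * 3600) -> bool:
    """'Approximately the same' date; the one-day tolerance is an assumption."""
    return abs(image_stamp - symbol_stamp) <= tolerance

def build_fake_pe(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header carrying only the fields read above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    # Machine=i386, 1 section, stamp, no symtab, opt-hdr size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x2102)
    return dos + b"PE\0\0" + coff

# --- Check 3: does the code at a symbol look like a real function start? -----

PROLOGUE = bytes([0x55, 0x8B, 0xEC])   # push ebp / mov ebp, esp
RET_OPCODES = {0xC3, 0xC2}             # ret / ret imm16

def _insn_len(code: bytes, i: int):
    """Length of the instruction at code[i] for the handful of x86 opcodes that
    make up short Get*() stubs; None if the byte is outside that subset."""
    op = code[i]
    nxt = code[i + 1] if i + 1 < len(code) else None
    if op in (0x55, 0x5D, 0xC9, 0x90):            # push ebp / pop ebp / leave / nop
        return 1
    if op == 0xB8:                                 # mov eax, imm32
        return 5
    if op == 0x64 and nxt == 0xA1:                 # mov eax, fs:[imm32] (TEB access)
        return 6
    if op == 0x8B and nxt == 0xEC:                 # mov ebp, esp
        return 2
    if op == 0x8B and nxt in (0x45, 0x4D, 0x55):   # mov eax/ecx/edx, [ebp+disp8]
        return 3
    return None

def function_profile(code: bytes, max_insns: int = 8) -> dict:
    """Walk from a supposed function start and report whether a RET is reached
    within max_insns decodable instructions, at which offset, and whether the
    code opened with the frame-pointer prologue. No RET, or an undecodable
    byte before one, is the 'symbols do not line up' signature."""
    prologue = code.startswith(PROLOGUE)
    i = n = 0
    while n < max_insns and i < len(code):
        if code[i] in RET_OPCODES:
            return {"prologue": prologue, "ret_at": i, "insns": n + 1}
        length = _insn_len(code, i)
        if length is None:
            return {"prologue": prologue, "ret_at": None, "insns": n,
                    "bad_byte_at": i}
        i += length
        n += 1
    return {"prologue": prologue, "ret_at": None, "insns": n}

def symbols_look_right(code: bytes) -> bool:
    return function_profile(code)["ret_at"] is not None

# Constructed samples: the bytes an unassembly at each symbol would show.
GET_CURRENT_THREAD = bytes.fromhex("B8FEFFFFFFC3")     # mov eax,-2 / ret
FRAME_FUNC = bytes.fromhex("558BEC8B45085DC3")          # push ebp / mov ebp,esp / mov eax,[ebp+8] / pop ebp / ret
MISALIGNED = bytes.fromhex("FF15001000003300")          # lands mid-instruction: not a function start

if __name__ == "__main__":
    image = build_fake_pe(0x3A4FC800)                   # constructed stamp
    print("image stamp:", pe_timestamp(image))
    for name, code in [("GetCurrentThread", GET_CURRENT_THREAD),
                       ("frame function", FRAME_FUNC),
                       ("misaligned", MISALIGNED)]:
        print(name, function_profile(code))
```

The byte walker is deliberately a heuristic, not a disassembler: it only knows the few opcodes that short Get*() stubs are built from, so anything else is reported as undecodable rather than guessed at. That bias is what you want for this check, since the question is only whether the symbol address lands on something that plausibly is a function start.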
Old KB# 11060