mstange / pdb-addr2line

A Rust crate to symbolicate addresses from PDBs, like addr2line. Uses the `pdb` crate.
https://docs.rs/pdb-addr2line
Apache License 2.0

Potentially missing kernel symbols #43

Closed mstange closed 3 years ago

mstange commented 3 years ago
```
% curl -o ntkrnlmp.pdb -L "https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/1B4A6F5E0766C552C90710C8ACC0295C1/ntkrnlmp.pdb"
% pdb-addr2line -fC -e ntkrnlmp.pdb 0x408b9a 0x408bc7
```

In this PDB file, pdb-addr2line does not seem to find the functions KiSystemServiceCopyEnd or KiSystemServiceExit. According to the pdb_symbols example in the pdb repo, these two functions are global symbols in section 8, with section internal offsets 208b90 and 208bc0.

mstange commented 3 years ago

For some reason, these symbols have function: false set on them.

```
[src/lib.rs:291] symbol.parse() = Ok(
    Public(
        PublicSymbol {
            code: false,
            function: false,
            managed: false,
            msil: false,
            offset: PdbInternalSectionOffset {
                section: 0x8,
                offset: 0x208b90,
            },
            name: RawString("KiSystemServiceCopyEnd"),
        },
    ),
)
```

I'm not sure what that means. Maybe we can just include all public symbols, regardless of whether they're marked as function symbols.

@jrmuizel

jrmuizel commented 3 years ago

These symbols probably come from code written in assembly. It seems reasonable to include them.

mstange commented 3 years ago

Fixed in 0.7.0. I ended up only including non-function public symbols which are in executable sections.
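
The selection rule described in this thread, as an added example that is not pdb-addr2line's own code and is not part of any comment above: a public symbol is kept if it is flagged as a function or if it sits in an executable section. Assumptions: the plain structs stand in for the `pdb` crate's types, "executable" is taken to mean the PE `IMAGE_SCN_MEM_EXECUTE` characteristic, section 8's RVA of 0x200000 is inferred from the queried address 0x408b9a against offset 0x208b90, and all other sections and `ExampleDataSymbol` are constructed.

```rust
const IMAGE_SCN_MEM_EXECUTE: u32 = 0x2000_0000; // PE section characteristic
// Hypothetical stand-ins for the `pdb` crate's section header and public symbol.
struct Section { virtual_address: u32, characteristics: u32 }
struct PublicSym { name: &'static str, function: bool, section: u16, offset: u32 }

/// Sorted (rva, name) table. A public symbol is kept when it is flagged as a
/// function OR it lives in an executable section (assumed check, see lead-in).
fn build_table(sections: &[Section], syms: &[PublicSym]) -> Vec<(u32, &'static str)> {
    let mut table: Vec<(u32, &'static str)> = syms
        .iter()
        .filter_map(|s| {
            // Section indices are 1-based; 0 or out-of-range entries are dropped.
            let sec = sections.get((s.section as usize).checked_sub(1)?)?;
            let executable = sec.characteristics & IMAGE_SCN_MEM_EXECUTE != 0;
            if !(s.function || executable) { return None; }
            Some((sec.virtual_address.checked_add(s.offset)?, s.name))
        })
        .collect();
    table.sort();
    table
}

/// Nearest symbol starting at or below `rva`; None if `rva` precedes them all.
fn lookup(table: &[(u32, &'static str)], rva: u32) -> Option<&'static str> {
    let idx = table.partition_point(|&(start, _)| start <= rva);
    idx.checked_sub(1).map(|i| table[i].1)
}

/// Constructed input: section 8 is executable at RVA 0x200000, section 9 is data.
fn sample() -> (Vec<Section>, Vec<PublicSym>) {
    let mut sections: Vec<Section> = (0..7u32)
        .map(|i| Section { virtual_address: 0x1000 * (i + 1), characteristics: 0x4000_0040 })
        .collect();
    sections.push(Section { virtual_address: 0x20_0000, characteristics: 0x6000_0020 });
    sections.push(Section { virtual_address: 0xC0_0000, characteristics: 0xC000_0040 });
    let syms = vec![
        PublicSym { name: "KiSystemServiceCopyEnd", function: false, section: 8, offset: 0x20_8b90 },
        PublicSym { name: "KiSystemServiceExit", function: false, section: 8, offset: 0x20_8bc0 },
        PublicSym { name: "ExampleDataSymbol", function: false, section: 9, offset: 0x10 },
    ];
    (sections, syms)
}

fn main() {
    let (sections, syms) = sample();
    let table = build_table(&sections, &syms);
    for rva in [0x40_8b9a_u32, 0x40_8bc7] {
        println!("{:#x} -> {:?}", rva, lookup(&table, rva));
    }
}
```

Because public symbols carry no size, `lookup` attributes an address to the nearest preceding symbol, so an address past the end of the last kept symbol's code is still reported under that name.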