ufrisk / MemProcFS

GNU Affero General Public License v3.0

Is it possible to manually import symbol files into info.db? #144

Closed tomnewman86 closed 1 year ago

tomnewman86 commented 1 year ago

Hello,

I am currently using MemProcFS in an offline environment (Windows) and have already created the necessary symbol file for this particular memory dump whilst using other tools and would like to import this symbol file into info.db so I can continue analysis using MemProcFS.

Is it possible to do this? Or is there another approach I can take to achieve this that I'm missing?

Fantastic tool btw, takes memory analysis to the next level.

Thanks

Tom

ufrisk commented 1 year ago

I don't have the scripts I use for it in a production state right now.

If you're on Windows I'll include instructions on how to retrieve the necessary pdbs from Microsoft and where to place them in the file system though. At least for ntoskrnl, tcpip and ntdll. Would this be sufficient for your use case? I plan to release this at the end of the month.

If you're targeting the updates from this patch Tuesday (nov2022) I'll push symbol updates this evening. Symbols are usually lagging a bit after patch release.

tomnewman86 commented 1 year ago

Thanks for the quick response.

My current use case is for ntkrnlmp and was generated using the pdbconv python script. Instructions would be incredibly helpful going forward as we nearly always work in an offline environment, so we can continue to add new symbol files to info.db or place them where necessary.

I'll also ensure my version is fully up-to-date so I don't miss any of the updates.

Thank you.

ufrisk commented 1 year ago

Offline ntkrnlmp will be supported as well in the next version. It will use the raw pdb file and no conversions will be necessary.

Also, I've updated the info.db in the releases section with new offsets a few minutes ago.

I'll leave this issue open until I've completed the next release.

tomnewman86 commented 1 year ago

That's fantastic.

Thank you for this and the tool in general Ulf. Amazing work.

ufrisk commented 1 year ago

And huge thanks for sponsoring 💙

I'll let you know here once I release it, unfortunately it's a few weeks off though since it's tied in with some other more major changes.

ufrisk commented 1 year ago

Can you please try this on your new version. It will nag you if the symbols aren't found, similar to before, but this time you'll be able to see additional info if you use MemProcFS in verbose mode (-v flag), or, if you only wish to see the symbol download address: -loglevel symbol:4. Is it working for you with this?

tomnewman86 commented 1 year ago

Just tested it on my local workstation with the symbol server disabled and it works great!

MemProcFS output provided the address to download the pdb and where it needed to be saved. I had a bit of confusion with the directory naming convention as I placed the downloaded .blob file here -> ./ntkrnlmp.pdb//ntkrnlmp.pdb/*.blob which failed.

Renamed the .blob file to ntkrnlmp.pdb and moved it here -> ./ntkrnlmp.pdb//*.pdb and that sorted it.

Fantastic. Really looking forward to using this tool a lot more. It was a great help in a recent incident I worked and has generated some real interest amongst my team. Thanks very much.
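The placement problem described in the post above, as an added example that is not code from this thread or from MemProcFS: a small Python helper that derives the Microsoft symbol-store path (<name>.pdb/<GUID+age>/<name>.pdb) from a symbol-server download URL, checks that the downloaded file really is a PDB rather than an error page, and moves a file saved as .blob into place under the symbol directory. The URL and GUID are constructed placeholders, and the symbol directory location is assumed to be whatever MemProcFS reports in its output.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample URL; the GUID+age segment is a placeholder, not a real kernel build.
SAMPLE_URL = ("https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/"
              "0123456789ABCDEF0123456789ABCDEF1/ntkrnlmp.pdb")

# Symbol-store layout used by msdl.microsoft.com: <name>.pdb/<GUID><age>/<name>.pdb
_STORE_RE = re.compile(r"/([^/]+\.pdb)/([0-9A-Fa-f]{33,40})/([^/]+\.pdb)$")

# Every PDB produced by modern toolchains starts with this MSF 7.00 header.
PDB_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"


def store_path_from_url(url: str) -> Path:
    """Relative path the file must live at inside the local symbol directory."""
    m = _STORE_RE.search(url)
    if not m:
        raise ValueError(f"not a symbol-store URL: {url}")
    name, guid_age, filename = m.groups()
    if name.lower() != filename.lower():
        raise ValueError("directory and file name disagree")
    return Path(name, guid_age, filename)


def is_pdb(data: bytes) -> bool:
    """Reject the classic failure: an HTML error page saved under a .pdb name."""
    return data.startswith(PDB_MAGIC)


def place_symbol(url: str, downloaded: Path, symbol_dir: Path) -> Path:
    """Move a downloaded file (often saved as *.blob) to its store path and
    rename it <name>.pdb, refusing anything that is not actually a PDB."""
    if not is_pdb(downloaded.read_bytes()):
        raise ValueError(f"{downloaded} is not a PDB (bad magic)")
    dest = symbol_dir / store_path_from_url(url)
    dest.parent.mkdir(parents=True, exist_ok=True)
    downloaded.replace(dest)
    return dest


def demo() -> bool:
    """Round trip with a constructed PDB-like blob in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        blob = Path(tmp) / "download.blob"
        blob.write_bytes(PDB_MAGIC + b"\x00" * 64)  # constructed stand-in, not a real PDB
        dest = place_symbol(SAMPLE_URL, blob, Path(tmp) / "symbols")
        return dest.is_file() and dest.name == "ntkrnlmp.pdb" and not blob.exists()
```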

ufrisk commented 1 year ago

Thanks, and it makes me super glad my tool was helpful in this area.

If you're able to share the download url that would be a little bit helpful since I cache some of the symbols in the info.db file. And sometimes there are a few kernels missed. You could share this in private also if you wish, or no worries if you're not able to.

I'll be closing this issue now since it's resolved, but please let me know if you run into anything else you feel would need some improvement and I'll try to do my best to look into it.

tomnewman86 commented 1 year ago

If you're able to share the download url that would be a little bit helpful since I cache some of the symbols in the info.db file. And sometimes there are a few kernels missed. You could share this in private also if you wish, or no worries if you're not able to.

Please let me know a suitable place to send the urls to you. I'm sure me and the team will generate a fair few, so more than happy to keep sending them over as and when.

ufrisk commented 1 year ago

This is hugely appreciated. I try to update the info.db database at least once a month (usually like 2-3 days after patch Tuesday).

If you find additional downloads please email them to me at ulf.frisk@memsec.se (my project side company) or if you prefer Discord or Twitter the contact details are on the readme. Many thanks in advance.