Lib.rs

Parser implementations
#pdb #symbols #kernel #windows #read-memory #crash-dump

addr-symbolizer

A KISS Rust crate to symbolize function addresses using Windows PDB files

by Axel Souchet

1 unstable release

new 0.1.0 Oct 17, 2024

#855 in Parser implementations

Download history 165/week @ 2024-10-14

165 downloads per month
Used in symbolizer-rs

MIT license

90KB
2K SLoC

addr-symbolizer-rs

A KISS Rust crate to symbolize function addresses using Windows PDB files

Overview

addr-symbolizer-rs allows you to symbolize (0xfffff8053b9ca5c0 -> nt!KiPageFault+0x0) function addresses (from an execution trace for example); it is the crate that powers symbolizer-rs. Here is an example of a raw execution trace..:

0xfffff8053b9ca5c0
0xfffff8053b9ca5c1
0xfffff8053b9ca5c8
0xfffff8053b9ca5d0
0xfffff8053b9ca5d4
0xfffff8053b9ca5d8
0xfffff8053b9ca5dc
0xfffff8053b9ca5e0

..transformed into a full symbolized trace:

ntoskrnl.exe!KiPageFault+0x0
ntoskrnl.exe!KiPageFault+0x1
ntoskrnl.exe!KiPageFault+0x8
ntoskrnl.exe!KiPageFault+0x10
ntoskrnl.exe!KiPageFault+0x14
ntoskrnl.exe!KiPageFault+0x18
ntoskrnl.exe!KiPageFault+0x1c
ntoskrnl.exe!KiPageFault+0x20

It needs to know where modules (user & kernel) are in memory and how to read that memory. With those in hands, it is able to parse PE files, read the Export Address Table, extract the PDB identifier (if possible), attempt to download the PDB file from a symbol server, store it into a symbol cache and finally parse it to extract function boundaries.

Authors

Contributors

contributors-img

Dependencies

~11–19MB
~365K SLoC