addr-symbolizer

Crates.io: addr-symbolizer
lib.rs: addr-symbolizer
version: 0.1.0
source: src
created_at: 2024-10-17 12:18:53.966193
updated_at: 2024-10-17 12:18:53.966193
description: A KISS Rust crate to symbolize function addresses using Windows PDB files.
repository: https://github.com/0vercl0k/addr-symbolizer-rs
id: 1413004
size: 125,672
Axel Souchet (0vercl0k)

README

addr-symbolizer-rs

A KISS Rust crate to symbolize function addresses using Windows PDB files

Overview

addr-symbolizer-rs allows you to symbolize function addresses (0xfffff8053b9ca5c0 -> nt!KiPageFault+0x0), for example from an execution trace; it is the crate that powers symbolizer-rs. Here is an example of a raw execution trace:

0xfffff8053b9ca5c0
0xfffff8053b9ca5c1
0xfffff8053b9ca5c8
0xfffff8053b9ca5d0
0xfffff8053b9ca5d4
0xfffff8053b9ca5d8
0xfffff8053b9ca5dc
0xfffff8053b9ca5e0

...transformed into a fully symbolized trace:

ntoskrnl.exe!KiPageFault+0x0
ntoskrnl.exe!KiPageFault+0x1
ntoskrnl.exe!KiPageFault+0x8
ntoskrnl.exe!KiPageFault+0x10
ntoskrnl.exe!KiPageFault+0x14
ntoskrnl.exe!KiPageFault+0x18
ntoskrnl.exe!KiPageFault+0x1c
ntoskrnl.exe!KiPageFault+0x20

It needs to know where modules (user & kernel) are in memory and how to read that memory. With those in hand, it is able to parse PE files, read the Export Address Table, extract the PDB identifier (if possible), attempt to download the PDB file from a symbol server, store it in a symbol cache and finally parse it to extract function boundaries.
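The last step of that pipeline, turning an address into `module!function+offset` once module ranges and function boundaries are known, can be sketched as follows. This is an added example, not the crate's API or code: the `Module` type, `symbolize`, the module base, the module size and the function table are all constructed for illustration, and it also covers the two fallback cases (an address outside every module, and an address inside a module but outside any known function).

```rust
// Added illustration; not the addr-symbolizer API. All names and values are constructed.
struct Module {
    name: &'static str,
    base: u64,
    size: u64,
    // (start RVA, end RVA exclusive, function name), sorted by start RVA.
    funcs: Vec<(u32, u32, &'static str)>,
}

fn symbolize(modules: &[Module], addr: u64) -> String {
    // Find the module whose [base, base + size) range contains the address.
    let Some(m) = modules.iter().find(|m| addr >= m.base && addr - m.base < m.size) else {
        return format!("{addr:#x}"); // unknown memory: keep the raw address
    };
    let rva = (addr - m.base) as u32;
    // Count the functions starting at or before `rva`; the candidate is the last of them.
    let idx = m.funcs.partition_point(|f| f.0 <= rva);
    match idx.checked_sub(1).map(|i| &m.funcs[i]) {
        Some(&(start, end, name)) if rva < end => {
            format!("{}!{}+{:#x}", m.name, name, rva - start)
        }
        // In a module, but in a gap between known functions.
        _ => format!("{}+{:#x}", m.name, rva),
    }
}

fn sample_modules() -> Vec<Module> {
    vec![Module {
        name: "ntoskrnl.exe",
        base: 0xfffff8053b600000, // constructed load address
        size: 0x1000000,          // constructed image size
        funcs: vec![
            (0x3ca000, 0x3ca100, "HypotheticalFunc"), // constructed entry
            (0x3ca5c0, 0x3ca9c0, "KiPageFault"),      // constructed boundaries
        ],
    }]
}

fn main() {
    let mods = sample_modules();
    for addr in [0xfffff8053b9ca5c0u64, 0xfffff8053b9ca5d4, 0xfffff8053b9ca200, 0x7ff600001000] {
        println!("{:#x} -> {}", addr, symbolize(&mods, addr));
    }
}
```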

Authors

Contributors

Commit count: 32