symbolizer-rs

A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.

## Overview

[symbolizer-rs](https://github.com/0vercl0k/symbolizer-rs) is the successor of [symbolizer](https://github.com/0vercl0k/symbolizer): it is faster, better and runs on all major platforms.

It doesn't depend on [dbgeng](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-engine-api-overview) and downloads / parses PDB symbols on its own (thanks to the [pdb](https://github.com/getsentry/pdb) crate), unlike [symbolizer](https://github.com/0vercl0k/symbolizer), which depended on Microsoft's [dbgeng](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-engine-api-overview) for that.

[symbolizer-rs](https://github.com/0vercl0k/symbolizer-rs) allows you to transform raw execution traces (`0xfffff8053b9ca5c0`) into symbolized ones (`nt!KiPageFault+0x0`). In order to be able to do this, it needs a kernel crash-dump that contains the lists of user / kernel modules available as well as their PE headers, from which it extracts the PDB information necessary to download the symbols off Microsoft or any other symbol server. This tool was made originally to be paired with the [what the fuzz](https://github.com/0vercl0k/wtf) snapshot fuzzer but can be used by any similar tool.

Here is an example of a raw execution trace:

```text
0xfffff8053b9ca5c0
0xfffff8053b9ca5c1
0xfffff8053b9ca5c8
0xfffff8053b9ca5d0
0xfffff8053b9ca5d4
0xfffff8053b9ca5d8
0xfffff8053b9ca5dc
0xfffff8053b9ca5e0
```

...transformed into a fully symbolized trace:

```text
ntoskrnl.exe!KiPageFault+0x0
ntoskrnl.exe!KiPageFault+0x1
ntoskrnl.exe!KiPageFault+0x8
ntoskrnl.exe!KiPageFault+0x10
ntoskrnl.exe!KiPageFault+0x14
ntoskrnl.exe!KiPageFault+0x18
ntoskrnl.exe!KiPageFault+0x1c
ntoskrnl.exe!KiPageFault+0x20
```

Or into a `mod+offset` (*modoff*) trace to load it into [Lighthouse](https://github.com/gaasedelen/lighthouse) for code-coverage exploration:

```text
ntoskrnl.exe+0x1ca5c0
ntoskrnl.exe+0x1ca5c1
ntoskrnl.exe+0x1ca5c8
ntoskrnl.exe+0x1ca5d0
ntoskrnl.exe+0x1ca5d4
ntoskrnl.exe+0x1ca5d8
ntoskrnl.exe+0x1ca5dc
ntoskrnl.exe+0x1ca5e0
ntoskrnl.exe+0x1ca5e4
ntoskrnl.exe+0x1ca5e8
```

## Installation

- `cargo install symbolizer-rs`
- Build it yourself by cloning the repository with `git clone https://github.com/0vercl0k/symbolizer-rs.git` and building with `cargo build --release`.
- Prebuilt binaries are available in the [Releases](https://github.com/0vercl0k/symbolizer-rs/releases/) section.

### Batch mode

The batch mode is designed to symbolize an entire directory filled with execution traces.
You can turn on batch mode by simply specifying a directory for the `--trace` command line option and an output directory for the `--output` option.

![Batch mode](https://github.com/0vercl0k/symbolizer-rs/raw/main/pics/batch.webp)

### Single file mode

As opposed to batch mode, you can symbolize a single trace file by specifying a trace file path via the `--trace` command line option.

![Single mode](https://github.com/0vercl0k/symbolizer-rs/raw/main/pics/single.webp)

## Usage

```text
A fast execution trace symbolizer for Windows.

Usage: symbolizer-rs.exe [OPTIONS] --trace

Options:
  -t, --trace        Directory path full of traces or single input trace file
  -o, --output       Output directory where to write symbolized traces, a path to an output file, or empty for the output to go on stdout
  -c, --crash-dump   Path to the crash-dump to load. If not specified, an attempt is made to find a 'state/mem.dmp' file in the same directory than the trace file
  -s, --skip         Skip a number of lines [default: 0]
  -m, --max          The maximum amount of lines to process per file [default: 20000000]
      --style
```
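As an added illustration (not symbolizer-rs's own code), here is a minimal version of the lookup the README describes: raw trace addresses are resolved against a module table into the two output forms shown above, with addresses outside every module passed through unchanged. The module table is constructed inline rather than read from a crash-dump; the ntoskrnl.exe base follows from the README's `0xfffff8053b9ca5c0 == ntoskrnl.exe+0x1ca5c0`, while its size and the one-entry symbol table are assumptions.

```rust
use std::collections::BTreeMap;

/// A loaded module as recovered from a crash-dump's module list.
pub struct Module {
    pub name: &'static str,
    pub base: u64,
    pub size: u64,
    pub symbols: BTreeMap<u64, &'static str>, // module-relative offset -> name
}

#[derive(Clone, Copy)]
pub enum Style { Modoff, Full } // `module+off` vs `module!symbol+off`

/// Resolve one raw address; `None` when no module in the table covers it.
pub fn symbolize(modules: &BTreeMap<u64, Module>, addr: u64, style: Style) -> Option<String> {
    // Candidate is the module with the greatest base <= addr; then bounds-check it.
    let (_, m) = modules.range(..=addr).next_back()?;
    if addr >= m.base.checked_add(m.size)? {
        return None;
    }
    let off = addr - m.base;
    match style {
        Style::Modoff => Some(format!("{}+{:#x}", m.name, off)),
        // Nearest symbol at or below the offset; a module without symbols
        // (e.g. no PDB could be fetched) degrades to the modoff form.
        Style::Full => Some(match m.symbols.range(..=off).next_back() {
            Some((s_off, s)) => format!("{}!{}+{:#x}", m.name, s, off - *s_off),
            None => format!("{}+{:#x}", m.name, off),
        }),
    }
}

/// Symbolize a whole trace (one `0x...` address per line). Unresolvable
/// lines are passed through unchanged so output stays line-aligned with input.
pub fn symbolize_trace(modules: &BTreeMap<u64, Module>, trace: &str, style: Style) -> Vec<String> {
    trace.lines().map(str::trim).filter(|l| !l.is_empty()).map(|l| {
        u64::from_str_radix(l.trim_start_matches("0x"), 16).ok()
            .and_then(|a| symbolize(modules, a, style))
            .unwrap_or_else(|| l.to_string())
    }).collect()
}

/// Constructed module table. The ntoskrnl.exe base follows from the README's
/// 0xfffff8053b9ca5c0 == ntoskrnl.exe+0x1ca5c0; the size is an assumed value.
pub fn sample_modules() -> BTreeMap<u64, Module> {
    let symbols = BTreeMap::from([(0x1ca5c0u64, "KiPageFault")]);
    let m = Module { name: "ntoskrnl.exe", base: 0xfffff8053b800000, size: 0x1000000, symbols };
    BTreeMap::from([(m.base, m)])
}
```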