Is it possible to add missing symbols to public symbols in a windbg debugging session?
I am trying to see the IMAGE_DOS_HEADER structure using the 'dt' command in windbg:
0:001> dt ntdll!IMAGE_DOS_HEADER
Symbol ntdll!IMAGE_DOS_HEADER not found
I searched and found that others have been able to do this: MSDN Blogs > Junyoung's Blog > Portable Executable File Format on Memory Dump
0:000> dt IMAGE_DOS_HEADER 77c00000
ntdll!IMAGE_DOS_HEADER
   +0x000 e_magic          : 0x5a4d ? MZ
   +0x002 e_cblp           : 0x90
   +0x004 e_cp             : 3
   +0x006 e_crlc           : 0
   +0x008 e_cparhdr        : 4
   +0x00a e_minalloc       : 0
   +0x00c e_maxalloc       : 0xffff
   +0x00e e_ss             : 0
   +0x010 e_sp             : 0xb8
   +0x012 e_csum           : 0
   +0x014 e_ip             : 0
   +0x016 e_cs             : 0
   +0x018 e_lfarlc         : 0x40
   +0x01a e_ovno           : 0
   +0x01c e_res            : [4] 0
   +0x024 e_oemid          : 0
   +0x026 e_oeminfo        : 0
   +0x028 e_res2           : [10] 0
   +0x03c e_lfanew         : 232
Is it possible to add the missing symbol to public symbols of ntdll so that I can access the data structure fields in a windbg debugging session?
This is really weird - I tried the following and got different results on Win7 and WinXP systems.
WinXP:
0:015> dt ntdll!*HEADER*
          ntdll!_IMAGE_NT_HEADERS
          ntdll!_IMAGE_FILE_HEADER
          ntdll!_IMAGE_OPTIONAL_HEADER
          ntdll!_SLIST_HEADER
          ntdll!_DISPATCHER_HEADER
          ntdll!_IMAGE_SECTION_HEADER
Win7:
0:000> dt ntdll!*HEADER*
          ntdll!_IMAGE_NT_HEADERS
          ntdll!_IMAGE_FILE_HEADER
          ntdll!_IMAGE_OPTIONAL_HEADER
          ntdll!_IMAGE_DOS_HEADER
          ntdll!_SLIST_HEADER
          ntdll!_DISPATCHER_HEADER
          ntdll!_MM_PAGE_ACCESS_INFO_HEADER
          ntdll!_WHEA_ERROR_RECORD_HEADER
          ntdll!_HEAP_USERDATA_HEADER
          ntdll!_HEAP_USERDATA_HEADER
          ntdll!_WHEA_ERROR_RECORD_HEADER_VALIDBITS
          ntdll!_WHEA_ERROR_RECORD_HEADER_FLAGS
          ntdll!_XSAVE_AREA_HEADER
So it seems that the _IMAGE_DOS_HEADER symbol is stripped from the public symbols of WinXP's ntdll.dll. My question remains: how can I add the symbol, if I know the structure, to the public symbols of a DLL I don't have the sources for?
Solution 1:[1]
This happens, and it can be quite frustrating actually (though they've done a good job cleaning a lot of these up).
You can add types to existing PDBs, though it requires that you have the Visual C compiler available (either from Visual Studio or the WDK). I outline the steps in my response here:
http://www.osronline.com/showthread.cfm?link=193747
We're using the kernel there, though you have the same steps. The differences will be:
1) Look for ntdll instead of nt
2) You'll need to write a C file with the definition of the structure that you want.
-scott
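As an added illustration of step 2 (not code from the original answer or from the OSR thread it links), here is what the C definition of the missing structure looks like, with the field layout taken from the dt output quoted in the question, together with a bounds-checked reader that walks from the DOS header to the NT headers the way the debugger does at 77c00000 -> +0x3c -> e_lfanew. The struct uses stdint types instead of winnt.h's WORD/LONG so it compiles outside Windows; the sample image bytes are constructed for this example and only mirror the values shown above, and the reader assumes a little-endian host.

```c
/* Added example: IMAGE_DOS_HEADER as it would be written for the C file in
 * step 2, plus a checked walk to the NT headers. Not from the original post. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _IMAGE_DOS_HEADER {
    uint16_t e_magic;      /* +0x000 "MZ"                               */
    uint16_t e_cblp;       /* +0x002                                    */
    uint16_t e_cp;         /* +0x004                                    */
    uint16_t e_crlc;       /* +0x006                                    */
    uint16_t e_cparhdr;    /* +0x008                                    */
    uint16_t e_minalloc;   /* +0x00a                                    */
    uint16_t e_maxalloc;   /* +0x00c                                    */
    uint16_t e_ss;         /* +0x00e                                    */
    uint16_t e_sp;         /* +0x010                                    */
    uint16_t e_csum;       /* +0x012                                    */
    uint16_t e_ip;         /* +0x014                                    */
    uint16_t e_cs;         /* +0x016                                    */
    uint16_t e_lfarlc;     /* +0x018                                    */
    uint16_t e_ovno;       /* +0x01a                                    */
    uint16_t e_res[4];     /* +0x01c                                    */
    uint16_t e_oemid;      /* +0x024                                    */
    uint16_t e_oeminfo;    /* +0x026                                    */
    uint16_t e_res2[10];   /* +0x028                                    */
    int32_t  e_lfanew;     /* +0x03c file offset of IMAGE_NT_HEADERS    */
} IMAGE_DOS_HEADER;

#define IMAGE_DOS_SIGNATURE 0x5A4Du     /* "MZ" read little-endian   */
#define IMAGE_NT_SIGNATURE  0x00004550u /* "PE\0\0" read little-endian */

/* Runtime check that this definition reproduces the offsets dt printed. */
int dos_header_layout_matches_dt(void)
{
    return offsetof(IMAGE_DOS_HEADER, e_magic)  == 0x000
        && offsetof(IMAGE_DOS_HEADER, e_res)    == 0x01c
        && offsetof(IMAGE_DOS_HEADER, e_oemid)  == 0x024
        && offsetof(IMAGE_DOS_HEADER, e_res2)   == 0x028
        && offsetof(IMAGE_DOS_HEADER, e_lfanew) == 0x03c
        && sizeof(IMAGE_DOS_HEADER)             == 0x40;
}

enum pe_status { PE_OK = 0, PE_TOO_SHORT, PE_BAD_MZ, PE_BAD_LFANEW, PE_BAD_PE };

/* Locates the NT headers in a mapped image of `len` bytes. Every step is
 * bounds-checked: e_lfanew is signed in winnt.h and attacker-controlled in a
 * file, so it is rejected when negative or past the end before being used. */
enum pe_status pe_locate_nt_headers(const uint8_t *image, size_t len, uint32_t *nt_off)
{
    IMAGE_DOS_HEADER dos;
    uint32_t sig;

    if (len < sizeof dos)
        return PE_TOO_SHORT;
    memcpy(&dos, image, sizeof dos);              /* alignment-safe copy */
    if (dos.e_magic != IMAGE_DOS_SIGNATURE)
        return PE_BAD_MZ;
    if (dos.e_lfanew < 0 || (size_t)dos.e_lfanew > len - sizeof sig)
        return PE_BAD_LFANEW;
    memcpy(&sig, image + dos.e_lfanew, sizeof sig);
    if (sig != IMAGE_NT_SIGNATURE)
        return PE_BAD_PE;                         /* only the signature is checked here */
    *nt_off = (uint32_t)dos.e_lfanew;
    return PE_OK;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

#define SAMPLE_IMAGE_SIZE 0x100

/* Constructed sample: an MZ stub carrying the field values the dt output above
 * shows for ntdll, followed by "PE\0\0" at e_lfanew (232 = 0xe8). */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    if (cap < SAMPLE_IMAGE_SIZE)
        return 0;
    memset(buf, 0, SAMPLE_IMAGE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';      /* e_magic 0x5a4d */
    put16(buf + 0x02, 0x90);         /* e_cblp */
    put16(buf + 0x04, 3);            /* e_cp */
    put16(buf + 0x08, 4);            /* e_cparhdr */
    put16(buf + 0x0c, 0xffff);       /* e_maxalloc */
    put16(buf + 0x10, 0xb8);         /* e_sp */
    put16(buf + 0x18, 0x40);         /* e_lfarlc */
    put32(buf + 0x3c, 232);          /* e_lfanew */
    memcpy(buf + 232, "PE\0\0", 4);  /* IMAGE_NT_HEADERS.Signature */
    return SAMPLE_IMAGE_SIZE;
}

int main(void)
{
    uint8_t img[SAMPLE_IMAGE_SIZE];
    uint32_t nt = 0;
    build_sample_image(img, sizeof img);
    enum pe_status st = pe_locate_nt_headers(img, sizeof img, &nt);
    printf("layout matches dt: %d, status: %d, e_lfanew: %u\n",
           dos_header_layout_matches_dt(), st, nt);
    return st == PE_OK ? 0 : 1;
}
```

Until the type is in a loaded PDB, the same walk can be done by hand in the debugger: `dd 77c00000+3c L1` prints e_lfanew, and `dt ntdll!_IMAGE_NT_HEADERS 77c00000+poi(77c00000+3c)` formats the NT headers with a type that both the WinXP and Win7 listings above do include. Whatever PDB you compile the definition into, the offsets have to match the real layout exactly; the `dos_header_layout_matches_dt` check is the cheapest way to catch a padding or type-width mistake before trusting `dt` output built on it.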
Solution 2:[2]
You can also check this thread; it shows how to add types to
post # 21
Solution 3:[3]
They're not missing; you just don't have your symbol path configured. Check the following Microsoft KB; if that doesn't work, you may have an odder problem.
One way to make sure you're debugging with symbols is the lm command. The output without debug symbols is likely to look like this:
lm
start    end        module name
01000000 01014000   notepad    (no symbols)
74720000 7476b000   MSCTF      (export symbols)    C:\WINDOWS\system32\MSCTF.dl
While the output for lm with debug symbols will be:
lm
start    end        module name
01000000 01014000   notepad    (pdb symbols)       e:\LocalSymbols\notepad.pdb\15800B8231AF4FDE85232D42B267D3E51\notepad.pdb
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | snoone |
| Solution 2 | blab |
| Solution 3 | Daniel Goldberg |
