Hi everyone,
So I have a situation where I need to transfer .PDB files over to an airgapped test machine. I found from here that you can use symchk /om to first create a manifest file, and then symchk /im to download the corresponding .PDB files.
However, it seems that whenever I try to follow the following guide from OSR, I always get the following output:
```
C:\Users\Maxim\Documents\w10>symchk /om manifest.w10 /ie ntoskrnl.exe /s c:\users\Maxim\Documents\w10\empty
SYMCHK: ntoskrnl.exe FAILED - ntkrnlmp.pdb mismatched or not found
SYMCHK: hal.dll FAILED - hal.pdb mismatched or not found
SYMCHK: kd.dll FAILED - kd.pdb mismatched or not found
SYMCHK: mcupdate_AuthenticAMD.dll FAILED - mcupdate_AuthenticAMD.pdb mismatched or not found
SYMCHK: msrpc.sys FAILED - msrpc.pdb mismatched or not found
SYMCHK: ksecdd.sys FAILED - ksecdd.pdb mismatched or not found
SYMCHK: werkernel.sys FAILED - WerKernel.pdb mismatched or not found
SYMCHK: clfs.sys FAILED - clfs.pdb mismatched or not found
SYMCHK: tm.sys FAILED - tm.pdb mismatched or not found
SYMCHK: PSHED.DLL FAILED - pshed.pdb mismatched or not found
...
SYMCHK: FAILED files = 195
SYMCHK: PASSED + IGNORED files = 0
```
The manifest looks like this:
```
C:\Users\Maxim\Documents\w10>type manifest.w10
ntoskrnl.exe,00,2
hal.dll,00,2
kd.dll,00,2
mcupdate_AuthenticAMD.dll,00,2
msrpc.sys,00,2
ksecdd.sys,00,2
werkernel.sys,00,2
clfs.sys,00,2
tm.sys,00,2
PSHED.DLL,00,2
...
```
Consequently when I try to then fetch the files, I get symchk complaining:
```
C:\Users\Maxim\Documents\w10>symchk /im manifest.w10 /s SRV*c:\users\Maxim\Documents\w10\empty*http://msdl.microsoft.com/download/symbols
SYMCHK: ntoskrnl.exe ERROR - Unable to download file. Error reported was 2
SYMCHK: hal.dll ERROR - Unable to download file. Error reported was 2
SYMCHK: kd.dll ERROR - Unable to download file. Error reported was 2
SYMCHK: mcupdate_AuthenticAMD.dll ERROR - Unable to download file. Error reported was 2
SYMCHK: msrpc.sys ERROR - Unable to download file. Error reported was 2
SYMCHK: ksecdd.sys ERROR - Unable to download file. Error reported was 2
SYMCHK: werkernel.sys ERROR - Unable to download file. Error reported was 2
SYMCHK: clfs.sys ERROR - Unable to download file. Error reported was 2
SYMCHK: tm.sys ERROR - Unable to download file. Error reported was 2
SYMCHK: PSHED.DLL ERROR - Unable to download file. Error reported was 2
...
```
Could someone suggest as to what mistake I'm making? The zeroes in the manifest file look rather suspicious, because I tried with an older tool on Win XP, and evidently that's where the checksum is supposed to go.
Comments
If the machine is airgapped, how can it download the symbols from the manifest?
If you have run windbg and loaded symbols on a networked machine, why not just copy the whole symbol directory over to a USB drive and transfer it to the airgapped machine?
Tim Roberts, [email protected]
Software Wizard Emeritus
Well, I've got three machines: A, B, and C. A is connected to network, B and C are not. Machine B is my development machine, on which I want to launch WinDbg... and attach to machine C, the test machine.
I want to get PDBs that correspond to the binaries running on C, and then have them available to machine B so that I get sane view in WinDbg.
So I want to retrieve a list of PDBs that correspond to the binaries running on C. I believe symchk does that by giving me a manifest. I then get that manifest onto machine A via USB stick, and fetch those exact PDBs. Then I copy them over to machine B for WinDbg.
I can reproduce this behavior and SymChk is definitely broken. If you turn on verbose logging it's coming up with a PDB signature value of zero and that's not helpful... Worst part is that it does get the value correctly earlier in the output, but when it outputs the summary it shows zero.
The bug appears to be in symbolcheck.dll. In the name of science I grabbed a much older copy of that DLL from the Win7 SP1 WDK and replaced the one in the latest installation. Now when I run the command line I get proper manifest output. For example:
That might be a temporary workaround until this is fixed.
-scott
OSR
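
A check that could be run on a manifest before carrying it from the test machine to the networked one, so a manifest hit by the zero-signature problem described in this thread is caught early. This is an added example, not code from the thread or from OSR; it assumes only the layout visible in the posted manifest (three comma-separated fields per line, the second being the identifier that comes out as zeros), and the sample data is constructed.

```python
import re

# Constructed sample: the first two lines copy the broken form shown in the
# thread; the third uses a made-up non-zero identifier for contrast.
SAMPLE_MANIFEST = """\
ntoskrnl.exe,00,2
hal.dll,00,2
example.sys,0123ABCD4567,2
"""

def parse_manifest(text):
    """Yield (line_no, name, identifier, third_field) for each entry.

    Assumes the three-field, comma-separated layout visible in the thread;
    the third field is carried through without being interpreted.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"line {line_no}: unexpected layout: {raw!r}")
        yield line_no, parts[0], parts[1], parts[2]

def zeroed_entries(text):
    """Return names whose identifier is empty or consists only of zeros."""
    return [name for _, name, ident, _ in parse_manifest(text)
            if not ident or re.fullmatch(r"0+", ident)]

def manifest_usable(text):
    """True only if there is at least one entry and none is zeroed."""
    entries = list(parse_manifest(text))
    return bool(entries) and not zeroed_entries(text)

if __name__ == "__main__":
    import sys
    # With a path argument, check that manifest; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    bad = zeroed_entries(text)
    for name in bad:
        print(f"zero identifier: {name}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one entry carries a zero identifier and the manifest should be regenerated before it is used for the download step.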