
Symbols

Tobias Neitzel edited this page Sep 10, 2023 · 3 revisions

rpv-web uses two sources for resolving symbols. The first source is the rpv symbol file, a TOML formatted file that contains symbol information (interface names, method notes and function names). The second source is regular PDB files, e.g. the ones created by Visual Studio.

rpv Symbol File

When adding symbols within the graphical user interface of rpv-web, the symbol information is only kept temporarily in the state of the web application. Before quitting the application, you should therefore either sync your symbols with the rpv-web executable (if not running in offline mode) or export the symbol file. Both can be done from the settings menu.


The rpv-web executable attempts to read an rpv symbol file (rpv-web-symbols.toml) from the current working directory at startup. When syncing symbols from the web interface, all your changes are sent to the rpv-web executable. If no rpv symbol file was found during startup, it is created at this point and all your symbols are saved to it. If a file was already present during startup, your symbols are merged with the existing ones.

When running in offline mode (or when you just do not want to sync symbols), you can also export them by saving the symbol file locally. The following listing shows an example of an rpv symbol file. Each table is either an interface UUID or a module path; within an interface table, name and notes describe the interface and numeric keys are opnums, while within a module table the keys are hex addresses that map to function or callback names:

[12345778-1234-abcd-ef00-0123456789ab]
name='''SuperSecureInterface'''
notes='''This interface is super secure.'''
1='''This method is secure.'''
2='''This method may be vulnerable.'''

[ace1c026-8b3f-4711-8918-f345d17f5bff]
name='''NotSoSecureInterface'''
0='''This method should be vulnerable'''

['C:\Windows\System32\lsasrv.dll']
0x2626acfaad0='''SuperSecureCallback'''
0x2626acfad70='''SuperSecureCallback'''
0x7ffff0195e10='''CredrRename'''
0x7ffff0160900='''LsaClose'''
0x1d77d6ffd70='''SuperSecureCallback'''
0x1d77d6ffad0='''InsecureCallback'''
0x7ffff0254790='''updatePrivateData'''
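The listing above is plain TOML, so it can be handled with a standard TOML parser. The following Python script is an added example and not code from rpv-web: it parses a symbol file, merges a second file into it the way a sync merges web symbols into an existing file, looks up an opnum and an address, and writes the result back in the listing's layout. The sample data is constructed from the listing, and the merge rule (an incoming entry replaces an existing entry with the same key, everything else is kept) is an assumption, since the page does not state the precedence rpv-web applies.

```python
"""Read, merge, query and write rpv symbol files (the TOML format shown above)."""
import json
import re

try:
    import tomllib                      # Python 3.11+
except ImportError:                     # pragma: no cover
    import tomli as tomllib             # pip install tomli on older interpreters

# Constructed sample data in the listing's format (not a file shipped with rpv-web).
EXISTING_SYMBOLS = r"""[12345778-1234-abcd-ef00-0123456789ab]
name='''SuperSecureInterface'''
notes='''This interface is super secure.'''
1='''This method is secure.'''
2='''This method may be vulnerable.'''

['C:\Windows\System32\lsasrv.dll']
0x7ffff0195e10='''CredrRename'''
"""

# Symbols added in the web interface and synced back to the executable (constructed).
SYNCED_SYMBOLS = r"""[12345778-1234-abcd-ef00-0123456789ab]
2='''Confirmed vulnerable after testing.'''
3='''Newly named method.'''

['C:\Windows\System32\lsasrv.dll']
0x7ffff0160900='''LsaClose'''
"""

_BARE_KEY = re.compile(r"^[A-Za-z0-9_-]+$")   # TOML bare-key alphabet (UUIDs, opnums, hex addresses)


def parse_symbol_file(text: str) -> dict[str, dict[str, str]]:
    """Parse an rpv symbol file into {table: {key: value}}.

    Tables are interface UUIDs or module paths; keys are 'name', 'notes',
    decimal opnums or hex addresses. tomllib hands all keys back as strings.
    """
    symbols = {}
    for table, entries in tomllib.loads(text).items():
        if not isinstance(entries, dict):
            raise ValueError(f"top-level key {table!r} is not a table")
        for key, value in entries.items():
            if not isinstance(value, str):
                raise ValueError(f"{table}.{key} must be a string, got {type(value).__name__}")
        symbols[table] = dict(entries)
    return symbols


def merge_symbols(existing, incoming):
    """Merge synced symbols into an existing file.

    Assumed rule (not stated on the page): an incoming entry replaces an
    existing entry with the same key; all other entries are kept.
    """
    merged = {table: dict(entries) for table, entries in existing.items()}
    for table, entries in incoming.items():
        merged.setdefault(table, {}).update(entries)
    return merged


def _toml_key(key: str) -> str:
    if _BARE_KEY.match(key):
        return key                  # UUID, opnum or 0x... address: bare key
    if "'" not in key and "\n" not in key:
        return f"'{key}'"           # literal string: backslashes in module paths stay as-is
    return json.dumps(key)          # basic string with escapes as a last resort


def _toml_value(value: str) -> str:
    if "'''" not in value:
        return f"'''{value}'''"     # multi-line literal string, as in the listing
    return json.dumps(value)


def dump_symbol_file(symbols) -> str:
    """Serialize to the listing's layout: name and notes first, then opnums/addresses."""
    blocks = []
    for table, entries in symbols.items():
        head = [k for k in ("name", "notes") if k in entries]
        rest = [k for k in entries if k not in ("name", "notes")]
        lines = [f"[{_toml_key(table)}]"]
        lines += [f"{_toml_key(k)}={_toml_value(entries[k])}" for k in head + rest]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def describe_method(symbols, interface_uuid: str, opnum: int):
    """Return (interface name, note for the opnum) or None for an unknown interface."""
    table = symbols.get(interface_uuid)
    if table is None:
        return None
    return table.get("name"), table.get(str(opnum))


def resolve_address(symbols, module: str, address: int):
    """Look up a function or callback name by module path and address."""
    return symbols.get(module, {}).get(f"0x{address:x}")


if __name__ == "__main__":
    merged = merge_symbols(parse_symbol_file(EXISTING_SYMBOLS),
                           parse_symbol_file(SYNCED_SYMBOLS))
    print(dump_symbol_file(merged))
```

Running the script prints the merged file; opnum 2 of the interface now carries the synced note, opnum 1 keeps the original one, and lsasrv.dll has both addresses. Because module paths contain backslashes, the writer emits them as TOML literal strings in single quotes, exactly as the listing does, so they round-trip without escaping.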

During startup of rpv-web, you can specify the symbol file that should be used with the -symbol-file option. Moreover, you can load a symbol file at runtime from the settings menu.


PDB Files

rpv-web can resolve symbols from PDB files. For this to work, you have to configure the PDB path accordingly, either at startup or at runtime. To start rpv-web with a PDB symbol path, use the -pdb-path option. The following listing shows an example command line that specifies a PDB path pointing to a local symbol store:

C:\Users\tne>.\rpv-web-x64.exe -pdb-path srv*C:\Users\tne\Symbols

Adding a path at runtime can be done from the corresponding section of the settings menu. After adding a PDB path at runtime, a refresh is required before the newly configured symbol information is used.


PDB symbol resolution is not supported when running in offline mode. However, snapshots that were created with a PDB path configured contain all symbol information that could be resolved at the time the snapshot was taken.

Getting Symbols

Microsoft provides symbols for the executables that ship with the operating system. They can be downloaded from the Microsoft symbol server. Probably the easiest way to do this is to install the most recent Windows SDK, whose Debugging Tools for Windows component ships a tool called symchk.exe. The following commands (copied from itm4n's Fuzzing Windows RPC with RpcView article) can be used to download symbols for all .dll files in C:\Windows\System32 into the local store c:\SYMBOLS:

C:\> mkdir Symbols
C:\> cd "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\"
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\> .\symchk.exe /s srv*c:\SYMBOLS*https://msdl.microsoft.com/download/symbols C:\Windows\System32\*.dll

Notice that this requires quite some time and free disk space. Depending on the speed of your internet connection, the download takes about an hour, and several GB of free disk space are needed for the local symbol store.
