{"id":29,"date":"2006-08-11T10:09:49","date_gmt":"2006-08-11T15:09:49","guid":{"rendered":"http:\/\/www.nynaeve.net\/?p=29"},"modified":"2019-12-13T17:41:39","modified_gmt":"2019-12-13T22:41:39","slug":"the-power-of-dumpbinexe-with-symbols","status":"publish","type":"post","link":"http:\/\/www.nynaeve.net\/?p=29","title":{"rendered":"The power of dumpbin.exe with symbols"},"content":{"rendered":"<p>Many of the compiler utilities shipped with Visual Studio and the DDK in recent times actually support symbols under the hood, but this support is not well documented.<\/p>\n<p>For example, &#8220;dumpbin.exe&#8221; (actually &#8220;link.exe \/dump&#8221;) supports this, and so does &#8220;dumpbin.exe \/disasm&#8221;.\u00a0 All you need to do to activate this support is <a title=\"Setting a symbol path with _NT_SYMBOL_PATH\" href=\"\/?p=28\">set the default symbol path with _NT_SYMBOL_PATH<\/a>.\u00a0 Henceforth, you will be able to see symbol names for exported functions with dumpbin (if you have symbols, of course) &#8211; even functions that are exported by ordinal only.<\/p>\n<p>Additionally, when combined with symbol support, you can use &#8220;dumpbin.exe \/disasm&#8221; as a quick-n-dirty x64\/IA-64 disassembler (a cheap replacement for IDA Pro Advanced, for instance).\u00a0 While certainly not as pleasant as a full project-based disassembler, it can get the job done in a pinch and it won&#8217;t cost you an arm and a leg either (not that I don&#8217;t love IDA, but they make it excessively difficult to get a copy of the 64-bit capable versions of their disassembler).\u00a0 Skape and I used this technique when performing research for <a title=\"x64 PatchGuard\" href=\"http:\/\/www.uninformed.org\/?v=3&#038;a=3&#038;t=sumry\">our paper on x64&#8217;s &#8220;PatchGuard&#8221;.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many of the compiler utilities shipped with Visual Studio and the DDK in recent times actually support symbols under the hood, but this support is not well documented. For example, &#8220;dumpbin.exe&#8221; (actually &#8220;link.exe \/dump&#8221;) supports this, and so does &#8220;dumpbin.exe \/disasm&#8221;.\u00a0 All you need to do to activate this support is set the default symbol [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,8],"tags":[],"_links":{"self":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/29"}],"collection":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29"}],"version-history":[{"count":1,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/29\/revisions"}],"predecessor-version":[{"id":654,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/29\/revisions\/654"}],"wp:attachment":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}