0vercl0k/symbolizer 0vercl0k/symbolizer

  • Stars
    star
    130
  • Rank 268,836 (Top 6 %)
  • Language
    C++
  • License
    MIT License
  • Created over 3 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
0vercl0k/symbolizer
github

0vercl0k

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A fast execution trace symbolizer for Windows.

Symbolizer - A fast execution trace symbolizer for Windows

Builds

Symbolizer

Overview

This is utility that symbolizes an execution trace via the dbgeng APIs and a crash-dump. The dbgeng APIs are used to load the crash-dump and symbolizes RIP values by querying the available symbols.

Transform the below raw execution trace:

0xfffff8053b9ca5c0
0xfffff8053b9ca5c1
0xfffff8053b9ca5c8
0xfffff8053b9ca5d0
0xfffff8053b9ca5d4
0xfffff8053b9ca5d8
0xfffff8053b9ca5dc
0xfffff8053b9ca5e0

Into a full symbolized trace:

nt!KiPageFault+0x0
nt!KiPageFault+0x1
nt!KiPageFault+0x8
nt!KiPageFault+0x10
nt!KiPageFault+0x14
nt!KiPageFault+0x18
nt!KiPageFault+0x1c
nt!KiPageFault+0x20

Or a mod+offset trace to load it into Lighthouse for code-coverage exploration:

nt+0x1ca5c0
nt+0x1ca5c1
nt+0x1ca5c8
nt+0x1ca5d0
nt+0x1ca5d4
nt+0x1ca5d8
nt+0x1ca5dc
nt+0x1ca5e0
nt+0x1ca5e4
nt+0x1ca5e8

Usage

In order for symbolizer to work you need to place dbghelp.dll as well as symsrv.dll in the directory of the symbolizer executable. Symbolizer will copy the two files if they are found in the default Windows SDK's Debuggers install location: c:\Program Files (x86)\Windows Kits\10\Debuggers\<arch>.

Symbolizer - A fast execution trace symbolizer for Windows
Usage: src\x64\Release\symbolizer.exe [OPTIONS]

Options:
  -h,--help                   Print this help message and exit
  --help-all                  Expand all help
  -i,--input TEXT:PATH(existing) REQUIRED
                              Input trace file or directory
  -c,--crash-dump TEXT:FILE REQUIRED
                              Crash-dump path
  -o,--output TEXT            Output trace (default: stdout)
  -s,--skip UINT=0            Skip a number of lines
  -m,--max UINT=20000000      Stop after a number of lines
  --style ENUM:value in {modoff->0,fullsym->1} OR {0,1}=fullsym
                              Trace style
  --overwrite=0               Overwrite the output file if necessary
  --line-numbers=0            Include line numbers

Batch mode

The batch mode is designed to symbolize an entire directory filled with execution traces. You can turn on batch mode by simply specifying a directory for the --input command line option and an output directory for the --output option.

Batch mode

Single file mode

As opposed to batch mode, you might be interested in just symbolizing a single trace file which in this case you can specify a file path via the --input command line option.

Single mode

Build

Clone the repository with:

(base) > git clone --recurse-submodules https://github.com/0vercl0k/symbolizer.git

You can open the Visual Studio solution symbolizer.sln or build it via the command line with:

(base) symbolizer>msbuild /p:Configuration=Release src\symbolizer.sln
Microsoft (R) Build Engine version 16.7.0+b89cb5fde for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.

[...]

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:00.42

More Repositories

1

rp

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.
C++
1,722
star
2

wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
C++
1,351
star
3

CVE-2021-31166

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.
Python
823
star
4

CVE-2019-11708

Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
JavaScript
615
star
5

stuffz

Basically a script thrift shop
C
584
star
6

CVE-2022-21971

PoC for CVE-2022-21971 "Windows Runtime Remote Code Execution Vulnerability"
Rich Text Format
303
star
7

clairvoyance

Visualize the virtual address space of a Windows process on a Hilbert curve.
C++
290
star
8

windbg-scripts

A bunch of JavaScript extensions for WinDbg.
JavaScript
286
star
9

z3-playground

A repository to store Z3-python scripts you can use as examples, reminders, whatever.
Python
273
star
10

CVE-2019-9810

Exploit for CVE-2019-9810 Firefox on Windows 64-bit.
JavaScript
227
star
11

CVE-2021-24086

Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.
Python
225
star
12

CVE-2021-28476

PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.
C
212
star
13

kdmp-parser

A Windows kernel dump C++ parser library with Python 3 bindings.
C++
181
star
14

udmp-parser

A Cross-Platform C++ parser library for Windows user minidumps with Python 3 bindings.
C++
172
star
15

blazefox

Blazefox exploits for Windows 10 RS5 64-bit.
C++
147
star
16

zenith

Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021.
Python
123
star
17

sic

Enumerate user mode shared memory mappings on Windows.
C
112
star
18

ollydbg2-python

Scripting OllyDBG2 using Python is now possible!
C++
108
star
19

rp-bf.rs

rp-bf: A library to bruteforce ROP gadgets by emulating a Windows user-mode crash-dump
Rust
108
star
20

snapshot

WinDbg extension written in Rust to dump the CPU / memory state of a running VM
Rust
91
star
21

paracosme

Paracosme is a zero-click remote memory corruption exploit that compromises ICONICS Genesis64 which was demonstrated successfully on stage during the Pwn2Own Miami 2022 competition.
Python
84
star
22

fuzzing-ida75

Repository of the findings found by wtf when fuzzing IDA75.
83
star
23

CVE-2022-28281

PoC for CVE-2022-28281 a Mozilla Firefox Out of bounds write.
HTML
74
star
24

pywinhv

Python bindings for the Microsoft Hypervisor Platform APIs.
Python
66
star
25

CVE-2022-21974

PoC for CVE-2022-21974 "Roaming Security Rights Management Services Remote Code Execution Vulnerability"
Rich Text Format
60
star
26

lockmem

This utility allows you to lock every available memory regions of an arbitrary process into its working set.
C++
58
star
27

CVE-2021-32537

PoC for CVE-2021-32537: an out-of-bounds memory access that leads to pool corruption in the Windows kernel.
C++
58
star
28

pwn2own2023-miami

Writeups, PoCs of the bugs I found while preparing for the Pwn2Own Miami 2023 contest targeting UaGateway from the OPC UA Server category.
C++
54
star
29

j0llyDmpr

j0llydmper is a windows service that allows you to dump furtively and automaticaly some contents of USB disks just plugged in your computer. In order to dump potentialy interesting files, you can use a rule on the file name or/and on the file size.
C
41
star
30

udmp-parser-rs

A Rust crate for parsing Windows user minidumps.
Rust
40
star
31

inject

Yet another Windows DLL injector.
C++
33
star
32

KEPaboo

Neutralize KEPServerEX anti-debugging techniques
C++
28
star
33

longue-vue

Longue vue is an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices.
JavaScript
24
star
34

kdmp-parser-rs

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
Rust
24
star
35

TV-Show-Downloader

Maybe you're a guy a bit like me -- who watch a lot of series -- so I guess you already know that downloading the latest episodes of all your favorites TV Shows is absolutely PAINFUL. I mean it, really. Thus, TVShow Downloader is a set of basic scripts (crontab + python script + bash script) designed to simplify my whole existence on this earth: I haven't to think about downloading my serie anymore \o/.
Python
22
star
36

teesee-calc

Visualize and compare total compensation (TC) packages over time.
HTML
10
star
37

articles

Mirror of the different PDF articles I wrote
10
star
38

0vercl0k

5
star
39

gflags-rs

Utility that lets you interact with Microsoft Windows Global Flags and particularly PageHeap, made to learn Rust
Rust
4
star
40

symbolizer-rs

A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
Rust
4
star
41

rp2s

3
star
42

result

Simple, tiny and readable implementation of a Rust like std::result type for C++.
1
star