reza_679

Reputation: 101

create symbol or rename a function inside WinDBG

Is there a way to rename a function in WinDbg, similar to using a symbol?

For example, we have a function that is identified in WinDbg as "example+0x14". After reverse engineering, I know this function is making a call to a trampoline that will do printf. Now, I want to rename "example+0x14" to "example-printf".

Doing this is very straightforward in other debuggers like (x64), but I couldn't find a way of doing it in WinDbg.

Eventually, I want to resolve the addresses in the IAT, find their references (trampolines), rename those trampolines and make my debugging easier.

Is there a way of doing it?

Upvotes: 0

Views: 476

Answers (1)

William Messmer

Reputation: 291

There is an API with which you can do this. Unfortunately, there isn't a "command" to do it; one could be created very easily from a debugger extension.

The API in question is IDebugSymbols3::AddSyntheticSymbol (https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/dbgeng/nf-dbgeng-idebugsymbols3-addsyntheticsymbol) or the Unicode variant IDebugSymbols3::AddSyntheticSymbolWide (https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/dbgeng/nf-dbgeng-idebugsymbols3-addsyntheticsymbolwide).

You can go much further than this if you want to write a plug-in. There are new target composition APIs to the debugger (https://www.nuget.org/packages/Microsoft.Debugging.TargetModel.SDK) which allow you to define your own notion of what symbols are by providing a symbol provider (DEBUG_SERVICE_SYMBOL_PROVIDER / ISvcSymbolProvider). The only sample (https://github.com/microsoft/WinDbg-Samples/tree/master/TargetComposition/TextDump) currently available for that API surface unfortunately does not yet cover symbols. In the near future (hopefully within a month or two), there will be a second sample in that same repo which will cover this and allow a whole lot of dynamic manipulation and editing of symbols AND type system.

JFYI, regarding your comments about the IAT: the ImageInfo.js JavaScript extension, which is included with the debugger, already parses the IAT and exposes much of that information through the data model. Everything it exposes is on the Contents property of a module object; the IAT information is under .Contents.Imports:

0:007> dx -r3 @$curprocess.Modules[0].Contents.Imports
@$curprocess.Modules[0].Contents.Imports                
    ["KERNEL32.dll"] : KERNEL32.dll
        ModuleName       : KERNEL32.dll
        ResolvedModule   : C:\Windows\System32\KERNEL32.DLL
            BaseAddress      : 0x7ff8eef70000
            Name             : C:\Windows\System32\KERNEL32.DLL
            Size             : 0xbd000
            Contents        
            ImageType        : PE
        Functions       
            [0x0]            : Named Import of 'SetEvent'
            [0x1]            : Named Import of 'GlobalFree'
            [0x2]            : Named Import of 'GetLocaleInfoW'
            [0x3]            : Named Import of 'CreateFileW'
            [0x4]            : Named Import of 'ReadFile'
            ...
    ["GDI32.dll"]    : GDI32.dll
        ModuleName       : GDI32.dll
        ResolvedModule   : C:\Windows\System32\GDI32.dll
            BaseAddress      : 0x7ff8f0750000
            Name             : C:\Windows\System32\GDI32.dll
            Size             : 0x29000
            Contents        
            ImageType        : PE
        Functions       
            [0x0]            : Named Import of 'CreateDCW'
            [0x1]            : Named Import of 'StartPage'
            [0x2]            : Named Import of 'StartDocW'
            [0x3]            : Named Import of 'SetAbortProc'
            [0x4]            : Named Import of 'EndDoc'
            ...

Upvotes: 2
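As an added example (not part of the answer above and not a Microsoft sample), here is the kind of extension the answer has in mind: a DbgEng extension DLL that exports a `!addsym <address-expr> <name> [size]` command, evaluates the address with IDebugControl::Evaluate so that `example+0x14` can be passed as typed, and calls IDebugSymbols3::AddSyntheticSymbol. The command name, file name and build line are assumptions. The argument parsing is kept separate from the DbgEng calls so it can be exercised outside the debugger; the DbgEng part needs dbgeng.h from the Windows SDK.

```cpp
// addsym.cpp: added example of a DbgEng extension that wraps
// IDebugSymbols3::AddSyntheticSymbol as a "!addsym" command.
// (Command and file names are assumptions, not an official sample.)
//
// Build from an x64 Developer Command Prompt:
//   cl /LD /EHsc addsym.cpp dbgeng.lib /link /EXPORT:DebugExtensionInitialize /EXPORT:addsym
// In the debugger:
//   .load C:\path\to\addsym.dll
//   !addsym example+0x14 example_printf 6
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Parsed form of "<address-expr> <name> [size]".
struct AddSymArgs {
    std::string expr;          // address expression, e.g. "example+0x14"
    std::string name;          // synthetic symbol name, e.g. "example_printf"
    unsigned long size = 1;    // size in bytes; defaults to 1 when omitted
};

// Portable argument parsing, separate from DbgEng so it can be tested
// outside the debugger. Returns false on the wrong number of tokens or
// on a size that is not a positive number (base 0: "0x10" or "16").
bool ParseAddSymArgs(const char* args, AddSymArgs& out)
{
    std::vector<std::string> tok;
    std::istringstream in(args ? args : "");
    std::string t;
    while (in >> t) tok.push_back(t);
    if (tok.size() < 2 || tok.size() > 3) return false;
    out.expr = tok[0];
    out.name = tok[1];
    out.size = 1;
    if (tok.size() == 3) {
        char* end = nullptr;
        unsigned long n = std::strtoul(tok[2].c_str(), &end, 0);
        if (end == tok[2].c_str() || *end != '\0' || n == 0) return false;
        out.size = n;
    }
    return true;
}

#ifdef _WIN32
#include <windows.h>
#include <dbgeng.h>

extern "C" HRESULT CALLBACK DebugExtensionInitialize(PULONG Version, PULONG Flags)
{
    *Version = DEBUG_EXTENSION_VERSION(1, 0);
    *Flags = 0;
    return S_OK;
}

extern "C" void CALLBACK DebugExtensionUninitialize(void) {}

// !addsym <address-expr> <name> [size]
extern "C" HRESULT CALLBACK addsym(PDEBUG_CLIENT Client, PCSTR Args)
{
    IDebugControl* control = nullptr;
    IDebugSymbols3* symbols = nullptr;
    HRESULT hr = Client->QueryInterface(__uuidof(IDebugControl), (void**)&control);
    if (FAILED(hr)) return hr;
    hr = Client->QueryInterface(__uuidof(IDebugSymbols3), (void**)&symbols);
    if (FAILED(hr)) { control->Release(); return hr; }

    AddSymArgs a;
    if (!ParseAddSymArgs(Args, a)) {
        control->Output(DEBUG_OUTPUT_ERROR, "Usage: !addsym <address-expr> <name> [size]\n");
        hr = E_INVALIDARG;
    } else {
        // Let the debugger's own expression evaluator resolve "example+0x14".
        DEBUG_VALUE addr = {};
        hr = control->Evaluate(a.expr.c_str(), DEBUG_VALUE_INT64, &addr, nullptr);
        if (FAILED(hr)) {
            control->Output(DEBUG_OUTPUT_ERROR, "Cannot evaluate '%s' (0x%08x)\n", a.expr.c_str(), hr);
        } else {
            // Id receives the module the symbol was attached to plus its symbol id,
            // which is what IDebugSymbols3::RemoveSyntheticSymbol takes to undo this.
            DEBUG_MODULE_AND_ID id = {};
            hr = symbols->AddSyntheticSymbol(addr.I64, a.size, a.name.c_str(),
                                             DEBUG_ADDSYNTHSYM_DEFAULT, &id);
            if (SUCCEEDED(hr))
                control->Output(DEBUG_OUTPUT_NORMAL, "Added %s at %016I64x, size %lu\n",
                                a.name.c_str(), addr.I64, a.size);
            else
                control->Output(DEBUG_OUTPUT_ERROR, "AddSyntheticSymbol failed: 0x%08x\n", hr);
        }
    }
    symbols->Release();
    control->Release();
    return hr;
}
#endif
```

Two practical notes. The synthetic symbol exists only in the current debugger session (nothing is written to a PDB), and it is attached to the module containing the address, so the address must fall inside a loaded module. Prefer a name such as `example_printf` over `example-printf`: the MASM expression evaluator treats `-` as subtraction, so `bp example!example-printf` will not refer to the symbol you just added.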
