views: 58
answers: 1
Hi! Recently I have been trying to learn more about the Windows kernel. I downloaded the right symbols for my system (Win7 x64 free). I ran IDA and opened ntoskrnl.exe. IDA asked whether to attach the pdb file. But most of the functions were not resolved: sub_XXXXXX. So I ran WinDbg and unassembled a randomly chosen function which has to be in ntoskrnl, KiSystemCall64, and it showed output. But there is no such function in IDA (or it was not resolved). To sum up: using the same symbols, functions which can be unassembled in WinDbg are not resolved (no sign of them) in IDA (and vice versa). I would appreciate any help or suggestions from you.

+1  A: 

Did you analyze the module after you loaded symbols for it? In the Modules window, right-click the kernel and choose "Load debug symbols." After that's done, right-click the module again and choose "Analyze module."

-scott

snoone
Yes, this is what I need. But "Load debug symbols" seems not to work properly (nothing happens), and there's no such option as "Analyze module". Do you have any idea?
Vasilij
Which version are you using? In any case, do you have your symbol path set correctly? The easiest way is to set the _NT_SYMBOL_PATH environment variable.
snoone
The version is IDA 5.5. I set that variable and everything seems to work fine. Thanks.
Vasilij
One last question :) In which version does "Analyze module" work?
Vasilij
Ah, you should upgrade. That was the first version with crash dump support; it's getting better in later versions. The first version I saw with the "Analyze module" command was 5.7 (though I skipped 5.6, so it might be there as well).
snoone
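The fix the answer arrives at is a correctly set _NT_SYMBOL_PATH, since both WinDbg and IDA's PDB plugin pick it up. The script below is an added example, not code from the thread or from either poster: it sets the variable for the current user and session, pre-fetches the PDB that matches the installed kernel with symchk (which checks the PDB GUID/age, so a mismatched PDB is reported rather than silently ignored), and then confirms that the function named in the question resolves by opening the image in cdb. The Debugging Tools install directory and the cache directory are assumptions; adjust them to your machine.

```powershell
# Added example (not from the original thread). Assumes the x64 Debugging Tools for Windows
# are installed at $dbgTools and that C:\symbols may be used as a local symbol cache.
$dbgTools = 'C:\Program Files\Debugging Tools for Windows (x64)'   # assumed install dir
$cache    = 'C:\symbols'                                             # assumed local cache
$symPath  = "srv*$cache*https://msdl.microsoft.com/download/symbols"

New-Item -ItemType Directory -Force -Path $cache | Out-Null

# Persist for new processes (including IDA started later) and apply to this session.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'User')
$env:_NT_SYMBOL_PATH = $symPath

# Download the PDB matching the installed kernel. symchk compares the GUID/age recorded
# in the image against the PDB, so a wrong-build PDB shows up as an error here.
& "$dbgTools\symchk.exe" "$env:SystemRoot\System32\ntoskrnl.exe" /s $symPath

# Verify the symbols resolve. cdb uses the same engine as WinDbg; -z opens the PE image as a
# dump-style target (module name is the file base name, so 'ntoskrnl', not 'nt'), and -c runs
# the commands non-interactively: list the symbol, then quit.
& "$dbgTools\cdb.exe" -z "$env:SystemRoot\System32\ntoskrnl.exe" -c 'x ntoskrnl!KiSystemCall64; q'
```

If symchk reports the PDB as missing or mismatched, IDA's "Load debug symbols" will appear to do nothing for exactly the reason seen in the thread: the plugin has nothing matching to load. Run IDA from a fresh shell after setting the variable so it inherits the new value, and use the x64 tools for a 64-bit kernel image.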