DBGHELP.DLL

  • File Path: C:\Program Files (x86)\Microsoft Office\root\Office16\DBGHELP.DLL
  • Description: Windows Image Helper

Hashes

| Type | Hash |
|------|------|
| MD5 | 2D79BA335E29077A25BF80D3329C8548 |
| SHA1 | BA268E22AF8A1B73BC0EF5CFD361A7E4069C011B |
| SHA256 | F91C9481803309D99456968E92C2DF97B3ED060DD90509ADDC67E7CB1E7AAAAF |
| SHA384 | A35007BB9A6BE46D435FECC5B8136C0930DA400328722A366742C201A0BA3481175809C2D7E93AAEEAF76456BF5C594B |
| SHA512 | A843EDE441766D8672C2E4C259C7BAC7AD8A9D1DF04A831D3E5D42A8C282DC84A0FDFA2B6EF417CA7E02C24614E734D5654F8262C99D510C751BC8CD9556B0CF |
| SSDEEP | 24576:TPbZLRFrQhhIZbFAQQWIacM1OoHkrGo/AIUhmcbyawkBxu5wPClYLNS/Dim55K7i:HZ/rQwZbWELnw5wOZ58a/1H |
| IMP | AA1A201B4F2748EFF76FB698C0CD8EF3 |
| PESHA1 | CA48F14BB6CD020C88F78976C2A53EF22764951C |
| PE256 | 6685E369C8133FA13BFDEE96310106E3951A85F8E61C504CA4455BA45FE65254 |

DLL Exports:

| Function Name | Ordinal | Type |
|---------------|---------|------|
| SymGetSourceFile | 1254 | Exported Function |
| SymGetSourceFileChecksum | 1255 | Exported Function |
| SymGetSearchPath | 1252 | Exported Function |
| SymGetSearchPathW | 1253 | Exported Function |
| SymGetSourceFileFromTokenW | 1258 | Exported Function |
| SymGetSourceFileToken | 1259 | Exported Function |
| SymGetSourceFileChecksumW | 1256 | Exported Function |
| SymGetSourceFileFromToken | 1257 | Exported Function |
| SymGetModuleInfoW64 | 1246 | Exported Function |
| SymGetOmapBlockBase | 1121 | Exported Function |
| SymGetModuleInfo64 | 1244 | Exported Function |
| SymGetModuleInfoW | 1247 | Exported Function |
| SymGetScope | 1250 | Exported Function |
| SymGetScopeW | 1251 | Exported Function |
| SymGetOmaps | 1248 | Exported Function |
| SymGetOptions | 1249 | Exported Function |
| SymGetSymNext | 1269 | Exported Function |
| SymGetSymNext64 | 1268 | Exported Function |
| SymGetSymFromName | 1267 | Exported Function |
| SymGetSymFromName64 | 1266 | Exported Function |
| SymGetTypeFromName | 1274 | Exported Function |
| SymGetTypeFromNameW | 1275 | Exported Function |
| SymGetSymPrev | 1271 | Exported Function |
| SymGetSymPrev64 | 1270 | Exported Function |
| SymGetSourceVarFromToken | 1262 | Exported Function |
| SymGetSourceVarFromTokenW | 1263 | Exported Function |
| SymGetSourceFileTokenW | 1260 | Exported Function |
| SymGetSourceFileW | 1261 | Exported Function |
| SymGetSymFromAddr | 1265 | Exported Function |
| SymGetSymFromAddr64 | 1264 | Exported Function |
| SymGetSymbolFile | 1272 | Exported Function |
| SymGetSymbolFileW | 1273 | Exported Function |
| SymGetDiaSession | 1120 | Exported Function |
| SymGetExtendedOption | 1224 | Exported Function |
| SymFunctionTableAccess64 | 1221 | Exported Function |
| SymFunctionTableAccess64AccessRoutines | 1222 | Exported Function |
| SymGetHomeDirectoryW | 1227 | Exported Function |
| SymGetLineFromAddr | 1229 | Exported Function |
| SymGetFileLineOffsets64 | 1225 | Exported Function |
| SymGetHomeDirectory | 1226 | Exported Function |
| SymFromInlineContextW | 1216 | Exported Function |
| SymFromName | 1217 | Exported Function |
| SymFromIndexW | 1214 | Exported Function |
| SymFromInlineContext | 1215 | Exported Function |
| SymFromTokenW | 1220 | Exported Function |
| SymFunctionTableAccess | 1223 | Exported Function |
| SymFromNameW | 1218 | Exported Function |
| SymFromToken | 1219 | Exported Function |
| SymGetLinePrev | 1240 | Exported Function |
| SymGetLinePrev64 | 1239 | Exported Function |
| SymGetLineNext64 | 1236 | Exported Function |
| SymGetLineNextW64 | 1238 | Exported Function |
| SymGetModuleBase64 | 1242 | Exported Function |
| SymGetModuleInfo | 1245 | Exported Function |
| SymGetLinePrevW64 | 1241 | Exported Function |
| SymGetModuleBase | 1243 | Exported Function |
| SymGetLineFromInlineContext | 1231 | Exported Function |
| SymGetLineFromInlineContextW | 1232 | Exported Function |
| SymGetLineFromAddr64 | 1228 | Exported Function |
| SymGetLineFromAddrW64 | 1230 | Exported Function |
| SymGetLineFromNameW64 | 1235 | Exported Function |
| SymGetLineNext | 1237 | Exported Function |
| SymGetLineFromName | 1234 | Exported Function |
| SymGetLineFromName64 | 1233 | Exported Function |
| SymSrvGetFileIndexesW | 1321 | Exported Function |
| SymSrvGetFileIndexInfo | 1316 | Exported Function |
| SymSrvDeltaNameW | 1315 | Exported Function |
| SymSrvGetFileIndexes | 1320 | Exported Function |
| SymSrvGetFileIndexStringW | 1319 | Exported Function |
| SymSrvGetSupplement | 1322 | Exported Function |
| SymSrvGetFileIndexInfoW | 1317 | Exported Function |
| SymSrvGetFileIndexString | 1318 | Exported Function |
| SymSetScopeFromIndex | 1310 | Exported Function |
| SymSetScopeFromInlineContext | 1311 | Exported Function |
| SymSetParentWindow | 1308 | Exported Function |
| SymSetScopeFromAddr | 1309 | Exported Function |
| symsrv | 1355 | Exported Function |
| SymSrvDeltaName | 1314 | Exported Function |
| SymSetSearchPath | 1312 | Exported Function |
| SymSetSearchPathW | 1313 | Exported Function |
| SymUnloadModule64 | 1332 | Exported Function |
| UnDecorateSymbolName | 1334 | Exported Function |
| SymUnDName64 | 1330 | Exported Function |
| SymUnloadModule | 1333 | Exported Function |
| vc7fpo | 1356 | Exported Function |
| WinDbgExtensionDllInit | 1337 | Exported Function |
| UnDecorateSymbolNameW | 1335 | Exported Function |
| UnmapDebugInformation | 1336 | Exported Function |
| SymSrvIsStoreW | 1325 | Exported Function |
| SymSrvStoreFile | 1326 | Exported Function |
| SymSrvGetSupplementW | 1323 | Exported Function |
| SymSrvIsStore | 1324 | Exported Function |
| SymSrvStoreSupplementW | 1329 | Exported Function |
| SymUnDName | 1331 | Exported Function |
| SymSrvStoreFileW | 1327 | Exported Function |
| SymSrvStoreSupplement | 1328 | Exported Function |
| SymMatchFileNameW | 1286 | Exported Function |
| SymMatchString | 1287 | Exported Function |
| SymLoadModuleExW | 1284 | Exported Function |
| SymMatchFileName | 1285 | Exported Function |
| SymNext | 1290 | Exported Function |
| SymNextW | 1291 | Exported Function |
| SymMatchStringA | 1288 | Exported Function |
| SymMatchStringW | 1289 | Exported Function |
| SymGetUnwindInfo | 1278 | Exported Function |
| SymInitialize | 1279 | Exported Function |
| SymGetTypeInfo | 1276 | Exported Function |
| SymGetTypeInfoEx | 1277 | Exported Function |
| SymLoadModule64 | 1281 | Exported Function |
| SymLoadModuleEx | 1283 | Exported Function |
| SymInitializeW | 1280 | Exported Function |
| SymLoadModule | 1282 | Exported Function |
| SymSearchW | 1302 | Exported Function |
| SymSetContext | 1303 | Exported Function |
| SymRegisterFunctionEntryCallback64 | 1299 | Exported Function |
| SymSearch | 1301 | Exported Function |
| SymSetHomeDirectoryW | 1306 | Exported Function |
| SymSetOptions | 1307 | Exported Function |
| SymSetExtendedOption | 1304 | Exported Function |
| SymSetHomeDirectory | 1305 | Exported Function |
| SymQueryInlineTrace | 1294 | Exported Function |
| SymRefreshModuleList | 1295 | Exported Function |
| SymPrev | 1292 | Exported Function |
| SymPrevW | 1293 | Exported Function |
| SymRegisterCallbackW64 | 1298 | Exported Function |
| SymRegisterFunctionEntryCallback | 1300 | Exported Function |
| SymRegisterCallback | 1297 | Exported Function |
| SymRegisterCallback64 | 1296 | Exported Function |
| omap | 1348 | Exported Function |
| optdbgdump | 1349 | Exported Function |
| MiniDumpReadDumpStream | 1152 | Exported Function |
| MiniDumpWriteDump | 1153 | Exported Function |
| Ordinal1102 | 1102 | Exported Function |
| Ordinal1103 | 1103 | Exported Function |
| optdbgdumpaddr | 1350 | Exported Function |
| Ordinal1101 | 1101 | Exported Function |
| inlinedbg | 1344 | Exported Function |
| itoldyouso | 1345 | Exported Function |
| ImageRvaToSection | 1146 | Exported Function |
| ImageRvaToVa | 1147 | Exported Function |
| MakeSureDirectoryPathExists | 1150 | Exported Function |
| MapDebugInformation | 1151 | Exported Function |
| lmi | 1346 | Exported Function |
| lminfo | 1347 | Exported Function |
| Ordinal1114 | 1114 | Exported Function |
| Ordinal1115 | 1115 | Exported Function |
| Ordinal1112 | 1112 | Exported Function |
| Ordinal1113 | 1113 | Exported Function |
| Ordinal1118 | 1118 | Exported Function |
| RangeMapAddPeImageSections | 1154 | Exported Function |
| Ordinal1116 | 1116 | Exported Function |
| Ordinal1117 | 1117 | Exported Function |
| Ordinal1106 | 1106 | Exported Function |
| Ordinal1107 | 1107 | Exported Function |
| Ordinal1104 | 1104 | Exported Function |
| Ordinal1105 | 1105 | Exported Function |
| Ordinal1110 | 1110 | Exported Function |
| Ordinal1111 | 1111 | Exported Function |
| Ordinal1108 | 1108 | Exported Function |
| Ordinal1109 | 1109 | Exported Function |
| EnumerateLoadedModules64 | 1127 | Exported Function |
| EnumerateLoadedModulesEx | 1129 | Exported Function |
| EnumDirTreeW | 1126 | Exported Function |
| EnumerateLoadedModules | 1128 | Exported Function |
| ExtensionApiVersion | 1132 | Exported Function |
| FindDebugInfoFile | 1133 | Exported Function |
| EnumerateLoadedModulesExW | 1130 | Exported Function |
| EnumerateLoadedModulesW64 | 1131 | Exported Function |
| chksym | 1339 | Exported Function |
| dbghelp | 1340 | Exported Function |
| _EFN_DumpImage | 1122 | Exported Function |
| block | 1338 | Exported Function |
| dh | 1341 | Exported Function |
| EnumDirTree | 1125 | Exported Function |
| DbgHelpCreateUserDump | 1123 | Exported Function |
| DbgHelpCreateUserDumpW | 1124 | Exported Function |
| homedir | 1343 | Exported Function |
| ImageDirectoryEntryToData | 1143 | Exported Function |
| GetSymLoadError | 1141 | Exported Function |
| GetTimestampForLoadedLibrary | 1142 | Exported Function |
| ImagehlpApiVersionEx | 1149 | Exported Function |
| ImageNtHeader | 1145 | Exported Function |
| ImageDirectoryEntryToDataEx | 1144 | Exported Function |
| ImagehlpApiVersion | 1148 | Exported Function |
| FindExecutableImage | 1136 | Exported Function |
| FindExecutableImageEx | 1137 | Exported Function |
| FindDebugInfoFileEx | 1134 | Exported Function |
| FindDebugInfoFileExW | 1135 | Exported Function |
| FindFileInSearchPath | 1140 | Exported Function |
| fptr | 1342 | Exported Function |
| FindExecutableImageExW | 1138 | Exported Function |
| FindFileInPath | 1139 | Exported Function |
| SymEnumSourceLinesW | 1186 | Exported Function |
| SymEnumSym | 1187 | Exported Function |
| SymEnumSourceFileTokens | 1182 | Exported Function |
| SymEnumSourceLines | 1185 | Exported Function |
| SymEnumSymbolsExW | 1190 | Exported Function |
| SymEnumSymbolsForAddr | 1191 | Exported Function |
| SymEnumSymbols | 1188 | Exported Function |
| SymEnumSymbolsEx | 1189 | Exported Function |
| SymEnumerateSymbolsW64 | 1203 | Exported Function |
| SymEnumLines | 1179 | Exported Function |
| SymEnumerateSymbols64 | 1201 | Exported Function |
| SymEnumerateSymbolsW | 1204 | Exported Function |
| SymEnumSourceFiles | 1183 | Exported Function |
| SymEnumSourceFilesW | 1184 | Exported Function |
| SymEnumLinesW | 1180 | Exported Function |
| SymEnumProcesses | 1181 | Exported Function |
| SymFindFileInPath | 1209 | Exported Function |
| SymFindFileInPathW | 1210 | Exported Function |
| SymFindExecutableImage | 1207 | Exported Function |
| SymFindExecutableImageW | 1208 | Exported Function |
| SymFromAddrW | 1212 | Exported Function |
| SymFromIndex | 1213 | Exported Function |
| SymFreeDiaString | 1119 | Exported Function |
| SymFromAddr | 1211 | Exported Function |
| SymEnumTypes | 1194 | Exported Function |
| SymEnumTypesByName | 1195 | Exported Function |
| SymEnumSymbolsForAddrW | 1192 | Exported Function |
| SymEnumSymbolsW | 1193 | Exported Function |
| SymFindDebugInfoFile | 1205 | Exported Function |
| SymFindDebugInfoFileW | 1206 | Exported Function |
| SymEnumTypesByNameW | 1196 | Exported Function |
| SymEnumTypesW | 1197 | Exported Function |
| SetSymLoadError | 1165 | Exported Function |
| srcfiles | 1351 | Exported Function |
| SearchTreeForFileW | 1163 | Exported Function |
| SetCheckUserInterruptShared | 1164 | Exported Function |
| StackWalk | 1167 | Exported Function |
| StackWalk64 | 1166 | Exported Function |
| stack_force_ebp | 1352 | Exported Function |
| stackdbg | 1353 | Exported Function |
| RangeMapRead | 1157 | Exported Function |
| RangeMapRemove | 1158 | Exported Function |
| RangeMapCreate | 1155 | Exported Function |
| RangeMapFree | 1156 | Exported Function |
| ReportSymbolLoadSummary | 1161 | Exported Function |
| SearchTreeForFile | 1162 | Exported Function |
| RangeMapWrite | 1159 | Exported Function |
| RemoveInvalidModuleList | 1160 | Exported Function |
| SymDeleteSymbol | 1177 | Exported Function |
| SymDeleteSymbolW | 1178 | Exported Function |
| SymCleanup | 1175 | Exported Function |
| SymCompareInlineTrace | 1176 | Exported Function |
| SymEnumerateModulesW64 | 1200 | Exported Function |
| SymEnumerateSymbols | 1202 | Exported Function |
| SymEnumerateModules | 1199 | Exported Function |
| SymEnumerateModules64 | 1198 | Exported Function |
| SymAddrIncludeInlineTrace | 1174 | Exported Function |
| SymAddSourceStream | 1169 | Exported Function |
| StackWalkEx | 1168 | Exported Function |
| sym | 1354 | Exported Function |
| SymAddSymbol | 1172 | Exported Function |
| SymAddSymbolW | 1173 | Exported Function |
| SymAddSourceStreamA | 1170 | Exported Function |
| SymAddSourceStreamW | 1171 | Exported Function |

Signature

  • Status: Signature verified.
  • Serial: 33000001B24A37C6C97E0168860001000001B2
  • Thumbprint: A380D6A21D68FA9B52D2405B36C712BAFA57632B
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGHELP.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/f91c9481803309d99456968e92c2df97b3ed060dd90509addc67e7cb1e7aaaaf/detection/

Possible Misuse

The following table contains possible examples of DBGHELP.DLL being misused. While DBGHELP.DLL is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | sysmon_suspicious_dbghelp_dbgcore_load.yml | title: Load of dbghelp/dbgcore DLL from Suspicious Process | DRL 1.0 |
| sigma | sysmon_suspicious_dbghelp_dbgcore_load.yml | description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump | DRL 1.0 |
| sigma | sysmon_suspicious_dbghelp_dbgcore_load.yml | API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and | DRL 1.0 |
| sigma | sysmon_suspicious_dbghelp_dbgcore_load.yml | - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html | DRL 1.0 |
| sigma | sysmon_suspicious_dbghelp_dbgcore_load.yml | - '\dbghelp.dll' | DRL 1.0 |
| sigma | sysmon_lsass_memdump.yml | description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 | DRL 1.0 |
| sigma | sysmon_lsass_memdump.yml | - '*dbghelp.dll*' | DRL 1.0 |
| signature-base | apt_donotteam_ytyframework.yar | $s9 = "dbghelp.dll" wide fullword | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020 Strontic.