dbghelp.dll

  • File Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll
  • Description: Windows Image Helper

Hashes

Type     Hash
MD5      4003E34416EBD25E4C115D49DC15E1A7
SHA1     FAF95EC65CDE5BD833CE610BB8523363310EC4AD
SHA256   C06430B8CB025BE506BE50A756488E1BCC3827C4F45158D93E4E3EEB98CE1E4F
SHA384   EAAC8A0C332D585989AFAB77B2747EBB21E140B09DEB89BAA1DF1B2DA205421843ED3E46DE47603BD8F50F80E50134E3
SHA512   88F5D417377CD62BDE417640A79B6AC493E80F0C8B1F63A99378A2A67695EF8E4A541CEDB91ACFA296ED608E821FEE466983806F0D082ED2E74B0CD93EB4FB84
SSDEEP   24576:9AkmijauMug/iyFzb2DfsPV8A4C2vNI1cPdf8xZLGNfav9T:9WiOuRg/iyFzb2QN83XfeYaZ
IMP      FA6B094F828920CF8999743FF0004319
PESHA1   8F30240D35FF738C8FCE2EFEF226B5B212D2D0AA
PE256    80A53A6F620AED4EF5D688407274A77F5A67AFD128452B0716A475E5FDF84AC6

DLL Exports:

Function Name Ordinal Type
SymGetSymFromName64 121 Exported Function
SymGetSymFromName 122 Exported Function
SymGetSymFromAddr64 119 Exported Function
SymGetSymPrev 126 Exported Function
SymGetSymNext64 123 Exported Function
SymGetSymNext 124 Exported Function
SymGetSourceVarFromTokenW 118 Exported Function
SymGetSourceVarFromToken 117 Exported Function
SymGetSourceFileW 116 Exported Function
SymGetSymFromAddr 120 Exported Function
SymGetSymbolFileW 128 Exported Function
SymGetSymbolFile 127 Exported Function
SymGetSymPrev64 125 Exported Function
SymLoadModule64 136 Exported Function
SymLoadModule 137 Exported Function
SymInitializeW 135 Exported Function
SymMatchFileName 140 Exported Function
SymLoadModuleExW 139 Exported Function
SymLoadModuleEx 138 Exported Function
SymGetTypeInfo 131 Exported Function
SymGetTypeFromNameW 130 Exported Function
SymGetTypeFromName 129 Exported Function
SymInitialize 134 Exported Function
SymGetUnwindInfo 133 Exported Function
SymGetTypeInfoEx 132 Exported Function
SymGetSourceFileTokenW 115 Exported Function
SymGetModuleBase 100 Exported Function
SymGetLinePrevW64 98 Exported Function
SymGetLinePrev64 96 Exported Function
SymGetModuleInfo64 101 Exported Function
SymGetModuleInfo 102 Exported Function
SymGetModuleBase64 99 Exported Function
SymGetLineNext 94 Exported Function
SymGetLineFromNameW64 92 Exported Function
SymGetLineFromName64 90 Exported Function
SymGetLinePrev 97 Exported Function
SymGetLineNextW64 95 Exported Function
SymGetLineNext64 93 Exported Function
SymGetModuleInfoW 104 Exported Function
SymGetSourceFile 111 Exported Function
SymGetSearchPathW 110 Exported Function
SymGetSearchPath 109 Exported Function
SymGetSourceFileToken 114 Exported Function
SymGetSourceFileFromTokenW 113 Exported Function
SymGetSourceFileFromToken 112 Exported Function
SymGetOmaps 105 Exported Function
SymGetOmapBlockBase 1 Exported Function
SymGetModuleInfoW64 103 Exported Function
SymGetScopeW 108 Exported Function
SymGetScope 107 Exported Function
SymGetOptions 106 Exported Function
SymSrvGetSupplement 174 Exported Function
SymSrvGetFileIndexStringW 171 Exported Function
SymSrvGetFileIndexString 170 Exported Function
SymSrvIsStoreW 177 Exported Function
SymSrvIsStore 176 Exported Function
SymSrvGetSupplementW 175 Exported Function
SymSrvGetFileIndexes 172 Exported Function
SymSrvDeltaNameW 167 Exported Function
SymSrvDeltaName 166 Exported Function
SymSrvGetFileIndexInfoW 169 Exported Function
SymSrvGetFileIndexInfo 168 Exported Function
SymSrvGetFileIndexesW 173 Exported Function
SymSrvStoreFile 178 Exported Function
UnDecorateSymbolNameW 187 Exported Function
UnDecorateSymbolName 186 Exported Function
SymUnloadModule64 184 Exported Function
WinDbgExtensionDllInit 189 Exported Function
vc7fpo 205 Exported Function
UnmapDebugInformation 188 Exported Function
SymSrvStoreSupplementW 181 Exported Function
SymSrvStoreSupplement 180 Exported Function
SymSrvStoreFileW 179 Exported Function
SymUnloadModule 185 Exported Function
SymUnDName64 182 Exported Function
SymUnDName 183 Exported Function
symsrv 204 Exported Function
SymRefreshModuleList 149 Exported Function
SymPrevW 148 Exported Function
SymPrev 147 Exported Function
SymRegisterCallbackW64 152 Exported Function
SymRegisterCallback64 150 Exported Function
SymRegisterCallback 151 Exported Function
SymMatchStringA 143 Exported Function
SymMatchString 142 Exported Function
SymMatchFileNameW 141 Exported Function
SymNextW 146 Exported Function
SymNext 145 Exported Function
SymMatchStringW 144 Exported Function
SymRegisterFunctionEntryCallback 154 Exported Function
SymSetScopeFromAddr 162 Exported Function
SymSetParentWindow 161 Exported Function
SymSetOptions 160 Exported Function
SymSetSearchPathW 165 Exported Function
SymSetSearchPath 164 Exported Function
SymSetScopeFromIndex 163 Exported Function
SymSearchW 156 Exported Function
SymSearch 155 Exported Function
SymRegisterFunctionEntryCallback64 153 Exported Function
SymSetHomeDirectoryW 159 Exported Function
SymSetHomeDirectory 158 Exported Function
SymSetContext 157 Exported Function
SymGetLineFromName 91 Exported Function
lminfo 198 Exported Function
lmi 197 Exported Function
itoldyouso 196 Exported Function
MiniDumpReadDumpStream 30 Exported Function
MapDebugInformation 29 Exported Function
MakeSureDirectoryPathExists 28 Exported Function
ImagehlpApiVersionEx 27 Exported Function
ImagehlpApiVersion 26 Exported Function
ImageDirectoryEntryToDataEx 22 Exported Function
ImageRvaToVa 25 Exported Function
ImageRvaToSection 24 Exported Function
ImageNtHeader 23 Exported Function
MiniDumpWriteDump 31 Exported Function
sym 203 Exported Function
StackWalk64 34 Exported Function
StackWalk 35 Exported Function
SymAddSourceStreamW 38 Exported Function
SymAddSourceStreamA 37 Exported Function
SymAddSourceStream 36 Exported Function
SearchTreeForFileW 33 Exported Function
SearchTreeForFile 32 Exported Function
omap 199 Exported Function
stackdbg 202 Exported Function
stack_force_ebp 201 Exported Function
srcfiles 200 Exported Function
ImageDirectoryEntryToData 21 Exported Function
EnumerateLoadedModules 7 Exported Function
EnumDirTreeW 5 Exported Function
EnumDirTree 4 Exported Function
EnumerateLoadedModulesExW 9 Exported Function
EnumerateLoadedModulesEx 8 Exported Function
EnumerateLoadedModules64 6 Exported Function
dbghelp 192 Exported Function
chksym 191 Exported Function
block 190 Exported Function
dh 193 Exported Function
DbgHelpCreateUserDumpW 3 Exported Function
DbgHelpCreateUserDump 2 Exported Function
EnumerateLoadedModulesW64 10 Exported Function
FindFileInSearchPath 19 Exported Function
FindFileInPath 18 Exported Function
FindExecutableImageExW 17 Exported Function
homedir 195 Exported Function
GetTimestampForLoadedLibrary 20 Exported Function
fptr 194 Exported Function
FindDebugInfoFileEx 13 Exported Function
FindDebugInfoFile 12 Exported Function
ExtensionApiVersion 11 Exported Function
FindExecutableImageEx 16 Exported Function
FindExecutableImage 15 Exported Function
FindDebugInfoFileExW 14 Exported Function
SymFindFileInPathW 73 Exported Function
SymFindFileInPath 72 Exported Function
SymFindExecutableImageW 71 Exported Function
SymFromIndex 76 Exported Function
SymFromAddrW 75 Exported Function
SymFromAddr 74 Exported Function
SymEnumTypesW 60 Exported Function
SymEnumTypesByNameW 59 Exported Function
SymEnumTypesByName 58 Exported Function
SymFindExecutableImage 70 Exported Function
SymFindDebugInfoFileW 69 Exported Function
SymFindDebugInfoFile 68 Exported Function
SymFromIndexW 77 Exported Function
SymGetHomeDirectoryW 86 Exported Function
SymGetHomeDirectory 85 Exported Function
SymGetFileLineOffsets64 84 Exported Function
SymGetLineFromAddrW64 89 Exported Function
SymGetLineFromAddr64 87 Exported Function
SymGetLineFromAddr 88 Exported Function
SymFromToken 80 Exported Function
SymFromNameW 79 Exported Function
SymFromName 78 Exported Function
SymFunctionTableAccess64 82 Exported Function
SymFunctionTableAccess 83 Exported Function
SymFromTokenW 81 Exported Function
SymEnumTypes 57 Exported Function
SymEnumerateSymbols 65 Exported Function
SymEnumerateModulesW64 63 Exported Function
SymEnumerateModules64 61 Exported Function
SymEnumerateSymbolsW64 66 Exported Function
SymEnumerateSymbolsW 67 Exported Function
SymEnumerateSymbols64 64 Exported Function
SymCleanup 41 Exported Function
SymAddSymbolW 40 Exported Function
SymAddSymbol 39 Exported Function
SymEnumerateModules 62 Exported Function
SymDeleteSymbolW 43 Exported Function
SymDeleteSymbol 42 Exported Function
SymEnumLines 44 Exported Function
SymEnumSymbols 53 Exported Function
SymEnumSym 52 Exported Function
SymEnumSourceLinesW 51 Exported Function
SymEnumSymbolsW 56 Exported Function
SymEnumSymbolsForAddrW 55 Exported Function
SymEnumSymbolsForAddr 54 Exported Function
SymEnumSourceFiles 48 Exported Function
SymEnumProcesses 46 Exported Function
SymEnumLinesW 45 Exported Function
SymEnumSourceLines 50 Exported Function
SymEnumSourceFileTokens 47 Exported Function
SymEnumSourceFilesW 49 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 6105F71E000000000032
  • Thumbprint: D468FAEB5190BF9DECD9827AF470F799C41A769C
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGHELP.DLL
  • Product Name: Debugging Tools for Windows(R)
  • Company Name: Microsoft Corporation
  • File Version: 6.12.0002.633 (debuggers(dbg).100201-1203)
  • Product Version: 6.12.0002.633
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f/detection/

Possible Misuse

The following table contains possible examples of dbghelp.dll being misused. While dbghelp.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma | Source File: image_load_suspicious_dbghelp_dbgcore_load.yml | License: DRL 1.0
    Example: description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
  • Source: sigma | Source File: image_load_suspicious_dbghelp_dbgcore_load.yml | License: DRL 1.0
    Example: - '\dbghelp.dll'
  • Source: sigma | Source File: proc_access_win_lsass_memdump.yml | License: DRL 1.0
    Example: description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
  • Source: sigma | Source File: proc_access_win_lsass_memdump.yml | License: DRL 1.0
    Example: - 'dbghelp.dll'
  • Source: signature-base | Source File: apt_donotteam_ytyframework.yar | License: CC BY-NC 4.0
    Example: $s9 = "dbghelp.dll" wide fullword

MIT License. Copyright (c) 2020-2021 Strontic.