dbghelp.dll

  • File Path: C:\Program Files (x86)\Cisco Systems\Cisco Jabber\dbghelp.dll
  • Description: Windows Image Helper

Hashes

Type Hash
MD5 7328F8D7D70D9663C987E36324675DD4
SHA1 C8875542CDC910058C702251693B9E19A0AD2687
SHA256 FFD4EDFBE5A42D99E627ACA1090B7C886DE666A86D9ECD98F55E1395D0EAF6E1
SHA384 1C0AF465BD2F03C19D647C3772E79DAE128BF8A1DA552D6952DBBEB2B9BB966ECB02EC3ACBE702236239EF7FE011D84E
SHA512 1E5A8CD46E5FCB397E879CBA4B26AFF47ABD650660EA4F9BD0C64779593A090EEA79E5016F8E76DD0BE1529AE5FDC2D01BCDCD69EA945C7D47AD480210965FF6
SSDEEP 24576:D+PxwpJhRJpc9aFbwEVig9LiFrF5a3gkLsOyEngXTcqhUfv:6C7hzpc9aFbwEViSL8re3gAsCngoN
IMP F7CB4432172D116632ABC77471A1A600
PESHA1 6831AE917C12D0053F5F81E8980A19252DBE9E93
PE256 A7F3CD62709FDEAC959EA1EAFC2511CA0651258383DE8E6BFA12F113BDD4450E

DLL Exports:

Function Name Ordinal Type
SymGetSymFromName64 121 Exported Function
SymGetSymFromName 122 Exported Function
SymGetSymFromAddr64 119 Exported Function
SymGetSymPrev 126 Exported Function
SymGetSymNext64 123 Exported Function
SymGetSymNext 124 Exported Function
SymGetSourceVarFromTokenW 118 Exported Function
SymGetSourceVarFromToken 117 Exported Function
SymGetSourceFileW 116 Exported Function
SymGetSymFromAddr 120 Exported Function
SymGetSymbolFileW 128 Exported Function
SymGetSymbolFile 127 Exported Function
SymGetSymPrev64 125 Exported Function
SymLoadModule64 136 Exported Function
SymLoadModule 137 Exported Function
SymInitializeW 135 Exported Function
SymMatchFileName 140 Exported Function
SymLoadModuleExW 139 Exported Function
SymLoadModuleEx 138 Exported Function
SymGetTypeInfo 131 Exported Function
SymGetTypeFromNameW 130 Exported Function
SymGetTypeFromName 129 Exported Function
SymInitialize 134 Exported Function
SymGetUnwindInfo 133 Exported Function
SymGetTypeInfoEx 132 Exported Function
SymGetSourceFileTokenW 115 Exported Function
SymGetModuleBase 100 Exported Function
SymGetLinePrevW64 98 Exported Function
SymGetLinePrev64 96 Exported Function
SymGetModuleInfo64 101 Exported Function
SymGetModuleInfo 102 Exported Function
SymGetModuleBase64 99 Exported Function
SymGetLineNext 94 Exported Function
SymGetLineFromNameW64 92 Exported Function
SymGetLineFromName64 90 Exported Function
SymGetLinePrev 97 Exported Function
SymGetLineNextW64 95 Exported Function
SymGetLineNext64 93 Exported Function
SymGetModuleInfoW 104 Exported Function
SymGetSourceFile 111 Exported Function
SymGetSearchPathW 110 Exported Function
SymGetSearchPath 109 Exported Function
SymGetSourceFileToken 114 Exported Function
SymGetSourceFileFromTokenW 113 Exported Function
SymGetSourceFileFromToken 112 Exported Function
SymGetOmaps 105 Exported Function
SymGetOmapBlockBase 4 Exported Function
SymGetModuleInfoW64 103 Exported Function
SymGetScopeW 108 Exported Function
SymGetScope 107 Exported Function
SymGetOptions 106 Exported Function
SymSrvGetSupplement 174 Exported Function
SymSrvGetFileIndexStringW 171 Exported Function
SymSrvGetFileIndexString 170 Exported Function
SymSrvIsStoreW 177 Exported Function
SymSrvIsStore 176 Exported Function
SymSrvGetSupplementW 175 Exported Function
SymSrvGetFileIndexes 172 Exported Function
SymSrvDeltaNameW 167 Exported Function
SymSrvDeltaName 166 Exported Function
SymSrvGetFileIndexInfoW 169 Exported Function
SymSrvGetFileIndexInfo 168 Exported Function
SymSrvGetFileIndexesW 173 Exported Function
SymSrvStoreFile 178 Exported Function
UnDecorateSymbolNameW 187 Exported Function
UnDecorateSymbolName 186 Exported Function
SymUnloadModule64 184 Exported Function
WinDbgExtensionDllInit 189 Exported Function
vc7fpo 205 Exported Function
UnmapDebugInformation 188 Exported Function
SymSrvStoreSupplementW 181 Exported Function
SymSrvStoreSupplement 180 Exported Function
SymSrvStoreFileW 179 Exported Function
SymUnloadModule 185 Exported Function
SymUnDName64 182 Exported Function
SymUnDName 183 Exported Function
symsrv 204 Exported Function
SymRefreshModuleList 149 Exported Function
SymPrevW 148 Exported Function
SymPrev 147 Exported Function
SymRegisterCallbackW64 152 Exported Function
SymRegisterCallback64 150 Exported Function
SymRegisterCallback 151 Exported Function
SymMatchStringA 143 Exported Function
SymMatchString 142 Exported Function
SymMatchFileNameW 141 Exported Function
SymNextW 146 Exported Function
SymNext 145 Exported Function
SymMatchStringW 144 Exported Function
SymRegisterFunctionEntryCallback 154 Exported Function
SymSetScopeFromAddr 162 Exported Function
SymSetParentWindow 161 Exported Function
SymSetOptions 160 Exported Function
SymSetSearchPathW 165 Exported Function
SymSetSearchPath 164 Exported Function
SymSetScopeFromIndex 163 Exported Function
SymSearchW 156 Exported Function
SymSearch 155 Exported Function
SymRegisterFunctionEntryCallback64 153 Exported Function
SymSetHomeDirectoryW 159 Exported Function
SymSetHomeDirectory 158 Exported Function
SymSetContext 157 Exported Function
SymGetLineFromName 91 Exported Function
lminfo 198 Exported Function
lmi 197 Exported Function
itoldyouso 196 Exported Function
MiniDumpReadDumpStream 33 Exported Function
MapDebugInformation 32 Exported Function
MakeSureDirectoryPathExists 31 Exported Function
ImagehlpApiVersionEx 30 Exported Function
ImagehlpApiVersion 29 Exported Function
ImageDirectoryEntryToDataEx 25 Exported Function
ImageRvaToVa 28 Exported Function
ImageRvaToSection 27 Exported Function
ImageNtHeader 26 Exported Function
MiniDumpWriteDump 34 Exported Function
sym 203 Exported Function
StackWalk64 37 Exported Function
StackWalk 38 Exported Function
SymAddSourceStreamW 3 Exported Function
SymAddSourceStreamA 2 Exported Function
SymAddSourceStream 1 Exported Function
SearchTreeForFileW 36 Exported Function
SearchTreeForFile 35 Exported Function
omap 199 Exported Function
stackdbg 202 Exported Function
stack_force_ebp 201 Exported Function
srcfiles 200 Exported Function
ImageDirectoryEntryToData 24 Exported Function
EnumerateLoadedModules 10 Exported Function
EnumDirTreeW 8 Exported Function
EnumDirTree 7 Exported Function
EnumerateLoadedModulesExW 12 Exported Function
EnumerateLoadedModulesEx 11 Exported Function
EnumerateLoadedModules64 9 Exported Function
dbghelp 192 Exported Function
chksym 191 Exported Function
block 190 Exported Function
dh 193 Exported Function
DbgHelpCreateUserDumpW 6 Exported Function
DbgHelpCreateUserDump 5 Exported Function
EnumerateLoadedModulesW64 13 Exported Function
FindFileInSearchPath 22 Exported Function
FindFileInPath 21 Exported Function
FindExecutableImageExW 20 Exported Function
homedir 195 Exported Function
GetTimestampForLoadedLibrary 23 Exported Function
fptr 194 Exported Function
FindDebugInfoFileEx 16 Exported Function
FindDebugInfoFile 15 Exported Function
ExtensionApiVersion 14 Exported Function
FindExecutableImageEx 19 Exported Function
FindExecutableImage 18 Exported Function
FindDebugInfoFileExW 17 Exported Function
SymFindFileInPathW 73 Exported Function
SymFindFileInPath 72 Exported Function
SymFindExecutableImageW 71 Exported Function
SymFromIndex 76 Exported Function
SymFromAddrW 75 Exported Function
SymFromAddr 74 Exported Function
SymEnumTypesW 60 Exported Function
SymEnumTypesByNameW 59 Exported Function
SymEnumTypesByName 58 Exported Function
SymFindExecutableImage 70 Exported Function
SymFindDebugInfoFileW 69 Exported Function
SymFindDebugInfoFile 68 Exported Function
SymFromIndexW 77 Exported Function
SymGetHomeDirectoryW 86 Exported Function
SymGetHomeDirectory 85 Exported Function
SymGetFileLineOffsets64 84 Exported Function
SymGetLineFromAddrW64 89 Exported Function
SymGetLineFromAddr64 87 Exported Function
SymGetLineFromAddr 88 Exported Function
SymFromToken 80 Exported Function
SymFromNameW 79 Exported Function
SymFromName 78 Exported Function
SymFunctionTableAccess64 82 Exported Function
SymFunctionTableAccess 83 Exported Function
SymFromTokenW 81 Exported Function
SymEnumTypes 57 Exported Function
SymEnumerateSymbols 65 Exported Function
SymEnumerateModulesW64 63 Exported Function
SymEnumerateModules64 61 Exported Function
SymEnumerateSymbolsW64 66 Exported Function
SymEnumerateSymbolsW 67 Exported Function
SymEnumerateSymbols64 64 Exported Function
SymCleanup 41 Exported Function
SymAddSymbolW 40 Exported Function
SymAddSymbol 39 Exported Function
SymEnumerateModules 62 Exported Function
SymDeleteSymbolW 43 Exported Function
SymDeleteSymbol 42 Exported Function
SymEnumLines 44 Exported Function
SymEnumSymbols 53 Exported Function
SymEnumSym 52 Exported Function
SymEnumSourceLinesW 51 Exported Function
SymEnumSymbolsW 56 Exported Function
SymEnumSymbolsForAddrW 55 Exported Function
SymEnumSymbolsForAddr 54 Exported Function
SymEnumSourceFiles 48 Exported Function
SymEnumProcesses 46 Exported Function
SymEnumLinesW 45 Exported Function
SymEnumSourceLines 50 Exported Function
SymEnumSourceFileTokens 47 Exported Function
SymEnumSourceFilesW 49 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 61469ECB000400000065
  • Thumbprint: 564E01066387F26C912010D06BD78D3CF1E845AB
  • Issuer: CN=Microsoft Code Signing PCA, OU=Copyright (c) 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGHELP.DLL
  • Product Name: Debugging Tools for Windows(R)
  • Company Name: Microsoft Corporation
  • File Version: 6.7.0005.1 (debuggers(dbg).070515-1751)
  • Product Version: 6.7.0005.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/ffd4edfbe5a42d99e627aca1090b7c886de666a86d9ecd98f55e1395d0eaf6e1/detection/

Possible Misuse

The following table contains possible examples of dbghelp.dll being misused. While dbghelp.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\dbghelp.dll' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - 'dbghelp.dll' DRL 1.0
signature-base apt_donotteam_ytyframework.yar $s9 = "dbghelp.dll" wide fullword CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.