dbghelp.dll

  • File Path: C:\Windows\system32\dbghelp.dll
  • Description: Windows Image Helper

Hashes

Type Hash
MD5 D0DE7DDBC3590657C68F246D53D229A9
SHA1 4010FFEDF02F5C6C7FD242807D28F47CBC0A1C0E
SHA256 735D07693CFBC08330E322675815ED1DE7B53F4E8FD970DBAAA9FD842E7E68C3
SHA384 1148E733AF60B4015F1958AE3552FC44499BDE56D57074416C503F56C74970B721E911038D44405EAE979BC8B4768252
SHA512 F52D24FF39827EF47C0BE088C43803DC24CF66D4A685391DE433115CEA7F2A2F831E8444CEE5EAFA1204B0823FCF7E9DFFEDD771E3F1D42F1E93E0FE7758F9A8
SSDEEP 24576:jGfMp2mJoLU+FK+Y05wUWP2s7518nzGJatkC/4nOElMU2Faz:jGfMp2mJxV0uUps7P8zNtk+85l5
IMP CE4AD83A987BB290F3A8EBD351252F29
PESHA1 4F83C0196D08E0335ACE6115F8C1E32D250952A8
PE256 2782167835E18C53DEB5C2E4C37819D419F153F31E1252E262792F23C93A6950

DLL Exports:

Function Name Ordinal Type
SymGetSourceFileToken 1261 Exported Function
SymGetSourceFileFromTokenW 1260 Exported Function
SymGetSourceFileFromToken 1259 Exported Function
SymGetSourceFileTokenW 1262 Exported Function
SymGetSourceVarFromTokenW 1265 Exported Function
SymGetSourceVarFromToken 1264 Exported Function
SymGetSourceFileW 1263 Exported Function
SymGetSourceFileChecksumW 1258 Exported Function
SymGetScopeW 1253 Exported Function
SymGetScope 1252 Exported Function
SymGetOptions 1251 Exported Function
SymGetSearchPath 1254 Exported Function
SymGetSourceFileChecksum 1257 Exported Function
SymGetSourceFile 1256 Exported Function
SymGetSearchPathW 1255 Exported Function
SymGetTypeFromName 1276 Exported Function
SymGetSymPrev64 1273 Exported Function
SymGetSymPrev 1272 Exported Function
SymGetTypeFromNameW 1277 Exported Function
SymGetUnwindInfo 1280 Exported Function
SymGetTypeInfoEx 1279 Exported Function
SymGetTypeInfo 1278 Exported Function
SymGetSymNext64 1271 Exported Function
SymGetSymFromAddr 1266 Exported Function
SymGetSymbolFileW 1275 Exported Function
SymGetSymbolFile 1274 Exported Function
SymGetSymFromAddr64 1267 Exported Function
SymGetSymNext 1270 Exported Function
SymGetSymFromName64 1269 Exported Function
SymGetSymFromName 1268 Exported Function
SymGetLineFromName 1235 Exported Function
SymGetLineFromInlineContextW 1234 Exported Function
SymGetLineFromInlineContext 1233 Exported Function
SymGetLineFromName64 1236 Exported Function
SymGetLineNext 1238 Exported Function
SymGetLineFromNameW64 1237 Exported Function
SymGetLineFromNameEx 1120 Exported Function
SymGetLineFromAddrW64 1232 Exported Function
SymGetHomeDirectory 1228 Exported Function
SymGetFileLineOffsets64 1227 Exported Function
SymGetExtendedOption 1226 Exported Function
SymGetHomeDirectoryW 1229 Exported Function
SymGetLineFromAddrEx 1114 Exported Function
SymGetLineFromAddr64 1231 Exported Function
SymGetLineFromAddr 1230 Exported Function
SymGetModuleInfo64 1247 Exported Function
SymGetModuleInfo 1246 Exported Function
SymGetModuleBase64 1245 Exported Function
SymGetModuleInfoW 1248 Exported Function
SymGetOmaps 1250 Exported Function
SymGetOmapBlockBase 1123 Exported Function
SymGetModuleInfoW64 1249 Exported Function
SymGetModuleBase 1244 Exported Function
SymGetLineNextW64 1240 Exported Function
SymGetLineNextEx 1121 Exported Function
SymGetLineNext64 1239 Exported Function
SymGetLinePrev 1241 Exported Function
SymGetLinePrevW64 1243 Exported Function
SymGetLinePrevEx 1122 Exported Function
SymGetLinePrev64 1242 Exported Function
SymInitialize 1281 Exported Function
SymSrvGetFileIndexInfo 1318 Exported Function
SymSrvGetFileIndexesW 1323 Exported Function
SymSrvGetFileIndexes 1322 Exported Function
SymSrvGetFileIndexInfoW 1319 Exported Function
SymSrvGetSupplement 1324 Exported Function
SymSrvGetFileIndexStringW 1321 Exported Function
SymSrvGetFileIndexString 1320 Exported Function
SymSrvDeltaNameW 1317 Exported Function
SymSetScopeFromInlineContext 1313 Exported Function
SymSetScopeFromIndex 1312 Exported Function
SymSetScopeFromAddr 1311 Exported Function
SymSetSearchPath 1314 Exported Function
SymSrvDeltaName 1316 Exported Function
symsrv 1356 Exported Function
SymSetSearchPathW 1315 Exported Function
SymUnloadModule64 1335 Exported Function
SymUnloadModule 1334 Exported Function
SymUnDName64 1333 Exported Function
UnDecorateSymbolName 1336 Exported Function
WinDbgExtensionDllInit 1338 Exported Function
vc7fpo 1357 Exported Function
UnDecorateSymbolNameW 1337 Exported Function
SymUnDName 1332 Exported Function
SymSrvIsStoreW 1327 Exported Function
SymSrvIsStore 1326 Exported Function
SymSrvGetSupplementW 1325 Exported Function
SymSrvStoreFile 1328 Exported Function
SymSrvStoreSupplementW 1331 Exported Function
SymSrvStoreSupplement 1330 Exported Function
SymSrvStoreFileW 1329 Exported Function
SymNext 1292 Exported Function
SymMatchStringW 1291 Exported Function
SymMatchStringA 1290 Exported Function
SymNextW 1293 Exported Function
SymQueryInlineTrace 1296 Exported Function
SymPrevW 1295 Exported Function
SymPrev 1294 Exported Function
SymMatchString 1289 Exported Function
SymLoadModule64 1284 Exported Function
SymLoadModule 1283 Exported Function
SymInitializeW 1282 Exported Function
SymLoadModuleEx 1285 Exported Function
SymMatchFileNameW 1288 Exported Function
SymMatchFileName 1287 Exported Function
SymLoadModuleExW 1286 Exported Function
SymSetExtendedOption 1306 Exported Function
SymSetDiaSession 1124 Exported Function
SymSetContext 1305 Exported Function
SymSetHomeDirectory 1307 Exported Function
SymSetParentWindow 1310 Exported Function
SymSetOptions 1309 Exported Function
SymSetHomeDirectoryW 1308 Exported Function
SymSearchW 1304 Exported Function
SymRegisterCallback64 1299 Exported Function
SymRegisterCallback 1298 Exported Function
SymRefreshModuleList 1297 Exported Function
SymRegisterCallbackW64 1300 Exported Function
SymSearch 1303 Exported Function
SymRegisterFunctionEntryCallback64 1302 Exported Function
SymRegisterFunctionEntryCallback 1301 Exported Function
MiniDumpWriteDump 1155 Exported Function
MiniDumpReadDumpStream 1154 Exported Function
MakeSureDirectoryPathExists 1153 Exported Function
omap 1349 Exported Function
RangeMapAddPeImageSections 1156 Exported Function
optdbgdumpaddr 1351 Exported Function
optdbgdump 1350 Exported Function
lminfo 1348 Exported Function
ImageRvaToSection 1149 Exported Function
ImageNtHeader 1148 Exported Function
ImagehlpApiVersionEx 1152 Exported Function
ImageRvaToVa 1150 Exported Function
lmi 1347 Exported Function
itoldyouso 1346 Exported Function
inlinedbg 1345 Exported Function
SetSymLoadError 1167 Exported Function
SetCheckUserInterruptShared 1166 Exported Function
SearchTreeForFileW 1165 Exported Function
srcfiles 1352 Exported Function
StackWalk 1168 Exported Function
stackdbg 1354 Exported Function
stack_force_ebp 1353 Exported Function
SearchTreeForFile 1164 Exported Function
RangeMapRead 1159 Exported Function
RangeMapFree 1158 Exported Function
RangeMapCreate 1157 Exported Function
RangeMapRemove 1160 Exported Function
ReportSymbolLoadSummary 1163 Exported Function
RemoveInvalidModuleList 1162 Exported Function
RangeMapWrite 1161 Exported Function
EnumerateLoadedModules64 1131 Exported Function
EnumerateLoadedModules 1130 Exported Function
EnumDirTreeW 1129 Exported Function
EnumerateLoadedModulesEx 1132 Exported Function
ExtensionApiVersion 1135 Exported Function
EnumerateLoadedModulesW64 1134 Exported Function
EnumerateLoadedModulesExW 1133 Exported Function
EnumDirTree 1128 Exported Function
chksym 1340 Exported Function
block 1339 Exported Function
_EFN_DumpImage 1125 Exported Function
dbghelp 1341 Exported Function
dh 1342 Exported Function
DbgHelpCreateUserDumpW 1127 Exported Function
DbgHelpCreateUserDump 1126 Exported Function
GetTimestampForLoadedLibrary 1145 Exported Function
GetSymLoadError 1144 Exported Function
fptr 1343 Exported Function
homedir 1344 Exported Function
ImagehlpApiVersion 1151 Exported Function
ImageDirectoryEntryToDataEx 1147 Exported Function
ImageDirectoryEntryToData 1146 Exported Function
FindFileInSearchPath 1143 Exported Function
FindDebugInfoFileExW 1138 Exported Function
FindDebugInfoFileEx 1137 Exported Function
FindDebugInfoFile 1136 Exported Function
FindExecutableImage 1139 Exported Function
FindFileInPath 1142 Exported Function
FindExecutableImageExW 1141 Exported Function
FindExecutableImageEx 1140 Exported Function
StackWalk64 1169 Exported Function
SymFindDebugInfoFileW 1208 Exported Function
SymFindDebugInfoFile 1207 Exported Function
SymEnumTypesW 1199 Exported Function
SymFindExecutableImage 1209 Exported Function
SymFindFileInPathW 1212 Exported Function
SymFindFileInPath 1211 Exported Function
SymFindExecutableImageW 1210 Exported Function
SymEnumTypesByNameW 1198 Exported Function
SymEnumSymbolsForAddr 1193 Exported Function
SymEnumSymbolsExW 1192 Exported Function
SymEnumSymbolsEx 1191 Exported Function
SymEnumSymbolsForAddrW 1194 Exported Function
SymEnumTypesByName 1197 Exported Function
SymEnumTypes 1196 Exported Function
SymEnumSymbolsW 1195 Exported Function
SymFromTokenW 1222 Exported Function
SymFromToken 1221 Exported Function
SymFromNameW 1220 Exported Function
SymFunctionTableAccess 1223 Exported Function
SymGetDiaSession 1113 Exported Function
SymFunctionTableAccess64AccessRoutines 1225 Exported Function
SymFunctionTableAccess64 1224 Exported Function
SymFromName 1219 Exported Function
SymFromAddrW 1214 Exported Function
SymFromAddr 1213 Exported Function
SymFreeDiaString 1112 Exported Function
SymFromIndex 1215 Exported Function
SymFromInlineContextW 1218 Exported Function
SymFromInlineContext 1217 Exported Function
SymFromIndexW 1216 Exported Function
SymCompareInlineTrace 1178 Exported Function
SymCleanup 1177 Exported Function
SymAllocDiaString 1111 Exported Function
SymDeleteSymbol 1179 Exported Function
SymEnumerateModules64 1201 Exported Function
SymEnumerateModules 1200 Exported Function
SymDeleteSymbolW 1180 Exported Function
SymAddSymbolW 1175 Exported Function
SymAddrIncludeInlineTrace 1176 Exported Function
sym 1355 Exported Function
StackWalkEx 1170 Exported Function
SymAddSourceStream 1171 Exported Function
SymAddSymbol 1174 Exported Function
SymAddSourceStreamW 1173 Exported Function
SymAddSourceStreamA 1172 Exported Function
SymEnumSourceFileTokens 1184 Exported Function
SymEnumSourceFilesW 1186 Exported Function
SymEnumSourceFiles 1185 Exported Function
SymEnumSourceLines 1187 Exported Function
SymEnumSymbols 1190 Exported Function
SymEnumSym 1189 Exported Function
SymEnumSourceLinesW 1188 Exported Function
SymEnumProcesses 1183 Exported Function
SymEnumerateSymbols64 1204 Exported Function
SymEnumerateSymbols 1203 Exported Function
SymEnumerateModulesW64 1202 Exported Function
SymEnumerateSymbolsW 1205 Exported Function
SymEnumLinesW 1182 Exported Function
SymEnumLines 1181 Exported Function
SymEnumerateSymbolsW64 1206 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGHELP.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.488 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.488
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/62
  • VirusTotal Link: https://www.virustotal.com/gui/file/735d07693cfbc08330e322675815ed1de7b53f4e8fd970dbaaa9fd842e7e68c3/detection/

Possible Misuse

The following table contains possible examples of dbghelp.dll being misused. While dbghelp.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\dbghelp.dll' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - 'dbghelp.dll' DRL 1.0
signature-base apt_donotteam_ytyframework.yar $s9 = "dbghelp.dll" wide fullword CC BY-NC 4.0
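The two Sigma rules quoted above reduce to a handful of field checks on Sysmon telemetry: Event ID 7 (image load) where a process that has no business making dumps pulls in dbghelp.dll or dbgcore.dll, and Event ID 10 (process access) against lsass.exe whose CallTrace passes through one of those DLLs. The Python below is an added example written for this page, not code from Strontic, the Sigma project or any of the listed tools; it re-implements the gist of both rules over constructed Sysmon-style events so the logic can be exercised offline. The allowlist of benign loaders, the requirement that GrantedAccess include PROCESS_VM_READ, and the sample events are assumptions for illustration; the real rules ship their own, longer filters, and the LSASS check here keys only on dbghelp/dbgcore frames in CallTrace, not on ntdll.dll alone (which nearly every process access passes through).

```python
"""Toy re-implementation of the dbghelp/dbgcore image-load and LSASS
memory-dump detections described on the page. Added example; field names
follow Sysmon Event ID 7 (ImageLoaded) and Event ID 10 (ProcessAccess)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Module suffixes both rules key on. Sysmon paths are case-insensitive, so
# everything is compared lowercased.
DUMP_HELPER_DLLS = ("\\dbghelp.dll", "\\dbgcore.dll")

# ASSUMPTION for illustration only: processes expected to load the dump helpers
# on a typical host. The real Sigma rule carries its own filter list.
ASSUMED_BENIGN_LOADERS = frozenset({
    "c:\\windows\\system32\\werfault.exe",
    "c:\\windows\\system32\\wermgr.exe",
    "c:\\windows\\system32\\taskmgr.exe",
})

# Win32 process access right required to read another process's memory;
# MiniDumpWriteDump cannot work without it. Requiring it here is a
# simplification added for this example.
PROCESS_VM_READ = 0x0010


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def _is_dump_helper(path: str) -> bool:
    p = path.lower()
    return any(p.endswith(d) for d in DUMP_HELPER_DLLS)


def check_dbghelp_load(ev: dict) -> Optional[Alert]:
    """Image-load rule: EID 7 where a non-allowlisted process loads
    dbghelp.dll or dbgcore.dll."""
    if ev.get("EventID") != 7 or not _is_dump_helper(ev.get("ImageLoaded", "")):
        return None
    image = ev.get("Image", "")
    if image.lower() in ASSUMED_BENIGN_LOADERS:
        return None
    return Alert("suspicious_dbghelp_dbgcore_load", image,
                 "loaded " + ev["ImageLoaded"])


def check_lsass_memdump(ev: dict) -> Optional[Alert]:
    """Process-access rule: EID 10 against lsass.exe with memory-read access
    and a call stack containing a dbghelp.dll/dbgcore.dll frame."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    if not granted & PROCESS_VM_READ:
        return None
    # Sysmon CallTrace is a '|'-separated list of "module+offset" frames.
    frames = [f.split("+", 1)[0] for f in ev.get("CallTrace", "").split("|") if f]
    hits = [f for f in frames if _is_dump_helper(f)]
    if not hits:
        return None
    return Alert("lsass_memdump", ev.get("SourceImage", ""),
                 "call stack via " + hits[0])


def run_rules(events: Iterable[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        for rule in (check_dbghelp_load, check_lsass_memdump):
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry) in Sysmon field layout.
SAMPLE_EVENTS = [
    # benign: Windows Error Reporting loading dbghelp to write a crash dump
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
    # suspicious: unknown binary in a world-writable directory loads dbghelp
    {"EventID": 7, "Image": "C:\\Users\\Public\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
    # suspicious: same binary opens lsass with full access, stack via dbghelp
    {"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|"
                  "C:\\Windows\\System32\\dbghelp.dll+5a1c0|"
                  "C:\\Users\\Public\\update.exe+1f2e"},
    # benign: query-only access to lsass, no VM_READ, no dump helper on stack
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|"
                  "C:\\Windows\\System32\\KERNELBASE.dll+2e4f2"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (a.rule, a.image, a.detail))
```

Run against the constructed events, only the two update.exe records fire: one for the image load and one for the LSASS access. Note that the ProcessAccess check depends on Sysmon being configured to log Event ID 10 for lsass.exe at all, and that an allowlist keyed on image path alone is weak against a renamed binary dropped into an allowlisted location; pairing it with the signature data above (verified Microsoft signature, known hash) is the usual tightening.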

MIT License. Copyright (c) 2020-2021 Strontic.