dbghelp.dll

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbghelp.dll
  • Description: Windows Image Helper

Hashes

Type Hash
MD5 EE45933C019AB4DA83A76054E9E181D3
SHA1 36A3BC61DF22B87EB5690BAC3402F98D38143678
SHA256 86E6A1C7927451292A7ABD3803280E1F1D5ABF09E9785DC30F512803E9383BB1
SHA384 6FDBD110A44EDCCF077BC78C38F08FD7B4536F657352FFEED4AAEB6BA78756CBB3076C7B8430DEDC8895AAFCB53EF8B4
SHA512 A8A824F0B46CDC05120DF3FF30E3364C7BC29CDDE7A8CF0D4AD140892A8069A097470E5E1F9C7BCCF0C41DA5D7AAE47A58653F1534CAE4915A27722A35063C63
SSDEEP 24576:5mRJbFmBRDhOQnPR20KEpbhnO0At4lukzUdyqkvOz/D4/2Up+gM0OtA3+CpIc2Ip:UdF1QnPU0Ke/M7+2kjGttCpHGyr3FcaF
IMP DC44D29771563C6C3E0FF86FC7A91133
PESHA1 198DAF75CB535D88F42446D90A20D9C4C7F14ED3
PE256 1B42A74CC9E5AC8AEA2F68F6234DC4ABD2EF6E8D18DFCEC68F6B49D2BA42DBAF

DLL Exports:

Function Name Ordinal Type
SymGetSourceFile 1257 Exported Function
SymGetSourceFileChecksum 1258 Exported Function
SymGetSearchPath 1255 Exported Function
SymGetSearchPathW 1256 Exported Function
SymGetSourceFileFromTokenW 1261 Exported Function
SymGetSourceFileToken 1262 Exported Function
SymGetSourceFileChecksumW 1259 Exported Function
SymGetSourceFileFromToken 1260 Exported Function
SymGetModuleInfoW64 1249 Exported Function
SymGetOmapBlockBase 1123 Exported Function
SymGetModuleInfo64 1247 Exported Function
SymGetModuleInfoW 1250 Exported Function
SymGetScope 1253 Exported Function
SymGetScopeW 1254 Exported Function
SymGetOmaps 1251 Exported Function
SymGetOptions 1252 Exported Function
SymGetSymNext 1272 Exported Function
SymGetSymNext64 1271 Exported Function
SymGetSymFromName 1270 Exported Function
SymGetSymFromName64 1269 Exported Function
SymGetTypeFromName 1277 Exported Function
SymGetTypeFromNameW 1278 Exported Function
SymGetSymPrev 1274 Exported Function
SymGetSymPrev64 1273 Exported Function
SymGetSourceVarFromToken 1265 Exported Function
SymGetSourceVarFromTokenW 1266 Exported Function
SymGetSourceFileTokenW 1263 Exported Function
SymGetSourceFileW 1264 Exported Function
SymGetSymFromAddr 1268 Exported Function
SymGetSymFromAddr64 1267 Exported Function
SymGetSymbolFile 1275 Exported Function
SymGetSymbolFileW 1276 Exported Function
SymGetDiaSession 1122 Exported Function
SymGetExtendedOption 1227 Exported Function
SymFunctionTableAccess64 1224 Exported Function
SymFunctionTableAccess64AccessRoutines 1225 Exported Function
SymGetHomeDirectoryW 1230 Exported Function
SymGetLineFromAddr 1232 Exported Function
SymGetFileLineOffsets64 1228 Exported Function
SymGetHomeDirectory 1229 Exported Function
SymFromInlineContextW 1219 Exported Function
SymFromName 1220 Exported Function
SymFromIndexW 1217 Exported Function
SymFromInlineContext 1218 Exported Function
SymFromTokenW 1223 Exported Function
SymFunctionTableAccess 1226 Exported Function
SymFromNameW 1221 Exported Function
SymFromToken 1222 Exported Function
SymGetLinePrev 1243 Exported Function
SymGetLinePrev64 1242 Exported Function
SymGetLineNext64 1239 Exported Function
SymGetLineNextW64 1241 Exported Function
SymGetModuleBase64 1245 Exported Function
SymGetModuleInfo 1248 Exported Function
SymGetLinePrevW64 1244 Exported Function
SymGetModuleBase 1246 Exported Function
SymGetLineFromInlineContext 1234 Exported Function
SymGetLineFromInlineContextW 1235 Exported Function
SymGetLineFromAddr64 1231 Exported Function
SymGetLineFromAddrW64 1233 Exported Function
SymGetLineFromNameW64 1238 Exported Function
SymGetLineNext 1240 Exported Function
SymGetLineFromName 1237 Exported Function
SymGetLineFromName64 1236 Exported Function
SymGetTypeInfo 1279 Exported Function
SymSrvGetFileIndexesW 1324 Exported Function
SymSrvGetFileIndexInfo 1319 Exported Function
SymSrvDeltaNameW 1318 Exported Function
SymSrvGetFileIndexes 1323 Exported Function
SymSrvGetFileIndexStringW 1322 Exported Function
SymSrvGetSupplement 1325 Exported Function
SymSrvGetFileIndexInfoW 1320 Exported Function
SymSrvGetFileIndexString 1321 Exported Function
SymSetScopeFromIndex 1313 Exported Function
SymSetScopeFromInlineContext 1314 Exported Function
SymSetParentWindow 1311 Exported Function
SymSetScopeFromAddr 1312 Exported Function
symsrv 1358 Exported Function
SymSrvDeltaName 1317 Exported Function
SymSetSearchPath 1315 Exported Function
SymSetSearchPathW 1316 Exported Function
SymUnloadModule64 1335 Exported Function
UnDecorateSymbolName 1337 Exported Function
SymUnDName64 1333 Exported Function
SymUnloadModule 1336 Exported Function
vc7fpo 1359 Exported Function
WinDbgExtensionDllInit 1340 Exported Function
UnDecorateSymbolNameW 1338 Exported Function
UnmapDebugInformation 1339 Exported Function
SymSrvIsStoreW 1328 Exported Function
SymSrvStoreFile 1329 Exported Function
SymSrvGetSupplementW 1326 Exported Function
SymSrvIsStore 1327 Exported Function
SymSrvStoreSupplementW 1332 Exported Function
SymUnDName 1334 Exported Function
SymSrvStoreFileW 1330 Exported Function
SymSrvStoreSupplement 1331 Exported Function
SymMatchString 1290 Exported Function
SymMatchStringA 1291 Exported Function
SymMatchFileName 1288 Exported Function
SymMatchFileNameW 1289 Exported Function
SymNextW 1294 Exported Function
SymPrev 1295 Exported Function
SymMatchStringW 1292 Exported Function
SymNext 1293 Exported Function
SymInitialize 1282 Exported Function
SymInitializeW 1283 Exported Function
SymGetTypeInfoEx 1280 Exported Function
SymGetUnwindInfo 1281 Exported Function
SymLoadModuleEx 1286 Exported Function
SymLoadModuleExW 1287 Exported Function
SymLoadModule 1285 Exported Function
SymLoadModule64 1284 Exported Function
SymSetContext 1306 Exported Function
SymSetDiaSession 1124 Exported Function
SymSearch 1304 Exported Function
SymSearchW 1305 Exported Function
SymSetHomeDirectoryW 1309 Exported Function
SymSetOptions 1310 Exported Function
SymSetExtendedOption 1307 Exported Function
SymSetHomeDirectory 1308 Exported Function
SymRefreshModuleList 1298 Exported Function
SymRegisterCallback 1300 Exported Function
SymPrevW 1296 Exported Function
SymQueryInlineTrace 1297 Exported Function
SymRegisterFunctionEntryCallback 1303 Exported Function
SymRegisterFunctionEntryCallback64 1302 Exported Function
SymRegisterCallback64 1299 Exported Function
SymRegisterCallbackW64 1301 Exported Function
SymFromIndex 1216 Exported Function
omap 1351 Exported Function
optdbgdump 1352 Exported Function
MiniDumpReadDumpStream 1155 Exported Function
MiniDumpWriteDump 1156 Exported Function
Ordinal1102 1102 Exported Function
Ordinal1103 1103 Exported Function
optdbgdumpaddr 1353 Exported Function
Ordinal1101 1101 Exported Function
inlinedbg 1347 Exported Function
itoldyouso 1348 Exported Function
ImageRvaToSection 1149 Exported Function
ImageRvaToVa 1150 Exported Function
MakeSureDirectoryPathExists 1153 Exported Function
MapDebugInformation 1154 Exported Function
lmi 1349 Exported Function
lminfo 1350 Exported Function
Ordinal1114 1114 Exported Function
Ordinal1115 1115 Exported Function
Ordinal1112 1112 Exported Function
Ordinal1113 1113 Exported Function
Ordinal1118 1118 Exported Function
Ordinal1119 1119 Exported Function
Ordinal1116 1116 Exported Function
Ordinal1117 1117 Exported Function
Ordinal1106 1106 Exported Function
Ordinal1107 1107 Exported Function
Ordinal1104 1104 Exported Function
Ordinal1105 1105 Exported Function
Ordinal1110 1110 Exported Function
Ordinal1111 1111 Exported Function
Ordinal1108 1108 Exported Function
Ordinal1109 1109 Exported Function
EnumerateLoadedModules64 1130 Exported Function
EnumerateLoadedModulesEx 1132 Exported Function
EnumDirTreeW 1129 Exported Function
EnumerateLoadedModules 1131 Exported Function
ExtensionApiVersion 1135 Exported Function
FindDebugInfoFile 1136 Exported Function
EnumerateLoadedModulesExW 1133 Exported Function
EnumerateLoadedModulesW64 1134 Exported Function
chksym 1342 Exported Function
dbghelp 1343 Exported Function
_EFN_DumpImage 1125 Exported Function
block 1341 Exported Function
dh 1344 Exported Function
EnumDirTree 1128 Exported Function
DbgHelpCreateUserDump 1126 Exported Function
DbgHelpCreateUserDumpW 1127 Exported Function
homedir 1346 Exported Function
ImageDirectoryEntryToData 1146 Exported Function
GetSymLoadError 1144 Exported Function
GetTimestampForLoadedLibrary 1145 Exported Function
ImagehlpApiVersionEx 1152 Exported Function
ImageNtHeader 1148 Exported Function
ImageDirectoryEntryToDataEx 1147 Exported Function
ImagehlpApiVersion 1151 Exported Function
FindExecutableImage 1139 Exported Function
FindExecutableImageEx 1140 Exported Function
FindDebugInfoFileEx 1137 Exported Function
FindDebugInfoFileExW 1138 Exported Function
FindFileInSearchPath 1143 Exported Function
fptr 1345 Exported Function
FindExecutableImageExW 1141 Exported Function
FindFileInPath 1142 Exported Function
RangeMapAddPeImageSections 1157 Exported Function
SymEnumSourceLines 1188 Exported Function
SymEnumSourceLinesW 1189 Exported Function
SymEnumSourceFilesW 1187 Exported Function
SymEnumSourceFileTokens 1185 Exported Function
SymEnumSymbolsEx 1192 Exported Function
SymEnumSymbolsExW 1193 Exported Function
SymEnumSym 1190 Exported Function
SymEnumSymbols 1191 Exported Function
SymEnumerateSymbolsW 1207 Exported Function
SymEnumerateSymbolsW64 1206 Exported Function
SymEnumerateSymbols 1205 Exported Function
SymEnumerateSymbols64 1204 Exported Function
SymEnumProcesses 1184 Exported Function
SymEnumSourceFiles 1186 Exported Function
SymEnumLines 1182 Exported Function
SymEnumLinesW 1183 Exported Function
SymFindExecutableImageW 1211 Exported Function
SymFindFileInPath 1212 Exported Function
SymFindDebugInfoFileW 1209 Exported Function
SymFindExecutableImage 1210 Exported Function
SymFromAddr 1214 Exported Function
SymFromAddrW 1215 Exported Function
SymFindFileInPathW 1213 Exported Function
SymFreeDiaString 1121 Exported Function
SymEnumSymbolsW 1196 Exported Function
SymEnumTypes 1197 Exported Function
SymEnumSymbolsForAddr 1194 Exported Function
SymEnumSymbolsForAddrW 1195 Exported Function
SymEnumTypesW 1200 Exported Function
SymFindDebugInfoFile 1208 Exported Function
SymEnumTypesByName 1198 Exported Function
SymEnumTypesByNameW 1199 Exported Function
SetSymLoadError 1168 Exported Function
srcfiles 1354 Exported Function
SearchTreeForFileW 1166 Exported Function
SetCheckUserInterruptShared 1167 Exported Function
StackWalk 1170 Exported Function
StackWalk64 1169 Exported Function
stack_force_ebp 1355 Exported Function
stackdbg 1356 Exported Function
RangeMapRead 1160 Exported Function
RangeMapRemove 1161 Exported Function
RangeMapCreate 1158 Exported Function
RangeMapFree 1159 Exported Function
ReportSymbolLoadSummary 1164 Exported Function
SearchTreeForFile 1165 Exported Function
RangeMapWrite 1162 Exported Function
RemoveInvalidModuleList 1163 Exported Function
SymCompareInlineTrace 1179 Exported Function
SymDeleteSymbol 1180 Exported Function
SymAllocDiaString 1120 Exported Function
SymCleanup 1178 Exported Function
SymEnumerateModules64 1201 Exported Function
SymEnumerateModulesW64 1203 Exported Function
SymDeleteSymbolW 1181 Exported Function
SymEnumerateModules 1202 Exported Function
SymAddrIncludeInlineTrace 1177 Exported Function
SymAddSourceStream 1172 Exported Function
StackWalkEx 1171 Exported Function
sym 1357 Exported Function
SymAddSymbol 1175 Exported Function
SymAddSymbolW 1176 Exported Function
SymAddSourceStreamA 1173 Exported Function
SymAddSourceStreamW 1174 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGHELP.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/86e6a1c7927451292a7abd3803280e1f1d5abf09e9785dc30f512803e9383bb1/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\srcsrv\dbghelp.dll 97

Possible Misuse

The following table contains possible examples of dbghelp.dll being misused. While dbghelp.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\dbghelp.dll' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - 'dbghelp.dll' DRL 1.0
signature-base apt_donotteam_ytyframework.yar $s9 = “dbghelp.dll” wide fullword CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.