
I need to debug a DLL, which I have a PDB file for.

The debug target is a program that loads the DLL using the MemoryModule library from GitHub.

The loaded module isn't listed as a module in x64dbg, since it has been loaded with the MemoryLoadLibraryEx function, but the module handle is still valid and it's all been successfully loaded and initialized.

I've tried the symload x64dbg command with an address as the argument, pointing to the beginning of the memory-loaded module (MZ...), and tried pointing to the PE... signature as well, but with no success.

How do I tell x64dbg that memory at an address is a valid module, so that I could load a PDB for that module?

1 Answer

x64dbg has the virtualmod command, which (in theory) can be used to detect modules loaded from memory, rather than via LoadLibrary* APIs:

virtualmod

Tell the debugger to treat a memory range as a virtual module.

Arguments:
arg1 the user-supplied module name.
arg2 the base of the memory range.
[arg3] the size of the memory range.

However, this command seems to be broken at the time of writing this answer. I've experimented a little bit and managed to make it functional, see this commit in a forked repository for reference. This will allow you to see the module in x64dbg, as well as its symbols, exports, imports etc. For a fully native experience, though, a fix is needed in MemoryModule as well - see this commit in a forked repository for reference.

To use it, execute the following in x64dbg:

virtualmod some_module_name.dll, 0xsome_base_address

If you don't mind building your own x64dbg and MemoryModule and applying these fixes, this should work out-of-the-box (no promises though). I've also opened an issue in x64dbg to discuss the state of virtualmod and whether it can be fixed in the main branch as well.
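
An added example, not part of the original answer or of x64dbg: a small Python helper that reads SizeOfImage from the header bytes found at the module base (the MZ... page mentioned in the question) and builds the virtualmod line with the optional third argument filled in. It assumes the header page has been dumped to bytes and that the size is written in the same 0x form the answer uses for the base; the sample header and base address are constructed.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B
SIZE_OF_IMAGE_OFF = 56  # same offset in PE32 and PE32+ optional headers


def size_of_image(header: bytes) -> int:
    """Read OptionalHeader.SizeOfImage from the first bytes of a mapped image."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        raise ValueError("no MZ signature at the given base")
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    opt = e_lfanew + 4 + 20  # skip PE signature and COFF file header
    if opt + SIZE_OF_IMAGE_OFF + 4 > len(header):
        raise ValueError("dump too short to reach the optional header")
    if header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    (magic,) = struct.unpack_from("<H", header, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (size,) = struct.unpack_from("<I", header, opt + SIZE_OF_IMAGE_OFF)
    return size


def virtualmod_command(name: str, base: int, header: bytes) -> str:
    """Build the command line in the form used in the answer, plus the size."""
    return f"virtualmod {name}, {base:#x}, {size_of_image(header):#x}"


def constructed_header(magic=PE32_PLUS, image_size=0x25000, e_lfanew=0x80):
    """Constructed sample: a minimal header page, not taken from a real DLL."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    struct.pack_into("<I", buf, e_lfanew + 24 + SIZE_OF_IMAGE_OFF, image_size)
    return bytes(buf)


if __name__ == "__main__":
    # The base address below is a constructed placeholder value.
    print(virtualmod_command("some_module_name.dll", 0x180000000,
                             constructed_header()))
```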
