fix: add missing symbol store and PDB debug info sources

These files were referenced in CMakeLists.txt and main.cpp but never committed, breaking the CI build.
2026-05-10 19:59:21 +00:00 · 2026-03-14 08:13:58 -06:00
parent 5b2cf1ae1f
commit 5d2d324946
7 changed files with 664 additions and 6 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -147,6 +147,12 @@ add_executable(Reclass
    src/mcp/mcp_bridge.cpp
    src/addressparser.h
    src/addressparser.cpp
+    src/symbolstore.h
+    src/symbolstore.cpp
+    src/symbol_downloader.h
+    src/symbol_downloader.cpp
+    src/imports/pe_debug_info.h
+    src/imports/pe_debug_info.cpp
    src/disasm.h
    src/disasm.cpp
    third_party/fadec/decode.c
@@ -415,7 +421,7 @@ if(BUILD_TESTING)
    if(BUILD_UI_TESTS)

        add_executable(test_controller tests/test_controller.cpp
-        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp
+        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp src/symbolstore.cpp
        src/processpicker.cpp src/processpicker.ui src/providerregistry.cpp
        src/typeselectorpopup.cpp
        src/themes/theme.cpp src/themes/thememanager.cpp ${DISASM_SRCS})
@@ -429,7 +435,7 @@ if(BUILD_TESTING)
        add_test(NAME test_controller COMMAND test_controller)

        add_executable(test_context_menu tests/test_context_menu.cpp
-        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp
+        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp src/symbolstore.cpp
        src/processpicker.cpp src/processpicker.ui src/providerregistry.cpp
        src/typeselectorpopup.cpp
        src/themes/theme.cpp src/themes/thememanager.cpp ${DISASM_SRCS})
@@ -443,7 +449,7 @@ if(BUILD_TESTING)
        add_test(NAME test_context_menu COMMAND test_context_menu)

        add_executable(test_source_management tests/test_source_management.cpp
-        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp
+        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp src/symbolstore.cpp
        src/processpicker.cpp src/processpicker.ui src/providerregistry.cpp
        src/typeselectorpopup.cpp
        src/themes/theme.cpp src/themes/thememanager.cpp ${DISASM_SRCS})
@@ -475,7 +481,7 @@ if(BUILD_TESTING)
        add_test(NAME test_rendered_view COMMAND test_rendered_view)

        add_executable(test_type_selector tests/test_type_selector.cpp
-        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp
+        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp src/symbolstore.cpp
        src/processpicker.cpp src/processpicker.ui src/providerregistry.cpp
        src/typeselectorpopup.cpp
        src/themes/theme.cpp src/themes/thememanager.cpp ${DISASM_SRCS})
@@ -489,7 +495,7 @@ if(BUILD_TESTING)
        add_test(NAME test_type_selector COMMAND test_type_selector)

        add_executable(test_type_visibility tests/test_type_visibility.cpp
-        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp
+        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp src/symbolstore.cpp
        src/processpicker.cpp src/processpicker.ui src/providerregistry.cpp
        src/typeselectorpopup.cpp
        src/themes/theme.cpp src/themes/thememanager.cpp ${DISASM_SRCS})
@@ -509,7 +515,7 @@ if(BUILD_TESTING)
        add_test(NAME test_options_dialog COMMAND test_options_dialog)

        add_executable(test_source_provider tests/test_source_provider.cpp
-        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp
+        src/editor.cpp src/compose.cpp src/format.cpp src/addressparser.cpp src/controller.cpp src/symbolstore.cpp
        src/processpicker.cpp src/processpicker.ui src/providerregistry.cpp
        src/typeselectorpopup.cpp
        src/themes/theme.cpp src/themes/thememanager.cpp ${DISASM_SRCS}
--- a/src/imports/pe_debug_info.cpp
+++ b/src/imports/pe_debug_info.cpp
@@ -0,0 +1,193 @@
+#include "pe_debug_info.h"
+#include "../providers/provider.h"
+#include <cstring>
+
+namespace rcx {
+
+// Minimal PE structures (no Windows SDK dependency)
+#pragma pack(push, 1)
+struct DosHeader {
+    uint16_t e_magic;     // 'MZ'
+    uint8_t  pad[58];
+    int32_t  e_lfanew;    // offset to PE signature
+};
+
+struct CoffHeader {
+    uint16_t Machine;
+    uint16_t NumberOfSections;
+    uint32_t TimeDateStamp;
+    uint32_t PointerToSymbolTable;
+    uint32_t NumberOfSymbols;
+    uint16_t SizeOfOptionalHeader;
+    uint16_t Characteristics;
+};
+
+struct DataDirectory {
+    uint32_t VirtualAddress;
+    uint32_t Size;
+};
+
+// Only the fields we need from the optional header
+struct OptionalHeader32 {
+    uint16_t Magic;  // 0x10b = PE32, 0x20b = PE32+
+    uint8_t  pad[90];
+    uint32_t NumberOfRvaAndSizes;
+    // DataDirectory[0] = Export, [1] = Import, ... [6] = Debug
+};
+
+struct OptionalHeader64 {
+    uint16_t Magic;  // 0x20b = PE32+
+    uint8_t  pad[106];
+    uint32_t NumberOfRvaAndSizes;
+};
+
+struct DebugDirectory {
+    uint32_t Characteristics;
+    uint32_t TimeDateStamp;
+    uint16_t MajorVersion;
+    uint16_t MinorVersion;
+    uint32_t Type;
+    uint32_t SizeOfData;
+    uint32_t AddressOfRawData;  // RVA when loaded
+    uint32_t PointerToRawData;  // file offset (not used for memory reads)
+};
+
+struct CvInfoPdb70 {
+    uint32_t Signature;  // 'RSDS'
+    uint8_t  Guid[16];
+    uint32_t Age;
+    // char PdbFileName[] follows
+};
+#pragma pack(pop)
+
+static constexpr uint16_t kMZ      = 0x5A4D;
+static constexpr uint32_t kPE      = 0x00004550;
+static constexpr uint16_t kPE32    = 0x10b;
+static constexpr uint16_t kPE32P   = 0x20b;
+static constexpr uint32_t kRSDS    = 0x53445352;
+static constexpr uint32_t kDebugType_CodeView = 2;
+
+static QString guidToString(const uint8_t guid[16]) {
+    // Windows GUID is mixed-endian: Data1(4B LE), Data2(2B LE), Data3(2B LE), Data4(8B sequential)
+    // MS symbol server expects native integer values for Data1/2/3, sequential for Data4
+    uint32_t d1; memcpy(&d1, guid, 4);
+    uint16_t d2; memcpy(&d2, guid + 4, 2);
+    uint16_t d3; memcpy(&d3, guid + 6, 2);
+    QString s = QStringLiteral("%1%2%3")
+        .arg(d1, 8, 16, QLatin1Char('0'))
+        .arg(d2, 4, 16, QLatin1Char('0'))
+        .arg(d3, 4, 16, QLatin1Char('0'));
+    for (int i = 8; i < 16; i++)
+        s += QStringLiteral("%1").arg(guid[i], 2, 16, QLatin1Char('0'));
+    return s.toUpper();
+}
+
+PdbDebugInfo extractPdbDebugInfo(const Provider& prov, uint64_t moduleBase) {
+    PdbDebugInfo result;
+
+    // Read DOS header
+    DosHeader dos;
+    if (!prov.read(moduleBase, &dos, sizeof(dos)))
+        return result;
+    if (dos.e_magic != kMZ)
+        return result;
+
+    uint64_t peOffset = moduleBase + dos.e_lfanew;
+
+    // Read PE signature
+    uint32_t peSig = 0;
+    if (!prov.read(peOffset, &peSig, 4))
+        return result;
+    if (peSig != kPE)
+        return result;
+
+    // Read COFF header
+    uint64_t coffOffset = peOffset + 4;
+    CoffHeader coff;
+    if (!prov.read(coffOffset, &coff, sizeof(coff)))
+        return result;
+
+    // Read optional header magic to determine PE32 vs PE32+
+    uint64_t optOffset = coffOffset + sizeof(CoffHeader);
+    uint16_t optMagic = 0;
+    if (!prov.read(optOffset, &optMagic, 2))
+        return result;
+
+    // Locate debug data directory (index 6)
+    uint32_t numRvaAndSizes = 0;
+    uint64_t dataDirsOffset = 0;
+
+    if (optMagic == kPE32) {
+        // PE32: NumberOfRvaAndSizes at offset 92, data dirs at offset 96
+        if (!prov.read(optOffset + 92, &numRvaAndSizes, 4))
+            return result;
+        dataDirsOffset = optOffset + 96;
+    } else if (optMagic == kPE32P) {
+        // PE32+: NumberOfRvaAndSizes at offset 108, data dirs at offset 112
+        if (!prov.read(optOffset + 108, &numRvaAndSizes, 4))
+            return result;
+        dataDirsOffset = optOffset + 112;
+    } else {
+        return result;
+    }
+
+    if (numRvaAndSizes <= 6)
+        return result; // no debug directory
+
+    DataDirectory debugDir;
+    if (!prov.read(dataDirsOffset + 6 * sizeof(DataDirectory), &debugDir, sizeof(debugDir)))
+        return result;
+
+    if (debugDir.VirtualAddress == 0 || debugDir.Size == 0)
+        return result;
+
+    // Read debug directory entries
+    int numEntries = debugDir.Size / sizeof(DebugDirectory);
+    for (int i = 0; i < numEntries; i++) {
+        DebugDirectory entry;
+        uint64_t entryAddr = moduleBase + debugDir.VirtualAddress + i * sizeof(DebugDirectory);
+        if (!prov.read(entryAddr, &entry, sizeof(entry)))
+            continue;
+
+        if (entry.Type != kDebugType_CodeView)
+            continue;
+
+        // Read CodeView info (RSDS)
+        if (entry.AddressOfRawData == 0 || entry.SizeOfData < sizeof(CvInfoPdb70) + 1)
+            continue;
+
+        CvInfoPdb70 cv;
+        uint64_t cvAddr = moduleBase + entry.AddressOfRawData;
+        if (!prov.read(cvAddr, &cv, sizeof(cv)))
+            continue;
+
+        if (cv.Signature != kRSDS)
+            continue;
+
+        // Read PDB filename (null-terminated string after the struct)
+        int nameMaxLen = entry.SizeOfData - sizeof(CvInfoPdb70);
+        if (nameMaxLen > 260) nameMaxLen = 260;
+        char nameBuf[261] = {};
+        if (!prov.read(cvAddr + sizeof(CvInfoPdb70), nameBuf, nameMaxLen))
+            continue;
+        nameBuf[nameMaxLen] = '\0';
+
+        result.pdbName = QString::fromLatin1(nameBuf);
+        // Extract just the filename if it contains a path
+        int lastSlash = result.pdbName.lastIndexOf('\\');
+        if (lastSlash >= 0)
+            result.pdbName = result.pdbName.mid(lastSlash + 1);
+        int lastFwdSlash = result.pdbName.lastIndexOf('/');
+        if (lastFwdSlash >= 0)
+            result.pdbName = result.pdbName.mid(lastFwdSlash + 1);
+
+        result.guidString = guidToString(cv.Guid);
+        result.age = cv.Age;
+        result.valid = true;
+        return result;
+    }
+
+    return result;
+}
+
+} // namespace rcx
--- a/src/imports/pe_debug_info.h
+++ b/src/imports/pe_debug_info.h
@@ -0,0 +1,20 @@
+#pragma once
+#include <QString>
+#include <cstdint>
+
+namespace rcx {
+
+class Provider;
+
+struct PdbDebugInfo {
+    QString pdbName;      // e.g. "ntoskrnl.pdb"
+    QString guidString;   // 32 hex chars, no dashes, uppercase
+    uint32_t age = 0;
+    bool valid = false;
+};
+
+// Extract PDB debug info (GUID, age, filename) from a PE module in memory.
+// Reads DOS header → PE header → debug directory → CodeView RSDS record.
+PdbDebugInfo extractPdbDebugInfo(const Provider& prov, uint64_t moduleBase);
+
+} // namespace rcx
--- a/src/symbol_downloader.cpp
+++ b/src/symbol_downloader.cpp
@@ -0,0 +1,123 @@
+#include "symbol_downloader.h"
+#include <QNetworkAccessManager>
+#include <QNetworkReply>
+#include <QNetworkRequest>
+#include <QDir>
+#include <QFile>
+#include <QFileInfo>
+#include <QStandardPaths>
+#include <QUrl>
+
+namespace rcx {
+
+SymbolDownloader::SymbolDownloader(QObject* parent)
+    : QObject(parent)
+    , m_nam(new QNetworkAccessManager(this))
+{
+}
+
+QString SymbolDownloader::cacheDir() {
+    QString base = QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation);
+    return base + QStringLiteral("/SymbolCache");
+}
+
+QString SymbolDownloader::findCached(const DownloadRequest& req) const {
+    // Cache layout: cacheDir/pdbName/GUID+age/pdbName
+    QString path = cacheDir() + QStringLiteral("/%1/%2%3/%1")
+        .arg(req.pdbName, req.guidString, QString::number(req.age, 16));
+    if (QFile::exists(path))
+        return path;
+    return {};
+}
+
+QString SymbolDownloader::findLocal(const QString& moduleFullPath, const QString& pdbName) {
+    if (moduleFullPath.isEmpty() || pdbName.isEmpty())
+        return {};
+    // Check same directory as the module
+    QString dir = QFileInfo(moduleFullPath).absolutePath();
+    QString candidate = dir + QStringLiteral("/") + pdbName;
+    if (QFile::exists(candidate))
+        return candidate;
+    return {};
+}
+
+void SymbolDownloader::download(const DownloadRequest& req) {
+    // URL: https://msdl.microsoft.com/download/symbols/{pdbName}/{GUID}{age}/{pdbName}
+    QString url = QStringLiteral("https://msdl.microsoft.com/download/symbols/%1/%2%3/%1")
+        .arg(req.pdbName, req.guidString, QString::number(req.age, 16));
+
+    QUrl reqUrl(url);
+    QNetworkRequest netReq(reqUrl);
+    netReq.setHeader(QNetworkRequest::UserAgentHeader,
+        QStringLiteral("Microsoft-Symbol-Server/10.0.0.0"));
+    netReq.setAttribute(QNetworkRequest::RedirectPolicyAttribute,
+        QNetworkRequest::NoLessSafeRedirectPolicy);
+
+    cancel(); // cancel any previous
+    m_activeReply = m_nam->get(netReq);
+
+    QString moduleName = req.moduleName;
+    QString pdbName = req.pdbName;
+    QString guidString = req.guidString;
+    uint32_t age = req.age;
+
+    connect(m_activeReply, &QNetworkReply::downloadProgress,
+            this, [this, moduleName](qint64 received, qint64 total) {
+        emit progress(moduleName, static_cast<int>(received), static_cast<int>(total));
+    });
+
+    connect(m_activeReply, &QNetworkReply::finished,
+            this, [this, moduleName, pdbName, guidString, age]() {
+        auto* reply = m_activeReply;
+        m_activeReply = nullptr;
+
+        if (!reply) return;
+        reply->deleteLater();
+
+        if (reply->error() != QNetworkReply::NoError) {
+            emit finished(moduleName, {}, false,
+                QStringLiteral("Download failed: %1").arg(reply->errorString()));
+            return;
+        }
+
+        int httpStatus = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
+        if (httpStatus != 200) {
+            emit finished(moduleName, {}, false,
+                QStringLiteral("HTTP %1").arg(httpStatus));
+            return;
+        }
+
+        QByteArray data = reply->readAll();
+        if (data.isEmpty()) {
+            emit finished(moduleName, {}, false, QStringLiteral("Empty response"));
+            return;
+        }
+
+        // Save to cache
+        QString dir = cacheDir() + QStringLiteral("/%1/%2%3")
+            .arg(pdbName, guidString, QString::number(age, 16));
+        QDir().mkpath(dir);
+        QString path = dir + QStringLiteral("/") + pdbName;
+
+        QFile f(path);
+        if (!f.open(QIODevice::WriteOnly)) {
+            emit finished(moduleName, {}, false,
+                QStringLiteral("Cannot write: %1").arg(f.errorString()));
+            return;
+        }
+        f.write(data);
+        f.close();
+
+        emit finished(moduleName, path, true, {});
+    });
+}
+
+void SymbolDownloader::cancel() {
+    if (m_activeReply) {
+        m_activeReply->abort();
+        m_activeReply->deleteLater();
+        m_activeReply = nullptr;
+    }
+}
+
+} // namespace rcx
--- a/src/symbol_downloader.h
+++ b/src/symbol_downloader.h
@@ -0,0 +1,50 @@
+#pragma once
+#include <QObject>
+#include <QString>
+#include <QVector>
+#include <cstdint>
+
+class QNetworkAccessManager;
+class QNetworkReply;
+
+namespace rcx {
+
+class SymbolDownloader : public QObject {
+    Q_OBJECT
+public:
+    explicit SymbolDownloader(QObject* parent = nullptr);
+
+    struct DownloadRequest {
+        QString moduleName;   // display name (e.g. "ntoskrnl.exe")
+        QString pdbName;      // PDB filename (e.g. "ntoskrnl.pdb")
+        QString guidString;   // 32 hex chars, no dashes
+        uint32_t age = 0;
+    };
+
+    // Check if PDB exists in local cache. Returns path or empty.
+    QString findCached(const DownloadRequest& req) const;
+
+    // Check if PDB exists next to the module on disk. Returns path or empty.
+    static QString findLocal(const QString& moduleFullPath, const QString& pdbName);
+
+    // Start downloading a PDB from MS symbol server.
+    // Emits finished() when done (success or failure).
+    void download(const DownloadRequest& req);
+
+    // Cancel any in-progress download.
+    void cancel();
+
+    // Local symbol cache directory.
+    static QString cacheDir();
+
+signals:
+    void progress(const QString& moduleName, int bytesReceived, int bytesTotal);
+    void finished(const QString& moduleName, const QString& localPath,
+                  bool success, const QString& error);
+
+private:
+    QNetworkAccessManager* m_nam = nullptr;
+    QNetworkReply* m_activeReply = nullptr;
+};
+
+} // namespace rcx
--- a/src/symbolstore.cpp
+++ b/src/symbolstore.cpp
@@ -0,0 +1,171 @@
+#include "symbolstore.h"
+#include "providers/provider.h"
+#include <QDebug>
+
+namespace rcx {
+
+uint64_t SymbolStore::getModuleBase(const Provider* provider, const QString& canonical) const {
+    if (!provider)
+        return 0;
+    uint64_t base = provider->symbolToAddress(canonical);
+    if (base == 0)
+        base = provider->symbolToAddress(canonical + QStringLiteral(".exe"));
+    if (base == 0)
+        base = provider->symbolToAddress(canonical + QStringLiteral(".dll"));
+    if (base == 0)
+        base = provider->symbolToAddress(canonical + QStringLiteral(".sys"));
+    return base;
+}
+
+int SymbolStore::addModule(const QString& moduleName, const QString& pdbPath,
+                            const QVector<QPair<QString, uint32_t>>& symbols) {
+    QString canonical = resolveAlias(moduleName);
+
+    PdbSymbolSet set;
+    set.pdbPath = pdbPath;
+    set.moduleName = canonical;
+    set.nameToRva.reserve(symbols.size());
+    set.rvaToName.reserve(symbols.size());
+
+    for (const auto& sym : symbols) {
+        if (set.nameToRva.contains(sym.first))
+            continue;
+        set.nameToRva.insert(sym.first, sym.second);
+        set.rvaToName.append({sym.second, sym.first});
+    }
+
+    set.sortRvaIndex();
+    int count = set.nameToRva.size();
+
+    // Register the raw module name as an alias if it differs from canonical
+    QString rawLower = moduleName.toLower();
+    if (rawLower.endsWith(QStringLiteral(".exe")) || rawLower.endsWith(QStringLiteral(".dll")) ||
+        rawLower.endsWith(QStringLiteral(".sys")))
+        rawLower = rawLower.left(rawLower.lastIndexOf('.'));
+    if (rawLower != canonical)
+        m_aliases[rawLower] = canonical;
+
+    m_modules[canonical] = std::move(set);
+
+    qDebug() << "[SymbolStore] loaded" << count << "symbols for module" << canonical
+             << "(from" << pdbPath << ")";
+    return count;
+}
+
+void SymbolStore::unloadModule(const QString& moduleName) {
+    QString canonical = resolveAlias(moduleName);
+    m_modules.remove(canonical);
+}
+
+uint64_t SymbolStore::resolve(const QString& token, const Provider* provider, bool* ok) const {
+    *ok = false;
+
+    // Check for "module!symbol" syntax
+    int bangIdx = token.indexOf('!');
+    if (bangIdx > 0 && bangIdx < token.size() - 1) {
+        QString modPart = token.left(bangIdx);
+        QString symPart = token.mid(bangIdx + 1);
+        QString canonical = resolveAlias(modPart);
+
+        auto modIt = m_modules.find(canonical);
+        if (modIt == m_modules.end())
+            return 0;
+
+        auto symIt = modIt->nameToRva.find(symPart);
+        if (symIt == modIt->nameToRva.end())
+            return 0;
+
+        uint32_t rva = *symIt;
+        uint64_t moduleBase = getModuleBase(provider, canonical);
+        // Also try the user-supplied module name form
+        if (moduleBase == 0)
+            moduleBase = getModuleBase(provider, modPart);
+
+        *ok = true;
+        return moduleBase + rva;
+    }
+
+    // Bare symbol — search all loaded modules
+    uint32_t foundRva = 0;
+    QString foundModule;
+    int matches = 0;
+
+    for (auto it = m_modules.begin(); it != m_modules.end(); ++it) {
+        auto symIt = it->nameToRva.find(token);
+        if (symIt != it->nameToRva.end()) {
+            foundRva = *symIt;
+            foundModule = it.key();
+            matches++;
+            if (matches > 1)
+                return 0; // ambiguous
+        }
+    }
+
+    if (matches == 1) {
+        uint64_t moduleBase = getModuleBase(provider, foundModule);
+        *ok = true;
+        return moduleBase + foundRva;
+    }
+
+    // Fallback: treat bare token as a module name (e.g. "ntdll" → ntdll base)
+    if (matches == 0) {
+        QString canonical = resolveAlias(token);
+        uint64_t moduleBase = getModuleBase(provider, canonical);
+        if (moduleBase != 0) {
+            *ok = true;
+            return moduleBase;
+        }
+    }
+
+    return 0;
+}
+
+QString SymbolStore::getSymbolForAddress(uint64_t addr, const Provider* provider) const {
+    if (m_modules.isEmpty() || !provider)
+        return {};
+
+    for (auto it = m_modules.begin(); it != m_modules.end(); ++it) {
+        const PdbSymbolSet& set = *it;
+
+        uint64_t moduleBase = getModuleBase(provider, set.moduleName);
+        if (moduleBase == 0)
+            continue;
+
+        if (addr < moduleBase)
+            continue;
+
+        uint32_t rva = static_cast<uint32_t>(addr - moduleBase);
+
+        if (set.rvaToName.isEmpty())
+            continue;
+
+        // Binary search: find last entry with RVA <= target
+        auto upper = std::upper_bound(set.rvaToName.begin(), set.rvaToName.end(), rva,
+            [](uint32_t val, const QPair<uint32_t, QString>& entry) {
+                return val < entry.first;
+            });
+
+        if (upper == set.rvaToName.begin())
+            continue;
+
+        --upper;
+        uint32_t displacement = rva - upper->first;
+
+        static constexpr uint32_t kMaxDisplacement = 0x1000;
+        if (displacement > kMaxDisplacement)
+            continue;
+
+        if (displacement == 0)
+            return set.moduleName + QStringLiteral("!") + upper->second;
+        return set.moduleName + QStringLiteral("!") + upper->second
+             + QStringLiteral("+0x") + QString::number(displacement, 16);
+    }
+
+    return {};
+}
+
+void SymbolStore::addAlias(const QString& alias, const QString& canonicalModule) {
+    m_aliases[alias.toLower()] = canonicalModule.toLower();
+}
+
+} // namespace rcx
--- a/src/symbolstore.h
+++ b/src/symbolstore.h
@@ -0,0 +1,95 @@
+#pragma once
+#include <QString>
+#include <QStringList>
+#include <QHash>
+#include <QVector>
+#include <QPair>
+#include <algorithm>
+
+namespace rcx {
+
+class Provider;  // forward declaration
+
+struct PdbSymbolSet {
+    QString pdbPath;
+    QString moduleName;          // canonical lowercase name (e.g. "ntoskrnl")
+    QHash<QString, uint32_t> nameToRva;
+    QVector<QPair<uint32_t, QString>> rvaToName;  // sorted by RVA for binary search
+
+    void sortRvaIndex() {
+        std::sort(rvaToName.begin(), rvaToName.end(),
+            [](const auto& a, const auto& b) { return a.first < b.first; });
+    }
+};
+
+class SymbolStore {
+public:
+    static SymbolStore& instance() {
+        static SymbolStore s;
+        return s;
+    }
+
+    // Add a pre-extracted symbol set for a module.
+    // moduleName is the canonical name (e.g. "ntoskrnl").
+    // Returns the number of unique symbols stored.
+    int addModule(const QString& moduleName, const QString& pdbPath,
+                  const QVector<QPair<QString, uint32_t>>& symbols);
+
+    // Unload symbols for a module.
+    void unloadModule(const QString& moduleName);
+
+    // Resolve a token from the expression parser.
+    // Handles "module!symbol" (qualified) and bare "symbol" (unqualified).
+    // Uses provider->symbolToAddress() to get the module's runtime base address.
+    uint64_t resolve(const QString& token, const Provider* provider, bool* ok) const;
+
+    // Reverse lookup: given an absolute address and a provider, find the nearest symbol.
+    // Returns "module!symbol" or "module!symbol+0xN", or empty if no match.
+    QString getSymbolForAddress(uint64_t addr, const Provider* provider) const;
+
+    // Check if any symbols are loaded.
+    bool hasSymbols() const { return !m_modules.isEmpty(); }
+
+    // List loaded module names.
+    QStringList loadedModules() const { return m_modules.keys(); }
+
+    // Number of loaded modules.
+    int moduleCount() const { return m_modules.size(); }
+
+    // Access module data by name (returns nullptr if not found).
+    const PdbSymbolSet* moduleData(const QString& moduleName) const {
+        QString canonical = resolveAlias(moduleName);
+        auto it = m_modules.find(canonical);
+        return it != m_modules.end() ? &*it : nullptr;
+    }
+
+    // Add a module alias (e.g. "nt" → "ntoskrnl").
+    void addAlias(const QString& alias, const QString& canonicalModule);
+
+    // Resolve alias to canonical module name (public for callers that need it)
+    QString resolveAlias(const QString& name) const {
+        QString lower = name.toLower();
+        if (lower.endsWith(QStringLiteral(".exe")) || lower.endsWith(QStringLiteral(".dll")) ||
+            lower.endsWith(QStringLiteral(".sys")))
+            lower = lower.left(lower.lastIndexOf('.'));
+        auto it = m_aliases.find(lower);
+        return it != m_aliases.end() ? *it : lower;
+    }
+
+private:
+    SymbolStore() {
+        // Common Windows kernel aliases
+        m_aliases[QStringLiteral("nt")] = QStringLiteral("ntoskrnl");
+        m_aliases[QStringLiteral("ntkrnlmp")] = QStringLiteral("ntoskrnl");
+        m_aliases[QStringLiteral("ntkrnlpa")] = QStringLiteral("ntoskrnl");
+        m_aliases[QStringLiteral("ntkrpamp")] = QStringLiteral("ntoskrnl");
+    }
+
+    // Get the module base address, trying various name forms
+    uint64_t getModuleBase(const Provider* provider, const QString& canonical) const;
+
+    QHash<QString, PdbSymbolSet> m_modules;  // canonical lowercase name → symbol set
+    QHash<QString, QString> m_aliases;        // alias → canonical name
+};
+
+} // namespace rcx