Getting PDB7 sig from binary

I would like to provide the option to manually download symbols for the
current version of the OS that the client is running for systems without an
internet connection.

The manifest tool seems to do just that but I would like to provide an
integrated solution without having to distribute the manifest tool along and
capturing its command line output.

There are DbgHelp functions such as SymGetModuleInfoW64 but it requires
symbols to be available in order to be able to extract a PDB7 sig from a
binary. If not, the PDB7 remains zeroed.

The manifest tool instead does not use DbgHelp but relies on symbolcheck.dll
which is redistributable but unfortunately comes without a header file or
documentation or I must have missed something.

So I would like to ask, does anybody know of a way to programmatically
extract a PDB7 signature from a binary
without connecting to a symbol store or server?

//Daniel

Yes, I do.

I don't have the information in front of me, but basically, the
IMAGE_DEBUG_DIRECTORY entry will have a type of CODEVIEW, and the rva of an
RSDS header, which will have the uuid and age (as shown by dumpbin
/HEADERS).

When I get to work in a bit, I’ll clean up this answer, but that’s
basically it.

Mm

dumpbin /pdbpath

File Type: DLL
PDB file found at 'F:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb'

dumpbin /headers

Time     Type   Size  RVA       Pointer
48025D7A cv     23    00060260  5F660    Format: RSDS, {D18A41B7-4E7F-458C-AAAC-1847E2D8BF02}, 2, user32.pdb
48025D7A ( A)   4     0006025C  5F65C    BB030E38

netmon rip

Http: Response, HTTP/1.1, Status: Ok, URL: /download/symbols/user32.pdb/D18A41B74E7F458CAAAC1847E2D8BF022/user32.pd_

On 1/30/12, Martin O’Brien wrote:
> Yes, I do.
>
> I don't have the information in front of me, but basically, the
> IMAGE_DEBUG_DIRECTORY entry will have a type of CODEVIEW, and the rva of an
> RSDS header, which will have the uuid and age (as shown by dumpbin
> /HEADERS).
>
> When I get to work in a bit, I’ll clean up this answer, but that’s
> basically it.
>
> Mm

SO:

IMAGE_OPTIONAL_HEADER::RvaAndSizes[IMAGE_DEBUG_DIRECTORY_ENTRY].Rva + base
-> IMAGE_DEBUG_DIRECTORY

IMAGE_DEBUG_DIRECTORY::Type==IMAGE_DEBUG_TYPE_CODEVIEW
IMAGE_DEBUG_DIRECTORY::PointerToRawData + base -> PDB70_INFO

PDB70_INFO::CodeviewSignature=='RSDS'

struct PDB70_INFO
{
    DWORD CodeviewSignature;  // 'RSDS'
    UUID  PdbSignature;       // the PDB7 signature (GUID)
    DWORD PdbAge;
    UCHAR PdbFilename[1];     // variable length
};

PdbFilename is NULL terminated.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Monday, January 30, 2012 4:14 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Getting PDB7 sig from binary



WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
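
The walk described in the reply above (debug data directory -> IMAGE_DEBUG_DIRECTORY -> RSDS record), as an added example that is not part of the original thread. It works on the raw bytes of a file on disk, so the directory RVA is mapped to a file offset through the section table, while PointerToRawData is already a file offset. The function names and the constructed sample image are assumptions; the sample reuses the user32.pdb GUID and age from the dumpbin output earlier in the thread.

```python
import struct, uuid
IMAGE_DEBUG_TYPE_CODEVIEW = 2

def rsds_info(img):
    """Return (guid, age, pdb_name) from the bytes of a PE file on disk, or None."""
    pe, = struct.unpack_from("<I", img, 0x3C)                 # e_lfanew
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, optsz = struct.unpack_from("<H12xH", img, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", img, opt)
    dirs = opt + (112 if magic == 0x20B else 96)              # PE32+ vs PE32 layout
    if struct.unpack_from("<I", img, dirs - 4)[0] <= 6:       # NumberOfRvaAndSizes
        return None
    rva, size = struct.unpack_from("<II", img, dirs + 6 * 8)  # debug data directory
    off = None
    for i in range(nsect):                                    # map RVA -> file offset
        vsz, va, rsz, raw = struct.unpack_from("<IIII", img, opt + optsz + 40 * i + 8)
        if va <= rva < va + max(vsz, rsz):
            off = rva - va + raw
    if off is None:
        return None                                           # no debug directory on disk
    for ent in range(off, off + size, 28):                    # IMAGE_DEBUG_DIRECTORY[]
        typ, dsz, _, ptr = struct.unpack_from("<IIII", img, ent + 12)
        if typ == IMAGE_DEBUG_TYPE_CODEVIEW and img[ptr:ptr + 4] == b"RSDS":
            guid = uuid.UUID(bytes_le=img[ptr + 4:ptr + 20])  # GUID is stored little-endian
            age, = struct.unpack_from("<I", img, ptr + 20)
            name = img[ptr + 24:ptr + dsz].split(b"\0")[0].decode("ascii", "replace")
            return guid, age, name
    return None                                               # e.g. older NB10 record or stripped

def symbol_path(guid, age, name):
    """Symbol-store relative path: <pdb>/<GUID hex><age hex>/<pdb>."""
    return f"{name}/{guid.hex.upper()}{age:X}/{name}"

def sample_image():
    """Constructed minimal PE32: one section holding a debug directory and an RSDS record."""
    cv = (b"RSDS" + uuid.UUID("D18A41B7-4E7F-458C-AAAC-1847E2D8BF02").bytes_le
          + struct.pack("<I", 2) + b"user32.pdb\0")
    img = bytearray(0x400)
    img[0:2], img[0x3C:0x40], img[0x40:0x44] = b"MZ", struct.pack("<I", 0x40), b"PE\0\0"
    struct.pack_into("<H12xH", img, 0x46, 1, 224)             # 1 section, PE32 optional header
    struct.pack_into("<H", img, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + 48, 0x1000, 28)  # debug directory RVA, size
    struct.pack_into("<8sIIII", img, 0x138, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<IIHHIIII", img, 0x200, 0, 0x48025D7A, 0, 0, 2, len(cv), 0x101C, 0x21C)
    img[0x21C:0x21C + len(cv)] = cv
    return bytes(img)
```

For a real binary, pass the file contents, e.g. rsds_info(open(path, "rb").read()); the symbol_path result has the same layout as the directory in the /pdbpath output and the URL in the netmon capture.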

On 30-Jan-2012 09:45, xxxxx@resplendence.com wrote:

So I would like to ask, does anybody know of a way to programmatically
extract a PDB7 signature from a binary
without connecting to a symbol store or server?

Sure. This one finds the pdb path without any external dependencies
(actually, with a goal to erase it).
http://tinyurl.com/7aox6aj

– pa

I’ve been researching PDBs a pretty good bit lately and have found the old faithful “Undocumented Windows 2000 Secrets” to have all the answers you need regarding PDB/DBG file internals:

http://sveta.rawol.com/?topic=2
^^author has provided full PDF version of the book for free, legally, since it is out of print

The book’s companion CD also came with a PDB parsing tool (recently updated) which probably has some sample code you can use for your purposes:
http://undocumented.rawol.com/win_pdbx.zip

Thanks for these useful replies

//Daniel

well one more way for future searchers

if you don't have dumpbin but have windbg installed you can use dbh
that comes with windbg installation to extract the pdb signature

C:\Documents and Settings\Admin>dbh c:\WINDOWS\system32\user32.dll

user32 [1000000]: info

ImageName : c:\WINDOWS\system32\user32.dll
LoadedImageName : c:\WINDOWS\system32\user32.dll
LoadedPdbName : F:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb
CVSig : 0x53445352
CVData : user32.pdb
PdbSig : 0x0
PdbSig70 : 0xd18a41b7, 0x4e7f, 0x458c, 0xaa, 0xac, 0x18, 0x47, 0xe2, 0xd8, 0xbf, 0x02
PdbAge : 0x2

user32 [1000000]: q

goodbye

C:\Documents and Settings\Admin>

On 1/31/12, xxxxx@resplendence.com wrote:
> Thanks for these useful replies
>
> //Daniel