Thanks. I hadn’t considered that.
MM
>> xxxxx@stratus.com 2006-03-06 15:30 >>>
As beta releases are sort of NDA’d I think the OP can’t really
respond.
Perhaps he means a later beta.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Monday, March 06, 2006 3:21 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Private HAL/Kernel Symbols in WDK… “oops” or new policy?
ALEX:
What version of the WDK are you using? I’ve examined the PDBs (both
HAL and KERNEL, all processors) using DIA2DUMP for the 5112 WDK (from
MSDN), and they seem to contain no type information. Here are the dates
and sizes for the AMD64 versions:
HAL.DLL: 2005-07-20; 328,192 bytes
HAL.PDB: 2005-07-20; 322,560 bytes
NTOSKRNL.EXE: 2005-07-20; 6,778,880 bytes
NTOSKRNL.PDB: 2005-07-20; 3,255,296 bytes
I would greatly like to look at this information, so any help would be
appreciated. Any version of the WDK that contains this information
would do what I need.
Thanks very much,
MM
>> xxxxx@videotron.ca 2006-03-05 07:17 >>>
It seems that the WDK now includes the complete private PDBs for the
kernel and the hal in the /debug directory. Instead of merely including
the stripped symbols (only containing some “public” types/enumerations),
these symbols include every single private type used in the kernel/hal
(all ~90 NtQuerySystemInformation classes and their structures, for
example), as well as the prototype for every external and internal
structure, line number information, even variable names. Maybe it’s
time for a “Native API Reference” reprint/update?
In any case, is this an accidental leak or a new policy? I know that the
new ASSERT macro causes an “annotation” to be added in the PDB, instead
of the actual string being in the binary (thus decreasing the size of
checked builds), so it’s possible that annotations can only be seen in
the private PDBs… In any case, I just used the PDBs today on a crash
dump I made, and the information was a *lot* more helpful, so I hope it
stays this way. Nevertheless, I’m not sure if exposing the guts of the
kernel/HAL is what Microsoft intended… although it’s fun to use the
native API sometimes and play in undocumented land (for self-education
or sysinternals-like utilities), this might lower the bar for a lot of
rootkits and malware out there in terms of research required.
Best regards,
Alex Ionescu
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer