Fetching a .PDB from Microsoft


7 replies to this topic

#1 Sha0

Sha0

    WinVBlock Dev

  • Developer
  • 1682 posts
  • Location:reboot.pro Forums
  • Interests:Booting
  • Canada

Posted 24 February 2011 - 09:52 PM

You need these two files from Microsoft's Debugging Tools for Windows[1]:

\Program Files\Debugging Tools for Windows\dbh.exe

\Program Files\Debugging Tools for Windows\dbghelp.dll

Load Notepad:

dbh \windows\system32\notepad.exe

Take note of some of the details[2]:

notepad [1000000]: info

...

          PdbSig : 0x0

        PdbSig70 : 0xAAAAAAAA, 0xBBBB, 0xCCCC, 0xDD, 0xEE, 0xFF, 0xGG, 0xHH, 0xII, 0xJJ, 0xKK

          PdbAge : 0xL

...

Now mash some of those digits together, as in AAAAAAAABBBBCCCCDDEEFFGGHHIIJJKKL.

You can download the Program Database File (.PDB) using curl:

curl --user-agent "Microsoft-Symbol-Server" http://msdl.microsoft.com/download/symbols/notepad.pdb/AAAAAAAABBBBCCCCDDEEFFGGHHIIJJKKL/notepad.pd_ --output notepad.pd_

or using wget:

wget --user-agent="Microsoft-Symbol-Server" http://msdl.microsoft.com/download/symbols/notepad.pdb/AAAAAAAABBBBCCCCDDEEFFGGHHIIJJKKL/notepad.pd_


Unfortunately, the wget I tested only uses HTTP 1.0, and Microsoft's symbol server doesn't seem to like that.

Now let's try the OSLoader.Exe embedded in the Windows NTLDR boot-loader.

You need to extract OsLoader.Exe. Use a hex-editor (such as TinyHexer), open NTLDR, and search for the MZ signature. Copy everything from (and including) the MZ to the end of the file. Copy and paste it into a new file, then save that file as OsLoader.Exe.

Please do not disassemble Microsoft Windows programs if your End-User License Agreement denies you that use. For example, see section 4, LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY, of \I386\EULA.TXT on your Windows XP/2003 installation disc:

You may not reverse engineer, decompile, or disassemble the
Software, except and only to the extent that such activity
is expressly permitted by applicable law notwithstanding
this limitation.


Expand OsLoader.Exe from your XP/2003 installation disc:

expand d:\i386\osloader.ex_ osloader.exe


Follow the example procedure detailed above to fetch the Microsoft-provided .PDB for your licensed copy of OsLoader.Exe. Expand the .PDB to the same directory as your OsLoader.Exe:

expand osloader.pd_ osloader.pdb


Examine the OsLoader.Exe symbols:

dbh osloader.exe

x


Make a note of the address of any interesting functions, such as NtfsOpen and NtfsRead. Maybe even the address of an exported function, such as ScsiPortInitialize.

Just for fun.

[1] http://msdn.microsof...e/gg463009.aspx
[2] http://stackoverflow...-hash-algorithm
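The "mash the digits together" step is the symbol-server key: the PdbSig70 GUID written as hex in Data1, Data2, Data3, Data4 order, followed by PdbAge in hex with no zero padding, and the file requested is the compressed copy with its last letter replaced by an underscore. The script below is an added example, not code from the original post or from Microsoft's debugging tools. It reads the same fields dbh shows (TimeDateStamp, ImageSize, PdbSig70, PdbAge, CVData) straight from a PE's debug directory and forms the download URL for the .PDB; it also forms the key for the executable itself (TimeDateStamp followed by SizeOfImage), which goes beyond this post and is the convention betrand alludes to later in the thread. The symbol-server URL is the one used in this post; the PE it parses is a constructed fixture, and its GUID is a stand-in for the AAAA... placeholder digits, not notepad's real signature.

```python
# Added example (not from the thread): build symbol-server keys from a PE's debug directory.
import struct
import uuid

SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"  # server used in the thread
IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DIRECTORY_ENTRY_DEBUG = 6

def _rva_to_offset(rva, sections):
    # sections: (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not covered by any section" % rva)

def parse_pe_debug_info(data):
    """Return TimeDateStamp, SizeOfImage and the RSDS guid/age/name; 'pdb' is None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF: NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader
    n_sections, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B = PE32, 0x20B = PE32+
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)            # first data directory
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    sections = []
    for i in range(n_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {"timestamp": timestamp, "size_of_image": size_of_image, "pdb": None}
    if dbg_rva == 0:
        return info                                             # no debug directory at all
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for n in range(dbg_size // 28):                             # IMAGE_DEBUG_DIRECTORY is 28 bytes
        _, _, _, _, dtype, data_size, _, raw_ptr = struct.unpack_from("<IIHHIIII", data, dbg_off + 28 * n)
        cv = data[raw_ptr:raw_ptr + data_size]                  # PointerToRawData is a file offset
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or cv[:4] != b"RSDS":
            continue                                            # older NB10 records carry no GUID
        guid = uuid.UUID(bytes_le=bytes(cv[4:20]))              # what dbh prints as PdbSig70
        age = struct.unpack_from("<I", cv, 20)[0]               # PdbAge
        name = cv[24:].split(b"\0", 1)[0].decode("ascii", "replace")
        info["pdb"] = {"guid": guid, "age": age, "name": name}
        break
    return info

def pdb_symbol_key(guid, age):
    """GUID hex in Data1..Data4 order, then Age in hex with no zero padding."""
    return "%s%X" % (str(guid).replace("-", "").upper(), age)

def image_symbol_key(timestamp, size_of_image):
    """Key for the executable itself: 8-digit TimeDateStamp, then SizeOfImage, both hex."""
    return "%08X%X" % (timestamp, size_of_image)

def symbol_server_url(file_name, key, server=SYMBOL_SERVER):
    """URL of the compressed copy (last letter replaced by '_'), as in notepad.pd_."""
    return "%s/%s/%s/%s" % (server, file_name, key, file_name[:-1] + "_")

def build_sample_pe(guid, age, timestamp, size_of_image, pdb_name=b"notepad.pdb"):
    """Constructed minimal PE32 (one section, one RSDS record); a fixture, not a real binary."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 56, size_of_image)
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, 28)
    # one section header: RVA 0x1000 maps to file offset 0x200
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_name + b"\0"
    struct.pack_into("<IIHHIIII", img, 0x200, 0, timestamp, 0, 0,
                     IMAGE_DEBUG_TYPE_CODEVIEW, len(cv), 0x1020, 0x220)
    img[0x220:0x220 + len(cv)] = cv
    return bytes(img)

def demo():
    """Parse the constructed PE and return (info, pdb_url, exe_url)."""
    guid = uuid.UUID("aaaaaaaa-bbbb-cccc-ddee-ff0011223344")   # constructed stand-in for the AAAA... digits
    pe = build_sample_pe(guid, 0xC, 0x4A5BC9B3, 0x1000000)       # TimeDateStamp/ImageSize as shown in post #6
    info = parse_pe_debug_info(pe)
    pdb = info["pdb"]
    pdb_url = symbol_server_url(pdb["name"], pdb_symbol_key(pdb["guid"], pdb["age"]))
    exe_url = symbol_server_url("notepad.exe", image_symbol_key(info["timestamp"], info["size_of_image"]))
    return info, pdb_url, exe_url

if __name__ == "__main__":
    _, pdb_url, exe_url = demo()
    print('curl --user-agent "Microsoft-Symbol-Server" %s --output notepad.pd_' % pdb_url)
    print("image key URL:", exe_url)
```

To use it on a real file, replace the `demo()` fixture with `parse_pe_debug_info(open(path, "rb").read())`; if the result's `pdb` entry is `None`, the binary has no RSDS CodeView record, so there is no GUID to build a key from and the .PDB lookup cannot be formed from that file.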

#2 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  • Canada

Posted 09 August 2011 - 11:25 AM

Why do I get this for PdbSig?

PdbSig70 : 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00

Edited by AceInfinity, 09 August 2011 - 11:52 AM.


#3 betrand

betrand

    Frequent Member

  • Advanced user
  • 467 posts
  • France

Posted 25 September 2011 - 12:44 PM

I get this too.


PdbSig70 : 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00


I tried dumpbin.exe also; I get the date and time, not the size, or it's not in msdl symbol format.

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13752 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 25 September 2011 - 12:58 PM

Why do I get this for PdbSig?

I get this too.

Running WHICH EXACT command?
After having setup EXACTLY HOW your environment?
Running WHICH EXACT Windows OS?
Etc., etc. etc..... :frusty:

http://homepages.tes...ard-litany.html

:cheers:
Wonko

#5 betrand

betrand

    Frequent Member

  • Advanced user
  • 467 posts
  • France

Posted 25 September 2011 - 01:26 PM

Running WHICH EXACT command?
After having setup EXACTLY HOW your environment?
Running WHICH EXACT Windows OS?
Etc., etc. etc.....

http://homepages.tes...ard-litany.html


Wonko

OK.


You need these two files from Microsoft's Debugging Tools for Windows[1]:


\Program Files\Debugging Tools for Windows\dbh.exe

\Program Files\Debugging Tools for Windows\dbghelp.dll

Ok.

Load Notepad:


dbh \windows\system32\notepad.exe

OK.


Expand OsLoader.Exe from your XP/2003 installation disc:


I did the Mz to osloader.exe (minus 16bit part) thing.


Follow the example procedure detailed above

ie,


Load Notepad:


dbh \windows\system32\notepad.exe

Take note of some of the details[2]:

notepad [1000000]: info


I did:



dbh \user\folder\osloader.exe
osloader [1000000]: info


Follow the example procedure detailed above to fetch the Microsoft-provided .PDB


I wonder if:

for your licensed copy of OsLoader.Exe

Means the extracted Mz .exe would not work with Msdl. Edit: no, I had tried with an Osloader.exe from an XP/2003 installation disc too.
OS: Win7 32-bit.

Cheers.




Edit, more info..

You need these two files from Microsoft's Debugging Tools for Windows[1]:

http://msdn.microsof...e/gg463009.aspx
Would a different version of the files be the prob? (different O.S, I mean)

edit,

Tried these, http://msdn.microsof...gg463016.aspx#a. No better.





Btw, Pdb Guids are as follows: http://code.google.c...DBHeadersFormat

#6 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  • Canada

Posted 28 September 2011 - 05:12 AM

dbh "C:\Windows\System32\notepad.exe"

Then "info" on:
notepad [1000000]:

and I get:
SizeOfStruct : 0x688

BaseOfImage : 0x1677721664x

ImageSize : 0x1000000

TimeDateStamp : 0x4a5bc9b3

CheckSum : 0x3e749

NumSyms : 0x0

SymType : SymNone

ModuleName : notepad

ImageName : C:\Windows\System32\notepad.exe

LoadedImageName : C:\Windows\System32\notepad.exe

LoadedPdbName :

CVSig : 0x53445352

CVData : notepad.pdb

PdbSig : 0x0

PdbSig70 : 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00

PdbAge : 0x0

PdbUnmatched : false

DbgUnmatched : false

LineNumbers : false

GlobalSymbols : false

TypeInfo : false

SourceIndexed : false

PublicSymbols : false

Windows 7 64 bit.

I have an environment variable set for dbh.exe so I don't have to put it in my System32 folder.

@betrand: How did you manage to get that far if your PdbSig70 output shows 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 :confused1:

#7 betrand

betrand

    Frequent Member

  • Advanced user
  • 467 posts
  • France

Posted 28 September 2011 - 01:15 PM

dbh "C:\Windows\System32\notepad.exe"

Then "info" on:
notepad [1000000]:


Notepad.exe is just for the example. You don't need to do

dbh "C:\Windows\System32\notepad.exe"

(if you want ntldr.pdb :dubbio: )

and I get:

SizeOfStruct : 0x688

BaseOfImage : 0x1677721664x

ImageSize : 0x1000000

TimeDateStamp : 0x4a5bc9b3

CheckSum : 0x3e749

NumSyms : 0x0

SymType : SymNone

ModuleName : notepad

ImageName : C:\Windows\System32\notepad.exe

LoadedImageName : C:\Windows\System32\notepad.exe

LoadedPdbName :

CVSig : 0x53445352

CVData : notepad.pdb

PdbSig : 0x0

PdbSig70 : 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00

PdbAge : 0x0

PdbUnmatched : false

DbgUnmatched : false

LineNumbers : false

GlobalSymbols : false

TypeInfo : false

SourceIndexed : false

PublicSymbols : false

I mention trying dumpbin.exe, just another util to get timestamp etc. With dbh.exe we could maybe, it is just a supposition, try to rebuild the timestamp and size code, with:

ImageSize : 0x1000000

TimeDateStamp : 0x4a5bc9b3

(see links above)


@betrand: How did you manage to get that far if your PdbSig70 output shows 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 :confused1:

We got as far :)
(I mean, how far do you think I went? :))

#8 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  • Canada

Posted 28 September 2011 - 10:21 PM

lol okay :) I know, I was just using Notepad as a test to begin with; however, Paint didn't result in anything either for me. Not sure why, I'll go retest.

Edit: Still get a bunch of 0's for mspaint.exe

(I'm using the 64 bit windows debugging tools kit)



