pdbex is a utility for reconstructing structures and unions from the PDB into compilable C headers
pdbex is a utility for reconstructing structures and unions from PDB files into compilable C headers.

PDB files, among other things, contain information about structures and unions. This information can be very useful - for instance, structures and unions from ntdll.dll or ntoskrnl.exe are handy for experimenting with Windows internals. But the information in PDB files is limited to the symbol name, the member name, its type and its offset. Information about nested anonymous structures and unions is lost. However, with a bit of work, they can be formed back.

I am not aware of any utility which could make a compilable and offset-accurate C header representation of the symbols in a PDB file. Although there do exist some public servers which list some of the structures, they cover only a limited subset of the symbols of files from various Windows versions, and many of them are not offset-accurate. The fact that we have ReactOS and Volatility does not help: they will not provide a header file for any given PDB file.
```
> pdbex.exe _SID ntdll.pdb
/*
 * PDB file: ntdll.pdb
 * Image architecture: x86
 *
 * Dumped by pdbex tool v0.1, by wbenny
 */

typedef struct _SID_IDENTIFIER_AUTHORITY
{
  /* 0x0000 */ unsigned char Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

typedef struct _SID
{
  /* 0x0000 */ unsigned char Revision;
  /* 0x0001 */ unsigned char SubAuthorityCount;
  /* 0x0002 */ struct _SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
  /* 0x0008 */ unsigned long SubAuthority[1];
} SID, *PSID;
```

This command dumps not only the specified symbol but also all symbols referenced by it, in the correct order. If you insist on dumping only the specified symbol, you can disable this feature with the -j- option:
```
> pdbex.exe _SID ntdll.pdb -j- -k-
typedef struct _SID
{
  /* 0x0000 */ unsigned char Revision;
  /* 0x0001 */ unsigned char SubAuthorityCount;
  /* 0x0002 */ struct _SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
  /* 0x0008 */ unsigned long SubAuthority[1];
} SID, *PSID;
```

(The -k- switch is responsible for omitting the header.)

You can also control whether the definitions of referenced symbols should be inlined with the -e [n|i|a] option:

- n - will not inline anything (unnamed symbols are created separately and named TAG_UNNAMED_###)
- i - will inline only unnamed structures and unions (default behavior)
- a - will inline everything

Example of inlining everything:
```
> pdbex.exe _SID ntdll.pdb -e a -k-
typedef struct _SID
{
  /* 0x0000 */ unsigned char Revision;
  /* 0x0001 */ unsigned char SubAuthorityCount;
  struct _SID_IDENTIFIER_AUTHORITY
  {
    /* 0x0002 */ unsigned char Value[6];
  } IdentifierAuthority;
  /* 0x0008 */ unsigned long SubAuthority[1];
} SID, *PSID;
```

Example of not inlining anything:
```
> pdbex.exe _LARGE_INTEGER ntdll.pdb -e n -k-
typedef struct _TAG_UNNAMED_1
{
  /* 0x0000 */ unsigned long LowPart;
  /* 0x0004 */ long HighPart;
} TAG_UNNAMED_1, *PTAG_UNNAMED_1;

typedef union _LARGE_INTEGER
{
  union
  {
    struct
    {
      /* 0x0000 */ unsigned long LowPart;
      /* 0x0004 */ long HighPart;
    };
    /* 0x0000 */ struct _TAG_UNNAMED_1 u;
    /* 0x0000 */ __int64 QuadPart;
  };
} LARGE_INTEGER, *PLARGE_INTEGER;
```

Default behavior:
```
> pdbex.exe _LARGE_INTEGER ntdll.pdb -e i -k-
typedef union _LARGE_INTEGER
{
  union
  {
    struct
    {
      /* 0x0000 */ unsigned long LowPart;
      /* 0x0004 */ long HighPart;
    };
    struct // _TAG_UNNAMED_1
    {
      /* 0x0000 */ unsigned long LowPart;
      /* 0x0004 */ long HighPart;
    } u;
    /* 0x0000 */ __int64 QuadPart;
  };
} LARGE_INTEGER, *PLARGE_INTEGER;
```

You can also dump all symbols by using "*" as the symbol name:

```
> pdbex.exe * ntdll.pdb -o ntdll.h
```

This command dumps all structures and unions to the file ntdll.h.
- Pointers to functions are represented only as void* with an additional comment /* function */.
- Produced structures expect packing alignment to be set to 1 byte.
- Produced unions have one extra union nested inside them (as you can see in the examples above). This is a known cosmetic bug.
- pdbex is designed to dump headers from C projects only; C++ classes are not supported.

Compile pdbex using Visual Studio 2017. A solution file is included. No other dependencies are required.

There are 2 files in the Scripts folder:
- env.bat - sets environment variables for Microsoft Visual C++ 2015
- test.py - testing script
test.py dumps all symbols from the provided PDB file. It also generates a C file which tests whether the offsets of the members of structures and unions match the original offsets in the PDB file. The C file is then compiled using msbuild and run. If the resulting program prints a line starting with [!], it is considered an error; in that case the line also contains information about the struct/union, member and offset that did not match. It prints nothing on success.

Because test.py uses msbuild for creating the tests, special environment variables must be set. This can be accomplished either by running test.py from the developer console or by calling env.bat. The env.bat file exists only for convenience and does nothing else than run VsDevCmd.bat from the default Visual Studio 2015 installation directory. The environment variables are set in the current console process, therefore this script can be called only once.

pdbex -h should make it clear:
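The offset check that test.py's generated C file performs, written out by hand as an added example (this is not the project's own generated code): the _SID layout is the x86 dump shown above, compiled with the 1-byte packing pdbex output expects, and each member's offsetof() is compared with the offset the PDB recorded, reporting mismatches with a [!] line the way test.py does.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: the x86 _SID layout exactly as pdbex dumps it; the
 * offsets in the comments are those from the example output above. pdbex
 * output expects 1-byte packing, hence the pragma. */
#pragma pack(push, 1)
typedef struct _SID_IDENTIFIER_AUTHORITY
{
  /* 0x0000 */ unsigned char Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

typedef struct _SID
{
  /* 0x0000 */ unsigned char Revision;
  /* 0x0001 */ unsigned char SubAuthorityCount;
  /* 0x0002 */ struct _SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
  /* 0x0008 */ unsigned long SubAuthority[1];
} SID, *PSID;
#pragma pack(pop)

/* One expectation per member: the offset the PDB recorded vs. offsetof(). */
struct member_check { const char *symbol, *member; size_t expected, actual; };

/* Compare offsets in the style of test.py's generated program: print one
 * "[!]" line per mismatch, nothing on success, and return the mismatch count. */
static int check_offsets(const struct member_check *checks, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (checks[i].actual == checks[i].expected)
            continue;
        printf("[!] %s.%s: PDB offset 0x%04zx, compiled 0x%04zx\n",
               checks[i].symbol, checks[i].member, checks[i].expected, checks[i].actual);
        bad++;
    }
    return bad;
}

/* Returns the number of _SID members whose compiled offset differs from the PDB. */
int sid_mismatches(void)
{
    const struct member_check checks[] = {
        { "_SID", "Revision",            0x0000, offsetof(SID, Revision) },
        { "_SID", "SubAuthorityCount",   0x0001, offsetof(SID, SubAuthorityCount) },
        { "_SID", "IdentifierAuthority", 0x0002, offsetof(SID, IdentifierAuthority) },
        { "_SID", "SubAuthority",        0x0008, offsetof(SID, SubAuthority) },
    };
    return check_offsets(checks, sizeof checks / sizeof checks[0]);
}
```

Call sid_mismatches() from main(); a non-zero return corresponds to the [!] failure case test.py looks for.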
```
Version v0.18

pdbex <symbol> <path> [-o <filename>] [-t <filename>] [-e <type>]
                      [-u <prefix>] [-s prefix] [-r prefix] [-g suffix]
                      [-p] [-x] [-m] [-b] [-d] [-i] [-l]

<symbol>        Symbol name to extract
                Use '*' if all symbols should be extracted.
                Use '%' if all symbols should be extracted separately.
<path>          Path to the PDB file.
 -o filename    Specifies the output file.                            (stdout)
 -t filename    Specifies the output test file.                       (off)
 -e [n,i,a]     Specifies expansion of nested structures/unions.      (i)
                  n = none            Only top-most type is printed.
                  i = inline unnamed  Unnamed types are nested.
                  a = inline all      All types are nested.
 -u prefix      Unnamed union prefix  (in combination with -d).
 -s prefix      Unnamed struct prefix (in combination with -d).
 -r prefix      Prefix for all symbols.
 -g suffix      Suffix for all symbols.

Following options can be explicitly turned off by adding trailing '-'.
Example: -p-
 -p             Create padding members.                               (T)
 -x             Show offsets.                                         (T)
 -m             Create Microsoft typedefs.                            (T)
 -b             Allow bitfields in union.                             (F)
 -d             Allow unnamed data types.                             (T)
 -i             Use types from stdint.h instead of native types.      (F)
 -j             Print definitions of referenced types.                (T)
 -k             Print header.                                         (T)
 -n             Print declarations.                                   (T)
 -l             Print definitions.                                    (T)
 -f             Print functions.                                      (F)
 -z             Print #pragma pack directives.                        (T)
 -y             Sort declarations and definitions.                    (F)
```

All the code in this repository is open-source under the MIT license. See the LICENSE.txt file in this repository.

If you find this project interesting, you can buy me a coffee:
BTC 3GwZMNGvLCZMi7mjL8K6iyj6qGbhkVMNMF LTC MQn5YC7bZd4KSsaj8snSg4TetmdKDkeCYk