Microsoft Symbol Server / Local Cache Hash Algorithm

5

14

I am trying to figure out what hashing algorithm is used for the Microsoft Symbol Local Cache directory.

For example, the local cache can be something like the following

  L:\Symbols
      \browseui.dll
        \44FBC679fe000
          browseui.dll
      \browseui.pdb
        \44F402F62
          browseui.pdb
      \explorer.exe
        \3EBF1F14f7000
          explorer.exe
      \explorer.pdb
        \3EBF1F141
          explorer.pdb
      \msvcr71.pdb
        \60D915C6AB6A4F3586E9096E2F8856482
          msvcr71.pdb

There seems to be some sort of correspondence between a file and its debug database. Other than that, I can’t figure out how the names of these (presumably) hexadecimal string folders are being generated.

Some of them are 9 digits, some 13 digits, and others are 33 digits. It looks like an actual, live-file (which for some reason is stored in the symbol cache) has a 13-digit hash while its (nearly similar) debug database gets a 9-digit hash. Some debug databases get a 13-digit hash; can’t figure out what makes these ones special, although they don’t have a corresponding live-file.

I’ve tried hashing the files with every kind of hash algorithm that I know of (39 of them) and none match in any way (straight up, reversed, alternate endian’d, etc.)

Any ideas?

Update: I think I finally found it. From Symbol Storage Format:

SymStore uses the file system itself as a database. It creates a large tree of directories, with directory names based on such things as the symbol file time stamps, signatures, age, and other data.

Edit: Dang, unfortunately it only mentions that the directory name is derived from various aspects (not quite a hash I guess), but does not say exactly how. The search continues… :-(

Detumescence answered 14/9, 2009 at 1:38 Comment(0)
9

This page has info on calculating the IDs for the symbol files as well as executables/DLLs.

Basically, for executables and DLLs, you extract the timestamp and filesize from the PE header as listed in the page that Griff linked to. For PDB files however, you will need the DBH command from the Windows Debugging Tools. Simply load the PDB file into DBH and use the INFO command to get the PdbSig/PdbSig70 and PdbAge. Bam! That’s it.


I just created the appropriate folders for the PDB files that I had in my SYSTEM32 folder for some reason, and finally moved them to the local symbol store.

Detumescence answered 14/9, 2009 at 2:57 Comment(2)
That page doesn't work anymore. Don't you have a copy anywhere? – Doorn
Not even the Wayback Machine has that page anymore. But judging from the URL, I'm guessing it's a copy of this thread: "Resyncing PDB and EXE", which also mentions the thread "Minidumps and source indexing". – Rabato
3

Finding PE files

The format for the path to a PE file in a symbol server share is:

"%s\%s\%08X%x\%s" % (serverName, peName, timeStamp, imageSize, peName)

Example:

https://msdl.microsoft.com/download/symbols/ntdll.dll/B29ECF521f0000/ntdll.dll

Finding PDB files

The format for the path to a PDB file in a symbol server share is:

"%s\%s\%s%x\%s" % (serverPath, pdbName, guid, age, pdbName)

Example:

https://msdl.microsoft.com/download/symbols/ntdll.pdb/4BC147AE72E8D05022366D6570A8E3461/ntdll.pdb


Source: Symbols the Microsoft Way by Bruce Dawson.

Devoe answered 28/5, 2020 at 12:14 Comment(0)
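The two path formats from the answer above, computed from raw bytes. This is an added example, not code from the thread or from Bruce Dawson's article. The function names are hypothetical and the inputs are constructed from IDs quoted on this page. It goes one step beyond the answer by reading the GUID/age (RSDS) or signature/age (NB10) from a CodeView debug record, which is where the PdbSig70/PdbSig and PdbAge values come from.

```python
import struct
import uuid

def pe_key(image: bytes) -> str:
    """Key for an EXE/DLL: TimeDateStamp as %08X followed by SizeOfImage as %x."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF header follows the 4-byte signature; TimeDateStamp is at +8.
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    # Optional header starts at +24; SizeOfImage is at +56 in PE32 and PE32+.
    (size_of_image,) = struct.unpack_from("<I", image, e_lfanew + 24 + 56)
    return "%08X%x" % (timestamp, size_of_image)

def pdb_key(codeview: bytes) -> str:
    """Key for a PDB, from the CodeView record that names it."""
    if codeview[:4] == b"RSDS":  # PDB 7.0: 16-byte GUID, then age
        guid = uuid.UUID(bytes_le=codeview[4:20])
        (age,) = struct.unpack_from("<I", codeview, 20)
        return "%s%x" % (guid.hex.upper(), age)
    if codeview[:4] == b"NB10":  # PDB 2.0: offset, 32-bit signature, age
        _offset, signature, age = struct.unpack_from("<III", codeview, 4)
        return "%08X%x" % (signature, age)
    raise ValueError("unknown CodeView signature")

def store_path(name: str, key: str) -> str:
    return "/".join((name, key, name))  # relative to the server or cache root

def sample_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed input: a zero-filled header carrying only the fields read above."""
    buf = bytearray(0x80 + 24 + 60)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x80 + 8, timestamp)
    struct.pack_into("<I", buf, 0x80 + 24 + 56, size_of_image)
    return bytes(buf)

# Constructed records built from the IDs quoted on this page.
RSDS = (b"RSDS" + uuid.UUID("4BC147AE72E8D05022366D6570A8E346").bytes_le
        + struct.pack("<I", 1) + b"ntdll.pdb\0")
NB10 = b"NB10" + struct.pack("<III", 0, 0x44F402F6, 2) + b"browseui.pdb\0"

if __name__ == "__main__":
    print(store_path("ntdll.dll", pe_key(sample_pe(0xB29ECF52, 0x1F0000))))
    print(store_path("ntdll.pdb", pdb_key(RSDS)))
    print(store_path("browseui.pdb", pdb_key(NB10)))
```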
2

Try looking at this page: Symbol Server Callback Function

Congregationalist answered 30/9, 2009 at 18:21 Comment(1)
Well that certainly helps. Those IDs do seem to be what the strings are made from, however I still have to figure out how to calculate those IDs. – Detumescence
2

The EXE/DLL directory name is created by concatenating the hex string of the "file modified" time-stamp and the "SizeOfImage" from IMAGE_OPTIONAL_HEADER.

Hilliary answered 16/9, 2017 at 14:52 Comment(0)
1

You can find the answer here:

SYMBOL RETRIEVER SHELL EXTENSION ; http://www.vitoplantamura.com/index.aspx?page=symretriever

DebugDir.cpp ; http://www.debuginfo.com/examples/src/DebugDir.cpp

PDB File Internals ; http://www.informit.com/articles/article.aspx?p=22685

Afterlife answered 13/5, 2015 at 13:27 Comment(0)
