If I have an executable (e.g. ntoskrnl.exe), I can get its .pdb file from Microsoft. Is it possible to do the reverse? If I have the .pdb, can I get the .exe? Or is the only way to hope it is somewhere on my symbol server and look it up by pdb signature and/or timestamp?
Getting the .exe/.dll/.sys for a given .pdb file
Binaries (exe, sys, dll) are fetched from the MS symbol server by their time_date_stamp and size.
The windbg command !chkimg usually fetches the binary for minidumps; it uses the SymFindFileInPath function.
It needs three different ids; for pdbs and binaries you can look at the remarks section of the id definition of that function.
There is no reverse match afaik, i.e. given a pdb you cannot retrieve the timestamp and size of the binary that are needed for a successful retrieval.
The only option left is to grep the local drives for similarly named binaries
using dumpbin and the dbh.exe tool packaged with windbg.
Note that there are two pdbs in the cache while I have only one binary on the system, which matches the second pdb. Note carefully that the age is appended to the guid in the srvind output, whereas the age is printed on a separate line in the dumpbin output.
Once you know the file, you can fetch a pristine copy from the MS symbol server when needed by dumping the timestamp/size, appending them into a string and calling httpget with the user agent set to microsoft-symbol-server (or whatever it is now) (my memory of the user agent is several years old; sniff network packets for the latest user agent string).
C:\>dbh srvind e:\SYMBOLS\cdfs.pdb\6FA7C1B9FB96447B8608B2F31CEADB312\cdfs.pdb
e:\SYMBOLS\cdfs.pdb\6FA7C1B9FB96447B8608B2F31CEADB312\cdfs.pdb : 6FA7C1B9FB96447B8608B2F31CEADB312
C:\>dbh srvind e:\SYMBOLS\cdfs.pdb\D457507255544405BD9A5C4D3EBCCBAE2\cdfs.pdb
e:\SYMBOLS\cdfs.pdb\D457507255544405BD9A5C4D3EBCCBAE2\cdfs.pdb : D457507255544405BD9A5C4D3EBCCBAE2
C:\>dumpbin /headers "c:\Windows\System32\drivers\cdfs.sys" | grep -i rsds
4A5BBF12 cv 21 000028C0 1CC0 Format: RSDS, {D4575072-5554-4405-BD9A-5C4D3EBCCBAE}, 2, cdfs.pdb
Here is dumpbin with the actual dump and the !itoldyouso output
C:\>dumpbin /headers "c:\Windows\System32\drivers\cdfs.sys" | grep -i "size of image"
16000 size of image
C:\>dumpbin /headers "c:\Windows\System32\drivers\cdfs.sys" | grep -i date
4A5BBF12 time date stamp Tue Jul 14 04:41:14 2009
C:\>cdb -z c:\Windows\System32\drivers\cdfs.sys
0:000> !itoldyouso cdfs
cdfs.sys
Timestamp: 4A5BBF12
SizeOfImage: 16000
pdb: cdfs.pdb
pdb sig: D4575072-5554-4405-BD9A-5C4D3EBCCBAE
age: 2
Loaded pdb is e:\symbols\cdfs.pdb\D457507255544405BD9A5C4D3EBCCBAE2\cdfs.pdb
cdfs.pdb
pdb sig: D4575072-5554-4405-BD9A-5C4D3EBCCBAE
age: 2
MATCH: cdfs.pdb and cdfs.sys
Here is a network packet header with the latest user agent string used for fetching binaries
{
"Host Name":"msdl.microsoft.com",
"Method":"GET",
"Path":"/download/symbols/calc.exe/4CE7979Dc0000/calc.ex_",
"User Agent":"Microsoft-Symbol-Server/10.0.0.0",
"Response Code":"200",
"Response String":"OK",
"Content Type":"application/octet-stream",
"Referer":"",
"Content Encoding":"",
"Transfer Encoding":"",
"Server":"Microsoft-IIS/8.5",
"Content Length":"295985",
"Connection":"",
"Cache Control":"public",
"Location":"",
"Server Time":"6/24/2017 4:37:26 PM",
"Expiration Time":"",
"Last Modified Time":"12/16/2010 8:20:21 AM",
"Cookie":"",
"Client Address":"xxx.xxx.xx.xx:xxxxx",
"Server Address":"204.79.197.219:80",
"Request Time":"00:07:23.331",
"Response Time":"1444 ms",
"URL":"http://msdl.microsoft.com/download/symbols/calc.exe/4CE7979Dc0000/calc.ex_"
}
and the timestamp and size details taken from the list-modules output
0:000> dx -r0 @$lmvmcalc = Debugger.Utility.Control.ExecuteCommand("lmvm calc")
@$lmvmcalc = Debugger.Utility.Control.ExecuteCommand("lmvm calc")
0:000> dx -r0 @$lmvmcalc[8] ; dx -r0 @$lmvmcalc[6]
@$lmvmcalc[8] : ImageSize: 000C0000
@$lmvmcalc[6] : Timestamp: Sat Nov 20 15:10:45 2010 (4CE7979D)
and a fetch without symsrv.dll, using wget, compared against the local file
C:\>md testfetchwithwget
C:\>cd testfetchwithwget
C:\testfetchwithwget>ls -l
total 0
wgetting with the user agent and debug spew
C:\testfetchwithwget>wget -d -c -U="Microsoft-Symbol-Server/10.0.0.0" "http://msdl.microsoft.com/download/symbols/calc.exe/4CE7979Dc0000/calc.ex_"
Setting --continue (continue) to 1
Setting --user-agent (useragent) to =Microsoft-Symbol-Server/10.0.0.0
DEBUG output created by Wget 1.12.1-dev Mar 04 2010 (mainline-013c8e2f5997) on Windows-MinGW.
--2017-06-24 22:35:20-- http://msdl.microsoft.com/download/symbols/calc.exe/4CE7979Dc0000/calc.ex_
Resolving msdl.microsoft.com... seconds 0.00, 204.79.197.219
Caching msdl.microsoft.com => 204.79.197.219
Connecting to msdl.microsoft.com|204.79.197.219|:80... seconds 0.00, connected.
Created socket 204.
Releasing 0x00893e38 (new refcount 1).
---request begin---
GET /download/symbols/calc.exe/4CE7979Dc0000/calc.ex_ HTTP/1.0
User-Agent: =Microsoft-Symbol-Server/10.0.0.0
Accept: */*
Host: msdl.microsoft.com
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 295985
Content-Type: application/octet-stream
Last-Modified: Thu, 16 Dec 2010 08:20:21 GMT
Accept-Ranges: bytes
ETag: "7367f914fa9ccb1:0"
Server: Microsoft-IIS/8.5
X-MSEdge-Ref: Ref A: A80831FD9CD34C76B235D9794A671A8B Ref B: BOM02EDGE0109 Ref C: Sat Jun 24 10:05:33 2017 PST
X-MSEdge-Ref-OriginShield: Ref A: 5B1085618AB14BDBA7B8195D249E26E2 Ref B: BOM01EDGE0317 Ref C: Sat Jun 24 07:42:52 2017 PST
Date: Sat, 24 Jun 2017 17:05:33 GMT
Connection: keep-alive
---response end---
200 OK
Registered socket 204 for persistent reuse.
Length: 295985 (289K) [application/octet-stream]
Saving to: `calc.ex_'
100%[==========================================================>] 295,985 15.1K/s in 25s
2017-06-24 22:35:51 (11.3 KB/s) - `calc.ex_' saved [295985/295985]
Comparing
C:\testfetchwithwget>ls -l
total 292
-rw-rw-rw- 1 HP 0 295985 2010-12-16 13:50 calc.ex_
C:\testfetchwithwget>expand -R calc.ex_ calc.exe
Microsoft (R) File Expansion Utility Version 6.1.7600.16385
Copyright (c) Microsoft Corporation. All rights reserved.
Adding C:\testfetchwithwget\calc.exe to Extraction Queue
Expanding Files ....
Expanding Files Complete ...
Cannot expand a file onto itself: calc.exe.
C:\testfetchwithwget>ls -l
total 1052
-rw-rw-rw- 1 HP 0 295985 2010-12-16 13:50 calc.ex_
-rwxrwxrwx 1 HP 0 776192 2010-12-15 20:21 calc.exe
C:\testfetchwithwget>ls -l c:\Windows\System32\calc.exe
-rwxrwxrwx 2 HP 0 776192 2010-11-20 04:16 c:\Windows\System32\calc.exe
C:\testfetchwithwget>fc /b c:\Windows\System32\calc.exe .\calc.exe
Comparing files C:\WINDOWS\SYSTEM32\calc.exe and .\CALC.EXE
FC: no differences encountered
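The answer above does the matching by hand: dumpbin/!itoldyouso for TimeDateStamp, SizeOfImage and the RSDS GUID/age, dbh srvind for the cache key, and a string concatenation for the symbol-server URL. The script below is an added example (not code from the answer or from Microsoft's tools) that pulls the same three identifiers straight out of a PE file's headers, builds the symsrv keys for both the binary (`TimeDateStamp` as 8 hex digits followed by `SizeOfImage` in hex) and the pdb (GUID followed by age, the directory name dbh srvind prints), and checks a symbol-cache directory name against the image. The embedded sample PE is constructed for the test: a header-only PE32 carrying the cdfs.sys values shown above, not a real driver. The https base URL and the `download()` helper's user agent are assumptions taken from the captured request; everything else runs offline.

```python
"""Derive symbol-server keys from a PE image's own headers (added example)."""
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
# Host from the captured request above; https is an assumption, the capture used http.
SYMSRV_BASE = "https://msdl.microsoft.com/download/symbols"


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_pe(data):
    """Return the ids symsrv keys on: TimeDateStamp, SizeOfImage and the RSDS GUID/age/pdb name."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    _machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]       # same offset in PE32 and PE32+
    dirs = opt + (96 if magic == 0x10B else 112)                       # start of the data directories
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)  # IMAGE_DIRECTORY_ENTRY_DEBUG
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + i * 40)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {"timestamp": timestamp, "size_of_image": size_of_image,
            "pdb_guid": None, "pdb_age": None, "pdb_name": None}
    if dbg_size:
        off = _rva_to_offset(dbg_rva, sections)
        for i in range(dbg_size // 28):                                # IMAGE_DEBUG_DIRECTORY is 28 bytes
            _, _, _, _, typ, dsize, d_rva, d_ptr = struct.unpack_from("<IIHHIIII", data, off + i * 28)
            if typ != IMAGE_DEBUG_TYPE_CODEVIEW:
                continue
            cv_off = d_ptr or _rva_to_offset(d_rva, sections)
            cv = data[cv_off:cv_off + dsize]
            if cv[:4] == b"RSDS":  # PDB 7.0 record: 'RSDS' + GUID(16, little-endian) + Age(4) + path\0
                info["pdb_guid"] = uuid.UUID(bytes_le=bytes(cv[4:20]))
                info["pdb_age"] = struct.unpack_from("<I", cv, 20)[0]
                path = cv[24:].split(b"\0", 1)[0].decode("latin-1")
                info["pdb_name"] = path.rsplit("\\", 1)[-1]             # keep only the file name
    return info


def binary_key(timestamp, size_of_image):
    """Symsrv key for an image: 8 hex digits of TimeDateStamp + SizeOfImage in hex, no separator."""
    return "%08X%X" % (timestamp, size_of_image)


def pdb_key(guid, age):
    """Symsrv key for a pdb: 32 hex digits of the GUID followed by the age (dbh srvind's output)."""
    return guid.hex.upper() + "%X" % age


def binary_symsrv_path(name, timestamp, size_of_image):
    return "%s/%s/%s" % (name, binary_key(timestamp, size_of_image), name)


def pdb_symsrv_path(pdb_name, guid, age):
    return "%s/%s/%s" % (pdb_name, pdb_key(guid, age), pdb_name)


def compressed_name(name):
    """The server also stores cab-compressed copies, last character replaced by '_' (calc.ex_)."""
    return name[:-1] + "_"


def pdb_key_matches(info, cache_key):
    """True when a symbol-cache directory name (GUID+age) belongs to the parsed image."""
    return info["pdb_guid"] is not None and cache_key.upper() == pdb_key(info["pdb_guid"], info["pdb_age"])


def download(path, dest, base=SYMSRV_BASE, user_agent="Microsoft-Symbol-Server/10.0.0.0"):
    """Fetch one symsrv path with the user agent seen in the capture (network; not exercised offline)."""
    import urllib.request
    req = urllib.request.Request(base + "/" + path, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req) as resp, open(dest, "wb") as out:
        out.write(resp.read())


def _build_sample_pe():
    """Constructed header-only PE32 carrying the cdfs.sys ids from the page; not a real driver."""
    guid = uuid.UUID("D4575072-5554-4405-BD9A-5C4D3EBCCBAE")
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", 2) + b"cdfs.pdb\0"
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0x4A5BBF12, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32
    struct.pack_into("<I", img, opt + 56, 0x16000)                 # SizeOfImage
    struct.pack_into("<II", img, opt + 96 + 6 * 8, 0x1000, 28)    # debug directory: one entry at RVA 0x1000
    struct.pack_into("<8sIIII", img, opt + 224, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<IIHHIIII", img, 0x200, 0, 0x4A5BBF12, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                     len(cv), 0x1000 + 28, 0x200 + 28)
    img[0x200 + 28:0x200 + 28 + len(cv)] = cv
    return bytes(img)


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(binary_symsrv_path("cdfs.sys", info["timestamp"], info["size_of_image"]))
    print(pdb_symsrv_path(info["pdb_name"], info["pdb_guid"], info["pdb_age"]))
    for key in ("6FA7C1B9FB96447B8608B2F31CEADB312", "D457507255544405BD9A5C4D3EBCCBAE2"):
        print(key, "MATCH" if pdb_key_matches(info, key) else "no match")
```

To use it on a real file, pass `open(path, "rb").read()` to `parse_pe`, then hand `SYMSRV_BASE + "/" + binary_symsrv_path(...)` to `download()`, wget or curl; ask for the compressed name first (`compressed_name("calc.exe")`) and fall back to the plain name, and run `expand -R` on what comes back, as the answer does. The key comparison is case-insensitive on purpose: the capture above requested `4CE7979Dc0000` with a lowercase size and the server answered 200.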
Haven't tried it, but it may work if the image exists on the symbol server. I know WinDbg/Visual Studio are able to download images referenced in crash dumps in some situations, and they probably use this or similar functionality: SymFindExecutableImage