Reverse Engineering Asked on January 24, 2021
I want to download the .pdb files of Windows binaries (e.g., notepad.exe) on machines where the user doesn't have admin rights, nor has any debugger available. I was wondering if it is possible to download the PDB files using Windows built-in functionalities such as cmd/batch, PowerShell, or WSH VBScript or JScript?
I think the first step is to find the globally unique identifier (GUID) of the binary, and then probably there are some URL queries one can use to download the specific program database file of the build.
P.S.1. Apparently the New Technology Symbolic Debugger (NTSD) used to come built into the Windows OS. I am not aware that the OS includes any debuggers by default anymore.
P.S.2. From this comment, I was pointed towards the right URI to download the exact PDB file, given the GUID of the binary. Now the problem is to know how to extract the GUID from the binary itself.
P.S.3. I am wondering if the CLSID/GUID/ProgID of all binaries are stored in the registry and one can manually map them to the specific .dll/.exe files.
You can use PDB Downloader, which doesn't require any installation: https://docs.microsoft.com/en-us/archive/blogs/webtopics/pdb-downloader. Or you could use its source below to see how you could recreate it with PowerShell or some other method.
https://github.com/rajkumar-rangaraj/PDB-Downloader
You can also just copy the WinDbg files from a machine where it's been installed and it will run without requiring admin rights.
Also, you can take SymChk.exe from the Windows debugging tools to download symbols, or if the machine doesn't have internet access, generate a manifest to download from another machine: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/using-a-manifest-file-with-symchk
To get the debug GUID, refer to https://github.com/rajkumar-rangaraj/PDB-Downloader/blob/master/SymbolFetch/PeHeaderReader.cs. You need to extract it from the PE header's debug directory; refer to the struct IMAGE_DEBUG_DIRECTORY_RAW. You can also look for a structure starting with the signature RSDS (0x53445352), which is followed by a GUID (16 bytes), a counter (4 bytes) and then the PDB pathname.
CLSID/ProgID are stored in the registry for COM class objects under HKCR\CLSID, which maps to HKLM\Software\Classes and HKCU\Software\Classes (in the 32-bit and 64-bit views of the registry). But this is the GUID for initializing the COM object, not related to the GUID used for PDB files.
Answered by chentiangemalc on January 24, 2021
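The RSDS lookup described in the answer, carried out with nothing but built-in PowerShell, as an added example that is not from the question, the answer or the PDB-Downloader project. It walks the PE header to the debug directory, reads the CodeView record (RSDS signature, 16-byte GUID, 4-byte age, PDB path) and builds the Microsoft public symbol server URL; the function name, the notepad.exe path and the msdl.microsoft.com URL layout are assumptions of this example.

```powershell
# Added example: derive the symbol-server URL of a PE file's PDB from its debug directory.
# Needs only read access to the file; no admin rights, no debugger, no third-party tool.
function Get-PdbSymbolUrl {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [int][BitConverter]::ToUInt32($b, 0x3C)                  # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x4550) { throw "Not a PE file" }  # 'PE\0\0'
    $coff = $peOff + 4                                                # IMAGE_FILE_HEADER
    $numSections = [BitConverter]::ToUInt16($b, $coff + 2)
    $optSize     = [BitConverter]::ToUInt16($b, $coff + 16)
    $opt   = $coff + 20                                               # IMAGE_OPTIONAL_HEADER
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dirOff = if ($magic -eq 0x20B) { 112 } else { 96 }              # data directories: PE32+ vs PE32
    $dbgRva  = [int][BitConverter]::ToUInt32($b, $opt + $dirOff + 6 * 8)   # IMAGE_DIRECTORY_ENTRY_DEBUG = 6
    $dbgSize = [int][BitConverter]::ToUInt32($b, $opt + $dirOff + 6 * 8 + 4)
    if ($dbgRva -eq 0) { throw "No debug directory" }
    # Translate the debug directory RVA to a file offset using the section table
    $sec = $opt + $optSize
    $dbgOff = $null
    for ($i = 0; $i -lt $numSections; $i++) {
        $s   = $sec + $i * 40
        $vsz = [int][BitConverter]::ToUInt32($b, $s + 8)              # VirtualSize
        $va  = [int][BitConverter]::ToUInt32($b, $s + 12)             # VirtualAddress
        $raw = [int][BitConverter]::ToUInt32($b, $s + 20)             # PointerToRawData
        if ($dbgRva -ge $va -and $dbgRva -lt ($va + $vsz)) { $dbgOff = $dbgRva - $va + $raw; break }
    }
    if ($null -eq $dbgOff) { throw "Debug directory RVA not inside any section" }
    # Each IMAGE_DEBUG_DIRECTORY entry is 28 bytes; Type 2 = IMAGE_DEBUG_TYPE_CODEVIEW
    for ($e = $dbgOff; $e -lt $dbgOff + $dbgSize; $e += 28) {
        if ([BitConverter]::ToUInt32($b, $e + 12) -ne 2) { continue }
        $cv = [int][BitConverter]::ToUInt32($b, $e + 24)              # PointerToRawData of the CV record
        if ([BitConverter]::ToUInt32($b, $cv) -ne 0x53445352) { continue }   # 'RSDS'
        $guid = [guid]::new([byte[]]$b[($cv + 4)..($cv + 19)])         # 16-byte GUID
        $age  = [BitConverter]::ToUInt32($b, $cv + 20)                # 4-byte age counter
        $end = $cv + 24; while ($b[$end] -ne 0) { $end++ }             # NUL-terminated PDB path
        $pdbPath = [System.Text.Encoding]::ASCII.GetString($b, $cv + 24, $end - ($cv + 24))
        $pdbName = [System.IO.Path]::GetFileName($pdbPath)
        # Symbol store key: GUID without dashes (upper case) immediately followed by the age in hex
        $id = $guid.ToString('N').ToUpper() + $age.ToString('X')
        return "https://msdl.microsoft.com/download/symbols/$pdbName/$id/$pdbName"
    }
    throw "No RSDS CodeView record found"
}

# Usage (assumed target): fetch the PDB matching the installed notepad.exe into the current directory
$url = Get-PdbSymbolUrl "$env:SystemRoot\System32\notepad.exe"
Invoke-WebRequest -Uri $url -OutFile ($url -split '/')[-1]
```

Print $url before downloading to compare it with what SymChk.exe or PDB Downloader would request for the same file; a mismatch usually means the wrong RSDS entry was picked or the binary carries no CodeView record at all.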