API tools faq
paste
cakemaker

function arguments parsing/extraction from PDB symbol files

cakemaker
Aug 25th, 2024 (edited)
149
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.69 KB | Software | 0 0
raw download clone embed print report
  1. Why locals/arguments names and types retrieval from private PDBs could be useful?
  2.  
  3. Occasionally there are private symbols available for some binaries. So not only function names are available, but also function return types, and names and types of func arguments and locals.
  4. Unfortunately, the version of such symbol-rich binaries often doesn't match the version of of binaries one would like to reverse. E.g. there are symbols for decade-old binaries, or binaries of different architecture, or one doesn't have binaries for the private symbols at all.
  5.  
  6. So what one can do is extract as much info from these mismatching private PDB files as possible and apply it to the current, actual binaries. Structure extraction from PDB is well-established. But function info is not.
  7. Currently to extract func info one can either open old binary in IDA and e.g. produce header; or open binary as dump in Windbg, and exec "dt -v FUNC; dv /i /t /V /f FUNC" for each function, then possible parse output with regex or something. Both options are cumbersome. And if only PDB is available, but not binary, then Windbg is the only option.
  8.  
  9. Thus it would be awesome if PDB extraction tool could produce function declarations from PDB, as C header file. With correct argument names and types. Header then could be equally well ingested by other tools or examined manually.
  10. Since it seems like locals are right near the arguments in the function descriptors in the PDB, it would be nice extra addition to also have local names and types listed, as comments.
  11.  
  12. Example of produced declaration (that prototype is well-known, but will do as example):
  13. ```
  14. long
  15. __fastcall // may be drop it? esp. if it's not straightforward to get
  16. NtRaiseException(
  17. struct _EXCEPTION_RECORD* ExceptionRecord,
  18. struct _CONTEXT* ContextRecord,
  19. uchar FirstChance
  20. );
  21. // long Status
  22. // struct _KEXCEPTION_FRAME ExceptionFrame
  23. ^ two locals as comments
  24. ```
  25.  
  26. A few things to note:
  27. 1. Struct refs are declared in full form (with "struct"), as to avoid requiring structure definitions.
  28. 2. No attempt is made to show location of local vars "Status" and "ExceptionFrame", they are just listed as comments. Location is not very actionable, as it is too volatile in different binaries.
  29. 3. Still, if static vars are handled like locals (I'm not sure), there might be need to add extra comment/mark for the statics.
  30. 4. No attempt is made to show location of arguments. They are sometimes transfered in "unexpected" registers, such as EDI or R10, and PDBs have that info, but I think such information is too volatile. May be at user discretion __usercall convention could be produced with correct regs, but I tend to think it mostly won't be needed.
  31.  
  32. And that's it!
Tags: functions parsing Motivation symbols arguments pdb locals
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!