Is there a known issue relating to Windows 7 Kernel Symbols?

by

Update 2015-10-22:

With the Microsoft patch day (2015-10-13) and KB3088195, symbols are available again.

However, symbols for the broken version have not been provided, so below may still be useful.

Microsoft has already published “good” symbols for ntdll in the past, containing type information like _TEB or _KPRCB. Starting from mid of July 2015, Microsoft has still published symbols for ntdll, but not containing that information.

So it depends on the version of ntdll whether you get type information or not. Old dumps referencing an old version of ntdll will download old PDBs containing type information while new dumps reference new versions of ntdll and WinDbg (or any other debugger) downloads PDBs without type information.

Could Microsoft remove type information of “good” symbols retroactively, thus making them “bad”?

Yes. As described in this answer, there is a tool to remove type information from existing PDBs. Doing that and replacing the PDB would result in such an effect.

Can Microsoft publish the “good” version of those PDBs which are currently “bad”?

That’s hard to tell, since we don’t know whether Microsoft has kept a copy of the “good” version so they could replace the “bad” version on the symbol server with the “good” one. Rebuilding ntdll from the same source code and thus creating new PDBs sounds possible, but the PDB gets a new time stamp and checksum. This can potentially be corrected manually, especially be Microsoft, since they should have the knowledge about the PDB internal format, but IMHO it’s unlikely they’ll do that. Things may go wrong and MS will hardly have tests to guarantee the correctness of such a thing.

So what can I do?

IMHO you can do nothing to really correct the situation.

You could assume that the types in ntdll have not changed so much. This would allow you to take an older version of wntdll.pdb and the new version of ntdll.dll and apply ChkMatch -m to it. This will copy the timestamp and checksum from the DLL to the PDB. After you did that (in an empty folder), replace the existing wntdll.pdb in your symbols directory with the hacked one.

WinDbg walkthrough (with output shortened to relevant things). I am using the latest version of wntdll.pdb I could find on my PC.

WARNING: doing the following may fix the type information but will likely destroy the correctness of the callstacks. Since any changes in the implementation (which are likely for security fixes) will change the method offsets.

0:005> dt nt!_PEB
*************************************************************************
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
...
***    Type referenced: nt!_PEB                                       ***
***                                                                   ***
*************************************************************************
Symbol nt!_PEB not found.

0:005> lm m ntdll
start    end        module name
773f0000 77570000   ntdll      (pdb symbols)          e:\debug\symbols\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb

0:005> .shell cmd /c copy C:\Windows\SysWOW64\ntdll.dll e:\debug\temp\ntdllhack\ntdll.dll
        1 file(s) copied.

0:005> .shell cmd /c copy "E:\Windows SDk\8.0\Debuggers\x86\sym\wntdll.pdb\B081677DFC724CC4AC53992627BEEA242\wntdll.pdb" e:\debug\temp\ntdllhack\wntdll.pdb
        1 file(s) copied.

0:005> .shell cmd /c E:\debug\temp\ntdllhack\chkmatch.exe -m E:\debug\temp\ntdllhack\ntdll.dll E:\debug\temp\ntdllhack\wntdll.pdb
...
Executable: E:\debug\temp\ntdllhack\ntdll.dll 
Debug info file: E:\debug\temp\ntdllhack\wntdll.pdb 

Executable: 
TimeDateStamp: 55a69e20 
Debug info: 2 ( CodeView ) 
TimeStamp: 55a68c18  Characteristics: 0  MajorVer: 0  MinorVer: 0 
Size: 35  RVA: 000e63e0  FileOffset: 000d67e0  
CodeView format: RSDS 
Signature: {fa9c48f9-c11d-4e08-94b8-970decd92c97}  Age: 2  
PdbFile: wntdll.pdb 
Debug info: 10 ( Unknown ) 
TimeStamp: 55a68c18  Characteristics: 0  MajorVer: 565  MinorVer: 6526 
Size: 4  RVA: 000e63dc  FileOffset: 000d67dc  

Debug information file: 
Format: PDB 7.00 
Signature: {b081677d-fc72-4cc4-ac53-992627beea24}  Age: 4 

Writing to the debug information file... 
Result: Success.

0:005> .shell cmd /c copy E:\debug\temp\ntdllhack\wntdll.pdb E:\debug\symbols\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb
        1 file(s) copied.

0:005> .reload
Reloading current modules
.............................

0:005> dt nt!_PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
...

0:005> !heap -s
LFH Key                   : 0x219ab08b
Termination on corruption : DISABLED
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast 
                    (k)     (k)    (k)     (k) length      blocks cont. heap 
-----------------------------------------------------------------------------
Virtual block: 00920000 - 00920000 (size 00000000)
Virtual block: 02c60000 - 02c60000 (size 00000000)
Virtual block: 02e10000 - 02e10000 (size 00000000)
...

Note: using ChkMatch like this has the benefit that you do not need to turn on .symopt- 100, since that option would affect all PDB files, and you would not find potential other symbol issues. If you don’t mind using .symopt, you could simply copy an old wntdll.PDB over the new one.

More Related Contents:

  1. How to set up symbols in WinDbg?
  2. How can I test a trigger function in GAS?
  3. What does status=canceled for a resource mean in Chrome Developer Tools?
  4. Visual Studio debugger – Displaying integer values in Hex
  5. What are the debug memory fill patterns in Visual Studio C++ and Windows?
  6. Debugging iframes with Chrome developer tools
  7. How do I see the expanded macro code that’s causing my compile error?
  8. Attach IntelliJ IDEA debugger to a running Java process
  9. Release generating .pdb files, why?
  10. How to use trace and dbg in Erlang to debug and trace my program?
  11. What is the difference between Step Into and Step Over in a debugger
  12. Drop into interpreter during arbitrary scala code location
  13. Step through JDK source code in IntelliJ IDEA
  14. How do I skip external code when debugging in VS Code
  15. Debugging in Clojure? [closed]
  16. What flags do you set for your GFORTRAN debugger/compiler to catch faulty code?
  17. How to debug Google Apps Script (aka where does Logger.log log to?)
  18. How to get a Windows symbol server set up
  19. Android Studio IDE: Break on Exception
  20. LOH fragmentation – 2015 update
  21. How can I inspect the file system of a failed `docker build`?
  22. How do I debug a stand-alone VBScript script?
  23. Visual Studio 2010 “Cannot find or open the PDB file”
  24. How to check release / debug builds using cfg in Rust?
  25. How to set level logging to DEBUG in Tomcat?
  26. Functions debugging in VS Code
  27. Getting the state of variables after an error occurs in R
  28. Chrome Typescript debugging references wrong ‘this’
  29. how to access Angular2 component specific data in console?
  30. Should I compile release builds with debug info as “full” or “pdb-only”?

Leave a Comment