Microsoft 符号服务器/本地缓存哈希算法

发布于 2024-08-04 20:08:44 字数 1067 浏览 18 评论 0原文

我试图弄清楚 Microsoft 符号本地缓存目录使用什么哈希算法。

例如,本地缓存可以如下所示

  L:\Symbols
      \browseui.dll
        \44FBC679fe000
          browsue.dll
      \browseui.pdb
        \44F402F62
          browseui.pdb
      \explorer.exe
        \3EBF1F14f7000
          explorer.exe
      \explorer.pdb
        \3EBF1F141
          explorer.pdb
      \msvcr71.pdb
        \60D915C6AB6A4F3586E9096E2F8856482
          msvcr71.pdb

文件与其调试数据库之间似乎存在某种对应关系。除此之外,我无法弄清楚这些(大概)十六进制字符串文件夹的名称是如何生成的。

有的为9位,有的为13位,有的为33位。它看起来像一个实际的实时文件(由于某种原因存储在符号缓存中)具有 13 位哈希值,而其(几乎相似的)调试数据库则具有 9 位哈希值。一些调试数据库获得 13 位哈希;尽管它们没有相应的实时文件,但无法弄清楚是什么让这些特别。

我尝试过使用我所知道的各种哈希算法(其中 39 种)对文件进行哈希处理,但没有任何匹配方式(直接、反向、交替字节序等)。

有什么想法吗?

更新 我想我终于找到了。来自符号存储格式

SymStore 使用文件系统本身作为数据库。它创建一个大型目录树,目录名称基于符号文件时间戳、签名、年龄和其他数据。

编辑 该死,不幸的是它只提到目录名称是从各个方面派生的(我猜不完全是散列),但没有具体说明如何派生。搜索仍在继续……:-(

I am trying to figure out what hashing algorithm is used for the Microsoft Symbol Local Cache directory.

For example, the local cache can be something like the following

  L:\Symbols
      \browseui.dll
        \44FBC679fe000
          browsue.dll
      \browseui.pdb
        \44F402F62
          browseui.pdb
      \explorer.exe
        \3EBF1F14f7000
          explorer.exe
      \explorer.pdb
        \3EBF1F141
          explorer.pdb
      \msvcr71.pdb
        \60D915C6AB6A4F3586E9096E2F8856482
          msvcr71.pdb

There seems to be some sort of correspondence between a file and its debug database. Other than that, I can’t figure out how the names of these (presumably) hexadecimal string folders are being generated.

Some of them are 9 digits, some 13 digits, and others are 33 digits. It looks like an actual, live-file (which for some reason is stored in the symbol cache) has a 13-digit hash while its (nearly similar) debug database gets a 9-digit hash. Some debug databases get a 13-digit hash; can’t figure out what makes these ones special, although they don’t have a corresponding live-file.

I’ve tried hashing the files with every kind of hash algorithm that I know of (39 of them) and none match in any way (straight up, reversed, alternate endian’d, etc.)

Any ideas?

Update
I think I finally found it. From Symbol Storage Format:

SymStore uses the file system itself as a database. It creates a large tree of directories, with directory names based on such things as the symbol file time stamps, signatures, age, and other data.

Edit
Dang, unfortunately it only mentions that the directory name is derived from various aspects (not quite a hash I guess), but does not say exactly how. The search continues… :-(

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

难理解 2024-08-11 20:08:44

此页面包含有关计算符号文件以及可执行文件/DLL 的 ID 的信息。

基本上,对于可执行文件和 DLL,您可以从 Griff 链接到的页面中列出的 PE 标头中提取时间戳和文件大小。然而,对于 PDB 文件,您将需要 Windows 调试工具中的 DBH 命令。只需将 PDB 文件加载到 DBH 中并使用 INFO 命令即可获取 PdbSig/PdbSig70PdbAge。嘭!就是这样。

由于某种原因,我刚刚为 SYSTEM32 文件夹中的 PDB 文件创建了适当的文件夹,最后将它们移动到本地符号存储中。

This page has info on calculating the IDs for the symbol files as well as executables/DLLs.

Basically, for executables and DLLs, you extract the timestamp and filesize from the PE header as listed in the page that Griff linked to. For PDB files however, you will need the DBH command from the Windows Debugging Tools. Simply load the PDB file into DBH and use the INFO command to get the PdbSig/PdbSig70 and PdbAge. Bam! That’s it.

I just created the appropriate folders for the PDB files that I had in my SYSTEM32 folder for some reason, and finally moved them to the local symbol store.

水中月 2024-08-11 20:08:44

查找 PE 文件

符号服务器共享中 PE 文件的路径格式为:

"%s\%s\%08X%x\%s" % (serverName, peName, timeStamp, imageSize, peName)< /code>

示例:

https://msdl.microsoft.com/download/symbols/ntdll.dll/B29ECF521f0000/ntdll.dll

查找 PDB 文件

符号中 PDB 文件路径的格式服务器共享为:

"%s\%s\%s%x\%s" % (serverPath, pdbName, guid,age, pdbName)

示例:

https://msdl.microsoft .com/download/symbols/ntdll.pdb/4BC147AE72E8D05022366D6570A8E3461/ntdll.pdb


来源:象征 Microsoft 之道,作者:Bruce Dawson。

Finding PE files

The format for the path to a PE file in a symbol server share is:

"%s\%s\%08X%x\%s" % (serverName, peName, timeStamp, imageSize, peName)

Example:

https://msdl.microsoft.com/download/symbols/ntdll.dll/B29ECF521f0000/ntdll.dll

Finding PDB files

The format for the path to a PDB file in a symbol server share is:

"%s\%s\%s%x\%s" % (serverPath, pdbName, guid, age, pdbName)

Example:

https://msdl.microsoft.com/download/symbols/ntdll.pdb/4BC147AE72E8D05022366D6570A8E3461/ntdll.pdb


Source: Symbols the Microsoft Way by Bruce Dawson.

嗫嚅 2024-08-11 20:08:44

尝试查看此页面:符号服务器回调函数< /a>

Try looking at this page: Symbol Server Callback Function

稳稳的幸福 2024-08-11 20:08:44

EXE/DLL 目录名称是通过连接“文件修改”时间戳的十六进制字符串和来自 IMAGE_OPTIONAL_HEADER

EXE/DLL directory name is created by concatenating hex string of the "file modified" time-stamp and "SizeOfImage" from IMAGE_OPTIONAL_HEADER

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文