Undocumented Windows Kernel Functions – Symbol PDB, C Header

Undocumented Windows Kernel Functions – Structures, Enumerations, Unions and Symbols

The main files that contain many undocumented Windows Kernel Functions – Structures, Enumerations and Unions (useful for Debugging and Reverse Engineering) are:

C:\Windows\System32\hal.dll
C:\Windows\System32\ntdll.dll
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\ndis.sys

To obtain the Structures, Enumerations and Unions of these files you need their Symbols PDB files (Program Database). You can get them from WinDbg, Microsoft Visual Studio Debugger and other software that works with symbols. You can also obtain them manually.

Obtaining / Downloading Symbols PDB files

Microsoft PDB Downloader

The easiest way is to use Microsoft PDB Downloader. The project is no longer maintained, but as of this writing it still works. Since the PDB Downloader source is stored on GitHub, anyone can contribute. The tool is portable and does not require any installation; you only need to provide the file whose Symbol PDB file you want to download.
PDB Downloader Usage:
1. Download Latest Release of Compiled PDB Downloader from GitHub
2. Run it and [Open File(s)]
3. Select the EXE or DLL files and [Open]
4. By default the PDB files will be saved to “C:\Symbols”; clicking on this path opens a selection dialog for the destination directory.
5. [Start]

pdbfetch – written in Go

Similar to PDB Downloader is pdbfetch. The tool is written in Go, and you can check the pdbfetch GitHub page for information and usage. You can use it under Linux as well (of course you still provide Windows files as input). The download link on the Microsoft Public Symbol Server is built the same way as the other tools build it:

https://msdl.microsoft.com/download/symbols/{PDB_NAME}/{PDB_GUID}+{PDB_AGE}/{PDB_NAME}

symchk – Windows Debugger Tools

Another way is to use Windows Debugger Tools and specifically “symchk”.
Windows Debugger Tools symchk Usage:
1. Download Microsoft Windows SDK
2. While setting up you don’t have to install everything; you can select only

[V] Debugging Tools for Windows

3. After the installation you may use the architecture-specific version. I used x64:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe

4. Syntax for using the “symchk”:

symchk -v -os C:\Windows\System32\ntdll.dll

Some explanations:
-v: verbose mode, shows everything that symchk is doing
-os: print the full path of the symbol files in the output
C:\Windows\System32\ntdll.dll: full path to the file whose symbols you want

You can also pass the whole System32 folder together with the “/r” switch. This obtains PDB files for the entire System32 directory recursively.

Other PDB Downloading Tools

Other tools exist for downloading PDB files (dbh.exe, dumpbin.exe) and for downloading source code from a source server (srctool.exe, pdbstr).

Additional note for any of the Debugging Tools

You will need to set up the

_NT_SYMBOL_PATH

environment variable. If you used the Windows SDK setup, you are probably all good.
To show all the Environment Variables, run in CMD:

set

Checking this particular Environment Variable:

echo %_NT_SYMBOL_PATH%

To set this particular variable to the Microsoft’s public Symbols server run in CMD:

set _NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols

Where “c:\symbols” is the directory where the symbols will be cached and “https://msdl.microsoft.com/download/symbols” is Microsoft’s Public Symbol Server.
The variable syntax supports more than this simple form (for example, chaining several cache directories and symbol servers).

You can find more information in Microsoft DOCs, Debugging with Symbols. It explains how to set up a Symbols server and how Symbols work in general. You can set up a local Symbols server and obtain PDB files recursively from a location that has them. In addition, each DLL / EXE embeds a GUID (together with an Age value) that links it to the matching PDB file on the server.

Microsoft Internet Symbol Server

The URL for Microsoft Internet Symbol Server:

https://msdl.microsoft.com/download/symbols/

This is the main download server for all the Microsoft Symbol PDB files.
Example of the directory for “ntdll.pdb”, where you will find one directory per GUID (actually PDB GUID + PDB Age) for every version of “ntdll.pdb” available on the server:

https://msdl.microsoft.com/download/symbols/ntdll.pdb/

Example of a specific “ntdll.pdb” with specific GUID + Age:

https://msdl.microsoft.com/download/symbols/ntdll.pdb/30FDDC9FEE194D1EA102E5B0695B698F1/ntdll.pdb

Navigating there from your browser will give you an error page, since the server is built mainly for debugger tools (WinDbg, Visual Studio Debugger, etc.). The User Agent that debugger software sends when navigating there should be:

Microsoft-Symbol-Server/10.0.0.0

You can check this in Chrome and Chromium-based browsers with the extension “User-Agent Switcher”, offered by www.toolshack.com.
What is my User Agent – Will help you confirm that your User Agent was actually changed.
Parsing User Agent to readable Browser Name – Will show you the real name of your browser by parsing the User Agent string.
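As an added example (not code from the original post or from any of the tools it mentions), the script below shows how the symbol-server URL from the template above is derived: a PE file carries a CodeView “RSDS” record (signature, PDB GUID, Age, PDB path) in its debug directory, and the debugger turns that into {PDB_NAME}/{GUID}{AGE}/{PDB_NAME}, sending the debugger User Agent. The RSDS record and the surrounding “PE bytes” are constructed inline from the ntdll.pdb GUID + Age shown above; locating the record by scanning for its signature is a heuristic standing in for a full PE debug-directory walk.

```python
import struct
import urllib.request
import uuid

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"
DEBUGGER_USER_AGENT = "Microsoft-Symbol-Server/10.0.0.0"

# Constructed sample: a CodeView RSDS record like the one in ntdll.dll's debug
# directory, using the GUID and Age from the ntdll.pdb example above.
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("30fddc9f-ee19-4d1e-a102-e5b0695b698f").bytes_le  # GUID as stored on disk
    + struct.pack("<I", 1)          # Age
    + b"ntdll.pdb\x00"              # NUL-terminated PDB path
)
# Constructed stand-in for the bytes of a PE file: junk around the record.
SAMPLE_PE_BYTES = b"MZ" + b"\x00" * 40 + SAMPLE_RSDS + b"\x00" * 8

def find_rsds(data: bytes) -> bytes:
    """Locate the RSDS record by its signature (heuristic; real tools walk the
    PE debug directory instead). Returns the data from the signature onward."""
    idx = data.find(b"RSDS")
    if idx < 0:
        raise ValueError("no RSDS CodeView record found")
    return data[idx:]

def parse_rsds(record: bytes):
    """Split 'RSDS' + GUID (16 bytes, little-endian fields) + Age (uint32) + path."""
    if record[:4] != b"RSDS" or len(record) < 25:
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return guid, age, path

def symbol_url(record: bytes, server: str = SYMBOL_SERVER) -> str:
    """Build {server}/{PDB_NAME}/{GUID hex, upper}{AGE hex}/{PDB_NAME}."""
    guid, age, path = parse_rsds(record)
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # drop any build path
    return f"{server}/{name}/{guid.hex.upper()}{age:X}/{name}"

def symbol_request(record: bytes) -> urllib.request.Request:
    """Request carrying the User Agent the server expects (built, not sent)."""
    return urllib.request.Request(symbol_url(record),
                                  headers={"User-Agent": DEBUGGER_USER_AGENT})
```

Pass the raw bytes of a real DLL or EXE to find_rsds to get the URL for its own PDB.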

Using Symbol PDB and Source files in VS Debugger – This page in Microsoft DOCs will help you configure Symbol PDB file downloading and usage in Microsoft Visual Studio Debugger.
Symbols for Windows debugging – This Microsoft DOCs page contains links to basic information and explanations about Symbols and their usage in Windows debugging tools (WinDbg).

PDBEX – PDB Converter to C Header files

pdbex GitHub Page – pdbex is a portable executable that converts obtained PDB files to C Header files (H files). You can compile it from the source on GitHub or use the latest release. Some usage examples:
1. Download pdbex latest compiled release
2. Use this Syntax to produce the C Header file from PDB:

pdbex * ntdll.pdb -o ntdll.h

Some explanations:
*: The wildcard is used to dump all the structures, enumerations and unions
ntdll.pdb: the input PDB file that you want to dump
-o: Output switch
ntdll.h: The name of the file that will be written by the Output switch

If you do not use the “-o” switch, the output is shown in the CMD console. Example:

pdbex * ntdll.pdb

If you want to show a specific structure, enumeration or union, use its name instead of a wildcard:

pdbex _SID ntdll.pdb

For help use:

pdbex -h

For more usage examples check the pdbex GitHub page.

If you get an error, like:

File not found

Try using full paths. If that does not help and you used the compiled version from the release, you need to place the msdia140.dll x86 Support Library in the same location as “pdbex.exe”.

Links that contain Undocumented Windows Kernel Functions – Structures, Enumerations and Unions or C Header files

Vergilius Project Windows Kernels – Great site with many Undocumented Windows Kernel Functions – Structures, Enumerations and Unions in C, organized per Windows version and architecture. These cannot be found as C Header files in the Microsoft Windows SDK or WDK. The content comes from uncompressed PDB files, as per the “About” page.

Vergilius Project site scraper – Python script stored on GitHub that scrapes and parses the Vergilius Project site and exports the C code of the Structures, Enumerations and Unions to one C header file (“kernel.h”).

Vergilius Project GitHub Page – Looks like the whole site is also on the site creator’s GitHub page.

Windows Kernel PDBs parsed in YAML – GitHub repository of the creators of the Vergilius Project site with Windows Kernel PDB files parsed into YAML.

C Headers of Windows Kernel files of undocumented functions – This GitHub page contains C header files with Structures, Enumerations and Unions of the main Windows Kernel files with undocumented functions (hal.dll, ndis.sys, ntdll.dll, ntoskrnl.exe). They are stored by Windows version and architecture (x64, x86, ARM64 – where appropriate). There are C Header files that include everything in the same H file, and there are standalone header files for each Structure, Enumeration or Union. These files are by the same developer who wrote “pdbex” to convert PDB files into C Header files.

The C Header files in the “headers” directory are part of the NTDIFF kernel comparison application. You can compare the Structures, Enumerations and Unions of the Symbols of each version of the basic kernel files and see what changed between versions.

Windows Kernel Header Files – Geoff Chappell on Windows Kernel Header files, their structure and other useful information. The site also contains a vast amount of information about PDB files, Structures, Enumerations, the Kernel and Debugging. Highly recommended read.

Microsoft DOCs Links and Symbol Concepts

Windows Kernel Opaque Structures – Microsoft Docs page with list of Windows Kernel Opaque Structures and some explanations.
Symbol Stores and Symbol Servers
Using a Manifest File with SymChk

Other useful links regarding different subjects covered

Setting WinDbg Symbol Path – This article covers Symbol errors in WinDbg like “Please fix your symbols” and “Your kernel symbols are wrong” and a way to fix them (by setting up a local Symbol Server).
PDB Parser – Inspecting the Content of PDB files
Program Database (PDB) File Format – GitHub page explaining the structure of the PDB file.
Windows Driver Kit C Headers and Scripts for Debugging
Explanations about _EPROCESS structure
EPROCESS and PEB and Memory Forensics Concepts
