Undocumented Windows Kernel Functions, Symbol PDB, C Header

Undocumented Windows Kernel Functions – Structures, Enumerations, Unions, and Symbols

Main files that contain many undocumented Windows Kernel Functions – Structures, Enumerations, and Unions (these are useful for Debugging and Reverse Engineering):


C:\Windows\System32\hal.dll
C:\Windows\System32\ntdll.dll
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\ndis.sys

To obtain the structures, enumerations, and unions these files use, you need their symbol files (PDB, Program Database). WinDbg, the Microsoft Visual Studio Debugger, and other symbol-aware software can download them for you; you can also obtain them manually.

Obtaining / Downloading Symbols PDB files for undocumented Windows kernel functions

Microsoft PDB Downloader

The easiest way is to use Microsoft PDB Downloader. The tool is no longer maintained, but as of this writing it still works. Since the PDB Downloader source is stored on GitHub, anyone can contribute. The tool is portable and requires no installation: you only point it at the file whose symbol PDB you want to download.
PDB Downloader Usage:
1. Download Latest Release of Compiled PDB Downloader from GitHub
2. Run it and [Open File(s)]
3. Select the EXE or DLL files and [Open]
4. By default, the PDB files will be saved to “C:\Symbols”; clicking this path opens a selection dialog for the destination directory.
5. [Start]

pdbfetch – written in Go

Similar to PDB Downloader is pdbfetch. The tool is written in Go; check the pdbfetch GitHub page for information and usage. It also runs under Linux (with Windows files as input, of course). The link structure it uses for the Microsoft Public Symbol Server is the same as for the other tools:

https://msdl.microsoft.com/download/symbols/{PDB_NAME}/{PDB_GUID}+{PDB_AGE}/{PDB_NAME}

symchk – Windows Debugger Tools – for undocumented Windows kernel functions

Another way is to use Windows Debugger Tools and specifically “symchk”.
Windows Debugger Tools symchk Usage:
1. Download Microsoft Windows SDK
2. While setting up, you don’t have to install everything; you can select only the

[V] Debugging Tools for Windows

3. After the installation, you may use an architecture-specific version. I used x64:

C:\Program Files (x86)\Windows Kits\Debuggers\x64\symchk.exe

4. Syntax for using the “symchk”:

symchk -v -os C:\Windows\System32\ntdll.dll

Some explanations:
-v: verbose mode, will show all the processes that symchk is performing
-os: print the full path of the symbol files in the output
C:\Windows\System32\ntdll.dll: full path to the source file

In addition, you can pass the System32 folder together with the “/r” switch; this obtains PDB files for the entire System32 directory recursively.

Other PDB Downloading Tools

Other tools exist for downloading PDB files (dbh.exe, dumpbin.exe) and for downloading source code from a server (srctool.exe, pdbstr).

Additional note for any of the Debugging Tools

You will need to set up the

_NT_SYMBOL_PATH

environment variable. If you used the Windows SDK setup, you are all set.
To show all the Environment Variables, run in CMD:

set

Checking this particular Environment Variable:

echo %_NT_SYMBOL_PATH%

To set this particular variable to Microsoft’s public Symbols server run in CMD:

set _NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols

“c:\symbols” is the directory to cache the symbols, and “https://msdl.microsoft.com/download/symbols” is Microsoft’s Public Symbol Server.
This environment variable supports more options than shown here.

You can find more information in the Microsoft Docs page Debugging with Symbols, which explains how symbols work in general and how to set up a symbol server. You can set up a local symbol server and recursively obtain PDB files from a location that holds them. In addition, each DLL / EXE carries the GUID of its PDB, and that GUID links it to the matching PDB file on the server.

Microsoft Internet Symbol Server

The URL for Microsoft Internet Symbol Server:

https://msdl.microsoft.com/download/symbols/

This server is the central download server for all the Microsoft Symbol PDB files.
Example of the directory for “ntdll.pdb”, where you will find one directory per GUID (actually PDB GUID + PDB Age) for every build of “ntdll.pdb” available on the server:

https://msdl.microsoft.com/download/symbols/ntdll.pdb/

Example of a specific “ntdll.pdb” with specific GUID + Age:

https://msdl.microsoft.com/download/symbols/ntdll.pdb/30FDDC9FEE194D1EA102E5B0695B698F1/ntdll.pdb

Navigating there from your browser gives an error page, since the server is built mainly for debugger tools (WinDbg, Visual Studio Debugger, and others). The User-Agent that debugger software sends when navigating there should be:

Microsoft-Symbol-Server/10.0.0.0

You can check this in Chrome or a Chromium-based browser with an extension:
“User-Agent Switcher,” offered by www.toolshack.com.
What is my User Agent – this helps you confirm that your User-Agent actually changed.
You can also paste a User-Agent string into Parse User Agent to get a readable browser name.
Another good source of user-agent data is https://www.whatismybrowser.com
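As an added example (not code from the original post or from any of the tools it describes), the following Python script shows where the GUID and age in those URLs come from: it walks a PE image's debug directory to the CodeView (RSDS) record, builds the `{PDB_NAME}/{PDB_GUID}+{PDB_AGE}/{PDB_NAME}` path the symbol server expects, mirrors the cache layout that `srv*c:\symbols*…` produces, and requests the file with the `Microsoft-Symbol-Server/10.0.0.0` User-Agent. The embedded RSDS record is constructed from the ntdll.pdb GUID and age in the example URL above; the `d:\build\ntdll.pdb` path inside it and the `pdbinfo.py` script name are assumptions.

```python
import struct
import sys
import uuid
from pathlib import Path
from urllib.request import Request, urlopen

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"
USER_AGENT = "Microsoft-Symbol-Server/10.0.0.0"
IMAGE_DEBUG_TYPE_CODEVIEW = 2

# Constructed sample: an RSDS record using the ntdll.pdb GUID/age from the example URL
# (the build path inside it is an assumption, real records hold the linker's output path).
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("30FDDC9F-EE19-4D1E-A102-E5B0695B698F").bytes_le
    + struct.pack("<I", 1)
    + b"d:\\build\\ntdll.pdb\0"
)


def parse_rsds(record: bytes):
    """'RSDS' | GUID (16 bytes, Windows field order) | age (u32) | NUL-terminated PDB path."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])  # first three GUID fields are little-endian
    (age,) = struct.unpack_from("<I", record, 20)
    pdb_path = record[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return guid, age, pdb_path


def symbol_key(guid: uuid.UUID, age: int) -> str:
    """Server directory name: 32 upper-case hex GUID digits directly followed by the age in hex."""
    return f"{guid.hex.upper()}{age:X}"


def pdb_basename(pdb_path: str) -> str:
    return pdb_path.replace("\\", "/").rsplit("/", 1)[-1]


def symbol_server_url(guid, age, pdb_path, server=SYMBOL_SERVER) -> str:
    name = pdb_basename(pdb_path)
    return f"{server}/{name}/{symbol_key(guid, age)}/{name}"


def cache_path(root, guid, age, pdb_path) -> Path:
    """Where srv*<root>*<server> stores the file: <root>\\<name>\\<key>\\<name>."""
    name = pdb_basename(pdb_path)
    return Path(root) / name / symbol_key(guid, age) / name


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def pe_codeview(data: bytes):
    """Return (guid, age, pdb_path) from the CodeView entry of a PE image's debug directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start at +96 (PE32, 0x10B) or +112 (PE32+, 0x20B); index 6 is DEBUG.
    dbg_rva, dbg_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112) + 6 * 8)
    if dbg_rva == 0:
        raise ValueError("image has no debug directory")
    sections = []
    for i in range(num_sections):  # IMAGE_SECTION_HEADER is 40 bytes; sizes/addresses follow the 8-byte name
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    # IMAGE_DEBUG_DIRECTORY is 28 bytes; Type, SizeOfData, AddressOfRawData, PointerToRawData start at +12.
    for i in range(dbg_size // 28):
        dtype, size, _addr, raw = struct.unpack_from("<IIII", data, dbg_off + i * 28 + 12)
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW:
            return parse_rsds(data[raw:raw + size])
    raise ValueError("no CodeView entry in the debug directory")


def fetch_pdb(url: str, dest: Path) -> Path:
    """Download with the User-Agent the server expects (assumes the file is served uncompressed)."""
    req = Request(url, headers={"User-Agent": USER_AGENT})
    dest.parent.mkdir(parents=True, exist_ok=True)
    with urlopen(req) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest


if __name__ == "__main__":
    # Usage: python pdbinfo.py C:\Windows\System32\ntdll.dll [--fetch]; no argument uses SAMPLE_RSDS.
    image = next((Path(a) for a in sys.argv[1:] if a != "--fetch"), None)
    guid, age, path = pe_codeview(image.read_bytes()) if image else parse_rsds(SAMPLE_RSDS)
    url = symbol_server_url(guid, age, path)
    print(url)
    if "--fetch" in sys.argv:
        print(fetch_pdb(url, cache_path(r"C:\symbols", guid, age, path)))
```

Run against a real image, the printed URL is exactly what symchk or pdbfetch would request, and the `cache_path` is where `_NT_SYMBOL_PATH=srv*c:\symbols*…` would place the file, so a mismatch between the two is a quick way to tell whether a local symbol cache is stale for the binary you are debugging.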

Using Symbol PDB and Source files in VS Debugger – this Microsoft Docs page will help you configure symbol PDB download and usage in the Microsoft Visual Studio Debugger.
Symbols for Windows debugging – this Microsoft Docs page links to essential information about symbols and their usage in the Windows debugging tools (WinDbg).

PDBEX – PDB Converter to C Header files

pdbex GitHub Page – pdbex is a portable executable that converts obtained PDB files into C header (.h) files. You can compile it from the source on GitHub or use the latest release. Some usage examples:
1. Download pdbex latest compiled release
2. Use this Syntax to produce the C Header file from PDB:

pdbex * ntdll.pdb -o ntdll.h

Some explanations:
*: the wildcard dumps all the structures, enumerations, and unions
ntdll.pdb: the input PDB file you want to convert
-o: Output switch
ntdll.h: The name of the file with the Output switch

If you do not use the “-o” switch, the output goes to the CMD console. Example:

pdbex * ntdll.pdb

If you want to show a specific structure, enumeration, or union, use its name instead of a wildcard:

pdbex _SID ntdll.pdb

For help, use the following:

pdbex -h

For more usage examples, check the pdbex GitHub page.

If you get an error like:

File not found

Try using full paths. If that does not help and you used the compiled release, place the x86 msdia140.dll support library in the same directory as “pdbex.exe”.

Vergilius Project Windows Kernels – great site with many undocumented Windows kernel structures, enumerations, and unions in C, per Windows version and architecture. The Microsoft Windows SDK and WDK do not include these as C header files. Per the site’s “About” page, the definitions come from uncompressed PDB files.

Vergilius Project site scraper – Python script stored on GitHub that scrapes and parses the Vergilius Project site and exports the C code of the structures, enumerations, and unions into one C header file (“kernel.h”).

Vergilius Project GitHub Page – it looks like the whole site is also available on the site creator’s GitHub page.

Windows Kernel PDBs parsed in YAML – GitHub repository of the creators of the Vergilius Project site with Windows Kernel PDB files parsed into YAML.

C Headers of undocumented Windows kernel functions – this GitHub page contains C header files with the structures, enumerations, and unions of the main kernel files (hal.dll, ndis.sys, ntdll.dll, ntoskrnl.exe). They are available by Windows version and architecture (x64, x86, ARM64 – where appropriate). There are C header files that include everything in one .h file, and there are standalone header files for each structure, enumeration, or union. These files come from the same developer who wrote “pdbex” to convert PDB files into C header files.

The C Header files that are in the “headers” directory are part of the NTDIFF kernel comparison application. You can compare the undocumented Windows kernel functions and Structures, Enumerations, and Unions of Symbols of each version of the essential kernel files and see the changes between versions.

Windows Kernel Header Files – Geoff Chappell on Windows kernel header files, their structure, and other helpful information. The site also contains much information about PDB files, structures, enumerations, the kernel, and debugging – a recommended read.

Windows Kernel Opaque Structures – Microsoft Docs page with a list of Windows Kernel Opaque Structures and some explanations.
Symbol Stores and Symbol Servers
Using a Manifest File with SymChk

Setting WinDbg Symbol Path – This article covers some Symbol errors in WinDbg like “Please fix your symbols” and “Your kernel symbols are wrong” and a way to fix them (they set local Symbol Server).
PDB Parser – Inspecting the Content of PDB files
Program Database (PDB) File Format – GitHub page explaining the structure of the PDB file.
Windows Driver Kit C Headers and Scripts for Debugging
EPROCESS and PEB and Memory Forensics Concepts
