1. What is a PDB file
A PDB (Program DataBase) file stores all of a program's debugging information. When a program is built with the /debug or /debug:full option, recent Microsoft linkers create the program database (PDB) file at link time. The PDB file contains information about the executable being created, along with the latest symbol information in CodeView format. The executable records the path, file name and identification code of the PDB file on the local computer so that the correct PDB file can be found.
PDB is the new debug information storage format introduced with Visual C++ 1.0. The most important motivation for changing the format was to permit incremental linking of debug builds, which was first introduced in Visual C++ 2.0. The current format version is 7.0. It may change again in the future; for example, .PDB files may also come to hold other project state information.
2. PDB file storage format
The PDB file format resembles a disk file system. A disk file system divides the disk into fixed-size blocks of data called "sectors". When a file is written to disk, its data is placed in sectors allocated to that file, and those sectors are not necessarily contiguous. A file directory tracks where the data is located on the disk. In a PDB file, the data blocks are called "pages", the files are called "streams", and the file directory is more appropriately called the "stream directory".
The PDB file format has not been published, but Microsoft provides an API for reading the data in a PDB; see the CCI open source project. Although there is no official description of the format, "The RSDS pdb format" describes the PDB file format in some detail. To restate the analogy: a disk is divided into sectors, and a file's data is stored in sectors that need not be contiguous on the disk. A PDB file is divided into pages, which are like sectors; a stream is like a file; and the stream directory is like the file directory.
Below we use WinHex to look at what information a PDB file actually stores.
2.1 PDB data organization structures
2.2 PDB header structure
The PDB header information in the figure above is parsed as follows:
Offset | Data type | Data | Remark |
---|---|---|---|
+0h | byte string | Microsoft C/C++ MSF 7.00 | PDB version information; the string length differs between versions |
+1Ah | byte | EOF | marks the end of the PDB version string |
+1Bh | byte string | DS | signature |
+1Eh | byte | null-terminator | terminator |
+20h | dword | 00000400h (1024) | page size (unit: bytes) |
+24h | dword | 00000002h (2) | unknown |
+28h | dword | 00000293h (659) | number of pages occupied by the whole file |
+2Ch | dword | 00000AE0h (2784) | size of the stream directory (unit: bytes) |
+30h | dword | 00000000h (0) | unknown |
+34h | dword | 00000291h (657) | page address of the stream directory pointers (unit: pages) |
2.3 PDB stream directory pointers structure
From the header information, the address of the stream directory pointers can be calculated as A4400h (page 291h multiplied by the page size 400h). The data at that address is as follows:
As the figure shows, this page stores three stream directory page pointers: 028Eh, 028Fh and 0290h. There are three because the stream directory occupies 0AE0h (2784) bytes, which requires three pages to store.
Note: the pointers need not be contiguous; here they just happen to be.
2.4 PDB Stream Directory Information Structure
Stream Directory data structure is shown below:
Offset | Data type | Note |
---|---|---|
+0h | dword | number of streams |
+4h | dword | size of each stream (unit: bytes); 0 and -1 (FFFFFFFF) are ignored |
+?h | dword | array of stream page pointers |
Taking 028Eh as an example, multiplying it by 400h gives A3800h; the data at that address is as follows:
As the figure above shows, this stream directory contains 002Fh (47) streams, and the next 47 dwords give the size of each stream. The page pointers therefore start at A38C0h.
The first 3 streams are parsed as follows:
Streams | size | page pointers |
---|---|---|
Stream1 | 0000001Ch | 00000004h |
Stream2 | 00000072h | 0000028Ch |
Stream3 | 00050FD0h | 0000028Dh,00000134h,... |
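
The walk described in 2.2 to 2.4 (header, directory pointer page, stream directory, stream pages) can be done in code instead of by hand in WinHex. The following Python is an added example, not code from the original article: `parse_msf` and `build_sample` are hypothetical names, the sample file is constructed, and every size and page pointer is range-checked because it comes from the file being inspected.

```python
import struct

# Signature bytes per 2.2: version string, EOF (1Ah), "DS", NUL padding up to +20h.
MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"

def parse_msf(data):
    """Header -> directory pointer page -> stream directory -> streams (2.2-2.4)."""
    if data[:0x20] != MAGIC or len(data) < 0x38:
        raise ValueError("not an MSF 7.00 file")
    # +20h page size, +24h unknown, +28h page count, +2Ch directory size,
    # +30h unknown, +34h page number of the directory pointer page
    page_size, _, page_count, dir_size, _, ptr_page = struct.unpack_from("<6I", data, 0x20)
    if page_size == 0 or page_count * page_size > len(data):
        raise ValueError("header disagrees with file length")

    def page(n):  # every pointer is file-controlled, so range-check it
        if n >= page_count:
            raise ValueError(f"page pointer {n:#x} out of range")
        return data[n * page_size:(n + 1) * page_size]

    def read(size, pointers):  # pages need not be contiguous
        return b"".join(page(p) for p in pointers)[:size]

    n_dir = -(-dir_size // page_size)  # ceiling division
    if 4 * n_dir > page_size or dir_size < 4:
        raise ValueError("bad stream directory size")
    directory = read(dir_size, struct.unpack_from(f"<{n_dir}I", page(ptr_page)))
    (count,) = struct.unpack_from("<I", directory)
    off = 4 + 4 * count
    if off > dir_size:
        raise ValueError("stream count exceeds directory size")
    streams = []
    for size in struct.unpack_from(f"<{count}I", directory, 4):
        n = 0 if size in (0, 0xFFFFFFFF) else -(-size // page_size)
        if off + 4 * n > dir_size:
            raise ValueError("page pointers run past directory")
        streams.append(read(size, struct.unpack_from(f"<{n}I", directory, off)))
        off += 4 * n
    return streams  # list index 1 is what the text calls Stream2

def build_sample(ps=0x400):
    """Constructed 6-page file; stream 1 lives on pages 5 then 2 (non-contiguous)."""
    s0, s1 = b"constructed stream 0", bytes(range(256)) * 5
    directory = struct.pack("<6I", 2, len(s0), len(s1), 1, 5, 2)
    header = MAGIC + struct.pack("<6I", ps, 2, 6, len(directory), 0, 4)
    pages = [header, s0, s1[ps:], directory, struct.pack("<I", 3), s1[:ps]]
    return b"".join(p.ljust(ps, b"\0") for p in pages)
```

On a real PDB, pass the file's bytes to `parse_msf`; a malformed or truncated file raises `ValueError` rather than reading outside the file.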
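2.5 PDB stream information structure
Different streams contain different information. Here we mainly cover the information related to the authenticity of the PDB file, which is generally held in Stream2. By calculation, the address of Stream2 in the file is A3000h; the data at that address is as follows:
The red box marks the GUID seen earlier in the CODEVIEW entry with the PEView tool; the dword before it is the corresponding age field.
References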
https://www.jianshu.com/p/7ad20a047bb4