mspdb_overlays
|
| Trees | Indices | Help |
|
|---|
|
|
These plugins are for manipulating Microsoft PDB file.
References:
https://code.google.com/p/pdbparse/
http://moyix.blogspot.de/2007/10/types-stream.html
http://undocumented.rawol.com/win_pdbx.zip
Our goal here is not to be a complete parser for PDB files. Rather, we are
trying to extract only the important information we need in order to build a
Rekall profile. This means that we dont necessarily care about modifiers like
"const" "volatile" etc, but mostly care about struct, enums, bitfields etc.
If you are comparing the code here with the code in the pdbparse project, be
aware that due to the crazy way the construct library (which is used by
pdbparse) splits up bits, the ordering in the pdbparse code does not follow the
correct bit number (bits are defined in the order they appear in the bit stream,
which for a little endian number is non intuitive). e.g.
CV_property = BitStruct("prop",
Flag("fwdref"),
Flag("opcast"),
Flag("opassign"),
Flag("cnested"),
Flag("isnested"),
Flag("ovlops"),
Flag("ctor"),
Flag("packed"),
BitField("reserved", 7, swapped=True),
Flag("scoped"),
)
Actually is this struct (i.e. above the first field is bit 7, then 6 etc until
bit 0 the bit 15 down to 8):
typedef struct _CV_prop_t
{
/*000.0*/ WORD packed : 1;
/*000.1*/ WORD ctor : 1;
/*000.2*/ WORD ovlops : 1;
/*000.3*/ WORD isnested : 1;
/*000.4*/ WORD cnested : 1;
/*000.5*/ WORD opassign : 1;
/*000.6*/ WORD opcast : 1;
/*000.7*/ WORD fwdref : 1;
/*001.0*/ WORD scoped : 1;
/*001.1*/ WORD reserved : 7;
/*002*/ }
CV_prop_t, *PCV_prop_t, **PPCV_prop_t;
Since we are lazy and do not want to hand code all the structure definitions, we
simply build a profile from the C implementation, and then use it here directly
using the "mspdb" profile (which is available in the profile repository).
http://undocumented.rawol.com/win_pdbx.zip: ./sbs_sdk/include/pdb_info.h
Other known implementations of PDB parsing:
https://chromium.googlesource.com/syzygy/+/master/pdb
The closest thing to official documentation can be found here:
http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf
Author: Michael Cohen <scudette@gmail.com>
| Classes | |
|
FetchPDB Fetch the PDB file for an executable from the Microsoft PDB server. |
|
|
TestFetchPDB Disable this test. |
|
|
StreamBasedAddressSpace An address space which combines together the page lists. |
|
|
lfClass Represents a class or struct. |
|
|
lfEnumerate A SubRecord describing a single enumeration definition. |
|
|
lfBitfield A range of bits. |
|
| lfNestType | |
|
lfUnion A Union is basically the same as a struct, except members may overlap. |
|
| lfModifier | |
|
lfEnum Represents an enumeration definition. |
|
|
lfPointer A Pointer object. |
|
|
lfProc A Function object. |
|
|
lfArray An array of the same object. |
|
|
lfMember A member in a struct (or class). |
|
| DBIExHeaders | |
| DBI | |
|
PDBProfile A profile to parse Microsoft PDB files. |
|
|
PDBParser Parses a Microsoft PDB file. |
|
|
ParsePDB Parse the PDB streams. |
|
| Functions | |||
|
|||
| Variables | |
LEAF_ENUM_TO_TYPE = |
|
LEAF_ENUM_TO_SUBRECORD = |
|
SYM_ENUM_TO_SYM = |
|
mspdb_overlays = |
|
__package__ = |
|
| Variables Details |
LEAF_ENUM_TO_TYPE
|
LEAF_ENUM_TO_SUBRECORD
|
mspdb_overlays
|
| Trees | Indices | Help |
|
|---|
| Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:47 2017 | http://epydoc.sourceforge.net |
