views:

320

answers:

2

Hi,

I am trying to figure out what hashing algorithm is used for the Microsoft Symbol Local Cache directory.

For example, the local cache can be something like the following

  L:\Symbols
      \browseui.dll
        \44FBC679fe000
          browsue.dll
      \browseui.pdb
        \44F402F62
          browseui.pdb
      \explorer.exe
        \3EBF1F14f7000
          explorer.exe
      \explorer.pdb
        \3EBF1F141
          explorer.pdb
      \msvcr71.pdb
        \60D915C6AB6A4F3586E9096E2F8856482
          msvcr71.pdb

There seems to be some sort of correspondence between a file and its debug database. Other than that, I can’t figure out how the names of these (presumably) hexadecimal string folders are being generated.

Some of them are 9 digits, some 13 digits, and others are 33 digits. It looks like an actual, live-file (which for some reason is stored in the symbol cache) has a 13-digit hash while its (nearly similar) debug database gets a 9-digit hash. Some debug databases get a 13-digit hash; can’t figure out what makes these ones special, although they don’t have a corresponding live-file.

I’ve tried hashing the files with every kind of hash algorithm that I know of (39 of them) and none match in any way (straight up, reversed, alternate endian’d, etc.)

Any ideas?

Update I think I finally found it. From Symbol Storage Format:

SymStore uses the file system itself as a database. It creates a large tree of directories, with directory names based on such things as the symbol file time stamps, signatures, age, and other data.

Edit Dang, unfortunately it only mentions that the directory name is derived from various aspects (not quite a hash I guess), but does not say exactly how. The search continues… :-(

+2  A: 

This page has info on calculating the IDs for the symbol files as well as executables/DLLs.

Basically, for executables and DLLs, you extract the timestamp and filesize from the PE header as listed in the page that Griff linked to. For PDB files however, you will need the DBH command from the Windows Debugging Tools. Simply load the PDB file into DBH and use the INFO command to get the PdbSig/PdbSig70 and PdbAge. Bam! That’s it.


I just created the appropriate folders for the PDB files that I had in my SYSTEM32 folder for some reason, and finally moved them to the local symbol store.

Synetech inc.
+1  A: 

Try looking at http://msdn.microsoft.com/en-us/library/ms680667%28VS.85%29.aspx

Griff
Well that certainly helps. Those IDs do seem to be what the strings are made from, however I still have to figure out how to calculate those IDs.
Synetech inc.