Microsoft 符号服务器/本地缓存哈希算法 [英] Microsoft Symbol Server / Local Cache Hash Algorithm

问题描述

我想弄清楚 Microsoft Symbol Local Cache 目录使用的是什么散列算法.

比如本地缓存可以是下面这样的

<前>L:符号rowseui.dll44FBC679fe000浏览器.dllrowseui.pdb44F402F62浏览器界面资源管理器.exe3EBF1F14f7000资源管理器资源管理器.pdb3EBF1F141资源管理器msvcr71.pdb60D915C6AB6A4F3586E9096E2F8856482msvcr71.pdb

文件与其调试数据库之间似乎存在某种对应关系.除此之外，我无法弄清楚这些(大概)十六进制字符串文件夹的名称是如何生成的.

有些是9位数，有些是13位数，有些是33位数.它看起来像一个实际的实时文件(由于某种原因存储在符号缓存中)具有 13 位哈希值，而其(几乎相似的)调试数据库获得 9 位哈希值.一些调试数据库得到一个 13 位的哈希值；尽管它们没有相应的实时文件，但无法弄清楚是什么让这些文件与众不同.

我尝试过使用我所知道的各种哈希算法(其中 39 种)对文件进行哈希处理，但没有任何方式匹配(直接、反向、交替字节序等)

有什么想法吗?

更新我想我终于找到了.来自 符号存储格式:

<块引用>

SymStore 使用文件系统本身作为数据库.它创建了一个大目录树，目录名称基于符号文件时间戳、签名、年龄和其他数据.

编辑当当，不幸的是它只提到目录名称是从各个方面派生的(我猜不是一个散列)，但没有说明具体是如何派生的.搜索继续...... :-(

解决方案

此页面 包含有关计算符号文件以及可执行文件/DLL 的 ID 的信息.

基本上，对于可执行文件和 DLL，您从 Griff 链接到的页面中列出的 PE 标头中提取时间戳和文件大小.但是，对于 PDB 文件，您将需要来自 Windows 调试工具的 DBH 命令.只需将 PDB 文件加载到 DBH 并使用 INFO 命令获取 PdbSig/PdbSig70 和 PdbAge.砰！就是这样.

出于某种原因，我刚刚为 SYSTEM32 文件夹中的 PDB 文件创建了适当的文件夹，最后将它们移动到本地符号存储.

I am trying to figure out what hashing algorithm is used for the Microsoft Symbol Local Cache directory.

For example, the local cache can be something like the following

  L:Symbols
      rowseui.dll
        44FBC679fe000
          browsue.dll
      rowseui.pdb
        44F402F62
          browseui.pdb
      explorer.exe
        3EBF1F14f7000
          explorer.exe
      explorer.pdb
        3EBF1F141
          explorer.pdb
      msvcr71.pdb
        60D915C6AB6A4F3586E9096E2F8856482
          msvcr71.pdb

There seems to be some sort of correspondence between a file and its debug database. Other than that, I can’t figure out how the names of these (presumably) hexadecimal string folders are being generated.

Some of them are 9 digits, some 13 digits, and others are 33 digits. It looks like an actual, live-file (which for some reason is stored in the symbol cache) has a 13-digit hash while its (nearly similar) debug database gets a 9-digit hash. Some debug databases get a 13-digit hash; can’t figure out what makes these ones special, although they don’t have a corresponding live-file.

I’ve tried hashing the files with every kind of hash algorithm that I know of (39 of them) and none match in any way (straight up, reversed, alternate endian’d, etc.)

Any ideas?

Update I think I finally found it. From Symbol Storage Format:

SymStore uses the file system itself as a database. It creates a large tree of directories, with directory names based on such things as the symbol file time stamps, signatures, age, and other data.

Edit Dang, unfortunately it only mentions that the directory name is derived from various aspects (not quite a hash I guess), but does not say exactly how. The search continues… :-(

解决方案

This page has info on calculating the IDs for the symbol files as well as executables/DLLs.

Basically, for executables and DLLs, you extract the timestamp and filesize from the PE header as listed in the page that Griff linked to. For PDB files however, you will need the DBH command from the Windows Debugging Tools. Simply load the PDB file into DBH and use the INFO command to get the PdbSig/PdbSig70 and PdbAge. Bam! That’s it.

I just created the appropriate folders for the PDB files that I had in my SYSTEM32 folder for some reason, and finally moved them to the local symbol store.

这篇关于Microsoft 符号服务器/本地缓存哈希算法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！