Microsoft Symbol Server / Local Cache Hash Algorithm


Problem description


I am trying to figure out what hashing algorithm is used for the Microsoft Symbol Local Cache directory.

For example, the local cache can be something like the following

  L:\Symbols
      \browseui.dll
        \44FBC679fe000
          browsue.dll
      \browseui.pdb
        \44F402F62
          browseui.pdb
      \explorer.exe
        \3EBF1F14f7000
          explorer.exe
      \explorer.pdb
        \3EBF1F141
          explorer.pdb
      \msvcr71.pdb
        \60D915C6AB6A4F3586E9096E2F8856482
          msvcr71.pdb

There seems to be some sort of correspondence between a file and its debug database. Other than that, I can’t figure out how the names of these (presumably) hexadecimal string folders are being generated.

Some of them are 9 digits, some 13 digits, and others are 33 digits. It looks like an actual, live-file (which for some reason is stored in the symbol cache) has a 13-digit hash while its (nearly similar) debug database gets a 9-digit hash. Some debug databases get a 13-digit hash; can’t figure out what makes these ones special, although they don’t have a corresponding live-file.

I’ve tried hashing the files with every kind of hash algorithm that I know of (39 of them) and none match in any way (straight up, reversed, alternate endian’d, etc.)

Any ideas?

Update: I think I finally found it. From Symbol Storage Format:

SymStore uses the file system itself as a database. It creates a large tree of directories, with directory names based on such things as the symbol file time stamps, signatures, age, and other data.

Edit: Dang, unfortunately it only mentions that the directory name is derived from various aspects (not quite a hash I guess), but does not say exactly how. The search continues… :-(

Solution

This page has info on calculating the IDs for the symbol files as well as executables/DLLs.

Basically, for executables and DLLs, you extract the timestamp and filesize from the PE header as listed in the page that Griff linked to. For PDB files however, you will need the DBH command from the Windows Debugging Tools. Simply load the PDB file into DBH and use the INFO command to get the PdbSig/PdbSig70 and PdbAge. Bam! That’s it.


I just created the appropriate folders for the PDB files that I had in my SYSTEM32 folder for some reason, and finally moved them to the local symbol store.
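The key derivation the answer describes, as an added Python example that is not part of the original thread: for an EXE/DLL the directory name is the COFF header TimeDateStamp (8 upper-case hex digits) followed by SizeOfImage from the optional header in lower-case hex (the page-aligned 0xfe000 and 0xf7000 in the listing are that field); for a PDB it is PdbSig or PdbSig70 as reported by DBH INFO, followed by PdbAge in hex, which is why the listing shows 9-digit and 33-digit keys. The field offsets come from the PE/COFF specification; build_minimal_pe is a constructed, header-only image used only so the example runs offline.

```python
import struct
import uuid

PE_SIGNATURE = b"PE\0\0"
SIZE_OF_IMAGE_OFFSET = 56  # offset inside the optional header, PE32 and PE32+ alike


def pe_symbol_key(image: bytes) -> str:
    """EXE/DLL key: COFF TimeDateStamp (8 upper-case hex) + SizeOfImage (hex, unpadded)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    timestamp, = struct.unpack_from("<I", image, coff + 4)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < SIZE_OF_IMAGE_OFFSET + 4:
        raise ValueError("unsupported or truncated optional header")
    size_of_image, = struct.unpack_from("<I", image, opt + SIZE_OF_IMAGE_OFFSET)
    return f"{timestamp:08X}{size_of_image:x}"   # e.g. 44FBC679 + fe000 for browseui.dll above


def pdb_symbol_key(signature, age: int) -> str:
    """PDB key: PdbSig (32-bit, 8 hex digits) or PdbSig70 (GUID, 32 hex digits) + PdbAge."""
    if isinstance(signature, (str, uuid.UUID)):
        sig = uuid.UUID(str(signature)).hex.upper()   # 33-digit form, e.g. msvcr71.pdb above
    else:
        sig = f"{int(signature):08X}"                # 9-digit form, e.g. browseui.pdb above
    return f"{sig}{age:X}"


def symbol_store_path(filename: str, key: str) -> str:
    """Relative location inside the store tree: <name>\\<key>\\<name>."""
    return "\\".join((filename, key, filename))


def build_minimal_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed, header-only PE32 image used only to exercise pe_symbol_key."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(96)                      # PE32 optional header without data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, SIZE_OF_IMAGE_OFFSET, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, len(opt), 0x2102)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)
```

Feeding a real DLL's bytes to pe_symbol_key gives the folder name a symbol server will look under, which is a quick way to check whether a cached binary or PDB actually belongs to the image being analysed.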
