{"id":13420012,"url":"https://github.com/wbenny/pdbex","last_synced_at":"2025-05-16T11:03:56.571Z","repository":{"id":3125382,"uuid":"48516744","full_name":"wbenny/pdbex","owner":"wbenny","description":"pdbex is a utility for reconstructing structures and unions from the PDB into compilable C headers","archived":false,"fork":false,"pushed_at":"2024-08-26T23:39:36.000Z","size":1329,"stargazers_count":817,"open_issues_count":11,"forks_count":162,"subscribers_count":36,"default_branch":"master","last_synced_at":"2024-10-30T02:41:10.796Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wbenny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-12-24T00:25:35.000Z","updated_at":"2024-10-28T06:56:50.000Z","dependencies_parsed_at":"2024-10-26T16:53:44.333Z","dependency_job_id":"72d666b3-3455-46b6-b31c-ba12ace08879","html_url":"https://github.com/wbenny/pdbex","commit_stats":{"total_commits":56,"total_committers":7,"mean_commits":8.0,"dds":0.125,"last_synced_commit":"562ef14af14ac2d8eb36c8a45dd64f3aec1957f7"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wbenny%2Fpdbex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wbenny%2Fpdbex/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wbenny%2Fpdbex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wbenny%2Fpdbex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wbenny","download_url":"https://codeload.github.com/wbenny/pdbex/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254518384,"owners_count":22084374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T22:01:24.494Z","updated_at":"2025-05-16T11:03:56.549Z","avatar_url":"https://github.com/wbenny.png","language":"C++","readme":"[![Build status](https://ci.appveyor.com/api/projects/status/8e24lcfhp1ltngfu?svg=true)](https://ci.appveyor.com/project/wbenny/pdbex)\n\n# pdbex\n\npdbex is a utility for reconstructing structures and unions from the [PDB files][msdn-symbols] into compilable C headers.\n\n### Why?\n\nPDB files, among others, contain information about structures and unions.\nThese information can be very useful - for instance structures and unions from **ntdll.dll** or **ntoskrnl.exe** can be useful for experimenting with Windows internals.\nBut information in the PDB files are limited only to the symbol name, member name, its type and offset.\nInformation about nested anonymous structures and unions are lost.\nHowever, with a bit of work, they can be formed back.\n\nI am not aware of any utility which could make a compilable and offset-accurate C header representation of symbols in the PDB file.\nAlthough there do exist [some][headers-mirt] [public][headers-nirsoft] [servers][headers-moonsoft] which list some of the structures, it is only limited subset of various symbols of files of various Windows versions.\nNot to say that many of them are not offset-accurate.\nThe fact that we have [ReactOS][headers-reactos] and [Volatility][headers-volatility] does not help. They will not provide header file for any given PDB file.\n\n### Usage\n\n```c\n\u003e pdbex.exe _SID ntdll.pdb\n\n/*\n * PDB file: ntdll.pdb\n * Image architecture: x86\n *\n * Dumped by pdbex tool v0.1, by wbenny\n */\n\ntypedef struct _SID_IDENTIFIER_AUTHORITY\n{\n /* 0x0000 */ unsigned char Value[6];\n} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;\n\ntypedef struct _SID\n{\n /* 0x0000 */ unsigned char Revision;\n /* 0x0001 */ unsigned char SubAuthorityCount;\n /* 0x0002 */ struct _SID_IDENTIFIER_AUTHORITY IdentifierAuthority;\n /* 0x0008 */ unsigned long SubAuthority[1];\n} SID, *PSID;\n```\n\nThis command will dump not only specified symbol, but also all symbols referenced by it - and in correct order.\nIf you insist on dumping only the specified symbol, you can disable this feature by **-j-** option:\n\n```c\n\u003e pdbex.exe _SID ntdll.pdb -j- -k-\n\ntypedef struct _SID\n{\n /* 0x0000 */ unsigned char Revision;\n /* 0x0001 */ unsigned char SubAuthorityCount;\n /* 0x0002 */ struct _SID_IDENTIFIER_AUTHORITY IdentifierAuthority;\n /* 0x0008 */ unsigned long SubAuthority[1];\n} SID, *PSID;\n```\n\n_(**-k-** switch is responsible for ommiting the header.)_\n\nYou can even control if definition of referenced symbols should be inlined by **-e [n|i|a]** option.\n\n* n - will not inline anything (unnamed symbols are created separately and named as _TAG_UNNAMED\\_###_\n* i - will inline only unnamed structures and union (default behavior)\n* a - will inline everything\n\nExample of inlining everything:\n```c\n\u003e pdbex.exe _SID ntdll.pdb -e a -k-\n\ntypedef struct _SID\n{\n /* 0x0000 */ unsigned char Revision;\n /* 0x0001 */ unsigned char SubAuthorityCount;\n struct _SID_IDENTIFIER_AUTHORITY\n {\n /* 0x0002 */ unsigned char Value[6];\n } IdentifierAuthority;\n /* 0x0008 */ unsigned long SubAuthority[1];\n} SID, *PSID;\n```\n\nExample of not inlining anything:\n```c\n\u003e pdbex.exe _LARGE_INTEGER ntdll.pdb -e n -k-\n\ntypedef struct _TAG_UNNAMED_1\n{\n /* 0x0000 */ unsigned long LowPart;\n /* 0x0004 */ long HighPart;\n} TAG_UNNAMED_1, *PTAG_UNNAMED_1;\n\ntypedef union _LARGE_INTEGER\n{\n union\n {\n struct\n {\n /* 0x0000 */ unsigned long LowPart;\n /* 0x0004 */ long HighPart;\n };\n /* 0x0000 */ struct _TAG_UNNAMED_1 u;\n /* 0x0000 */ __int64 QuadPart;\n };\n} LARGE_INTEGER, *PLARGE_INTEGER;\n\n```\n\nDefault behavior:\n```c\n\u003e pdbex.exe _LARGE_INTEGER ntdll.pdb -e i -k-\n\ntypedef union _LARGE_INTEGER\n{\n union\n {\n struct\n {\n /* 0x0000 */ unsigned long LowPart;\n /* 0x0004 */ long HighPart;\n };\n struct // _TAG_UNNAMED_1\n {\n /* 0x0000 */ unsigned long LowPart;\n /* 0x0004 */ long HighPart;\n } u;\n /* 0x0000 */ __int64 QuadPart;\n };\n} LARGE_INTEGER, *PLARGE_INTEGER;\n\n```\n\nYou can also dump all symbols using **\"\\*\"** as the symbol name to dump:\n\n```\n\u003e pdbex.exe * ntdll.pdb -o ntdll.h\n```\n\nThis command will dump all structures and unions to the file **ntdll.h**.\n\n\n### Remarks\n\n* Pointers to functions are represented only as **void\\*** with additional comment **/\\* function \\*/**.\n* Produced structures expect **packing alignment to be set at 1 byte**.\n* Produced **union**s have one extra **union** nested inside of it (you could notice few lines above). This is a known cosmetic bug.\n* **pdbex** is designed to dump headers from C project only - C++ classes are not supported.\n\n### Compilation\n\nCompile **pdbex** using Visual Studio 2017. Solution file is included. No other dependencies are required.\n\n### Testing\n\nThere are 2 files in the _Scripts_ folder:\n\n* env.bat - sets environment variables for Microsoft Visual C++ 2015\n* test.py - testing script\n\n**test.py** dumps all symbols from the provided PDB file. It also generates C file which tests if offsets of the members of structures and unions do match the original offsets in the PDB file. The C file is then compiled using **msbuild** and ran. If the resulting program prints a line starting with **[!]**, it is considered as error. In that case, line also contains information about struct/union + member + offset that did not match. It prints nothing on success.\n\nBecause the **test.py** uses **msbuild** for creating tests, special environment variables must be set. It can be accomplished either by running **test.py** from the developer console or by calling **env.bat**. **env.bat** file exists only for convenience and does nothing else than running the **VsDevCmd.bat** from the default Visual Studio 2015 installation directory. The environment variables are set in the current console process, therefore this script can be called only once.\n\n### Documentation\n\n**pdbex -h** should make it:\n\n```\nVersion v0.18\n\npdbex \u003csymbol\u003e \u003cpath\u003e [-o \u003cfilename\u003e] [-t \u003cfilename\u003e] [-e \u003ctype\u003e]\n [-u \u003cprefix\u003e] [-s prefix] [-r prefix] [-g suffix]\n [-p] [-x] [-m] [-b] [-d] [-i] [-l]\n\n\u003csymbol\u003e Symbol name to extract\n Use '*' if all symbols should be extracted.\n Use '%' if all symbols should be extracted separately.\n\u003cpath\u003e Path to the PDB file.\n -o filename Specifies the output file. (stdout)\n -t filename Specifies the output test file. (off)\n -e [n,i,a] Specifies expansion of nested structures/unions. (i)\n n = none Only top-most type is printed.\n i = inline unnamed Unnamed types are nested.\n a = inline all All types are nested.\n -u prefix Unnamed union prefix (in combination with -d).\n -s prefix Unnamed struct prefix (in combination with -d).\n -r prefix Prefix for all symbols.\n -g suffix Suffix for all symbols.\n\nFollowing options can be explicitly turned off by adding trailing '-'.\nExample: -p-\n -p Create padding members. (T)\n -x Show offsets. (T)\n -m Create Microsoft typedefs. (T)\n -b Allow bitfields in union. (F)\n -d Allow unnamed data types. (T)\n -i Use types from stdint.h instead of native types. (F)\n -j Print definitions of referenced types. (T)\n -k Print header. (T)\n -n Print declarations. (T)\n -l Print definitions. (T)\n -f Print functions. (F)\n -z Print #pragma pack directives. (T)\n -y Sort declarations and definitions. (F)\n```\n\n\n### License\n\nAll the code in this repository is open-source under the MIT license. See the **LICENSE.txt** file in this repository.\n\nIf you find this project interesting, you can buy me a coffee\n\n```\n BTC 3GwZMNGvLCZMi7mjL8K6iyj6qGbhkVMNMF\n LTC MQn5YC7bZd4KSsaj8snSg4TetmdKDkeCYk\n```\n\n [msdn-symbols]: \u003chttps://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx\u003e\n [headers-nirsoft]: \u003chttp://www.nirsoft.net/kernel_struct/vista/index.html\u003e\n [headers-moonsoft]: \u003chttp://msdn.moonsols.com/\u003e\n [headers-reactos]: \u003chttp://doxygen.reactos.org/df/d7e/structETHREAD-members.html\u003e\n [headers-mirt]: \u003chttp://msdn.mirt.net/\u003e\n [headers-volatility]: \u003chttp://volatilityfoundation.github.io/volatility/classvolatility_1_1plugins_1_1overlays_1_1windows_1_1vista_1_1___e_t_h_r_e_a_d.html\u003e\n\n","funding_links":[],"categories":["TODO scan for Android support in followings","\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003e侦察\u0026\u0026信息收集\u0026\u0026子域名发现与枚举\u0026\u0026OSINT","\u003ca id=\"170048b7d8668c50681c0ab1e92c679a\"\u003e\u003c/a\u003e工具","C++"],"sub_categories":["\u003ca id=\"375a8baa06f24de1b67398c1ac74ed24\"\u003e\u003c/a\u003e信息收集\u0026\u0026侦查\u0026\u0026Recon\u0026\u0026InfoGather"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwbenny%2Fpdbex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwbenny%2Fpdbex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwbenny%2Fpdbex/lists"}