Effective URL: https://www.tripwire.com/state-of-security/ghidra-101-loading-windows-symbols-pdb-files
Ghidra 101: Loading Windows Symbols (PDB files)


Posted on March 8, 2021




In this blog series, I will be putting the spotlight on useful Ghidra features
you may have missed. Each post will look at a different feature and show how it
helps you save time and be more effective in your reverse engineering workflows.
Ghidra is an incredibly powerful tool, but much of this power comes from knowing
how to use it effectively.

The process of transforming source code into application binaries is lossy,
but at least some of the lost information can be reincorporated into a Ghidra
analysis by loading debug information. In fact, Microsoft maintains a repository
of program database (PDB) files containing debugging information for each
published executable file. The PDB files generated when linking an application
can be used to correlate particular instructions with source file names and
line numbers as well as to label variables and functions with symbolic names
from the source. Although not strictly necessary for a successful analysis,
loading a PDB file can greatly accelerate the reversing process by giving a
glimpse into the authors’ thought process.

Ghidra helpfully provides functionality for identifying and downloading PDB
files from a symbol server. Although initial releases of Ghidra required
Windows, the release of version 9.2 in November 2020 has introduced a
platform-independent PDB parser, thereby opening the doors for Linux and macOS
users to easily analyze Windows components complete with symbol information. In
this post, I will briefly recap the steps for using Ghidra to analyze a Windows
binary with details loaded from Microsoft’s symbol server.

Being able to do this natively in Ghidra without a Windows computer is a big
productivity boost for those of us who must occasionally dissect Windows
binaries but who do not primarily use Windows as a native OS. It is really
fantastic to see the Ghidra developers adding features that directly improve my
workflow, and I can’t wait to see what’s in the pipeline for new features.

Without further introduction, here are the steps for identifying, downloading
and applying Windows PDB files from Microsoft’s public symbol server. The steps
were tested on macOS running Ghidra 9.2.2 via Amazon Corretto for JDK 11:

Step 1: Import a Windows executable or library into a Ghidra project.

Step 2: Open the program in CodeBrowser and select ‘No’ when asked to analyze
the program.

Step 3: Select ‘Download PDB’ from the File menu.

Step 4: Select ‘PDB’ when prompted to choose between PDB and XML.

Step 5: The next prompt asks about using a search path specified in the
executable. Select ‘No’ and then select a local folder where PDB files should be
downloaded.

Step 6: Click ‘Choose from known URLs’ to select an appropriate download URL and
click ‘Download from URL.’

Step 7: After a pop-up confirming the download success, select ‘Yes’ to apply
the PDB.

Step 8: Confirm the PDB load options by clicking ‘Apply.’

Step 9: Be patient while the symbols load. This can take a few minutes.

Step 10: Observe that the symbol tree has been populated with descriptive symbol
names.

All available Ghidra views and plugins should now be integrated with the
debugging information from the PDB.
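The symbol server lookup behind Step 6 is driven by the CodeView (RSDS) debug record embedded in the PE: the PDB file name, a GUID and an "age" counter. The Python 3 script below is an added example, not code from the original post or from Ghidra; it parses a constructed RSDS record and builds the matching download URL on Microsoft's public symbol server (the server name is the public one, the record contents are invented). The embedded path is the search path Step 5 asks about; it is data taken from the binary, so only its file name is used.

```python
import re
import struct
import uuid

# Microsoft's public symbol server, one of the "known URLs" Ghidra offers.
MS_SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"

# Constructed sample CodeView record (not taken from any real binary):
# "RSDS" signature, 16-byte GUID (little-endian fields), 4-byte age,
# then the NUL-terminated PDB path recorded by the linker.
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("0123abcd-4567-89ef-0123-456789abcdef").bytes_le
    + struct.pack("<I", 3)
    + b"C:\\build\\sample\\Release\\sample.pdb\x00"
)


def parse_rsds(blob: bytes) -> dict:
    """Split an RSDS CodeView record into GUID, age and embedded PDB path."""
    if len(blob) < 24 or blob[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=blob[4:20])
    (age,) = struct.unpack_from("<I", blob, 20)
    path = blob[24:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return {"guid": guid, "age": age, "path": path}


def symbol_server_key(guid: uuid.UUID, age: int) -> str:
    """Symbol server key: 32 upper-case hex digits of the GUID + age in hex."""
    return f"{guid.hex.upper()}{age:X}"


def pdb_url(blob: bytes, server: str = MS_SYMBOL_SERVER) -> str:
    """Build <server>/<pdb>/<GUID><age>/<pdb>, the symbol server layout."""
    info = parse_rsds(blob)
    # Keep only the file name; the directory part is untrusted input.
    name = re.split(r"[\\/]", info["path"])[-1]
    key = symbol_server_key(info["guid"], info["age"])
    return f"{server}/{name}/{key}/{name}"


if __name__ == "__main__":
    print(pdb_url(SAMPLE_RSDS))
```

The same key also names the subfolder Ghidra writes into the local PDB folder chosen in Step 5, so a stale or mismatched GUID/age is the first thing to check when a download "succeeds" but no symbols apply.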

NOTICE: These instructions were written for Ghidra 9.2.x. An updated post for
loading symbols in Ghidra 10.x is coming soon.

READ MORE ABOUT GHIDRA

Ghidra 101: Cursor Text Highlighting

Ghidra 101: Creating Structures in Ghidra

Ghidra 101: Decoding Stack Strings

Ghidra 101: Slice Highlighting

Ghidra 101: Loading Windows Symbols (PDB files) in Ghidra 10.x

Craig Young