
Load windbg symbols #688

Closed
Ana06 opened this issue Oct 12, 2023 · 10 comments · Fixed by #986
Assignees
Labels
🌀 FLARE-VM A package or feature to be used by FLARE-VM 💎 enhancement It is working, but it could be better

Comments

@Ana06
Member

Ana06 commented Oct 12, 2023

From #252 (comment) (got lost as we only installed windbg when we closed that issue):

Load explorer.exe, it will take some time (~30min), but will load many symbols so that you don't have to wait when working on other samples.
We can use .reload /f.

Not sure if it should be part of the windbg.vm package or something like windbg.symbols.vm (so that we make downloading symbols optional).

I think I tend to prefer windbg.symbols.vm, other ideas?

@Ana06 Ana06 added the 💎 enhancement It is working, but it could be better label Oct 12, 2023
@Ana06 Ana06 added this to the FLARE-VM 2023 Q4 milestone Oct 13, 2023
@Ana06 Ana06 added the 🌀 FLARE-VM A package or feature to be used by FLARE-VM label Oct 17, 2023
@cxiao

cxiao commented Oct 18, 2023

Hi @Ana06, I'm not sure how you feel about pulling in another dependency, but I've had good success in the past with the tool pdblister for enumerating and downloading PDB files for a Windows analysis machine: https://github.com/microsoft/pdblister

It's much faster at both enumeration and download than WinDbg's .reload /f, or symchk, as it parallelizes both the enumeration and download process.

# Enumerate PDB paths of all PE files inside System32, recursively, and dump them to a manifest file in the current directory, named `manifest`
./pdblister.exe manifest C:\Windows\System32

# Read the generated manifest file, and download all symbols listed inside them to C:\Symbols
./pdblister.exe download SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols

Here is an idea of how fast it is, for my analysis machine with 5421 PDBs (about 4.9 GB) from PE files in C:\Windows\System32. It downloads multiple PDB files in parallel, and saturates my ~70Mbps internet connection.

In this case I did the enumeration on an offline Windows VM (using the Windows version of pdblister) and the download on an online Linux VM (using the Linux version of pdblister), and then moved the downloaded symbols back to the Linux machine. However, you can do both the enumeration and download on the same Windows machine, using the same pdblister binary.

PS> Measure-Command { .\pdblister.exe manifest C:\Windows\System32\ } | Format-List TotalSeconds

TotalSeconds : 24.047701
$ time ./pdblister download "SRV*./symbols*https://msdl.microsoft.com/download/symbols"
Original manifest has 5421 PDBs
Deduped manifest has 5117 PDBs
[00:19:54] ███████████████████████████████████████████████████████████████████████       5117/5117       (0s) 143 files failed to download
0 files already downloaded
4974 files downloaded successfully
Success!

________________________________________________________
Executed in   19.91 mins    fish           external
   usr time   22.11 secs  175.00 micros   22.11 secs
   sys time  180.54 secs  419.00 micros  180.54 secs
   
$ du --human-readable --summarize ./symbols/
4.9G    ./symbols/

@binjo
Contributor

binjo commented Oct 18, 2023

That amount of storage for symbols is probably not ideal for distribution. pdblister looks great for a package candidate, and gives the user options to download after installation.

@Ana06 Ana06 removed this from the FLARE-VM 2023 Q4 milestone Dec 12, 2023
@schrodyn

schrodyn commented Apr 1, 2024

I would very much like to see symbols appearing in my FLARE-VM builds. Another alternative to downloading the symbols efficiently would be PDBReSym from the STrace project.

https://github.com/mandiant/STrace/blob/main/Rust/PDBReSym/src/main.rs#L437-L443

I've spoken with the author and depending on bandwidth and VM resources the tool completes downloading symbols in about 3 minutes =)

@stevemk14ebr
Contributor

stevemk14ebr commented Apr 1, 2024

+1 to Conor's comment, I maintain PDBReSym publicly (releases here: https://github.com/mandiant/STrace/releases/tag/v1.3.2) as part of my STrace project. Afaik it is the fastest tool to download and cache all Windows symbols. It's written in Rust so it is safe, and is something we should probably include in FLARE-VM as a Misc tool. Then as part of the FLARE-VM build we can have it run with the cachesyms flag, which will automatically enumerate all C:\Windows binaries and cache their symbols in a format identical to how windbg and other tools do, with the cache in C:\symbols by default; use the cachefolder flag to change this default.

If we are concerned about symbol cache size, we could make this a configuration option to run the tool, but at least include the tool in the VM image.

@Ana06
Member Author

Ana06 commented Apr 2, 2024

Thanks for the input @schrodyn and @stevemk14ebr! Does installing STrace download the symbols? Or do we need to do something else apart from installing STrace? We can create a package in this repository for STrace that installs the tool and performs any additional needed steps.

How much of a size increase would this imply?

FLARE is at the moment creating two builds, one is the default configuration and the other one (which we call full) includes Visual Studio as well. We do not have Visual Studio in the default configuration because of the increase in size. We can also share this configuration with the community by adding a full configuration in the flare-vm repo. Depending on the size increase, we can add this to either the default configuration or the full one.

@Ana06
Member Author

Ana06 commented Apr 2, 2024

@mandiant/flare-vm which category should we add STrace to?

@schrodyn

schrodyn commented Apr 2, 2024

FLARE-VM would just need to run PDBReSym.exe cachesyms and it will do the job. It will recurse, by default, through C:\Windows\System32\ and download all symbols and store them into C:\symbols. See help below.

The only issue that I can see might be the fact that PDBReSym isn't shipped as a compiled executable in the STrace releases. Maybe this is something Stephen can amend? Otherwise, the rust language toolchain would need to be installed in FLARE-VM and cargo build executed for PDBReSym and the executable placed into a suitable PATH.

In my malware analysis VM I ran PDBReSym.exe cachesyms and it was done in around 5 minutes while I was typing this comment and formatting it =)

C:\Users\user\Tools>PDBReSym.exe -h
Usage: PDBReSym.exe [OPTIONS] [COMMAND]

Commands:
  symbolicate  Symbolicate the given logfile and write out the symbolicated version. May download PDBs as necessary
  cachesyms    Iterates the specified sysdir and downloads all PDBs concurrently
  getpdb       Downloads the PDB for the given PE file
  downloadpe   Rather than downloading a PDB, download a PE from the symbol server
  help         Print this message or the help of the given subcommand(s)

Options:
      --cachefolder <cachefolder>  Path to directory to cache PDBs [default: C:\symbols]
  -h, --help                       Print help

C:\Users\user\Downloads\Tools>PDBReSym.exe cachesyms -h
Iterates the specified sysdir and downloads all PDBs concurrently

Usage: PDBReSym.exe cachesyms [OPTIONS]

Options:
      --sysdir <sysdir>  Path to folder containing windows system binaries [default: C:\Windows\System32\]
  -h, --help             Print help

C:\Users\user\Downloads\Tools>
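Both pdblister (cxiao's comment above) and PDBReSym cachesyms fill a WinDbg-style symbol store under C:\symbols. The following is an added example, not code from this thread or from either tool: it parses a PE's CodeView RSDS record and checks whether the matching PDB is already present in the store, so a build step can verify the cache instead of trusting the tool's exit status. It assumes the standard store layout `<pdb>\<GUID><age>\<pdb>` and a sample RSDS record that is constructed here for illustration.

```python
import struct
import uuid
from pathlib import Path

def parse_rsds(cv: bytes):
    """Parse a CodeView RSDS record: b'RSDS' + GUID (16 bytes) + age (u32 LE) + NUL-terminated PDB path."""
    if cv[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=cv[4:20])          # on-disk GUID uses the mixed-endian Windows layout
    age = struct.unpack_from("<I", cv, 20)[0]
    pdb_path = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return guid.hex.upper(), age, pdb_path

def symstore_relpath(guid_hex: str, age: int, pdb_path: str) -> str:
    """Symbol-store layout used by WinDbg: <pdb name>/<GUID hex><age hex>/<pdb name>."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]   # the build path in the PE is irrelevant
    return f"{name}/{guid_hex}{age:X}/{name}"

def codeview_record(pe: bytes):
    """Return the raw CODEVIEW (type 2) debug entry of a PE file image, or None if absent."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)   # NumberOfSections, SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (0x60 if magic == 0x10B else 0x70)                  # data directories start: PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, dd + 6 * 8)  # IMAGE_DIRECTORY_ENTRY_DEBUG = 6
    if dbg_rva == 0:
        return None
    sec = opt + opt_size
    sections = [struct.unpack_from("<IIII", pe, sec + i * 40 + 8) for i in range(nsections)]

    def rva2off(rva):  # map an RVA to a file offset via the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} not inside any section")
    off = rva2off(dbg_rva)
    for i in range(dbg_size // 28):                                # IMAGE_DEBUG_DIRECTORY is 28 bytes
        typ, size, _, raw_ptr = struct.unpack_from("<IIII", pe, off + i * 28 + 12)
        if typ == 2:                                               # IMAGE_DEBUG_TYPE_CODEVIEW
            return pe[raw_ptr:raw_ptr + size]
    return None

def pdb_cached(pe_file: str, store: str = r"C:\symbols") -> bool:  # True if this binary's PDB is in the store
    cv = codeview_record(Path(pe_file).read_bytes())
    return cv is not None and (Path(store) / symstore_relpath(*parse_rsds(cv))).is_file()
```

Run `pdb_cached(r"C:\Windows\System32\ntdll.dll")` after either tool has finished to confirm the store holds the PDB for the exact build on the VM, not just some ntdll.pdb.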

@schrodyn

schrodyn commented Apr 2, 2024

Just FYI, not sure how big my symbols folder was before I ran the tool, I already had a lot of symbols downloaded, but the size of the folder is now 8.96GB for my Windows 10 VM.

@Ana06
Member Author

Ana06 commented Apr 2, 2024

@stevemk14ebr has confirmed he can provide the PDBReSym binary in ~1-2 weeks. We'll create a package that installs it and runs the command @schrodyn provided after that. 😉

@Ana06
Member Author

Ana06 commented Apr 11, 2024

@stevemk14ebr provided the binary we need in the last release: https://github.com/mandiant/STrace/releases/tag/v1.3.3, thanks @stevemk14ebr!

@Ana06 Ana06 assigned Ana06 and unassigned stevemk14ebr Apr 11, 2024
@Ana06 Ana06 mentioned this issue Apr 11, 2024
@Ana06 Ana06 added this to the FLARE-VM 2024 Q2 - P1 milestone Jun 4, 2024