In [1]:
import comtypes
import comtypes.client

# this has to be before the import that follows
msdia = comtypes.client.GetModule(r'C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll')

from comtypes.gen.Dia2Lib import *

try:
    dia = comtypes.client.CreateObject(msdia.DiaSource)
except Exception as exc:
    print("Exception creating DIA object: %s\nTry to regsrv32.dll msdia90.dll" % (str(exc)))
    sys.exit(1)


In [2]:
import pefile

class PEFile(pefile.PE):
    def __init__(self, path):
        pefile.PE.__init__(self, self.path)
        
        self.path = path
        self.pdbFileName = None
        self.pdbObj = None
        self.symbols = None

In [3]:
SYMBOLS_SERVER = 'https://msdl.microsoft.com/download/symbols'


def getPDBURL(pe: PEFile):
    #pe.parse_data_directories()
    string_version_info = {}
    for fileinfo in pe.FileInfo[0]:
        if fileinfo.Key.decode() == 'StringFileInfo':
                for st in fileinfo.StringTable:
                        for entry in st.entries.items():
                            string_version_info[entry[0].decode()] = entry[1].decode()
    verStr = string_version_info['ProductVersion']
    for directory in pe.DIRECTORY_ENTRY_DEBUG:
        debug_entry = directory.entry
        if hasattr(debug_entry, 'PdbFileName'):
            pdb_file = debug_entry.PdbFileName[:-1].decode('ascii')
            guid = f'{debug_entry.Signature_Data1:08x}'
            guid += f'{debug_entry.Signature_Data2:04x}'
            guid += f'{debug_entry.Signature_Data3:04x}'
            guid += f'{int.from_bytes(debug_entry.Signature_Data4, byteorder="big"):016x}'
            guid = guid.upper()
            url = f'/{pdb_file}/{guid}{debug_entry.Age:x}/{pdb_file}'
            pdbFileName = f'{pdb_file[:-4]}-{verStr}.pdb'
            return url, pdbFileName
    return None

import os
import requests
import shutil
def downloadPDB(path, localCache=r'E:\Symbols'):
    pdbUrl, pdbFileName = getPDBURL(path)
    pdbPath = localCache + pdbUrl
    pdbPath = os.path.realpath(pdbPath)
    if not os.path.exists(pdbPath):
        with open(pdbPath, 'wb') as f:
            f.write(requests.get(pdbUrl).content)
    shutil.copyfile(pdbPath, pdbFileName)
    return pdbFileName

twinuipcshell = PEFile(r'C:\Windows\System32\twinui.pcshell.dll')
twinuipcshell.pdbFileName = downloadPDB(twinuipcshell)
actxprxy = PEFile(r'C:\Windows\System32\actxprxy.dll')
actxprxy.pdbFileName = downloadPDB(actxprxy)
#print(twinuipcshell_pdbfile, actxprxy_pdbfile)

In [5]:
def loadPDB(pdbFile):
    try:
        dia = comtypes.client.CreateObject(msdia.DiaSource)
        dia.loadDataFromPdb(pdbFile)
        return dia.openSession()
    except Exception as exc:
        print(('[!] loadDataFromPdb() error %s' % (str(exc))))

twinuipcshell.pdbObj = loadPDB(twinuipcshell.pdbFileName)
actxprxy.pdbObj = loadPDB(actxprxy.pdbFileName)

In [18]:
udtEnumToStr = ('struct', 'class', 'union', 'interface')
# Utility class for capturing some of the data from UDT symbol list in PDB file
class PDBSymbol:

    @classmethod
    def fromDia(cls, symbol_data):
        return PDBSymbol(udtEnumToStr[symbol_data.udtKind], symbol_data.name, symbol_data.undecoratedName, symbol_data.virtualAddress, symbol_data.length)
    
    def __init__(self, kind = '', name = '', undName = '', rva = 0, size = 0):

        self.kind = kind
        self.name = name
        self.undName = undName
        self.rva = rva
        self.size = size

    def __str__(self):

        sstr = '0x%08x (%4dB) %s\t%s' % (self.rva, self.size, self.kind, self.name)

        return sstr

    def __repr__(self):
        return f'<PDBSymbol {str(self)}>'

    # required for hash
    def __hash__(self):
        return hash((self.name, self.rva, self.kind))

    # required for hash, when buckets contain multiple items
    def __eq__(self, other):
        return (self.name == other.name and self.rva == other.rva and self.kind == other.kind)
    
    def __contains__(self, key):
        return self.__eq__(key)

# EOF

In [11]:
symb = twinuipcshell.pdbObj.globalScope.findChildren(SymTagPublicSymbol, None, 0)[100]
symbol_data = symb.QueryInterface(IDiaSymbol)
print(symbol_data.name, symbol_data.virtualAddress, )
hex(twinuipcshell.get_dword_at_rva(symbol_data.virtualAddress))

??1WindowTabHostLivePreviewThumbnailRequested@WindowTabHostTelemetry@@QEAA@XZ 6074484


'0x83485340'

In [20]:
# parse the input PDB
def parsePDB(pdbObj):
    syms = set()

    # iterate the public syms to find all vtables
    for symb in pdbObj.globalScope.findChildren(SymTagPublicSymbol, None, 0):
        symbol_data = symb.QueryInterface(IDiaSymbol)
        symbol_obj = PDBSymbol.fromDia(symbol_data)
    
        syms.add(symbol_obj)

        #print(symbol_data.undecoratedName, symbol_data.name)

    # iterate all UDT/private? symbols
    for symb in pdbObj.globalScope.findChildren(SymTagUDT, None, 0):
        symbol_data = symb.QueryInterface(IDiaSymbol)
        #print(symbol_data.undecoratedName, symbol_data.name)
        symbol_obj = PDBSymbol.fromDia(symbol_data)
    
        syms.add(symbol_obj)

    return list(syms)

twinuiSyms = parsePDB(twinuipcshell.pdbObj)
actxprxySyms = parsePDB(actxprxy.pdbObj)

In [33]:
actxprxySymMap = {c.name: c for c in actxprxySyms}
twinuiSymMap = {c.name: c for c in twinuiSyms}

In [41]:
# dump guid
def GUIDToStr(guidbytes):
    return '%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X' % (
        int.from_bytes(guidbytes[:4], 'little'),
        int.from_bytes(guidbytes[4:6], 'little'),
        int.from_bytes(guidbytes[6:8], 'little'),
        *[int.from_bytes(guidbytes[i:i+1], 'little') for i in range(8, 16)]
    )

IID_IVirtualDesktopManagerInternal = GUIDToStr(actxprxy.get_data(actxprxySymMap["IID_IVirtualDesktopManagerInternal"].rva, 16))
IID_IVirtualDesktopManager = GUIDToStr(twinuipcshell.get_data(twinuiSymMap["IID_IVirtualDesktopManager"].rva, 16))
IID_IVirtualDesktop = GUIDToStr(twinuipcshell.get_data(twinuiSymMap["IID_IVirtualDesktop"].rva, 16))

KeyError: 'IID_IVirtualDesktop'

In [42]:
# dump vft
def dumpVFT(pe: PEFile, vftName):
    pe.get_data(pe['??_7CVirtualDesktopManager@@6BIVirtualDesktopManagerInternal@@@'].rva, 16)

<PDBSymbol 0x006ef540 (0184B) struct	??_7CVirtualDesktopManager@@6BIVirtualDesktopManagerInternal@@@>