Basic system files provided by Windows (dependencies from top to bottom)

  • msvcrt.dll / ucrtbase.dll provide the basic CRT (C runtime) library, functions such as fopen, _sleep, etc. The former, msvcrt, is bound to the MSVC version number, and different versions are not fully compatible (this is also why installing a lot of software installs the Microsoft Runtime); the latter is Microsoft's newer general-purpose version, the so-called Universal CRT.
  • kernel32.dll / kernelbase.dll provide the Win32-compatible API functions, such as the basic CreateFileW (note that CreateFile is a macro, not a function) and SleepEx. These functions are all user-facing.
  • ntdll.dll provides the user-mode entry points of the WinNT kernel functions, such as NtCreateFile and NtDelayExecution. These Nt-prefixed functions are the lowest-level functions of the Windows system that user code can access. Their parameter requirements are strict (for example, they all require wchar_t strings, and path names need the strange NTFS-style format), and their implementation is all syscalls.
  • ntoskrnl.exe is the WinNT system kernel image (NT Operating System KeRNeL). The real kernel code lives here; it is not accessible to user code, and its entry point from user mode is the ntdll above.

Wikipedia: https://en.wikipedia.org/wiki/Windows_API

The Windows APIs exposed by Microsoft are inherited from the Win32 APIs of the ancient Windows 95 era, namely those provided by kernel*. Full documentation is available on MSDN, and the Windows SDK ships full header files. Microsoft (nominally) guarantees both API and ABI compatibility, which is why programs that run on WinXP, and even some Win98 programs, can run directly on Win11.

But the Windows NT kernel, the WinNT API, is the essence. For example, the special behavior of Sleep(0) in the Win32 API can be clearly distinguished as NtDelayExecution versus NtYieldExecution in the WinNT API. ntdll provides a large number of powerful functions close to the kernel. However, first, Microsoft provides no documentation or header file definitions for them, and second, it does not guarantee API/ABI compatibility between versions (for example, this time the IoRing ABI was incompatible, which made me debug for a long time). When I want to use them I sometimes have to LoadLibrary them manually (of course, in most cases linking ntdll.lib is enough).
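To make the layering above concrete, here is an added example (not code from the original post) that performs the same delay through the documented kernel32 layer and through the undocumented ntdll layer with ctypes. The NtDelayExecution and NtYieldExecution prototypes are declared by hand because no shipped header provides them; that declaration, the 100 ns relative-interval convention and the NT_SUCCESS check are the practitioner details the text only alludes to. The actual DLL calls are guarded so the helpers still import on a non-Windows host; a 64-bit Windows host is assumed for the calls themselves.

```python
"""kernel32!SleepEx versus ntdll!NtDelayExecution via ctypes (added example)."""
import ctypes
import sys


def ms_to_nt_relative(ms):
    """NtDelayExecution takes a LARGE_INTEGER in 100 ns units.
    A negative value means 'relative to now'; a positive value is an
    absolute FILETIME-style timestamp."""
    return -int(ms * 10_000)


def nt_success(status):
    """NT_SUCCESS(): an NTSTATUS is success or informational when the
    signed 32-bit value is >= 0 (0xC0000005 fails, 0x102 STATUS_TIMEOUT does not)."""
    return ctypes.c_int32(status).value >= 0


if sys.platform == "win32":
    # ctypes.WinDLL is LoadLibrary; attribute access is GetProcAddress.
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")

    # Documented: DWORD SleepEx(DWORD dwMilliseconds, BOOL bAlertable)
    kernel32.SleepEx.argtypes = (ctypes.c_uint32, ctypes.c_int)
    kernel32.SleepEx.restype = ctypes.c_uint32

    # Undocumented in the SDK headers; prototypes taken from public reverse-
    # engineering references (assumption, not from the original post):
    #   NTSTATUS NtDelayExecution(BOOLEAN Alertable, PLARGE_INTEGER DelayInterval)
    #   NTSTATUS NtYieldExecution(void)
    ntdll.NtDelayExecution.argtypes = (ctypes.c_ubyte, ctypes.POINTER(ctypes.c_int64))
    ntdll.NtDelayExecution.restype = ctypes.c_uint32  # NTSTATUS
    ntdll.NtYieldExecution.argtypes = ()
    ntdll.NtYieldExecution.restype = ctypes.c_uint32


def sleep_win32(ms):
    """The Win32 path: Sleep(ms) is SleepEx(ms, FALSE). Returns SleepEx's DWORD."""
    return kernel32.SleepEx(int(ms), 0)


def delay_ntdll(ms):
    """The ntdll path. This example routes the zero case to NtYieldExecution and
    everything else to NtDelayExecution; returns the raw NTSTATUS."""
    if ms == 0:
        return ntdll.NtYieldExecution()
    interval = ctypes.c_int64(ms_to_nt_relative(ms))
    return ntdll.NtDelayExecution(0, ctypes.byref(interval))


if __name__ == "__main__":
    if sys.platform != "win32":
        print("calls skipped: not on Windows; helpers only")
    else:
        print("SleepEx ->", sleep_win32(10))
        status = delay_ntdll(10)
        print(f"NtDelayExecution -> {status:#010x} success={nt_success(status)}")
        status = delay_ntdll(0)
        print(f"NtYieldExecution -> {status:#010x} success={nt_success(status)}")
```

Note that NtYieldExecution legitimately returns STATUS_NO_YIELD_PERFORMED (an informational, non-zero status) when no other thread was ready, which is exactly why the check must be NT_SUCCESS rather than `status == 0`.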

If you want to use the WinNT API, you first need to know which functions WinNT provides. The easiest way is to open ntdll.dll in a PE viewer (I use XPEViewer) and look at the export function table.


These functions have very standard Pascal-case names, so you can guess their purpose from the name and then search the Internet. If you scroll down, you can also see that ntdll defines many CRT functions as well.
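A PE viewer is doing nothing more than walking the export directory, and being able to do that yourself is handy when auditing which Nt* entry points a binary exposes or when no GUI tool is at hand. The following is an added example, not code from the original post: a dependency-free PE32/PE32+ export-table reader in Python, plus a builder that constructs a minimal fake image (not a loadable DLL) so the script has offline input. Run it with a path to a real 64-bit ntdll.dll to list the Nt* exports the text describes.

```python
"""Minimal PE export-directory reader (added example, no third-party modules)."""
import struct
import sys

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE, PE32PLUS_MAGIC = 0x5A4D, 0x4550, 0x20B


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_exports(data):
    """Return [(name, ordinal, function_rva, forwarder_or_None), ...]."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if struct.unpack_from("<I", data, nt)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, nt + 6)  # IMAGE_FILE_HEADER
    opt = nt + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir0 = opt + (112 if magic == PE32PLUS_MAGIC else 96)    # DataDirectory[0] = export
    exp_rva, exp_size = struct.unpack_from("<II", data, dir0)
    sections = []
    for i in range(nsect):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return []
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    (_, _, _, _, _, base, _, nnames, funcs, names,
     ords) = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(exp_rva, sections))
    out = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva_to_offset(names, sections) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, rva_to_offset(ords, sections) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, rva_to_offset(funcs, sections) + 4 * idx)[0]
        # An address inside the export directory itself is a forwarder string, not code.
        fwd = read_cstring(data, rva_to_offset(func_rva, sections)) if exp_rva <= func_rva < exp_rva + exp_size else None
        out.append((read_cstring(data, rva_to_offset(name_rva, sections)), base + idx, func_rva, fwd))
    return out


def build_fake_dll(export_names, dll_name=b"fake.dll"):
    """Construct a minimal PE32+ image whose only section holds an export directory.
    Constructed test input for this example; it is not a loadable DLL."""
    n, sect_va, sect_raw = len(export_names), 0x1000, 0x200
    funcs_rva, names_rva = sect_va + 40, sect_va + 40 + 4 * n
    ords_rva, strings_rva = names_rva + 4 * n, names_rva + 4 * n + 2 * n
    strings, name_rvas = bytearray(), []
    for nm in export_names:
        name_rvas.append(strings_rva + len(strings))
        strings += nm.encode() + b"\0"
    dllname_rva = strings_rva + len(strings)
    strings += dll_name + b"\0"
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    blob += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)
    blob += b"".join(struct.pack("<H", i) for i in range(n))
    blob += bytes(strings)
    img = bytearray(sect_raw + 0x200)
    img[0:2], nt, opt_size = b"MZ", 0x40, 240                   # 240 = sizeof(IMAGE_OPTIONAL_HEADER64)
    struct.pack_into("<I", img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    struct.pack_into("<H", img, nt + 24, PE32PLUS_MAGIC)
    struct.pack_into("<II", img, nt + 24 + 112, sect_va, len(blob))
    struct.pack_into("<8sIIII", img, nt + 24 + opt_size, b".rdata", len(blob), sect_va, 0x200, sect_raw)
    img[sect_raw:sect_raw + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_dll(
        ["NtCreateFile", "NtDelayExecution", "memcpy"])
    for name, ordinal, rva, fwd in list_exports(data):
        print(f"{ordinal:5d}  {rva:#010x}  {name}" + (f"  -> {fwd}" if fwd else ""))
```

Filtering the output on a `Nt` prefix gives the same list a PE viewer shows; the forwarder column matters on real system DLLs, where kernel32 exports that are really implemented in kernelbase show up as forwarder strings rather than code addresses.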

A PE viewer only shows function names; to call them you need their precise declarations. Part of those declarations can be found in the symbol file (PDB) for ntoskrnl.exe.

The PDB is public and can be downloaded from Microsoft's Symbol Server. Some symbol files (kernel32.pdb, ntdll.pdb, etc.) are downloaded automatically when debugging system DLLs in MSVC, but ntoskrnl.pdb never is. You can use PDBDownloader to download it manually.

The downloaded PDB file can be read with PDBRipper.


PDBRipper currently has a bug: it does not support anonymous unions in structs.

You can also use pdbex to export a header file directly, and it does not have the anonymous-union bug.

The data structures (structs and unions) used by most functions can be obtained from the PDB file, but precise function declarations are still missing. Some function declarations can be found online, and I don't know where to get the rest ;)


CarterLi