PDB Information

Overview

Evidence: PDB Information
Description: Collect Program Database Information
Category: System
Platform: Windows
Short Name: pdbinf
Is Parsed: Yes - PDB information extracted from PE headers
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Program Database (PDB) files contain debugging symbols for compiled binaries. PE executables and DLLs embed references to their PDB files including the PDB file name, GUID, and age. This information is used by debuggers and crash analysis tools to load the correct symbols.

PDB information can be used to verify the authenticity of system binaries and detect malware that may have corrupted or replaced system files.

Data Collected

Field   Description          Example
Path    Path to binary file  C:\Windows\System32\ntoskrnl.exe
Name    PDB file name        ntkrnlmp.pdb
GUID    PDB GUID identifier  12345678-1234-1234-1234-123456789ABC
Age     PDB age value        1

Collection Method

This collector extracts PDB information from critical system binaries:

  • C:\Windows\System32\NTOSKRNL.EXE

  • C:\Windows\System32\NTKRNLPA.EXE

  • C:\Windows\System32\NTKRNLMP.EXE

  • C:\Windows\System32\NTKRPAMP.EXE

  • C:\Windows\System32\drivers\ntfs.sys

  • C:\Windows\System32\HAL.dll

  • C:\Windows\System32\ntdll.dll

  • C:\Windows\SysWOW64\ntdll.dll

  • C:\Windows\System32\kernel32.dll

  • C:\Windows\SysWOW64\kernel32.dll

For each binary, it parses the PE debug directory to extract CodeView PDB information.
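As an added illustration (not the collector's own code), the Python below parses the CodeView RSDS record that the debug directory entry points to and derives the Microsoft Symbol Server lookup key from the GUID and age. It assumes the caller has already located the IMAGE_DEBUG_TYPE_CODEVIEW entry in the PE file; the sample record is constructed from the GUID and age shown in the table above.

```python
import struct
import uuid

# CodeView "RSDS" record pointed to by an IMAGE_DEBUG_DIRECTORY entry of type
# IMAGE_DEBUG_TYPE_CODEVIEW (2):
#   char   Signature[4];   // "RSDS"
#   GUID   Guid;           // 16 bytes, Windows (mixed-endian) GUID layout
#   uint32 Age;
#   char   PdbFileName[];  // NUL-terminated UTF-8 path
RSDS_MAGIC = b"RSDS"
RSDS_HEADER = struct.Struct("<4s16sI")


def parse_rsds(record: bytes) -> dict:
    """Extract PDB name, GUID and age from a raw CodeView record."""
    if len(record) < RSDS_HEADER.size:
        raise ValueError("CodeView record truncated")
    sig, guid_raw, age = RSDS_HEADER.unpack_from(record)
    if sig != RSDS_MAGIC:
        # Legacy NB10 records (and anything else) carry no PDB 7.0 GUID.
        raise ValueError(f"unsupported CodeView signature {sig!r}")
    name = record[RSDS_HEADER.size:].split(b"\x00", 1)[0]
    return {
        # bytes_le matches the on-disk GUID layout (first three fields LE).
        "guid": uuid.UUID(bytes_le=guid_raw),
        "age": age,
        "name": name.decode("utf-8", errors="replace"),
    }


def symbol_server_path(info: dict) -> str:
    """Relative store path: name/<GUID hex upper><age hex upper>/name."""
    pdb = info["name"].rsplit("\\", 1)[-1]  # embedded name may be a build path
    key = info["guid"].hex.upper() + format(info["age"], "X")
    return f"{pdb}/{key}/{pdb}"


def build_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Constructed test record, not taken from any real binary."""
    return RSDS_HEADER.pack(RSDS_MAGIC, guid.bytes_le, age) + pdb_path.encode() + b"\x00"


# Constructed sample reusing the GUID and age shown in the Data Collected table.
SAMPLE = build_rsds(uuid.UUID("12345678-1234-1234-1234-123456789ABC"), 1,
                    r"D:\build\ntkrnlmp.pdb")

if __name__ == "__main__":
    info = parse_rsds(SAMPLE)
    print(info["name"], info["guid"], info["age"])
    print(symbol_server_path(info))
```

Comparing the resulting key against a trusted symbol store, or against the same binary on a known-good host, is how a mismatched or replaced system file shows up.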

Usage

PDB information helps verify system binary integrity and supports advanced debugging scenarios. Investigators use this data to verify system file authenticity, detect rootkit kernel modifications, identify mismatched system files, support crash dump analysis, validate OS patch levels, and correlate with symbol servers for verification.

Known Limitations

  • Only checks a predefined list of critical files

  • A file must exist on disk for its PDB information to be extracted

  • Does not verify that the referenced PDB file is available

  • Limited to the specific system binaries listed above

Notes

The PDB GUID and signature uniquely identify the build of a binary. This can be used with Microsoft Symbol Server to download matching symbols or to verify that system files haven't been tampered with.
