How does symstore calculate the directory hash value

Question

I am looking for the hash algorithm that symstore uses to create the directory name. I found this link Microsoft Symbol Server / Local Cache Hash Algorithm that describes the data elements that are used to generate the hash, but it does not go into any detail on how the hash value is calculated. I am interested to see how symstore generates the hash directory and if anyone has any sample code that they can show, that would be great!

Answer 1

symstore.exe calculates hash directory names as follows:

For PDB files, the GUID + Age, are used. Here is a python example:

pdb = pdbparse.parse("some.pdb")
pdb.STREAM_PDB.load()
guid = pdb.STREAM_PDB.GUID
guid_str = "%.8X%.4X%.4X%s" % (guid.Data1, guid.Data2, guid.Data3,
                               guid.Data4.encode("hex").upper())

symstore_hash = "%s%s" % (guid_str, pdb.STREAM_PDB.Age)

For PE (exe/dll) files, the TimeDateStamp (from IMAGE_FILE_HEADER) and SizeOfImage (from IMAGE_OPTIONAL_HEADER) are used. Here is a python example:

pe = pefile.PE("some.exe")

symstore_hash = "%X%X" % (pe.FILE_HEADER.TimeDateStamp,
                          pe.OPTIONAL_HEADER.SizeOfImage)

Here is an example python script that prints symstore hash values for PDB and PE files:

https://gist.github.com/lennartblanco/9a70961a5aa66fe49df6

Answer 2

Not sure if you have already reviewed this but it is the U.S. Patent describing the symbol store process. Its pretty dense as you can imagine but it does describe in quite a bit of detail how the symbol store directories are expanded and deleted (specifically in sections 6, 7, 8). Hope this helps or points you in the right direction.