While IDA comes with a rich set of type libraries for the Windows API, they don’t cover the whole set of types used in Windows. Our libraries are based on the official Windows SDK/DDK headers, which tend to include only public, stable information that is common to multiple Windows versions. A new Windows build may introduce new types or start using some of the previously reserved fields. Because some of these structures are critical for proper debugging, Microsoft usually publishes a subset of the actual, up-to-date types in the PDBs for the core Windows modules (ntdll.dll for user mode, ntoskrnl.exe for kernel mode). Thus, you can usually use these files to get types matching the Windows version you’re analyzing.
Loading types from PDB
To load an additional PDB file, use File > Load file > PDB File…
Here, you can specify either an already downloaded PDB, or a path to an .exe or .dll. In the latter case, IDA will try to fetch the matching PDB from the symbol servers (the match is determined by the GUID and age recorded in the executable’s debug directory, not by the file name). Because we’re loading a PDB which does not actually match the currently loaded file, check “Types only” so that the global symbols from it are not applied to addresses in the current database where they don’t belong.
After downloading and processing the PDB, the new types can be consulted in the Local Types view.
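As an added illustration of what “matching PDB” means in the step above (this is example code written for this page, not part of the tip or of IDA’s own PDB plugin), the script below parses the RSDS CodeView record that a PE’s debug directory points at, derives the symbol-server key from its GUID and age, and checks whether a given PDB’s GUID/age pair matches. The GUID, age and path in SAMPLE_RSDS are constructed values for the example, not those of any real ntdll build.

```python
import struct
import uuid

# Constructed sample: an RSDS (CodeView 7) record of the kind an
# IMAGE_DEBUG_TYPE_CODEVIEW entry in a PE's debug directory points at.
# The GUID, age and PDB path are made up for this example.
SAMPLE_GUID = uuid.UUID("12345678-9abc-def0-1234-56789abcdef0")
SAMPLE_RSDS = (
    b"RSDS"                     # signature
    + SAMPLE_GUID.bytes_le      # GUID, Windows in-memory (little-endian) layout
    + struct.pack("<I", 3)      # age
    + b"ntdll.pdb\0"            # NUL-terminated PDB path
)


def parse_rsds(record: bytes) -> dict:
    """Split an RSDS record into its GUID, age and PDB path."""
    if len(record) < 24 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.index(b"\0", 24)
    pdb_path = record[24:end].decode("ascii", errors="replace")
    return {"guid": guid, "age": age, "pdb_path": pdb_path}


def symstore_key(guid: uuid.UUID, age: int) -> str:
    """Symbol-store key: 32 upper-case hex digits of the GUID followed by the age in hex."""
    return guid.hex.upper() + f"{age:X}"


def symbol_server_url(record: bytes,
                      server: str = "https://msdl.microsoft.com/download/symbols") -> str:
    """URL a symbol-server client would request for the PDB named in the record."""
    info = parse_rsds(record)
    # Only the file name is used; the build machine's directory part is dropped.
    name = info["pdb_path"].replace("\\", "/").rsplit("/", 1)[-1]
    return f"{server}/{name}/{symstore_key(info['guid'], info['age'])}/{name}"


def pdb_matches(record: bytes, pdb_guid: uuid.UUID, pdb_age: int) -> bool:
    """True if the GUID/age pair stored inside a PDB matches the executable's record."""
    info = parse_rsds(record)
    return info["guid"] == pdb_guid and info["age"] == pdb_age


if __name__ == "__main__":
    print(parse_rsds(SAMPLE_RSDS))
    print(symbol_server_url(SAMPLE_RSDS))
    # A PDB from a different build of the same module has a different GUID/age,
    # which is exactly the situation where "Types only" is the right choice.
    print(pdb_matches(SAMPLE_RSDS, SAMPLE_GUID, 4))
```

When the pair does not match, the PDB still carries the up-to-date structure definitions, but its global symbol addresses belong to a different build, which is why the tip recommends loading only the types in that case.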
Igor’s tip of the week #55: Using debug symbols