From b1321850c1d34493febf7471a5431465b6dca0b7 Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Fri, 3 Nov 2023 15:06:34 +0100
Subject: [PATCH] ExtractOffsets.py: detect invalid PDB
---
 Offsets/ExtractOffsets.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/Offsets/ExtractOffsets.py b/Offsets/ExtractOffsets.py
index c1428fc..c921808 100644
--- a/Offsets/ExtractOffsets.py
+++ b/Offsets/ExtractOffsets.py
@@ -225,7 +225,21 @@ def get_pdb(pe: PE, pe_path, keep_ondisk=True, verbose=False):
 print(f"[!] ERROR : Could not download PDB of {pe_path} (URL: {pdb_url}): {str(e)}.")
 return None, None
 elif os.path.isfile(pdb_file_path):
- # todo: check the PDB and PE GUID are identical
+ pdb = Pdb(path=pdb_file_path)
+ pe.parse_data_directories(directories=[DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_DEBUG"]])
+ guid_string = (
+ f"{pe.DIRECTORY_ENTRY_DEBUG[0].entry.Signature_Data1:08x}-"
+ + f"{pe.DIRECTORY_ENTRY_DEBUG[0].entry.Signature_Data2:04x}-"
+ + f"{pe.DIRECTORY_ENTRY_DEBUG[0].entry.Signature_Data3:04x}-"
+ + f"{pe.DIRECTORY_ENTRY_DEBUG[0].entry.Signature_Data4:02x}"
+ + f"{pe.DIRECTORY_ENTRY_DEBUG[0].entry.Signature_Data5:02x}-"
+ + pe.DIRECTORY_ENTRY_DEBUG[0].entry.Signature_Data6.hex().lower()
+ )
+ if str(pdb.PDBStream.Guid).lower() != guid_string:
+ print(f"[!] ERROR : PDB {pdb_file_path} does match {pe_path}. Redownloading")
+ del pdb
+ os.remove(pdb_file_path)
+ return get_pdb(pe, pe_path, keep_ondisk, verbose)
 return pdb_file_path, None
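Review bot: The GUID comparison reads `pe.DIRECTORY_ENTRY_DEBUG[0]` unconditionally, so a PE whose first debug-directory entry is not a CodeView RSDS record (or has no parsed `entry`) would raise an AttributeError rather than be handled as a mismatch. `get_pdb` starts and ends outside this hunk, so earlier code may already guarantee this; if it does not, select the entry explicitly with `cv = next((d.entry for d in pe.DIRECTORY_ENTRY_DEBUG if hasattr(d.entry, "Signature_Data1")), None)` and treat `None` as "cannot verify". The recursive `get_pdb(...)` call after `os.remove` presumably lands in the download branch, and nothing visible here re-runs the check there, so a freshly downloaded PDB appears to be trusted unverified. The log message also reads "does match" where "does not match" is meant.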