I've used windbg for user mode debugging before, but I suspect I did something to my system because I don't recall having a problem using for example the extension command
It seems that with the Windows Updates distributed on 20151013, the heap information is available again.
0:018> !chksym ntdll
C:\Windows\SysWOW64\ntdll.dll
Timestamp: 56099FFA
SizeOfImage: 180000
pdb: wntdll.pdb
pdb sig: C2B37FDB-B631-4EA7-8A6D-7F51123F151E
age: 2
Loaded pdb is microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb
wntdll.pdb
pdb sig: C2B37FDB-B631-4EA7-8A6D-7F51123F151E
age: 2
MATCH: wntdll.pdb and C:\Windows\SysWOW64\ntdll.dll
and
0:018> lm v m *ntdll*
start end module name
77530000 776b0000 ntdll (pdb symbols) microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb
Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
Image path: C:\Windows\SysWOW64\ntdll.dll
Image name: ntdll.dll
Timestamp: Mon Sep 28 22:15:54 2015 (56099FFA)
CheckSum: 001412F8
ImageSize: 00180000
File version: 6.1.7601.23223
Product version: 6.1.7601.23223
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion: 6.1.7601.23223
FileVersion: 6.1.7601.23223 (win7sp1_ldr.150928-0600)
FileDescription: NT Layer DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
Can you install the updates, rebuild your application and try again?
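The pdb sig and age that !chksym prints above are what the debugger uses to locate the matching PDB. As an added example (not part of the original posts), this Python code parses a CodeView RSDS debug record and derives the symbol-store path seen in the lm output. The sample record is constructed from the signature, age and PDB name shown on this page, and the function names are illustrative.

```python
import struct
import uuid


def parse_rsds(record: bytes):
    """Parse a CodeView RSDS record: b'RSDS' + GUID(16) + age(u32 LE) + NUL-terminated PDB name."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    # The GUID is stored in Windows mixed-endian layout, which bytes_le decodes.
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("unterminated PDB name")
    return guid, age, record[24:end].decode("utf-8", "replace")


def symstore_path(pdb_name, guid, age):
    """Symbol-store layout: <pdb>\\<GUID hex without dashes><age in hex>\\<pdb>."""
    base = pdb_name.replace("/", "\\").rsplit("\\", 1)[-1]
    return f"{base}\\{guid.hex.upper()}{age:X}\\{base}"


def matches_loaded(record, loaded_pdb_path):
    """True if the PDB path the debugger loaded is the one this image's record asks for."""
    guid, age, name = parse_rsds(record)
    return loaded_pdb_path.lower().endswith(symstore_path(name, guid, age).lower())


def make_record(sig, age, pdb_name):
    """Build a constructed RSDS record for testing (not read from a real image)."""
    return b"RSDS" + uuid.UUID(sig).bytes_le + struct.pack("<I", age) + pdb_name.encode() + b"\x00"


# Constructed sample, using the signature, age and PDB name from the !chksym output.
SAMPLE = make_record("C2B37FDB-B631-4EA7-8A6D-7F51123F151E", 2, "wntdll.pdb")
# Loaded PDB path as reported by "lm v m *ntdll*".
LOADED = r"microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb"

if __name__ == "__main__":
    g, a, n = parse_rsds(SAMPLE)
    print(symstore_path(n, g, a))
    print("MATCH" if matches_loaded(SAMPLE, LOADED) else "MISMATCH")
```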
MS is getting rid of all type information in the latest Windows 7 PDBs. This breaks !heap. Here's a Twitter conversation about it started by Alex Ionescu, a co-author of "Windows Internals, Sixth Edition": https://twitter.com/aionescu/status/634028737458114560
UPDATE: 10/12/2015: Possible workaround using the PDB Type Theft Python script which copies type information from one PDB to another. The usage would be to copy the type information from an older PDB that has the type information that was removed in later PDBs. This link has all the details: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/PDB-Type-Theft/ba-p/6801065#.Vhv2gPm6fmE
UPDATE: 10/22/2015: With the Microsoft patch day (2015-10-13) and KB3088195, symbols are available again. However, symbols for the broken version have not been provided, so the above may still be useful.