How to keep source code information in generated PDB files?

We use SmartAssembly to add CrashReporting to our software.
We also have a watchdog which monitors the application, to be able to diagnose deadlocks.
If the application/ui is unresponsive for too long, the watchdog will create a minidump and send it to us.

Our application is built by a Build Server which saves all the PDBs on a network share.
We have added this network share as a Symbols location in Visual Studio.
When we analyze a mini dump, we simply open it in Visual Studio and start "debugging". Visual Studio will then load the needed symbol files from the network share.

If information about the source code is included in the PDBs, Visual Studio will then directly show the source code from which the assemblies were compiled.

But if we use SmartAssembly to add the CrashReporting and generate new PDBs there is no information about the source code in the PDBs.

We have tried two options for including source information in PDBs:
1. SourceLink
  This will add a mapping between source code paths and a URL, which is then used to retrieve the source code.
  After compiling the pdb includes a CustomDebugInformation entry for the SourceLink information.
  But after we run SmartAssembly the CustomDebugInformation entry is missing.
 

2. EmbedAllSources
  For this we only need to add "<EmbedAllSources>True</EmbedAllSources>" into a PropertyGroup of the project file.
  This will, as the name says, embed all the source files in the PDB.
  After compiling, the PDB includes CustomDebugInformation entries for each source file, and the content of the source files is stored as blobs.
 
  
  But after running SmartAssembly the CustomDebugInformation entries and blobs are missing. 
  

Is there any way to keep the information about the source code when using Smart Assembly?

At the moment we need to manually locate the binaries used to generate the mini dump and use a decompiler to be able to debug.
This adds complexity to our process and does not always work because some assemblies just cannot be decompiled correctly.
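
A build-pipeline check for the symptom described in the question, as an added example that is not part of the original post or any Redgate code: it reads the #GUID heap of a Portable PDB and reports whether the SourceLink and Embedded Source CustomDebugInformation kinds are present, so a PDB can be compared before and after SmartAssembly. It assumes Portable PDBs (Windows/MSF PDBs are rejected), the function names and the sample input are constructed for illustration, and it inspects only the heap where the kind GUIDs live, not the table rows themselves.

```python
import struct
import sys
import uuid

# CustomDebugInformation "Kind" GUIDs from the Portable PDB specification.
CDI_KINDS = {
    "SourceLink": uuid.UUID("CC110556-A091-4D38-9FEC-25AB9A351A6A"),
    "EmbeddedSource": uuid.UUID("0E8A571B-6926-466E-B4AD-8AB04611F5FE"),
}

def guid_heap(pdb: bytes) -> bytes:
    """Return the raw #GUID heap from the ECMA-335 metadata root of a Portable PDB."""
    if pdb[:4] != b"BSJB":
        raise ValueError("not a Portable PDB (Windows/MSF PDBs are not handled)")
    (ver_len,) = struct.unpack_from("<I", pdb, 12)
    pos = 16 + ver_len                                   # skip padded version string
    (n_streams,) = struct.unpack_from("<H", pdb, pos + 2)  # follows 2-byte flags
    pos += 4
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", pdb, pos)
        end = pdb.index(b"\0", pos + 8)
        name = pdb[pos + 8:end].decode("ascii")
        name_len = end - (pos + 8) + 1                   # name plus NUL terminator
        pos += 8 + ((name_len + 3) & ~3)                 # names are padded to 4 bytes
        if name == "#GUID":
            return pdb[offset:offset + size]
    return b""

def source_info_kinds(pdb: bytes) -> set:
    """Names of the source-information kinds whose GUID is present in the heap."""
    heap = guid_heap(pdb)
    present = {heap[i:i + 16] for i in range(0, len(heap) - 15, 16)}
    # The heap stores GUIDs in .NET byte order, which is uuid.bytes_le in Python.
    return {name for name, g in CDI_KINDS.items() if g.bytes_le in present}

def sample_pdb(kinds) -> bytes:
    """Constructed input: a metadata root holding only a #GUID stream (not a full PDB)."""
    heap = b"".join(CDI_KINDS[k].bytes_le for k in kinds)
    version = b"PDB v1.0".ljust(12, b"\0")
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    root += struct.pack("<HH", 0, 1)                     # flags, stream count
    name = b"#GUID\0\0\0"
    offset = len(root) + 8 + len(name)
    return root + struct.pack("<II", offset, len(heap)) + name + heap

if __name__ == "__main__":
    for path in sys.argv[1:]:                            # e.g. the PDB before and after processing
        with open(path, "rb") as fh:
            print(path, sorted(source_info_kinds(fh.read())) or "no source information")
```
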

Answers

  • Hello 4hV5t4r4xT,

    Thank you for your question. Please can you verify, in your SA project, do you have 'I want to generate the debugging information.' enabled?
    Kind regards
    Peter Laws | Redgate Software
    Have you visited our Help Center?
  • 4hV5t4r4xT Posts: 3 New member
    Hi @Peter_Laws,

    Yes, the "I want to generate the debugging information." option is enabled.

    The other enabled feature of SmartAssembly is the "Automated Error Reporting".


  • My apologies, first time around I missed you were using SourceLink. I'm afraid that the metadata SourceLink uses will not survive the build process. The intention behind this behaviour, when Smart Assembly was written, was that such data could be identifying and may aid an attacker in reverse engineering efforts.
    Kind regards
    Peter Laws | Redgate Software
  • 4hV5t4r4xT Posts: 3 New member

    How would these entries in the pdb files (which are not distributed to customers) help attackers to reverse engineer software?
    Even if we would distribute the pdb files when using source link, the only info the attacker would gain is a URL to the repository, which is only accessible from the company network.
    I think it would be way more efficient for an attacker to simply use a decompiler. (At least if the assembly has not been obfuscated.)

    Are there any plans to support source link or embedded sources?
    Or are there any alternative workflows for debugging you support?
  • That was poorly worded of me, I was referring to the SourceLink metadata, not the pdb files, for as you say, that's not a consideration.

    The last time we discussed it internally there was minimal request for SourceLink from the customer base so it's not presently being considered I'm afraid.

    Sadly, based on what you've shared, it appears the only way to achieve what you want with our tool is indeed the manual association you're already performing. I'm sorry, our tool might not be the best fit for your workflow.
    Kind regards
    Peter Laws | Redgate Software