Update 2015-10-22:
On patch day Microsoft (2015-10-13) and KB3088195, characters are again available.
However, no symbols were provided for the broken version, so below may still be useful.
In the past, Microsoft has already published "good" characters for ntdll containing type information of type _TEB or _KPRCB . Starting in mid-July 2015, Microsoft still publishes characters for ntdll , but does not contain this information.
So it depends on the version of ntdll if you get type information or not. Old dumps that reference the old version of ntdll will load old PDBs containing type information, while new dumps refer to newer versions of ntdll , and WinDbg (or any other debugger) loads the PDB without type information.
Can Microsoft delete information like “good” characters retroactively, making them “bad”?
Yes. As described in this answer , there is a tool to remove type information from existing PDBs. Doing this and replacing the PDB will have this effect.
Can Microsoft publish a “good” version of those PDBs that are currently “bad”?
This is hard to say, because we don’t know if Microsoft retained a copy of the “good” version to replace the “bad” version on the character server with the “good” one. Restoring ntdll from the same source code and thus creating new PDB sounds is possible, but PDB gets a new timestamp and checksum. This can be fixed manually, especially Microsoft, as they need to know about the internal PDB format, but IMHO they are unlikely to do it. Everything can go wrong, and MS is unlikely to have tests to guarantee the correctness of such a thing.
So what can I do?
IMHO you can not do anything to really fix the situation.
It can be assumed that the types in ntdll not changed so much. This will allow you to take the older version of wntdll.pdb and the new version of ntdll.dll and apply ChkMatch -m to it. This will copy the timestamp and checksum from the DLL to the PDB. After you have done this (in an empty folder), replace the existing wntdll.pdb in the symbol directory with a hacked one.
WinDbg walkthrough (with reduced output to relevant things). I am using the latest version of wntdll.pdb that I could find on my PC.
WARNING: following these steps may correct the type information, but will likely destroy the correctness of the calls. Because any changes to the implementation (which are likely to be fixed from a security point of view) will change the method biases.
0:005> dt nt!_PEB ************************************************************************* *** *** *** Either you specified an unqualified symbol, or your debugger *** ... *** Type referenced: nt!_PEB *** *** *** ************************************************************************* Symbol nt!_PEB not found. 0:005> lm m ntdll start end module name 773f0000 77570000 ntdll (pdb symbols) e:\debug\symbols\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb 0:005> .shell cmd /c copy C:\Windows\SysWOW64\ntdll.dll e:\debug\temp\ntdllhack\ntdll.dll 1 file(s) copied. 0:005> .shell cmd /c copy "E:\Windows SDk\8.0\Debuggers\x86\sym\wntdll.pdb\B081677DFC724CC4AC53992627BEEA242\wntdll.pdb" e:\debug\temp\ntdllhack\wntdll.pdb 1 file(s) copied. 0:005> .shell cmd /c E:\debug\temp\ntdllhack\chkmatch.exe -m E:\debug\temp\ntdllhack\ntdll.dll E:\debug\temp\ntdllhack\wntdll.pdb ... Executable: E:\debug\temp\ntdllhack\ntdll.dll Debug info file: E:\debug\temp\ntdllhack\wntdll.pdb Executable: TimeDateStamp: 55a69e20 Debug info: 2 ( CodeView ) TimeStamp: 55a68c18 Characteristics: 0 MajorVer: 0 MinorVer: 0 Size: 35 RVA: 000e63e0 FileOffset: 000d67e0 CodeView format: RSDS Signature: {fa9c48f9-c11d-4e08-94b8-970decd92c97} Age: 2 PdbFile: wntdll.pdb Debug info: 10 ( Unknown ) TimeStamp: 55a68c18 Characteristics: 0 MajorVer: 565 MinorVer: 6526 Size: 4 RVA: 000e63dc FileOffset: 000d67dc Debug information file: Format: PDB 7.00 Signature: {b081677d-fc72-4cc4-ac53-992627beea24} Age: 4 Writing to the debug information file... Result: Success. 0:005> .shell cmd /c copy E:\debug\temp\ntdllhack\wntdll.pdb E:\debug\symbols\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb 1 file(s) copied. 0:005> .reload Reloading current modules ............................. 0:005> dt nt!_PEB ntdll!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar ... 0:005> !heap -s LFH Key : 0x219ab08b Termination on corruption : DISABLED Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast (k) (k) (k) (k) length blocks cont. heap ----------------------------------------------------------------------------- Virtual block: 00920000 - 00920000 (size 00000000) Virtual block: 02c60000 - 02c60000 (size 00000000) Virtual block: 02e10000 - 02e10000 (size 00000000) ...
Note: using ChkMatch similar to this has the advantage that you do not need to include .symopt- 100 , since this option will affect all PDB files, and you will not find potential other character problems. If you don't mind using .symopt , you can simply copy the old wntdll.pdb on top of the new one.