WinDBG无法加载符号表是很痛苦的事情,明明符号表的路径已经加载进去了,可是还是无法加断点,下面直接进入主题:
符号表无法加载,无法触发断点。
1、检查sympath是否正确
kd> .sympath
Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;C:Windowssymbols;D:VSSDataBaseTrueCryptDriverobj_driver_debugi386
Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;c:windowssymbols;d:vssdatabase ruecryptdriverobj_driver_debugi386
之前的尝试,以为符号表的路径在前面和在后面关系很大,毕竟是依次查找路径的嘛,只要查找正确了,路径前后和符号表在什么位置又有什么关系呢。
src*与;之前的区别:src*是符号表服务器上找,而;是去本地路径上去找,对于一台机子来说就一样的。
2、!lmi truecrypt查找相应的模块信息
kd> !lmi truecrypt
Loaded Module Info: [truecrypt]
Module: truecrypt
Base Address: ee21b000
Image Name: truecrypt.sys
Machine Type: 332 (I386)
Time Stamp: 4d889673 Tue Mar 22 20:30:43 2011
Size: 4ef80
CheckSum: 55776
Characteristics: 102
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 5c, 43fc8, 43fc8 RSDS - GUID: {1B9489BA-E47D-4E48-89EB-D0CB60055F22}
Age: 1, Pdb: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: EXPORT - PDB not found
Load Report: export symbols
Symbol Type: EXPORT - PDB not found 符号表没有找到
Export
没有发现符号文件,使用映像文件的输出信息(如DLL的Export)作为符号
3、检查符号表加载详细情况
!sym noisy
当Windbg加载Symbol文件的时候,显示Symbol的路径,默认情况下是不显示的。
YMSRV: 无法与服务器建立连接
SYMSRV: c:windowssymbols ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found
!sym quiet 不显示路径
SYMSRV: truecrypt.pdb not found
kd> !sym noisy
noisy mode - symbol prompts on
kd> .reload /f truecrypt.sys
SYMSRV: 无法与服务器建立连接
SYMSRV: c:windowssymbols ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb - mismatched pdb
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386sys ruecrypt.pdb - file not found
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386symbolssys ruecrypt.pdb - file not found
SYMSRV: 无法与服务器建立连接
SYMSRV: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found
SYMSRV: c:windowssymbols ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb - mismatched pdb
DBGHELP: Couldn't load mismatched pdb for truecrypt.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for truecrypt.sys -
DBGHELP: truecrypt - export symbols
注意上面那一行,符号表的位置是正确的,也找对了,但是结果却是mismatched pdb,于是我就将debug目录下内容,删除后重新生成,并拷贝到虚拟机里,结果仍然是一样的,
仍然是mismatched pdb。
4、模块详情对照
!IToldYouSo tests the validity of a module against a symbol file.The module can be specified by either its name or base address.If a symbol file is not specified, then the loaded symbol is tested.
Otherwise, if a pdb or dbg symbol file path is specified, it is tested against the loaded module.
kd> !itoldyouso truecrypt d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb
truecrypt.sys
Timestamp: 4D889673
SizeOfImage: 4EF80
pdb: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb
pdb sig: 1B9489BA-E47D-4E48-89EB-D0CB60055F22
age: 1
truecrypt.pdb
pdb sig: 329A35FA-70B8-4A97-BB0E-99BA6342AB6A
age: 1
sig MISMATCH: truecrypt.pdb and truecrypt.sys
签名不一样,结果说明我虚拟机里装载的驱动和我重新生成的符号表不一致。经过检查发现,truecrypt.exe启动时候装载的truecrypt.sys并不是在C:WindowsSystem32Drivers下面,
而是在truecrypt.exe本身的安装目录下,替换之后,已经能够成功装载符号表了。
如下:
kd> !lmi truecrypt
Loaded Module Info: [truecrypt]
Module: truecrypt
Base Address: ee1ef000
Image Name: truecrypt.sys
Machine Type: 332 (I386)
Time Stamp: 4d8c8e61 Fri Mar 25 20:45:21 2011
Size: 4f180
CheckSum: 5b7fa
Characteristics: 102
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 5c, 44148, 44148 RSDS - GUID: {160409E4-8EFC-4412-B760-4E9BF8F1A05A}
Age: 1, Pdb: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from symbol search path.
d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb
Compiler: Resource - front end [0.0 bld 0] - back end [9.0 bld 30729]
Load Report: private symbols & lines, not source indexed
d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb