• Some notes on loading symbols in WinDBG


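    It is painful when WinDBG cannot load symbols: the symbol path has clearly been set, yet breakpoints still cannot be placed. Straight to the point:

    Symptom: the symbols fail to load and the breakpoints never trigger.

    1. Check that sympath is correct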

    kd> .sympath
    Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;C:\Windows\symbols;D:\VSSDataBase\TrueCrypt\Driver\obj_driver_debug\i386
    Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;c:\windows\symbols;d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386

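    In my earlier attempts I assumed it mattered a great deal whether the symbol path came first or last in the list. But the paths are searched one after another, so as long as the lookup succeeds, the order of the paths and the location of the symbol file make no difference.

    The difference between srv* and ; : an entry prefixed with srv* is looked up on a symbol server, while a plain entry separated by ; is searched as a local path. On a single machine the two amount to the same thing.

    2. Use !lmi truecrypt to look up the module information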

    kd> !lmi truecrypt
    Loaded Module Info: [truecrypt] 
             Module: truecrypt
       Base Address: ee21b000
         Image Name: truecrypt.sys
       Machine Type: 332 (I386)
         Time Stamp: 4d889673 Tue Mar 22 20:30:43 2011
               Size: 4ef80
           CheckSum: 55776
    Characteristics: 102  
    Debug Data Dirs: Type  Size     VA  Pointer
                 CODEVIEW    5c, 43fc8,   43fc8 RSDS - GUID: {1B9489BA-E47D-4E48-89EB-D0CB60055F22}
                   Age: 1, Pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
         Image Type: MEMORY   - Image read successfully from loaded memory.
        Symbol Type: EXPORT   - PDB not found
        Load Report: export symbols



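    Symbol Type: EXPORT   - PDB not found means the symbol file was not found.
    Export: no symbol file was found, so the export information of the image file (such as a DLL's exports) is used as symbols.

    3. Check the details of symbol loading

    !sym noisy
    Makes WinDbg show the paths it tries while loading symbol files; by default they are not shown. For example:
    SYMSRV:  无法与服务器建立连接  (a connection to the server could not be established)
    SYMSRV:  c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
    !sym quiet
    Does not show the paths:
    SYMSRV: truecrypt.pdb not found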

    kd> !sym noisy
    noisy mode - symbol prompts on

    kd> .reload /f truecrypt.sys
    SYMSRV: 无法与服务器建立连接
    SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
    SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
    DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb - mismatched pdb
    DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\sys\truecrypt.pdb - file not found
    DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\symbols\sys\truecrypt.pdb - file not found
    SYMSRV: 无法与服务器建立连接
    SYMSRV: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
    SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found
    SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
    DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb - mismatched pdb
    DBGHELP: Couldn't load mismatched pdb for truecrypt.sys
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for truecrypt.sys -
    DBGHELP: truecrypt - export symbols


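    Note the "mismatched pdb" line above: the location of the symbol file is correct and the file was found, yet the result is mismatched pdb. So I deleted the contents of the debug directory, rebuilt, and copied the output into the virtual machine. The result was the same: still mismatched pdb.

    4. Compare the module details

    !IToldYouSo tests the validity of a module against a symbol file. The module can be specified by either its name or base address. If a symbol file is not specified, then the loaded symbol is tested.
    Otherwise, if a pdb or dbg symbol file path is specified, it is tested against the loaded module.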

    kd> !itoldyouso truecrypt d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb

    truecrypt.sys
        Timestamp: 4D889673
      SizeOfImage: 4EF80
              pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
          pdb sig: 1B9489BA-E47D-4E48-89EB-D0CB60055F22
              age: 1

    truecrypt.pdb
          pdb sig: 329A35FA-70B8-4A97-BB0E-99BA6342AB6A
              age: 1

    sig MISMATCH: truecrypt.pdb and truecrypt.sys



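    The signatures differ, which means the driver loaded in my virtual machine does not match the symbol file I rebuilt. On checking, I found that the truecrypt.sys loaded when truecrypt.exe starts is not the one under C:\Windows\System32\Drivers,
    but the one in truecrypt.exe's own installation directory. After replacing that file, the symbols loaded successfully,
    as shown below: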

    kd> !lmi truecrypt
    Loaded Module Info: [truecrypt] 
             Module: truecrypt
       Base Address: ee1ef000
         Image Name: truecrypt.sys
       Machine Type: 332 (I386)
         Time Stamp: 4d8c8e61 Fri Mar 25 20:45:21 2011
               Size: 4f180
           CheckSum: 5b7fa
    Characteristics: 102  
    Debug Data Dirs: Type  Size     VA  Pointer
                 CODEVIEW    5c, 44148,   44148 RSDS - GUID: {160409E4-8EFC-4412-B760-4E9BF8F1A05A}
                   Age: 1, Pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
         Image Type: MEMORY   - Image read successfully from loaded memory.
        Symbol Type: PDB      - Symbols loaded successfully from symbol search path.
                     d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
           Compiler: Resource - front end [0.0 bld 0] - back end [9.0 bld 30729]
        Load Report: private symbols & lines, not source indexed 
                     d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
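
    The signature comparison that !itoldyouso performs can also be done offline against each copy of a driver on disk, which is how a stale copy in another directory shows up. The following is an added example, not part of the original post: it reads the RSDS CodeView record, rebuilds the symbol-store key seen in the SYMSRV lines, and compares it with a PDB signature. The function names, the RSDS scan shortcut and the sample PDB path are assumptions made for illustration.

```python
import struct
import uuid

def codeview_info(image: bytes):
    """Return (guid, age, pdb_path) from the first RSDS CodeView record.

    Scanning for the 'RSDS' marker is a shortcut assumed for this example;
    a full tool would walk the PE debug directory instead.
    """
    pos = image.find(b"RSDS")
    if pos < 0:
        raise ValueError("no RSDS CodeView record found")
    # The GUID is stored in mixed-endian (little-endian field) layout.
    guid = uuid.UUID(bytes_le=image[pos + 4:pos + 20])
    (age,) = struct.unpack_from("<I", image, pos + 20)
    end = image.index(b"\0", pos + 24)  # PDB path is NUL-terminated
    return guid, age, image[pos + 24:end].decode("utf-8", "replace")

def symsrv_key(guid: uuid.UUID, age: int) -> str:
    """Symbol-store directory name: 32 GUID hex digits followed by age in hex."""
    return f"{guid.hex.upper()}{age:X}"

def symsrv_relpath(guid: uuid.UUID, age: int, pdb_path: str) -> str:
    """Relative path a symbol server is asked for: name/key/name."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{name}/{symsrv_key(guid, age)}/{name}"

def matches(image: bytes, pdb_guid: str, pdb_age: int) -> bool:
    """True when the image's RSDS signature and age equal the PDB's."""
    guid, age, _ = codeview_info(image)
    return guid == uuid.UUID(pdb_guid) and age == pdb_age

def make_sample(guid_str: str, age: int, pdb_path: str) -> bytes:
    """Constructed sample: padding plus one RSDS record, not a real driver."""
    rec = b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age)
    return b"\0" * 64 + rec + pdb_path.encode() + b"\0"

if __name__ == "__main__":
    # GUIDs are the two signatures from the !itoldyouso output above;
    # the PDB path is a constructed placeholder.
    stale = make_sample("1B9489BA-E47D-4E48-89EB-D0CB60055F22", 1,
                        r"d:\build\truecrypt.pdb")
    g, a, p = codeview_info(stale)
    print(symsrv_relpath(g, a, p))
    print("matches rebuilt PDB:",
          matches(stale, "329A35FA-70B8-4A97-BB0E-99BA6342AB6A", 1))
```

    To check real files, pass the bytes of each truecrypt.sys copy to codeview_info and compare the result with the pdb sig that !itoldyouso prints for the PDB.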

  • Original post: https://www.cnblogs.com/YaoHearthStone/p/3477270.html