• windbg自行下载的sos.dll存放路径“..SOS_x86_x86_4.7.3132.00.dll5B5543296ee000”里的“5B5543296ee000”是什么?


    问题的引出

    我在调试某个崩溃问题时,要跟踪clr的栈,于是,我先执行了指令.loadby sos clrjit,没有报错,然后我又执行!clrstack,结果却有如下输出:
    0:000:x86> !clrstack
    CLRDLL: Consider using ".cordll -lp <path>" command to specify .NET runtime directory.
    Failed to load data access DLL, 0x80004005
    Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
                2) the file mscordacwks.dll that matches your version of clr.dll is
                    in the version directory or on the symbol path
                3) or, if you are debugging a dump file, verify that the file
                    mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
                4) you are debugging on supported cross platform architecture as
                    the dump file. For example, an ARM dump file must be debugged
                    on an X86 or an ARM machine; an AMD64 dump file must be
                    debugged on an AMD64 machine.

    You can also run the debugger command .cordll to control the debugger's
    load of mscordacwks.dll.  .cordll -ve -u -l will do a verbose reload.
    If that succeeds, the SOS command should work on retry.

    If you are debugging a minidump, you need to make sure that your executable
    path is pointing to clr.dll as well.
    也就是说执行失败了,看不了栈,根据输出建议执行.cordll -ve -u -l,有如下输出
    0:000:x86> .cordll -ve -u -l
    CLRDLL: C:WindowsMicrosoft.NETFrameworkv4.0.30319mscordacwks.dll:4.8.4042.00 f:8
    doesn't match desired version 4.7.3132.00 f:8
    CLRDLL: Unable to find mscordacwks_x86_x86_4.7.3132.00.dll by mscorwks search
    CLRDLL: Unable to find 'mscordacwks_x86_x86_4.7.3132.00.dll' on the path
    CLRDLL: Unable to get version info for 'f:debug_symbolsymbols32clr.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll', Win32 error 0n87
    Cannot Automatically load SOS
    CLRDLL: ERROR: Unable to load DLL mscordacwks_x86_x86_4.7.3132.00.dll, Win32 error 0n87
    CLRDLL: Consider using ".cordll -lp <path>" command to specify .NET runtime directory.
    CLR DLL status: ERROR: Unable to load DLL mscordacwks_x86_x86_4.7.3132.00.dll, Win32 error 0n87
    傻子都知道发生了什么问题,就是没有“mscordacwks_x86_x86_4.7.3132.00.dll”和"SOS_x86_x86_4.7.3132.00.dll",由于我机子是联网的,也配好了windows符号服务器,应该说在上面的过程中应该已经下载下来了,现在没有,只能是到出问题的机器上考这两个文件了。

    考了这两个文件,按理说我可以放在任何目录,可是我想放载windbg设置的符号目录,于是我将考过来的"mscordacwks.dll"和"SOS.dll"改名为“mscordacwks_x86_x86_4.7.3132.00.dll”和"SOS_x86_x86_4.7.3132.00.dll",然后在windbg设置的符号目录下以这两个文件名新建两个子文件夹,把这两个文件分别考到对应的子文件夹,在次执行 .cordll -ve -u -l,跟上次输出一样,我看了下之前Windbg自行下载的其他版本的目录,发现,在还有一级目录,如下:

    也就是说,我也还要需要在建立一级子目录,可是这个目录名称我该用什么呢,瞎折腾一阵,我后来注意到 .cordll -ve -u -l的输出有这么一句:

    0:000:x86> .cordll -ve -u -l
    CLRDLL: C:WindowsMicrosoft.NETFrameworkv4.0.30319mscordacwks.dll:4.8.4042.00 f:8
    doesn't match desired version 4.7.3132.00 f:8
    CLRDLL: Unable to find mscordacwks_x86_x86_4.7.3132.00.dll by mscorwks search
    CLRDLL: Unable to find 'mscordacwks_x86_x86_4.7.3132.00.dll' on the path
    CLRDLL: Unable to get version info for 'f:debug_symbolsymbols32clr.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll', Win32 error 0n87
    Cannot Automatically load SOS
    CLRDLL: ERROR: Unable to load DLL mscordacwks_x86_x86_4.7.3132.00.dll, Win32 error 0n87
    CLRDLL: Consider using ".cordll -lp <path>" command to specify .NET runtime directory.
    CLR DLL status: ERROR: Unable to load DLL mscordacwks_x86_x86_4.7.3132.00.dll, Win32 error 0n87

    “CLRDLL: Unable to get version info for 'f:debug_symbolsymbols32clr.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll"这里有个”5B5543296ee000“,于是我也在对应的目录下建立子文件夹”5B5543296ee000“,然后把两个文件考进去,再次执行.cordll -ve -u -l

     0:000:x86> .cordll -ve -u -l
    CLRDLL: C:WindowsMicrosoft.NETFrameworkv4.0.30319mscordacwks.dll:4.8.4042.00 f:8
    doesn't match desired version 4.7.3132.00 f:8
    SYMSRV:  BYINDEX: 0x36
             f:debug_symbolsymbols32
             mscordacwks_x86_x86_4.7.3132.00.dll
             5B5543296ee000
    SYMSRV:  PATH: f:debug_symbolsymbols32mscordacwks_x86_x86_4.7.3132.00.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll
    SYMSRV:  RESULT: 0x00000000
    DBGHELP: f:debug_symbolsymbols32mscordacwks_x86_x86_4.7.3132.00.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll - OK
    CLRDLL: Loaded DLL f:debug_symbolsymbols32mscordacwks_x86_x86_4.7.3132.00.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll
    SYMSRV:  BYINDEX: 0x37
             f:debug_symbolsymbols32
             SOS_x86_x86_4.7.3132.00.dll
             5B5543296ee000
    SYMSRV:  PATH: f:debug_symbolsymbols32SOS_x86_x86_4.7.3132.00.dll5B5543296ee000SOS_x86_x86_4.7.3132.00.dll
    SYMSRV:  RESULT: 0x00000000
    DBGHELP: f:debug_symbolsymbols32SOS_x86_x86_4.7.3132.00.dll5B5543296ee000SOS_x86_x86_4.7.3132.00.dll - OK
    Automatically loaded SOS Extension
    CLR DLL status: Loaded DLL f:debug_symbolsymbols32mscordacwks_x86_x86_4.7.3132.00.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll
    也就是加载成功了。

    问题---“5B5543296ee000”文件夹名称是怎么来的?

    加载成功,那么问题也随之而来---““5B5543296ee000”文件夹名称是怎么来的?”。

    我注意到前面失败时的输出信息里:

    “CLRDLL: Unable to get version info for 'f:debug_symbolsymbols32clr.dll5B5543296ee000mscordacwks_x86_x86_4.7.3132.00.dll"

    对,还是这句话,不过这次的信息的重点不是“5B5543296ee000”,而是上面标粗的"clr.dll"了,它们能放在一起,说明一点:“5B5543296ee000”和“clr.dll”有关。

    打开对应目录

    查看下这个文件的属性

     处了版本是一样外,没有获得其他信息,后来我想到“5B5543296ee000”是不是跟一些PE信息有关呢?

    打开命令行,定位到clr.dll的目录,执行“dumpbin /headers clr.dll

    我注意到,在PE的FILE_HEADER里image timestamp的值为0x5B554329,在OPTIONAL HEADER里image size的值是0x6EE000,这两个值拼接在一起就是“5B5543296ee000”。

    验证结论

    我们上面的结论是对的吗?只能是在找一个相同结论的例子就可以,我找了之前windbg自行下载的

    拿“”搜索,可以看到

    也是这样的存储结构

    dumpbin下clr.dll

    根据之前的计算方式image timestamp和image size拼接为“5D490E656ef000”,完全正确,说明上面我们得出的结论完全正确

  • 相关阅读:
    ORM是什么?及ORM框架是什么?
    Spring与其两大核心
    装箱和拆箱
    ==和equals的比较
    Vue中ESlint配置文件eslintrc.js文件详解
    RESTful API规范
    CORS跨域djangosetting.py 配置
    LDAP
    模拟浏览器发送请求报文
    学HTTP协议所要知道的基础知识(微总结)
  • 原文地址:https://www.cnblogs.com/yilang/p/11989327.html
Copyright © 2020-2023  润新知