How Can I Find the Code Executed at the Specified Offset in ucrtbase.dll?


Problem description


See this comment: Windows c++ service faulting on ucrtbase.dll when starting

(Duplicated from the Post)

ucrtbase + 7350e is the int 0x29 instruction in the CRT's abort function. This is the __fastfail intrinsic for a KERNEL_SECURITY_CHECK_FAILURE with the code FAST_FAIL_FATAL_APP_EXIT (7). The interrupt gets serviced by KiRaiseSecurityCheckFailure, which raises STATUS_STACK_BUFFER_OVERRUN (0xC0000409).

The information provided there is useful from a debugging perspective (well, academically useful; it's not the runtime's fault that an overflow has occurred, he's just the unlucky guy to report it). How was this user able to determine this?

I realize that some of the code to the C Language Runtime is provided but how do you transition from the offset to the source file?

I have a similar issue I am trying to track down here:

Fault Module Name:  ucrtbase.dll
Fault Module Version:   10.0.14393.2097
Fault Module Timestamp: 5a820a13
Exception Offset:   000000000006eabe
Exception Code: c0000409

I am looking for the code at ucrtbase + 6eade

Solution

It is possible to know the line where an application faulted even if it was not running under a debugger or a memory dump is not available. It probably won't tell you why it failed, but it will at least give you a point where to start investigating.

After the application failed, look at the Windows Event Logs for an entry like this:

"Faulting application yourapp.exe, version 1.0.0.0, time stamp 0x49e0238, faulting module yourmodule.dll, version 1.1.0.0, time stamp 0x09ec5a57, exception code 0xc0000005, fault offset 0x000000000051000e, process id 0x00, application start time 0x00."

Load the module that faulted using windbg.exe -z c:\yourmodule.dll (make sure you have symbols!). Then list the loaded modules (yourmodule.dll in this case):

0:000> lm
start             end                 module name
00000000`00300000 00000000`00425000   yourmodule    (private pdb symbols)  c:\yourmodule.pdb

Find the line where it crashed by adding the 'fault offset' reported in the event viewer to the 'start' address of your module:

0:000> ln 300000+5100e
c:\sources\myclass.cpp(130)+0x14

If your symbols don’t match exactly the module that is in production, you can try in windbg the command ‘.symopt +0x40’; it will make it less restrictive.
