How to fix VB6 APPCRASH ntdll.dll error on make


Problem description

I am making an exe from an existing VB6 project. During Make, VB crashes with the following message

Visual Basic has stopped working

Problem Event Name: APPCRASH
Application Name: vb6.exe
Application Version: 6.0.97.82
Fault Module Name: ntdll.dll

Exception Code: c0000005

I am able to run the project from VB6 without any trouble. The problem occurs when I try to make the exe.

Please could you let me know what could be wrong?

Thanks!

Recommended answer

This all needs to be done on the computer with the fault. I cannot load my ntdll.dll as it is a different version and the addresses will be different to yours.

Download and install Debugging Tools for Windows

http://msdn.microsoft.com/en-us/windows/hardware/hh852363

Install the Windows SDK but just choose the debugging tools.

C:\

This allows WinDbg to get the symbols for your version of ntdll.dll. Start Windbg. File menu - Symbol File Path and enter

srv*C:\symbols*http://msdl.microsoft.com/download/symbols

Then

Open ntdll in WinDbg as a crashdump.

It will show the load address.

Type in WinDbg

ln <modloadaddress> + 7c911780 

This will give you the nearest symbol to the crash. It probably isn't useful but let's see.

You can also run VB6 under WinDbg (make sure WinDbg is run as admin). When you crash do a stack trace.

Also do an !Analyze when you crash. It is meant for blue screens but will give info on appcrash.

Type in the WinDbg command prompt

!analyze -v

-v stands for Verbose and if the crash was originated by a program, as opposed to hardware or a driver, it will appear in the middle of the listing.

For example

PROCESS_NAME: java.exe IMAGE_NAME: ntkrnlmp.exe

PROCESS_NAME only appears in the analyze -v output and only if a program originated the call that faulted.

WinDbg commands

Open as an executable.

windbg -o -g -G c:\windows\system32\cmd.exe /k batfile.bat

You can press F12 to stop it and kb will show the call stack (g continues the program). If there are errors it will also stop and show them.

There is a breakpoint after loading but before any code is run. Press g to continue. Likewise there is a breakpoint after all code has run but before it is unloaded.

Type lm to list loaded modules, x *!* to list the symbols and bp symbolname to set a breakpoint

If programming in VB6 then this environmental variable link=/pdb:none stores the symbols in the dll rather than separate files. Make sure you compile the program with No Optimisations and tick the box for Create Symbolic Debug Info. Both on the Compile tab in the Project's Properties.

Sample output from a nearest symbol search.

Loading Dump File [C:\Windows\System32\ntdll.dll]
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 4b280000 4b3f9000   C:\Windows\System32\ntdll.dll
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=4b280000 esp=00000000 ebp=00000000 iopl=0         nv up di pl nz na pe nc
cs=0000  ss=0000  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000
ntdll!__guard_fids_table (ntdll+0x0):
4b280000 4d              dec     ebp
0:000> ln 4b280000 + 65534
(4b2e5520)   ntdll!RtlInitializeBitMap+0x14   |  (4b2e5540)   ntdll!TpCallbackUnloadDllOnCompletion

Sample stack trace.

You follow what function called what functions. So you read it from the bottom up. It has the first 4 parameters that were passed to the function. You find the debugger starts additional threads so we need to find our program's one.

~

Lists all threads

~<threadid> e <command>

Do a KB on all threads until you find the main one.

0:004> ~0 e kb
ChildEBP RetAddr  Args to Child
04bdfc30 75ae325a 04bdfc70 00000000 00000000 USER32!NtUserGetMessage+0xc
04bdfc4c 00895eb6 04bdfc70 00000000 00000000 USER32!GetMessageW+0x2a
04bdfc8c 008a5b41 00890000 00000000 04e2336f notepad!WinMain+0xe6
04bdfd20 74ad3744 7f229000 74ad3720 10fde46e notepad!WinMainCRTStartup+0x151
04bdfd34 7755a064 7f229000 b0c1107f 00000000 KERNEL32!BaseThreadInitThunk+0x24
04bdfd7c 7755a02f ffffffff 7757d7c9 00000000 ntdll!__RtlUserThreadStart+0x2f
04bdfd8c 00000000 008a59f0 7f229000 00000000 ntdll!_RtlUserThreadStart+0x1b

Assume that 04bdfc70 is an HWnd. Which it is because the documentation says so. But assume it is an address of a string. This displays what is there.

ds 775a1300

or to look at the values

db 775a1300
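
The per-thread `kb` search described in the answer, as an added example that is not part of the original answer: it parses `~* kb` output, reports which threads contain a non-system module frame, and returns the call chain read from the bottom up. Thread 0 is the listing above; thread 4, the thread IDs and the system-module list are constructed assumptions.

```python
import re

# Constructed sample of `~* kb` output: thread 0 is the listing from the answer,
# thread 4 is an invented debugger break-in thread (IDs and addresses made up).
SAMPLE = """\
   0  Id: 1a2c.1b30 Suspend: 1 Teb: 7f22d000 Unfrozen
ChildEBP RetAddr  Args to Child
04bdfc30 75ae325a 04bdfc70 00000000 00000000 USER32!NtUserGetMessage+0xc
04bdfc4c 00895eb6 04bdfc70 00000000 00000000 USER32!GetMessageW+0x2a
04bdfc8c 008a5b41 00890000 00000000 04e2336f notepad!WinMain+0xe6
04bdfd20 74ad3744 7f229000 74ad3720 10fde46e notepad!WinMainCRTStartup+0x151
04bdfd34 7755a064 7f229000 b0c1107f 00000000 KERNEL32!BaseThreadInitThunk+0x24
04bdfd7c 7755a02f ffffffff 7757d7c9 00000000 ntdll!__RtlUserThreadStart+0x2f
04bdfd8c 00000000 008a59f0 7f229000 00000000 ntdll!_RtlUserThreadStart+0x1b
.  4  Id: 1a2c.0f44 Suspend: 1 Teb: 7f226000 Unfrozen
ChildEBP RetAddr  Args to Child
0563fb9c 775c2e4c 00000000 00000000 00000000 ntdll!DbgBreakPoint
0563fbcc 74ad3744 00000000 74ad3720 00000000 ntdll!DbgUiRemoteBreakin+0x3c
"""

THREAD = re.compile(r"^[.# ]\s*(\d+)\s+Id: ")
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ((?:[0-9a-f]{8} ){3})"
                   r"([^!\s]+)!([^+\s]+)(?:\+0x([0-9a-f]+))?\s*$")
SYSTEM = {"ntdll", "kernel32", "kernelbase", "user32"}  # assumed OS-module list

def parse_threads(text):
    """Map thread number -> frames, innermost first (the order kb prints)."""
    threads, current = {}, None
    for line in text.splitlines():
        if (t := THREAD.match(line)):
            current = threads.setdefault(int(t.group(1)), [])
        elif current is not None and (f := FRAME.match(line)):
            _ebp, _ret, args, module, func, disp = f.groups()
            current.append({"module": module, "func": func, "args": args.split(),
                            "offset": int(disp or "0", 16)})
    return threads

def call_chain(frames):
    """Caller-to-callee order, i.e. the listing read from the bottom up."""
    return [f"{fr['module']}!{fr['func']}" for fr in reversed(frames)]

def app_threads(threads):
    """Threads whose stack contains at least one non-system module frame."""
    return [n for n, frames in threads.items()
            if any(fr["module"].lower() not in SYSTEM for fr in frames)]
```
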
