如何在minidump中更改模块的校验和？ [英] How can I change a module's checksum in a minidump?

问题描述

我写（和销售）的软件在发布之前经过压缩和加密。每次我发布一个新的构建，我保留所有.map文件和生成的二进制文件包括exe之前，它是压缩和加密。

The software that I write (and sell) is compressed and encrypted before I distribute it. Everytime I release a new build, I keep all the .map files and the generated binaries including the exe before it is compressed and encrypted.

当它崩溃在客户端的机器我得到一个minidump回来。我在Visual Studio中打开这些minidump并在那里探索它们。

When it crashes on a client's machine I get a minidump back. I open these minidumps in Visual Studio and explore them there.

我通过搜索.map文件中的地址，很好地利用了这些minidumps。这通常会让我在正确的代码区域，我一般可以解释为什么崩溃发生并修复它，但这是非常耗时。

I have made good use of these minidumps by searching for addresses in the .map files. This will typically get me in the correct area of the code and I can generally reason about why the crash occured and fix it but this is VERY time consuming.

如果我可以使用我从原始版本中保存的符号在minidump的调试中有用。

It would be helpful if I could use the symbols that I saved from the original build in the debugging of the minidump.

我的问题是，我收到关于无法找到正确的警告符号。我的研究导致我相信，这是因为exe在客户端的机器上的校验和不匹配Visual Studio构建的exe的校验和。我明白为什么，它已经压缩和encypted。当然校验和不匹配。

My problem is that I get warnings about being unable to find the right symbols. My research leads me to believe that this is because the checksum of the exe on the client's machine does not match the checksum of the exe that Visual Studio built. And I understand why, it has been compressed and encypted. Of course the checksums don't match.

我想我可以手动编辑minidump或更改保存的二进制文件的校验和，以匹配可分发的校验和。我更喜欢操作存储的副本，所以我不必修改每个转储进来，但我是estatic与任何一个。

I figure I can manually edit the minidump or change the checksum of the saved binaries to match the checksum of the distributable. I would prefer to manipulate the stored copies so I don't have to modify every dump that comes in, but I'd be estatic with either.

所以，我的问题是：我如何找到这些校验和，找出我应该替换它们？作为一个辅助问题：有更好的方法吗？

So, my question is: How can I locate these checksums and figure out what I should replace them with? As an auxiliary question: Is there a better way?

推荐答案

不知道你是如何压缩和加密你的二进制文件，对我来说非常具体。

Without knowing how exactly you are compressing and encrypting your binaries, it's hard for me to be very specific.

这博客文章由John Robbins指出，可执行映像通过嵌入在其中的GUID与其PDB相关联可执行文件的PE头。您应该能够通过在可执行文件上运行DUMPBIN / HEADERS并查找Debug目录的输出来查看它。如果你的压缩和加密修改了PE头文件，使这些信息不可用（或正确），那么它将解释你的调试器为什么找不到任何东西。

This blog post by John Robbins points out that executable images are associated with their PDBs via a GUID that's embedded in the executable's PE header. You should be able to view it by running DUMPBIN /HEADERS on the executable, and looking for the output of Debug Directories. If your compression and encryption has modified the PE headers such that this information isn't available (or correct), then it would explain why your debugger can't find anything.

有几种方法，我认为你可以采取解决这个问题。要真正尝试让这个工作，你可能想考虑使用WinDbg而不是Visual Studio调试器。你会明白我为什么我建议这一刻...

There are a few approaches that I think that you could take to resolve this issue. To really try to get this to work, you might want to consider using WinDbg instead of the Visual Studio debugger. You'll understand why I am recommending this in a moment...

WinDbg提供了一些选项，允许放松加载符号文件。使用此选项的想法是，如果源代码没有更改，但二进制文件来自与PDB不同的构建，则可以放弃GUID检查，并加载不匹配的符号文件。我不知道这将与你的压缩和加密如何工作，所以YMMV。

WinDbg provides some options that allow the relaxed loading of symbol files. The idea with this option is that, if the source code hasn't changed but the binaries are from a different build than the PDB, the GUID check can be waived and the mismatched symbol file can be loaded. I don't know how well this will work with your compression and encryption, so YMMV.

WinDbg及其附带的工具可以用于从可执行文件和PDB，但我现在省略，因为我希望这些步骤不是必要的。

WinDbg and its accompanying tools can be used to dump the GUID from both the executable and the PDB, but I'm omitting that for now because I am hoping that those steps won't be necessary.

在WinDbg中打开你的minidump后，需要在命令行中输入几个命令才能使这一切正常工作：

After you have opened your minidump in WinDbg, you will need to enter several commands into the command line to get this all to work:

.symopt +0x40
!sym noisy
ld <exe name>

第一个命令启用 SYMOPT_LOAD_ANYTHING 选项跳过GUID检查。 ！sym 命令启用符号加载的详细输出，以便您可以看到更详细的错误消息。 ld 命令指示WinDbg尝试加载要在< exe name> 。如果你重复 ld 命令，WinDbg将指示它是否成功加载符号第一次。

The first command enables the SYMOPT_LOAD_ANYTHING option that skips the GUID check. The !sym command enables verbose output for symbol loading so that you may see more detailed error messages. The ld command directs WinDbg to try to load the symbols for the executable name that you will type in the place of <exe name>. If you repeat the ld command, WinDbg will indicate if it successfully loaded the symbols the first time.

希望这个帮助 - 再次，我不知道这将与您的压缩和加密，将是如何工作，但它是值得尝试。

Hopefully this helps -- again, I don't know how well this will work with your compression and encryption, but it's worth trying.

这篇关于如何在minidump中更改模块的校验和？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！