ntdll module not loading correctly in windbg, but why?


Question

I've used windbg for user mode debugging before, but I suspect I did something to my system because I don't recall having a problem using for example the extension command !heap before.

I can clearly see ntdll is a loaded module:

0:001> lmvm ntdll
start    end        module name
77760000 778e0000   ntdll      (pdb symbols)          C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb
    Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
    Image path: C:\Windows\SysWOW64\ntdll.dll
    Image name: ntdll.dll
    Timestamp:        Wed Jul 15 13:53:36 2015 (55A69E20)
    CheckSum:         00142A8B
    ImageSize:        00180000
    File version:     6.1.7601.18933
    Product version:  6.1.7601.18933
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntdll.dll
    OriginalFilename: ntdll.dll
    ProductVersion:   6.1.7601.18933
    FileVersion:      6.1.7601.18933 (win7sp1_gdr.150715-0600)
    FileDescription:  NT Layer DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

0:001> !chksym ntdll

C:\Windows\SysWOW64\ntdll.dll
    Timestamp: 55A69E20
  SizeOfImage: 180000
          pdb: wntdll.pdb
      pdb sig: FA9C48F9-C11D-4E08-94B8-970DECD92C97
          age: 2

Loaded pdb is C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb

wntdll.pdb
      pdb sig: FA9C48F9-C11D-4E08-94B8-970DECD92C97
          age: 2

MATCH: wntdll.pdb and C:\Windows\SysWOW64\ntdll.dll

When I try to use my heap extension, I get:

0:001> !heap -stat
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***

.symopt- 100 doesn't help.

and if I try to use the critical section extension I get a similar error:

Bad symbols for NTDLL (error 3). Aborting.

I've read this can occur if you have a mismatch between 32 and 64 bit, or if you simply don't have symbols properly set up in the first place, but I've used .symfix and can force my symbols to reload with .reload /f. I'm using the x86 debugger on an x86 process or a 32-bit dump, so I don't see how those issues are at play.

I've started fresh and uninstalled windbg completely and reinstalled the debugging tools for windows from MSDN and still run into the same issue. Surely I'm missing something obvious?

Recommended answer

MS is getting rid of all type information in the latest Windows 7 PDBs. This breaks !heap. Here's a twitter conversation about it started by Alex Ionescu, a co-author of "Windows Internals, Sixth Edition": https://twitter.com/aionescu/status/634028737458114560

UPDATE: 10/12/2015: Possible workaround using the PDB Type Theft Python script, which copies type information from one PDB to another. The usage would be to copy the type information from an older PDB that has the type information that was removed in later PDBs. This link has all the details: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/PDB-Type-Theft/ba-p/6801065#.Vhv2gPm6fmE

UPDATE: 10/22/2015: With the Microsoft patch day (2015-10-13) and KB3088195, symbols are available again. However, symbols for the broken version have not been provided, so the above may still be useful.
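Added example, not from the question or the answer above: a small Python reader that parses a PDB's MSF 7.0 container and counts the records in its TPI (type information) stream, which is the quickest way to tell whether a downloaded wntdll.pdb still carries the types that `!heap` needs (such as `ntdll!_PEB`) even though `!chksym` reports a MATCH. `build_sample_pdb` is a constructed minimal MSF image for offline testing and is not a real ntdll PDB; the function and stream names are this example's own.

```python
import struct

MSF_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"
TPI_STREAM = 2  # the TPI (type information) stream is always stream 2 of a PDB

def _read_stream(data, block_size, blocks, size):
    """Concatenate the blocks of one MSF stream and trim it to its byte size."""
    return b"".join(data[b * block_size:(b + 1) * block_size] for b in blocks)[:size]

def count_types(pdb):
    """Return the number of type records in a PDB image (bytes of the whole file)."""
    if not pdb.startswith(MSF_MAGIC):
        raise ValueError("not an MSF 7.0 PDB")
    block_size, _, _, dir_bytes, _, dir_map = struct.unpack_from("<6I", pdb, 32)
    nblocks = lambda n: 0 if n == 0xFFFFFFFF else (n + block_size - 1) // block_size
    # the superblock names a block that lists the blocks holding the stream directory
    dir_blocks = struct.unpack_from("<%dI" % nblocks(dir_bytes), pdb, dir_map * block_size)
    directory = _read_stream(pdb, block_size, dir_blocks, dir_bytes)
    nstreams, = struct.unpack_from("<I", directory, 0)
    sizes = struct.unpack_from("<%dI" % nstreams, directory, 4)
    off = 4 + 4 * nstreams
    for i, size in enumerate(sizes):  # walk the per-stream block lists up to the TPI stream
        blocks = struct.unpack_from("<%dI" % nblocks(size), directory, off)
        off += 4 * len(blocks)
        if i == TPI_STREAM:
            tpi = _read_stream(pdb, block_size, blocks, size)
            # TPI header: Version, HeaderSize, TypeIndexBegin, TypeIndexEnd, ...
            _, _, ti_begin, ti_end = struct.unpack_from("<4I", tpi, 0)
            return ti_end - ti_begin
    raise ValueError("no TPI stream")

def pdb_has_types(path):
    """True if the PDB at `path` still carries type records (what !heap needs for ntdll!_PEB)."""
    with open(path, "rb") as f:
        return count_types(f.read()) > 0

def build_sample_pdb(ntypes, block_size=512):
    """Constructed minimal MSF image for offline testing; NOT a real ntdll PDB."""
    tpi = struct.pack("<4I", 20040203, 56, 0x1000, 0x1000 + ntypes) + b"\0" * 40
    # block layout: 0 superblock, 1-2 free page maps, 3 directory, 4 directory block map, 5 TPI
    directory = struct.pack("<4I", 3, 0, 0, len(tpi)) + struct.pack("<I", 5)
    blocks = [b""] * 6
    blocks[0] = MSF_MAGIC + struct.pack("<6I", block_size, 1, 6, len(directory), 0, 4)
    blocks[3], blocks[4], blocks[5] = directory, struct.pack("<I", 3), tpi
    return b"".join(b.ljust(block_size, b"\0") for b in blocks)

if __name__ == "__main__":
    print(count_types(build_sample_pdb(4242)))  # 4242 for the constructed sample
```

Run `pdb_has_types` against the wntdll.pdb in your symbol cache: if it reports no type records, the PDB is public-symbols-only and the `!heap` failure above is expected regardless of what `!chksym` says.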
