【Posted】: 2021-03-09 02:52:11
【Question】:
I get the same error every time I use !process 0 0 - whether or not I am in kernel debugging mode doesn't seem to change anything.
This is the command chain when opening notepad.exe:
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: C:\Windows\System32\notepad.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
DBGHELP: Symbol Search Path: cache*;SRV*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff6`27eb0000 00007ff6`27ee8000 notepad.exe
ModLoad: 00007ffe`fb890000 00007ffe`fba86000 ntdll.dll
ModLoad: 00007ffe`f9990000 00007ffe`f9a4d000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe`f90b0000 00007ffe`f9379000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe`fb820000 00007ffe`fb84a000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe`f8fd0000 00007ffe`f8ff2000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe`f9580000 00007ffe`f968b000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe`f9380000 00007ffe`f941d000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe`f9420000 00007ffe`f9520000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe`faff0000 00007ffe`fb190000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe`fa110000 00007ffe`fa466000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe`fb440000 00007ffe`fb56b000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe`fadc0000 00007ffe`fae6e000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe`fa4d0000 00007ffe`fa56e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe`e2d70000 00007ffe`e300b000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.746_none_ca02b4b61b8320a4\COMCTL32.dll
(1208.ff0): Break instruction exception - code 80000003 (first chance)
SYMSRV: BYINDEX: 0x1
C:\ProgramData\Dbg\sym
ntdll.pdb
432F2B8588C52E47219EE25E35F653491
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntdll.pdb\432F2B8588C52E47219EE25E35F653491\ntdll.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: ntdll - public symbols
C:\ProgramData\Dbg\sym\ntdll.pdb\432F2B8588C52E47219EE25E35F653491\ntdll.pdb
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffe`fb960670 cc int 3
.sympath command:
0:000> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: cache*;SRV*https://msdl.microsoft.com/download/symbols
************* Path validation summary **************
Response Time (ms) Location
Deferred
.reload command:
0:000> .reload
Reloading current modules
...............SYMSRV: BYINDEX: 0x3
C:\ProgramData\Dbg\sym
ntdll.pdb
432F2B8588C52E47219EE25E35F653491
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntdll.pdb\432F2B8588C52E47219EE25E35F653491\ntdll.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: ntdll - public symbols
C:\ProgramData\Dbg\sym\ntdll.pdb\432F2B8588C52E47219EE25E35F653491\ntdll.pdb
And finally, the !process 0 0 command:
0:000> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
Could not get address of nt!KdVersionBlock.
unable to get nt!MmUserProbeAddress
NT symbols are incorrect, please fix symbols
I don't know what is going on. I tried deleting the sym\ntdll.pdb folder and re-downloading it, but to no avail.
Edit - more information, as requested:
0:000> !lmi nt
Loaded Module Info: [nt]
DBGHELP: SharedUserData - virtual symbol module
nt not found
0:000> vertarget
Windows 10 Version 19042 MP (16 procs) Free x64
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Build layer: ->
Build layer: ->
Build layer: ->
Machine Name:
Debug session time: Wed Mar 10 18:26:22.757 2021 (UTC + 1:00)
System Uptime: 0 days 14:38:24.474
Process Uptime: 0 days 0:00:51.162
Kernel time: 0 days 0:00:00.015
User time: 0 days 0:00:00.000
0:000> lm
start end module name
00007ff6`54910000 00007ff6`54948000 notepad (deferred)
00007ffe`f9c40000 00007ffe`f9eda000 COMCTL32 (deferred)
00007fff`09350000 00007fff`09372000 win32u (deferred)
00007fff`09540000 00007fff`095dd000 msvcp_win (deferred)
00007fff`09690000 00007fff`09959000 KERNELBASE (deferred)
00007fff`099e0000 00007fff`09ae0000 ucrtbase (deferred)
00007fff`09b30000 00007fff`09c3b000 gdi32full (deferred)
00007fff`09c70000 00007fff`09d0e000 msvcrt (deferred)
00007fff`09e20000 00007fff`09ece000 shcore (deferred)
00007fff`0a8d0000 00007fff`0a98d000 KERNEL32 (deferred)
00007fff`0aa60000 00007fff`0aa8a000 GDI32 (deferred)
00007fff`0aad0000 00007fff`0ac70000 USER32 (deferred)
00007fff`0ad00000 00007fff`0ae2b000 RPCRT4 (deferred)
00007fff`0b810000 00007fff`0bb65000 combase (deferred)
00007fff`0bc10000 00007fff`0be05000 ntdll (pdb symbols) C:\ProgramData\Dbg\sym\ntdll.pdb\53F12BFE149A2F50205C8D5D66290B481\ntdll.pdb
0:000> .reload /f nt
"nt" was not found in the image list.
Debugger will attempt to load "nt" at given base 00000000`00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
SYMSRV: BYINDEX: 0xD
C:\ProgramData\Dbg\sym
nt
FFFFFFFE
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\nt - path not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\n_ - path not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\file.ptr - path not found
SYMSRV: RESULT: 0x80070003
SYMSRV: BYINDEX: 0xE
C:\ProgramData\Dbg\sym*https://msdl.microsoft.com/download/symbols
nt
FFFFFFFE
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\nt - path not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\n_ - path not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\file.ptr - path not found
SYMSRV: HTTPGET: /download/symbols/nt/FFFFFFFE/nt
SYMSRV: HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/nt/FFFFFFFE/n_
SYMSRV: HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/nt/FFFFFFFE/file.ptr
SYMSRV: HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: RESULT: 0x80190194
DBGHELP: C:\WINDOWS\system32\nt - file not found
SYMSRV: BYINDEX: 0xF
https://msdl.microsoft.com/download/symbols
nt
FFFFFFFE
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\nt - path not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\n_ - path not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\file.ptr - path not found
SYMSRV: HTTPGET: /download/symbols/nt/FFFFFFFE/nt
SYMSRV: HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/nt/FFFFFFFE/n_
SYMSRV: HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/nt/FFFFFFFE/file.ptr
SYMSRV: HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV: RESULT: 0x80190194
DBGENG: nt - Image mapping disallowed by non-local path.
DBGHELP: No header for nt. Searching for dbg file
DBGHELP: .\nt.dbg - file not found
DBGHELP: nt missing debug info. Searching for pdb anyway
DBGHELP: Can't use symbol server for nt.pdb - no header information available
DBGHELP: nt.pdb - file not found
*** WARNING: Unable to verify timestamp for nt
*** ERROR: Module load completed but symbols could not be loaded for nt
DBGHELP: nt_0 - no symbols loaded
Unable to add module at 00000000`00000000
【Discussion】:
- The kernel symbol name is nt; can you paste the output of the !lmi nt and vertarget commands? Sometimes the symbol server does not have symbols for certain versions of Windows (especially if you are in the Insider program, but it also happens from time to time with stable releases).
- @Neitsa I made the update - nt is not found. If it helps, I recently installed all the available Windows updates - in particular version 20H2. I am not in the Insider program.
- OK, strange, I have exactly the same version, but we may have different kernels. In the debugger you can try issuing !sym noisy, then .reload /f nt; that should give you some information about what is happening with the symbols. If you want more information, try symchk.exe (same folder as windbg (not Preview)): symchk.exe /v c:\windows\system32\ntoskrnl.exe. That will give you a lot of information about the kernel symbols (and whether it can download the symbols from the symbol server). You may want to update your post with that information.
- I am using WinDbg Preview, is that the problem? I made the edit with lm and .reload /f nt. I cannot find symchk.exe on my system.
- Oh, OK, I thought you were doing a kernel debugging session... !process is only for kernel debugging; it does not work in user mode because in that case the debugger needs to read the information from kernel space itself. Try .hh !process and look at the help file. Every command comes with a "context" that tells you in which mode (kernel vs. user) you can run the command.
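Added example, not part of the original thread or of WinDbg itself: the last comment points out that !process needs a kernel target, and the "0:000>" prompt in the question shows a user-mode session attached to notepad.exe. The PowerShell below, written for this page, checks whether the current boot entry has kernel debugging enabled (the prerequisite for a local kernel session) and enables it if not; the windbgx -kl launch line and the sympath value in the trailing comments are assumptions about the reader's setup, not commands taken from the thread.

```powershell
# Added example (not from the original post). Requires an elevated prompt.
# Assumption: WinDbg Preview is installed and reachable as "windbgx".
#Requires -RunAsAdministrator

function Test-KernelDebugEnabled {
    # bcdedit prints a "debug   Yes" line for the current boot entry when
    # kernel debugging is enabled. The braces must be quoted in PowerShell.
    $entry = bcdedit /enum '{current}'
    return [bool]($entry | Where-Object { $_ -match '^\s*debug\s+Yes\s*$' })
}

function Enable-LocalKernelDebugging {
    if (Test-KernelDebugEnabled) {
        Write-Host 'Kernel debugging is already enabled on the current boot entry.'
        return $true
    }
    # Caveat: a boot entry with kernel debugging on is a reduced-security
    # configuration. Do this on a lab machine, not a production host, and
    # revert with "bcdedit /debug off" when finished.
    bcdedit /debug on | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /debug on failed with exit code $LASTEXITCODE"
    }
    Write-Warning 'Kernel debugging enabled; reboot before attaching a local kernel session.'
    return $false   # not effective until the next boot
}

Enable-LocalKernelDebugging

# After the reboot, open a local kernel session instead of launching notepad.exe
# (assumed switch; equivalently File > Attach to kernel > Local in WinDbg Preview):
#   windbgx -kl
# The prompt changes from "0:000>" (user-mode target) to "lkd>" (kernel target), e.g.:
#   lkd> .sympath srv*C:\ProgramData\Dbg\sym*https://msdl.microsoft.com/download/symbols
#   lkd> .reload
#   lkd> !process 0 0
# In a user-mode session the kernel-only extension has nothing to read; the
# "NT symbols are incorrect" message is a symptom of the wrong context, not of
# a broken symbol store.
```

The quick check before reaching for symbol repairs is the prompt itself: "0:000>" is a user-mode process target, "kd>" or "lkd>" is a kernel target, and .hh !process states the context a command expects.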
Tags: windows-10 windbg