Some notes on loading symbols in WinDBG




Create a new environment variable _NT_SYMBOL_PATH with the value: SRV*c:\mysymbol*http://msdl.microsoft.com/download/symbols

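It is painful when WinDBG cannot load symbols: the symbol path has clearly been set, yet breakpoints still cannot be set. Straight to the point:

Symptom: the symbols cannot be loaded and breakpoints cannot be triggered.

1. Check that the sympath is correct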

kd> .sympath

Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;C:\Windows\symbols;D:\VSSDataBase\TrueCrypt\Driver\obj_driver_debug\i386

Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;c:\windows\symbols;d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386

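In my earlier attempts I assumed that it mattered a great deal whether a symbol directory came earlier or later in the path. But the entries are simply searched in order, so as long as the lookup succeeds, the order of the entries and the position of the symbol directory make no difference.

The difference between a srv* entry and the entries separated by ;: srv* looks symbols up on a symbol server, while the ;-separated entries are searched as local paths. On a single machine the two amount to the same thing.

The .sys file records the location of its PDB file, and that is how the symbols are found, so the symbol directory must be the directory used at build time. Even if you copy the files out of the build directory to somewhere else and then point the WinDBG symbol path at that directory, WinDBG will not recognize them, because for a SYS file's symbols WinDBG only looks in the directory recorded in the SYS file. This is quite peculiar, and it baffled me when I used to configure WinDBG.

2. Use !lmi truecrypt to look up the module information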

kd> !lmi truecrypt

Loaded Module Info: [truecrypt]

Module: truecrypt

Base Address: ee21b000

Image Name: truecrypt.sys

Machine Type: 332 (I386)

Time Stamp: 4d889673 Tue Mar 22 20:30:43 2011

Size: 4ef80

CheckSum: 55776

Characteristics: 102

Debug Data Dirs: Type  Size     VA  Pointer

CODEVIEW    5c, 43fc8,   43fc8 RSDS – GUID: {1B9489BA-E47D-4E48-89EB-D0CB60055F22}

Age: 1, Pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb

Image Type: MEMORY   – Image read successfully from loaded memory.


Symbol Type: EXPORT   – PDB not found


Load Report: export symbols

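Symbol Type: EXPORT   – PDB not found (the symbol file was not found)

Export

No symbol file was found, so the export information of the image (such as a DLL's exports) is used as symbols.

3. Check the details of symbol loading

!sym noisy

This makes WinDBG display the paths it tries while loading symbol files; by default they are not shown.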

SYMSRV:  无法与服务器建立连接

SYMSRV:  c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found

!sym quiet turns the path display off:

SYMSRV: truecrypt.pdb not found

kd> !sym noisy

noisy mode – symbol prompts on

kd> .reload /f truecrypt.sys

SYMSRV: 无法与服务器建立连接

SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found

SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found

DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb – mismatched pdb

DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\sys\truecrypt.pdb – file not found

DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\symbols\sys\truecrypt.pdb – file not found

SYMSRV: 无法与服务器建立连接

SYMSRV: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found

SYMSRV: c:\windows\symbols\truecrypt.pdb\1B9489BAE47D4E4889EBD0CB60055F221\truecrypt.pdb not found

SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found


DBGHELP: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb – mismatched pdb


DBGHELP: Couldn’t load mismatched pdb for truecrypt.sys

*** ERROR: Symbol file could not be found. Defaulted to export symbols for truecrypt.sys –

DBGHELP: truecrypt – export symbols

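Note the "mismatched pdb" line above: the location of the symbol file is correct and the file was found, yet the result is mismatched pdb. So I deleted the contents of the debug directory, rebuilt, and copied the output into the virtual machine, but the result was the same: still mismatched pdb.

4. Compare the module details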

!IToldYouSo tests the validity of a module against a symbol file. The module can be specified by either its name or base address. If a symbol file is not specified, then the loaded symbol is tested. Otherwise, if a pdb or dbg symbol file path is specified, it is tested against the loaded module.

kd> !itoldyouso truecrypt d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb

truecrypt.sys

Timestamp: 4D889673

SizeOfImage: 4EF80

pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb


pdb sig: 1B9489BA-E47D-4E48-89EB-D0CB60055F22


age: 1

truecrypt.pdb


pdb sig: 329A35FA-70B8-4A97-BB0E-99BA6342AB6A


age: 1

sig MISMATCH: truecrypt.pdb and truecrypt.sys

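The signatures differ, which shows that the driver loaded in my virtual machine does not match the symbol file I rebuilt. On checking, I found that the truecrypt.sys loaded when truecrypt.exe starts is not the one under C:\Windows\System32\Drivers but the one in truecrypt.exe's own installation directory. After replacing that file, the symbols loaded successfully.

As shown below: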

kd> !lmi truecrypt

Loaded Module Info: [truecrypt]

Module: truecrypt

Base Address: ee1ef000

Image Name: truecrypt.sys

Machine Type: 332 (I386)

Time Stamp: 4d8c8e61 Fri Mar 25 20:45:21 2011

Size: 4f180

CheckSum: 5b7fa

Characteristics: 102

Debug Data Dirs: Type  Size     VA  Pointer

CODEVIEW    5c, 44148,   44148 RSDS – GUID: {160409E4-8EFC-4412-B760-4E9BF8F1A05A}

Age: 1, Pdb: d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb

Image Type: MEMORY   – Image read successfully from loaded memory.

Symbol Type: PDB      – Symbols loaded successfully from symbol search path.

d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb

Compiler: Resource – front end [0.0 bld 0] – back end [9.0 bld 30729]

Load Report: private symbols & lines, not source indexed

d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb
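
The signature comparison from step 4 can also be done offline, before a driver is copied into the virtual machine. The following is an added example, not part of the original post: it parses the CODEVIEW RSDS record that !lmi displays, derives the GUID+age directory name seen in the SYMSRV lines, and checks an image's bytes against a PDB signature. The function names and the byte-scan heuristic are assumptions of this example; the sample record is constructed from the values shown above.

```python
import struct
import uuid

# Constructed sample built from the GUID, age and PDB path shown in the !lmi output above.
PDB_PATH = r"d:\vssdatabase\truecrypt\driver\obj_driver_debug\i386\truecrypt.pdb"

def make_rsds(guid: str, age: int, path: str) -> bytes:
    """Build an RSDS record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated PDB path."""
    return (b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age)
            + path.encode() + b"\0")

LOADED = make_rsds("1B9489BA-E47D-4E48-89EB-D0CB60055F22", 1, PDB_PATH)

def parse_rsds(record: bytes):
    """Return (guid, age, pdb_path) from a CodeView RSDS record."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])   # GUID is stored in mixed-endian form
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return guid, age, path

def symstore_key(guid: uuid.UUID, age: int) -> str:
    """Directory name SYMSRV looks for: 32 hex digits of the GUID, then the age in hex."""
    return f"{guid.hex.upper()}{age:X}"

def find_rsds(image: bytes):
    """Scan raw image bytes for RSDS records (heuristic, not a full PE debug-directory walk)."""
    found, pos = [], image.find(b"RSDS")
    while pos != -1:
        try:
            found.append(parse_rsds(image[pos:pos + 24 + 260]))
        except ValueError:
            pass  # signature too close to the end of the data to be a record
        pos = image.find(b"RSDS", pos + 4)
    return found

def matches(image: bytes, pdb_guid: str, pdb_age: int) -> bool:
    """True if the image references a PDB with exactly this signature and age."""
    want = (uuid.UUID(pdb_guid), pdb_age)
    return any((g, a) == want for g, a, _ in find_rsds(image))

if __name__ == "__main__":
    guid, age, path = parse_rsds(LOADED)
    print(symstore_key(guid, age), path)
    # Signature of the rebuilt PDB reported by !itoldyouso above: does not match.
    print(matches(LOADED, "329A35FA-70B8-4A97-BB0E-99BA6342AB6A", 1))
```

To check a driver file on disk, pass its contents (`open(path, "rb").read()`) to `matches` together with the `pdb sig` and `age` of the PDB you built.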

Reposted from: https://blog.51cto.com/whatday/1382685

