C++ Using WinDBG to identify a flawed function

Tags: c++, windows, debugging, windbg

I installed WinDBG from the Windows SDK 7.1. Then I made a program, "CleanPayload.exe", with VC++ 2008; it contains only a "main" and a call to a function that deliberately contains a defect. It is a release build that includes debugging symbols. I opened that program in WinDBG and then:

  - ran .sympath+ to point at the location of the program's PDB
  - ran ld* to load all symbols
  - ran lm to verify that all symbols were loaded (private symbols for my program, public symbols for the Windows libraries)

Then I ran the program and it threw a first chance exception, which was expected:

(910.12a0): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
771e0f2b cc int 3
However, when I ask WinDBG to show me the stack, it shows nothing from my program "CleanPayload.exe". Instead it shows me:
0:000:x86> kb
ChildEBP RetAddr Args to Child
004bf5ec 771c122b 7efdd000 7efde000 7724206c ntdll32!LdrpDoDebuggerBreak+0x2c
004bf764 77192187 004bf7d8 77140000 7c185e6a ntdll32!LdrpInitializeProcess+0x132f
004bf7b4 77179e89 004bf7d8 77140000 00000000 ntdll32!_LdrpInitialize+0x78
004bf7c4 00000000 004bf7d8 77140000 00000000 ntdll32!LdrInitializeThunk+0x10
What do I need to do to get it to show a stack trace that (1) includes my program and (2) includes the function that raised the exception?
Update: Following Larry's suggestion I ran past the first exception and got the following:
0:000:x86> g
ntdll!NtTerminateProcess+0xa:
00000000`76faf97a c3 ret
0:000> kb
RetAddr : Args to Child : Call Site
00000000`74c6601a : 00000000`00000000 00000000`000de600 00000000`000ddc80 00000000`74c60304 : ntdll!NtTerminateProcess+0xa
00000000`74c5cf87 : 00000000`0030f988 00000000`0030dba8 00000000`7efdb000 00000000`0030f934 : wow64!whNtTerminateProcess+0x46
00000000`74be276d : 00000000`77150190 00000000`74c50023 00000000`00000000 00000000`0030fab8 : wow64!Wow64SystemServiceEx+0xd7
00000000`74c5d07e : 00000000`00000000 00000000`74be1920 00000000`000de820 00000000`76f93501 : wow64cpu!TurboDispatchJumpAddressEnd+0x24
00000000`74c5c549 : 00000000`00000000 00000000`00000000 00000000`74c54ac8 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`76faae27 : 00000000`004a3100 00000000`00000000 00000000`7707a1e0 00000000`7efdf000 : wow64!Wow64LdrpInitialize+0x429
00000000`76fa72f8 : 00000000`00000000 00000000`76fa8641 00000000`76fb84e0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x1780
00000000`76f92ace : 00000000`000df1b0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x2af20
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
0:000> g
ModLoad: 00000000`76d40000 00000000`76e5f000 WOW64_IMAGE_SECTION
ModLoad: 00000000`74f90000 00000000`75090000 WOW64_IMAGE_SECTION
ModLoad: 00000000`76d40000 00000000`76e5f000 NOT_AN_IMAGE
ModLoad: 00000000`76e60000 00000000`76f5a000 NOT_AN_IMAGE
ModLoad: 00000000`71160000 00000000`711c0000 C:\Windows\syswow64\verifier.dll
Page heap: pid 0x1A54: page heap enabled with flags 0x3.
AVRF: CleanPayload.exe: pid 0x1A54: flags 0x80643027: application verifier enabled
ModLoad: 00000000`71130000 00000000`7115b000 C:\Windows\SysWOW64\vrfcore.dll
ModLoad: 00000000`710d0000 00000000`71128000 C:\Windows\SysWOW64\vfbasics.dll
ModLoad: 00000000`74f90000 00000000`75090000 C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76830000 00000000`76876000 C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`715c0000 00000000`7164e000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCP90.dll
ModLoad: 00000000`73dc0000 00000000`73e63000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCR90.dll
(1a54.17dc): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
771e0f2b cc int 3
0:000:x86> !avrf
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: wow64!_TEB32 ***
*** ***
*************************************************************************
Application verifier is not enabled for this process.
Use appverif.exe tool to enable it.
So, unfortunately, I still don't see the relevant stack trace information. Before performing the steps above I also tried the .effmach x86 command, but it seemed to have no effect. By the way, I also re-ran the whole test with the app verifier activated for the target program I am testing. I got very contradictory results:
The execution above shows "AVRF: CleanPayload.exe ... application verifier enabled", which indicates it has locked onto the target. But the subsequent !avrf command shows that the debug symbols are incorrect, even though the lm command shows they are all loaded correctly! What exactly is going on here?

Answer:

You are running the 64-bit version of windbg and a 32-bit application. The initial breakpoint runs in 64-bit code.

If you hit "g", you should hit the initial breakpoint of the 32-bit application, and you should be able to go from there.

To switch from 64-bit debugging to 32-bit debugging (for example if you press CTRL-C), type:

.effmach x86

This will switch the debugger from 64-bit mode to 32-bit mode.

Answer:

Are you trying to figure out how to debug real problems once the software is packaged and sent to QA or customers? If so, you can use another tool, adplus. Adplus starts the debugger in the background and has only one purpose (actually two if run in hang mode, but that is not what you want): to wait for an exception. When the exception happens it generates a process memory dump file, which can be loaded into WinDbg.

With this approach you don't have to rely on QA or your customers knowing how to use WinDbg. You just instruct them how to run one command line. After running it they simply zip the whole output directory and send it to you for analysis.

Once loaded into WinDbg, the memory dump file will show you the exact location of the exception and all local/member variables at that moment (although if the code is optimized you may have to hunt for those values).

Answer:

Obviously, 32-bit debugging in 64-bit WinDbg is half the problem. The other half is finding the right debug symbols for the 32-bit program. Note this discussion:

http://www.eggheadcafe.com/software/aspnet/29430292/teb32-and-peb32-type-info-missing-from-public-wow64pdb.aspx

That is, if I am debugging a 64-bit application, then to keep "Application Verifier" happy I have to make sure that "c:\windows\system32" is placed in the symbol path before "srv*".

Comment: Nice, I had forgotten about the symbol path issue too.

Comment: @LO: Can you explain further? What do you mean by the initial breakpoint being in 64-bit code? Specifically, can you compare it with the same scenario under windbg32? Also, the initial exception that is generated: is it inserted by the debugger so that the debugger stops when it is hit? Thanks.

Comment: When you start a 32-bit application in 64-bit windbg, the initial breakpoint is in the WOW64 (Windows On Windows 64-bit) initialization. You need to hit "G" again to hit the 32-bit initial breakpoint. It is an artifact of how 32-bit applications work under a 64-bit debugger. I don't know the exact reason, but I know it is just something you have to do.

Comment: The author already got the dump. But he has problems analyzing it.

Comment: @YauheniSivukha - probably not when I posted this answer... more than three years ago. Did you find the cause of the exception?
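As an added example, not code from the question or from any of the answers, the two procedures discussed above put into one command sequence: capture the crash of the 32-bit target with adplus, then open the resulting dump in WinDbg with the private PDB ahead of the public symbol server and the effective machine switched to x86 before walking the stack. All paths, the dump file name and the symbol cache directory are placeholders, and the command lines assume the adplus.exe and windbg.exe that ship with the Debugging Tools for Windows in SDK 7.1.

```cmd
@echo off
rem Added example, not the original poster's or the answerers' code.
rem Every path below is a placeholder to be replaced with your own.
set TARGET=C:\build\Release\CleanPayload.exe
set PDBDIR=C:\build\Release
set DUMPDIR=C:\dumps
set SYMCACHE=C:\symcache

rem 1. Let adplus spawn the target and wait for a crash. On an unhandled
rem    exception it writes a dump plus log files into the -o directory;
rem    that directory is what QA or a customer zips up and sends back.
adplus -crash -sc "%TARGET%" -o "%DUMPDIR%"

rem 2. Open the dump in WinDbg. The symbol path lists the private PDB first
rem    and the Microsoft public symbol server second. A dump of a WOW64
rem    (32-bit) process taken by the x64 debugger opens in the 64-bit
rem    context, so switch the effective machine to x86 and reload symbols
rem    before !analyze and kb, otherwise the stack shows only wow64/ntdll.
rem    <dump file> stands for the .dmp file adplus created under %DUMPDIR%.
windbg -z "%DUMPDIR%\<dump file>.dmp" -c ".sympath %PDBDIR%;srv*%SYMCACHE%*http://msdl.microsoft.com/download/symbols; .reload; .effmach x86; .reload; !analyze -v; kb"
```

If the x86 Debugging Tools are installed alongside the x64 ones, running that x86 adplus and windbg against the 32-bit target avoids the WOW64 layer altogether, and the .effmach x86 step is not needed.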