Crash debugging of a Win32 application

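I am debugging a file parser (Win32). Every time I feed it a certain file, it crashes at the same location. I do not have access to the application's source code. I tried to analyze the root cause of the crash, and it appears to be some kind of out-of-bounds array read. But I am not sure whether any memory is being corrupted. I used ADPlus to take the crash dump; below I have added the minidump and the ADPlus log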

https://dl.dropboxusercontent.com/u/107519001/MINIDUMP_FirstChance_av_AccessViolation_FileParser.exe__0e04_2013-10-25_20-26-29-893_084c.dmp
&

Debug info:

https://dl.dropboxusercontent.com/u/107519001/vc90.pdb
Can anyone help me find the root cause of the access violation crash?

Thanks in advance,

0:000> .ecxr
eax=00b80000 ebx=3fb80000 ecx=0012f514 edx=0012f448 esi=0012f628 edi=0012f650
eip=00407212 esp=0012f4fc ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
FileParser+0x7212:
00407212 8b530c          mov     edx,dword ptr [ebx+0Ch] ds:0023:3fb8000c=????????
0:000> kvn
 *** Stack trace for last set context - .thread/.cxr resets it
# ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00000000 00000000 00000000 00000000 00000000 FileParser+0x7212
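We must have FileParser.pdb to have a chance of finding out what happened.
@ebp doesn't look good,

FileParser reads binary data from inline1.exe and expects to see valid offsets and structure layout, but an access violation occurs. The binary does not have a valid header. Possibly the binary is compressed or encrypted.

Manual stack reconstruction: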

0:000> kn =0012f674 0012f674 004071f1
 # ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f674 73dd1eb6 FileParser+0x71f1
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306
14 0012feec 73dd125a user32!DispatchMessageA+0xf
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a
18 0012ffc0 7c816d4f FileParser+0x9472
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23
Disassembly from FileParser+0x71f1 until FileParser+0x7212, where the access violation occurs:

004071ec e8e71b0000      call    FileParser+0x8dd8 (00408dd8)   
004071f1 84db            test    bl,bl
004071f3 0f846f050000    je      FileParser+0x7768 (00407768)
004071f9 8b442414        mov     eax,dword ptr [esp+14h]    *Base address of inline1.exe binary 
004071fd 8b483c          mov     ecx,dword ptr [eax+3Ch]    *must be offset at _IMAGE_NT_HEADERS 
00407200 8b5c0178        mov     ebx,dword ptr [ecx+eax+78h]*must be _IMAGE_DATA_DIRECTORY
00407204 8d4c0118        lea     ecx,[ecx+eax+18h]      *must be _IMAGE_OPTIONAL_HEADER
00407208 03d8            add     ebx,eax            *must be VA _IMAGE_DATA_DIRECTORY
0040720a 8d4c2418        lea     ecx,[esp+18h]      * 
0040720e 895c2434        mov     dword ptr [esp+34h],ebx    *
00407212 8b530c          mov     edx,dword ptr [ebx+0Ch]    *Access violation here 
because ebx points to 3fb80000 instead of the range from b80000 with ImageSize: 00006000

The base address of inline1.exe is loaded into the eax register: mov eax,dword ptr [esp+14h]

0:000> dps esp+14 L1
0012f510  00b80000 inline1
0:000> lmvm inline1
start    end        module name
00b80000 00b86000   inline1  T (no symbols)           
Loaded symbol image file: inline1.exe
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe
Image name: inline1.exe
Timestamp:        Sat Sep 28 21:27:18 2013 (52471176)
CheckSum:         00011C84
ImageSize:        00006000
File version:     0.0.0.0
Product version:  0.0.0.0
File flags:       0 (Mask 0)
File OS:          0 Unknown Base
File type:        0.0 Unknown
File date:        00000000.00000000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

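Hi Kjell, I'm not sure, but I hope this will help.. Thanks for your reply.

No, it should be named FileParser.pdb; you probably have to enable debug information in the project's linker property page to generate it.

How did you find the BasePtr StackPtr InstructionPtr used in kn =0012f674 0012f674 004071f1?

@sergmat - but where does 3fb00000 come from? Do you have any links describing the IMAGE_* references you made?

@KjellGunnar I looked at the raw stack, trying to find a valid pair of a ReturnAddress near the current eip and a BasePointer near the current esp. I found it on the fourth or fifth attempt.

@LievenKeersmaekers mov ebx,dword ptr[ecx+eax+78h] reads data from the binary and loads it into ebx. eax contains the base address of inline1.exe, 00b80000. ecx contains the data stored at offset 3c, which in an MZ/PE image must typically be e8 (e_lfanew). I think the wrong 3f000000 was added from there. This describes the image headers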
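The header walk from the disassembly above, rewritten with the bounds checks the parser lacks before 00407212. This is an added example, not code from the thread or from FileParser; the function names and the sample image are constructed, and it assumes a PE32 image held in a buffer as it is mapped in memory (RVA equals buffer offset).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PE_OK = 0, PE_BAD_DOS = -1, PE_BAD_NT = -2, PE_NO_EXPORTS = -3, PE_BAD_EXPORT_RVA = -4 };

/* Read a little-endian u32 at off, only if [off, off+4) lies inside the image. */
static int rd32(const uint8_t *img, size_t size, size_t off, uint32_t *out) {
    if (size < 4 || off > size - 4) return 0;
    *out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 1;
}

/* Same walk as the disassembly, with every offset checked against the image size. */
int export_name_rva(const uint8_t *img, size_t size, uint32_t *name_rva) {
    uint32_t e_lfanew, sig, magic, exp_rva;
    if (size < 2 || img[0] != 'M' || img[1] != 'Z') return PE_BAD_DOS;
    if (!rd32(img, size, 0x3c, &e_lfanew)) return PE_BAD_DOS;          /* [eax+3Ch] */
    if (!rd32(img, size, e_lfanew, &sig) || sig != 0x00004550u) return PE_BAD_NT;
    /* The +78h offset of the export data directory only holds for PE32 (magic 10Bh). */
    if (!rd32(img, size, (size_t)e_lfanew + 0x18, &magic) || (magic & 0xffff) != 0x10b)
        return PE_BAD_NT;
    if (!rd32(img, size, (size_t)e_lfanew + 0x78, &exp_rva)) return PE_BAD_NT;
    if (exp_rva == 0) return PE_NO_EXPORTS;
    /* Missing in the parser: base + RVA + 0Ch (export directory Name) must be in range. */
    if (exp_rva >= size || !rd32(img, size, (size_t)exp_rva + 0x0c, name_rva))
        return PE_BAD_EXPORT_RVA;
    return PE_OK;
}

static void wr32(uint8_t *img, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) img[off + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample: 6000h-byte image, e_lfanew = E8h, caller-chosen export RVA. */
int check_sample(uint32_t exp_rva, uint32_t *name_rva) {
    static uint8_t img[0x6000];
    memset(img, 0, sizeof img); img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3c, 0xe8); wr32(img, 0xe8, 0x00004550u);   /* e_lfanew, "PE\0\0" */
    wr32(img, 0xe8 + 0x18, 0x10b);                         /* PE32 magic */
    wr32(img, 0xe8 + 0x78, exp_rva);
    if (exp_rva <= sizeof img - 0x10) wr32(img, exp_rva + 0x0c, 0x2040);
    return export_name_rva(img, sizeof img, name_rva);
}

int main(void) {
    uint32_t name = 0;
    int bad = check_sample(0x3f000000u, &name), ok = check_sample(0x2000, &name);
    printf("3f000000 -> %d, 2000 -> %d (Name RVA %x)\n", bad, ok, (unsigned)name);
    return 0;
}
```

With the export RVA 3f000000 seen in the dump and an image size of 6000h, the read is rejected instead of faulting at base + 3f00000c.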