Windbg 从崩溃转储获取GDI句柄计数的命令
我有一个崩溃转储,我怀疑GDI泄漏是导致崩溃的原因Windbg 从崩溃转储获取GDI句柄计数的命令,windbg,Windbg,我有一个崩溃转储,我怀疑GDI泄漏是导致崩溃的原因 从完整的崩溃转储中,有没有找到进程崩溃时使用的GDI句柄数?这是不可能的,因为自w2k版本以来,GDI任务中定制的唯一调试器扩展gdikdx.dll没有得到积极维护,我相信他们停止了发布,因为没有多少人入侵GDI内部——根据我在一个新闻组中偶然发现的某人的声明——因此它不再投资于。 您只剩下几个选项,不幸的是,所有这些选项都与运行时故障排除有关 您可以从nirsoft之类的工具开始监控应用程序中GDI资源的使用情况,然后进入任何运行时检测选项:
从完整的崩溃转储中,有没有找到进程崩溃时使用的GDI句柄数?这是不可能的,因为自w2k版本以来,GDI任务中定制的唯一调试器扩展gdikdx.dll没有得到积极维护,我相信他们停止了发布,因为没有多少人入侵GDI内部——根据我在一个新闻组中偶然发现的某人的声明——因此它不再投资于。 您只剩下几个选项,不幸的是,所有这些选项都与运行时故障排除有关 您可以从nirsoft之类的工具开始监控应用程序中GDI资源的使用情况,然后进入任何运行时检测选项:
- 在msdn上描述
顺便问一下,你能更具体地说明你这次车祸的实际原因吗?苔丝谈到了类似的情况,也许这会给你一个线索
我已经创建了一个Windbg脚本来转储GDI句柄表中的所有GDI句柄。看 当您将其倾倒两次时,您可以看到发生了什么变化:
0:013> $$>a<"D:\GdiDump\DumpGdi.txt"
GDI Handle Table 00000000013e0000 0000000001561000
GDI Handle Count 14
DeviceContexts: 4
Regions: 2
Bitmaps: 2
Palettes: 0
Fonts: 3
Brushes: 3
Pens: 0
Uncategorized: 0
0:013> g
0:014> $$>a<"D:\GdiDump\DumpGdi.txt"
GDI Handle Table 00000000013e0000 0000000001561000
GDI Handle Count 1021
DeviceContexts: 8
Regions: 3
Bitmaps: 1003
Palettes: 0
Fonts: 3
Brushes: 4
Pens: 0
Uncategorized: 0
0:013>$$$>a g
0:014>$$>aa这里有一个从GdiSharedHandleTable转储gdi句柄的替代脚本,它可以在live usermode/live kernelmode/dump模式下使用
它也可以用在!对于_,每个_进程命令字符串将在内核模式调试中从所有正在运行的进程中转储gdi句柄
它使用.catch块打印摘要
在kd中,有时GdiSharedhandleTable页面将被调出/截断到小于其分配大小,peb头被调出等问题出现
因此,该脚本尝试尽可能多地读取数据,当发生内存访问冲突时,它会离开catch块并打印数据摘要
它能打捞到什么
顺便说一句,这个脚本是32位对64位的,伪寄存器需要根据需要进行调整
r $t19=0;r $t18=0;r $t17=0;r $t16=0;r $t15=0;r $t14=0;r $t13=0;r $t12=0;
r $t0 = @@c++(@$Peb->GdiSharedHandleTable)
r $t1 = (@@c++(@$Peb->GdiSharedHandleTable) + 0xffffff )
r $t2 = 0
.catch {
.printf /D "<b>gdioffs Kaddr Pid Count Handle Type Tname
IsLive UAddr </b>\n";
.while(@$t0 < @$t1) {
.while( wo(@$t0+4) != @$tpid) {
r $t0 = @$t0+0x10 ; r $t2 = @$t2+1
}
.printf "%08x " , @$t0 ; .printf "%08x " , dwo(@$t0)
.printf "%08x " , wo(@$t0+4) ;.printf "%08x " , wo(@$t0+6)
.printf "%08x " , (wo(@$t0+8)<<0x10)+@$t2 ; .printf "%08x " , by(@$t0+a)
.if( by(@$t0+a) == 1 ) {r $t19=@$t19+1;.printf "DC "}
.elsif( by(@$t0+a) == 4 ) {r $t18=@$t18+1;.printf "Region "}
.elsif( by(@$t0+a) == 5 ) {r $t17=@$t17+1;.printf "Bitmap "}
.elsif( by(@$t0+a) == 8 ) {r $t16=@$t16+1;.printf "Pallete "}
.elsif( by(@$t0+a) == a ) {r $t15=@$t15+1;.printf "Font "}
.elsif( by(@$t0+a) == 10) {r $t14=@$t14+1;.printf "Brush "}
.elsif( by(@$t0+a) == 30) {r $t13=@$t13+1;.printf "Pen "}
.else {r $t12=@$t12+1;.printf "Unknown "}
.printf "%08x " , by(@$t0+b)
.printf "%08x\n" , dwo(@$t0+c)
r $t0 = @$t0+0x10
r $t2 = @$t2+1
}
}
r? @$t11 = @@c++(@$peb->ProcessParameters->ImagePathName.Buffer)
.printf /D "<b>Gdi Handles for %mu</b>\n", @$t11
.printf "Total Gdi Handles = %d\n", (@$t19+@$t18+@$t17+@$t16+@$t15+@$t14+@$t13+@$t12)
.printf "DC = %d\n" , @$t19 ; .printf "Font = %d\n" , @$t18
.printf "Region = %d\n" , @$t17 ; .printf "Brush = %d\n" , @$t16
.printf "Bitmap = %d\n" , @$t15 ; .printf "Pen = %d\n" , @$t14
.printf "Pallete = %d\n" , @$t13 ; .printf "Unknpown = %d\n" , @$t12
r$t19=0;r$t18=0;r$t17=0;r$t16=0;r$t15=0;r$t14=0;r$t13=0;r$t12=0;
r$t0=@@c++(@$Peb->GdiSharedHandleTable)
r$t1=(@@c++(@$Peb->GdiSharedHandleTable)+0xffffff)
r$t2=0
.接住{
.printf/D“gdioffs Kaddr Pid计数句柄类型Tname
IsLive UAddr\n“;
.而(@$t0<@$t1){
.而(wo(@$t0+4)!=@$tpid){
r$t0=@$t0+0x10;r$t2=@$t2+1
}
.printf“%08x”,@$t0;.printf“%08x”,dwo(@$t0)
.printf“%08x”,wo(@$t0+4);.printf“%08x”,wo(@$t0+6)
.printf“%08x”,(wo(@$t0+8)ImagePathName.Buffer)
.printf/D“用于%mu的Gdi句柄\n”,@$t11
.printf“总Gdi句柄=%d\n”,(@$t19+@$t18+@$t17+@$t16+@$t15+@$t14+@$t13+@$t12)
.printf“DC=%d\n”,@$t19;.printf“Font=%d\n”,@$t18
.printf“Region=%d\n”,@$t17;.printf“Brush=%d\n”,@$t16
.printf“位图=%d\n”,@$t15;.printf“笔=%d\n”,@$t14
.printf“Pallete=%d\n”@$t13;.printf“unknown=%d\n”@$t12
执行结果
0:000> $$>a< c:\wdscr\dumpgdi.txt
gdioffs Kaddr Pid Count Handle Type Tname ;IsLive UAddr
00472b30 fe6b5728 00000ca4 00000000 0d0102b3 00000001 DC 00000040 000e0cb0
00472be0 fdf73da8 00000ca4 00000000 420502be 00000005 Bitmap 00000040 00000000
004737b0 fddac108 00000ca4 00000000 9605037b 00000005 Bitmap 00000040 00000000
00474030 fe76eda8 00000ca4 00000000 eb050403 00000005 Bitmap 00000040 00000000
00474c90 fddde008 00000ca4 00000000 d70a04c9 0000000a Font 00000040 001fb1e8
0047ab80 fddab008 00000ca4 00000000 ba050ab8 00000005 Bitmap 00000040 00000000
0047f270 fddbcda8 00000ca4 00000000 16050f27 00000005 Bitmap 00000040 00000000
0047fef0 fdee4da8 00000ca4 00000000 cd050fef 00000005 Bitmap 00000040 00000000
004809f0 fe72eda8 00000ca4 00000000 3405109f 00000005 Bitmap 00000040 00000000
00480e50 fdda5aa8 00000ca4 00000000 0e0510e5 00000005 Bitmap 00000040 00000000
00481cf0 ffb0fda8 00000ca4 00000000 df0511cf 00000005 Bitmap 00000040 00000000
00481d70 fddb0da8 00000ca4 00000000 930511d7 00000005 Bitmap 00000040 00000000
00482020 ff4a1da8 00000ca4 00000000 d4051202 00000005 Bitmap 00000040 00000000
00482060 fddd4008 00000ca4 00000000 39051206 00000005 Bitmap 00000040 00000000
00482170 fddb6008 00000ca4 00000000 20051217 00000005 Bitmap 00000040 00000000
00483140 ff4a0008 00000ca4 00000000 4e051314 00000005 Bitmap 00000040 00000000
00483870 ff427980 00000ca4 00000000 6d051387 00000005 Bitmap 00000040 00000000
00483d80 fe7d04b0 00000ca4 00000000 bd0513d8 00000005 Bitmap 00000040 00000000
00484620 ff437eb8 00000ca4 00000000 0d101462 00000010 Brush 00000040 000f0fd8
004846a0 fddc2da8 00000ca4 00000000 d305146a 00000005 Bitmap 00000040 00000000
00484b80 fdf1a728 00000ca4 00000000 530114b8 00000001 DC 00000040 000e0ae0
Memory access error at ') != @$tpid) <-------- jumps out of catch block here
Gdi Handles for C:\Windows\system32\calc.exe
Total Gdi Handles = 21
DC = 2
Font = 0
Region = 17
Brush = 0
Bitmap = 1
Pen = 1
Pallete = 0
Unknpown = 0
0:000>$$>a!handles
将列出转储中的所有句柄,但我认为它不包括GDI句柄,只包括在中列出的句柄。您好。您介意看一下吗?这是关于WOW64崩溃转储需要的后续信息。谢谢。
0:000> $$>a< c:\wdscr\dumpgdi.txt
gdioffs Kaddr Pid Count Handle Type Tname ;IsLive UAddr
00472b30 fe6b5728 00000ca4 00000000 0d0102b3 00000001 DC 00000040 000e0cb0
00472be0 fdf73da8 00000ca4 00000000 420502be 00000005 Bitmap 00000040 00000000
004737b0 fddac108 00000ca4 00000000 9605037b 00000005 Bitmap 00000040 00000000
00474030 fe76eda8 00000ca4 00000000 eb050403 00000005 Bitmap 00000040 00000000
00474c90 fddde008 00000ca4 00000000 d70a04c9 0000000a Font 00000040 001fb1e8
0047ab80 fddab008 00000ca4 00000000 ba050ab8 00000005 Bitmap 00000040 00000000
0047f270 fddbcda8 00000ca4 00000000 16050f27 00000005 Bitmap 00000040 00000000
0047fef0 fdee4da8 00000ca4 00000000 cd050fef 00000005 Bitmap 00000040 00000000
004809f0 fe72eda8 00000ca4 00000000 3405109f 00000005 Bitmap 00000040 00000000
00480e50 fdda5aa8 00000ca4 00000000 0e0510e5 00000005 Bitmap 00000040 00000000
00481cf0 ffb0fda8 00000ca4 00000000 df0511cf 00000005 Bitmap 00000040 00000000
00481d70 fddb0da8 00000ca4 00000000 930511d7 00000005 Bitmap 00000040 00000000
00482020 ff4a1da8 00000ca4 00000000 d4051202 00000005 Bitmap 00000040 00000000
00482060 fddd4008 00000ca4 00000000 39051206 00000005 Bitmap 00000040 00000000
00482170 fddb6008 00000ca4 00000000 20051217 00000005 Bitmap 00000040 00000000
00483140 ff4a0008 00000ca4 00000000 4e051314 00000005 Bitmap 00000040 00000000
00483870 ff427980 00000ca4 00000000 6d051387 00000005 Bitmap 00000040 00000000
00483d80 fe7d04b0 00000ca4 00000000 bd0513d8 00000005 Bitmap 00000040 00000000
00484620 ff437eb8 00000ca4 00000000 0d101462 00000010 Brush 00000040 000f0fd8
004846a0 fddc2da8 00000ca4 00000000 d305146a 00000005 Bitmap 00000040 00000000
00484b80 fdf1a728 00000ca4 00000000 530114b8 00000001 DC 00000040 000e0ae0
Memory access error at ') != @$tpid) <-------- jumps out of catch block here
Gdi Handles for C:\Windows\system32\calc.exe
Total Gdi Handles = 21
DC = 2
Font = 0
Region = 17
Brush = 0
Bitmap = 1
Pen = 1
Pallete = 0
Unknpown = 0