Windbg NTDLL的错误符号（错误3）。流产_Windbg

Windbg NTDLL的错误符号（错误3）。流产

windbg

Windbg NTDLL的错误符号（错误3）。流产,windbg,Windbg,可能导致错误的原因： Bad symbols for NTDLL (error 3). Aborting. 使用时！cs命令我正在分析一个键盘强制完全转储，并设置了MS symbol服务器的符号路径 lml未将ntdll列为已加载 .sym噪音和重新加载显示： 3: kd> .reload ntdll "ntdll" was not found in the image list. Debugger will attempt to load "ntdll" at given base

可能导致错误的原因：

Bad symbols for NTDLL (error 3). Aborting.

使用时！cs命令

我正在分析一个键盘强制完全转储，并设置了MS symbol服务器的符号路径

lml未将ntdll列为已加载

.sym噪音和重新加载显示：

3: kd> .reload ntdll

"ntdll" was not found in the image list.
Debugger will attempt to load "ntdll" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
DBGENG:  ntdll - Partial symbol image load missing image info
DBGHELP: No header for ntdll.  Searching for dbg file
DBGHELP: .\ntdll.dbg - file not found
DBGHELP: ntdll missing debug info.  Searching for pdb anyway
DBGHELP: Can't use symbol server for ntdll.pdb - no header information available
DBGHELP: ntdll.pdb - file not found

DBGHELP: ntdll - no symbols loaded
Unable to add module at 00000000`00000000
3: kd> .reload nt

DBGHELP: nt - public symbols  
        c:\symbols\ntkrnlmp.pdb\BF9E190359784C2D8796CF5537B238B42\ntkrnlmp.pdb

我只是没有正确设置windbg，或者这些命令是用于其他类型的转储吗？

您以前似乎已经完成了用户模式调试。现在您处于内核模式，您可以从

x:kd>

提示符中看到

内核模式调试与用户模式调试有些不同。最重要的IMHO：并非所有应用程序内存（虚拟内存）都可用，只是转储（物理内存）时RAM中的部分。工作集（特定进程的物理内存）

您可以使用

搜索可执行文件！处理0 0

不幸的是，此时不可能进行通配符搜索。然后，您可以使用

切换到该流程。流程：
要查看线程，请使用！过程2
：
0: kd> !process ff3b58f0 2
PROCESS ff3b58f0  SessionId: 0  Cid: 05ac    Peb: 7ffde000  ParentCid: 039c
    DirBase: 018c02e0  ObjectTable: e165d728  HandleCount:  35.
    Image: NotMyfault.exe

        THREAD ff1d4020  Cid 05ac.05b0  Teb: 7ffdd000 Win32Thread: e1c6e2b0 RUNNING on processor 0

接下来，使用！线程
以获得类似于
~

的输出：

0: kd> !thread ff1d4020
THREAD ff1d4020  Cid 05ac.05b0  Teb: 7ffdd000 Win32Thread: e1c6e2b0 RUNNING on processor 0
IRP List:
    81942f68: (0006,0094) Flags: 40000000  Mdl: 00000000
Not impersonating
DeviceMap                 e169ffd0
Owning Process            0       Image:         <Unknown>
Attached Process          ff3b58f0       Image:         NotMyfault.exe
Wait Start TickCount      13575          Ticks: 0
Context Switch Count      653            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.078
Win32 Start Address NotMyfault (0x01002945)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init f36f1000 Current f36f030c Base f36f1000 Limit f36ec000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
f36f0ad0 8052036a 00000050 81617000 00000001 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f36f0b38 80544578 00000001 81617000 00000000 nt!MmAccessFault+0x9a8 (FPO: [Non-Fpo])
f36f0b38 fca6161d 00000001 81617000 00000000 nt!KiTrap0E+0xd0 (FPO: [0,0] TrapFrame @ f36f0b50)
f36f0bd8 fca61a24 81942f68 f36f0c1c fca61b26 myfault+0x61d
f36f0be4 fca61b26 80fa7350 00000001 00000000 myfault+0xa24
f36f0c1c 804ef18f 80f7b600 81942f68 806e6428 myfault+0xb26
...

0:kd>！螺纹ff1d4020
线程ff1d4020 Cid 05ac.05b0 Teb:7ffdd000 Win32线程：e1c6e2b0在处理器0上运行
IRP列表：
81942f68:（00060094）标志：40000000 Mdl:00000000
不冒充
设备映射e169ffd0
拥有进程0映像：
附加的进程ff3b58f0映像：NotMyfault.exe
等待开始滴答声13575滴答声：0
上下文开关计数653 IdealProcessor:0 LargeStack
用户时间00:00:00.000
内核时间00:00:00.078
Win32开始地址NotMyfault（0x01002945）
启动地址内核32！BaseProcessStartThunk（0x7c8106f5）
堆栈初始化f36f1000当前f36f030c基f36f1000限制f36ec000调用0
优先级9基本优先级8优先级递减0递减计数16
ChildEBP将参数重新寻址到Child
f36f0ad0 8052036A00000050 81617000 00000001 nt！KeBugCheckEx+0x1b（FPO:[非FPO]）
f36f0b38 80544578 00000001 81617000 00000000新台币！MmAccessFault+0x9a8（FPO:[非FPO]）
f36f0b38 fca6161d 00000001 81617000 00000000新台币！KiTrap0E+0xd0（FPO:[0,0]框架@f36f0b50）
f36f0bd8 fca61a24 81942f68 f36f0c1c fca61b26 myfault+0x61d
f36f0be4 fca61b26 80fa7350 0000000 1 00000000 myfault+0xa24
f36f0c1c 804ef18f 80f7b600 81942f68 806e6428 myfault+0xb26
...

如果在加载符号时遇到问题，请在使用

.process

后尝试

.reload/user

。我主要关心的是，如果我不知道过程会怎样？是唯一的选择！处理0 7并对所有等待的线程进行排序？

0: kd> .process ff3b58f0
Implicit process is now ff3b58f0

0: kd> !process ff3b58f0 2
PROCESS ff3b58f0  SessionId: 0  Cid: 05ac    Peb: 7ffde000  ParentCid: 039c
    DirBase: 018c02e0  ObjectTable: e165d728  HandleCount:  35.
    Image: NotMyfault.exe

        THREAD ff1d4020  Cid 05ac.05b0  Teb: 7ffdd000 Win32Thread: e1c6e2b0 RUNNING on processor 0

0: kd> !thread ff1d4020
THREAD ff1d4020  Cid 05ac.05b0  Teb: 7ffdd000 Win32Thread: e1c6e2b0 RUNNING on processor 0
IRP List:
    81942f68: (0006,0094) Flags: 40000000  Mdl: 00000000
Not impersonating
DeviceMap                 e169ffd0
Owning Process            0       Image:         <Unknown>
Attached Process          ff3b58f0       Image:         NotMyfault.exe
Wait Start TickCount      13575          Ticks: 0
Context Switch Count      653            IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.078
Win32 Start Address NotMyfault (0x01002945)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init f36f1000 Current f36f030c Base f36f1000 Limit f36ec000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
f36f0ad0 8052036a 00000050 81617000 00000001 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f36f0b38 80544578 00000001 81617000 00000000 nt!MmAccessFault+0x9a8 (FPO: [Non-Fpo])
f36f0b38 fca6161d 00000001 81617000 00000000 nt!KiTrap0E+0xd0 (FPO: [0,0] TrapFrame @ f36f0b50)
f36f0bd8 fca61a24 81942f68 f36f0c1c fca61b26 myfault+0x61d
f36f0be4 fca61b26 80fa7350 00000001 00000000 myfault+0xa24
f36f0c1c 804ef18f 80f7b600 81942f68 806e6428 myfault+0xb26
...