
Notes from tracking down a dump problem with windbg: livekd is really handy, it downloads the symbols automatically

Date: 2023-07-26 15:56:38

Download LiveKd and windbg. When livekd is launched it asks whether to configure the symbol directory; answer y, accept (or change) the download folder, and it writes _NT_SYMBOL_PATH for you and then starts the debugger:
LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson


Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y

Enter the folder to which symbols download (default is c:\symbols): 
Launching C:\Program Files\Debugging Tools for Windows (x64)\kd.exe:

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 9200 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406

(A side note on that banner: the kd.exe that livekd found here is the old 6.12 build, which is why it prints the nonsensical "Windows 7 Kernel Version 9200" for what the "Built by:" line correctly shows to be a 19041 build of Windows 10. A current WinDbg from the Windows SDK avoids this kind of mismatch and understands newer PDB formats.)

If the symbol files are not downloaded, the debugger keeps printing this error:

*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************

Where do the symbol files come from? From the Microsoft symbol server, http://msdl.microsoft.com/download/symbols, of course.
How to download them?
1) With the livekd.exe tool (http://live.sysinternals.com/livekd.exe), which pulls the symbol files into a local folder.
Before running livekd.exe, configure a system environment variable:
Variable name: _NT_SYMBOL_PATH
Variable value: srv*C:/WINDOWS/Symbols*http://msdl.microsoft.com/download/symbols (the form is srv*<local cache>*<server>: files are downloaded from the symbol server into C:/WINDOWS/Symbols, and that path can be anything you like)
Double-click livekd.exe and it starts downloading symbol files automatically.
2) To download a single symbol file immediately, type ld user32 in the windbg command line; the symbols for user32 are fetched straight away.
Of course, windbg's symbol path must first be set to srv*C:/WINDOWS/Symbols*http://msdl.microsoft.com/download/symbols.

Two caveats. The symbol server also answers over HTTPS (https://msdl.microsoft.com/download/symbols); prefer that form, so that the PDBs the debugger loads cannot be swapped on the wire. And the server only holds symbols for Microsoft's own binaries: for your own module (EDRMaster.exe in the analysis below) you have to append the directory holding its PDB with .sympath+, otherwise the faulting frame is shown only as module+offset, exactly the way EDRMaster+4b4127 appears further down.

Then I loaded the dump file in windbg. My analysis went as follows:

0:061> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

APPLICATION_VERIFIER_HEAPS_FIRST_CHANCE_ACCESS_VIOLATION (13)
First chance access violation for current stack trace.
This is the most common application verifier stop. Typically it is caused by a
buffer overrun error. The heap verifier places a non-accessible page at the end
of a heap allocation and a buffer overrun will cause an exception by
touching this page. To debug this stop identify the access address that caused
the exception and then use the following debugger command:
    !heap -p -a ACCESS_ADDRESS
This command will give details about the nature of the error and what heap block is
overrun. It will also give the stack trace for the block allocation.
There are several other causes for this stop. For example accessing a heap block
after being freed. The same debugger command will be useful for this case too. 
Arguments:
Arg1: 000001ed55cab000, Invalid address causing the exception. 
Arg2: 00007ff635834127, Code address executing the invalid access. 
Arg3: 0000007927dff4b0, Exception record. 
Arg4: 0000007927dfefc0, Context record. 
GetPageUrlData failed, server returned HTTP status 504
URL requested: http://watson.microsoft.com/StageOne/EDRMaster_exe/1_1_10_18/64bf97dc/vrfcore_dll/10_0_22621_755/2a413d3b/80000003/000026ee.htm?Retriage=1

FAULTING_IP: 
EDRMaster+4b4127
00007ff6`35834127 803c1a00        cmp     byte ptr [rdx+rbx],0

EXCEPTION_RECORD:  0000007927dff4b0 -- (.exr 0x7927dff4b0)
ExceptionAddress: 00007ff635834127 (EDRMaster+0x00000000004b4127)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000001ed55cab000
Attempt to read from address 000001ed55cab000

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

PROCESS_NAME:  EDRMaster.exe

CONTEXT:  0000007927dfefc0 -- (.cxr 0x7927dfefc0)
rax=0000000000000001 rbx=00000000000b4210 rcx=2a008595d84a0000
rdx=000001ed55bf6df0 rsi=000001ed3f0ebfc0 rdi=00000000000b420f
rip=00007ff635834127 rsp=0000007927dff740 rbp=0000007927dff840
 r8=000001ed260e2fa0  r9=00007fff1ee90000 r10=ce709ee7125b9070
r11=0000007927dfee90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
EDRMaster+0x4b4127:
00007ff6`35834127 803c1a00        cmp     byte ptr [rdx+rbx],0 ds:000001ed`55cab000=??
Resetting default scope

ERROR_CODE: (NTSTATUS) 0x80000003 - {

EXCEPTION_CODE: (NTSTATUS) 0x80000003 (2147483651) - {

EXCEPTION_PARAMETER1:  0000000000000000

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  2000100

APPLICATION_VERIFIER_FLAGS:  81643023

FAULTING_THREAD:  00000000000061a0

PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

LAST_CONTROL_TRANSFER:  from 00007ffeea7f868d to 00007ffeea7f26ee

STACK_TEXT:  
00000079`27dfe6c0 00007ffe`ea7f868d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vrfcore!VerifierStopMessageEx+0x81e
00000079`27dfea20 00007ffe`c5d66829 : 00000079`27dfefc0 00007ff6`35834127 00000079`27dff4b0 000001ed`55cab000 : vrfcore!VfCoreRedirectedStopMessage+0x8d
00000079`27dfeab0 00007fff`1ef6c0d6 : 00000079`27dff4b0 00007ffe`ea736ab0 00007fff`1efd75fc 00007ffe`ea736a90 : verifier!VerifierStopMessage+0xb9
00000079`27dfeb60 00007ffe`ea712853 : 00007fff`1ee90000 00007fff`1eee26f1 00007fff`1eee26f1 00007fff`00000000 : ntdll!RtlApplicationVerifierStop+0x96
00000079`27dfebd0 00007ffe`ea7136a0 : 00000079`27dff4b0 00000000`00000000 000001ed`14ed7fd0 00000000`00000000 : vfbasics!VerifierStopMessage+0x223
00000079`27dfec30 00007ffe`ea712bfa : 00000079`27dfed50 000001ed`14ed7fd0 00000000`00000000 000004f7`00000017 : vfbasics!AVrfpCheckFirstChanceException+0x148
00000079`27dfecc0 00007fff`1ef08b9c : 00007ffe`ea712be0 00007fff`1f004a24 00007fff`1efd75fc 00000079`27dffde0 : vfbasics!AVrfpVectoredExceptionHandler+0x1a
00000079`27dfed10 00007fff`1eee1316 : 00000079`27dff4b0 00000079`27dfefc0 00000079`27dfef00 00000079`27dff400 : ntdll!RtlpCallVectoredHandlers+0x108
00000079`27dfedb0 00007fff`1ef30f8e : 00000000`00000000 00000000`00000000 00000000`000b4210 00000000`00000000 : ntdll!RtlDispatchException+0x66
00000079`27dfefc0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e


FOLLOWUP_IP: 
EDRMaster+4b4127
00007ff6`35834127 803c1a00        cmp     byte ptr [rdx+rbx],0

SYMBOL_NAME:  EDRMaster+4b4127

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: EDRMaster

IMAGE_NAME:  EDRMaster.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  64bf97dc

STACK_COMMAND:  ~61s; .ecxr ; kb

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_EDRMaster.exe!Unknown

BUCKET_ID:  X64_APPLICATION_FAULT_STATUS_BREAKPOINT_EDRMaster+4b4127

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/EDRMaster_exe/1_1_10_18/64bf97dc/vrfcore_dll/10_0_22621_755/2a413d3b/80000003/000026ee.htm?Retriage=1

Followup: MachineOwner
---------

0:061> !heap -p -a ACCESS_ADDRESS
invalid address ACCESS_ADDRESS passed to `-p -a'
0:061> !heap -p -a ACCESS_ADDRESS
invalid address ACCESS_ADDRESS passed to `-p -a'
0:061> kP 
Child-SP          RetAddr           Call Site
00000079`27dfda68 00007fff`1ef6de08 ntdll!ZwWaitForMultipleObjects+0x14
00000079`27dfda70 00007fff`1ef6d3ee ntdll!WerpWaitForCrashReporting+0xa8
00000079`27dfdaf0 00007fff`1ef6cbab ntdll!RtlReportExceptionHelper+0x33e
00000079`27dfdbc0 00007ffe`ea712cec ntdll!RtlReportException+0x9b
00000079`27dfdc40 00007fff`1ef08b9c vfbasics!AVrfpVectoredExceptionHandler+0x10c
00000079`27dfdc90 00007fff`1eee1316 ntdll!RtlpCallVectoredHandlers+0x108
00000079`27dfdd30 00007fff`1ef30f8e ntdll!RtlDispatchException+0x66
00000079`27dfdf40 00000000`00000000 ntdll!KiUserExceptionDispatcher+0x2e
0:061> rdx+rbx
         ^ Syntax error in 'rdx+rbx'
0:061> d [rdx+rbx]
00000079`27e0190c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0191c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0192c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0193c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0194c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0195c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0196c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
00000079`27e0197c  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:061> d 000001ed`55cab000
000001ed`55cab000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:061> d 000001ed`55caafff
000001ed`55caafff  c0 ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  .???????????????
000001ed`55cab00f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab01f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab02f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab03f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab04f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab05f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
000001ed`55cab06f  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:061> d 000001ed`55ca1fff
000001ed`55ca1fff  e6 a3 80 e6 b5 8b e5 8b-92 e7 b4 a2 e7 97 85 e6  ................
000001ed`55ca200f  af 92 20 4c 6f 6f 43 69-70 68 65 72 20 e5 88 9b  .. LooCipher ...
000001ed`55ca201f  e5 bb ba e5 8b 92 e7 b4-a2 e5 90 8e e7 bc 80 e6  ................
000001ed`55ca202f  96 87 e4 bb b6 22 2c 22-63 72 65 61 74 65 54 69  .....","createTi
000001ed`55ca203f  6d 65 22 3a 22 32 30 32-33 2d 30 37 2d 32 34 22  me":"2023-07-24"
000001ed`55ca204f  2c 22 74 68 72 65 61 74-4e 75 6d 22 3a 22 54 4e  ,"threatNum":"TN
000001ed`55ca205f  30 35 31 34 22 2c 22 61-75 74 68 6f 72 22 3a 22  0514","author":"
000001ed`55ca206f  57 68 69 74 65 43 65 6c-6c 2d 6a 79 68 22 2c 22  WhiteCell-jyh","
0:061> d 000001ed`55ca000
0000001e`d55ca000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000001e`d55ca070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

So this is a memory-access fault. The actual investigation eventually found that a string was being implicitly constructed from a character buffer that had no terminating \0, so the read ran off the end of the buffer.

The dump itself supports that conclusion. !analyze -v files the crash under STATUS_BREAKPOINT (0x80000003), but that is only the breakpoint Application Verifier raises to announce its stop; the exception record at 0000007927dff4b0 holds the real fault, c0000005, a read of 000001ed55cab000. The faulting instruction cmp byte ptr [rdx+rbx],0 is a scan for a NUL byte of the kind strlen() performs: rdx is the address the scan started from (000001ed55bf6df0) and rbx the running offset (0xb4210, with rdi still holding the previous index 0xb420f). Their sum is exactly 000001ed55cab000, a page-aligned address, which is the non-accessible guard page that the verifier's page heap places right after the allocation. The d output agrees: the byte at 000001ed55caafff is still readable (its value c0 is consistent with page heap's fill pattern for the slack between the end of a block and the guard page) and everything from 000001ed55cab000 onward is ??. The JSON text visible at 000001ed55ca1fff lies inside the range the scan walked over. A scan that travels 0xb4210 bytes (about 720 KB) before meeting the guard page means no terminator was ever present in the source buffer; the constructor simply kept reading until it hit unmapped memory. The cure is to stop relying on a terminator: construct the string with an explicit length (the (const char*, size_t) constructor), or make sure the buffer is terminated before it is handed to a const char* overload.

Two slips in the session above are worth flagging so that they are not copied. !heap -p -a ACCESS_ADDRESS was entered with the placeholder from the verifier's message; the real argument is Arg1 of the analysis, 000001ed55cab000, and with that address the command reports the owning heap block and the stack that allocated it. d [rdx+rbx] was run without first switching to the exception context, so it used the registers of the thread's current frame (by then parked in WerpWaitForCrashReporting, as kP shows) and dumped an unrelated address on the stack; the STACK_COMMAND line gives the right recipe, .ecxr first, after which ? rdx+rbx evaluates the expression and db rdx+rbx dumps it (a bare rdx+rbx is not a command, hence the syntax error). The last d command also lost a hex digit (000001ed`55ca000), which is why it displayed 0000001e`d55ca000 instead of the intended address.
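The bug class above, as an added example that is not from the original post or from EDRMaster: a record copied out of a larger message without its terminator is handed to std::string's const char* constructor, which scans for a NUL the producer never placed. The sample bytes are constructed here; in this small program the scan stops at a NUL that happens to follow the record inside the same allocation, so the symptom is a string that is too long rather than a crash, while under Application Verifier's page heap the same scan would run into the guard page, which is the stop seen in the dump. The two fixed builders either take the length from the caller or bound the scan by the buffer's capacity.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample (not real EDRMaster data): one allocation holding a
// record without its terminator, followed by other bytes. The trailing bytes
// stand in for "whatever happens to sit after the buffer in memory".
struct Framed {
    std::vector<char> storage;   // record + trailing bytes, contiguous
    std::size_t record_len;      // bytes that belong to the record
};

Framed make_sample() {
    const char record[] = "{\"threatNum\":\"TN0514\"}";  // 22 bytes of payload
    const char trailing[] = "GARBAGE-THAT-FOLLOWS";      // its NUL is the only one around
    Framed f;
    f.record_len = sizeof(record) - 1;                   // drop the literal's NUL on purpose
    f.storage.insert(f.storage.end(), record, record + f.record_len);
    f.storage.insert(f.storage.end(), trailing, trailing + sizeof(trailing)); // keeps trailing's NUL
    return f;
}

// BUG: the implicit const char* constructor runs strlen(), which has no idea
// where the record ends. It returns the record plus everything up to the
// next NUL; with page heap that walk ends at the guard page instead.
std::string build_unsafe(const Framed& f) {
    return std::string(f.storage.data());
}

// FIX 1: the producer knows the length, so pass it. No scan at all.
std::string build_with_length(const Framed& f) {
    return std::string(f.storage.data(), f.record_len);
}

// Bounded scan: never reads past `cap` bytes, terminator or not.
// (strnlen() does the same on POSIX and MSVC; written out here so the
// bound is visible.)
std::size_t bounded_len(const char* p, std::size_t cap) {
    std::size_t n = 0;
    while (n < cap && p[n] != '\0') ++n;
    return n;
}

// FIX 2: the buffer may or may not be terminated, but its capacity is known.
std::string build_bounded(const char* p, std::size_t cap) {
    return std::string(p, bounded_len(p, cap));
}

int main() {
    Framed f = make_sample();
    std::cout << "unsafe     : " << build_unsafe(f).size() << " bytes\n";  // record + trailing
    std::cout << "with length: " << build_with_length(f) << "\n";
    std::cout << "bounded    : " << build_bounded(f.storage.data(), f.record_len) << "\n";
    return 0;
}
```

Run the unsafe builder under appverif with the Heaps check enabled and the over-read shows up as the same APPLICATION_VERIFIER_HEAPS_FIRST_CHANCE_ACCESS_VIOLATION stop as in the dump, because page heap leaves no stray NUL between the end of the block and the guard page for strlen() to stop at.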

 

From: https://www.cnblogs.com/bonelee/p/17582675.html
