当前位置:theitroad>windows 使用 WinDBG 识别有缺陷的功能

windows 使用 WinDBG 识别有缺陷的功能

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/5494614/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-09-15 16:31:42  来源:igfitidea点击:

Using WinDBG to Identify Defective Function

c++windowsdebuggingwindbg

提问by Brent Arias

I've installed WinDBG from the 7.1 Windows SDK. Then with VC++ 2008 I made a program 'CleanPayload.exe' which contains nothing but a 'main' and an invocation to a function that intentionally contains a defect. It is a release build which includes debug symbols. I opened that program into WindDBG and then

我已经从 7.1 Windows SDK 安装了 WinDBG。然后使用 VC++ 2008 我制作了一个程序“CleanPayload.exe”,它只包含一个“main”和一个对故意包含缺陷的函数的调用。它是一个包含调试符号的发布版本。我将该程序打开到 WindDBG 中,然后

  1. did a .sympath+to indicate where the PDB was for that program.
  2. did a ld *to load all symbols
  3. did a lmto verify all symbols were loaded (private symbols for my program, public symbols for Windows libraries).
  1. 做了一个.sympath+指示该程序的PDB在哪里。
  2. 做了一个ld *加载所有符号
  3. 做了一个lm验证所有符号是否已加载(我的程序的私有符号,Windows 库的公共符号)。

I then ran the program and it threw a first-chance exception, which was rather expected. As follows:

然后我运行了这个程序,它抛出了一个第一次机会异常,这是意料之中的。如下:

(910.12a0): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
771e0f2b cc              int     3

But when I ask WinDBG to show me the stack, it doesn't show me anything of my program 'CleanPayload.exe'. Instead it shows me this:

但是当我要求 WinDBG 向我展示堆栈时,它没有向我展示我的程序“CleanPayload.exe”的任何内容。相反,它向我展示了这一点:

0:000:x86> kb
ChildEBP RetAddr  Args to Child              
004bf5ec 771c122b 7efdd000 7efde000 7724206c ntdll32!LdrpDoDebuggerBreak+0x2c
004bf764 77192187 004bf7d8 77140000 7c185e6a ntdll32!LdrpInitializeProcess+0x132f
004bf7b4 77179e89 004bf7d8 77140000 00000000 ntdll32!_LdrpInitialize+0x78
004bf7c4 00000000 004bf7d8 77140000 00000000 ntdll32!LdrInitializeThunk+0x10

What do I need to do so that it will show me a stack trace which (1) includes my program and (2) the function where the exception was thrown?

我需要做什么才能向我显示堆栈跟踪,其中 (1) 包括我的程序和 (2) 抛出异常的函数?

UpdateI followed Larry's suggestion, to run past the first exception, and got the following results:

更新我遵循了拉里的建议,运行了第一个异常,并得到了以下结果:

0:000:x86> g
ntdll!NtTerminateProcess+0xa:
00000000`76faf97a c3              ret
0:000> kb
RetAddr           : Args to Child                                                           : Call Site
00000000`74c6601a : 00000000`00000000 00000000`000de600 00000000`000ddc80 00000000`74c60304 : ntdll!NtTerminateProcess+0xa
00000000`74c5cf87 : 00000000`0030f988 00000000`0030dba8 00000000`7efdb000 00000000`0030f934 : wow64!whNtTerminateProcess+0x46
00000000`74be276d : 00000000`77150190 00000000`74c50023 00000000`00000000 00000000`0030fab8 : wow64!Wow64SystemServiceEx+0xd7
00000000`74c5d07e : 00000000`00000000 00000000`74be1920 00000000`000de820 00000000`76f93501 : wow64cpu!TurboDispatchJumpAddressEnd+0x24
00000000`74c5c549 : 00000000`00000000 00000000`00000000 00000000`74c54ac8 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`76faae27 : 00000000`004a3100 00000000`00000000 00000000`7707a1e0 00000000`7efdf000 : wow64!Wow64LdrpInitialize+0x429
00000000`76fa72f8 : 00000000`00000000 00000000`76fa8641 00000000`76fb84e0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x1780
00000000`76f92ace : 00000000`000df1b0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x2af20
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

Thus, unfortunately, I'm still not seeing relevant stack trace information. I also tried the .effmach x86command, before the steps above, and it didn't seem to have an impact. Incidentally, I also then re-executed the whole test with app verifier activated for the target program I'm testing. I got very conflicting results:

因此,不幸的是,我仍然没有看到相关的堆栈跟踪信息。.effmach x86在上面的步骤之前,我也尝试了命令,它似乎没有影响。顺便说一句,然后我还重新执行了整个测试,并为我正在测试的目标程序激活了应用程序验证程序。我得到了非常矛盾的结果:

0:000> g
ModLoad: 00000000`76d40000 00000000`76e5f000   WOW64_IMAGE_SECTION
ModLoad: 00000000`74f90000 00000000`75090000   WOW64_IMAGE_SECTION
ModLoad: 00000000`76d40000 00000000`76e5f000   NOT_AN_IMAGE
ModLoad: 00000000`76e60000 00000000`76f5a000   NOT_AN_IMAGE
ModLoad: 00000000`71160000 00000000`711c0000   C:\Windows\syswow64\verifier.dll
Page heap: pid 0x1A54: page heap enabled with flags 0x3.
AVRF: CleanPayload.exe: pid 0x1A54: flags 0x80643027: application verifier enabled
ModLoad: 00000000`71130000 00000000`7115b000   C:\Windows\SysWOW64\vrfcore.dll
ModLoad: 00000000`710d0000 00000000`71128000   C:\Windows\SysWOW64\vfbasics.dll
ModLoad: 00000000`74f90000 00000000`75090000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76830000 00000000`76876000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`715c0000 00000000`7164e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCP90.dll
ModLoad: 00000000`73dc0000 00000000`73e63000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCR90.dll
(1a54.17dc): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
771e0f2b cc              int     3

0:000:x86> !avrf
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: wow64!_TEB32                                  ***
***                                                                   ***
*************************************************************************
Application verifier is not enabled for this process.
Use appverif.exe tool to enable it.

The above execution saysAVRF: Cleanpayload.exe ... application verifier enabled, which indicates that it is locked-on to the target. But then the subsequent !avrfcommand reveals that debug symbols are bad, even though the lmcommand shows they are all properly loaded! What on earth is happening here?

上面的执行说AVRF: Cleanpayload.exe ... application verifier enabled,这表明它锁定了目标。但是随后的!avrf命令显示调试符号是错误的,即使该lm命令显示它们都已正确加载!这里到底发生了什么?

回答by ReinstateMonica Larry Osterman

You're running the 64bit version of windbg and a 32bit application. The initial breakpoint is running in 64bit code.

您正在运行 64 位版本的 Windbg 和 32 位应用程序。初始断点在 64 位代码中运行。

If you hit "g" you should hit the initial breakpoint for the 32bit application, you should be able to go from there.

如果您点击“g”,您应该点击 32 位应用程序的初始断点,您应该能够从那里开始。

To switch from 64bit debugging to 32bit debugging (if you hit CTRL-C for example), type in:

要从 64 位调试切换到 32 位调试(例如,如果您按下 CTRL-C),请输入:

.effmach x86

which will switch the debugger from 64bit mode to 32bit mode.

这会将调试器从 64 位模式切换到 32 位模式。

回答by DXM

Are you trying to figure out how to debug real problems once your software is packaged up and sent to QA or customers? If yes, there's another tool you could use, adplus. Adplus launches the debugger under the hood and has only one purpose (actually two, if you ran in hang mode, but that's not what you want here), which is to wait for exceptions. When an exception happens, it will generate a process memory dump file which can be loaded into WinDbg.

一旦您的软件打包并发送给 QA 或客户,您是否想弄清楚如何调试实际问题?如果是,您可以使用另一种工具,adplus。Adplus 在幕后启动调试器并且只有一个目的(实际上有两个,如果您在挂起模式下运行,但这不是您在这里想要的),那就是等待异常。当异常发生时,它会生成一个进程内存转储文件,该文件可以加载到 WinDbg 中。

Using this approach, you don't have to rely on QA or your customers to know how to work with WinDbg. You simply give them instructions how to run one command line. After they run it, they just zip up the entire output directory and send it to you for analysis.

使用这种方法,您不必依赖 QA 或您的客户来了解如何使用 WinDbg。您只需向他们说明如何运行一个命令行。运行后,他们只需压缩整个输出目录并将其发送给您进行分析。

Once loaded into WinDbg, the memory dump file will show you the exact place of the exception and all local/member variables at the time (although you may have to fish a bit for those values if your code is optimized).

一旦加载到 WinDbg 中,内存转储文件将向您显示异常的确切位置以及当时的所有本地/成员变量(尽管如果您的代码已优化,您可能需要对这些值进行一些研究)。

相关推荐

windows iexpress 硬编码提取目标文件夹?

windows iexpress 硬编码提取目标文件夹?

windows 如何将 objdump 结果发送到文件?

windows 如何将 objdump 结果发送到文件?

Windows 7 上的 Pyusb 找不到任何设备

Windows 7 上的 Pyusb 找不到任何设备

windows 硬件信息

windows 硬件信息

相关推荐
最近更新
标签