Re: 关于使用WinDBG观察启用PAE后的分页机制

《软件调试》的示例程序

关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-13, 15:23 下午

在看到《软件调试》第59页的时候,我按照书上说的方法实践了下。也参照了下博客的那篇开启APE的文章。可是当我输入!dd 5da41000想要查看物理地址的时候,windbg报错:

lkd> !dd 5da41000
Physical memory read at 5da41000 failed
If you know the caching attributes used for the memory,
try specifying Coffee [C], [uc] or [wc], as in !dd Coffee [C] .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption.  This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.

以下是我按照书的windbg的输出:

1 附加calc程序
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: srv*d:\symbolslocal*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 01000000 0101f000   C:\WINDOWS\system32\calc.exe
ModLoad: 7c920000 7c9b4000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c91d000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 7d590000 7dd83000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77da0000 77e49000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee2000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77ef0000 77f37000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d10000 77d9f000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77be0000 77c38000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f40000 77fb6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 5cc30000 5cc56000   C:\WINDOWS\system32\ShimEng.dll
ModLoad: 58fb0000 5917a000   C:\WINDOWS\AppPatch\AcGenral.DLL
ModLoad: 76b10000 76b3a000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 76990000 76acd000   C:\WINDOWS\system32\ole32.dll
ModLoad: 770f0000 7717b000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77bb0000 77bc5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd8000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 759d0000 75a7e000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 5adc0000 5adf7000   C:\WINDOWS\system32\UxTheme.dll
ModLoad: 76300000 7631d000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 62c20000 62c29000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 73fa0000 7400b000   C:\WINDOWS\system32\USP10.dll
ModLoad: 77180000 77283000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
ModLoad: 10000000 10029000   C:\Program Files\360safe\safemon\safemon.dll
ModLoad: 76bc0000 76bcb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 75c60000 75cff000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 74680000 746cb000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 00ab0000 00ab4000   C:\Program Files\Unlocker\UnlockerHook.dll
ModLoad: 73640000 7366e000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 60800000 60809000   C:\WINDOWS\system32\mslbui.dll
(1148.c5c): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c921230 esp=00adffcc ebp=00adfff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c921230 cc              int     3
0:002> x calc!g*
01014f08 calc!ghwndTimeOutDlg =
01014d9c calc!g_fHighContrast =
0100514d calc!GetKeyColor =
01014ef8 calc!gfExiting =
0100518d calc!GetHelpID =
01014c70 calc!ghnoPrecNum =
01014c08 calc!ghnoParNum =
01014038 calc!gszSep =
01014eec calc!ghcurOld =
01014d38 calc!g_ahnoChopNumbers =
01014f00 calc!ghCalcDone =
01014db0 calc!gpszNum =
01014f0c calc!gnPendingError =
01014000 calc!gnDecGrouping =
01014dc0 calc!gcio =
01014d98 calc!ghnoLastNum =
01014f04 calc!ghDogThread =
01014d80 calc!g_hDecMenu =
01014f48 calc!gbinexact =
01014d7c calc!g_hHexMenu =
01014efc calc!ghCalcStart =
01014da0 calc!g_fLayoutRTL =
01014db8 calc!gbRecord =
010149d8 calc!gcIntDigits =
01014d6c calc!g_hwndDlg =
01014d4c calc!gbUseSep =
01014d94 calc!ghnoMem =
010044b4 calc!GroupDigits =
01014f4c calc!gllfact =
01014d90 calc!ghnoNum =
01014064 calc!gldPrevious =
0:002> x calc!m*
0100563c calc!MemErrorMessage =
0100bbd4 calc!mulrat =
01011aa0 calc!mulnum =
0100565b calc!MenuFunctions =
01012314 calc!mulnumx =
01014390 calc!machine =
01014f5c calc!maxout =
0100c266 calc!modrat =
0:002> dd calc!gpszNum
01014db0  000b8a10 00000000 00000001 00000000
01014dc0  00000000 ffffffff 00000000 00000000
01014dd0  00000009 00320031 00340033 00360035
01014de0  00380037 00000039 00000000 00000000
01014df0  00000000 00000000 00000000 00000000
01014e00  00000000 00000000 00000000 00000000
01014e10  00000000 00000000 00000000 00000000
01014e20  00000000 00000000 00000000 00000000
0:002> du 000b8a10
000b8a10  "123456789."
0:002> .format 000b8a10
                      ^ Syntax error in '.format 000b8a10'
0:002> .formats 000b8a10
Evaluate expression:
  Hex:     000b8a10
  Decimal: 756240
  Octal:   00002705020
  Binary:  00000000 00001011 10001010 00010000
  Chars:   ....
  Time:    Sat Jan 10 02:04:00 1970
  Float:   low 1.05972e-039 high 0
  Double:  3.73632e-318
0:002> db 000b8a10
000b8a10  31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00  1.2.3.4.5.6.7.8.
000b8a20  39 00 2e 00 00 00 00 00-00 00 00 00 00 00 00 00  9...............
000b8a30  05 00 05 00 e9 01 08 00-b0 89 0b 00 04 08 04 08  ................
000b8a40  ff ff ff ff 50 14 0b 00-00 00 00 00 04 08 22 e0  ....P.........".
000b8a50  ff ff ff ff 90 16 0b 00-05 00 05 00 e4 01 08 00  ................
000b8a60  00 00 00 00 04 08 04 08-ff ff ff ff 50 14 0b 00  ............P...
000b8a70  00 00 00 00 04 08 22 e0-ff ff ff ff 90 16 0b 00  ......".........
000b8a80  07 00 05 00 ff 01 0c 00-00 00 00 00 01 00 00 00  ................

2 本地内核调试模式启动另外一个windbg


Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
Unable to read selector for PCR for processor 0
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d8000 PsLoadedModuleList = 0x805634a0
Debug session time: Mon Apr 13 15:11:16.687 2009 (GMT+8)
System Uptime: 0 days 6:16:04.273
lkd> .reload
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
.................................................................................................................................
Loading User Symbols
Unable to read selector for PCR for processor 0
Unable to get PEB pointer
Loading unloaded module list
................
lkd> !process 0 0 calc.exe
Unable to read selector for PCR for processor 0
PROCESS 86e280c0  SessionId: 0  Cid: 1148    Peb: 7ffde000  ParentCid: 0ab8
    DirBase: 5da41000  ObjectTable: e4e0a9d8  HandleCount:  53.
    Image: calc.exe

lkd> !dd 5da41000
Physical memory read at 5da41000 failed
If you know the caching attributes used for the memory,
try specifying Coffee [C], [uc] or [wc], as in !dd Coffee [C] .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption.  This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.

我想知道问题到底是出的那个地方,请张老师指点迷津。

Re: 关于使用WinDBG观察启用PAE后的分页机制

格蠹老雷 2009-04-13, 15:50 下午
请执行一下下面两条命令,然后把结果贴上来:
.sympath
.chain

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-13, 16:10 下午
没想到张老师在线啊,下面是执行后的结果:
lkd> .sympath
Symbol search path is: srv*d:\symbolslocal*http://msdl.microsoft.com/download/symbols
lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;"C:\Program Files\Microsoft DirectX SDK (February 2006)\Utilities\Bin\x86";C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\;D:\Program Files\;C:\Program Files\Common Files\Thunder Network\KanKan\Codecs;C:\Program Files\StormII\Codec;C:\Program Files\StormII;D:\Program Files\StormII\Codec;D:\Program Files\StormII
Extension DLL chain:
dbghelp: image 6.9.0003.113, API 6.1.6, built Fri Mar 21 09:28:43 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.9.0003.113, API 1.0.0, built Fri Mar 21 09:28:43 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.9.0003.113, API 1.0.0, built Fri Mar 21 09:28:35 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.9.0003.113, API 1.0.0, built Fri Mar 21 09:28:29 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.6526.1, API 1.0.0, built Fri Mar 21 09:27:17 2008
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]

Re: 关于使用WinDBG观察启用PAE后的分页机制

格蠹老雷 2009-04-13, 17:09 下午
从启动本地内核调试时的输出信息来看:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
调试符号路径设置的有问题。
下面这个警告信息不应该出现:
Unable to read selector for PCR for processor 0
建议你设置好调试符号,重新操作一遍。如果还有问题,可能与你本机上的安全类软件有关,不妨先到一台环境相对简单的系统上做成功后再找着一台上面的问题。

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-13, 17:53 下午
关闭了瑞星和360.尝试着修复了下。可惜没有成功。我回去在笔记本上面试试。
lkd> .sympath SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols
lkd> !sym noisy
noisy mode - symbol prompts on
lkd> !lmi
You must specify a module
lkd> !lmi nt
Loaded Module Info: [nt]
Module: ntkrnlmp
Base Address: 804d8000
Image Name: ntkrnlmp.exe
Machine Type: 332 (I386)
Time Stamp: 45e54690 Wed Feb 28 17:08:32 2007
Size: 226000
CheckSum: 217a25
Characteristics: 10e
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, 75d90, 75390 RSDS - GUID: {7627B1AD-A0F5-436A-AA5D-B5B9B2C11FFF}
Age: 2, Pdb: ntkrnlmp.pdb
CLSID 4, 75d8c, 7538c [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: EXPORT - PDB not found
Load Report: export symbols
lkd> .reload /f nt
SYMSRV: ntkrnlmp.pdb from http://msdl.microsoft.com/download/symbols: 1208807 bytes - copied
DBGHELP: nt - public symbols
d:\DebugSymbols\ntkrnlmp.pdb\7627B1ADA0F5436AAA5DB5B9B2C11FFF2\ntkrnlmp.pdb
lkd> !process 0 0 calc.exe
Unable to read selector for PCR for processor 0
PROCESS 85ffc020 SessionId: 0 Cid: 1094 Peb: 7ffda000 ParentCid: 0ab8
DirBase: 0baed000 ObjectTable: e49aa510 HandleCount: 50.
Image: calc.exe

lkd> !dd 0baed000
Physical memory read at baed000 failed
If you know the caching attributes used for the memory,
try specifying <img src="/emoticons/emotion-44.gif" alt="Coffee [C]" />, [uc] or [wc], as in !dd <img src="/emoticons/emotion-44.gif" alt="Coffee [C]" /> .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.

Re: 关于使用WinDBG观察启用PAE后的分页机制

格蠹老雷 2009-04-14, 12:34 下午
从上面的输出来看,执行.reload /f nt之前,符号有问题,使用的是DLL Export。但执行!process时的:Unable to read selector for PCR for processor 0来看,符号方面还有问题,参见:http://www.osronline.com/showThread.cfm?link=27072
建议你尝试一下设置好符号路径后,直接.reload,重新加载一下所有模块。

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-14, 14:52 下午
已经在一台干净的XP上面成功了!呵呵。把符号表拷贝过来了现在正在看原因。

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-14, 16:36 下午

把瑞星和windbg卸载掉,重新安装windbg。将原来的符号文件删除。设置完符号路径,直接.reload。下载完符号文件后,运行命令还是!dd失败。虽然知道符号文件有问题,可是不管我怎么换符号文件目录下载后还是这样。真是个奇怪的问题。

这个问题在家里面机器也是一样,不过在公司的一台测试机器上面同样的命令却成功了。我也是很纳闷。要说符号路径不对,我卸载重装指定了新的目录,符号文件也是从微软下的。

刚才给的那个链接我仔细看了下,那个老外说出现“Unable to read selector for PCR for processor 0”是符号文件不全。我看我本机输出信息总是有:

Loading Kernel Symbols
.............................................................................................................................
Loading User Symbols
Unable to read selector for PCR for processor 0
Unable to get PEB pointer

那台成功的机器没有“Unable to read selector for PCR for processor 0”,可是把那边符号文件拷贝过来还是提示这个。

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-14, 16:53 下午
2台机器都是XP 中文SP2。下面是哪个成功的机器的输出:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
KdDebuggerDataBlock not available!
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055b620
Debug session time: Tue Apr 14 15:31:22.000 2009 (GMT+8)
System Uptime: 0 days 5:28:38.608
lkd> .reload
Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
......................................................
Loading unloaded module list
....................
lkd> !process 0 0 calc.exe
PROCESS 81862da0 SessionId: 0 Cid: 05f8 Peb: 7ffd3000 ParentCid: 068c
DirBase: 008e4000 ObjectTable: e237c6d8 HandleCount: 48.
Image: calc.exe

lkd> !dd 008e4000
# 8e4000 00cf6067 1d686067 05c12067 0677c067
# 8e4010 036d5067 00000000 00000000 00000000
# 8e4020 00000000 00000000 00000000 00000000
# 8e4030 00000000 00000000 00000000 00000000
# 8e4040 00000000 00000000 00000000 00000000
# 8e4050 00000000 00000000 00000000 00000000
# 8e4060 00000000 00000000 00000000 00000000
# 8e4070 00000000 00000000 00000000 00000000
lkd> .sympath
Symbol search path is: SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols
lkd> .sympath SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-14, 17:26 下午
在那台成功的机器上面,删除所有符号文件。运行命令 !process 0 0,然后随便找了个程序!dd看了下DirBase。命令居然成功了。仔细看了下C:\Program Files\Debugging Tools for Windows (x86)\sym 里面有符号文件,将这个也拷贝到本机对应目录。执行还是不成功。神拉,这到底是什么问题。这么困难?

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-14, 17:32 下午
发现一点不一样的东西,本机进行内核调试总是要下ntkrnlmp.pdb,而成功的机器不要这个文件,只需要ntoskrnl.pdb。奇怪

Re: 关于使用WinDBG观察启用PAE后的分页机制

aa1ss2 2009-04-14, 17:36 下午
楼主你考过去的文件未必能用。
参考http://advdbg.com/forums/2139/ShowPost.aspx

建议你用虚拟机,这样的话就可以在其它机子上用了。

Re: 关于使用WinDBG观察启用PAE后的分页机制

udknight 2009-04-14, 18:17 下午
哦,原来是一个是单核一个是多核。文件不能通用。我也在想可能是机器环境导致内核调试老不成功。以后用虚拟机进行调试。谢谢aa1ss2 指点。一直以为符号文件只和操作系统有关,没有想到还有硬件环境。

Powered by Community Server Powered by CnForums.Net