Re: About the !chkimg command
C/C++ native code debugging
About the !chkimg command
HiJack
2015-06-03, 15:39 PM
Teacher Zhang, recently when WinDbg automatically analyzes dump files collected from user machines, the following appears:
CHKIMG_EXTENSION: !chkimg -lo 50 -d !Music
5afc004e-5afc0070 35 bytes - Music!OpenFile+21e
[ 18 ff ff ff ff 15 d4 d2:00 00 00 00 00 00 00 00 ]
5afc0073-5afc0092 32 bytes - Music!OpenFile+243 (+0x25)
[ 50 8d 8d 18 ff ff ff ff:00 00 00 00 00 00 00 00 ]
5afc0095-5afc00a6 18 bytes - Music!OpenFile+265 (+0x22)
[ 50 8b 8d ec fc ff ff e8:00 00 00 00 00 00 00 00 ]
5afc00ab-5afc00c6 28 bytes - Music!OpenFile+27b (+0x16)
[ c7 45 fc ff ff ff ff 8d:00 00 00 00 00 00 00 00 ]
5afc00c9-5afc00d8 16 bytes - Music!OpenFile+299 (+0x1e)
[ e9 cd fe ff ff 8b 8d ec:00 00 00 00 00 00 00 00 ]
5afc00da-5afc00dc 3 bytes - Music!OpenFile+2aa (+0x11)
[ 0f 84 c6:00 00 00 ]
5afc00e0-5afc00e5 6 bytes - Music!OpenFile+2b0 (+0x06)
[ 8b 4d 08 e8 d8 b0:00 00 00 00 00 00 ]
5afc00e8-5afc00fc 21 bytes - Music!OpenFile+2b8 (+0x08)
[ 50 8b 85 ec fc ff ff 8b:00 00 00 00 00 00 00 00 ]
5afc0101-5afc0117 23 bytes - Music!OpenFile+2d1 (+0x19)
[ eb 0f 8b 8d 14 ff ff ff:00 00 00 00 00 00 00 00 ]
5afc011a-5afc012e 21 bytes - Music!OpenFile+2ea (+0x19)
[ 39 85 14 ff ff ff 7d 76:00 00 00 00 00 00 00 00 ]
5afc0131-5afc013d 13 bytes - Music!OpenFile+301 (+0x17)
[ 50 8b 85 ec fc ff ff 8b:00 00 00 00 00 00 00 00 ]
5afc0140-5afc014d 14 bytes - Music!OpenFile+310 (+0x0f)
[ 85 c0 75 4f 8b 8d ec fc:00 00 00 00 00 00 00 00 ]
230 errors : !Music (5afc004e-5afc014d)
Since we cannot reach the user, there is no way to verify this. But do these few dumps show that the music module file on the user's machine has been corrupted? Or was the dump file captured incorrectly?
Re: About the !chkimg command
Bombs
2015-06-04, 11:23 AM
The dump was not captured incorrectly. !chkimg checks by comparing the in-memory image (contained in the dump) against the local binary file. For example, things like API hooks will also cause memory to differ from the binary file. Judging from your dump, there is large-area zero-filling, which should be caused by memory corruption. The music binary file is not necessarily corrupted; only its image loaded into memory has been modified.
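To make the answer concrete, here is an added Python script (not from the thread) that parses the region listing printed by `!chkimg -d` and triages each mismatch: a region whose dump-side bytes are all zero fits the memory-corruption pattern described above, while a `jmp` at a function entry is the classic inline-hook shape. The sample input copies two regions from the question; the `Music!CloseFile` region and its bytes are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the "!chkimg -lo 50 -d !Music" output above.
# Left of the colon: bytes from the on-disk image; right: bytes found in the dump.
# The third region is hypothetical and shows what an inline jmp hook looks like.
SAMPLE = """\
5afc004e-5afc0070 35 bytes - Music!OpenFile+21e
[ 18 ff ff ff ff 15 d4 d2:00 00 00 00 00 00 00 00 ]
5afc00da-5afc00dc 3 bytes - Music!OpenFile+2aa (+0x11)
[ 0f 84 c6:00 00 00 ]
5afc1000-5afc1004 5 bytes - Music!CloseFile
[ 8b ff 55 8b ec:e9 1b 2f 10 00 ]
"""

HEADER = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\d+) bytes - (\S+)")
DIFF = re.compile(r"^\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]")

@dataclass
class Region:
    start: int
    end: int
    size: int
    symbol: str
    expected: bytes   # image-file bytes (left of ':'), at most 8 shown by the tool
    actual: bytes     # memory bytes from the dump (right of ':')

def parse_chkimg(text):
    """Pair each address-range header with the [expected:actual] line below it."""
    regions, lines = [], text.strip().splitlines()
    for i in range(len(lines) - 1):
        h = HEADER.match(lines[i].strip())
        d = DIFF.match(lines[i + 1].strip())
        if h and d:
            regions.append(Region(int(h[1], 16), int(h[2], 16), int(h[3]), h[4],
                                  bytes.fromhex(d[1]), bytes.fromhex(d[2])))
    return regions

def classify(r):
    """Heuristic triage: all-zero memory bytes point to memory corruption;
    a jmp rel32 (e9) or jmp [abs] (ff 25) where code should be looks like a hook."""
    if not any(r.actual):
        return "zero-fill"
    if r.actual[:1] == b"\xe9" or r.actual[:2] == b"\xff\x25":
        return "jmp-patch"
    return "other"

def summarize(regions):
    """Totals plus a sanity check that each header's byte count matches its range."""
    total = sum(r.size for r in regions)
    zero = sum(r.size for r in regions if classify(r) == "zero-fill")
    consistent = all(r.end - r.start + 1 == r.size for r in regions)
    return {"regions": len(regions), "bytes": total,
            "zero_fill_bytes": zero, "ranges_consistent": consistent}
```

Run over the full listing in the question, the byte total adds up to the 230 reported on the "230 errors" line, and every region classifies as zero-fill.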
Re: About the !chkimg command
HiJack
2015-06-04, 15:42 PM
It doesn't look like a bug in my code; the code section can't be written to directly. And I have no idea how to investigate this kind of problem~~