Re: !handle reports Error Retrieving type

WinDbg

!handle reports Error Retrieving type


sculida 2020-06-11, 10:27 AM
Win7 x64. The symptom is that desktop shortcuts cannot be clicked, but the Win key and right-clicking the taskbar still respond. The explorer process's CPU usage is very low. I took 4 dmp files in a row and found that the first 5 threads of explorer are not moving at all.
Analyzing the kb of thread 0, as shown in the figure.
I want to know which Object it is waiting on, but it is hard to reverse the actual arguments out of the stack data. So I switched to !cmkd.stack -p to resolve the actual arguments of WaitForMultipleObjectsEx:
0:000> !cmkd.stack -p
Call Stack : 128 frames
## Stack-Pointer    Return-Address   Call-Site       
00 00000000001497b8 000007fefce71420 ntdll!NtWaitForMultipleObjects+a 
	Parameter[0] = 0000000000000002
	Parameter[1] = 0000000000149860
	Parameter[2] = (unknown)       
	Parameter[3] = 0000000000000000
01 00000000001497c0 0000000076f71273 KERNELBASE!WaitForMultipleObjectsEx+e8 
	Parameter[0] = 0000000000000002
	Parameter[1] = 00000000001498f0
	Parameter[2] = 0000000000000000
	Parameter[3] = 00000000000003e8
02 00000000001498c0 0000000077088f8d kernel32!WaitForMultipleObjectsExImplementation+b3 (perf)
	Parameter[0] = 0000000000000002
	Parameter[1] = 0000000000000000
	Parameter[2] = 0000000000000000
	Parameter[3] = 00000000000003e8
03 0000000000149950 0000000077086272 user32!RealMsgWaitForMultipleObjectsEx+12a 
	Parameter[0] = 0000000000000001
	Parameter[1] = 0000000000149ad8
	Parameter[2] = 00000000000003e8
	Parameter[3] = (unknown)       
Then I resolved the handle* array:
0:000> dq 00000000001498f0
00000000`001498f0  00000000`000012cc 00000000`0000002c
But !handle then reported an error:
0:000> !handle 00000000`000012cc
Handle 00000000000012cc
  Type         	<Error retrieving type>
0:000> !handle 00000000`0000002c
Handle 000000000000002c
  Type         	<Error retrieving type>
I don't know what is causing "Error retrieving type".
Or, if anyone has views on this fault, I'd be grateful for your advice.

Re: !handle reports Error Retrieving type


格蠹老雷 2020-07-03, 11:43 AM
This kind of problem is best debugged directly on a live target. If you must use a dmp, the dump has to be generated with handle information saved, producing an hdmp file.
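One way to produce such a dump, as an added example that is not from the thread or either poster: a PowerShell script that calls dbghelp's MiniDumpWriteDump with the MiniDumpWithHandleData flag, so that !handle can resolve object types from the dump offline. The target process name, output path and flag combination are assumptions.

```powershell
# Added example (not from the thread): write a user-mode dump that carries handle data.
# Assumes an elevated PowerShell on Windows; dbghelp.dll ships with the OS.
param(
    [string]$ProcessName = 'explorer',                        # target process (assumed)
    [string]$OutFile     = "$env:TEMP\$ProcessName-handles.dmp"
)

$signature = @'
[DllImport("dbghelp.dll", SetLastError = true)]
public static extern bool MiniDumpWriteDump(
    IntPtr hProcess, uint processId, IntPtr hFile, uint dumpType,
    IntPtr exceptionParam, IntPtr userStreamParam, IntPtr callbackParam);
'@
$dbghelp = Add-Type -MemberDefinition $signature -Name 'DbgHelp' -Namespace 'Win32' -PassThru

# MINIDUMP_TYPE flags from dbghelp.h
$MiniDumpWithFullMemory = 0x00000002   # full process memory, like a normal full dump
$MiniDumpWithHandleData = 0x00000004   # handle table + object types: what !handle needs
$MiniDumpWithThreadInfo = 0x00001000   # per-thread timing info, useful for stuck threads
$dumpType = $MiniDumpWithFullMemory -bor $MiniDumpWithHandleData -bor $MiniDumpWithThreadInfo

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$file = [System.IO.File]::Create($OutFile)
try {
    $ok = $dbghelp::MiniDumpWriteDump($proc.Handle, [uint32]$proc.Id,
        $file.SafeFileHandle.DangerousGetHandle(), $dumpType,
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MiniDumpWriteDump failed, Win32 error $err"
    }
    "Wrote $OutFile; open it in WinDbg and run !handle <value> f to see type and name"
} finally {
    $file.Dispose()
}
```

From a WinDbg session already attached to the live process, `.dump /ma <file>` writes the same handle information.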
