WinDbg symbol problems

Published 2020-01-06

Recently, while analyzing a dump, I wanted to look at the information in the PEB, so I ran the !peb command and got the following:

0:000> !peb
PEB at fffde000
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
error 3 InitTypeRead( nt!_PEB at fffde000)...

It was telling me the PDB symbols were wrong, which is why !peb could not show anything useful. That puzzled me, because it had always worked before and my symbol path had not changed at all:

0:000> .sympath
Symbol search path is: SRV*D:\symbols*https://msdl.microsoft.com/download/symbols;SRV*D:\symbols*http://172.xx.xx.xx/symbols/

Expanded Symbol search path is: srv*d:\symbols*https://msdl.microsoft.com/download/symbols;srv*d:\symbols*http://172.xx.xx.xx/symbols/

I confirmed that both the Microsoft symbol server and our company's own symbol server were fine.

Then I turned on noisy symbol loading with !sym noisy and ran .reload /f ntdll.dll to see exactly how the symbols were being resolved and loaded.

0:000> !sym noisy
noisy mode - symbol prompts on
0:000> .reload /f ntdll.dll
SYMSRV:  BYINDEX: 0x9
         d:\symbols*https://msdl.microsoft.com/download/symbols
         ntdll.dll
         589C957A180000
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dll - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dl_ - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/ntdll.dll/589C957A180000/ntdll.dll
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  RESULT: 0x800C2EFD
SYMSRV:  BYINDEX: 0xA
         d:\symbols*http://172.xx.xx.xx/symbols/
         ntdll.dll
         589C957A180000
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dll - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dl_ - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\file.ptr - path not found
SYMSRV:  HTTPGET: /symbols//ntdll.dll/589C957A180000/ntdll.dll
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//ntdll.dll/589C957A180000/ntdll.dl_
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//ntdll.dll/589C957A180000/file.ptr
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
DBGHELP: C:\Program Files (x86)\Windows Kits\10\Debuggers\ntdll.dll - file not found
DBGENG:  C:\Windows\SysWOW64\ntdll.dll image header does not match memory image header.
DBGENG:  C:\Windows\SysWOW64\ntdll.dll - Couldn't map image from disk.
Unable to load image C:\Windows\SysWOW64\ntdll.dll, Win32 error 0n2
DBGENG:  ntdll.dll - Partial symbol image load missing image info
DBGHELP: Module is not fully loaded into memory.
DBGHELP: Searching for symbols using debugger-provided data.
SYMSRV:  BYINDEX: 0xB
         d:\symbols*https://msdl.microsoft.com/download/symbols
         wntdll.pdb
         611AE48A538F4C0B82726D75DE80A6A92
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pdb - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pd_ - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/wntdll.pdb
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  RESULT: 0x800C2EFD
SYMSRV:  BYINDEX: 0xC
         d:\symbols*http://172.xx.xx.xx/symbols/
         wntdll.pdb
         611AE48A538F4C0B82726D75DE80A6A92
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pdb - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pd_ - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\file.ptr - path not found
SYMSRV:  HTTPGET: /symbols//wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/wntdll.pdb
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/wntdll.pd_
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/file.ptr
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
DBGHELP: wntdll.pdb - file not found
*** WARNING: Unable to verify timestamp for ntdll.dll
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
DBGHELP: ntdll - no symbols loaded

************* Symbol Loading Error Summary **************
Module name            Error
ntdll                  The system cannot find the file specified
                The SYMSRV client failed to find a file in the UNC store, or there
                is an invalid UNC store (an invalid path or the pingme.txt file is
                not present in the root directory), or the file is present in the
                symbol server exclusion list.

The output contains SYMSRV: HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT. Could Microsoft's symbol server be blocked by the Great Firewall? I opened the symbol URL for ntdll.dll, https://msdl.microsoft.com/download/symbols/ntdll.dll/589C957A180000/ntdll.dll , manually in a browser and found that it redirects to https://vsblobprodscussu5shard87.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/787A6C8378595D38A99B4DAFBE7316691BFBE38E4D0CA1A7637EE21A8140836900.blob?sv=2017-04-17&sr=b&si=1&sig=SX5nGwAekvPaY8jUMSUlZRHUcLEH6rZ6A8Y39HjQwfM%3D&spr=https&se=2020-01-07T07%3A28%3A15Z&rscl=x-e2eid-12793ff4-22fd46ce-b05476a0-93cdf775-session-ca085441-b4d94ca1-a365b6a1-3c06aa71 .

Sure enough, this URL only opens with a proxy. What a waste of time.
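The manual check above (open the msdl URL, notice the redirect, notice the redirect target does not load) can be scripted so that it tells you which hop fails instead of collapsing everything into one ERROR_INTERNET_CANNOT_CONNECT. The following is an added example, not code from the original post. It builds the symsrv lookup path from the values that !sym noisy printed (TimeDateStamp 0x589C957A and SizeOfImage 0x180000 for ntdll.dll, GUID 611AE48A-538F-4C0B-8272-6D75DE80A6A9 and age 2 for wntdll.pdb), then requests the URL with redirects disabled and follows the chain one hop at a time. Two things it assumes: the function names are mine, and the probe must start from the msdl URL, because the blob URL the post quotes carries a time-limited SAS token (se=2020-01-07T07:28:15Z) that has long since expired, so that URL can no longer be tested directly. Note also that symsrv_url() strips a trailing slash from the store URL; the doubled slash in the post's HTTPGET: /symbols//ntdll.dll/... comes from the trailing slash in the second .sympath entry.

```python
"""Probe a symsrv-style symbol store one redirect hop at a time.

Added example; not code from the original post. It reproduces by script
what the post did by hand in a browser: build the lookup URL for a module,
request it without letting the HTTP client follow redirects, and report
which hop (the msdl front end or the blob store it redirects to) fails.
"""
import urllib.error
import urllib.request
import uuid


def image_key(time_date_stamp: int, size_of_image: int) -> str:
    """symsrv key for a PE image: TimeDateStamp as 8 upper-case hex digits
    followed by SizeOfImage in hex without padding (e.g. 589C957A180000)."""
    return f"{time_date_stamp:08X}{size_of_image:X}"


def pdb_key(guid: str, age: int) -> str:
    """symsrv key for a PDB: the GUID as 32 hex digits followed by the PDB
    age in hex (e.g. 611AE48A538F4C0B82726D75DE80A6A9 followed by 2)."""
    return f"{uuid.UUID(guid).hex.upper()}{age:X}"


def symsrv_url(store: str, name: str, key: str) -> str:
    """Join a symbol store URL and the symsrv path <name>/<key>/<name>.
    A trailing slash on the store is stripped so the path has no '//'."""
    return f"{store.rstrip('/')}/{name}/{key}/{name}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def fetch_status(url: str, timeout: float = 10.0):
    """GET one URL without following redirects (symsrv itself uses GET).

    Returns (status, detail): status is the HTTP code and detail the
    Location header (if any); status is None when no HTTP response came
    back at all (DNS failure, refused, timeout), with the error text in detail.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")
    except OSError as err:  # URLError, socket timeout, connection reset
        return None, str(getattr(err, "reason", err))


def probe(url: str, fetch=fetch_status, max_hops: int = 5):
    """Walk the redirect chain hop by hop, recording (url, status, detail)
    for each request; stops at the first non-redirect or failed hop."""
    hops = []
    for _ in range(max_hops):
        status, detail = fetch(url)
        hops.append((url, status, detail))
        if status in (301, 302, 303, 307, 308) and detail:
            url = detail
            continue
        break
    return hops


def diagnose(hops) -> str:
    """One-line verdict from a probe() trace."""
    last_url, status, detail = hops[-1]
    if status is None:
        where = "front end" if len(hops) == 1 else "redirect target"
        return f"cannot connect to {where} {last_url}: {detail}"
    if status == 200:
        return "ok"
    if status == 404:
        return f"not found on {last_url}"
    return f"unexpected HTTP {status} from {last_url}"


if __name__ == "__main__":
    # Values taken from the post's own !sym noisy output.
    key = image_key(0x589C957A, 0x180000)
    url = symsrv_url("https://msdl.microsoft.com/download/symbols", "ntdll.dll", key)
    trace = probe(url)
    for hop_url, status, detail in trace:
        print(status, hop_url, detail or "")
    print(diagnose(trace))
```

Run from the same network as the debugger: a trace that shows a 302 from msdl.microsoft.com followed by a None-status hop on blob.core.windows.net is exactly the situation in the post, and tells you the proxy or firewall rule needs to cover the blob storage domain, not just msdl. A 404 on the first hop instead means the key is wrong (or, for a private store like the post's 172.xx.xx.xx server, that the module simply is not there), which is a different problem from a blocked network.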