The "Unable to load image ntoskrnl.exe" problem
While analyzing a blue-screen dump recently, I found that the symbols for the nt module could not be loaded, while the symbols for every other system driver loaded fine:
3: kd> .reload /f nt
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Turn on verbose symbol-loading output:
3: kd> !sym noisy
noisy mode - symbol prompts on
3: kd> .reload /f nt
SYMSRV: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV: d:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV: d:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV: d:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV: d:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntoskrnl.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlup.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlpa.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlmp.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrpamp.exe - file not found
SYMSRV: D:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV: D:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV: D:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV: D:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV: D:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGENG: ntoskrnl.exe - Image mapping disallowed by non-local path.
Unable to load image ntoskrnl.exe, Win32 error 0n2
DBGENG: ntoskrnl.exe - Partial symbol image load missing image info
DBGHELP: No header for ntoskrnl.exe. Searching for dbg file
DBGHELP: .\ntoskrnl.dbg - file not found
DBGHELP: .\exe\ntoskrnl.dbg - path not found
DBGHELP: .\symbols\exe\ntoskrnl.dbg - path not found
DBGHELP: ntoskrnl.exe missing debug info. Searching for pdb anyway
DBGHELP: Can't use symbol server for ntoskrnl.pdb - no header information available
DBGHELP: ntoskrnl.pdb - file not found
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
DBGHELP: nt - no symbols loaded
However, when I pulled ntoskrnl.exe from the other machine and analyzed it in IDA, its symbols loaded correctly, so I placed the extracted ntoskrnl.exe at the path WinDbg was searching, for example:
SYMSRV: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
This time it finally loaded correctly:
3: kd> .reload /f nt
DBGHELP: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - OK
DBGENG: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - Mapped image memory
DBGHELP: nt - public symbols d:\mysymbol\ntkrnlmp.pdb\D7EA2B6682984A0E8697620F5571B7BF2\ntkrnlmp.pdb
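The directory name WinDbg searches for (56BCC7865ec000 above) is derived from the image itself: the COFF TimeDateStamp as eight upper-case hex digits followed by SizeOfImage in lower-case hex. The script below, an added example that is not part of the original post, reads those two fields from a PE header, builds the store-relative path, and copies an extracted image into the local symbol store so that a later `.reload /f nt` finds it; `place_in_store` and `build_sample_pe` are hypothetical helper names, and the header bytes fed to them are constructed for the example.

```python
import shutil
import struct
from pathlib import Path

def pe_index(data: bytes) -> str:
    """Symbol-store index dbghelp looks up for an image file: the COFF
    TimeDateStamp as 8 upper-case hex digits, then SizeOfImage in lower-case
    hex (the post's 56BCC7865ec000 is 0x56BCC786 followed by 0x5ec000)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    timestamp = struct.unpack_from("<I", data, pe + 8)[0]  # COFF TimeDateStamp
    opt = pe + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")  # PE32 / PE32+ only
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return f"{timestamp:08X}{size_of_image:x}"

def symstore_relpath(data: bytes, filename: str) -> str:
    """Path under the store root, e.g. ntoskrnl.exe\\56BCC7865ec000\\ntoskrnl.exe."""
    return "\\".join((filename, pe_index(data), filename))

def place_in_store(image: Path, store_root: Path) -> Path:
    """Hypothetical helper: copy an extracted image to the location the
    SYMSRV: <store>\\<name>\\<index>\\<name> probe in the noisy output looks at."""
    dest = store_root / image.name / pe_index(image.read_bytes()) / image.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(image, dest)
    return dest

def build_sample_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32+ header holding only the fields pe_index()
    reads; it is sample input for this example, not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)           # SizeOfImage
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    sample = build_sample_pe(0x56BCC786, 0x5EC000)
    print(symstore_relpath(sample, "ntoskrnl.exe"))  # ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe
```

Run `place_in_store(Path("ntoskrnl.exe"), Path(r"d:\mysymbol"))` against the real extracted image; if the computed index does not match the one in the SYMSRV line, the file you extracted is not the build the dump was taken from.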