WinDbg Command Study 2 (!sym and .reload)
The examples below use WinDbg with calc.exe loaded:
1. !sym
The !sym extension controls the display of verbose symbol loading and symbol prompts.
!sym with no arguments shows the current setting for verbose symbol loading and symbol prompts.
Example:
0:001> !sym
!sym <noisy/quiet - prompts/prompts off> - noisy mode - symbol prompts on
If you look closely you can already see the four states of !sym here: noisy/quiet and prompts/prompts off. So to remember how this command is used, just run !sym on its own and all the usages are shown. Heh, I'm pretty clever.
The part after the <> shows the current setting.
!sym noisy turns on verbose (noisy) symbol loading output.
Example:
0:001> !sym noisy
noisy mode - symbol prompts on
!sym quiet turns off verbose symbol loading output.
0:001> !sym quiet
quiet mode - symbol prompts on
!sym prompts allows a dialog box to pop up when SymSrv receives an authentication request.
0:001> !sym prompts
quiet mode - symbol prompts on
!sym prompts off prevents SymSrv from showing an authentication dialog when it receives an authentication request. This may stop SymSrv from reaching symbols over the internet.
0:001> !sym prompts off
quiet mode - symbol prompts off
Everyone is that clever: one pair is noisy/quiet, the other is prompts/prompts off. Got it.
2. .reload
The .reload command deletes all symbol information for the specified module and reloads those symbols as needed. In some cases the command also reloads or unloads the module itself.
0:001> .reload /d
Reloading current modules
................................
DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols C:\WINDOWS\symbols\dll\ntdll.pdb
OK, we find that the symbols are not loaded right away.
0:001> lm
start    end        module name
01000000 0101f000   calc       (deferred)
10000000 100b0000   safemon    (deferred)
58fb0000 5917a000   AcGenral   (deferred)
5adc0000 5adf7000   UxTheme    (deferred)
5cc30000 5cc56000   ShimEng    (deferred)
62c20000 62c29000   LPK        (deferred)
71a10000 71a18000   WS2HELP    (deferred)
71a20000 71a37000   WS2_32     (deferred)
73640000 7366e000   msctfime   (deferred)
73fa0000 7400b000   USP10      (deferred)
74680000 746cc000   MSCTF      (deferred)
759d0000 75a7f000   USERENV    (deferred)
76300000 7631d000   IMM32      (deferred)
765e0000 76673000   CRYPT32    (deferred)
76680000 76726000   WININET    (deferred)
76990000 76ace000   ole32      (deferred)
76b10000 76b3a000   WINMM      (deferred)
76bc0000 76bcb000   PSAPI      (deferred)
76db0000 76dc2000   MSASN1     (deferred)
770f0000 7717b000   OLEAUT32   (deferred)
77180000 77283000   comctl32   (deferred)
77bb0000 77bc5000   MSACM32    (deferred)
77bd0000 77bd8000   VERSION    (deferred)
77be0000 77c38000   msvcrt     (deferred)
77d10000 77da0000   USER32     (deferred)
77da0000 77e49000   ADVAPI32   (deferred)
77e50000 77ee3000   RPCRT4     (deferred)
77ef0000 77f39000   GDI32      (deferred)
77f40000 77fb6000   SHLWAPI    (deferred)
77fc0000 77fd1000   Secur32    (deferred)
7c800000 7c91e000   kernel32   (deferred)
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000   SHELL32    (deferred)
0:001> .reload /f GDI32.dll
DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\gdi32.pdb - file not found
DBGHELP: GDI32 - public symbols C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
0:001> lm
start    end        module name
01000000 0101f000   calc       (deferred)
10000000 100b0000   safemon    (deferred)
58fb0000 5917a000   AcGenral   (deferred)
5adc0000 5adf7000   UxTheme    (deferred)
5cc30000 5cc56000   ShimEng    (deferred)
62c20000 62c29000   LPK        (deferred)
71a10000 71a18000   WS2HELP    (deferred)
71a20000 71a37000   WS2_32     (deferred)
73640000 7366e000   msctfime   (deferred)
73fa0000 7400b000   USP10      (deferred)
74680000 746cc000   MSCTF      (deferred)
759d0000 75a7f000   USERENV    (deferred)
76300000 7631d000   IMM32      (deferred)
765e0000 76673000   CRYPT32    (deferred)
76680000 76726000   WININET    (deferred)
76990000 76ace000   ole32      (deferred)
76b10000 76b3a000   WINMM      (deferred)
76bc0000 76bcb000   PSAPI      (deferred)
76db0000 76dc2000   MSASN1     (deferred)
770f0000 7717b000   OLEAUT32   (deferred)
77180000 77283000   comctl32   (deferred)
77bb0000 77bc5000   MSACM32    (deferred)
77bd0000 77bd8000   VERSION    (deferred)
77be0000 77c38000   msvcrt     (deferred)
77d10000 77da0000   USER32     (deferred)
77da0000 77e49000   ADVAPI32   (deferred)
77e50000 77ee3000   RPCRT4     (deferred)
77ef0000 77f39000   GDI32      (pdb symbols)          C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
77f40000 77fb6000   SHLWAPI    (deferred)
77fc0000 77fd1000   Secur32    (deferred)
7c800000 7c91e000   kernel32   (deferred)
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000   SHELL32    (deferred)
We see that the first lm query shows GDI32 as (deferred); after loading it with .reload /f, lm shows GDI32 (pdb symbols). OK, so we can guess: if .reload /f is run without a module name, will it reload all the symbols?
0:001> .reload /f
Reloading current modules
.
DBGHELP: C:\WINDOWS\symbols\calc.pdb - file not found
DBGHELP: calc - public symbols C:\WINDOWS\symbols\exe\calc.pdb
.
DBGHELP: C:\WINDOWS\symbols\safemon.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\safemon.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\symbols\dll\safemon.pdb - file not found
SYMSRV: C:\MyLocalSymbols\safemon.pdb\84C1B55127174ACAA421A85A983FA63B1\safemon.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/safemon.pdb/84C1B55127174ACAA421A85A983FA63B1/safemon.pdb not found
DBGHELP: C:\Program Files\360\360Safe\safemon\safemon.pdb - file not found
DBGHELP: E:\repos\safemon_8_1_1\Release\safemon.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\360\360Safe\safemon\safemon.dll -
DBGHELP: safemon - export symbols
.
DBGHELP: C:\WINDOWS\symbols\AcGenral.pdb - file not found
DBGHELP: AcGenral - public symbols C:\WINDOWS\symbols\DLL\AcGenral.pdb
.
DBGHELP: C:\WINDOWS\symbols\uxtheme.pdb - file not found
DBGHELP: UxTheme - public symbols C:\WINDOWS\symbols\dll\uxtheme.pdb
.
DBGHELP: C:\WINDOWS\symbols\ShimEng.pdb - file not found
DBGHELP: ShimEng - public symbols C:\WINDOWS\symbols\dll\ShimEng.pdb
.
DBGHELP: C:\WINDOWS\symbols\lpk.pdb - file not found
DBGHELP: LPK - public symbols C:\WINDOWS\symbols\DLL\lpk.pdb
.
DBGHELP: C:\WINDOWS\symbols\ws2help.pdb - file not found
DBGHELP: WS2HELP - public symbols C:\WINDOWS\symbols\dll\ws2help.pdb
.
DBGHELP: C:\WINDOWS\symbols\ws2_32.pdb - file not found
DBGHELP: WS2_32 - public symbols C:\WINDOWS\symbols\dll\ws2_32.pdb
.
DBGHELP: C:\WINDOWS\symbols\msctfime.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\ime\msctfime.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\ime\msctfime.pdb - file not found
DBGHELP: msctfime - public symbols C:\MyLocalSymbols\msctfime.pdb\7448D95F454E4C1E93859E4D88C1950E1\msctfime.pdb
.
DBGHELP: C:\WINDOWS\symbols\usp10.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\usp10.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\usp10.pdb - file not found
DBGHELP: USP10 - public symbols C:\MyLocalSymbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
.
DBGHELP: C:\WINDOWS\symbols\msctf.pdb - file not found
DBGHELP: MSCTF - public symbols C:\WINDOWS\symbols\dll\msctf.pdb
.
DBGHELP: C:\WINDOWS\symbols\userenv.pdb - file not found
DBGHELP: USERENV - public symbols C:\WINDOWS\symbols\dll\userenv.pdb
.
DBGHELP: C:\WINDOWS\symbols\imm32.pdb - file not found
DBGHELP: IMM32 - public symbols C:\WINDOWS\symbols\DLL\imm32.pdb
.
DBGHELP: C:\WINDOWS\symbols\crypt32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\crypt32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\crypt32.pdb - file not found
DBGHELP: CRYPT32 - public symbols C:\MyLocalSymbols\crypt32.pdb\A854C29D50C34464948D078CA2A0BFD32\crypt32.pdb
.
DBGHELP: C:\WINDOWS\symbols\wininet.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\wininet.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\wininet.pdb - file not found
DBGHELP: WININET - public symbols C:\MyLocalSymbols\wininet.pdb\041BF2F58BAF4B3880CA9A705DA8398F2\wininet.pdb
.
DBGHELP: C:\WINDOWS\symbols\ole32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\ole32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\ole32.pdb - file not found
DBGHELP: ole32 - public symbols C:\MyLocalSymbols\ole32.pdb\498D399602DE44A59DB412C95883B65C2\ole32.pdb
.
DBGHELP: C:\WINDOWS\symbols\winmm.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\winmm.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\winmm.pdb - file not found
DBGHELP: WINMM - public symbols C:\MyLocalSymbols\winmm.pdb\CBD9B2B21EE74EE6BA95B56DCBD2A57F2\winmm.pdb
.
DBGHELP: C:\WINDOWS\symbols\psapi.pdb - file not found
DBGHELP: PSAPI - public symbols C:\WINDOWS\symbols\DLL\psapi.pdb
.
DBGHELP: C:\WINDOWS\symbols\msasn1.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\msasn1.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\msasn1.pdb - file not found
DBGHELP: MSASN1 - public symbols C:\MyLocalSymbols\msasn1.pdb\1AED0D31142F496E83481A9BF3DEF1A52\msasn1.pdb
.
DBGHELP: C:\WINDOWS\symbols\oleaut32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\oleaut32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\oleaut32.pdb - file not found
DBGHELP: OLEAUT32 - public symbols C:\MyLocalSymbols\oleaut32.pdb\E04ECB48CAED47B2958C3D2C1094E23F2\oleaut32.pdb
.
DBGHELP: C:\WINDOWS\symbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\symbols\dll\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
DBGHELP: comctl32 - public symbols C:\MyLocalSymbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb
.
DBGHELP: C:\WINDOWS\symbols\msacm32.pdb - file not found
DBGHELP: MSACM32 - public symbols C:\WINDOWS\symbols\dll\msacm32.pdb
.
DBGHELP: C:\WINDOWS\symbols\version.pdb - file not found
DBGHELP: VERSION - public symbols C:\WINDOWS\symbols\dll\version.pdb
.
DBGHELP: C:\WINDOWS\symbols\msvcrt.pdb - file not found
DBGHELP: msvcrt - public symbols C:\WINDOWS\symbols\dll\msvcrt.pdb
.
DBGHELP: C:\WINDOWS\symbols\user32.pdb - file not found
DBGHELP: USER32 - public symbols C:\WINDOWS\symbols\dll\user32.pdb
.
DBGHELP: C:\WINDOWS\symbols\advapi32.pdb - file not found
DBGHELP: ADVAPI32 - public symbols C:\WINDOWS\symbols\dll\advapi32.pdb
.
DBGHELP: C:\WINDOWS\symbols\rpcrt4.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\rpcrt4.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\rpcrt4.pdb - file not found
DBGHELP: RPCRT4 - public symbols C:\MyLocalSymbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
.
DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\gdi32.pdb - file not found
DBGHELP: GDI32 - public symbols C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
.
DBGHELP: C:\WINDOWS\symbols\shlwapi.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\shlwapi.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\shlwapi.pdb - file not found
DBGHELP: SHLWAPI - public symbols C:\MyLocalSymbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
.
DBGHELP: C:\WINDOWS\symbols\secur32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\secur32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\secur32.pdb - file not found
DBGHELP: Secur32 - public symbols C:\MyLocalSymbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
.
DBGHELP: C:\WINDOWS\symbols\kernel32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\kernel32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\kernel32.pdb - file not found
DBGHELP: kernel32 - public symbols C:\MyLocalSymbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
.
DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols C:\WINDOWS\symbols\dll\ntdll.pdb
.
DBGHELP: C:\WINDOWS\symbols\shell32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\shell32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\shell32.pdb - file not found
DBGHELP: SHELL32 - public symbols C:\MyLocalSymbols\shell32.pdb\DF59C75CA10B4BF89B447BB924C4292C2\shell32.pdb
0:001> lm
start    end        module name
01000000 0101f000   calc       (pdb symbols)          C:\WINDOWS\symbols\exe\calc.pdb
10000000 100b0000   safemon    (export symbols)       C:\Program Files\360\360Safe\safemon\safemon.dll
58fb0000 5917a000   AcGenral   (pdb symbols)          C:\WINDOWS\symbols\DLL\AcGenral.pdb
5adc0000 5adf7000   UxTheme    (pdb symbols)          C:\WINDOWS\symbols\dll\uxtheme.pdb
5cc30000 5cc56000   ShimEng    (pdb symbols)          C:\WINDOWS\symbols\dll\ShimEng.pdb
62c20000 62c29000   LPK        (pdb symbols)          C:\WINDOWS\symbols\DLL\lpk.pdb
71a10000 71a18000   WS2HELP    (pdb symbols)          C:\WINDOWS\symbols\dll\ws2help.pdb
71a20000 71a37000   WS2_32     (pdb symbols)          C:\WINDOWS\symbols\dll\ws2_32.pdb
73640000 7366e000   msctfime   (pdb symbols)          C:\MyLocalSymbols\msctfime.pdb\7448D95F454E4C1E93859E4D88C1950E1\msctfime.pdb
73fa0000 7400b000   USP10      (pdb symbols)          C:\MyLocalSymbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
74680000 746cc000   MSCTF      (pdb symbols)          C:\WINDOWS\symbols\dll\msctf.pdb
759d0000 75a7f000   USERENV    (pdb symbols)          C:\WINDOWS\symbols\dll\userenv.pdb
76300000 7631d000   IMM32      (pdb symbols)          C:\WINDOWS\symbols\DLL\imm32.pdb
765e0000 76673000   CRYPT32    (pdb symbols)          C:\MyLocalSymbols\crypt32.pdb\A854C29D50C34464948D078CA2A0BFD32\crypt32.pdb
76680000 76726000   WININET    (pdb symbols)          C:\MyLocalSymbols\wininet.pdb\041BF2F58BAF4B3880CA9A705DA8398F2\wininet.pdb
76990000 76ace000   ole32      (pdb symbols)          C:\MyLocalSymbols\ole32.pdb\498D399602DE44A59DB412C95883B65C2\ole32.pdb
76b10000 76b3a000   WINMM      (pdb symbols)          C:\MyLocalSymbols\winmm.pdb\CBD9B2B21EE74EE6BA95B56DCBD2A57F2\winmm.pdb
76bc0000 76bcb000   PSAPI      (pdb symbols)          C:\WINDOWS\symbols\DLL\psapi.pdb
76db0000 76dc2000   MSASN1     (pdb symbols)          C:\MyLocalSymbols\msasn1.pdb\1AED0D31142F496E83481A9BF3DEF1A52\msasn1.pdb
770f0000 7717b000   OLEAUT32   (pdb symbols)          C:\MyLocalSymbols\oleaut32.pdb\E04ECB48CAED47B2958C3D2C1094E23F2\oleaut32.pdb
77180000 77283000   comctl32   (pdb symbols)          C:\MyLocalSymbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb
77bb0000 77bc5000   MSACM32    (pdb symbols)          C:\WINDOWS\symbols\dll\msacm32.pdb
77bd0000 77bd8000   VERSION    (pdb symbols)          C:\WINDOWS\symbols\dll\version.pdb
77be0000 77c38000   msvcrt     (pdb symbols)          C:\WINDOWS\symbols\dll\msvcrt.pdb
77d10000 77da0000   USER32     (pdb symbols)          C:\WINDOWS\symbols\dll\user32.pdb
77da0000 77e49000   ADVAPI32   (pdb symbols)          C:\WINDOWS\symbols\dll\advapi32.pdb
77e50000 77ee3000   RPCRT4     (pdb symbols)          C:\MyLocalSymbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
77ef0000 77f39000   GDI32      (pdb symbols)          C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
77f40000 77fb6000   SHLWAPI    (pdb symbols)          C:\MyLocalSymbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
77fc0000 77fd1000   Secur32    (pdb symbols)          C:\MyLocalSymbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
7c800000 7c91e000   kernel32   (pdb symbols)          C:\MyLocalSymbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000   SHELL32    (pdb symbols)          C:\MyLocalSymbols\shell32.pdb\DF59C75CA10B4BF89B447BB924C4292C2\shell32.pdb
Indeed it does!
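As an added example (not from the original post), here is a small Python summariser for the noisy DBGHELP/SYMSRV output shown above: per module it records where the PDB finally came from, which store copies were the wrong build, and whether the symbol server was consulted. The log it parses is a constructed sample in the shape of the lines above, and the store root is an assumed default.

```python
import re

# Constructed sample in the shape of the '!sym noisy' lines shown on this page
# (the GDI32, ntdll and safemon fragments of the '.reload /f' output above).
SAMPLE_LOG = r"""
DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
DBGHELP: GDI32 - public symbols
         C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols C:\WINDOWS\symbols\dll\ntdll.pdb
SYMSRV:  http://msdl.microsoft.com/download/symbols/safemon.pdb/84C1B55127174ACAA421A85A983FA63B1/safemon.pdb not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\360\360Safe\safemon\safemon.dll -
DBGHELP: safemon - export symbols
"""

# "<module> - public symbols [<path>]": the path may sit on the same line (as in
# the flattened listing above) or on the next, indented line (live WinDbg output).
LOADED_RE = re.compile(r"^DBGHELP:\s+(?P<mod>\S+) - (?P<kind>public|private|export) symbols\s*(?P<path>.*)$")
MISS_RE = re.compile(r"^DBGHELP:\s+(?P<path>.+?) - (?P<why>file not found|mismatched pdb)$")
SYMSRV_RE = re.compile(r"^SYMSRV:\s+\S+ not found$")

def summarize(log):
    """Return {module: {"kind", "path", "mismatched", "symsrv_tried"}}."""
    lines = [ln.rstrip() for ln in log.splitlines() if ln.strip()]
    result, mismatched, symsrv_tried = {}, [], False
    i = 0
    while i < len(lines):
        ln = lines[i].strip()
        if (m := MISS_RE.match(ln)):
            if m["why"] == "mismatched pdb":
                mismatched.append(m["path"])
        elif SYMSRV_RE.match(ln):
            symsrv_tried = True
        elif (m := LOADED_RE.match(ln)):
            path = m["path"].strip()
            if not path and i + 1 < len(lines) and lines[i + 1].startswith(" "):
                i += 1                      # path continued on the indented line
                path = lines[i].strip()
            result[m["mod"]] = {"kind": m["kind"], "path": path,
                                "mismatched": mismatched, "symsrv_tried": symsrv_tried}
            mismatched, symsrv_tried = [], False   # search state belongs to one module
        i += 1
    return result

def modules_without_pdb(summary):
    """Modules that fell back to export symbols: stacks through them are unreliable."""
    return sorted(m for m, info in summary.items() if info["kind"] == "export")

def stale_store_copies(summary, store_root=r"C:\WINDOWS\symbols"):
    """Modules whose copy under store_root (assumed root) was the wrong build."""
    return sorted(m for m, info in summary.items()
                  if any(p.startswith(store_root) for p in info["mismatched"]))
```

Run over a full `.reload /f` transcript, `stale_store_copies` lists the modules whose C:\WINDOWS\symbols copy no longer matches the loaded binary, and `modules_without_pdb` flags third-party modules such as safemon that have no usable PDB.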
Because the symbol server uses a different name for the symbols of each version of a binary, this option is not needed unless you have confirmed that the downstream store is corrupted.
.reload /u performs a broader search. The debugger first tries to find a module whose name exactly matches Module, regardless of path. If no match is found, Module is treated as the name of a loaded image. For example, if the HAL is named halacpi.dll in memory, both of the following commands unload its symbols.
kd> .reload /u hal
If you are doing user-mode debugging and want to load a module that is not in the target program's module list, you must use the /s option, as in the following example.
Unloaded ntdll.dll
0:000> .reload /s /f ntdll.dll
I tested the commands above:
0:001> lm
start    end        module name
00ad0000 00adf000   WordStrokeHelper32 (deferred)
01000000 0101f000   calc       (deferred)
10000000 100b0000   safemon    (deferred)
58fb0000 5917a000   AcGenral   (deferred)
5adc0000 5adf7000   UxTheme    (deferred)
5cc30000 5cc56000   ShimEng    (deferred)
62c20000 62c29000   LPK        (deferred)
71a10000 71a18000   WS2HELP    (deferred)
71a20000 71a37000   WS2_32     (deferred)
73640000 7366e000   msctfime   (deferred)
73fa0000 7400b000   USP10      (deferred)
74680000 746cc000   MSCTF      (deferred)
759d0000 75a7f000   USERENV    (deferred)
76300000 7631d000   IMM32      (deferred)
765e0000 76673000   CRYPT32    (deferred)
76680000 76726000   WININET    (deferred)
76990000 76ace000   ole32      (deferred)
76b10000 76b3a000   WINMM      (deferred)
76bc0000 76bcb000   PSAPI      (deferred)
76db0000 76dc2000   MSASN1     (deferred)
770f0000 7717b000   OLEAUT32   (deferred)
77180000 77283000   comctl32   (deferred)
77bb0000 77bc5000   MSACM32    (deferred)
77bd0000 77bd8000   VERSION    (deferred)
77be0000 77c38000   msvcrt     (deferred)
77d10000 77da0000   USER32     (deferred)
77da0000 77e49000   ADVAPI32   (deferred)
77e50000 77ee3000   RPCRT4     (deferred)
77ef0000 77f39000   GDI32      (deferred)
77f40000 77fb6000   SHLWAPI    (deferred)
77fc0000 77fd1000   Secur32    (deferred)
7c800000 7c91e000   kernel32   (deferred)
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000   SHELL32    (deferred)
0:001> .reload /u kernel32
Unloaded kernel32
0:001> lm
start    end        module name
00ad0000 00adf000   WordStrokeHelper32 (deferred)
01000000 0101f000   calc       (deferred)
10000000 100b0000   safemon    (deferred)
58fb0000 5917a000   AcGenral   (deferred)
5adc0000 5adf7000   UxTheme    (deferred)
5cc30000 5cc56000   ShimEng    (deferred)
62c20000 62c29000   LPK        (deferred)
71a10000 71a18000   WS2HELP    (deferred)
71a20000 71a37000   WS2_32     (deferred)
73640000 7366e000   msctfime   (deferred)
73fa0000 7400b000   USP10      (deferred)
74680000 746cc000   MSCTF      (deferred)
759d0000 75a7f000   USERENV    (deferred)
76300000 7631d000   IMM32      (deferred)
765e0000 76673000   CRYPT32    (deferred)
76680000 76726000   WININET    (deferred)
76990000 76ace000   ole32      (deferred)
76b10000 76b3a000   WINMM      (deferred)
76bc0000 76bcb000   PSAPI      (deferred)
76db0000 76dc2000   MSASN1     (deferred)
770f0000 7717b000   OLEAUT32   (deferred)
77180000 77283000   comctl32   (deferred)
77bb0000 77bc5000   MSACM32    (deferred)
77bd0000 77bd8000   VERSION    (deferred)
77be0000 77c38000   msvcrt     (deferred)
77d10000 77da0000   USER32     (deferred)
77da0000 77e49000   ADVAPI32   (deferred)
77e50000 77ee3000   RPCRT4     (deferred)
77ef0000 77f39000   GDI32      (deferred)
77f40000 77fb6000   SHLWAPI    (deferred)
77fc0000 77fd1000   Secur32    (deferred)
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000   SHELL32    (deferred)
The lm afterwards really no longer shows kernel32.dll,
but the program keeps running normally, and a look with IceSword (冰刃) shows kernel32.dll is clearly still there. I'm puzzled and don't understand it, so noting it here!!!
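As an added example (not part of the original post), the following Python compares two lm listings the way the eye does above: it reports modules whose symbol state changed (GDI32 after .reload /f) and modules that disappeared from the debugger's module list (kernel32 after .reload /u), and it can tell whether an address such as the embedded DLL's 00AD0000 is covered by any listed module. The listings are constructed samples in the shape of the output on this page.

```python
import re

# Constructed lm listings in the shape of the output above: the "before" one
# still lists kernel32 and has GDI32 deferred; the "after" one does not.
LM_BEFORE = r"""
start    end        module name
01000000 0101f000   calc       (deferred)
77ef0000 77f39000   GDI32      (deferred)
7c800000 7c91e000   kernel32   (deferred)
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
"""
LM_AFTER = r"""
start    end        module name
01000000 0101f000   calc       (deferred)
77ef0000 77f39000   GDI32      (pdb symbols)          C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
"""

# One lm row: start end name (status) [symbol file]; the header row does not match.
ENTRY_RE = re.compile(r"^(?P<start>[0-9a-fA-F]+)\s+(?P<end>[0-9a-fA-F]+)\s+(?P<name>\S+)"
                      r"\s+\((?P<status>[^)]*)\)\s*(?P<path>.*)$")

def parse_lm(text):
    """Map module name -> (start, end, status, symbol path)."""
    mods = {}
    for ln in text.splitlines():
        m = ENTRY_RE.match(ln.strip())
        if m:
            mods[m["name"]] = (int(m["start"], 16), int(m["end"], 16),
                               m["status"], m["path"].strip())
    return mods

def diff_lm(before, after):
    """Modules gone from the debugger's list, newly listed, or with a changed status."""
    b, a = parse_lm(before), parse_lm(after)
    return {
        "unloaded": sorted(set(b) - set(a)),
        "new": sorted(set(a) - set(b)),
        "changed": {n: (b[n][2], a[n][2]) for n in sorted(set(a) & set(b))
                    if b[n][2] != a[n][2]},
    }

def module_for_address(listing, addr):
    """Name of the listed module whose [start, end) range covers addr, else None."""
    for name, (start, end, _status, _path) in parse_lm(listing).items():
        if start <= addr < end:
            return name
    return None
```

Note that "unloaded" here means gone from what lm reports, which is the debugger's bookkeeping; as the IceSword check above shows, the DLL itself stays mapped in the process.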
If a DLL is embedded in an EXE, by default only the EXE's PDB is loaded; .reload provides a way to force-load the embedded DLL's symbols:
1. .sympath+ adds a folder to the PDB search path
2. .reload /i ModuleName=BaseAddress,Size
Example:
0:001> lm
start    end        module name
00400000 00ad0000   test011    (deferred)
02810000 02b7a000   SOGOUWB    (deferred)
In fact an embedded DLL follows right after 00ad0000.
Setting the PDB path: if the method below does not work, add the path under File -> Symbol File Path instead, and remember not to use a path containing Chinese characters.
0:001> .symfix+ E:\项目SVN加载
0:001> .reload /i maincode_org=00AD0000,0024E000
*** WARNING: Unable to verify timestamp for maincode_org
0:001> x maincode_org!*
00ceb628 maincode_org!g_timeGetTime = 0x00000000
00cf8814 maincode_org!g_szMessage = 0x00000000 ""
00cfb504 maincode_org!g_pSetWindowPos = 0x0000000
This method can also be used to force-load other PDBs, for example when you need a structure definition from a particular PDB.