WinDbg Command Study 12 (.lastevent and !analyze)
Unless otherwise stated, everything below uses calc.exe forcibly attached to WinDbg.
1. .lastevent
The .lastevent command displays the most recent exception or event that occurred.
0:000> .lastevent
Last event: 1534.f4c: Break instruction exception - code 80000003 (first chance)
  debugger time: Tue May 22 10:47:26.962 2012 (GMT+8)
0:000> ~
.  0  Id: 1534.e8c Suspend: 1 Teb: 7ffdf000 Unfrozen
   1  Id: 1534.1338 Suspend: 1 Teb: 7ffde000 Unfrozen
#  2  Id: 1534.f4c Suspend: 1 Teb: 7ffdd000 Unfrozen
We can see that the exception occurred in thread 2. The period (.) in front of thread 0 marks the current thread; the number sign (#) in front of thread 2 marks the thread that raised the exception, or that was active when the debugger attached to the process. Breaking into the debugger with CTRL+C, CTRL+BREAK or Debug | Break always produces exception code 0x80000003.
2. !analyze
The !analyze extension displays information about the current exception or bug check.
0:000> .lastevent
Last event: 1534.f4c: Break instruction exception - code 80000003 (first chance)
  debugger time: Tue May 22 10:47:26.962 2012 (GMT+8)
0:000> !analyze
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

DBGHELP: c:\mysymbol\kernel32.dll\49C4F48111e000\kernel32.dll - OK
DBGHELP: c:\mysymbol\ntdll.dll\4D00F28096000\ntdll.dll - OK
DBGHELP: c:\mysymbol\calc.exe\3B7D84101f000\calc.exe - OK
DBGHELP: c:\mysymbol\UxTheme.dll\4802BDC037000\UxTheme.dll - OK
DBGHELP: c:\mysymbol\MSCTF.dll\4802BDE34c000\MSCTF.dll - OK
DBGHELP: c:\mysymbol\USER32.dll\4802BDBD90000\USER32.dll - OK
DBGHELP: c:\mysymbol\kernel32.dll\49C4F48111e000\kernel32.dll - OK
DBGHELP: c:\mysymbol\ntdll.dll\4D00F28096000\ntdll.dll - OK
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

Probably caused by : ntdll.dll ( ntdll!DbgBreakPoint+0 )

Followup: MachineOwner
---------

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

DBGHELP: c:\mysymbol\kernel32.dll\49C4F48111e000\kernel32.dll - OK
DBGHELP: c:\mysymbol\ntdll.dll\4D00F28096000\ntdll.dll - OK
DBGHELP: c:\mysymbol\calc.exe\3B7D84101f000\calc.exe - OK
DBGHELP: c:\mysymbol\UxTheme.dll\4802BDC037000\UxTheme.dll - OK
DBGHELP: c:\mysymbol\MSCTF.dll\4802BDE34c000\MSCTF.dll - OK
DBGHELP: c:\mysymbol\USER32.dll\4802BDBD90000\USER32.dll - OK
DBGHELP: c:\mysymbol\kernel32.dll\49C4F48111e000\kernel32.dll - OK
DBGHELP: c:\mysymbol\ntdll.dll\4D00F28096000\ntdll.dll - OK
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
ntdll!DbgBreakPoint+0
7c92120e cc              int     3

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c92120e (ntdll!DbgBreakPoint)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 00000002
   Parameter[2]: 00000003

FAULTING_THREAD:  00000f4c
DEFAULT_BUCKET_ID:  STACKIMMUNE
PROCESS_NAME:  calc.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - <Unable to get error code text>
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000002
EXCEPTION_PARAMETER3:  00000003
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
ADDITIONAL_DEBUG_TEXT:  Followup set via attribute from Frame 0 on thread ffffffff
PRIMARY_PROBLEM_CLASS:  STACKIMMUNE
BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE

STACK_TEXT:
00bfffc8 7c972119 00000005 00000004 00000001 ntdll!DbgBreakPoint
00bffff4 00000000 00000000 00000008 000060c0 ntdll!DbgUiRemoteBreakin+0x2d

FOLLOWUP_IP:
ntdll!DbgBreakPoint+0
7c92120e cc              int     3

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ntdll!DbgBreakPoint+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ntdll
IMAGE_NAME:  ntdll.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4d00f280
STACK_COMMAND:  ~2s ; kb
BUCKET_ID:  MANUAL_BREAKIN
FAILURE_BUCKET_ID:  STACKIMMUNE_80000003_ntdll.dll!DbgBreakPoint

Followup: MachineOwner
---------
In user mode, the !analyze and !analyze -v extensions display information about the current exception.
Note that .lastevent is a meta-command (a dot command), while !analyze is an extension command.
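The thread markers in the `~` list and the FAULTING_THREAD field of !analyze -v describe the same break-in from two sides. As an added example (not part of the original post), this Python script parses constructed copies of both outputs and checks that the '#' thread is the one !analyze blames; the sample text, regexes and function names are assumptions made here.

```python
# Added example, not from the original post: parse the `~` list and !analyze -v fields.
import re
# Constructed sample mirroring the post's `~` output for calc.exe (PID 0x1534).
THREAD_LIST = """\
.  0  Id: 1534.e8c Suspend: 1 Teb: 7ffdf000 Unfrozen
   1  Id: 1534.1338 Suspend: 1 Teb: 7ffde000 Unfrozen
#  2  Id: 1534.f4c Suspend: 1 Teb: 7ffdd000 Unfrozen
"""
# Constructed excerpt of the post's !analyze -v output.
ANALYZE_V = """\
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c92120e (ntdll!DbgBreakPoint)
   ExceptionCode: 80000003 (Break instruction exception)
FAULTING_THREAD:  00000f4c
PROCESS_NAME:  calc.exe
BUCKET_ID:  MANUAL_BREAKIN
FAILURE_BUCKET_ID:  STACKIMMUNE_80000003_ntdll.dll!DbgBreakPoint
"""
# '.' marks the current thread, '#' the thread that raised the last event.
THREAD_RE = re.compile(r"^(?P<mark>[.#]?)\s*(?P<idx>\d+)\s+Id:\s*"
                       r"(?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)", re.I)

def parse_threads(text):
    """Return (current_idx, event_idx, {idx: tid}) from `~` output."""
    current = event = None
    tids = {}
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            idx = int(m.group("idx"))
            tids[idx] = int(m.group("tid"), 16)
            if m.group("mark") == ".":
                current = idx
            elif m.group("mark") == "#":
                event = idx
    return current, event, tids

def parse_analyze(text):
    """Collect the UPPER_CASE: value fields of !analyze -v into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z][A-Z0-9_]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def event_thread_is_faulting(threads=THREAD_LIST, analyze=ANALYZE_V):
    """True when the '#' thread in `~` is the FAULTING_THREAD !analyze names."""
    _, event, tids = parse_threads(threads)
    return tids.get(event) == int(parse_analyze(analyze)["FAULTING_THREAD"], 16)
```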
3. Introduction to symbol files:
Symbol files are very important for debugging a program. A symbol file usually contains the following:
Names and addresses of global variables
Function names, addresses and prototypes
Frame pointer omission (FPO) data
Names and addresses of local variables
Source file paths and the line number of each symbol
Type information for variables, structures and so on