2.WinDbg学习二（符号）2024-01-24

3.WinDbg学习三（字符串通配符语法）2024-01-25 4.WinDbg学习四（标准命令）2024-01-26 5.WinDbg实操一(查看.net对象)2024-04-07

在开始使用WinDbg之前，我们需要设置一下符号。

简介

符号文件包含大量的数据，比如全局变量，局部变量，源行号，这些数据在运行二进制文件时实际上并不需要，但在调试过程中很有用，比如我们写.net程序时生成的PDB文件。

符号可以包括名称、类型（如果适用）、存储地址或寄存器以及任何父符号或子符号。符号示例包括变量名（本地和全局）、函数以及模块的任何入口点。

调试器从位于本地文件系统的或从远程符号服务器加载的符号文件中获取其有关符号的信息。使用符号服务器时，调试器将自动使用正确的符号文件版本来匹配目标中的模块。

如果要执行我们自己程序的调试，则需要我们程序的符号。如果要执行内核模式调试或者依赖的Windwos库，则需要要这些库的符号以及 Windows 公共符号。

符号服务器

符号服务器使调试器能够自动从符号存储（符号文件的索引集合）检索正确的符号文件，用户无需知道产品名称、版本或内部版本号。 Windows 调试工具包括所需的 dll 符号服务器 SymSrv。

Microsoft 符号服务器使 Windows 调试程序符号公开可用。

设置符号符号器

首先在自己电脑D盘建一个WinDbg目录，在建立一个PublicSymbol目录和Cache目录。
在WinDbg中设置

具体为什么这样设置，可以参考(https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/advanced-symsrv-use)

运用

打开记事本
WinDbg挂载
文件-Attach to process,找到记事本的进程，然后双击

可以看到已经附加到记事本进程上了

DbgBreakPoint是一个C++函数，如果安装了内核调试程序，此例程将引发一个异常，该异常由内核调试器处理;否则，它由调试系统处理。如果调试器未连接到系统，则可以以标准方式处理异常。

显示当前路径设置

 0:003> .sympath 
Symbol search path is: srv*D:\WinDbg\PublicSymbol*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*d:\windbg\publicsymbol*https://msdl.microsoft.com/download/symbols
 
************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*D:\WinDbg\PublicSymbol*https://msdl.microsoft.com/download/symbols

符号选项

显示当前设置

 0:006> .symopt
Symbol options are 0x30337:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000020 - SYMOPT_OMAP_FIND_NEAREST
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00020000 - SYMOPT_NO_IMAGE_SEARCH

删除选项

 0:006> .symopt- 1
Symbol options are 0x30336:
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000020 - SYMOPT_OMAP_FIND_NEAREST
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00020000 - SYMOPT_NO_IMAGE_SEARCH

增加选项

 0:006> .symopt+ 1
Symbol options are 0x30337:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000020 - SYMOPT_OMAP_FIND_NEAREST
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00020000 - SYMOPT_NO_IMAGE_SEARCH

选项参数

值	名称	描述
0x1	SYMOPT_CASE_INSENSITIVE	符号名称不区分大小写
0x2	SYMOPT_UNDNAME	符号名称未修饰
0x4	SYMOPT_DEFERRED_LOADS	延迟加载
0x8	SYMOPT_NO_CPP	关闭C++转换，C++中的::符号将以__显示
0x10	SYMOPT_LOAD_LINES	从源文件中加载行号
0x20	SYMOPT_OMAP_FIND_NEAREST	如果由于编译器优化导致找不到对应的符号，就以最近的一个符号代替之
0x40	SYMOPT_LOAD_ANYTHING	使得符号匹配的时候，匹配原则较松散，不那么严格
0x80	SYMOPT_IGNORE_CVREC	忽略镜像文件头中的CV记录
0x100	SYMOPT_NO_UNQUALIFIED_LOAD	只在已加载模块中搜索符号，如果搜索符号失败，不会自动加载新模块。
0x200	SYMOPT_FAIL_CRITICAL_ERRORS	不显示文件访问错误对话框
0x400	SYMOPT_EXACT_SYMBOLS	进行最严格的符号文件检查，只要有微小的差异，符号文件都不会被加载
0x800	SYMOPT_ALLOW_ABSOLUTE_SYMBOLS	允许从内存的一个绝对地址处读取符号信息
0x1000	SYMOPT_IGNORE_NT_SYMPATH	忽视在环境变量中设置的符号路径
0x2000	SYMOPT_INCLUDE_32BIT_MODULES	让运行在安腾系统上的调试器，也枚举32位模块
0x4000	SYMOPT_PUBLICS_ONLY	仅搜索符号文件的公共（PUBLIC）符号表，忽略私有符号表。
0x8000	SYMOPT_NO_PUBLICS	不搜索符号文件的公共（PUBLIC）符号表
0x10000	SYMOPT_AUTO_PUBLICS	先搜索pdb文件的私有符号表，如果在其中找到对应的符号，就不再搜索公共（PUBLIC）符号表，这可以加快搜索速度
0x20000	SYMOPT_NO_IMAGE_SEARCH	不搜索镜像拷贝
0x40000	SYMOPT_SECURE	安全模式，让调试器尽量不影响到主机
0x80000	SYMOPT_NO_PROMPTS	不显示符号代理服务器的认证对话框，将导致某些时候无法访问符号服务器
0x80000000	SYMOPT_DEBUG	显示符号搜索的详细过程和信息

符号加载

查看模块及模块符号的加载情况（lm）

 0:003> lm
start             end                 module name
00007ff6`1ae50000 00007ff6`1ae88000   NOTEPAD    (pdb symbols)          d:\windbg\publicsymbol\notepad.pdb\5A096A6EA0DB6F42E516FC1B12C514EE1\notepad.pdb
00007ff9`c5dc0000 00007ff9`c5e9d000   efswrt     (deferred)             
00007ff9`cc2c0000 00007ff9`cc36c000   TextShaping   (deferred)             
00007ff9`ce5d0000 00007ff9`ce6ca000   textinputframework   (deferred)             
00007ff9`d0010000 00007ff9`d0104000   MrmCoreR   (deferred)             
00007ff9`d5f60000 00007ff9`d614d000   urlmon     (deferred)             
00007ff9`d7250000 00007ff9`d74ea000   COMCTL32   (deferred)             
00007ff9`ded40000 00007ff9`deffc000   iertutil   (deferred)             
00007ff9`e8b30000 00007ff9`e8b59000   srvcli     (deferred)             
00007ff9`e8c40000 00007ff9`e8c5d000   MPR        (deferred)             
00007ff9`e9c10000 00007ff9`e9e17000   twinapi_appcore   (deferred)             
00007ff9`ebc90000 00007ff9`ebcf6000   oleacc     (deferred)             
00007ff9`ed210000 00007ff9`ed306000   PROPSYS    (deferred)             
00007ff9`ed320000 00007ff9`ed3c1000   policymanager   (deferred)             
00007ff9`ee160000 00007ff9`ee2b5000   wintypes   (deferred)             
00007ff9`eeb90000 00007ff9`eec82000   CoreMessaging   (deferred)             
00007ff9`eec90000 00007ff9`eefee000   CoreUIComponents   (deferred)             
00007ff9`ef900000 00007ff9`ef99e000   uxtheme    (deferred)             
00007ff9`f0420000 00007ff9`f0bbb000   windows_storage   (deferred)             
00007ff9`f0bd0000 00007ff9`f0be2000   kernel_appcore   (deferred)             
00007ff9`f14a0000 00007ff9`f152a000   msvcp110_win   (deferred)             
00007ff9`f1530000 00007ff9`f1563000   ntmarta    (deferred)             
00007ff9`f1880000 00007ff9`f188c000   netutils   (deferred)             
00007ff9`f1d50000 00007ff9`f1d7e000   Wldp       (deferred)             
00007ff9`f23f0000 00007ff9`f243e000   CFGMGR32   (deferred)             
00007ff9`f24f0000 00007ff9`f27e6000   KERNELBASE   (deferred)             
00007ff9`f27f0000 00007ff9`f290a000   gdi32full   (deferred)             
00007ff9`f2940000 00007ff9`f2a40000   ucrtbase   (deferred)             
00007ff9`f2ab0000 00007ff9`f2ad2000   win32u     (deferred)             
00007ff9`f2ae0000 00007ff9`f2b7d000   msvcp_win   (deferred)             
00007ff9`f2ce0000 00007ff9`f2d62000   bcryptPrimitives   (deferred)             
00007ff9`f2d70000 00007ff9`f2e2d000   KERNEL32   (pdb symbols)          d:\windbg\publicsymbol\kernel32.pdb\C8DEC0DDA0E2EF5C882CC32F0AF2F80B1\kernel32.pdb
00007ff9`f2e30000 00007ff9`f2e5c000   GDI32      (deferred)             
00007ff9`f2e60000 00007ff9`f2f74000   MSCTF      (deferred)             
00007ff9`f3130000 00007ff9`f3185000   shlwapi    (deferred)             
00007ff9`f3190000 00007ff9`f322e000   msvcrt     (deferred)             
00007ff9`f3230000 00007ff9`f32d9000   clbcatq    (deferred)             
00007ff9`f32e0000 00007ff9`f338e000   ADVAPI32   (deferred)             
00007ff9`f3390000 00007ff9`f342c000   sechost    (deferred)             
00007ff9`f3490000 00007ff9`f35ba000   ole32      (deferred)             
00007ff9`f35c0000 00007ff9`f35f0000   IMM32      (deferred)             
00007ff9`f3600000 00007ff9`f36ad000   shcore     (deferred)             
00007ff9`f36b0000 00007ff9`f37d6000   RPCRT4     (deferred)             
00007ff9`f3800000 00007ff9`f399e000   USER32     (deferred)             
00007ff9`f39a0000 00007ff9`f3a7a000   COMDLG32   (deferred)             
00007ff9`f3b90000 00007ff9`f3bfb000   WS2_32     (deferred)             
00007ff9`f3c00000 00007ff9`f3ccd000   OLEAUT32   (deferred)             
00007ff9`f3cf0000 00007ff9`f4044000   combase    (deferred)             
00007ff9`f4050000 00007ff9`f4795000   SHELL32    (deferred)             
00007ff9`f4d10000 00007ff9`f4f08000   ntdll      (pdb symbols)          d:\windbg\publicsymbol\ntdll.pdb\DF7907287B0D7132B3C4A5D82B567E9E1\ntdll.pdb

deferred:表示为延迟加载。
默认情况下，在加载目标模块时不会实际加载符号信息。相反，调试器会根据需要加载符号
可以使用.reload /f强制即刻加载

查看已加载模块符号的模块（lm l）

 0:003> lm l
start             end                 module name
00007ff6`1ae50000 00007ff6`1ae88000   NOTEPAD    (pdb symbols)          d:\windbg\publicsymbol\notepad.pdb\5A096A6EA0DB6F42E516FC1B12C514EE1\notepad.pdb
00007ff9`f2d70000 00007ff9`f2e2d000   KERNEL32   (pdb symbols)          d:\windbg\publicsymbol\kernel32.pdb\C8DEC0DDA0E2EF5C882CC32F0AF2F80B1\kernel32.pdb
00007ff9`f4d10000 00007ff9`f4f08000   ntdll      (pdb symbols)          d:\windbg\publicsymbol\ntdll.pdb\DF7907287B0D7132B3C4A5D82B567E9E1\ntdll.pdb

查看所有模块及详细信息（lm v）

posted @ 2024-01-24 15:28 leafroc 阅读(404) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· WinDbg学习四（标准命令）

· WinDbg学习一（入门）

· WinDbg教程-[1]、调试基础(用户模式)

· WinDbg实践--入门篇

· Windbg符号加载和调试

阅读排行：
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布：重大改进与新特性概览！
· AI与.NET技术实操系列（二）：开始使用ML.NET
· 单线程的Redis速度为什么快？

leafroc

九层之台，起于垒土；千里之行，始于足下。

WinDbg学习二（符号）

简介

符号服务器

设置符号符号器

运用

显示当前路径设置

符号选项

显示当前设置

删除选项

增加选项

选项参数

符号加载

查看模块及模块符号的加载情况（lm）

查看已加载模块符号的模块（lm l）

查看所有模块及详细信息（lm v）

常用链接

我的标签

合集

随笔分类

随笔档案

阅读排行榜

评论排行榜

推荐排行榜

最新评论

	0:003> .sympath
	Symbol search path is: srvD:\WinDbg\PublicSymbolhttps://msdl.microsoft.com/download/symbols
	Expanded Symbol search path is: srvd:\windbg\publicsymbolhttps://msdl.microsoft.com/download/symbols

	*********** Path validation summary ************
	Response Time (ms) Location
	Deferred srvD:\WinDbg\PublicSymbolhttps://msdl.microsoft.com/download/symbols

	0:006> .symopt
	Symbol options are 0x30337:
	0x00000001 - SYMOPT_CASE_INSENSITIVE
	0x00000002 - SYMOPT_UNDNAME
	0x00000004 - SYMOPT_DEFERRED_LOADS
	0x00000010 - SYMOPT_LOAD_LINES
	0x00000020 - SYMOPT_OMAP_FIND_NEAREST
	0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
	0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
	0x00010000 - SYMOPT_AUTO_PUBLICS
	0x00020000 - SYMOPT_NO_IMAGE_SEARCH

	0:006> .symopt- 1
	Symbol options are 0x30336:
	0x00000002 - SYMOPT_UNDNAME
	0x00000004 - SYMOPT_DEFERRED_LOADS
	0x00000010 - SYMOPT_LOAD_LINES
	0x00000020 - SYMOPT_OMAP_FIND_NEAREST
	0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
	0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
	0x00010000 - SYMOPT_AUTO_PUBLICS
	0x00020000 - SYMOPT_NO_IMAGE_SEARCH

	0:006> .symopt+ 1
	Symbol options are 0x30337:
	0x00000001 - SYMOPT_CASE_INSENSITIVE
	0x00000002 - SYMOPT_UNDNAME
	0x00000004 - SYMOPT_DEFERRED_LOADS
	0x00000010 - SYMOPT_LOAD_LINES
	0x00000020 - SYMOPT_OMAP_FIND_NEAREST
	0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
	0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
	0x00010000 - SYMOPT_AUTO_PUBLICS
	0x00020000 - SYMOPT_NO_IMAGE_SEARCH

	0:003> lm
	start end module name
	00007ff6`1ae50000 00007ff6`1ae88000 NOTEPAD (pdb symbols) d:\windbg\publicsymbol\notepad.pdb\5A096A6EA0DB6F42E516FC1B12C514EE1\notepad.pdb
	00007ff9`c5dc0000 00007ff9`c5e9d000 efswrt (deferred)
	00007ff9`cc2c0000 00007ff9`cc36c000 TextShaping (deferred)
	00007ff9`ce5d0000 00007ff9`ce6ca000 textinputframework (deferred)
	00007ff9`d0010000 00007ff9`d0104000 MrmCoreR (deferred)
	00007ff9`d5f60000 00007ff9`d614d000 urlmon (deferred)
	00007ff9`d7250000 00007ff9`d74ea000 COMCTL32 (deferred)
	00007ff9`ded40000 00007ff9`deffc000 iertutil (deferred)
	00007ff9`e8b30000 00007ff9`e8b59000 srvcli (deferred)
	00007ff9`e8c40000 00007ff9`e8c5d000 MPR (deferred)
	00007ff9`e9c10000 00007ff9`e9e17000 twinapi_appcore (deferred)
	00007ff9`ebc90000 00007ff9`ebcf6000 oleacc (deferred)
	00007ff9`ed210000 00007ff9`ed306000 PROPSYS (deferred)
	00007ff9`ed320000 00007ff9`ed3c1000 policymanager (deferred)
	00007ff9`ee160000 00007ff9`ee2b5000 wintypes (deferred)
	00007ff9`eeb90000 00007ff9`eec82000 CoreMessaging (deferred)
	00007ff9`eec90000 00007ff9`eefee000 CoreUIComponents (deferred)
	00007ff9`ef900000 00007ff9`ef99e000 uxtheme (deferred)
	00007ff9`f0420000 00007ff9`f0bbb000 windows_storage (deferred)
	00007ff9`f0bd0000 00007ff9`f0be2000 kernel_appcore (deferred)
	00007ff9`f14a0000 00007ff9`f152a000 msvcp110_win (deferred)
	00007ff9`f1530000 00007ff9`f1563000 ntmarta (deferred)
	00007ff9`f1880000 00007ff9`f188c000 netutils (deferred)
	00007ff9`f1d50000 00007ff9`f1d7e000 Wldp (deferred)
	00007ff9`f23f0000 00007ff9`f243e000 CFGMGR32 (deferred)
	00007ff9`f24f0000 00007ff9`f27e6000 KERNELBASE (deferred)
	00007ff9`f27f0000 00007ff9`f290a000 gdi32full (deferred)
	00007ff9`f2940000 00007ff9`f2a40000 ucrtbase (deferred)
	00007ff9`f2ab0000 00007ff9`f2ad2000 win32u (deferred)
	00007ff9`f2ae0000 00007ff9`f2b7d000 msvcp_win (deferred)
	00007ff9`f2ce0000 00007ff9`f2d62000 bcryptPrimitives (deferred)
	00007ff9`f2d70000 00007ff9`f2e2d000 KERNEL32 (pdb symbols) d:\windbg\publicsymbol\kernel32.pdb\C8DEC0DDA0E2EF5C882CC32F0AF2F80B1\kernel32.pdb
	00007ff9`f2e30000 00007ff9`f2e5c000 GDI32 (deferred)
	00007ff9`f2e60000 00007ff9`f2f74000 MSCTF (deferred)
	00007ff9`f3130000 00007ff9`f3185000 shlwapi (deferred)
	00007ff9`f3190000 00007ff9`f322e000 msvcrt (deferred)
	00007ff9`f3230000 00007ff9`f32d9000 clbcatq (deferred)
	00007ff9`f32e0000 00007ff9`f338e000 ADVAPI32 (deferred)
	00007ff9`f3390000 00007ff9`f342c000 sechost (deferred)
	00007ff9`f3490000 00007ff9`f35ba000 ole32 (deferred)
	00007ff9`f35c0000 00007ff9`f35f0000 IMM32 (deferred)
	00007ff9`f3600000 00007ff9`f36ad000 shcore (deferred)
	00007ff9`f36b0000 00007ff9`f37d6000 RPCRT4 (deferred)
	00007ff9`f3800000 00007ff9`f399e000 USER32 (deferred)
	00007ff9`f39a0000 00007ff9`f3a7a000 COMDLG32 (deferred)
	00007ff9`f3b90000 00007ff9`f3bfb000 WS2_32 (deferred)
	00007ff9`f3c00000 00007ff9`f3ccd000 OLEAUT32 (deferred)
	00007ff9`f3cf0000 00007ff9`f4044000 combase (deferred)
	00007ff9`f4050000 00007ff9`f4795000 SHELL32 (deferred)
	00007ff9`f4d10000 00007ff9`f4f08000 ntdll (pdb symbols) d:\windbg\publicsymbol\ntdll.pdb\DF7907287B0D7132B3C4A5D82B567E9E1\ntdll.pdb

	0:003> lm l
	start end module name
	00007ff6`1ae50000 00007ff6`1ae88000 NOTEPAD (pdb symbols) d:\windbg\publicsymbol\notepad.pdb\5A096A6EA0DB6F42E516FC1B12C514EE1\notepad.pdb
	00007ff9`f2d70000 00007ff9`f2e2d000 KERNEL32 (pdb symbols) d:\windbg\publicsymbol\kernel32.pdb\C8DEC0DDA0E2EF5C882CC32F0AF2F80B1\kernel32.pdb
	00007ff9`f4d10000 00007ff9`f4f08000 ntdll (pdb symbols) d:\windbg\publicsymbol\ntdll.pdb\DF7907287B0D7132B3C4A5D82B567E9E1\ntdll.pdb