WinDbg command notes 2 (!sym and .reload)
The examples below use WinDbg with calc.exe loaded:
1. !sym
The !sym extension controls the display of noisy symbol loading and symbol prompts.
!sym: with no parameters, it displays the current noisy-symbol-loading and symbol-prompt settings.
An example:
0:001> !sym
!sym <noisy/quiet - prompts/prompts off> - noisy mode - symbol prompts on
If you look closely you can already see the four states of !sym: noisy/quiet and prompts/prompts off. So to remember how this command works, just run !sym and it shows every usage. Heh, I'm pretty clever.
What follows the <> is the current setting.
!sym noisy activates the noisy symbol loading display.
An example:
0:001> !sym noisy
noisy mode - symbol prompts on
!sym quiet disables the noisy symbol loading display.
0:001> !sym quiet
quiet mode - symbol prompts on
!sym prompts allows a dialog box to pop up when SymSrv receives an authentication request.
0:001> !sym prompts
quiet mode - symbol prompts on
!sym prompts off prevents SymSrv from showing an authentication dialog when it receives an authentication request. This may stop SymSrv from retrieving symbols over the internet.
0:001> !sym prompts off
quiet mode - symbol prompts off
Simple enough: one pair is noisy/quiet, the other is prompts/prompts off. Got it.
2. .reload
The .reload command deletes all symbol information for the specified module and reloads those symbols as needed. In some cases the command also reloads or unloads the module itself.
/d reloads all modules in the debugger's module list. (When all parameters are omitted, this is the default behavior in user-mode debugging.) An example:
0:001> .reload /d
Reloading current modules
................................
DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols
C:\WINDOWS\symbols\dll\ntdll.pdb
Well, we can see that the symbols were not loaded immediately.
/f forces the debugger to load symbols immediately. This parameter overrides deferred symbol loading. For more information, see the Remarks section below. When we queried with lm we saw GDI32 (deferred), so let's try loading its symbol information:
0:001> lm
start end module name
01000000 0101f000 calc (deferred)
10000000 100b0000 safemon (deferred)
58fb0000 5917a000 AcGenral (deferred)
5adc0000 5adf7000 UxTheme (deferred)
5cc30000 5cc56000 ShimEng (deferred)
62c20000 62c29000 LPK (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (deferred)
73640000 7366e000 msctfime (deferred)
73fa0000 7400b000 USP10 (deferred)
74680000 746cc000 MSCTF (deferred)
759d0000 75a7f000 USERENV (deferred)
76300000 7631d000 IMM32 (deferred)
765e0000 76673000 CRYPT32 (deferred)
76680000 76726000 WININET (deferred)
76990000 76ace000 ole32 (deferred)
76b10000 76b3a000 WINMM (deferred)
76bc0000 76bcb000 PSAPI (deferred)
76db0000 76dc2000 MSASN1 (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 comctl32 (deferred)
77bb0000 77bc5000 MSACM32 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91e000 kernel32 (deferred)
7c920000 7c9b3000 ntdll (pdb symbols) C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
0:001> .reload /f GDI32.dll
DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\gdi32.pdb - file not found
DBGHELP: GDI32 - public symbols
C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
0:001> lm
start end module name
01000000 0101f000 calc (deferred)
10000000 100b0000 safemon (deferred)
58fb0000 5917a000 AcGenral (deferred)
5adc0000 5adf7000 UxTheme (deferred)
5cc30000 5cc56000 ShimEng (deferred)
62c20000 62c29000 LPK (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (deferred)
73640000 7366e000 msctfime (deferred)
73fa0000 7400b000 USP10 (deferred)
74680000 746cc000 MSCTF (deferred)
759d0000 75a7f000 USERENV (deferred)
76300000 7631d000 IMM32 (deferred)
765e0000 76673000 CRYPT32 (deferred)
76680000 76726000 WININET (deferred)
76990000 76ace000 ole32 (deferred)
76b10000 76b3a000 WINMM (deferred)
76bc0000 76bcb000 PSAPI (deferred)
76db0000 76dc2000 MSASN1 (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 comctl32 (deferred)
77bb0000 77bc5000 MSACM32 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (pdb symbols) C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91e000 kernel32 (deferred)
7c920000 7c9b3000 ntdll (pdb symbols) C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
We can see that in the first lm query GDI32 was (deferred); after calling .reload /f and running lm again, GDI32 shows (pdb symbols). OK, so we can guess: if .reload /f is run without a module name, does it reload all symbols?
0:001> .reload /f
Reloading current modules
.
DBGHELP: C:\WINDOWS\symbols\calc.pdb - file not found
DBGHELP: calc - public symbols
C:\WINDOWS\symbols\exe\calc.pdb
.
DBGHELP: C:\WINDOWS\symbols\safemon.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\safemon.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\symbols\dll\safemon.pdb - file not found
SYMSRV: C:\MyLocalSymbols\safemon.pdb\84C1B55127174ACAA421A85A983FA63B1\safemon.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/safemon.pdb/84C1B55127174ACAA421A85A983FA63B1/safemon.pdb not found
DBGHELP: C:\Program Files\360\360Safe\safemon\safemon.pdb - file not found
DBGHELP: E:\repos\safemon_8_1_1\Release\safemon.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\360\360Safe\safemon\safemon.dll -
DBGHELP: safemon - export symbols
.
DBGHELP: C:\WINDOWS\symbols\AcGenral.pdb - file not found
DBGHELP: AcGenral - public symbols
C:\WINDOWS\symbols\DLL\AcGenral.pdb
.
DBGHELP: C:\WINDOWS\symbols\uxtheme.pdb - file not found
DBGHELP: UxTheme - public symbols
C:\WINDOWS\symbols\dll\uxtheme.pdb
.
DBGHELP: C:\WINDOWS\symbols\ShimEng.pdb - file not found
DBGHELP: ShimEng - public symbols
C:\WINDOWS\symbols\dll\ShimEng.pdb
.
DBGHELP: C:\WINDOWS\symbols\lpk.pdb - file not found
DBGHELP: LPK - public symbols
C:\WINDOWS\symbols\DLL\lpk.pdb
.
DBGHELP: C:\WINDOWS\symbols\ws2help.pdb - file not found
DBGHELP: WS2HELP - public symbols
C:\WINDOWS\symbols\dll\ws2help.pdb
.
DBGHELP: C:\WINDOWS\symbols\ws2_32.pdb - file not found
DBGHELP: WS2_32 - public symbols
C:\WINDOWS\symbols\dll\ws2_32.pdb
.
DBGHELP: C:\WINDOWS\symbols\msctfime.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\ime\msctfime.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\ime\msctfime.pdb - file not found
DBGHELP: msctfime - public symbols
C:\MyLocalSymbols\msctfime.pdb\7448D95F454E4C1E93859E4D88C1950E1\msctfime.pdb
.
DBGHELP: C:\WINDOWS\symbols\usp10.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\usp10.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\usp10.pdb - file not found
DBGHELP: USP10 - public symbols
C:\MyLocalSymbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
.
DBGHELP: C:\WINDOWS\symbols\msctf.pdb - file not found
DBGHELP: MSCTF - public symbols
C:\WINDOWS\symbols\dll\msctf.pdb
.
DBGHELP: C:\WINDOWS\symbols\userenv.pdb - file not found
DBGHELP: USERENV - public symbols
C:\WINDOWS\symbols\dll\userenv.pdb
.
DBGHELP: C:\WINDOWS\symbols\imm32.pdb - file not found
DBGHELP: IMM32 - public symbols
C:\WINDOWS\symbols\DLL\imm32.pdb
.
DBGHELP: C:\WINDOWS\symbols\crypt32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\crypt32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\crypt32.pdb - file not found
DBGHELP: CRYPT32 - public symbols
C:\MyLocalSymbols\crypt32.pdb\A854C29D50C34464948D078CA2A0BFD32\crypt32.pdb
.
DBGHELP: C:\WINDOWS\symbols\wininet.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\wininet.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\wininet.pdb - file not found
DBGHELP: WININET - public symbols
C:\MyLocalSymbols\wininet.pdb\041BF2F58BAF4B3880CA9A705DA8398F2\wininet.pdb
.
DBGHELP: C:\WINDOWS\symbols\ole32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\ole32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\ole32.pdb - file not found
DBGHELP: ole32 - public symbols
C:\MyLocalSymbols\ole32.pdb\498D399602DE44A59DB412C95883B65C2\ole32.pdb
.
DBGHELP: C:\WINDOWS\symbols\winmm.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\winmm.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\winmm.pdb - file not found
DBGHELP: WINMM - public symbols
C:\MyLocalSymbols\winmm.pdb\CBD9B2B21EE74EE6BA95B56DCBD2A57F2\winmm.pdb
.
DBGHELP: C:\WINDOWS\symbols\psapi.pdb - file not found
DBGHELP: PSAPI - public symbols
C:\WINDOWS\symbols\DLL\psapi.pdb
.
DBGHELP: C:\WINDOWS\symbols\msasn1.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\msasn1.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\msasn1.pdb - file not found
DBGHELP: MSASN1 - public symbols
C:\MyLocalSymbols\msasn1.pdb\1AED0D31142F496E83481A9BF3DEF1A52\msasn1.pdb
.
DBGHELP: C:\WINDOWS\symbols\oleaut32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\oleaut32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\oleaut32.pdb - file not found
DBGHELP: OLEAUT32 - public symbols
C:\MyLocalSymbols\oleaut32.pdb\E04ECB48CAED47B2958C3D2C1094E23F2\oleaut32.pdb
.
DBGHELP: C:\WINDOWS\symbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\symbols\dll\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
DBGHELP: comctl32 - public symbols
C:\MyLocalSymbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb
.
DBGHELP: C:\WINDOWS\symbols\msacm32.pdb - file not found
DBGHELP: MSACM32 - public symbols
C:\WINDOWS\symbols\dll\msacm32.pdb
.
DBGHELP: C:\WINDOWS\symbols\version.pdb - file not found
DBGHELP: VERSION - public symbols
C:\WINDOWS\symbols\dll\version.pdb
.
DBGHELP: C:\WINDOWS\symbols\msvcrt.pdb - file not found
DBGHELP: msvcrt - public symbols
C:\WINDOWS\symbols\dll\msvcrt.pdb
.
DBGHELP: C:\WINDOWS\symbols\user32.pdb - file not found
DBGHELP: USER32 - public symbols
C:\WINDOWS\symbols\dll\user32.pdb
.
DBGHELP: C:\WINDOWS\symbols\advapi32.pdb - file not found
DBGHELP: ADVAPI32 - public symbols
C:\WINDOWS\symbols\dll\advapi32.pdb
.
DBGHELP: C:\WINDOWS\symbols\rpcrt4.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\rpcrt4.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\rpcrt4.pdb - file not found
DBGHELP: RPCRT4 - public symbols
C:\MyLocalSymbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
.
DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\gdi32.pdb - file not found
DBGHELP: GDI32 - public symbols
C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
.
DBGHELP: C:\WINDOWS\symbols\shlwapi.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\shlwapi.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\shlwapi.pdb - file not found
DBGHELP: SHLWAPI - public symbols
C:\MyLocalSymbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
.
DBGHELP: C:\WINDOWS\symbols\secur32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\secur32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\secur32.pdb - file not found
DBGHELP: Secur32 - public symbols
C:\MyLocalSymbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
.
DBGHELP: C:\WINDOWS\symbols\kernel32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\kernel32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\kernel32.pdb - file not found
DBGHELP: kernel32 - public symbols
C:\MyLocalSymbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
.
DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols
C:\WINDOWS\symbols\dll\ntdll.pdb
.
DBGHELP: C:\WINDOWS\symbols\shell32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\shell32.pdb - mismatched pdb
DBGHELP: C:\WINDOWS\symbols\symbols\dll\shell32.pdb - file not found
DBGHELP: SHELL32 - public symbols
C:\MyLocalSymbols\shell32.pdb\DF59C75CA10B4BF89B447BB924C4292C2\shell32.pdb
0:001> lm
start end module name
01000000 0101f000 calc (pdb symbols) C:\WINDOWS\symbols\exe\calc.pdb
10000000 100b0000 safemon (export symbols) C:\Program Files\360\360Safe\safemon\safemon.dll
58fb0000 5917a000 AcGenral (pdb symbols) C:\WINDOWS\symbols\DLL\AcGenral.pdb
5adc0000 5adf7000 UxTheme (pdb symbols) C:\WINDOWS\symbols\dll\uxtheme.pdb
5cc30000 5cc56000 ShimEng (pdb symbols) C:\WINDOWS\symbols\dll\ShimEng.pdb
62c20000 62c29000 LPK (pdb symbols) C:\WINDOWS\symbols\DLL\lpk.pdb
71a10000 71a18000 WS2HELP (pdb symbols) C:\WINDOWS\symbols\dll\ws2help.pdb
71a20000 71a37000 WS2_32 (pdb symbols) C:\WINDOWS\symbols\dll\ws2_32.pdb
73640000 7366e000 msctfime (pdb symbols) C:\MyLocalSymbols\msctfime.pdb\7448D95F454E4C1E93859E4D88C1950E1\msctfime.pdb
73fa0000 7400b000 USP10 (pdb symbols) C:\MyLocalSymbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
74680000 746cc000 MSCTF (pdb symbols) C:\WINDOWS\symbols\dll\msctf.pdb
759d0000 75a7f000 USERENV (pdb symbols) C:\WINDOWS\symbols\dll\userenv.pdb
76300000 7631d000 IMM32 (pdb symbols) C:\WINDOWS\symbols\DLL\imm32.pdb
765e0000 76673000 CRYPT32 (pdb symbols) C:\MyLocalSymbols\crypt32.pdb\A854C29D50C34464948D078CA2A0BFD32\crypt32.pdb
76680000 76726000 WININET (pdb symbols) C:\MyLocalSymbols\wininet.pdb\041BF2F58BAF4B3880CA9A705DA8398F2\wininet.pdb
76990000 76ace000 ole32 (pdb symbols) C:\MyLocalSymbols\ole32.pdb\498D399602DE44A59DB412C95883B65C2\ole32.pdb
76b10000 76b3a000 WINMM (pdb symbols) C:\MyLocalSymbols\winmm.pdb\CBD9B2B21EE74EE6BA95B56DCBD2A57F2\winmm.pdb
76bc0000 76bcb000 PSAPI (pdb symbols) C:\WINDOWS\symbols\DLL\psapi.pdb
76db0000 76dc2000 MSASN1 (pdb symbols) C:\MyLocalSymbols\msasn1.pdb\1AED0D31142F496E83481A9BF3DEF1A52\msasn1.pdb
770f0000 7717b000 OLEAUT32 (pdb symbols) C:\MyLocalSymbols\oleaut32.pdb\E04ECB48CAED47B2958C3D2C1094E23F2\oleaut32.pdb
77180000 77283000 comctl32 (pdb symbols) C:\MyLocalSymbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb
77bb0000 77bc5000 MSACM32 (pdb symbols) C:\WINDOWS\symbols\dll\msacm32.pdb
77bd0000 77bd8000 VERSION (pdb symbols) C:\WINDOWS\symbols\dll\version.pdb
77be0000 77c38000 msvcrt (pdb symbols) C:\WINDOWS\symbols\dll\msvcrt.pdb
77d10000 77da0000 USER32 (pdb symbols) C:\WINDOWS\symbols\dll\user32.pdb
77da0000 77e49000 ADVAPI32 (pdb symbols) C:\WINDOWS\symbols\dll\advapi32.pdb
77e50000 77ee3000 RPCRT4 (pdb symbols) C:\MyLocalSymbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
77ef0000 77f39000 GDI32 (pdb symbols) C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
77f40000 77fb6000 SHLWAPI (pdb symbols) C:\MyLocalSymbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
77fc0000 77fd1000 Secur32 (pdb symbols) C:\MyLocalSymbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
7c800000 7c91e000 kernel32 (pdb symbols) C:\MyLocalSymbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
7c920000 7c9b3000 ntdll (pdb symbols) C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000 SHELL32 (pdb symbols) C:\MyLocalSymbols\shell32.pdb\DF59C75CA10B4BF89B447BB924C4292C2\shell32.pdb
Exactly as expected!
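As an added example (not part of the original post), a small Python parser for the lm listings shown above: it reads each module's symbol state, maps a downstream-store path (<pdb>\<GUID+age>\<pdb>, the same layout as the SYMSRV URL in the noisy output) back to the symbol-server URL, and lists the modules that still have no real PDB (deferred, or export symbols only, as safemon ended up). The sample listing is constructed from lines on this page; the Microsoft server URL is the one in the page's SYMSRV line.

```python
import re

# Constructed sample in the format WinDbg's "lm" prints; the paths are the ones
# seen in this page's listings (a local downstream store and C:\WINDOWS\symbols).
LM_SAMPLE = """\
start    end        module name
01000000 0101f000   calc       (deferred)
10000000 100b0000   safemon    (export symbols)  C:\\Program Files\\360\\360Safe\\safemon\\safemon.dll
77ef0000 77f39000   GDI32      (pdb symbols)     C:\\MyLocalSymbols\\gdi32.pdb\\372C0F0E08FB456EAB7B4CB2B53E27952\\gdi32.pdb
7c920000 7c9b3000   ntdll      (pdb symbols)     C:\\WINDOWS\\symbols\\dll\\ntdll.pdb
"""

# start  end  name  (symbol kind)  [path]
LINE_RE = re.compile(r"^([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s+\(([^)]*)\)\s*(.*)$", re.I)
# Symbol-store layout: <pdb name>\<GUID><age>\<pdb name>; the middle component is the key.
STORE_RE = re.compile(r"[\\/]([^\\/]+\.pdb)[\\/]([0-9a-f]{33,})[\\/]\1$", re.I)
MS_SYMSRV = "http://msdl.microsoft.com/download/symbols"  # server named in the SYMSRV line above


def parse_lm(text):
    """Return one dict per module line of an lm listing; header lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start, end, name, kind, path = m.groups()
        mods.append({"name": name, "start": int(start, 16),
                     "size": int(end, 16) - int(start, 16),
                     "kind": kind, "path": path.strip()})
    return mods


def symsrv_url(path, server=MS_SYMSRV):
    """Map a downstream-store PDB path to the URL SYMSRV fetches it from.
    Returns None for a PDB outside a store, e.g. C:\\WINDOWS\\symbols\\dll\\ntdll.pdb."""
    m = STORE_RE.search(path)
    if not m:
        return None
    pdb, key = m.groups()
    return f"{server}/{pdb}/{key}/{pdb}"


def without_pdb(mods):
    """Modules still lacking a real PDB: deferred, or fallen back to export symbols."""
    return [m["name"] for m in mods if m["kind"] != "pdb symbols"]


def reload_commands(mods):
    """The .reload /f <module> commands that force symbol loading for those modules."""
    return [f".reload /f {name}" for name in without_pdb(mods)]


if __name__ == "__main__":
    mods = parse_lm(LM_SAMPLE)
    for m in mods:
        print(f"{m['name']:10} {m['kind']:15} {symsrv_url(m['path']) or '-'}")
    print("\n".join(reload_commands(mods)))
```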
/i ignores .pdb file version mismatches. (Without this parameter, the debugger does not load mismatched symbol files.) When /i is used, /f is applied as well even if it is not explicitly specified.
/l lists modules but does not reload their symbols. (In kernel mode, the output with this parameter is the same as that of the !drivers extension command.)
/n reloads only kernel symbols. This parameter does not reload any user-mode symbols. (This option can only be used in kernel-mode debugging.)
/o forces overwriting of cached files in the symbol server's downstream store. When this flag is used, /f must be included as well. By default, files in the downstream store are never overwritten.
Because the symbol server uses a different name for the symbols of each version of a binary, this option is not needed unless you are sure the downstream store is corrupted.
/s reloads all modules in the system's module image list. (When all parameters are omitted, this is the default behavior in kernel mode.) If you load a single system module by name during user-mode debugging, you must include /s.
/u unloads the specified module and all of its symbols. The debugger unloads any module whose name matches Module, regardless of its full path. The image name is also searched. For more information, see the Remarks section below.
/unl reloads symbols based on the image information in the unloaded module list.
/user reloads only user-mode symbols. (This option can only be used in kernel-mode debugging.)
/v turns on verbose display.
/w treats Module as a literal string. This stops the debugger from expanding wildcards.
The .reload /u command performs a broader search. The debugger first tries to match Module against the exact module name, regardless of path. If no match is found, Module is treated as the name of a loaded image. For example, if the HAL is named halacpi.dll in memory, either of the following commands unloads its symbols.
kd> .reload /u halacpi.dll
kd> .reload /u hal
If you are debugging in user mode and want to load a module that is not in the target's module list, you must use the /s option as in the following example.
0:000> .reload /u ntdll.dll
Unloaded ntdll.dll
0:000> .reload /s /f ntdll.dll
I tested the commands above:
0:001> lm
start end module name
00ad0000 00adf000 WordStrokeHelper32 (deferred)
01000000 0101f000 calc (deferred)
10000000 100b0000 safemon (deferred)
58fb0000 5917a000 AcGenral (deferred)
5adc0000 5adf7000 UxTheme (deferred)
5cc30000 5cc56000 ShimEng (deferred)
62c20000 62c29000 LPK (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (deferred)
73640000 7366e000 msctfime (deferred)
73fa0000 7400b000 USP10 (deferred)
74680000 746cc000 MSCTF (deferred)
759d0000 75a7f000 USERENV (deferred)
76300000 7631d000 IMM32 (deferred)
765e0000 76673000 CRYPT32 (deferred)
76680000 76726000 WININET (deferred)
76990000 76ace000 ole32 (deferred)
76b10000 76b3a000 WINMM (deferred)
76bc0000 76bcb000 PSAPI (deferred)
76db0000 76dc2000 MSASN1 (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 comctl32 (deferred)
77bb0000 77bc5000 MSACM32 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91e000 kernel32 (deferred)
7c920000 7c9b3000 ntdll (pdb symbols) C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
0:001> .reload /u kernel32
Unloaded kernel32
0:001> lm
start end module name
00ad0000 00adf000 WordStrokeHelper32 (deferred)
01000000 0101f000 calc (deferred)
10000000 100b0000 safemon (deferred)
58fb0000 5917a000 AcGenral (deferred)
5adc0000 5adf7000 UxTheme (deferred)
5cc30000 5cc56000 ShimEng (deferred)
62c20000 62c29000 LPK (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (deferred)
73640000 7366e000 msctfime (deferred)
73fa0000 7400b000 USP10 (deferred)
74680000 746cc000 MSCTF (deferred)
759d0000 75a7f000 USERENV (deferred)
76300000 7631d000 IMM32 (deferred)
765e0000 76673000 CRYPT32 (deferred)
76680000 76726000 WININET (deferred)
76990000 76ace000 ole32 (deferred)
76b10000 76b3a000 WINMM (deferred)
76bc0000 76bcb000 PSAPI (deferred)
76db0000 76dc2000 MSASN1 (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 comctl32 (deferred)
77bb0000 77bc5000 MSACM32 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c920000 7c9b3000 ntdll (pdb symbols) C:\WINDOWS\symbols\dll\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
The subsequent lm really no longer shows kernel32.dll,
but the program keeps running normally, and a look with IceSword (冰刃) shows kernel32.dll is clearly still there. I'm suspicious and don't understand this, so I'm noting it down here!
If a DLL is embedded inside an exe, by default only the exe's pdb is loaded; .reload gives a way to force-load the embedded one:
1. .sympath+ adds the folder containing the pdb to the symbol path
2. .reload /i ModuleName=BaseAddress,Size
Example:
0:001> lm
start end module name
00400000 00ad0000 test011 (deferred)
02810000 02b7a000 SOGOUWB (deferred)
An embedded DLL is actually attached right after 00ad0000.
Setting the pdb path: if the following does not work, add it under File -> Symbol File Path instead, and remember not to use a path containing Chinese characters.
0:001> .symfix+ E:\項目SVN
Load it:
0:001> .reload /i maincode_org=00AD0000,0024E000
*** WARNING: Unable to verify timestamp for maincode_org
0:001> x maincode_org!*
00ceb628 maincode_org!g_timeGetTime = 0x00000000
00cf8814 maincode_org!g_szMessage = 0x00000000 ""
00cfb504 maincode_org!g_pSetWindowPos = 0x0000000
This method can also be used to force-load other pdbs, for example when you need a structure defined in a particular pdb.
Summary
The above is all the content 生活随笔 collected and organized for you on WinDbg command notes 2 (!sym and .reload); hopefully the article helps you solve the problems you ran into.