!process 0 0 - NT symbols are incorrect, please fix symbols

I get the same error every time I use !process 0 0 - whether or not I am in kernel debugging mode does not seem to make any difference.

This is the command chain when opening notepad.exe:

Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\Windows\System32\notepad.exe

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
DBGHELP: Symbol Search Path: cache*;SRV*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00007ff6`27eb0000 00007ff6`27ee8000   notepad.exe
ModLoad: 00007ffe`fb890000 00007ffe`fba86000   ntdll.dll
ModLoad: 00007ffe`f9990000 00007ffe`f9a4d000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe`f90b0000 00007ffe`f9379000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe`fb820000 00007ffe`fb84a000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe`f8fd0000 00007ffe`f8ff2000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe`f9580000 00007ffe`f968b000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe`f9380000 00007ffe`f941d000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe`f9420000 00007ffe`f9520000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe`faff0000 00007ffe`fb190000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe`fa110000 00007ffe`fa466000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe`fb440000 00007ffe`fb56b000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe`fadc0000 00007ffe`fae6e000   C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe`fa4d0000 00007ffe`fa56e000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe`e2d70000 00007ffe`e300b000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.746_none_ca02b4b61b8320a4\COMCTL32.dll
(1208.ff0): Break instruction exception - code 80000003 (first chance)
SYMSRV:  BYINDEX: 0x1
         C:\ProgramData\Dbg\sym
         ntdll.pdb
         432F2B8588C52E47219EE25E35F653491
SYMSRV:  PATH: C:\ProgramData\Dbg\sym\ntdll.pdb2F2B8588C52E47219EE25E35F653491\ntdll.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: ntdll - public symbols  
        C:\ProgramData\Dbg\sym\ntdll.pdb2F2B8588C52E47219EE25E35F653491\ntdll.pdb
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffe`fb960670 cc              int     3

The .sympath command:

0:000> .sympath 
Symbol search path is: srv*
Expanded Symbol search path is: cache*;SRV*https://msdl.microsoft.com/download/symbols

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred  

The .reload command:

0:000> .reload
Reloading current modules
...............SYMSRV:  BYINDEX: 0x3
         C:\ProgramData\Dbg\sym
         ntdll.pdb
         432F2B8588C52E47219EE25E35F653491
SYMSRV:  PATH: C:\ProgramData\Dbg\sym\ntdll.pdb2F2B8588C52E47219EE25E35F653491\ntdll.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: ntdll - public symbols  
        C:\ProgramData\Dbg\sym\ntdll.pdb2F2B8588C52E47219EE25E35F653491\ntdll.pdb

Finally, the !process 0 0 command:

0:000> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
Could not get address of nt!KdVersionBlock.
unable to get nt!MmUserProbeAddress
NT symbols are incorrect, please fix symbols

I don't know what is going on here. I tried deleting the sym\ntdll.pdb folder and downloading it again, but to no avail.


Edit - more information, as requested:

0:000> !lmi nt
Loaded Module Info: [nt] 
DBGHELP: SharedUserData - virtual symbol module
nt not found
0:000> vertarget
Windows 10 Version 19042 MP (16 procs) Free x64
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Build layer:            -> 
Build layer:            -> 
Build layer:            -> 
Machine Name:
Debug session time: Wed Mar 10 18:26:22.757 2021 (UTC + 1:00)
System Uptime: 0 days 14:38:24.474
Process Uptime: 0 days 0:00:51.162
  Kernel time: 0 days 0:00:00.015
  User time: 0 days 0:00:00.000


0:000> lm
start             end                 module name
00007ff6`54910000 00007ff6`54948000   notepad    (deferred)             
00007ffe`f9c40000 00007ffe`f9eda000   COMCTL32   (deferred)             
00007fff`09350000 00007fff`09372000   win32u     (deferred)             
00007fff`09540000 00007fff`095dd000   msvcp_win   (deferred)             
00007fff`09690000 00007fff`09959000   KERNELBASE   (deferred)             
00007fff`099e0000 00007fff`09ae0000   ucrtbase   (deferred)             
00007fff`09b30000 00007fff`09c3b000   gdi32full   (deferred)             
00007fff`09c70000 00007fff`09d0e000   msvcrt     (deferred)             
00007fff`09e20000 00007fff`09ece000   shcore     (deferred)             
00007fff`0a8d0000 00007fff`0a98d000   KERNEL32   (deferred)             
00007fff`0aa60000 00007fff`0aa8a000   GDI32      (deferred)             
00007fff`0aad0000 00007fff`0ac70000   USER32     (deferred)             
00007fff`0ad00000 00007fff`0ae2b000   RPCRT4     (deferred)             
00007fff`0b810000 00007fff`0bb65000   combase    (deferred)             
00007fff`0bc10000 00007fff`0be05000   ntdll      (pdb symbols)          C:\ProgramData\Dbg\sym\ntdll.pdbF12BFE149A2F50205C8D5D66290B481\ntdll.pdb
0:000> .reload /f nt

"nt" was not found in the image list.
Debugger will attempt to load "nt" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
SYMSRV:  BYINDEX: 0xD
         C:\ProgramData\Dbg\sym
         nt
         FFFFFFFE
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\nt - path not found
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\n_ - path not found
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\file.ptr - path not found
SYMSRV:  RESULT: 0x80070003
SYMSRV:  BYINDEX: 0xE
         C:\ProgramData\Dbg\sym*https://msdl.microsoft.com/download/symbols
         nt
         FFFFFFFE
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\nt - path not found
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\n_ - path not found
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/nt/FFFFFFFE/nt
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /download/symbols/nt/FFFFFFFE/n_
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /download/symbols/nt/FFFFFFFE/file.ptr
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
DBGHELP: C:\WINDOWS\system32\nt - file not found
SYMSRV:  BYINDEX: 0xF
         https://msdl.microsoft.com/download/symbols
         nt
         FFFFFFFE
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\nt - path not found
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\n_ - path not found
SYMSRV:  UNC: C:\ProgramData\Dbg\sym\nt\FFFFFFFE\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/nt/FFFFFFFE/nt
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /download/symbols/nt/FFFFFFFE/n_
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /download/symbols/nt/FFFFFFFE/file.ptr
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
DBGENG:  nt - Image mapping disallowed by non-local path.
DBGHELP: No header for nt.  Searching for dbg file
DBGHELP: .\nt.dbg - file not found
DBGHELP: nt missing debug info.  Searching for pdb anyway
DBGHELP: Can't use symbol server for nt.pdb - no header information available
DBGHELP: nt.pdb - file not found
*** WARNING: Unable to verify timestamp for nt
*** ERROR: Module load completed but symbols could not be loaded for nt
DBGHELP: nt_0 - no symbols loaded
Unable to add module at 00000000`00000000

!process 0 0 will only work in attach-to-kernel mode, with Windows kernel debugging turned on.

To use !pte in a process, you must set the process context with .process /p pid - pid is a process ID, listed with !process 0 0.

To use !vtop, you must specify the process directoryBase [along with the virtual address], which is also listed with !process 0 0.
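The kernel-mode sequence the answer describes, written out as an added example of debugger commands (it is not from the question or the answer above): confirm that the kernel image is loaded, find the target process with !process, switch into its context with .process, and then resolve a virtual address with !pte and !vtop. notepad.exe is assumed to be the process of interest; the EPROCESS address, DirBase and virtual address are constructed sample values and must be replaced with what your own !process output shows. Note that in this example .process is given the EPROCESS address that !process prints, not the Cid.

```windbg
$$ Added example (not from the original post): kernel-mode walk-through
$$ for !process / .process / !pte / !vtop. Run this in a kernel debugging
$$ session (kd, or WinDbg attached via "Attach to kernel"). In a user-mode
$$ session, as in the question, nt is not in the image list at all, so
$$ !process fails with "NT symbols are incorrect, please fix symbols".

$$ 1. Use the public symbol server and reload, so that kernel symbols such
$$    as nt!KdVersionBlock and nt!MmUserProbeAddress can be resolved.
.symfix
.reload

$$ 2. Confirm the kernel is loaded: this must list nt, not "nt not found".
lm m nt

$$ 3. List processes (0 0 = minimal detail). An image name filters the
$$    output to that process only.
!process 0 0 notepad.exe
$$    Sample output (constructed values, shape as printed by !process):
$$    PROCESS ffffd18e4d5c5080
$$        SessionId: 1  Cid: 1208    Peb: 00a3e000  ParentCid: 0f44
$$        DirBase: 1a2b3c000  ObjectTable: ...  HandleCount: ...
$$        Image: notepad.exe

$$ 4. Switch the debugger into that process's context. .process takes the
$$    EPROCESS address from step 3; /p forces the page directory switch so
$$    the target's user-mode pages are readable, /r reloads its user-mode
$$    symbols.
.process /p /r ffffd18e4d5c5080

$$ 5. Walk the page tables for a virtual address inside the target. The
$$    sample address (constructed) is the notepad.exe image base.
!pte 00007ff6`54910000

$$ 6. Translate the same virtual address to a physical address. 0 means
$$    "use the current process context" set in step 4; to resolve for a
$$    process without switching context, pass the page frame number of its
$$    DirBase instead (the DirBase value with its low three hex digits
$$    dropped, i.e. 1a2b3c for the sample DirBase 1a2b3c000).
!vtop 0 00007ff6`54910000
!vtop 1a2b3c 00007ff6`54910000

$$ 7. Return to the implicit (interrupted) process context.
.process
```

If step 2 prints "nt not found", the debugger is attached to a user-mode process and the rest of the sequence cannot work; no amount of symbol reloading changes that, because the kernel image is never mapped in a user-mode session.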