  • windows dump debugging
    2011. 5. 3.
    Windows dump file analysis tool (WinDbg)


    To use WinDbg, the following steps are required:
    1. Install WinDbg
    2. Install the OS symbols
    3. Identify the problem


    Install and run the dump analysis tool from the link above, then in the
    File menu choose Open Crash Dump and select the dump file.
    ※ To analyze a dump file, you need a dump file that was generated by a crash. Such dump files help in finding problems with memory state, drivers, and so on.


    After selecting and opening the dump file, a symbol error occurs as shown below.
    The symbol files for the OS on which the dump was created must be present before the error can be debugged.

    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Users\morenice\Desktop\Mini010511-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is: 
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
    Product: WinNt
    Machine Name:
    Kernel base = 0x804d9000 PsLoadedModuleList = 0x805654c0
    Debug session time: Wed Jan  5 09:09:04.830 2011 (GMT+9)
    System Uptime: 0 days 0:28:09.619
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ......
    Loading User Symbols
    Loading unloaded module list
    ............
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {e552f000, 0, 804dc2c0, 1}

    *** WARNING: Unable to verify timestamp for mssmbios.sys
    *** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: nt!_KPRCB                                     ***
    ***                                                                   ***
    *************************************************************************
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: nt!_KPRCB                                     ***
    ***                                                                   ***
    *************************************************************************
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    Probably caused by : ntoskrnl.exe ( nt+32c0 )

    Followup: MachineOwner



     Install the symbols for the OS on which the dump occurred.

     After installing the symbols, set an environment variable so that WinDbg can access the symbols.

     Variable: _NT_SYMBOL_PATH
     Value:    c:\windows\symbols


    Run WinDbg again, load the dump file, and confirm that it loads successfully.

    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Users\morenice\Desktop\Mini010511-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: C:\Windows\symbols
    Executable search path is: 
    Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
    Product: WinNt
    Machine Name:
    Kernel base = 0x804d9000 PsLoadedModuleList = 0x805654c0
    Debug session time: Wed Jan  5 09:09:04.830 2011 (GMT+9)
    System Uptime: 0 days 0:28:09.619
    Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ......
    Loading User Symbols
    Loading unloaded module list
    ............
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {e552f000, 0, 804dc2c0, 1}

    *** WARNING: Unable to verify timestamp for mssmbios.sys

    Could not read faulting driver name
    Probably caused by : ntoskrnl.exe ( nt!strlen+3a )

    Followup: MachineOwner



    A simple command for analysis is !analyze -v.

    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: e552f000, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 804dc2c0, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000001, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name

    READ_ADDRESS:  e552f000 

    FAULTING_IP: 
    nt!strlen+3a
    804dc2c0 ??              ???

    MM_INTERNAL_CODE:  1

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    BUGCHECK_STR:  0x50

    LAST_CONTROL_TRANSFER:  from 8052b1b8 to 805396ba

    STACK_TEXT:  
    97310aec 8052b1b8 00000050 e552f000 00000000 nt!MiRemoveUnusedSegments+0x423
    97310b3c 804e2956 00000000 e552f000 00000000 nt!GUID_DOCK_INTERFACE+0x2b8
    97310b54 804dc2c0 badb0d00 97310bd8 00000000 nt!Dr_kitb_a+0x19
    97310b58 badb0d00 97310bd8 00000000 00000000 nt!strlen+0x3a
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    97310be4 806377bf 884ec7e0 00000de0 97310c24 0xbadb0d00
    97310c04 805fedfc 884ec7e0 00000de0 97310c24 nt!RtlpSysVolCheckOwnerAndSecurity+0x25c
    97310c48 8058edb4 89ea8bd0 03a40000 97310d18 nt!RtlpAddIntersectingRanges+0xff
    97310ca4 8057caa8 00000018 8855bba8 97310d18 nt!CmpMapCmView+0x208
    97310d34 804df99f 0000026c ffffffff 0013ca14 nt!IopXxxControlFile+0x1a6
    97310d64 7c93e514 badb0d00 0013c9d0 00000000 nt!ZwSetSystemPowerState+0xf
    97310d74 00000000 00000000 00000000 00000000 0x7c93e514


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    nt!strlen+3a
    804dc2c0 ??              ???

    SYMBOL_STACK_INDEX:  3

    SYMBOL_NAME:  nt!strlen+3a

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME:  ntoskrnl.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6eda6

    FAILURE_BUCKET_ID:  0x50_nt!strlen+3a

    BUCKET_ID:  0x50_nt!strlen+3a

    Followup: MachineOwner


    We confirmed that the problem was caused by a driver module referencing invalid memory.
    Which module produced this result, and why, will probably only become clear after learning more about how to use the tool.
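    The session output above carries the three things a practitioner checks before trusting a bugcheck analysis: whether a symbol path was set at all (the first session prints "*** Invalid ***" and "Kernel symbols are WRONG"), whether the loaded symbols matched the image (both sessions on this page still print "Unable to verify timestamp for ntoskrnl.exe" after the symbol path was set, which is why the stack should be read with care), and where WinDbg itself stops trusting the stack ("Frame IP not in any known module"). The following Python is an added example, not code from the post or from the Debugging Tools for Windows; it parses a constructed excerpt of the session text shown above (only a subset of the lines, with the same values) and reduces it to a small verdict. The function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the second WinDbg session and the
# !analyze -v block shown in the post (same values, fewer lines).
SESSION = r"""Symbol search path is: C:\Windows\symbols
Executable search path is: 
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
BugCheck 50, {e552f000, 0, 804dc2c0, 1}
*** WARNING: Unable to verify timestamp for mssmbios.sys
Probably caused by : ntoskrnl.exe ( nt!strlen+3a )
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: e552f000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804dc2c0, If non-zero, the instruction address which referenced the bad memory
Arg4: 00000001, (reserved)
STACK_TEXT:  
97310aec 8052b1b8 00000050 e552f000 00000000 nt!MiRemoveUnusedSegments+0x423
97310b58 badb0d00 97310bd8 00000000 00000000 nt!strlen+0x3a
WARNING: Frame IP not in any known module. Following frames may be wrong.
97310be4 806377bf 884ec7e0 00000de0 97310c24 0xbadb0d00
97310d74 00000000 00000000 00000000 00000000 0x7c93e514


STACK_COMMAND:  kb
FAILURE_BUCKET_ID:  0x50_nt!strlen+3a
"""

# Constructed sample of the header the first session on the page printed.
INVALID_HEADER = """Symbol search path is: *** Invalid ***
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
# A kb frame: ChildEBP RetAddr Args-to-Child (3) then the symbol/address.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")
BUGCHECK_NAMES = {0x50: "PAGE_FAULT_IN_NONPAGED_AREA"}


@dataclass
class Report:
    symbol_path: Optional[str] = None
    symbols_ok: bool = False                      # a usable symbol path was set
    unverified_modules: List[str] = field(default_factory=list)
    bugcheck: Optional[int] = None
    args: List[int] = field(default_factory=list)
    bucket: Optional[str] = None
    frames: List[Tuple[str, bool]] = field(default_factory=list)  # (symbol, trusted)


def parse_session(text: str) -> Report:
    """Extract symbol status, bugcheck data and the kb stack from WinDbg output."""
    rep = Report()
    trusted = True       # flips once WinDbg warns that frame IPs are unknown
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Symbol search path is:"):
            rep.symbol_path = line.split(":", 1)[1].strip()
            rep.symbols_ok = rep.symbol_path != "*** Invalid ***"
        elif "Kernel symbols are WRONG" in line:
            rep.symbols_ok = False
        elif line.startswith("*** WARNING: Unable to verify timestamp for "):
            rep.unverified_modules.append(line.rsplit(" ", 1)[1])
        elif (m := BUGCHECK_RE.match(line)):
            rep.bugcheck = int(m.group(1), 16)
            rep.args = [int(a, 16) for a in m.group(2).split(",")]
        elif line.startswith("FAILURE_BUCKET_ID:"):
            rep.bucket = line.split(":", 1)[1].strip()
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if line.startswith("STACK_COMMAND:"):
                in_stack = False
            elif line.startswith("WARNING: Frame IP not in any known module"):
                trusted = False
            elif (m := FRAME_RE.match(line)):
                rep.frames.append((m.group(1), trusted))
    return rep


def describe_0x50(args: List[int]) -> dict:
    """Name the four 0x50 arguments using the meanings !analyze -v prints."""
    addr, op, ip, _reserved = args
    return {
        "referenced_address": f"0x{addr:08x}",
        "operation": "write" if op == 1 else "read",
        "faulting_ip": f"0x{ip:08x}" if ip else None,
    }


def assess(rep: Report) -> dict:
    """Summarise how far the analysis can be trusted and what it says."""
    first_untrusted = next((sym for sym, ok in rep.frames if not ok), None)
    name = None
    if rep.bugcheck is not None:
        name = BUGCHECK_NAMES.get(rep.bugcheck, f"0x{rep.bugcheck:x}")
    return {
        "bugcheck": name,
        # Symbols are only reliable when a path was set AND every image's
        # timestamp was verified against its PDB.
        "symbols_reliable": rep.symbols_ok and not rep.unverified_modules,
        "unverified_modules": list(rep.unverified_modules),
        "bucket": rep.bucket,
        "first_untrusted_frame": first_untrusted,
        "details": describe_0x50(rep.args) if rep.bugcheck == 0x50 else None,
    }


if __name__ == "__main__":
    for key, value in assess(parse_session(SESSION)).items():
        print(f"{key}: {value}")
```

    Run on the page's own output, the verdict reports bugcheck PAGE_FAULT_IN_NONPAGED_AREA, a read of 0xe552f000 from 0x804dc2c0, bucket 0x50_nt!strlen+3a, symbols not reliable because ntoskrnl.exe and mssmbios.sys could not be timestamp-verified, and 0xbadb0d00 as the first frame WinDbg itself does not trust. The first session's header parses to symbols_ok being false, matching the "fix symbols to do analysis" message it printed.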

    • Once WinDbg is installed, the manual is available at:
      C:\Program Files\Debugging Tools for Windows\Debugger.chm

