当前位置: 文江博客话题详情

Windows 堆栈跟踪中的函数名称

发布于 2024-08-17 07:13:11 字数 1770 浏览 2 评论 0原文

如何恢复堆栈跟踪函数名称而不是 

    Event Type: Error
    Event Source:   abcd
    Event Category: None
    Event ID:   16
    Date:       1/3/2010
    Time:       10:24:10 PM
    User:       N/A
    Computer:   CMS01
    Description:
    Server.exe caused a  in module  at 2CA001B:77E4BEF7

    Build 6.0.0.334

    WorkingSetSize: 1291071488 bytes

    EAX=02CAF420  EBX=00402C88  ECX=00000000  EDX=7C82860C  ESI=02CAF4A8
    EDI=02CAFB68  EBP=02CAF470  ESP=02CAF41C  EIP=77E4BEF7  FLG=00000206
    CS=2CA001B   DS=2CA0023  SS=7C820023  ES=2CA0023   FS=7C82003B  GS=2CA0000

    2CA001B:77E4BEF7 (0xE06D7363 0x00000001 0x00000003 0x02CAF49C) 
    2CA001B:006DFAC7 (0x02CAF4B8 0x00807F50 0x00760D50 0x007D951C) 
    2CA001B:006DFC87 (0x00003561 0x7F6A0F38 0x008E7290 0x00021A6F) 
    2CA001B:0067E4C3 (0x00003561 0x00000000 0x02CAFBB8 0x02CAFB74) 
    2CA001B:00674CB2 (0x00003561 0x006EBAC7 0x02CAFB68 0x02CAFA64) 
    2CA001B:00402CA4 (0x00003560 0x00000000 0x00000000 0x02CAFBB8) 
    2CA001B:00402B29 (0x00003560 0x00000001 0x02CAFBB8 0x00000000) 
    2CA001B:00683096 (0x00003560 0x563DDDB6 0x00000000 0x02CAFC18) 
    2CA001B:00688E32 (0x02CAFC58 0x7C7BE590 0x00000000 0x00000000) 
    2CA001B:00689F0C (0x02CAFC58 0x7C7BE590 0x00000000 0x00650930) 
    2CA001B:0042E8EA (0x7F677648 0x7F677648 0x00CAFD6C 0x02CAFD6C) 
    2CA001B:004100CA (0x563DDB3E 0x00000000 0x00000000 0x008E7290) 
    2CA001B:0063AC39 (0x7F677648 0x02CAFD94 0x02CAFD88 0x77B5B540) 
    2CA001B:0064CB51 (0x7F660288 0x563DD9FE 0x00000000 0x00000000) 
    2CA001B:0063A648 (0x00000000 0x02CAFFEC 0x77E6482F 0x008E7290) 
    2CA001B:0063A74D (0x008E7290 0x00000000 0x00000000 0x008E7290) 
    2CA001B:77E6482F (0x0063A740 0x008E7290 0x00000000 0x00000000)
原文

How do I restore the stack trace function name instead of <UNKNOWN>?

    Event Type: Error
    Event Source:   abcd
    Event Category: None
    Event ID:   16
    Date:       1/3/2010
    Time:       10:24:10 PM
    User:       N/A
    Computer:   CMS01
    Description:
    Server.exe caused a  in module  at 2CA001B:77E4BEF7

    Build 6.0.0.334

    WorkingSetSize: 1291071488 bytes

    EAX=02CAF420  EBX=00402C88  ECX=00000000  EDX=7C82860C  ESI=02CAF4A8
    EDI=02CAFB68  EBP=02CAF470  ESP=02CAF41C  EIP=77E4BEF7  FLG=00000206
    CS=2CA001B   DS=2CA0023  SS=7C820023  ES=2CA0023   FS=7C82003B  GS=2CA0000

    2CA001B:77E4BEF7 (0xE06D7363 0x00000001 0x00000003 0x02CAF49C) 
    2CA001B:006DFAC7 (0x02CAF4B8 0x00807F50 0x00760D50 0x007D951C) 
    2CA001B:006DFC87 (0x00003561 0x7F6A0F38 0x008E7290 0x00021A6F) 
    2CA001B:0067E4C3 (0x00003561 0x00000000 0x02CAFBB8 0x02CAFB74) 
    2CA001B:00674CB2 (0x00003561 0x006EBAC7 0x02CAFB68 0x02CAFA64) 
    2CA001B:00402CA4 (0x00003560 0x00000000 0x00000000 0x02CAFBB8) 
    2CA001B:00402B29 (0x00003560 0x00000001 0x02CAFBB8 0x00000000) 
    2CA001B:00683096 (0x00003560 0x563DDDB6 0x00000000 0x02CAFC18) 
    2CA001B:00688E32 (0x02CAFC58 0x7C7BE590 0x00000000 0x00000000) 
    2CA001B:00689F0C (0x02CAFC58 0x7C7BE590 0x00000000 0x00650930) 
    2CA001B:0042E8EA (0x7F677648 0x7F677648 0x00CAFD6C 0x02CAFD6C) 
    2CA001B:004100CA (0x563DDB3E 0x00000000 0x00000000 0x008E7290) 
    2CA001B:0063AC39 (0x7F677648 0x02CAFD94 0x02CAFD88 0x77B5B540) 
    2CA001B:0064CB51 (0x7F660288 0x563DD9FE 0x00000000 0x00000000) 
    2CA001B:0063A648 (0x00000000 0x02CAFFEC 0x77E6482F 0x008E7290) 
    2CA001B:0063A74D (0x008E7290 0x00000000 0x00000000 0x008E7290) 
    2CA001B:77E6482F (0x0063A740 0x008E7290 0x00000000 0x00000000)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

眉目亦如画i 2024-08-24 07:13:11

获取完全相同的程序构建,objdump 它,并查看该地址处的函数。如果符号名称已从可执行文件中删除,这可能会有点困难。

如果程序代码是动态的,您可能必须将其运行到调试器中才能找到函数的地址。

如果程序被故意混淆和令人讨厌,并且它在运行时以某种方式随机化其函数地址(诸如病毒或复制保护代码之类的规避行为有时会这样做),那么所有的赌注都会失败。

一般情况:
找出导致崩溃的原因的最简单方法是按照必要的步骤在调试器中运行的应用程序实例中重现崩溃。所有其他方法都困难得多。这就是为什么开发人员通常不会花时间尝试解决没有已知方法可以重现的错误。

Get the exact same build of the program, objdump it, and have a look at what function is at the address. If symbol names have been stripped from the executable, this might be a little bit difficult.

If the program code is in any way dynamic, you may have to run it into a debugger to find the addresses of functions.

If the program is deliberately obfuscated and nasty, and it randomises its function addresses in some way at runtime (evasive things like viruses, or copy-protection code sometimes do this) then all bets are off.

In general:
The easiest way to find out what caused the crash is to follow the steps necessary to reproduce it in an instance of the application running in a debugger. All other approaches are much more difficult. This is why developers will often not spend time trying to tackle bugs which there are no known methods to reproduce.

回复 原文
横笛休吹塞上声 2024-08-24 07:13:11

当崩溃发生时,您需要在 exe 旁边放置调试信息文件 (.pdb)。
然后希望您的崩溃转储代码可以加载它并使用其中的信息。

You need to have the debug info file (.pdb) next to the exe when the crash occurs.
Then hopefully, your crash dumping code can load it and use the information in it.

回复 原文
遇到 2024-08-24 07:13:11

尝试从 IDE 运行相同的构建,暂停它并跳转到汇编中的地址。然后你可以切换到源代码并查看那里的功能。

至少在 Delphi 中是这样的。我也知道 Visual Studio 中存在这种可能性。

如果您的 IDE 中没有内置的,则必须使用像 OllyDbg 这样的调试器。运行导致错误的 exe 并在 OllyDbg 中暂停应用程序。从堆栈跟踪转到地址。
在 IDE 中打开一个类似的应用程序项目,运行并暂停它。搜索您在 OllyDbg 中看到的相同二进制模式,然后切换到源代码。

我知道的最后一种可能性是分析地图文件(如果您在构建过程中构建了它)。

Try to run the same built from your IDE, pause it and jump to the adresses in assembly. Then you can switch to source code and see the functions there.

At least that's how it works in Delphi. And I know of this possibility in Visual Studio as well.

If you don't have the built in your IDE, you have to use a Debugger like OllyDbg. Run the exe that caused the errors and pause the application in OllyDbg. Go to the adresses from the stack trace.
Open a similar application project in your IDE, run it and pause it. Search for the same binary pattern you see in OllyDbg and then switch to source code.

The last possibility I know is analysing the map file if you built it during your built.

回复 原文
十秒萌定你 2024-08-24 07:13:11

我使用 StackWalker - 只需将其编译到程序的源代码中,如果它崩溃了,您可以生成一个堆栈当时的跟踪,包括函数名称。

I use StackWalker - just compile it into the source of your program, and if it crashes you can generate a stack trace at that time, including function names.

回复 原文
帅冕 2024-08-24 07:13:11

最常见的原因是实际上您在指定地址没有模块。例如,当您取消引用未初始化的函数指针或使用无效的 this 指针调用虚拟函数时,就会发生这种情况。

这里的情况可能并非如此:“77E4BEF7”很可能是一个 Windows DLL,而 006DFAC7 是您的模块之一中的地址。为此,您不需要 PDB 文件:Windows 应该始终知道模块名称(.EXE 或 .DLL) - 事实上,它首先需要该模块名称才能找到正确的 PDB 文件。

现在,剩下的问题是为什么你没有模块信息。从上面的信息我无法判断这一点。您需要有关实际系统的信息。例如,如果有DEP吗?您的流程是否启用了 DEP?

The most common cause is that you in fact don't have a module at the specified address. This can happen e.g. when you dereference an uninitialized function pointer, or call a virtual function using an invalid this pointer.

This is probably not the case here: "77E4BEF7" is with very high probability a Windows DLL, and 006DFAC7 an address in one of your modules. You don't need PDB files for this: Windows should always know the module name (.EXE or .DLL) - in fact, it needs first that module name to even find the proper PDB file.

Now, the remaining question is why you don't have the module information. This I can't tell from the information above. You need information about the actual system. For instance, does if have DEP? Is DEP enabled for your process?

回复 原文
~没有更多了~

关于作者

羞稚

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

1CH1MKgiKxn9p

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

JackDx

文章 0 评论 0

信远

文章 0 评论 0

yaoduoduo1995

文章 0 评论 0

霞映澄塘

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文