How does WinDbg determine which OS symbols to download for a dump file
When I do a dump file analysis, I set up the symbol path to point to the Microsoft symbol server. How does WinDbg know what OS the dump file was generated under, and how does it download the correct symbols for that OS?
To match symbols to a binary, WinDbg looks at something called Debug Directories. Debug Directories are sections in PE modules (PE being the file format Windows uses for all types of executables). Debug Directories simply contain links to the types of debug information. If you type the command

link /dump /headers <my_module_name>

in a cmd window, it will print out something like this: This is output for ntdll.dll. You can see that the CV (for CodeView) debug information is contained in ntdll.pdb, and the GUID of that PDB has to match the one in the link. That GUID is generated randomly for each module at build time.

The command

!lmi

in WinDbg will also dump this information, in a different format. What WinDbg does when loading symbols from a symbol server is send the symbol server a request for a file named 'ntdll.pdb' with the matching GUID.
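As an added illustration (not part of the answer above), the following Python parses the CodeView "RSDS" record that a PE debug directory entry points to, builds the path a debugger requests from a symbol server from it, and performs the GUID comparison the answer describes. The record layout and the request path format ("file/GUID+age/file", where the PDB's age is part of the key alongside the GUID) are standard; the sample record bytes are constructed, not taken from a real ntdll.dll.

```python
import struct
import uuid
from dataclasses import dataclass


@dataclass
class CodeViewRecord:
    guid: uuid.UUID
    age: int
    pdb_path: str


def parse_rsds(data: bytes) -> CodeViewRecord:
    """Parse the CodeView record referenced by an IMAGE_DEBUG_TYPE_CODEVIEW
    debug directory entry.
    Layout: 'RSDS' | GUID (16 bytes, little-endian fields) | Age (u32 LE)
            | NUL-terminated PDB path (as recorded by the linker)."""
    if len(data) < 24 or data[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record (older NB10 records are not handled here)")
    guid = uuid.UUID(bytes_le=data[4:20])
    (age,) = struct.unpack_from("<I", data, 20)
    end = data.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    return CodeViewRecord(guid, age, data[24:end].decode("utf-8", errors="replace"))


def symsrv_request_path(rec: CodeViewRecord) -> str:
    """Relative path a debugger appends to the symbol server URL:
    <pdbname>/<GUID as 32 uppercase hex digits><age in hex>/<pdbname>.
    Only the file name is used; the build machine's directory is dropped."""
    name = rec.pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{name}/{rec.guid.hex.upper()}{rec.age:X}/{name}"


def pdb_matches(rec: CodeViewRecord, pdb_guid: uuid.UUID, pdb_age: int) -> bool:
    """The acceptance check: the GUID and age stored inside the downloaded PDB
    must equal the ones recorded in the module, otherwise the PDB is rejected."""
    return rec.guid == pdb_guid and rec.age == pdb_age


# Constructed sample record (hypothetical GUID, age 2, not real ntdll data).
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_RECORD = (b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2)
                 + b"d:\\build\\ntdll.pdb\x00")

if __name__ == "__main__":
    rec = parse_rsds(SAMPLE_RECORD)
    print(rec)
    print(symsrv_request_path(rec))
```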