最近在分析一个蓝屏dump时发现,nt模块加载不了符号表,其他系统驱动的符号表都能加载成功
3: kd> .reload /f nt
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
激活详细符号加载信息
3: kd> !sym noisy
noisy mode - symbol prompts on
3: kd> .reload /f nt
SYMSRV: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV: d:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV: d:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV: d:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV: d:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntoskrnl.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlup.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlpa.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlmp.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrpamp.exe - file not found
SYMSRV: D:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV: D:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV: D:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV: D:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV: D:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGENG: ntoskrnl.exe - Image mapping disallowed by non-local path.
Unable to load image ntoskrnl.exe, Win32 error 0n2
DBGENG: ntoskrnl.exe - Partial symbol image load missing image info
DBGHELP: No header for ntoskrnl.exe. Searching for dbg file
DBGHELP: .\ntoskrnl.dbg - file not found
DBGHELP: .\exe\ntoskrnl.dbg - path not found
DBGHELP: .\symbols\exe\ntoskrnl.dbg - path not found
DBGHELP: ntoskrnl.exe missing debug info. Searching for pdb anyway
DBGHELP: Can't use symbol server for ntoskrnl.pdb - no header information available
DBGHELP: ntoskrnl.pdb - file not found
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
DBGHELP: nt - no symbols loaded
但是提取对方电脑上的ntoskrnl.exe用IDA分析,发现可以正确加载到符号表,于是我将提取到的ntoskrnl.exe放到windbg要找到的路径上去例如:
SYMSRV: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
结果这次终于正常加载上了
3: kd> .reload /f nt
DBGHELP: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - OK
DBGENG: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - Mapped image memory
DBGHELP: nt - public symbols
d:\mysymbol\ntkrnlmp.pdb\D7EA2B6682984A0E8697620F5571B7BF2\ntkrnlmp.pdb