The "Unable to load image ntoskrnl.exe" problem

Recently, while analysing a blue-screen dump, I found that symbols for the nt module could not be loaded, even though symbols for every other system driver loaded successfully:

3: kd> .reload /f nt
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Turn on verbose symbol-loading output:

3: kd> !sym noisy
noisy mode - symbol prompts on
3: kd> .reload /f nt
SYMSRV:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV:  d:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV:  d:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV:  d:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV:  d:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntoskrnl.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlup.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlpa.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlmp.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrpamp.exe - file not found
SYMSRV:  D:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV:  D:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV:  D:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV:  D:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV:  D:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGENG:  ntoskrnl.exe - Image mapping disallowed by non-local path.
Unable to load image ntoskrnl.exe, Win32 error 0n2
DBGENG:  ntoskrnl.exe - Partial symbol image load missing image info
DBGHELP: No header for ntoskrnl.exe.  Searching for dbg file
DBGHELP: .\ntoskrnl.dbg - file not found
DBGHELP: .\exe\ntoskrnl.dbg - path not found
DBGHELP: .\symbols\exe\ntoskrnl.dbg - path not found
DBGHELP: ntoskrnl.exe missing debug info.  Searching for pdb anyway
DBGHELP: Can't use symbol server for ntoskrnl.pdb - no header information available
DBGHELP: ntoskrnl.pdb - file not found
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
DBGHELP: nt - no symbols loaded

However, when I extracted ntoskrnl.exe from the other machine and analysed it in IDA, its symbols loaded correctly. So I copied the extracted ntoskrnl.exe into the path that WinDbg was searching, for example:

SYMSRV:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found

This time it finally loaded normally:

3: kd> .reload /f nt
DBGHELP: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - OK
DBGENG:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - Mapped image memory
DBGHELP: nt - public symbols  
         d:\mysymbol\ntkrnlmp.pdb\D7EA2B6682984A0E8697620F5571B7BF2\ntkrnlmp.pdb
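The path WinDbg probes in the log above follows the symbol-server layout for executable images: `<sympath>\<image name>\<TimeDateStamp><SizeOfImage>\<image name>`, where TimeDateStamp comes from the PE COFF header (8 uppercase hex digits) and SizeOfImage from the optional header (hex, no padding), giving `56BCC7865ec000` for this kernel. The following script, added here as an example and not part of the original post, reads those two fields from an image and stages the file at the path WinDbg expects, so you do not have to read it off a `!sym noisy` trace by hand. The symbol-store root `d:\mysymbol` is taken from the post; `build_sample_pe` constructs a minimal header purely for offline testing and is not a real image.

```python
import os
import shutil
import struct
import sys


def pe_image_index(data: bytes) -> str:
    """Return the symbol-server index for an executable image:
    COFF TimeDateStamp as 8 uppercase hex digits followed by
    SizeOfImage in lowercase hex, e.g. '56BCC7865ec000'."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("invalid PE signature")
    coff = e_lfanew + 4                      # COFF file header starts after "PE\0\0"
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # SizeOfImage sits at offset 56 in both PE32 and PE32+ optional headers
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return f"{timestamp:08X}{size_of_image:x}"


def symstore_components(image_name: str, data: bytes) -> tuple:
    """Path components relative to the store root: (name, index, name)."""
    return (image_name, pe_image_index(data), image_name)


def stage_image(store_root: str, image_path: str) -> str:
    """Copy the image into <store_root>\\<name>\\<index>\\<name> and return that path."""
    with open(image_path, "rb") as f:
        data = f.read()
    name = os.path.basename(image_path)
    dest = os.path.join(store_root, *symstore_components(name, data))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(image_path, dest)
    return dest


def build_sample_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32+ header used only for testing; not a real image."""
    hdr = bytearray(0x80 + 4 + 20 + 240)     # DOS stub, signature, COFF header, optional header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x84, 0x8664)        # Machine = AMD64
    struct.pack_into("<I", hdr, 0x84 + 4, timestamp)  # TimeDateStamp
    struct.pack_into("<H", hdr, 0x84 + 16, 240)       # SizeOfOptionalHeader
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<I", hdr, opt + 56, size_of_image)
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python stage_image.py d:\mysymbol C:\extracted\ntoskrnl.exe
    root, image = sys.argv[1], sys.argv[2]
    print("staged at", stage_image(root, image))
```

After staging, run `.reload /f nt` again; the `DBGHELP: ... - OK` line should now name the staged path, exactly as in the successful output above. Since the kernel image is taken from another machine, compare its hash against a known-good copy before trusting the analysis built on it.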

    Original author: 土豆吞噬者
    Original URL: https://www.jianshu.com/p/b835886c0e7e
    This article is reposted from the web solely to share knowledge; if it infringes your rights, please contact the blog owner to have it removed.