如何使用WinDbg分析VC++应用程序的崩溃转储？

Question

如何使用WinDbg分析转储文件？

Answer 1

以下是一些可以帮助您的一般步骤:

首先,您必须更改编译器的设置,以便创建PDB文件,即使对于发布版本也是如此.Visual C++编译器的更高版本默认执行此操作,但在许多版本的Visual C++中,您必须自己执行此操作.创建程序数据库文件,然后保存这些文件的存档以及应用程序的每个版本.至关重要的是,应用程序的每个构建都有自己的一组PDB.例如,您不能仅仅使用与构建10相同的方法来检查构建15生成的转储.在项目的整个生命周期中,您最终会得到大量的PDB,因此请做好准备.

接下来,您需要能够识别生成转储文件的应用程序的确切版本.如果您正在创建自己的MiniDump(例如,通过调用MiniDumpWriteDump()),最简单的方法是简单地将MiniDump的部分文件名作为应用程序的完整版本号.您需要有一个合理的版本编号方案才能实现.在我的商店中,每次autobuilder创建构建时,我们将所有分支的构建号递增1.

现在您已收到客户的转储文件,您知道创建转储的应用程序的精确版本,并且您已找到此版本的PDB文件.

现在,您需要查看源代码管理的历史记录,并找到该软件的确切版本的源代码.执行此操作的最佳方法是在每次构建时将"标签"应用于分支.将标签的值设置为确切的版本号,并且在历史记录中很容易找到.

你几乎准备启动WinDbg/Visual C++:

1. 获取该应用程序版本的完整源代码树.将它放在硬盘上的一个单独的位置,比如c:\app_build_1.0.100应用程序版本1.0 build#100.
2. 获取应用程序的确切版本的二进制文件,并将它们放在硬盘驱动器上的某个位置.简单地安装该应用程序版本以获取二进制文件可能是最简单的.
3. 将PDB文件放在与步骤2中的二进制文件相同的位置.

现在您有两个查看转储文件的选项.您可以使用Visual Studio或WinDbg.使用Visual Studio更容易,但WinDbg更强大.大多数情况下,Visual Studio中的功能就足够了.

要使用Visual Studio,您所要做的就是打开转储文件,就像它是一个项目一样.打开后,"运行"转储文件(F5默认情况下),如果所有路径都设置正确,它将直接转到崩溃的代码,给你一个调用堆栈等.

要使用WinDbg,你必须跳过几个环节:

1. 启动WinDbg
2. 打开转储文件.(默认为Ctrl+ D)
3. 告诉WinDbg获取正确的MicroSoft符号文件.类型.symfix.这可能需要一些时间,因为它会从互联网上拉下大量的东西.
4. 告诉WinDbg符号(PDB文件)在哪里.键入.sympath+ c:\pdblocation,替换将PDB文件放在路径名的任何位置.确保你得到的加号,在那里与之间没有空格.sympath的和+标志,否则你会搞砸了第3步.
5. 告诉WinDbg源代码在哪里.键入.srcpath c:\app_build_1.0.100替换您从源代码管理获取代码的路径,以获取此版本的软件.
6. 告诉WinDbg分析转储文件.类型!analyze -v

片刻之后,如果所有内容都配置正确,WinDbg会将您带到崩溃的位置.在这一点上你有深挖应用程序的内存空间,关键部分,Windows等的状态万股期权但是,这是方法超出了本文的范围.

祝好运!

Answer 2

(see the "Dump" sections below)

Basic Tutorials and Demonstrations of Using WinDbg

• Installing and Configuring WinDbg (Windows Debug Tools)
• Mike Taulty - A word for WinDBG
• WinDbg Tutorials
• Windows Debuggers: Part 1: A WinDbg Tutorial

Different Ways to "Start"/Attach WinDBG

• Start Debugging with Windbg (includes how to debug an .msi)
• How to debug a Windows service
• Setting up Windows Debugging

Workspaces

Understanding how Workspaces work...

• Pimp up your debugger: Creating a custom workspace for windbg debugging
• Uncovering How Workspaces Work in WinDbg

Cmdtree

A "cmdtree" allows you to define a "menu" of debugger commands for easy access to frequently used commands without having to remember the terse command names.

You don't have to put all the command definitions into the same cmdtree text file....you can keep them separate and load multiple ones if you wish (they then get their own window).

• Amazing helper .cmdtree
• How do I make a cmdtree window dock at startup in WinDBG
• Making it easier to debug .net dumps in windbg using .cmdtree
• Microshaoft Cmdtree
• Special Command—Execute Commands from a Customized User Interface with .cmdtree

Startup Script

You can use the -c option on the command line to automatically run a WinDBG script when you start WinDBG.

Gives opportunity to turn on DML (Debugger markup language) mode, load particular extensions, set .NET exception breakpoints, set kernel flags (e.g. when kernel debugging you might need to change the DbgPrint mask so you see tracing information....ed nt!Kd_DEFAULT_Mask 0xffffffff), load cmdtrees, etc.

• http://yeilho.blogspot.co.uk/2012/10/windbg-init-script.html
• 掌控WinDBG

示例脚本:

$$ Include a directory to search for extensions
$$ (point to a source controlled or UNC common directory so that all developers get access)
.extpath+"c:\svn\DevTools\WinDBG\Extensions"
$$ When debugging a driver written with the Windows Driver Framework/KMDF
$$ load this extension that comes from the WinDDK.
!load C:\WinDDK\7600.16385.1\bin\x86\wdfkd.dll
!wdftmffile C:\WinDDK\7600.16385.1\tools\tracing\i386\wdf01009.tmf
$$ load some extensions
.load msec.dll
.load byakugan.dll
.load odbgext.dll
.load sosex
.load psscor4
$$ Make commands that support DML (Debugger Markup Language) use it
.prefer_dml 1
.dml_start
$$ Show NTSTATUS codes in hex by default
.enable_long_status 1
$$ Set default extension
.setdll psscor4
$$ Show all loaded extensions
.chain /D
$$ Load some command trees
.cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree1.txt
.cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree2.txt
$$ Show some help for the extensions
!wdfkd.help
!psscor4.help
.help /D

命令作弊表

• 崩溃转储分析海报v3.0
• SOS备忘单(.NET 2.0/3.0/3.5)
• WinDbg备忘单(开发艺术)
• WinDbg内核模式扩展命令Flashcards

扩展

"Extensions"允许您扩展WinDBG中支持的命令/功能范围.

• bigLasagne(bldbgexts&blwdbgue)
  - 汇编语法高亮显示和驱动程序映射工具)
  
  
• BigLib数字阅读器
  
  
• 的Byakugan
  -检测反调试方法,远景堆可视化/仿真,轨道缓冲器存储器
  
  
• 呼叫流量分析器+ KnExt
  
  
• CmdHist
  - 记录您在调试会话中执行的每个命令,以便您可以轻松地重新执行
  
  
• Core Analyzer
  - check heap structures for corruption, detect objects shared by threads, etc
  
  
• dom WinDBG Extension
  - (!stlpvector, !idt, !unhex, !grep, etc)
  
  
• dumppe
  - dumps PE file from memory
  
  
• Image Viewer Extension (Vladimir Vuki?evi?)
  
  
• Intel UEFI Development Kit Debugger Tool
  - debug UEFI firmware
  
  
• leaktrap
  - GDI/USER handle tracker to aid in leak detection
  
  
• Mona (requires PyKD)
  - set of commands to aid in advanced analysis/find exploits
  
  
• MSEC
  - provides automated crash analysis and security risk assessment
  
  
• narly
  - lists info about loaded modules such as if using SafeSEH, ASLR, DEP, /GS (Buffer Security Checks)
  
  
• netext (Rodney Viana)
  - (!wservice - list WCF service objects, !wconfig - show .config lines, !whttp - list HttpContexts, !wselect/!wfrom - support SQL like queries on arrays)
  
  
• ODbgExt
  - open debugger extensions
  
  
• OllyMigrate
  - pass debuggee to another debugger without restarting
  
  
• Psscor2
  - a superset of SOS for assisting in debugging .NET 2.0 managed code
  
  
• Psscor4
  - a superset of SOS for assisting in debugging .NET 4 managed code
  
  
• PyDBGExt
  - allows python scripting to be used
  
  
• PyKD
  - allows Python to be used to script WinDBG
  
  
• sdbgext (Nynaeve)
  -(!valloc, !vallocrwx, !heapalloc, !heapfree, !remotecall, !remotecall64, !loaddll, !unloaddll, !close, !killthread, !adjpriv, !ret)
  
  
• SieExtPub
  -legacy extension...now built into WinDBG in ext.dll
  
  
• SOSEX
  - more commands for helping to debug managed NET 2.0 or 4.0 code
  
  
• SPT/SDBGExt2 (Steve Niemitz)
  - (!DumpHttpContext, !DumpASPNetRequests, !DumpSqlConnectionPools, !DumpThreadPool, etc)
  
  
• Uniqstack
  - source to a debugger extension (need an OSR Online account to access it)
  
  
• viscope
  - code coverage graph
  
  
• Wait Chain Traversal/wct.dll (Codeplex Debugging Extensions
  - display wait chains of application threads (helps find deadlocks)
  
  
• windbgshark
  - integrates Wireshark protocol analyser to enable VM traffic manipulation and analysis
  
  
• WinDBG Extensions (Sasha Goldstein)
  - Tracer, WCT, heap_stat, bkb, traverse_map, traverse_vector)
  
  
• WinDBG Highlight (ColorWindbg.dll) [Use Google Translate to translate link]
  - asm syntax highlighting

Write your own extension

• Tools of the Trade: Part IV - Developing WinDbg Extension DLLs
• The Basics of Debugger Extensions: Short Term Effort, Long Term Gain

Using WinDBG to Debug Managed Code

• Breaking on an Exception
• Breaking on specific CLR Exception
• Debugging .Net framework source code within Windbg
• Debugging exceptions in managed code using Windbg
• Debugging managed code using WinDbg and SOS.dll
• Debugging with WinDbg. Deadlocks in Applications.
• MANAGED DEBUGGING with WINDBG. Introduction and Index
• Setting .NET breakpoints in Windbg for applications that crash on startup

Scripting (C#, PS, Python, WinDBG)

• KDAR (Kernel Debugger Anti Rootkit)
  - a collection of WinDBG scripts
  
  
• Sysnative BSOD Scripts/Processing Apps
  
  
• WinDBG Script library
  - a collection of WinDBG scripts
  
  
• Scripting MDbg and DbgHostLib
  - allows managed code to script the Managed Debugger (MDBG) and the DbgEng
  
  
• ExtCS
  - allows control of WinDBG via C# scripts
  
  
• PowerDBG
  - allows control of WinDBG via Powershell scripts
  
  
• Pykd
  - allows control of WinDBG via Python scripts
  
  
• windbglib
  - python wrapper library around the pykd extension for WinDBG, mimicking immlib (so you can use scripts originally written for Immunity Debugger)

Debuggers/Tools that use the dbgeng.dll API/WinDBG Tools

• A Simple Dbgeng Based User Mode Debugger
• Acorns.Debugging NET Deadlock Detector (uses cdb.exe) (download)
• CLR Managed Debugger (MDBG)
• DbgHost - How to control a debugging engine
• Debug Diagnostic Tool v1.2 (DebugDiag), Ver 2.0 + DebugDiag Blog
• Dynamorio - dynamic binary instrumentation tool which can interact with WinDBG
• IDA + WinDBG plugin
• GUI WinDBG
• LeakShell (find managed leaks)
• mdbglib - Managed Debug API
• PyDbgEng
  - python wrapper for Windows Debugging Engine
• SOSNET - a WinDBG Fork/alternative shell that concentrates on using the SOS extension and supports C# scripting
• SOSNET O2 fork - fork of SOSNET that uses Rosyln for the C# REPL (read-eval-print-loop) scripting engine
• VDB/Vivisect (kenshoto) - provides a cross-platform debugging API layered on WinDBG
• WinAppDbg + Heappie-WinAppDbg
• Writing a basic Windows debugger

Different Ways to Generate Crash Dump Files for Post-Mortem Analysis

• DebugDiag 2.0
• Dump Cheat Sheet
  - includes how to generate dump from Hyper-V, VMWare ESX, and XenServer VMs.
• Citrix SystemDump
• Keyboard Keypress Combination
• MiniDumpWriteDump
  - (via WIN32 API call inside your application). (Example for C# applications)
• NMI Switch, or (here)
  (hardware based feature to generate an NMI...usually found on high-end servers e.g. HP or you can obtain an add-in PCI card "Universal PCI Dump Switch"). Microsoft NMI technology background.
• Procdump
• System|Advanced System Settings|Startup and Recovery
  (registry info),
  (how to configure a Complete (Full) Memory Dump),
  (how to enable Complete Memory Dump),
  (how to enable Complete Memory Dump on Windows 7 when PC has lots of memory...normally not available when more than 2GB of memory)
• Task Manager "Create Dump File"
• UserDump, instructions (very old tool)
• UserModeProcessDumper, instructions
• Visual Studio "Save Dump As…"
• WER (Windows Error Reporting....local dumps)

Answer 3

这是一个非常广泛的问题。

1. 第一步是将转储文件加载到WinDbg实例中。
2. 接下来，您需要确保已设置符号。
3. 最后，您可以运行命令!analyze -v以对其执行基本分析。您需要为代码提供符号信息，以使转储文件有价值。

网站Memory Dump，软件跟踪，调试，恶意软件，受害者软件和情报分析门户网站对我来说非常有用。我也非常喜欢Mario Hewardt和Daniel Pravat撰写的《Advanced Windows Debugging》一书。