The "Unable to load image ntoskrnl.exe" problem

Recently, while analysing a blue-screen dump, I found that symbols could not be loaded for the nt module, while the symbols for all the other system drivers loaded fine:

3: kd> .reload /f nt
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Turn on verbose symbol loading to see where the debugger is looking:

3: kd> !sym noisy
noisy mode - symbol prompts on
3: kd> .reload /f nt
SYMSRV:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV:  d:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV:  d:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV:  d:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV:  d:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntoskrnl.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlup.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlpa.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlmp.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrpamp.exe - file not found
SYMSRV:  D:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV:  D:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV:  D:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV:  D:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV:  D:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGENG:  ntoskrnl.exe - Image mapping disallowed by non-local path.
Unable to load image ntoskrnl.exe, Win32 error 0n2
DBGENG:  ntoskrnl.exe - Partial symbol image load missing image info
DBGHELP: No header for ntoskrnl.exe.  Searching for dbg file
DBGHELP: .\ntoskrnl.dbg - file not found
DBGHELP: .\exe\ntoskrnl.dbg - path not found
DBGHELP: .\symbols\exe\ntoskrnl.dbg - path not found
DBGHELP: ntoskrnl.exe missing debug info.  Searching for pdb anyway
DBGHELP: Can't use symbol server for ntoskrnl.pdb - no header information available
DBGHELP: ntoskrnl.pdb - file not found
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
DBGHELP: nt - no symbols loaded

But when I pulled ntoskrnl.exe off the other machine and opened it in IDA, its symbols loaded correctly there, so I placed the extracted ntoskrnl.exe at the exact path WinDbg was probing, for example:

SYMSRV:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found

This time it finally loaded. The noisy log shows why: the symbol server had no copy of this particular ntoskrnl.exe build, and without the image DbgHelp has no PE header from which to read the PDB signature ("Can't use symbol server for ntoskrnl.pdb - no header information available"). Once the image sits at the store path it expects, DbgHelp reads the GUID from the image and locates ntkrnlmp.pdb:

3: kd> .reload /f nt
DBGHELP: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - OK
DBGENG:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - Mapped image memory
DBGHELP: nt - public symbols  
         d:\mysymbol\ntkrnlmp.pdb\D7EA2B6682984A0E8697620F5571B7BF2\ntkrnlmp.pdb
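The path WinDbg probed above is the symbol-store layout: for a PE image the directory is its TimeDateStamp (8 hex digits) followed by its SizeOfImage, and for a PDB it is the GUID plus Age taken from the image's RSDS debug record, which is exactly why the extracted kernel belongs at d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\. The following Python script is an added illustration, not part of the original post; it computes both keys from a constructed PE header and a constructed RSDS record that carry the values printed in the log (56BCC786/5ec000 and the D7EA2B66... GUID with age 2).

```python
import struct
import uuid
# Store layout searched by symsrv (matches the SYMSRV lines in the post):
#   <root>\<image>\<TimeDateStamp><SizeOfImage>\<image>  and  <root>\<pdb>\<GUID><Age>\<pdb>

def image_key(timestamp: int, size_of_image: int) -> str:
    # TimeDateStamp as 8 upper-case hex digits, SizeOfImage as unpadded lower-case hex
    return f"{timestamp:08X}{size_of_image:x}"

def pdb_key(guid_le: bytes, age: int) -> str:
    # the GUID is little-endian in the RSDS record; key = 32 upper-case hex digits + Age
    return f"{uuid.UUID(bytes_le=guid_le).hex.upper()}{age:x}"

def store_path(root: str, name: str, key: str) -> str:
    return f"{root}\\{name}\\{key}\\{name}"

def pe_image_key(data: bytes) -> str:
    """Read TimeDateStamp and SizeOfImage from a PE file and build its store key."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]            # COFF header
    size_of_image = struct.unpack_from("<I", data, e_lfanew + 24 + 56)[0]  # same offset in PE32/PE32+
    return image_key(timestamp, size_of_image)

def parse_rsds(record: bytes):
    """Parse a CodeView RSDS record (IMAGE_DIRECTORY_ENTRY_DEBUG) into (pdb name, key)."""
    assert record[:4] == b"RSDS", "not an RSDS record"
    age = struct.unpack_from("<I", record, 20)[0]
    pdb_path = record[24:record.index(b"\0", 24)].decode()
    return pdb_path.rsplit("\\", 1)[-1], pdb_key(record[4:20], age)

def build_sample_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32+ header, just enough for pe_image_key() (not a real image)."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                   # PE32+ magic
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def build_sample_rsds(guid: str, age: int, pdb_path: str) -> bytes:
    """Constructed RSDS record carrying a given GUID/Age (not read from a real image)."""
    return b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\0"

if __name__ == "__main__":   # values taken from the post's SYMSRV and DBGHELP lines
    print(store_path(r"d:\mysymbol", "ntoskrnl.exe", pe_image_key(build_sample_pe(0x56BCC786, 0x5EC000))))
    name, key = parse_rsds(build_sample_rsds("D7EA2B66-8298-4A0E-8697-620F5571B7BF", 2, "ntkrnlmp.pdb"))
    print(store_path(r"d:\mysymbol", name, key))
```

On a real image, feed pe_image_key() the file bytes and parse_rsds() the CodeView entry from the debug directory; the two printed paths are the directories where the image and its PDB must be placed for .reload to pick them up.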

**The dmp file output follows**

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\042516-38765-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at start of path element
Symbol search path is: SRV*C:\mysymbol*http://msdl.microsoft.com/download/symbols; SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.212.amd64fre.th2_release_sec.160328-1908
Machine Name:
Kernel base = 0xfffff800`5ca06000 PsLoadedModuleList = 0xfffff800`5cce4cd0
Debug session time: Mon Apr 25 14:00:16.636 2016 (UTC + 8:00)
System Uptime: 0 days 0:09:38.532
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
.......................................................
Loading User Symbols
Loading unloaded module list
........................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd0020017a280, ffffd0020017a1d8, 0}

Unable to load image \??\C:\WINDOWS\sysWOW64\drivers\topsecpf.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for topsecpf.sys
*** ERROR: Module load completed but symbols could not be loaded for topsecpf.sys
Probably caused by : topsecpf.sys ( topsecpf+7370 )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (139)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000003
Arg2: ffffd0020017a280
Arg3: ffffd0020017a1d8
Arg4: 0000000000000000

Debugging Details:
------------------

CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x139
PROCESS_NAME:  System
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from fffff8005cb532e9 to fffff8005cb48760
SYMBOL_ON_RAW_STACK:  1
STACK_ADDR_RAW_STACK_SYMBOL:  ffffd0020017a070
STACK_COMMAND:  dds FFFFD0020017A070-0x20 ; kb

STACK_TEXT:
ffffd002`0017a050  00000000
ffffd002`0017a054  ffffe001
ffffd002`0017a058  c565637b
ffffd002`0017a05c  fffff801
ffffd002`0017a060  3ddb1490
ffffd002`0017a064  ffffe001
ffffd002`0017a068  c6d57370
ffffd002`0017a06c  fffff801
ffffd002`0017a070  c6d57348
ffffd002`0017a074  fffff801
ffffd002`0017a078  00000000
ffffd002`0017a07c  00000000
ffffd002`0017a080  00000000
ffffd002`0017a084  00000000
ffffd002`0017a088  00000000
ffffd002`0017a08c  00000000
ffffd002`0017a090  c6d19700
ffffd002`0017a094  fffff801
ffffd002`0017a098  5cb53610
ffffd002`0017a09c  fffff800
ffffd002`0017a0a0  00000002
ffffd002`0017a0a4  00000000
ffffd002`0017a0a8  0017a4b0
ffffd002`0017a0ac  ffffd002
ffffd002`0017a0b0  0000ad13
ffffd002`0017a0b4  00000000
ffffd002`0017a0b8  00000000
ffffd002`0017a0bc  00000000
ffffd002`0017a0c0  3dfe7b70
ffffd002`0017a0c4  ffffe001
ffffd002`0017a0c8  c624f303
ffffd002`0017a0cc  fffff801

FOLLOWUP_IP:
topsecpf+7370
fffff801`c6d57370 90              nop

SYMBOL_NAME:  topsecpf+7370
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: topsecpf
IMAGE_NAME:  topsecpf.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4d6da0f2
FAILURE_BUCKET_ID:  X64_0x139_topsecpf+7370
BUCKET_ID:  X64_0x139_topsecpf+7370

Followup: MachineOwner
---------