Published: 2014-3-20 11:46
Category: Debug_Crack
Debugging Calculator with WinDbg, with noisy symbol mode turned on:
0:004> !sym noisy
noisy mode - symbol prompts on
Type lm to list the loaded modules. Sogou Pinyin usually injects itself into every process, and the PDB for a Sogou module certainly cannot be found, so type the command below;
in noisy mode WinDbg prints the order in which it searches:
0:004> ld PicFace64
SYMSRV: e:\symbols\serversymbols\PicFace64.pdb\0BF59D5211E643CA967428FCC8C97BAA31\PicFace64.pdb not found
DBGHELP: e:\symbols\mysymbols\PicFace64.pdb - file not found
DBGHELP: e:\symbols\mysymbols\dll\PicFace64.pdb - file not found
DBGHELP: e:\symbols\mysymbols\symbols\dll\PicFace64.pdb - file not found
DBGHELP: e:\symbols\extsym\PicFace64.pdb - file not found
DBGHELP: e:\symbols\extsym\dll\PicFace64.pdb - file not found
DBGHELP: e:\symbols\extsym\symbols\dll\PicFace64.pdb - file not found
SYMSRV: 无法与服务器建立连接
SYMSRV: e:\symbols\serversymbols\PicFace64.pdb\0BF59D5211E643CA967428FCC8C97BAA31\PicFace64.pdb not found
SYMSRV:http://msdl.microsoft.com/download/symbols/PicFace64.pdb/0BF59D5211E643CA967428FCC8C97BAA31/PicFace64.pdb not found
DBGHELP: D:\x64\Program Files (x86)\SogouInput\Components\PicFace\1.0.0.925\PicFace64.pdb - file not found
DBGHELP:e:\project\sogouime\branch\PinyinDev_R_7_1_Final\Bin\SogouPdb\Component\PicFace\PicFace64.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\x64\Program Files (x86)\SogouInput\Components\PicFace\1.0.0.925\PicFace64.dll -
DBGHELP: PicFace64 - export symbols
Symbols loaded for PicFace64
The symbol path I set is:
E:\symbols\Serversymbols;E:\symbols\mysymbols;E:\symbols\Extsym;srv*E:\symbols\Serversymbols*http://msdl.microsoft.com/download/symbols
You can see that WinDbg first walks the entries of the Symbol Path we set, in order, then looks in the directory the DLL was loaded from, and finally tries the PDB path that was embedded in the module's debug directory at build time:
Debug Directories
Time Type Size RVA Pointer
-------- ------ -------- -------- --------
53203291 cv 74 000D3B88 D2B88 Format: RSDS, {641F091E-5621-493B-A79C-2D2D1766A915}, 52, e:\project\sogouime\branch\PinyinDev_R_7_1_Final\Bin\SogouPdb\Component\PicFace\PicFace.pdb
So when debugging a driver, even if we do not copy the PDB into the symbol path we configured, WinDbg will eventually find the matching PDB. The price is that, on a bad network, you sit and wait while WinDbg confirms with the online server that it has no PDB, and only then does it try the path embedded in our driver. On our company's lousy network, for example, that wait is about half a minute every time.
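The probe sequence in the noisy log above is predictable from the module's RSDS record and the symbol path. The following is an added example, not part of the original post: it parses a constructed RSDS record (GUID, age and path taken from the PicFace64 output quoted above), derives the symsrv key WinDbg used in its server lookup, and lists the candidate locations in the order the log shows. Plain directories are modelled with the three DBGHELP probes seen above; the log's treatment of E:\symbols\Serversymbols itself as a symbol store (because it is also the srv* cache) is not modelled.

```python
import struct
import uuid

def build_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Pack an RSDS (CodeView 7.0) record as stored in a PE debug directory."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"

def parse_rsds(blob: bytes):
    """Return (guid, age, embedded pdb path) from an RSDS record."""
    if blob[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=blob[4:20])          # GUID is stored little-endian in the PE
    age = struct.unpack_from("<I", blob, 20)[0]
    path = blob[24:blob.index(b"\x00", 24)].decode("ascii")
    return guid, age, path

def symsrv_key(guid: uuid.UUID, age: int) -> str:
    """symsrv key: the GUID as 32 uppercase hex digits followed by the age in hex."""
    return f"{guid.hex.upper()}{age:X}"

def pdb_candidates(sympath: str, rsds: bytes, module_dir: str) -> list:
    """Locations dbghelp/symsrv probe for the PDB, in the order the noisy log shows."""
    guid, age, embedded = parse_rsds(rsds)
    name = embedded.rsplit("\\", 1)[-1]
    key = symsrv_key(guid, age)
    out = []
    for entry in sympath.split(";"):
        if entry.lower().startswith("srv*"):
            # srv*<cache>*<server>: local cache first, then the HTTP store, both keyed by GUID+age
            _, cache, server = entry.split("*", 2)
            out.append(f"{cache}\\{name}\\{key}\\{name}")
            out.append(f"{server}/{name}/{key}/{name}")
        else:
            # plain directory: dir, dir\dll, dir\symbols\dll (the three DBGHELP probes above)
            out += [f"{entry}\\{name}", f"{entry}\\dll\\{name}", f"{entry}\\symbols\\dll\\{name}"]
    out.append(f"{module_dir}\\{name}")   # directory the DLL was loaded from
    out.append(embedded)                   # last resort: path embedded at build time
    return out

# Constructed record; values copied from the WinDbg output quoted in this post.
SAMPLE_RSDS = build_rsds(uuid.UUID("0BF59D52-11E6-43CA-9674-28FCC8C97BAA"), 0x31,
                         r"e:\project\sogouime\branch\PinyinDev_R_7_1_Final\Bin\SogouPdb\Component\PicFace\PicFace64.pdb")
SYMPATH = r"E:\symbols\Serversymbols;E:\symbols\mysymbols;E:\symbols\Extsym;srv*E:\symbols\Serversymbols*http://msdl.microsoft.com/download/symbols"
MODULE_DIR = r"D:\x64\Program Files (x86)\SogouInput\Components\PicFace\1.0.0.925"

if __name__ == "__main__":
    for location in pdb_candidates(SYMPATH, SAMPLE_RSDS, MODULE_DIR):
        print(location)
```

The computed key 0BF59D5211E643CA967428FCC8C97BAA31 is exactly the directory name WinDbg used in its SYMSRV lookups above, and the embedded path is the last entry the search reaches.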