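  • WinDbg Command Study 2 (!sym and .reload)

    The following examples use WinDbg with calc.exe loaded:

    1. !sym

    The !sym extension controls noisy symbol loading and symbol prompts.

    !sym: with no arguments, displays the current settings for noisy symbol loading and symbol prompts.

    An example: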

    0:001> !sym
    !sym <noisy/quiet - prompts/prompts off> - noisy mode - symbol prompts on

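    Look closely and you can see the four states of sym: noisy/quiet - prompts/prompts off. So to remember how this command is used, just run !sym and every usage is shown. Hehe, I'm fairly clever.

    What follows the <> is the current setting.

    !sym noisy enables the noisy symbol loading display.

    An example: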

    0:001> !sym noisy
    noisy mode - symbol prompts on

    !sym quiet disables the noisy symbol loading display.

    0:001> !sym quiet
    quiet mode - symbol prompts on

    !sym prompts allows a dialog box to appear when SymSrv receives an authentication request.

    0:001> !sym prompts
    quiet mode - symbol prompts on

    !sym prompts off suppresses the authentication dialog when SymSrv receives an authentication request. This may prevent SymSrv from accessing symbols over the internet.

    0:001> !sym prompts off
    quiet mode - symbol prompts off


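    We're all clever enough: one pair is noisy/quiet, the other is prompts off/prompts on. Got it.

    2. .reload

    The .reload command deletes all symbol information for the specified module and reloads these symbols as needed. In some cases, this command also reloads or unloads the module itself.

    /d Reloads all modules in the debugger's module list. (When all parameters are omitted, this is the default behavior in user-mode debugging.)
    An example: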
    0:001> .reload /d
    Reloading current modules
    ................................
    DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
    DBGHELP: ntdll - public symbols  
             C:\WINDOWS\symbols\dll\ntdll.pdb
    

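    OK, we find that the symbols were not loaded immediately.

    /f Forces the debugger to load symbols immediately. This parameter overrides deferred (lazy) symbol loading. For more information, see the Remarks section below.
    Querying with lm shows GDI32 (deferred), so let's try loading its symbol information: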
    0:001> lm
    start    end        module name
    01000000 0101f000   calc       (deferred)             
    10000000 100b0000   safemon    (deferred)             
    58fb0000 5917a000   AcGenral   (deferred)             
    5adc0000 5adf7000   UxTheme    (deferred)             
    5cc30000 5cc56000   ShimEng    (deferred)             
    62c20000 62c29000   LPK        (deferred)             
    71a10000 71a18000   WS2HELP    (deferred)             
    71a20000 71a37000   WS2_32     (deferred)             
    73640000 7366e000   msctfime   (deferred)             
    73fa0000 7400b000   USP10      (deferred)             
    74680000 746cc000   MSCTF      (deferred)             
    759d0000 75a7f000   USERENV    (deferred)             
    76300000 7631d000   IMM32      (deferred)             
    765e0000 76673000   CRYPT32    (deferred)             
    76680000 76726000   WININET    (deferred)             
    76990000 76ace000   ole32      (deferred)             
    76b10000 76b3a000   WINMM      (deferred)             
    76bc0000 76bcb000   PSAPI      (deferred)             
    76db0000 76dc2000   MSASN1     (deferred)             
    770f0000 7717b000   OLEAUT32   (deferred)             
    77180000 77283000   comctl32   (deferred)             
    77bb0000 77bc5000   MSACM32    (deferred)             
    77bd0000 77bd8000   VERSION    (deferred)             
    77be0000 77c38000   msvcrt     (deferred)             
    77d10000 77da0000   USER32     (deferred)             
    77da0000 77e49000   ADVAPI32   (deferred)             
    77e50000 77ee3000   RPCRT4     (deferred)             
    77ef0000 77f39000   GDI32      (deferred)             
    77f40000 77fb6000   SHLWAPI    (deferred)             
    77fc0000 77fd1000   Secur32    (deferred)             
    7c800000 7c91e000   kernel32   (deferred)             
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    7d590000 7dd84000   SHELL32    (deferred)             
    0:001> .reload /f GDI32.dll
    DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\gdi32.pdb - file not found
    DBGHELP: GDI32 - public symbols  
             C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
    0:001> lm
    start    end        module name
    01000000 0101f000   calc       (deferred)             
    10000000 100b0000   safemon    (deferred)             
    58fb0000 5917a000   AcGenral   (deferred)             
    5adc0000 5adf7000   UxTheme    (deferred)             
    5cc30000 5cc56000   ShimEng    (deferred)             
    62c20000 62c29000   LPK        (deferred)             
    71a10000 71a18000   WS2HELP    (deferred)             
    71a20000 71a37000   WS2_32     (deferred)             
    73640000 7366e000   msctfime   (deferred)             
    73fa0000 7400b000   USP10      (deferred)             
    74680000 746cc000   MSCTF      (deferred)             
    759d0000 75a7f000   USERENV    (deferred)             
    76300000 7631d000   IMM32      (deferred)             
    765e0000 76673000   CRYPT32    (deferred)             
    76680000 76726000   WININET    (deferred)             
    76990000 76ace000   ole32      (deferred)             
    76b10000 76b3a000   WINMM      (deferred)             
    76bc0000 76bcb000   PSAPI      (deferred)             
    76db0000 76dc2000   MSASN1     (deferred)             
    770f0000 7717b000   OLEAUT32   (deferred)             
    77180000 77283000   comctl32   (deferred)             
    77bb0000 77bc5000   MSACM32    (deferred)             
    77bd0000 77bd8000   VERSION    (deferred)             
    77be0000 77c38000   msvcrt     (deferred)             
    77d10000 77da0000   USER32     (deferred)             
    77da0000 77e49000   ADVAPI32   (deferred)             
    77e50000 77ee3000   RPCRT4     (deferred)             
    77ef0000 77f39000   GDI32      (pdb symbols)          C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
    77f40000 77fb6000   SHLWAPI    (deferred)             
    77fc0000 77fd1000   Secur32    (deferred)             
    7c800000 7c91e000   kernel32   (deferred)             
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    7d590000 7dd84000   SHELL32    (deferred)  


    We find that in the first lm query GDI32 was (deferred); after loading with .reload /f, a second lm shows GDI32 (pdb symbols). OK, so we can guess: if .reload /f is given no module, will it reload all the symbols?

    0:001> .reload /f
    Reloading current modules
    .
    DBGHELP: C:\WINDOWS\symbols\calc.pdb - file not found
    DBGHELP: calc - public symbols  
             C:\WINDOWS\symbols\exe\calc.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\safemon.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\safemon.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\safemon.pdb - file not found
    SYMSRV:  C:\MyLocalSymbols\safemon.pdb\84C1B55127174ACAA421A85A983FA63B1\safemon.pdb not found
    SYMSRV:  http://msdl.microsoft.com/download/symbols/safemon.pdb/84C1B55127174ACAA421A85A983FA63B1/safemon.pdb not found
    DBGHELP: C:\Program Files\360\360Safe\safemon\safemon.pdb - file not found
    DBGHELP: E:\repos\safemon_8_1_1\Release\safemon.pdb - file not found
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\360\360Safe\safemon\safemon.dll - 
    DBGHELP: safemon - export symbols
    .
    DBGHELP: C:\WINDOWS\symbols\AcGenral.pdb - file not found
    DBGHELP: AcGenral - public symbols  
             C:\WINDOWS\symbols\DLL\AcGenral.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\uxtheme.pdb - file not found
    DBGHELP: UxTheme - public symbols  
             C:\WINDOWS\symbols\dll\uxtheme.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\ShimEng.pdb - file not found
    DBGHELP: ShimEng - public symbols  
             C:\WINDOWS\symbols\dll\ShimEng.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\lpk.pdb - file not found
    DBGHELP: LPK - public symbols  
             C:\WINDOWS\symbols\DLL\lpk.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\ws2help.pdb - file not found
    DBGHELP: WS2HELP - public symbols  
             C:\WINDOWS\symbols\dll\ws2help.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\ws2_32.pdb - file not found
    DBGHELP: WS2_32 - public symbols  
             C:\WINDOWS\symbols\dll\ws2_32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\msctfime.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\ime\msctfime.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\ime\msctfime.pdb - file not found
    DBGHELP: msctfime - public symbols  
             C:\MyLocalSymbols\msctfime.pdb\7448D95F454E4C1E93859E4D88C1950E1\msctfime.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\usp10.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\usp10.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\usp10.pdb - file not found
    DBGHELP: USP10 - public symbols  
             C:\MyLocalSymbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\msctf.pdb - file not found
    DBGHELP: MSCTF - public symbols  
             C:\WINDOWS\symbols\dll\msctf.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\userenv.pdb - file not found
    DBGHELP: USERENV - public symbols  
             C:\WINDOWS\symbols\dll\userenv.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\imm32.pdb - file not found
    DBGHELP: IMM32 - public symbols  
             C:\WINDOWS\symbols\DLL\imm32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\crypt32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\crypt32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\crypt32.pdb - file not found
    DBGHELP: CRYPT32 - public symbols  
             C:\MyLocalSymbols\crypt32.pdb\A854C29D50C34464948D078CA2A0BFD32\crypt32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\wininet.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\wininet.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\wininet.pdb - file not found
    DBGHELP: WININET - public symbols  
             C:\MyLocalSymbols\wininet.pdb\041BF2F58BAF4B3880CA9A705DA8398F2\wininet.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\ole32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\ole32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\ole32.pdb - file not found
    DBGHELP: ole32 - public symbols  
             C:\MyLocalSymbols\ole32.pdb\498D399602DE44A59DB412C95883B65C2\ole32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\winmm.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\winmm.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\winmm.pdb - file not found
    DBGHELP: WINMM - public symbols  
             C:\MyLocalSymbols\winmm.pdb\CBD9B2B21EE74EE6BA95B56DCBD2A57F2\winmm.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\psapi.pdb - file not found
    DBGHELP: PSAPI - public symbols  
             C:\WINDOWS\symbols\DLL\psapi.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\msasn1.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\msasn1.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\msasn1.pdb - file not found
    DBGHELP: MSASN1 - public symbols  
             C:\MyLocalSymbols\msasn1.pdb\1AED0D31142F496E83481A9BF3DEF1A52\msasn1.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\oleaut32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\oleaut32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\oleaut32.pdb - file not found
    DBGHELP: OLEAUT32 - public symbols  
             C:\MyLocalSymbols\oleaut32.pdb\E04ECB48CAED47B2958C3D2C1094E23F2\oleaut32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb - file not found
    DBGHELP: comctl32 - public symbols  
             C:\MyLocalSymbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\msacm32.pdb - file not found
    DBGHELP: MSACM32 - public symbols  
             C:\WINDOWS\symbols\dll\msacm32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\version.pdb - file not found
    DBGHELP: VERSION - public symbols  
             C:\WINDOWS\symbols\dll\version.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\msvcrt.pdb - file not found
    DBGHELP: msvcrt - public symbols  
             C:\WINDOWS\symbols\dll\msvcrt.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\user32.pdb - file not found
    DBGHELP: USER32 - public symbols  
             C:\WINDOWS\symbols\dll\user32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\advapi32.pdb - file not found
    DBGHELP: ADVAPI32 - public symbols  
             C:\WINDOWS\symbols\dll\advapi32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\rpcrt4.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\rpcrt4.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\rpcrt4.pdb - file not found
    DBGHELP: RPCRT4 - public symbols  
             C:\MyLocalSymbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\gdi32.pdb - file not found
    DBGHELP: GDI32 - public symbols  
             C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\shlwapi.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\shlwapi.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\shlwapi.pdb - file not found
    DBGHELP: SHLWAPI - public symbols  
             C:\MyLocalSymbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\secur32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\secur32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\secur32.pdb - file not found
    DBGHELP: Secur32 - public symbols  
             C:\MyLocalSymbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\kernel32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\kernel32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\kernel32.pdb - file not found
    DBGHELP: kernel32 - public symbols  
             C:\MyLocalSymbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\ntdll.pdb - file not found
    DBGHELP: ntdll - public symbols  
             C:\WINDOWS\symbols\dll\ntdll.pdb
    .
    DBGHELP: C:\WINDOWS\symbols\shell32.pdb - file not found
    DBGHELP: C:\WINDOWS\symbols\dll\shell32.pdb - mismatched pdb
    DBGHELP: C:\WINDOWS\symbols\symbols\dll\shell32.pdb - file not found
    DBGHELP: SHELL32 - public symbols  
             C:\MyLocalSymbols\shell32.pdb\DF59C75CA10B4BF89B447BB924C4292C2\shell32.pdb
    
    0:001> lm
    start    end        module name
    01000000 0101f000   calc       (pdb symbols)          C:\WINDOWS\symbols\exe\calc.pdb
    10000000 100b0000   safemon    (export symbols)       C:\Program Files\360\360Safe\safemon\safemon.dll
    58fb0000 5917a000   AcGenral   (pdb symbols)          C:\WINDOWS\symbols\DLL\AcGenral.pdb
    5adc0000 5adf7000   UxTheme    (pdb symbols)          C:\WINDOWS\symbols\dll\uxtheme.pdb
    5cc30000 5cc56000   ShimEng    (pdb symbols)          C:\WINDOWS\symbols\dll\ShimEng.pdb
    62c20000 62c29000   LPK        (pdb symbols)          C:\WINDOWS\symbols\DLL\lpk.pdb
    71a10000 71a18000   WS2HELP    (pdb symbols)          C:\WINDOWS\symbols\dll\ws2help.pdb
    71a20000 71a37000   WS2_32     (pdb symbols)          C:\WINDOWS\symbols\dll\ws2_32.pdb
    73640000 7366e000   msctfime   (pdb symbols)          C:\MyLocalSymbols\msctfime.pdb\7448D95F454E4C1E93859E4D88C1950E1\msctfime.pdb
    73fa0000 7400b000   USP10      (pdb symbols)          C:\MyLocalSymbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
    74680000 746cc000   MSCTF      (pdb symbols)          C:\WINDOWS\symbols\dll\msctf.pdb
    759d0000 75a7f000   USERENV    (pdb symbols)          C:\WINDOWS\symbols\dll\userenv.pdb
    76300000 7631d000   IMM32      (pdb symbols)          C:\WINDOWS\symbols\DLL\imm32.pdb
    765e0000 76673000   CRYPT32    (pdb symbols)          C:\MyLocalSymbols\crypt32.pdb\A854C29D50C34464948D078CA2A0BFD32\crypt32.pdb
    76680000 76726000   WININET    (pdb symbols)          C:\MyLocalSymbols\wininet.pdb\041BF2F58BAF4B3880CA9A705DA8398F2\wininet.pdb
    76990000 76ace000   ole32      (pdb symbols)          C:\MyLocalSymbols\ole32.pdb\498D399602DE44A59DB412C95883B65C2\ole32.pdb
    76b10000 76b3a000   WINMM      (pdb symbols)          C:\MyLocalSymbols\winmm.pdb\CBD9B2B21EE74EE6BA95B56DCBD2A57F2\winmm.pdb
    76bc0000 76bcb000   PSAPI      (pdb symbols)          C:\WINDOWS\symbols\DLL\psapi.pdb
    76db0000 76dc2000   MSASN1     (pdb symbols)          C:\MyLocalSymbols\msasn1.pdb\1AED0D31142F496E83481A9BF3DEF1A52\msasn1.pdb
    770f0000 7717b000   OLEAUT32   (pdb symbols)          C:\MyLocalSymbols\oleaut32.pdb\E04ECB48CAED47B2958C3D2C1094E23F2\oleaut32.pdb
    77180000 77283000   comctl32   (pdb symbols)          C:\MyLocalSymbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb
    77bb0000 77bc5000   MSACM32    (pdb symbols)          C:\WINDOWS\symbols\dll\msacm32.pdb
    77bd0000 77bd8000   VERSION    (pdb symbols)          C:\WINDOWS\symbols\dll\version.pdb
    77be0000 77c38000   msvcrt     (pdb symbols)          C:\WINDOWS\symbols\dll\msvcrt.pdb
    77d10000 77da0000   USER32     (pdb symbols)          C:\WINDOWS\symbols\dll\user32.pdb
    77da0000 77e49000   ADVAPI32   (pdb symbols)          C:\WINDOWS\symbols\dll\advapi32.pdb
    77e50000 77ee3000   RPCRT4     (pdb symbols)          C:\MyLocalSymbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
    77ef0000 77f39000   GDI32      (pdb symbols)          C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
    77f40000 77fb6000   SHLWAPI    (pdb symbols)          C:\MyLocalSymbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
    77fc0000 77fd1000   Secur32    (pdb symbols)          C:\MyLocalSymbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
    7c800000 7c91e000   kernel32   (pdb symbols)          C:\MyLocalSymbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    7d590000 7dd84000   SHELL32    (pdb symbols)          C:\MyLocalSymbols\shell32.pdb\DF59C75CA10B4BF89B447BB924C4292C2\shell32.pdb

    Indeed it does!
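
    Added example (not part of the original post): a small Python parser for the noisy DBGHELP/SYMSRV output above. It reports, per module, which symbol type was finally loaded, which pdb candidates were rejected as mismatched, and the GUID+age key found in the symbol store path. The function names and report fields are assumptions of this sketch; the sample input is abridged from the transcript above.

```python
import re

# Abridged excerpt of the noisy `.reload /f` output shown above (calc, safemon, GDI32).
SAMPLE = r"""DBGHELP: C:\WINDOWS\symbols\calc.pdb - file not found
DBGHELP: calc - public symbols  
         C:\WINDOWS\symbols\exe\calc.pdb
.
DBGHELP: C:\WINDOWS\symbols\safemon.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\safemon.pdb - file not found
SYMSRV:  C:\MyLocalSymbols\safemon.pdb\84C1B55127174ACAA421A85A983FA63B1\safemon.pdb not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/safemon.pdb/84C1B55127174ACAA421A85A983FA63B1/safemon.pdb not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\360\360Safe\safemon\safemon.dll - 
DBGHELP: safemon - export symbols
.
DBGHELP: C:\WINDOWS\symbols\gdi32.pdb - file not found
DBGHELP: C:\WINDOWS\symbols\dll\gdi32.pdb - mismatched pdb
DBGHELP: GDI32 - public symbols  
         C:\MyLocalSymbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
"""

# Final verdict for a module, e.g. "DBGHELP: GDI32 - public symbols".
RESULT = re.compile(r"^DBGHELP: (\S+) - (public|private|export) symbols\s*$")
# One rejected candidate, e.g. "... - file not found" or "SYMSRV: ... not found".
ATTEMPT = re.compile(
    r"^(DBGHELP|SYMSRV):\s+(.+?)(?: -)? (file not found|mismatched pdb|not found)\s*$")
# Symbol store directory name: 32 hex digits of GUID followed by the age in hex.
STORE_KEY = re.compile(r"[\\/]([0-9A-Fa-f]{32})([0-9A-Fa-f]+)[\\/]")


def parse_noisy(text):
    """Return {module: report} built from noisy symbol-loading output."""
    modules, pending = {}, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ATTEMPT.match(line)
        if m:  # candidates accumulate until the module's verdict line arrives
            pending.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = RESULT.match(line)
        if not m:
            continue
        # The loaded pdb path, when there is one, is the indented next line.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        path = nxt.strip() if nxt[:1].isspace() and nxt.strip() else None
        key = STORE_KEY.search(path or "") or next(
            (k for k in (STORE_KEY.search(p) for _, p, _ in pending) if k), None)
        modules[m.group(1)] = {
            "kind": m.group(2),
            "path": path,
            "tried": len(pending),
            "mismatched": [p for _, p, why in pending if why == "mismatched pdb"],
            "guid": key.group(1) if key else None,
            "age": int(key.group(2), 16) if key else None,
        }
        pending = []
    return modules


def needs_attention(modules):
    """Modules with degraded symbols or a stale local pdb that was skipped."""
    flagged = {}
    for name, report in modules.items():
        if report["kind"] == "export":
            flagged[name] = "export symbols only (no matching pdb found)"
        elif report["mismatched"]:
            flagged[name] = "stale pdb skipped: " + report["mismatched"][0]
    return flagged


if __name__ == "__main__":
    for name, reason in needs_attention(parse_noisy(SAMPLE)).items():
        print(f"{name}: {reason}")
```
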

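    /i
    Ignores .pdb file version mismatches. (Without this parameter, the debugger does not load mismatched symbol files.) When /i is used, /f is used as well, even if it is not specified explicitly.
    /l
    Lists the modules but does not reload their symbols. (In kernel mode, the output with this parameter is the same as that of the !drivers extension command.)
    /n
    Reloads kernel symbols only. This parameter does not reload any user-mode symbols. (This option can be used only during kernel-mode debugging.)
    /o
    Forces cached files in the symbol server's downstream store to be overwritten. When using this flag, /f must also be included. By default, files in the downstream store are never overwritten.

    Because the symbol server uses a different name for the symbols of each version of a binary, this option is not needed unless you are sure the downstream store has been corrupted.

    /s
    Reloads all modules in the system's module image list. (When all parameters are omitted, this is the default behavior in kernel mode.) If you load an individual system module by name during user-mode debugging, you must include /s.
    /u
    Unloads the specified module and all its symbols. The debugger unloads any module whose name matches Module, regardless of its full path. Image names are searched as well. For more information, see the Remarks section below.
    /unl
    Reloads symbols based on the image information in the unloaded module list.
    /user
    Reloads user-mode symbols only. (This option can be used only during kernel-mode debugging.)
    /v
    Turns on verbose display.
    /w
    Treats Module as a literal string. This prevents the debugger from expanding wildcards.

    The .reload /u command performs a broader search. The debugger first tries to match Module against the exact module name, regardless of path. If no match is found, Module is treated as the name of the loaded image. For example, if the HAL in memory is named halacpi.dll, both of the following commands unload its symbols.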

    kd> .reload /u halacpi.dll
    kd> .reload /u hal

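    If you are doing user-mode debugging and want to load a module that is not in the target process's module list, you must use the /s option, as in the following example.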

    0:000> .reload /u ntdll.dll
    Unloaded ntdll.dll
    0:000> .reload /s /f ntdll.dll

    I tested the commands above:

    0:001> lm
    start    end        module name
    00ad0000 00adf000   WordStrokeHelper32   (deferred)             
    01000000 0101f000   calc       (deferred)             
    10000000 100b0000   safemon    (deferred)             
    58fb0000 5917a000   AcGenral   (deferred)             
    5adc0000 5adf7000   UxTheme    (deferred)             
    5cc30000 5cc56000   ShimEng    (deferred)             
    62c20000 62c29000   LPK        (deferred)             
    71a10000 71a18000   WS2HELP    (deferred)             
    71a20000 71a37000   WS2_32     (deferred)             
    73640000 7366e000   msctfime   (deferred)             
    73fa0000 7400b000   USP10      (deferred)             
    74680000 746cc000   MSCTF      (deferred)             
    759d0000 75a7f000   USERENV    (deferred)             
    76300000 7631d000   IMM32      (deferred)             
    765e0000 76673000   CRYPT32    (deferred)             
    76680000 76726000   WININET    (deferred)             
    76990000 76ace000   ole32      (deferred)             
    76b10000 76b3a000   WINMM      (deferred)             
    76bc0000 76bcb000   PSAPI      (deferred)             
    76db0000 76dc2000   MSASN1     (deferred)             
    770f0000 7717b000   OLEAUT32   (deferred)             
    77180000 77283000   comctl32   (deferred)             
    77bb0000 77bc5000   MSACM32    (deferred)             
    77bd0000 77bd8000   VERSION    (deferred)             
    77be0000 77c38000   msvcrt     (deferred)             
    77d10000 77da0000   USER32     (deferred)             
    77da0000 77e49000   ADVAPI32   (deferred)             
    77e50000 77ee3000   RPCRT4     (deferred)             
    77ef0000 77f39000   GDI32      (deferred)             
    77f40000 77fb6000   SHLWAPI    (deferred)             
    77fc0000 77fd1000   Secur32    (deferred)             
    7c800000 7c91e000   kernel32   (deferred)             
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    7d590000 7dd84000   SHELL32    (deferred)             
    0:001> .reload /u kernel32
    Unloaded kernel32
    0:001> lm
    start    end        module name
    00ad0000 00adf000   WordStrokeHelper32   (deferred)             
    01000000 0101f000   calc       (deferred)             
    10000000 100b0000   safemon    (deferred)             
    58fb0000 5917a000   AcGenral   (deferred)             
    5adc0000 5adf7000   UxTheme    (deferred)             
    5cc30000 5cc56000   ShimEng    (deferred)             
    62c20000 62c29000   LPK        (deferred)             
    71a10000 71a18000   WS2HELP    (deferred)             
    71a20000 71a37000   WS2_32     (deferred)             
    73640000 7366e000   msctfime   (deferred)             
    73fa0000 7400b000   USP10      (deferred)             
    74680000 746cc000   MSCTF      (deferred)             
    759d0000 75a7f000   USERENV    (deferred)             
    76300000 7631d000   IMM32      (deferred)             
    765e0000 76673000   CRYPT32    (deferred)             
    76680000 76726000   WININET    (deferred)             
    76990000 76ace000   ole32      (deferred)             
    76b10000 76b3a000   WINMM      (deferred)             
    76bc0000 76bcb000   PSAPI      (deferred)             
    76db0000 76dc2000   MSASN1     (deferred)             
    770f0000 7717b000   OLEAUT32   (deferred)             
    77180000 77283000   comctl32   (deferred)             
    77bb0000 77bc5000   MSACM32    (deferred)             
    77bd0000 77bd8000   VERSION    (deferred)             
    77be0000 77c38000   msvcrt     (deferred)             
    77d10000 77da0000   USER32     (deferred)             
    77da0000 77e49000   ADVAPI32   (deferred)             
    77e50000 77ee3000   RPCRT4     (deferred)             
    77ef0000 77f39000   GDI32      (deferred)             
    77f40000 77fb6000   SHLWAPI    (deferred)             
    77fc0000 77fd1000   Secur32    (deferred)             
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    7d590000 7dd84000   SHELL32    (deferred)    

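    The later lm really does not show kernel32.dll any more,

    but the program still runs normally. I checked with IceSword and kernel32.dll is clearly still there. I have my doubts and don't understand it; marking this!!!!!!!!!!!!!!!!!!!!!!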

    0:001> .reload -i maincode_org=00AD0000,0024E000
    *** WARNING: Unable to verify timestamp for maincode_org


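    If a DLL is embedded in an exe, by default only the exe's pdb is loaded; .reload provides a way to force the load:

    1. .sympath+ adds a folder to the pdb path

    2. .reload /i module name=base address,size

    A worked example: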

    0:001> lm
    start    end        module name
    00400000 00ad0000   test011    (deferred)             
    02810000 02b7a000   SOGOUWB    (deferred)    

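    In fact, an embedded DLL is attached after ad0000.

    Setting the pdb path: if the method below does not work, add the path under File -> Symbol File Path, and remember not to use a path containing Chinese characters.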

    0:001> .symfix+ E:\项目SVN
    Load:

    0:001> .reload /i maincode_org=00AD0000,0024E000
    *** WARNING: Unable to verify timestamp for maincode_org
    0:001> x maincode_org!*
    00ceb628 maincode_org!g_timeGetTime = 0x00000000
    00cf8814 maincode_org!g_szMessage = 0x00000000 ""
    00cfb504 maincode_org!g_pSetWindowPos = 0x0000000
    This method can also be used to force-load other pdbs, for example when you need a particular structure from some pdb.




     

  • Original article: https://www.cnblogs.com/hgy413/p/3693715.html