WinDbg: locating an application crash (a case record)
Reference: "Windbg 及sos.dll、mex.dll扩展插件" (WinDbg and the sos.dll / mex.dll extension plugins), CSDN blog.
WinDbg setup is described in that post.
Dumping the stack shows the exception being raised while a handle is created (in System.Windows.Forms.Timer+TimerNativeWindow.EnsureHandle()); the current frame is KERNELBASE!RaiseException+0x69:
0:035> !DumpStack
OS Thread Id: 0x2af4 (35)
Current frame: KERNELBASE!RaiseException+0x69
Child-SP RetAddr Caller, Callee
000000002f1ce570 00007ff91ed8563e clr!GCCoop::GCCoop+0xe, calling clr!GetTLSDummy
000000002f1ce580 00007ff91edf9c1c clr!IsExceptionOfType+0x14, calling clr!Object::GetTrueMethodTable
000000002f1ce5f0 00007ff91edb8aee clr!StringLiteralMap::GetStringLiteral+0x221, calling clr!CrstBase::Leave
000000002f1ce6d0 00007ff91edfb4a4 clr!IL_Throw+0x114, calling clr!RaiseTheExceptionInternalOnly
000000002f1ce868 00007ff91edfb3d5 clr!IL_Throw+0x45, calling clr!LazyMachStateCaptureState
000000002f1ce9f0 00007ff8f6453827 (MethodDesc 00007ff8f6281bc0 System.Windows.Forms.Timer+TimerNativeWindow.EnsureHandle())
000000002f1cea58 00007ff91ef08e45 clr!JIT_NewCrossContext_Portable+0x75, calling clr!LazyMachStateCaptureState
000000002f1cea90 00007ff8f6453644 (MethodDesc 00007ff8f61b5608 System.Windows.Forms.Timer.set_Enabled(Boolean)), calling 00007ff8c0ef7900
000000002f1ceb20 00007ff8c28b88ba (MethodDesc 00007ff8c2c44300 +0x8a DevExpress.XtraSplashScreen.OverlayLayeredWindow.RunMessageLoop())
000000002f1ceb90 00007ff8c28b3f70 (MethodDesc 00007ff8c2c44188 +0xf0 DevExpress.XtraSplashScreen.OverlayLayeredWindow.Show())
000000002f1cebe0 00007ff8c28b3a27 (MethodDesc 00007ff8c2c43960 +0x47 DevExpress.XtraSplashScreen.OverlayWindowController.DoShow()), calling 00007ff8c28b0bb8
000000002f1cec20 00007ff91a33df12 (MethodDesc 00007ff919db85b8 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean))
000000002f1cecf0 00007ff91a33dd95 (MethodDesc 00007ff919f987a0 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)), calling (MethodDesc 00007ff919db85b8 System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean))
000000002f1ced30 00007ff937807997 ntdll!RtlDeactivateActivationContextUnsafeFast+0xc7, calling ntdll!_security_check_cookie
000000002f1ced90 00007ff91ed87255 clr!SigPointer::PeekElemTypeNormalized+0x32, calling clr!SigPointer::PeekElemTypeClosed
...
000000002f1cfbf0 00007ff93781cec1 ntdll!RtlUserThreadStart+0x21, calling ntdll!guard_dispatch_icall_nop
Listing all threads grouped by call stack (!mex.us) reveals one odd thread: its stack contains a frame at QQPinyin+0x167de2:
0:035> !mex.us
...
1 thread [stats]: 8
00007ff93786b414 ntdll!NtDelayExecution+0x14
00007ff9350f818e KERNELBASE!SleepEx+0x9e
0000000180167de2 QQPinyin+0x167de2
000000002af4c8b8 0x2af4c8b8
...
18 stack(s) with 36 threads displayed (36 Total threads)
Look at that thread's stack:
0:035> !mex.t 8
DbgID ThreadID User Kernel Create Time (UTC)
8 286c (0n10348) 0 46ms xx/xx/xxxx 01:25:43.673 上午
# Child-SP Return Call Site
0 000000002caefd28 00007ff9350f818e ntdll!NtDelayExecution+0x14
1 000000002caefd30 0000000180167de2 KERNELBASE!SleepEx+0x9e
2 000000002caefdd0 000000002af4c8b8 QQPinyin+0x167de2
3 000000002caefdd8 0000000000000000 0x2af4c8b8
I then listed all threads and did not see a thread with OS id 0x286c, which was strange (!threads is the SOS command and only lists managed CLR threads; a purely native thread created by an injected module does not appear in it):
0:008> !threads
ThreadCount: 26
UnstartedThread: 0
BackgroundThread: 22
PendingThread: 0
DeadThread: 3
Hosted Runtime: no
Lock
ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception
0 1 8a4 0000000000eaf7b0 26020 Cooperative 0000000065836A70:0000000065836FD0 0000000000ea2cd0 1 Ukn
2 2 b74 0000000000ed9940 2b220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Finalizer)
XXXX 3 0 000000001bb5e630 1039820 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
XXXX 4 0 000000001bac0f70 1039820 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
4 7 2174 000000001fbea540 102a220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
5 13 b20 000000001fcdb2b0 2b220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn
6 14 27e4 000000001fcdba80 2b220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn
7 15 1940 000000001fcf32c0 2b220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn
10 17 2788 0000000023ce27f0 202b220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 1 Ukn
11 22 630 0000000023ce08b0 1020220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
20 44 2110 000000003392d0d0 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
21 48 1cac 00000000337c2f70 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
22 27 16e4 000000003392d8a0 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
23 41 ff4 00000000337c1fd0 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
24 30 2d44 0000000023ce5ea0 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
25 10 2fac 0000000033ccef30 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
26 12 2744 000000003cb97840 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
27 49 2d0c 0000000033ccfed0 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
28 45 2f18 00000000536f9cc0 1029220 Preemptive 00000000652CABC0:00000000652CCAD8 0000000000ea2cd0 0 Ukn (Threadpool Worker)
29 34 25e8 0000000033ccdf90 1029220 Preemptive 00000000652CCC58:00000000652CEAD8 0000000000ea2cd0 0 Ukn (Threadpool Worker)
30 18 2c58 0000000033546aa0 8029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Completion Port)
31 51 2c30 00000000334ef340 1029220 Preemptive 00000000652CEB08:00000000652D0AD8 0000000000ea2cd0 0 Ukn (Threadpool Worker)
33 43 2cf8 00000000337c4eb0 1029220 Preemptive 00000000652D0C90:00000000652D2AD8 0000000000ea2cd0 0 Ukn (Threadpool Worker)
32 38 1f0c 0000000033cd06a0 1029220 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn (Threadpool Worker)
XXXX 50 0 00000000335433f0 39820 Preemptive 0000000000000000:0000000000000000 0000000000ea2cd0 0 Ukn
35 42 2af4 0000000033545b00 2b220 Preemptive 000000006584D0B0:000000006584EFD0 0000000000ea2cd0 3 Ukn System.ComponentModel.Win32Exception 000000006525bbf0
Yet querying that thread number by itself finds it again, which was also strange:
0:008> !mex.t 8
DbgID ThreadID User Kernel Create Time (UTC)
8 286c (0n10348) 0 46ms xx/xxx/xxxx 01:25:43.673 上午
# Child-SP Return Call Site
0 000000002caefd28 00007ff9350f818e ntdll!NtDelayExecution+0x14
1 000000002caefd30 0000000180167de2 KERNELBASE!SleepEx+0x9e
2 000000002caefdd0 000000002af4c8b8 QQPinyin+0x167de2
3 000000002caefdd8 0000000000000000 0x2af4c8b8
Checking the loaded modules (lm) confirms that the QQPinyin module is indeed loaded, at 00000001`80000000-00000001`804c6000 and without symbols:
0:008> lm
start end module name
...
00000000`34560000 00000000`346e0000 System_Windows_Forms_resources (deferred)
00000001`80000000 00000001`804c6000 QQPinyin T (no symbols)
...
00007ff9`377d0000 00007ff9`379c4000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\63E12347526A46144B98F8CF61CDED791\ntdll.pdb
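Two of the manual steps above, spotting the odd thread by its call stack and turning the raw return address into QQPinyin+0x167de2 with the lm module ranges, can be scripted so the same check runs over the text output of many dumps. The following Python is an added example written for this post; it is not WinDbg, mex, or the author's code. The sample lm and !mex.t 8 text is constructed from the output shown above: the QQPinyin and ntdll ranges are the ones in the post, the KERNELBASE range is an assumption chosen so the sample resolves, and the "no symbols / outside every module" rule is this example's own heuristic, not a mex feature.

```python
"""Resolve WinDbg stack frames against the `lm` module list.

Added example for this write-up (not WinDbg, mex, or the author's code): it
reproduces by hand what the debugger did when it printed `QQPinyin+0x167de2`,
so the same check can run over the saved text output of many dumps.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the post's `lm` and `!mex.t 8` output.
# QQPinyin and ntdll ranges are from the post; the KERNELBASE range is an
# assumption chosen so that SleepEx+0x9e resolves inside it.
LM_OUTPUT = """\
start             end                 module name
00000000`34560000 00000000`346e0000   System_Windows_Forms_resources   (deferred)
00000001`80000000 00000001`804c6000   QQPinyin T (no symbols)
00007ff9`350e0000 00007ff9`35350000   KERNELBASE   (pdb symbols)
00007ff9`377d0000 00007ff9`379c4000   ntdll      (pdb symbols)
"""

STACK_OUTPUT = """\
 # Child-SP          Return            Call Site
 0 000000002caefd28 00007ff9350f818e ntdll!NtDelayExecution+0x14
 1 000000002caefd30 0000000180167de2 KERNELBASE!SleepEx+0x9e
 2 000000002caefdd0 000000002af4c8b8 QQPinyin+0x167de2
 3 000000002caefdd8 0000000000000000 0x2af4c8b8
"""


@dataclass
class Module:
    name: str
    start: int
    end: int          # exclusive
    info: str         # trailing text from lm, e.g. "T (no symbols)"

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass
class Frame:
    number: int
    call_site: str            # symbolic text WinDbg printed
    address: Optional[int]    # this frame's instruction address, if derivable
    resolved: Optional[str]   # module+offset we computed, or bare hex
    module: Optional[Module]


# `lm` prints 64-bit addresses with a backtick between the two 32-bit halves.
_LM_RE = re.compile(
    r"^\s*([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})\s+(\S+)\s*(.*)$", re.I)
# Stack rows from `k` / `!mex.t`: frame #, Child-SP, Return, Call Site.
_FRAME_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(.+?)\s*$", re.I)


def parse_lm(text: str) -> list[Module]:
    """Parse the `lm` listing; header lines and '...' rows are skipped."""
    modules = []
    for line in text.splitlines():
        m = _LM_RE.match(line)
        if m:
            modules.append(Module(m.group(5),
                                  int(m.group(1) + m.group(2), 16),
                                  int(m.group(3) + m.group(4), 16),
                                  m.group(6).strip()))
    return modules


def resolve(addr: int, modules: list[Module]) -> tuple[str, Optional[Module]]:
    """module+offset for an address inside a loaded module, else bare hex."""
    for mod in modules:
        if mod.contains(addr):
            return f"{mod.name}+0x{addr - mod.start:x}", mod
    return f"0x{addr:x}", None


def annotate_stack(stack_text: str, modules: list[Module]) -> list[Frame]:
    """Attach a module to every frame whose address can be derived.

    The Return column of frame i is where its caller resumes, i.e. an address
    inside frame i+1's code, so frame i+1's address is frame i's Return.  Frame
    0's own address is the instruction pointer, which the listing does not show.
    """
    rows = [(int(m.group(1)), int(m.group(3), 16), m.group(4))
            for m in (_FRAME_RE.match(l) for l in stack_text.splitlines()) if m]
    frames, prev_return = [], None
    for number, ret, site in rows:
        if prev_return is None:
            frames.append(Frame(number, site, None, None, None))
        else:
            resolved, mod = resolve(prev_return, modules)
            frames.append(Frame(number, site, prev_return, resolved, mod))
        prev_return = ret
    return frames


def suspicious_frames(frames: list[Frame]) -> list[tuple[int, str, str]]:
    """Flag frames inside a module that has no symbols, or outside every module.

    Heuristic of this example: a module loaded without symbols (here the IME)
    and a return into memory backed by no module are the two things that stood
    out in the dump.
    """
    flagged = []
    for f in frames:
        if f.address is None:
            continue
        if f.module is None:
            flagged.append((f.number, f.resolved, "address is not inside any loaded module"))
        elif "no symbols" in f.module.info.lower():
            flagged.append((f.number, f.resolved, f"{f.module.name}: loaded without symbols"))
    return flagged


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    frames = annotate_stack(STACK_OUTPUT, mods)
    for f in frames:
        print(f"{f.number:2} {f.call_site:32} -> {f.resolved or '(ip not in listing)'}")
    for number, where, why in suspicious_frames(frames):
        print(f"frame {number}: {where}: {why}")
```

Run it over a `.logopen` transcript that contains `lm` and the `kn` / `!mex.t` output of the threads of interest. The frame shift (frame i's Return is frame i+1's address) is why frame 0 gets no computed module, and a frame whose return lands in no module at all, frame 3 here, is the same signal the debugger showed as the bare 0x2af4c8b8.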
Finally, look at the details of the QQPinyin module:
0:008> lmDvmQQPinyin
Browse full module list
start end module name
00000001`80000000 00000001`804c6000 QQPinyin T (no symbols)
Loaded symbol image file: QQPinyin.ime
Image path: C:\Windows\System32\QQPinyin.ime
Image name: QQPinyin.ime
Browse all global symbols functions data Symbol Reload
Timestamp: Tue Apr 26 13:02:39 2011 (4DB651EF)
CheckSum: 004BC3A2
ImageSize: 004C6000
Index Key: (GUID) D2567EEAB9BB488F8572C2BBF0F3DCB0
File version: 4.2.1073.400
Product version: 4.2.1073.400
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 3.B Driver
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Conclusion: the QQPinyin input method (QQPinyin.ime, file version 4.2.1073.400, built in 2011) is injected into the process and runs its own native thread inside it; this kind of process injection makes the application unstable.