Вопросы и ответы по популярному отладчику от Microsoft. Чтобы не создавать темы на каждую мелочь. Такой вопрос. Хотел посмотреть параметры Код (Text): 0:000> dt nt!_OBJECT_ATTRIBUTES Symbol nt!_OBJECT_ATTRIBUTES not found. 0:000> dt ntdll!_OBJECT_ATTRIBUTES Symbol ntdll!_OBJECT_ATTRIBUTES not found. Локальная ring3 отладка какой-то проги. Символы настроены корректно (прописан путь) Код (Text): 0:000> lm start end module name 00760000 00769000 123 C (no symbols) 76440000 76659000 KERNELBASE (deferred) 77c80000 77d70000 KERNEL32 (pdb symbols) c:\symbols\wkernel32.pdb\BAEEF8F4360C760F61\wkernel32.pdb 77d80000 77f24000 ntdll (pdb symbols) c:\symbols\wntdll.pdb\57ACF8C0088D7B2DBFC1\wntdll.pdb
Почему такие пути? Имею в виду с "w"? Может поэтому структуру не находит. c:\symbols\wkernel32.pdb\BAEEF8F4360C760F61\wkernel32.pdb c:\symbols\wntdll.pdb\57ACF8C0088D7B2DBFC1\wntdll.pdb --- Сообщение объединено, 16 авг 2022 --- Проверил свои символы, реально есть с префиксом "w". Странно, раньше не замечал этого. --- Сообщение объединено, 16 авг 2022 --- Я так понимаю это символы для x86? WoW64 или типа того. Тогда попробуй dt wntdll!_OBJECT_ATTRIBUTES
хз, так создалось. попробовал, также не найдено. какой этот виндбг кривой, или я чего-то не знаю. Просто мне надо структуры смотреть в памяти, а x64dbg не умеет, в Ида тоже хз как. вроде же верно настроено? Код (Text): 0:000> .sympath Symbol search path is: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols Expanded Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols ************* Path validation summary ************** Response Time (ms) Location Deferred SRV*C:\symbols*http://msdl.microsoft.com/download/symbols Далее, вообще такого символа в списке нет. Мб это только с ядра видно? Но зачем мне ставить виртуалку и дебажить ядро для простой юзермодной проги? Код (Text): 0:000> dt -t nt!* ...ничего не вывелось 0:000> dt -t ntdll!* ntdll!LIST_ENTRY64 ntdll!LIST_ENTRY32 ntdll!SE_WS_APPX_SIGNATURE_ORIGIN ntdll!_PS_MITIGATION_OPTION ntdll!_PS_MITIGATION_OPTIONS_MAP ntdll!_PS_MITIGATION_AUDIT_OPTIONS_MAP ntdll!_KSYSTEM_TIME ntdll!_NT_PRODUCT_TYPE ntdll!_ALTERNATIVE_ARCHITECTURE_TYPE ntdll!_KUSER_SHARED_DATA ntdll!<anonymous-tag> ntdll!_ULARGE_INTEGER ntdll!<anonymous-tag> ntdll!_LARGE_INTEGER ntdll!_TP_POOL ntdll!_TP_CLEANUP_GROUP ntdll!_ACTIVATION_CONTEXT ntdll!_TP_CALLBACK_INSTANCE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_TP_CALLBACK_PRIORITY ntdll!_TP_CALLBACK_ENVIRON_V3 ntdll!_TEB ntdll!_LIST_ENTRY ntdll!_LIST_ENTRY ntdll!_SINGLE_LIST_ENTRY ntdll!_RTL_SPLAY_LINKS ntdll!_RTL_DYNAMIC_HASH_TABLE_CONTEXT ntdll!_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR ntdll!_RTL_DYNAMIC_HASH_TABLE ntdll!_UNICODE_STRING ntdll!_STRING ntdll!_LUID ntdll!_CUSTOM_SYSTEM_EVENT_TRIGGER_CONFIG ntdll!_IMAGE_NT_HEADERS ntdll!_IMAGE_DOS_HEADER ntdll!_RTL_RB_TREE ntdll!_RTL_BALANCED_NODE ntdll!_RTL_AVL_TREE ntdll!_GUID ntdll!_KPCR ntdll!_KPRCB ntdll!_KAPC ntdll!_CPU_INFO ntdll!_SINGLE_LIST_ENTRY ntdll!_EXT_SET_PARAMETERS_V0 ntdll!_PS_TRUSTLET_CREATE_ATTRIBUTES ntdll!_PS_TRUSTLET_CREATE_ATTRIBUTES ntdll!_PS_TRUSTLET_ATTRIBUTE_DATA ntdll!_PS_TRUSTLET_ATTRIBUTE_DATA ntdll!_PS_TRUSTLET_ATTRIBUTE_HEADER ntdll!_PS_TRUSTLET_ATTRIBUTE_TYPE ntdll!_PS_TRUSTLET_ATTRIBUTE_TYPE ntdll!_TRUSTLET_MAILBOX_KEY ntdll!_TRUSTLET_MAILBOX_KEY ntdll!_TRUSTLET_COLLABORATION_ID ntdll!_TRUSTLET_COLLABORATION_ID ntdll!_KAFFINITY_EX ntdll!_KSTACK_COUNT ntdll!_KPROCESS ntdll!_KTHREAD ntdll!_KSTACK_CONTROL ntdll!_KSPIN_LOCK_QUEUE ntdll!_KSPIN_LOCK_QUEUE_NUMBER ntdll!_POOL_TYPE ntdll!_EX_POOL_PRIORITY ntdll!_FAST_MUTEX ntdll!_EVENT_TYPE ntdll!_KEVENT ntdll!_SLIST_HEADER ntdll!_LOOKASIDE_LIST_EX ntdll!_NPAGED_LOOKASIDE_LIST ntdll!_PAGED_LOOKASIDE_LIST ntdll!_LARGE_INTEGER ntdll!_ULARGE_INTEGER ntdll!_UNICODE_STRING ntdll!_IO_STATUS_BLOCK ntdll!_IO_STATUS_BLOCK ntdll!_QUAD ntdll!_QUAD ntdll!_WORK_QUEUE_ITEM ntdll!_EXT_DELETE_PARAMETERS ntdll!_EX_PUSH_LOCK ntdll!_PP_LOOKASIDE_LIST ntdll!_PP_NPAGED_LOOKASIDE_NUMBER ntdll!_GENERAL_LOOKASIDE ntdll!_KNODE ntdll!_ENODE ntdll!_HANDLE_TABLE ntdll!_HANDLE_TABLE_ENTRY_INFO ntdll!_HANDLE_TABLE_ENTRY ntdll!_EX_FAST_REF ntdll!_EX_FAST_REF ntdll!_EX_GEN_RANDOM_DOMAIN ntdll!<anonymous-tag> ntdll!_ACCESS_STATE ntdll!_AUX_ACCESS_DATA ntdll!_OBJECT_HANDLE_INFORMATION ntdll!_GUID ntdll!_ETHREAD ntdll!_PAGEFAULT_HISTORY ntdll!_MM_SESSION_SPACE ntdll!_EPROCESS_QUOTA_BLOCK ntdll!_PO_PROCESS_ENERGY_CONTEXT ntdll!_PS_INTERLOCKED_TIMER_DELAY_VALUES ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_EPROCESS ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_IRP ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_FILE_INFORMATION_CLASS ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_DIRECTORY_NOTIFY_INFORMATION_CLASS ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_FSINFOCLASS ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_SCSI_REQUEST_BLOCK ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_DEVICE_RELATION_TYPE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!BUS_QUERY_ID_TYPE ntdll!<anonymous-tag> ntdll!DEVICE_TEXT_TYPE ntdll!<anonymous-tag> ntdll!_DEVICE_USAGE_NOTIFICATION_TYPE ntdll!<anonymous-tag> ntdll!_SYSTEM_POWER_STATE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_POWER_STATE_TYPE ntdll!POWER_ACTION ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_IO_STACK_LOCATION ntdll!<anonymous-tag> ntdll!_DEVICE_OBJECT ntdll!_KDPC ntdll!_ECP_LIST ntdll!_IO_DRIVER_CREATE_CONTEXT ntdll!_JOB_ACCESS_STATE ntdll!_JOB_NOTIFICATION_INFORMATION ntdll!_JOB_CPU_RATE_CONTROL ntdll!_PSP_STORAGE ntdll!_JOB_NET_RATE_CONTROL ntdll!_EJOB ntdll!_IO_PRIORITY_HINT ntdll!_IO_PRIORITY_INFO ntdll!_MDL ntdll!_MEMORY_CACHING_TYPE ntdll!_EVENT_DATA_DESCRIPTOR ntdll!_EVENT_DESCRIPTOR ntdll!_EVENT_DESCRIPTOR ntdll!_EVENT_RECORD ntdll!_EVENT_RECORD ntdll!_PERFINFO_GROUPMASK ntdll!_FILE_OBJECT ntdll!_EX_RUNDOWN_REF ntdll!_MM_PAGE_ACCESS_TYPE ntdll!_MM_PAGE_ACCESS_INFO_HEADER ntdll!_PF_FILE_ACCESS_TYPE ntdll!_DEVICE_POWER_STATE ntdll!_DEVICE_POWER_STATE ntdll!_DEVICE_WAKE_DEPTH ntdll!_MCUPDATE_INFO ntdll!_PROCESS_EXTENDED_ENERGY_VALUES ntdll!_WHEA_ERROR_SOURCE_TYPE ntdll!_WHEA_ERROR_SOURCE_STATE ntdll!<anonymous-tag> ntdll!_WHEA_ERROR_SOURCE_DESCRIPTOR ntdll!_WHEA_EVENT_LOG_ENTRY ntdll!_WHEA_EVENT_LOG_ENTRY_TYPE ntdll!_WHEA_EVENT_LOG_ENTRY_ID ntdll!_WHEA_EVENT_LOG_ENTRY_FLAGS ntdll!_WHEA_ERROR_TYPE ntdll!_WHEA_ERROR_SEVERITY ntdll!_WHEA_ERROR_PACKET_DATA_FORMAT ntdll!_WHEA_ERROR_PACKET_V2 ntdll!_WHEA_ERROR_RECORD ntdll!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR ntdll!_HEAP_SUBALLOCATOR_CALLBACKS ntdll!_SEGMENT_HEAP_EXTRA ntdll!_RTL_CSPARSE_BITMAP ntdll!RTLP_CSPARSE_BITMAP_STATE ntdll!_RTL_SPARSE_ARRAY ntdll!_HEAP_VAMGR_ALLOCATOR ntdll!_RTLP_HP_ADDRESS_SPACE_TYPE ntdll!_HEAP_VAMGR_VASPACE ntdll!_HEAP_VAMGR_RANGE ntdll!_RTLP_HP_LOCK_TYPE ntdll!_RTLP_HP_HEAP_MANAGER ntdll!_RTLP_HP_ALLOC_TRACKER ntdll!_HEAP_LIST_LOOKUP ntdll!_HEAP ntdll!<anonymous-tag> ntdll!_HEAP_LOCK ntdll!_RTL_CRITICAL_SECTION ntdll!_HEAP_ENTRY ntdll!_HEAP_SEGMENT ntdll!_HEAP_VIRTUAL_ALLOC_ENTRY ntdll!_HEAP_FAILURE_TYPE ntdll!_HEAP_FREE_ENTRY ntdll!_ACTIVATION_CONTEXT_DATA ntdll!_ACTIVATION_CONTEXT_DATA ntdll!_ASSEMBLY_STORAGE_MAP ntdll!_PEB ntdll!_PEB_LDR_DATA ntdll!_LDRP_LOAD_CONTEXT ntdll!_LDR_DLL_LOAD_REASON ntdll!_LDR_DATA_TABLE_ENTRY ntdll!_INTERLOCK_SEQ ntdll!_HEAP_SUBSEGMENT ntdll!_HEAP_USERDATA_HEADER ntdll!_RTLP_HP_PADDING_HEADER ntdll!_RTL_HASH_TABLE ntdll!_RTL_HASH_ENTRY ntdll!_RTL_HASH_TABLE ntdll!_RTL_HASH_TABLE_ITERATOR ntdll!_RTL_CHASH_TABLE ntdll!_RTL_CHASH_ENTRY ntdll!_RTL_STACKDB_CONTEXT ntdll!_HEAP_LFH_FAST_REF ntdll!_HEAP_LFH_SUBSEGMENT_OWNER ntdll!_HEAP_LFH_CONTEXT ntdll!_HEAP_LFH_BUCKET ntdll!_HEAP_LFH_ONDEMAND_POINTER ntdll!_HEAP_LFH_SUBSEGMENT_ENCODED_OFFSETS ntdll!_HEAP_LFH_SUBSEGMENT ntdll!_HEAP_LFH_UNUSED_BYTES_INFO ntdll!_HEAP_LFH_LOCKMODE ntdll!_RTLP_HP_QUEUE_LOCK_HANDLE ntdll!_HEAP_VS_CONTEXT ntdll!_HEAP_VS_CHUNK_HEADER ntdll!_HEAP_VS_CHUNK_HEADER_SIZE ntdll!_HEAP_VS_CHUNK_FREE_HEADER ntdll!_HEAP_VS_SUBSEGMENT ntdll!_HEAP_VS_UNUSED_BYTES_INFO ntdll!_HEAP_PAGE_RANGE_DESCRIPTOR ntdll!_HEAP_SEG_RANGE_TYPE ntdll!_HEAP_PAGE_SEGMENT ntdll!<anonymous-tag> ntdll!_HEAP_SEG_CONTEXT ntdll!_HEAP_RUNTIME_MEMORY_STATS ntdll!_HEAP_DESCRIPTOR_KEY ntdll!_RTLP_HP_ALLOCATOR ntdll!RTL_HP_ENV_HANDLE ntdll!_SEGMENT_HEAP ntdll!_HEAP_BUCKET_COUNTERS ntdll!_HEAP_LOCAL_SEGMENT_INFO ntdll!_HEAP_LOCAL_DATA ntdll!_HEAP_BUCKET_RUN_INFO ntdll!_LFH_HEAP ntdll!_HEAP_BUCKET ntdll!_HEAP_LARGE_ALLOC_DATA ntdll!_TEB32 ntdll!_TEB64 ntdll!_FILESYSTEM_DISK_COUNTERS ntdll!_WHEA_IPF_CMC_DESCRIPTOR ntdll!_IO_RATE_CONTROL_TYPE ntdll!_WHEA_AER_ENDPOINT_DESCRIPTOR ntdll!_KINTERRUPT_POLARITY ntdll!_JOBOBJECTINFOCLASS ntdll!_HANDLE_TABLE_FREE_LIST ntdll!_KDPC_DATA ntdll!_WHEA_AER_BRIDGE_DESCRIPTOR ntdll!_ACTIVATION_CONTEXT_STACK32 ntdll!_PROCESS_SECTION_TYPE ntdll!_KLOCK_ENTRY ntdll!_KTHREAD_COUNTERS ntdll!_HEAP_TAG_ENTRY ntdll!_XSAVE_AREA ntdll!_GROUP_AFFINITY ntdll!_HEAP_COUNTERS ntdll!_INTERFACE ntdll!_HEAP_PSEUDO_TAG_ENTRY ntdll!_RTLP_HP_MEMORY_TYPE ntdll!_CLIENT_ID ntdll!_PROCESS_DISK_COUNTERS ntdll!_UNICODE_STRING ntdll!_KLOCK_ENTRY_BOOST_BITMAP ntdll!_KWAIT_BLOCK_STATE ntdll!_EVENT_HEADER_EXTENDED_DATA_ITEM ntdll!_HEAP_BUCKET_RUN_INFO ntdll!_RTL_HEAP_MEMORY_LIMIT_DATA ntdll!_KHETERO_CPU_POLICY ntdll!_KSCHEDULING_GROUP ntdll!_TEB_ACTIVE_FRAME_CONTEXT ntdll!_TEB_ACTIVE_FRAME ntdll!_DEVICE_CAPABILITIES ntdll!_JOBOBJECT_ENERGY_TRACKING_STATE ntdll!_PROCESSOR_PROFILE_CONTROL_AREA ntdll!_KHETERO_PROCESSOR_SET ntdll!_CLIENT_ID64 ntdll!_EPROCESS_VALUES ntdll!_LARGE_INTEGER ntdll!_RTL_TRACE_DATABASE ntdll!_WHEA_XPF_CMC_DESCRIPTOR ntdll!JOB_OBJECT_IO_RATE_CONTROL_FLAGS ntdll!_LDR_DDAG_STATE ntdll!_LDR_DDAG_NODE ntdll!_KOBJECTS ntdll!_JOB_RATE_CONTROL_HEADER ntdll!_RTL_DYNAMIC_HASH_TABLE_ENTRY ntdll!_WHEA_GENERIC_ERROR_DESCRIPTOR_V2 ntdll!_PROCESSOR_NUMBER ntdll!_GDI_TEB_BATCH64 ntdll!_HEAP_TUNING_PARAMETERS ntdll!_AER_ENDPOINT_DESCRIPTOR_FLAGS ntdll!_MEMORY_PHYSICAL_CONTIGUITY_UNIT_STATE ntdll!_OBJECT_TYPE ntdll!_KQOS_GROUPING_SETS ntdll!_PS_PROPERTY_SET ntdll!_PS_WAKE_REASON ntdll!_RTL_MEMORY_TYPE ntdll!_THREAD_ENERGY_VALUES ntdll!_RTL_RUN_ONCE ntdll!_KHETERO_RUNNING_TYPE ntdll!<anonymous-tag> ntdll!_RTL_HP_VS_CONFIG ntdll!_EXHANDLE ntdll!_HARDWARE_COUNTER_TYPE ntdll!_COUNTER_READING ntdll!_SECURITY_DESCRIPTOR ntdll!_REG_NOTIFY_CLASS ntdll!_REQUEST_MAILBOX ntdll!_ACTIVATION_CONTEXT_STACK ntdll!_KTHREAD_TAG ntdll!_KEXECUTE_OPTIONS ntdll!_CLIENT_ID32 ntdll!_GDI_TEB_BATCH32 ntdll!_RTL_BITMAP ntdll!_STACK_TRACE_DATABASE ntdll!_DISPATCHER_HEADER ntdll!_PEBS_DS_SAVE_AREA ntdll!_KE_WAKE_SOURCE_TYPE ntdll!_INTERLOCK_SEQ ntdll!_WHEA_GENERIC_ERROR_DESCRIPTOR ntdll!_HANDLE_TRACE_DEBUG_INFO ntdll!CPU_VENDORS ntdll!_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS ntdll!_PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS ntdll!_KREQUEST_PACKET ntdll!_PS_PROCESS_WAKE_INFORMATION ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_WHEA_PCI_SLOT_NUMBER ntdll!_PROCESS_ENERGY_VALUES ntdll!_PROCESS_VA_TYPE ntdll!_WHEA_XPF_MCE_DESCRIPTOR ntdll!_PS_RESOURCE_TYPE ntdll!_IMAGE_FILE_HEADER ntdll!_MMSUPPORT_FULL ntdll!_JOBOBJECT_WAKE_FILTER ntdll!_HEAP_SEGMGR_LARGE_PAGE_POLICY ntdll!_IO_TIMER ntdll!_RTL_FEATURE_CONFIGURATION_PRIORITY ntdll!_GENERAL_LOOKASIDE_POOL ntdll!_PERFINFO_KERNELMEMORY_USAGE_TYPE ntdll!_RTLP_HP_HEAP_GLOBALS ntdll!_RTL_STACK_TRACE_ENTRY ntdll!_NAMED_PIPE_CREATE_PARAMETERS ntdll!_ACL ntdll!_HEAP_VS_DELAY_FREE_CONTEXT ntdll!_PS_DYNAMIC_ENFORCED_ADDRESS_RANGES ntdll!_IO_ALLOCATION_ACTION ntdll!_WAIT_CONTEXT_BLOCK ntdll!_PS_PROTECTED_SIGNER ntdll!_WHEA_IPF_MCA_DESCRIPTOR ntdll!_WORKING_SET_TYPE ntdll!_RTL_USER_PROCESS_PARAMETERS ntdll!_PS_PROTECTION ntdll!_HEAP_LFH_MEM_POLICIES ntdll!DISPLAYCONFIG_SCANLINE_ORDERING ntdll!_MM_PAGE_ACCESS_INFO ntdll!_MODE ntdll!_NT_TIB64 ntdll!_DPH_HEAP_BLOCK ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_MM_PAGE_ACCESS_INFO_FLAGS ntdll!_KTHREAD_PPM_POLICY ntdll!_WHEA_AER_ROOTPORT_DESCRIPTOR ntdll!_KGATE ntdll!_flags ntdll!_PS_IO_CONTROL_ENTRY ntdll!_KSYSTEM_TIME ntdll!_RTL_HP_LFH_CONFIG ntdll!_IO_COMPLETION_CONTEXT ntdll!_VRF_RULE_CLASS_ID ntdll!_HEAP_LFH_AFFINITY_SLOT ntdll!_IMAGE_OPTIONAL_HEADER ntdll!_KPRCBFLAG ntdll!_KPROCESS_PPM_POLICY ntdll!_POWER_STATE ntdll!_ALPC_PROCESS_CONTEXT ntdll!_MEMORY_CACHING_TYPE_ORIG ntdll!_CONTEXT ntdll!_XSTATE_CONFIGURATION ntdll!_DEVICE_OBJECT_POWER_EXTENSION ntdll!_DEVOBJ_EXTENSION ntdll!_AER_ROOTPORT_DESCRIPTOR_FLAGS ntdll!_HEAP_SEGMENT_MGR_COMMIT_STATE ntdll!_RTL_HP_SEG_ALLOC_POLICY ntdll!_KDEVICE_QUEUE ntdll!_KSTACK_COUNT ntdll!_RTL_TRACE_BLOCK ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_KGDTENTRY ntdll!_ERESOURCE ntdll!_WHEA_REVISION ntdll!_SYSTEM_PROCESS_CLASSIFICATION ntdll!_HEAP_LFH_SUBSEGMENT_STATS ntdll!_WOW64_SHARED_INFORMATION ntdll!_PROCESSOR_CACHE_TYPE ntdll!_CACHE_DESCRIPTOR ntdll!_KWAIT_STATE ntdll!_KSEMAPHORE ntdll!_EVENT_HEADER ntdll!_SYSTEM_POWER_STATE_CONTEXT ntdll!_KTRAP_FRAME ntdll!_KINTERRUPT_MODE ntdll!_KINTERRUPT ntdll!_PRIVILEGE_SET ntdll!_RTL_STACK_DATABASE_LOCK ntdll!_XSAVE_AREA_HEADER ntdll!_KAPC_STATE ntdll!_KDEVICE_QUEUE_ENTRY ntdll!_INITIAL_PRIVILEGE_SET ntdll!_SECTION_OBJECT_POINTERS ntdll!_HEAP_VAMGR_CTX ntdll!_USER_ACTIVITY_PRESENCE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_WHEA_NOTIFICATION_DESCRIPTOR ntdll!_KAFFINITY_EX ntdll!_INTERFACE_TYPE ntdll!_IO_RESOURCE_REQUIREMENTS_LIST ntdll!_RTL_SRWLOCK ntdll!_KSCB ntdll!_KTSS ntdll!_HEAP_ENTRY_EXTRA ntdll!_KPROCESS_STATE ntdll!_RTLP_HP_METADATA_HEAP_CTX ntdll!_FILE_GET_QUOTA_INFORMATION ntdll!_IO_SECURITY_CONTEXT ntdll!_ENERGY_STATE_DURATION ntdll!_MMWSL_INSTANCE ntdll!_MMSUPPORT_INSTANCE ntdll!_KWAIT_BLOCK ntdll!_VPB ntdll!_MAILSLOT_CREATE_PARAMETERS ntdll!_LFH_RANDOM_DATA ntdll!_RTL_TRACE_SEGMENT ntdll!_KSHARED_READY_QUEUE ntdll!_NT_TIB ntdll!_TERMINATION_PORT ntdll!_PS_INTERLOCKED_TIMER_DELAY_VALUES ntdll!_POWER_SEQUENCE ntdll!_TRACE_INFORMATION_CLASS ntdll!_STRING32 ntdll!_WHEA_ERROR_RECORD_HEADER ntdll!_EXCEPTION_DISPOSITION ntdll!_EXCEPTION_REGISTRATION_RECORD ntdll!_GDI_TEB_BATCH ntdll!_MMSUPPORT_SHARED ntdll!_AER_BRIDGE_DESCRIPTOR_FLAGS ntdll!_PS_CLIENT_SECURITY_CONTEXT ntdll!_STRING64 ntdll!_CM_RESOURCE_LIST ntdll!_KWAIT_STATUS_REGISTER ntdll!_LUID_AND_ATTRIBUTES ntdll!_SECURITY_IMPERSONATION_LEVEL ntdll!_SECURITY_QUALITY_OF_SERVICE ntdll!_TEB_ACTIVE_FRAME_CONTEXT ntdll!_RTL_DRIVE_LETTER_CURDIR ntdll!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS ntdll!_WHEA_EVENT_LOG_ENTRY_HEADER ntdll!_PERFINFO_MM_STAT ntdll!_PS_TRUSTLET_TKSESSION_ID ntdll!_PS_TRUSTLET_TKSESSION_ID ntdll!_HEAP_LFH_SUBSEGMENT_STAT ntdll!_WHEA_DEVICE_DRIVER_DESCRIPTOR ntdll!_HEAP_GLOBAL_APPCOMPAT_FLAGS ntdll!_PO_DIAG_STACK_RECORD ntdll!_PROCESS_ENERGY_VALUES_EXTENSION ntdll!_KLOCK_ENTRY_LOCK_STATE ntdll!_SECURITY_SUBJECT_CONTEXT ntdll!_WHEA_IPF_CPE_DESCRIPTOR ntdll!_OWNER_ENTRY ntdll!_XPF_MCE_FLAGS ntdll!_SE_AUDIT_PROCESS_CREATION_INFO ntdll!_ACTIVATION_CONTEXT_STACK64 ntdll!LSA_FOREST_TRUST_RECORD_TYPE ntdll!_PPM_IDLE_SYNCHRONIZATION_STATE ntdll!_PROC_HYPERVISOR_STATE ntdll!_POP_FX_DEVICE ntdll!_KHETERO_CPU_QOS ntdll!_PROCESSOR_POWER_STATE ntdll!_KiIoAccessMap ntdll!_HEAP_FAILURE_INFORMATION ntdll!_PS_JOB_WAKE_INFORMATION ntdll!_USER_MEMORY_CACHE_ENTRY ntdll!_THREAD_WORKLOAD_CLASS ntdll!_PPM_CONCURRENCY_ACCOUNTING ntdll!_RTL_HP_SUB_ALLOCATOR_CONFIGS ntdll!_PEBS_DS_SAVE_AREA64 ntdll!_FLOATING_SAVE_AREA ntdll!_RTL_STD_LIST_ENTRY ntdll!_LEAP_SECOND_DATA ntdll!_THREAD_PERFORMANCE_DATA ntdll!_NT_TIB32 ntdll!_KDPC_LIST ntdll!_DPH_HEAP_ROOT ntdll!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS ntdll!_HEAP_LFH_SUBSEGMENT_DELAY_FREE ntdll!SYSTEM_POWER_CAPABILITIES ntdll!RTLP_HP_LFH_PERF_FLAGS ntdll!_IOP_IRP_STACK_PROFILER ntdll!_LDRP_CSLIST ntdll!_SYSTEM_FEATURE_CONFIGURATION_SECTION_TYPE ntdll!_KERNEL_STACK_SEGMENT ntdll!_MMSUPPORT_FLAGS ntdll!_WHEA_ERROR_PACKET_FLAGS ntdll!_KTIMER_EXPIRATION_TRACE ntdll!_KIDTENTRY ntdll!_PROC_FEEDBACK ntdll!_KPROCESSOR_STATE ntdll!_TIMELINE_BITMAP ntdll!_PROC_FEEDBACK_COUNTER ntdll!_SID ntdll!_SYSTEM_INFORMATION_CLASS ntdll!_PROCESS_TERMINATE_REQUEST_REASON ntdll!_PPM_FFH_THROTTLE_STATE_INFO ntdll!_RTL_CRITICAL_SECTION_DEBUG ntdll!_HEAP_BUCKET_COUNTERS ntdll!_VRF_TRIAGE_CONTEXT ntdll!_WHEA_ERROR_SOURCE_CONFIGURATION_DD ntdll!_WHEA_ERROR_RECORD_HEADER_VALIDBITS ntdll!_EXQUEUEINDEX ntdll!_KTIMER ntdll!_HEAP_USERDATA_OFFSETS ntdll!ReplacesCorHdrNumericDefines ntdll!_SYNCH_COUNTERS ntdll!JOB_OBJECT_NET_RATE_CONTROL_FLAGS ntdll!_KENTROPY_TIMING_STATE ntdll!_HANDLE_TRACE_DB_ENTRY ntdll!_LFH_BLOCK_ZONE ntdll!_ETW_BUFFER_CONTEXT ntdll!_WHEA_XPF_MC_BANK_DESCRIPTOR ntdll!_PROC_PERF_CHECK_CONTEXT ntdll!_ACCESS_REASONS ntdll!_IMAGE_DATA_DIRECTORY ntdll!_PPM_IDLE_SYNCHRONIZATION_STATE ntdll!_WHEA_TIMESTAMP ntdll!_WHEA_XPF_NMI_DESCRIPTOR ntdll!_SID_IDENTIFIER_AUTHORITY ntdll!_HEAP_OPPORTUNISTIC_LARGE_PAGE_STATS ntdll!_DPH_BLOCK_INFORMATION ntdll!_TXN_PARAMETER_BLOCK ntdll!_RTL_STD_LIST_HEAD ntdll!_PROC_PERF_HISTORY ntdll!PPM_IDLE_BUCKET_TIME_TYPE ntdll!_PROC_IDLE_ACCOUNTING ntdll!_OB_OPEN_REASON ntdll!_SECURITY_OPERATION_CODE ntdll!_OBJECT_TYPE_INITIALIZER ntdll!_MM_DRIVER_VERIFIER_DATA ntdll!_ETW_SILODRIVERSTATE ntdll!_EXP_LICENSE_STATE ntdll!_SERVERSILO_STATE ntdll!_ESERVERSILO_GLOBALS ntdll!_KCONTINUE_TYPE ntdll!_WNF_STATE_NAME ntdll!_OB_EXTENDED_PARSE_PARAMETERS ntdll!_RTL_GENERIC_COMPARE_RESULTS ntdll!_RTL_AVL_TABLE ntdll!_WHEA_PERSISTENCE_INFO ntdll!_GENERIC_MAPPING ntdll!_SEP_LOGON_SESSION_REFERENCES ntdll!_CI_NGEN_PATHS ntdll!_SEP_SILOSTATE ntdll!_KSCHEDULING_GROUP_POLICY ntdll!_LDR_SERVICE_TAG_RECORD ntdll!MCA_EXCEPTION_TYPE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_MCA_EXCEPTION ntdll!_ISRDPCSTATS ntdll!BATTERY_REPORTING_SCALE ntdll!_XSAVE_FORMAT ntdll!_OBJECT_DUMP_CONTROL ntdll!_DRIVER_OBJECT ntdll!_PROC_PERF_DOMAIN ntdll!_RTL_BALANCED_LINKS ntdll!_HEAP_EXTENDED_ENTRY ntdll!_KTIMER_TABLE ntdll!_XPF_MC_BANK_FLAGS ntdll!_PROC_PERF_HISTORY_ENTRY ntdll!_CURDIR ntdll!_HEAP_UNPACKED_ENTRY ntdll!_HEAP_UCR_DESCRIPTOR ntdll!_DRIVER_EXTENSION ntdll!_INTERRUPT_CONNECTION_DATA ntdll!_IO_RESOURCE_LIST ntdll!_KSPECIAL_REGISTERS ntdll!_PROC_PERF_CHECK ntdll!_PPM_IDLE_STATES ntdll!_PEB32 ntdll!_XSTATE_FEATURE ntdll!_SEP_RM_LSA_CONNECTION_STATE ntdll!_PROC_IDLE_SNAP ntdll!_WHEA_NOTIFICATION_FLAGS ntdll!_XSTATE_SAVE ntdll!_OBJECT_NAME_INFORMATION ntdll!_PROC_PERF_LOAD ntdll!_PF_KERNEL_GLOBALS ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME ntdll!_PROC_PERF_QOS_CLASS_POLICY ntdll!_PERF_CONTROL_STATE_SELECTION ntdll!_IO_MINI_COMPLETION_PACKET_USER ntdll!<anonymous-tag> ntdll!_IRQ_PRIORITY ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_IO_RESOURCE_DESCRIPTOR ntdll!_PEBS_DS_SAVE_AREA32 ntdll!_PROC_IDLE_POLICY ntdll!_SILO_USER_SHARED_DATA ntdll!_DBGKP_ERROR_PORT ntdll!_DBGK_SILOSTATE ntdll!_FAKE_HEAP_ENTRY ntdll!INTERRUPT_CONNECTION_TYPE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!HAL_APIC_DESTINATION_MODE ntdll!<anonymous-tag> ntdll!_INTERRUPT_VECTOR_DATA ntdll!_KQUEUE ntdll!_PROCESSOR_IDLE_CONSTRAINTS ntdll!_KTIMER_TABLE_STATE ntdll!_DESCRIPTOR ntdll!_PPM_IDLE_STATE ntdll!_WNF_SCOPE_MAP ntdll!_WNF_SILODRIVERSTATE ntdll!_EXCEPTION_RECORD ntdll!_KTIMER_TABLE_ENTRY ntdll!_WHEA_ERROR_RECORD_HEADER_FLAGS ntdll!_PROC_PERF_CONSTRAINT ntdll!_PROC_IDLE_STATE_ACCOUNTING ntdll!_CM_FULL_RESOURCE_DESCRIPTOR ntdll!_FAST_IO_DISPATCH ntdll!_EX_TIMEZONE_STATE ntdll!_TIMEZONE_CHANGE_EVENT ntdll!_OBP_SILODRIVERSTATE ntdll!_PPM_SELECTION_MENU ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_INTERRUPT_HT_INTR_INFO ntdll!_FILE_BASIC_INFORMATION ntdll!_PROC_PERF_CHECK_SNAP ntdll!_MCI_ADDR ntdll!_PPM_SELECTION_MENU_ENTRY ntdll!_ISRDPCSTATS_SEQUENCE ntdll!_FILE_NETWORK_OPEN_INFORMATION ntdll!_PROC_IDLE_STATE_BUCKET ntdll!_IO_CLIENT_EXTENSION ntdll!_OBP_SYSTEM_DOS_DEVICE_STATE ntdll!_PROCESSOR_IDLE_PREPARE_INFO ntdll!_WNF_LOCK ntdll!_COMPRESSED_DATA_INFO ntdll!_FILE_STANDARD_INFORMATION ntdll!_M128A ntdll!<anonymous-tag> ntdll!_MCI_STATS ntdll!_PROCESSOR_IDLE_DEPENDENCY ntdll!_DEVICE_MAP ntdll!_PPM_COORDINATED_SELECTION ntdll!_RTL_DYNAMIC_TIME_ZONE_INFORMATION ntdll!_FS_FILTER_CALLBACKS ntdll!_PPM_SELECTION_STATISTICS ntdll!_XSTATE_CONTEXT ntdll!_PPM_VETO_ACCOUNTING ntdll!_CM_PARTIAL_RESOURCE_LIST ntdll!_FS_FILTER_CALLBACK_DATA ntdll!_TIME_FIELDS ntdll!_PERFINFO_PPM_STATE_SELECTION ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_CM_PARTIAL_RESOURCE_DESCRIPTOR ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_INTERRUPT_REMAPPING_INFO ntdll!_PPM_VETO_ENTRY ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_FS_FILTER_SECTION_SYNC_TYPE ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!<anonymous-tag> ntdll!_FS_FILTER_PARAMETERS ntdll!_RTL_TIME_ZONE_INFORMATION ntdll!_OBJECT_DIRECTORY ntdll!_OBJECT_NAMESPACE_LOOKUPTABLE ntdll!_FS_FILTER_SECTION_SYNC_OUTPUT ntdll!_PPM_SELECTION_DEPENDENCY ntdll!_OBJECT_DIRECTORY_ENTRY
_OBJECT_ATTRIBUTES должны быть в ntdll. Попробуй удалить папку с символами для ntdll (с w-префиксом тоже) и попробовать заново загрузить, может быть загрузились криво.
MaKaKa, увы, нет. Ладно, значит не судьба. удалял вручную, делал .symfix reload , один х. вот теперь понимаю, почему все ругают майкрософт. --- Сообщение объединено, 16 авг 2022 --- MaKaKa, нашлись символы при LKD хз в чем прикол и почему это надо узнавать методом тыка.
_OBJECT_ATTRIBUTES лежит в WinTypes: Код (Text): 0:028> dt WinTypes!_OBJECT_ATTRIBUTES +0x000 Length : Uint4B +0x008 RootDirectory : Ptr64 Void +0x010 ObjectName : Ptr64 _UNICODE_STRING +0x018 Attributes : Uint4B +0x020 SecurityDescriptor : Ptr64 Void +0x028 SecurityQualityOfService : Ptr64 Void Если не знаешь, где именно лежит символ, можешь попробовать поискать его везде через dt *!symbol_name
Да, просто поверил local types в иде, там эта структура была, по-видимому, из идовых библиотек типов а не непосредственно .pdb.
HoShiMin, все равно не работает. Код (Text): 0:000> dt WinTypes!_OBJECT_ATTRIBUTES Symbol WinTypes!_OBJECT_ATTRIBUTES not found. может нужно только ядро, т.е. полноценная отладка ядра ?? Потому что при LKD у меня нашло, но это бред какой-то. а вот обычная ринг3 отладка бестолку, и удалял, и .reload и все такое делал, не находит. пустой результат. Win10 х64, тестил классический виндбг и новый.
HoShiMin, нашел причину. Если дебажить 64 бит проги, оно все находит, а нужный мне ехе был 32 битный.. хз почему так, но да, на блокноте (который 64 бит) все заработало.. --- Сообщение объединено, 16 авг 2022 --- Еще вопрос. Олли и х64дбг останавливаются на entry_point . Windbg же - где-то в кишках ntdll. Как можно перейти на entry_point? Если своя прога, то понятно, что можно поставить DebugBreak внутри winmain или подгрузить символы, а в чужой?
Попробуй bp $exentry после остановки в ntdll --- Сообщение объединено, 16 авг 2022 --- А если явно выбрать разрядность отладчика перед началом отладки? Или попробовать переключиться в wow64 через wow64exts.sw и попробовать снова?
не знал про такое. пишу, оно отвечает 0:000> !wow64exts.sw *** !wow64exts is only useful targeting architectures that support WoW *** что это значит? --- Сообщение объединено, 17 авг 2022 --- HoShiMin, точка останова сработала по символам - это какой-то анекдот! Хз, стоит ли писать в негрософт или это локальный баг, но это правда. могу показать даже по тимвьювере. Короче, если делать ATTACH то процесс - тогда оно находит символы. Если же RUN - то не находит. Я хз чем думал тот индус, что говнокодил такой хак, но факт имеет место. --- Сообщение объединено, 17 авг 2022 --- 0:015> dt *!_OBJECT_ATTRIBUTES ole32!_OBJECT_ATTRIBUTES combase!_OBJECT_ATTRIBUTES wintypes!_OBJECT_ATTRIBUTES
Не находит автоматически или не находит вообще, даже если прописать все пути и адреса символов и сделать .reload? Попробуй, кроме прочего, задать переменную окружения _NT_SYMBOL_PATH, задав там путь к символам, как ты обычно его задаёшь. Или в настройках WinDbg задай. Только убедись, что настраиваешь пути к символам, будучи в НЕприаттаченном состоянии, иначе настройки применятся лишь для текущего сеанса отладки. --- Сообщение объединено, 17 авг 2022 --- А в каком контексте ты это набрал? Если система 64х-битная, на ней запущен 32х-битный процесс, и ты аттачишься к нему 64х-битным отладчиком - эта команда должна работать.
HoShiMin, как я делаю. Запускаю UWP windbg. Хз какая там разрядность, наверное одинаковая с системой (64 бит), раз UWP ? Открываю вкладку settings - Debugging settings. Там прописаны символы к папке. Открываю переменные среды, там есть _NT_SYMBOL_PATH (путь такой же). Выбираю launch executable. И все.. Возможно, дело в том, что нужные мне символы находятся в combase.dll / wintypes.dll , которые не подгружаются при запуске этой программы? Т.е. если пишу LM , то там нет этих модулей, может оно символы ищет только в загруженных в память? А в блокноте есть. Не знаю, это гадание какое-то.
Да, ищет только в загруженных. Он же не знает, в каких ещё библиотеках, кроме загруженных, надо что-то искать - библиотек миллионы, он не будет перебирать все папки на системе в поисках нужной либы с символом. Поэтому если либа не загружена - до символов ты не доберёшься. Средствами самого WinDbg объявлять кастомные типы нельзя, но можно сделать хак, подложив ему pdb, в котором определён нужный символ: https://community.osr.com/discussion/193747
HoShiMin, еще такой вопрос. В дизасм коде внутри системных длл видно апи вызовы (скрин 1). А внутри кода приложения почему-то не видно, что это допустим CreateFile . так и должно быть или нет? Потому что х64дбг показывает вызовы апи.
Про это хз: видимо, следовать по адресам и ресолвить их не умеет. Или нужны символы для бинарника, где он не ресолвит вызовы.
