0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
000dccf8 0532416b 07888ff8 00000000 00000000 Flash10+0x3d914
000dcdb8 0533a17d 060aa020 060aa020 05361116 Flash10+0xd416b
000dcde4 05368d13 00000001 05331a29 057e0830 Flash10+0xea17d
000dcdec 05331a29 057e0830 0000000a 057e0000 Flash10+0x118d13
000dce1c 05459f4d 00000090 00000000 057e70d0 Flash10+0xe1a29
00000000 00000000 00000000 00000000 00000000 Flash10!DllUnregisterServer+0xe02fe
这里的出模块是 Flash10
但运行了
0:000> !analyze -v
之后
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for testflash.exe
*** ERROR: Module load completed but symbols could not be loaded for testflash.exe
*** WARNING: Unable to verify checksum for flashgame.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for flashgame.dll -
*** WARNING: Unable to verify checksum for yyyclient.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for yyyclient.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SKCHUI.DLL -
*** ERROR: Module load completed but symbols could not be loaded for xpsp2res.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MSOXMLMF.DLL -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for RTXOLAss.dll -
*** WARNING: Unable to verify checksum for DS40xxSDK.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DS40xxSDK.dll -
*** WARNING: Unable to verify checksum for ClientPlayM4.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ClientPlayM4.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for rsaenh.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for safemon.dll -
*** ERROR: Module load completed but symbols could not be loaded for shdoclc.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for sysfer.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mswsock.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for psapi.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll -
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: IMAGE_NT_HEADERS32 ***
*** ***
*************************************************************************
WARNING: lient overlaps testflash
WARNING: lient overlaps flashgame
WARNING: lient overlaps yyyclient
WARNING: lient overlaps SKCHUI
WARNING: lient overlaps xpsp2res
WARNING: lient overlaps MSOXMLMF
WARNING: lient overlaps RTXOLAss
WARNING: lient overlaps Flash10
WARNING: lient overlaps DS40xxSDK
WARNING: lient overlaps ClientPlayM4
WARNING: lient overlaps rsaenh
WARNING: lient overlaps safemon
WARNING: lient overlaps shdoclc
*** WARNING: Unable to verify timestamp for lient.dll
*** ERROR: Module load completed but symbols could not be loaded for lient.dll
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
lient+528d873
0528d914 8a08 mov cl,byte ptr [eax]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0528d914 (lient+0x0528d873)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 07889000
Attempt to read from address 07889000
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: testflash.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 07889000
READ_ADDRESS: 07889000
FOLLOWUP_IP:
lient+528d873
0528d914 8a08 mov cl,byte ptr [eax]
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[c60]
FAULTING_THREAD: 00000c60
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 0532416b to 0528d914
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
000dccf8 0532416b 07888ff8 00000000 00000000 lient+0x528d873
000dcdb8 0533a17d 060aa020 060aa020 05361116 lient+0x53240ca
000dcde4 05368d13 00000001 05331a29 057e0830 lient+0x533a0dc
000dcdec 05331a29 057e0830 0000000a 057e0000 lient+0x5368c72
000dce1c 05459f4d 00000090 00000000 057e70d0 lient+0x5331988
00000000 00000000 00000000 00000000 00000000 lient!DllUnregisterServer+0xe02fe
SYMBOL_NAME: lient.dll!Unloaded
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: lient.dll
IMAGE_NAME: lient.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 690068
STACK_COMMAND: .ecxr ; ~~[c60] ; .frame 0 ; ~0s; .ecxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_lient.dll!Unloaded
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_lient.dll!Unloaded
WATSON_STAGEONE_URL: 071K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6S2N6s2y4G2L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8W2y4@1j5h3N6W2e0$3&6W2i4K6u0r3N6r3g2K6N6r3k6D9j5i4y4Z5i4K6g2X3k6i4S2W2i4K6u0r3x3g2)9#2k6U0x3H3i4K6g2X3x3q4)9#2k6U0m8Q4x3V1j5@1j5U0l9H3j5K6x3K6j5#2)9J5c8V1k6D9j5i4y4Z5x3e0m8Q4y4h3k6G2j5%4S2Q4x3V1j5I4x3q4)9#2k6U0m8Q4y4h3j5J5i4K6g2X3y4e0c8Q4x3V1j5@1z5r3u0W2k6o6f1J5y4q4)9J5c8X3x3H3x3o6l9H3x3o6l9#2i4K6u0r3x3o6l9H3x3$3b7&6x3e0c8Q4x3X3g2Z5N6r3#2Q4x3@1k6d9k6i4c8J5K9h3q4Y4k6g2)9K6c8o6p5`.
Followup: MachineOwner
---------
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
000dccf8 0532416b 07888ff8 00000000 00000000 lient+0x528d873
000dcdb8 0533a17d 060aa020 060aa020 05361116 lient+0x53240ca
000dcde4 05368d13 00000001 05331a29 057e0830 lient+0x533a0dc
000dcdec 05331a29 057e0830 0000000a 057e0000 lient+0x5368c72
000dce1c 05459f4d 00000090 00000000 057e70d0 lient+0x5331988
00000000 00000000 00000000 00000000 00000000 lient!DllUnregisterServer+0xe02fe
