Can't find AddressOfEntryPoint in notepad.exe PE Header - windows

I'm reading the Advanced .NET Debugging book. The book references 32-bit notepad.exe and says that I should be able to find the AddressOfEntryPoint at offset 0x108, which should have an RVA of 0x31F8.
I'm using 64-bit Windows 10 and it doesn't seem to be there; the value there is 0x0B02.
When I try to disassemble this in ntsd I get a memory access error (I was expecting notepad!WinMainCRTStartup):
Microsoft (R) Windows Debugger Version 10.0.17134.12 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: \Windows\notepad.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`50db0000 00007ff6`50df1000 notepad.exe
ModLoad: 00007ffe`72370000 00007ffe`72540000 ntdll.dll
ModLoad: 00007ffe`6f970000 00007ffe`6fa1c000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe`6e880000 00007ffe`6ea9d000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe`6fea0000 00007ffe`6ff42000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffe`6fbf0000 00007ffe`6fc8e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe`70af0000 00007ffe`70b49000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffe`720c0000 00007ffe`721e1000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe`70690000 00007ffe`706c4000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe`6f5c0000 00007ffe`6f741000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe`721f0000 00007ffe`72355000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe`6e860000 00007ffe`6e87e000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe`70790000 00007ffe`70a58000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe`6f750000 00007ffe`6f845000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe`6eaa0000 00007ffe`6eb0a000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffe`706d0000 00007ffe`7078f000 C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ffe`6f4c0000 00007ffe`6f55c000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe`700b0000 00007ffe`701aa000 C:\WINDOWS\System32\COMDLG32.dll
ModLoad: 00007ffe`60bd0000 00007ffe`60e4a000 C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.2273_none_7de240fc83403786\COMCTL32.dll
ModLoad: 00007ffe`6f850000 00007ffe`6f8f9000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe`6fe40000 00007ffe`6fe92000 C:\WINDOWS\System32\SHLWAPI.dll
ModLoad: 00007ffe`70bb0000 00007ffe`720b5000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffe`6f1f0000 00007ffe`6f232000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffe`6eb10000 00007ffe`6f1e9000 C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffe`6e7d0000 00007ffe`6e81c000 C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffe`6e820000 00007ffe`6e82f000 C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffe`6e840000 00007ffe`6e854000 C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffe`6a480000 00007ffe`6a605000 C:\WINDOWS\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffe`5cca0000 00007ffe`5ccb7000 C:\WINDOWS\SYSTEM32\FeClient.dll
ModLoad: 00007ffe`678f0000 00007ffe`67976000 C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
ModLoad: 00007ffe`61120000 00007ffe`612e2000 C:\WINDOWS\SYSTEM32\urlmon.dll
ModLoad: 00007ffe`6e710000 00007ffe`6e73b000 C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`62140000 00007ffe`623e5000 C:\WINDOWS\SYSTEM32\iertutil.dll
(40d8.452c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!LdrInitShimEngineDynamic+0x360:
00007ffe`72442cc0 cc int 3
0:000> u 00007ff2+0x0b02
00000000`00008af4 ?? ???
^ Memory access error in 'u 00007ff2+0x0b02'
Is this due to the 32/64 bitness?
What should I be doing?
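An added example, not part of the original post: a header walker that finds AddressOfEntryPoint by following `e_lfanew` instead of relying on a fixed file offset such as 0x108. Both headers are constructed; the PE32+ one assumes `e_lfanew = 0xF0`, so that offset 0x108 holds the optional-header Magic bytes `0B 02`, and its entry RVA 0x12340 is a made-up value.

```python
import struct

PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
OPT_ENTRY_OFF = 16  # AddressOfEntryPoint sits 16 bytes into the optional header


class PEFormatError(ValueError):
    """Raised when the buffer is not a plausible PE header."""


def parse_entry_point(image: bytes) -> dict:
    """Follow e_lfanew to the optional header and read AddressOfEntryPoint."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER
    if opt + 32 > len(image):
        raise PEFormatError("headers run past the end of the buffer")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        fmt = "PE32"
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == PE32_PLUS_MAGIC:
        fmt = "PE32+"  # no BaseOfData field; ImageBase is 8 bytes wide
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise PEFormatError(f"unknown optional-header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", image, opt + OPT_ENTRY_OFF)
    return {
        "format": fmt,
        "e_lfanew": e_lfanew,
        "entry_offset": opt + OPT_ENTRY_OFF,  # file offset of the field
        "entry_rva": entry_rva,
        "image_base": image_base,
    }


def entry_va(module_base: int, entry_rva: int) -> int:
    """Runtime address = base the module was actually loaded at + RVA."""
    return module_base + entry_rva


def build_sample(e_lfanew: int, magic: int, entry_rva: int, image_base: int) -> bytes:
    """Construct a minimal header (sample data, not a real executable)."""
    buf = bytearray(e_lfanew + 24 + 32)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    machine = 0x8664 if magic == PE32_PLUS_MAGIC else 0x014C
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I", buf, opt + OPT_ENTRY_OFF, entry_rva)
    if magic == PE32_PLUS_MAGIC:
        struct.pack_into("<Q", buf, opt + 24, image_base)
    else:
        struct.pack_into("<I", buf, opt + 28, image_base)
    return bytes(buf)


# Constructed: layout matching the book's numbers (entry field at 0x108, RVA 0x31F8).
BOOK_PE32 = build_sample(0xE0, PE32_MAGIC, 0x31F8, 0x01000000)
# Constructed: 64-bit layout where offset 0x108 is the Magic field instead.
WIN10_PE32PLUS = build_sample(0xF0, PE32_PLUS_MAGIC, 0x12340, 0x140000000)

if __name__ == "__main__":
    for name, img in (("book PE32", BOOK_PE32), ("PE32+", WIN10_PE32PLUS)):
        info = parse_entry_point(img)
        print(name, info["format"], hex(info["entry_offset"]), hex(info["entry_rva"]))
    # Module base taken from the notepad.exe ModLoad line in the session above.
    rva = parse_entry_point(WIN10_PE32PLUS)["entry_rva"]
    print(hex(entry_va(0x00007FF650DB0000, rva)))
```

The address to disassemble is the module base from the `ModLoad:` line plus the RVA read this way.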

Related

Debugging XP SP2/SP3 native application symbol path issue

When I tried to validate whether WinDbg had been set up properly, I opened the executable C:\WINDOWS\NOTEPAD.exe and tried to check the loaded modules.
First of all, these are the environment variables set:
_NT_SYMBOL_PATH: c:\mysymbols;SRV*c:\symbols*https://msdl.microsoft.com/download/symbols
_NT_EXECUTABLE_IMAGE_PATH: SRV*c:\symbols
This is the WinDbg output:
CommandLine: C:\WINDOWS\NOTEPAD.EXE
Symbol search path is: SRV*C:\symbols*https://msdl.microsoft.com/download/symbols;c:\mysymbols
Executable search path is: SRV*c:\symbols
ModLoad: 01000000 01014000 notepad.exe
ModLoad: 7c910000 7c9c9000 ntdll.dll
ModLoad: 7c800000 7c908000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 76350000 7639a000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77da0000 77e4a000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee3000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 773a0000 774a3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\COMCTL32.dll
ModLoad: 77be0000 77c38000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77ef0000 77f39000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e360000 7e3f1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f40000 77fb6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7e670000 7ee91000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 72f70000 72f96000 C:\WINDOWS\system32\WINSPOOL.DRV
(ef8.f6c): Break instruction exception - code 80000003 (first chance)
eax=001a1eb4 ebx=7ffd5000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c91120e esp=0007fb20 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c91120e cc int 3
I switched on sym noisy mode, called .reload and got the continued output when I tried to list the loaded modules:
0:000> !sym noisy
noisy mode - symbol prompts on
0:000> .reload
Reloading current modules
..............
DBGHELP: c:\mysymbols\ntdll.pdb - mismatched pdb
DBGHELP: c:\mysymbols\symbols\dll\ntdll.pdb - file not found
DBGHELP: c:\mysymbols\dll\ntdll.pdb - file not found
SYMSRV: Die Serververbindung wurde zurückgesetzt.
SYMSRV: c:\symbols\ntdll.pdb\A618C674A4FC40F5B1781029C2C7F68E2\ntdll.pdb not found
SYMSRV: https://msdl.microsoft.com/download/symbols/ntdll.pdb/A618C674A4FC40F5B1781029C2C7F68E2/ntdll.pdb not found
DBGHELP: C:\WINDOWS\system32\ntdll.pdb - file not found
DBGHELP: ntdll.pdb - file not found
DBGHELP: Couldn't load mismatched pdb for C:\WINDOWS\system32\ntdll.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
0:000> lm
start end module name
01000000 01014000 notepad (deferred)
72f70000 72f96000 WINSPOOL (deferred)
76350000 7639a000 comdlg32 (deferred)
773a0000 774a3000 COMCTL32 (deferred)
77be0000 77c38000 msvcrt (deferred)
77da0000 77e4a000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c908000 kernel32 (deferred)
7c910000 7c9c9000 ntdll (export symbols) C:\WINDOWS\system32\ntdll.dll
7e360000 7e3f1000 USER32 (deferred)
7e670000 7ee91000 SHELL32 (deferred)
The line 7c910000 7c9c9000 ntdll (export symbols) C:\WINDOWS\system32\ntdll.dll shows that the symbol files couldn't be loaded successfully.
I have downloaded and installed the symbols (like WindowsXP-KB835935-SP2-slp-Symbols) but still the PDB files don't seem to match with my ntdll.dll build. But why is that the case? Is there any chance I can get this to work?
As I couldn't stop pondering about the root of the problem, I reread the output above:
SYMSRV: c:\symbols\ntdll.pdb\A618C674A4FC40F5B1781029C2C7F68E2\ntdll.pdb not found
SYMSRV: https://msdl.microsoft.com/download/symbols/ntdll.pdb/A618C674A4FC40F5B1781029C2C7F68E2/ntdll.pdb not found
The debugger is looking for a symbol file having the GUID A618C674A4FC40F5B1781029C2C7F68E2; it even outputs a URI it is trying to load the pdb from. Thus, I tried to download the pdb manually, which worked, created the GUID directory manually, renamed the blob file to ntdll.pdb and placed it within the GUID directory.
As a result, it did finally work, as the following output shows:
0:000> .reload
Reloading current modules
............
DBGHELP: c:\mysymbols\ntdll.pdb - mismatched pdb
DBGHELP: c:\mysymbols\symbols\dll\ntdll.pdb - file not found
DBGHELP: c:\mysymbols\dll\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols
c:\symbols\ntdll.pdb\A618C674A4FC40F5B1781029C2C7F68E2\ntdll.pdb
..
0:000> lm
start end module name
01000000 01014000 notepad (deferred)
72f70000 72f96000 WINSPOOL (deferred)
76350000 7639a000 comdlg32 (deferred)
773a0000 774a3000 COMCTL32 (deferred)
77be0000 77c38000 msvcrt (deferred)
77da0000 77e4a000 ADVAPI32 (deferred)
77e50000 77ee2000 RPCRT4 (deferred)
77ef0000 77f38000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c907000 kernel32 (deferred)
7c910000 7c9c9000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\A618C674A4FC40F5B1781029C2C7F68E2\ntdll.pdb
7e360000 7e3f0000 USER32 (deferred)
7e670000 7ee90000 SHELL32 (deferred)
EDIT: I was finally able to get the automatic download from the symbol server working! I always thought about it in the beginning, but did not believe it could be the reason: With a newer version 6.12.0002.633 it does work as expected, while with the 6.6.07.5 it did not.
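An added example, not part of the original post: how the directory name in the SYMSRV lines is derived from the CodeView `RSDS` record in a module's debug directory (32 hex digits of GUID followed by the age in hex), giving both the local cache path and the download URL. The record bytes are constructed so that they reproduce the key shown in the log; the function names are illustrative.

```python
import ntpath
import struct
import uuid


def parse_rsds(record: bytes):
    """Parse a CodeView PDB 7.0 record: 'RSDS' + GUID(16) + Age(4) + PDB path."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not a CodeView RSDS (PDB 7.0) record")
    # The GUID is stored with its first three fields little-endian.
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    raw_name = record[24:].split(b"\0", 1)[0]
    if not raw_name:
        raise ValueError("RSDS record has no PDB file name")
    # Images may embed a full build path; the symbol store uses only the file name.
    pdb_name = ntpath.basename(raw_name.decode("utf-8", "replace"))
    return guid.hex.upper(), age, pdb_name


def symbol_key(record: bytes) -> str:
    """Directory name used by the symbol store: GUID hex digits + age in hex."""
    guid_hex, age, _ = parse_rsds(record)
    return f"{guid_hex}{age:X}"


def store_paths(record: bytes, cache_root: str, server_url: str):
    """Return (local cache path, download URL) for the PDB the image asks for."""
    _, _, pdb_name = parse_rsds(record)
    key = symbol_key(record)
    local = ntpath.join(cache_root, pdb_name, key, pdb_name)
    url = "/".join([server_url.rstrip("/"), pdb_name, key, pdb_name])
    return local, url


# Constructed record matching the GUID/age in the SYMSRV output above.
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID("A618C674-A4FC-40F5-B178-1029C2C7F68E").bytes_le
    + struct.pack("<I", 2)
    + b"ntdll.pdb\0"
)

if __name__ == "__main__":
    local, url = store_paths(
        SAMPLE_RSDS, r"c:\symbols", "https://msdl.microsoft.com/download/symbols"
    )
    print(local)
    print(url)
```

A PDB placed by hand is accepted only if its file name and this GUID-plus-age directory match what the image records, which is why the manual download into that directory resolved the "mismatched pdb" fallback.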

__debugbreak() makes windbg BUSY (Debuggee is running...)

I want to debug my code, so I added __debugbreak(); at the line where I want to break. Then I build and run my program, and windbg is invoked as expected (I had set up windbg properly in regedit, so that __debugbreak() makes windbg attach to my program). But windbg doesn't stop the program at the line where I added __debugbreak(); instead it shows BUSY (Debuggee is running...), like below:
What's the problem? How can I deal with it?
The last output in the command window is:
Microsoft (R) Windows Debugger Version 10.0.22473.1005 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
OK G:\nemu-vbox6\out\win.amd64\release\stage\debug\bin
Symbol search path is: srv*;G:\nemu-vbox6\out\win.amd64\release\stage\debug\bin
Executable search path is:
ModLoad: 00007ff7`f28c0000 00007ff7`f2e59000 C:\Program Files\Muvm6Vbox\Hypervisor\Muvm6SVC.exe
ModLoad: 00007ffb`98850000 00007ffb`98a45000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 00007ffb`97f40000 00007ffb`97ffe000 C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffb`96260000 00007ffb`96528000 C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffb`91840000 00007ffb`918d0000 C:\WINDOWS\SYSTEM32\apphelp.dll
ModLoad: 00007ffb`97d80000 00007ffb`97d88000 C:\WINDOWS\System32\PSAPI.DLL
ModLoad: 00007ffb`982b0000 00007ffb`98451000 C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffb`96230000 00007ffb`96252000 C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffb`98280000 00007ffb`982ab000 C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffb`95f70000 00007ffb`9607b000 C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffb`96080000 00007ffb`9611d000 C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffb`95530000 00007ffb`9557b000 C:\WINDOWS\SYSTEM32\POWRPROF.dll
ModLoad: 00007ffb`96580000 00007ffb`96680000 C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00000000`63490000 00000000`63528000 C:\Program Files\Muvm6Vbox\Hypervisor\MSVCP100.dll
ModLoad: 00000000`63530000 00000000`63602000 C:\Program Files\Muvm6Vbox\Hypervisor\MSVCR100.dll
ModLoad: 00007ffb`98000000 00007ffb`980ac000 C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffb`978c0000 00007ffb`979ea000 C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffb`98650000 00007ffb`986ee000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffb`96c60000 00007ffb`96cfb000 C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffb`97180000 00007ffb`978bf000 C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffb`95400000 00007ffb`954cb000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffb`4ba10000 00007ffb`4ba77000 C:\Program Files\Muvm6Vbox\Hypervisor\Muvm6DDU.dll
ModLoad: 00007ffb`96d00000 00007ffb`97172000 C:\WINDOWS\System32\SETUPAPI.dll
ModLoad: 00007ffb`96530000 00007ffb`9657e000 C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffb`4b380000 00007ffb`4ba0a000 C:\Program Files\Muvm6Vbox\Hypervisor\Muvm6RT.dll
ModLoad: 00007ffb`96870000 00007ffb`96897000 C:\WINDOWS\System32\bcrypt.dll
ModLoad: 00007ffb`97ed0000 00007ffb`97f3b000 C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffb`98140000 00007ffb`9826a000 C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffb`968a0000 00007ffb`96bf5000 C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffb`97da0000 00007ffb`97e6d000 C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ffb`8e9a0000 00007ffb`8e9aa000 C:\WINDOWS\SYSTEM32\VERSION.dll
ModLoad: 00007ffb`96680000 00007ffb`967d6000 C:\WINDOWS\System32\CRYPT32.dll
ModLoad: 00007ffb`953c0000 00007ffb`953fb000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffb`953a0000 00007ffb`953b2000 C:\WINDOWS\SYSTEM32\UMPDC.dll
ModLoad: 00007ffb`98270000 00007ffb`98278000 C:\WINDOWS\System32\NSI.dll
ModLoad: 00007ffb`97cd0000 00007ffb`97d00000 C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffb`979f0000 00007ffb`97a9d000 C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffb`94060000 00007ffb`947f0000 C:\WINDOWS\SYSTEM32\windows.storage.dll
ModLoad: 00007ffb`959c0000 00007ffb`959ee000 C:\WINDOWS\SYSTEM32\Wldp.dll
ModLoad: 00007ffb`96c00000 00007ffb`96c55000 C:\WINDOWS\System32\shlwapi.dll
ModLoad: 00007ffb`95eb0000 00007ffb`95ecf000 C:\WINDOWS\SYSTEM32\profapi.dll
ModLoad: 00007ffb`94810000 00007ffb`94822000 C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 00007ffb`967e0000 00007ffb`96863000 C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffb`985a0000 00007ffb`98649000 C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffb`841d0000 00007ffb`841e9000 C:\WINDOWS\SYSTEM32\amsi.dll
ModLoad: 00007ffb`95e30000 00007ffb`95e5e000 C:\WINDOWS\SYSTEM32\USERENV.dll
ModLoad: 00007ffb`84180000 00007ffb`841c4000 C:\Program Files\Windows Defender\MpOav.dll
ModLoad: 00007ffb`83fa0000 00007ffb`83fd5000 C:\Program Files\McAfee\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll
ModLoad: 00007ffb`961d0000 00007ffb`96230000 C:\WINDOWS\System32\WINTRUST.dll
ModLoad: 00007ffb`95930000 00007ffb`9593c000 C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffb`95b50000 00007ffb`95b62000 C:\WINDOWS\SYSTEM32\MSASN1.dll
ModLoad: 00007ffb`83c60000 00007ffb`83c7c000 C:\Program Files\McAfee\McAfee\Endpoint Security\Threat Prevention\blframeworku.dll
ModLoad: 00007ffb`83760000 00007ffb`837a2000 C:\Program Files\McAfee\McAfee\Endpoint Security\Threat Prevention\LogLib.dll
ModLoad: 00007ffb`94b50000 00007ffb`94b83000 C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 00007ffb`95910000 00007ffb`95928000 C:\WINDOWS\SYSTEM32\CRYPTSP.dll
ModLoad: 00007ffb`95030000 00007ffb`95064000 C:\WINDOWS\system32\rsaenh.dll
ModLoad: 00007ffb`97d00000 00007ffb`97d1d000 C:\WINDOWS\System32\imagehlp.dll
ModLoad: 00007ffb`94830000 00007ffb`94853000 C:\WINDOWS\SYSTEM32\gpapi.dll
ModLoad: 00007ffb`8e060000 00007ffb`8e091000 C:\WINDOWS\SYSTEM32\cryptnet.dll
ModLoad: 00000000`66f30000 00000000`66f53000 C:\Program Files\Common Files\McAfee\SystemCore\mfehida.dll
ModLoad: 00000000`66ef0000 00000000`66f2a000 C:\Program Files\Common Files\McAfee\SystemCore\mfemmsa.dll
ModLoad: 00007ffb`92ab0000 00007ffb`92b4e000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffb`986f0000 00007ffb`98805000 C:\WINDOWS\System32\MSCTF.dll
ModLoad: 00007ffb`95d10000 00007ffb`95d44000 C:\WINDOWS\SYSTEM32\DEVOBJ.dll
ModLoad: 00007ffb`90a20000 00007ffb`90a37000 C:\WINDOWS\SYSTEM32\dhcpcsvc6.DLL
ModLoad: 00007ffb`90930000 00007ffb`9094d000 C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL
ModLoad: 00007ffb`7b7d0000 00007ffb`7b848000 C:\Windows\System32\NetSetupShim.dll
ModLoad: 00007ffb`8c730000 00007ffb`8c756000 C:\Windows\System32\NetSetupApi.dll
ModLoad: 00007ffb`88530000 00007ffb`88544000 C:\Windows\System32\DEVRTL.dll
ModLoad: 00007ffb`91680000 00007ffb`9168b000 C:\WINDOWS\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffb`4b290000 00007ffb`4b37d000 C:\Program Files\Muvm6Vbox\Hypervisor\Muvm6ProxyStub.dll
ModLoad: 00007ffb`7a220000 00007ffb`7a22a000 C:\WINDOWS\SYSTEM32\msiltcfg.dll
ModLoad: 00007ffb`79e90000 00007ffb`7a1bd000 C:\WINDOWS\SYSTEM32\msi.dll
onecore\com\combase\dcomrem\channelb.cxx(7124)\combase.dll!00007FFB96999093: (caller: 00007FFB968C8A69) ReturnHr(1) tid(3f9c) 80010105 服务器出现意外情况。
(3c18.3f9c): Unknown exception - code 80010105 (first chance)

Why am I not getting ntdll correctly loaded in windbg, but it is downloaded windbg x86?

I was trying to set up my debugging environment. It works perfectly on windbg x64 10.0.17763.132; however, when I tried to use !address and !heap, it doesn't work because of "No symbols for ntdll. Cannot continue." I also tried to reinstall the C++ redistributable and the debugging tools, and nothing seems to work. I have the Windows 10 SDK, version 1809 (10.0.17763.0), and maybe the MS symbols server is having an issue with it.
ntdll log
0:000> lmvm ntdll
Browse full module list
start end module name
77370000 7750a000 ntdll (pdb symbols) c:\windbgsymbols\wntdll.pdb\D85FCE08D56038E2C69B69F29E11B5EE1\wntdll.pdb
Loaded symbol image file: C:\WINDOWS\SYSTEM32\ntdll.dll
Image path: ntdll.dll
Image name: ntdll.dll
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: A4208572 (This is a reproducible build file hash, not a timestamp)
CheckSum: 00198081
ImageSize: 0019A000
File version: 10.0.18362.387
Product version: 10.0.18362.387
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion: 10.0.18362.387
FileVersion: 10.0.18362.387 (WinBuild.160101.0800)
FileDescription: NT Layer DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
0:000> !heap
Invalid type information
0:000> !address
No symbols for ntdll. Cannot continue.
proof
This is how you see what is happening with symbol loading:
!sym noisy
.reload /f ntdll.dll

Building on Windows 7, running on Windows 2008: Unable to initialize application 0xc0000005. Using a reference to a wrapper on a C# library

I am building a C++/MFC application (I know it's an old technology, but I need to maintain it) under VS2010 and Windows 7 (x86). Running the application under Windows 2008 R2 (x64) is fine; the application starts successfully. But when I try to run the application under Windows 2008 (x86) or Windows Server 2003 it fails. I'm getting the same error on both systems: "The application failed to initialize properly (0xc0000005). Click Ok to close the Application".
It looks very strange to me, since the app is built on an x86 system but runs only on the build system (Win7 x86) and on an x64 system!
And secondly, what does the exception code 0xc0000005 mean? Any tips to find what is missing on the x86 systems that makes the application unstartable?
Here is the log from WinDbg:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Documents and Settings\Administrator\Desktop\BINTest\C****.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00581000 C*******.exe
ModLoad: 7c800000 7c8c2000 ntdll.dll
ModLoad: 77e40000 77f43000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77b90000 77b98000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 77ba0000 77bfa000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 10000000 1001a000 C:\Documents and Settings\Administrator\Desktop\BINTest\S*****************.dll
ModLoad: 79000000 79046000 C:\WINDOWS\system32\mscoree.dll
ModLoad: 78aa0000 78b5d000 C:\Documents and Settings\Administrator\Desktop\BINTest\MSVCR100.dll
ModLoad: 78050000 780b9000 C:\Documents and Settings\Administrator\Desktop\BINTest\MSVCP100.dll
ModLoad: 003a0000 003c0000 C:\Documents and Settings\Administrator\Desktop\BINTest\R*********.dll
ModLoad: 003d0000 003d8000 C:\Documents and Settings\Administrator\Desktop\BINTest\Ch*****.dll
ModLoad: 78520000 785c3000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_D08D0375\MSVCR90.dll
ModLoad: 78b60000 78f8c000 C:\Documents and Settings\Administrator\Desktop\BINTest\mfc100.dll
ModLoad: 77380000 77412000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77c00000 77c49000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77f50000 77fec000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77c50000 77cef000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77da0000 77df2000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77530000 775c7000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_5.82.3790.2778_x-ww_497C098C\COMCTL32.dll
ModLoad: 76280000 76285000 C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 7c8d0000 7d0d4000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77670000 777a4000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77d00000 77d8c000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 71bb0000 71bb9000 C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71c00000 71c17000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71bf0000 71bf8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 6d580000 6d628000 C:\WINDOWS\system32\dbghelp.dll
ModLoad: 76cf0000 76d0a000 C:\WINDOWS\system32\IPHLPAPI.DLL
ModLoad: 76b70000 76b7b000 C:\WINDOWS\system32\PSAPI.DLL
(87c.135c): Break instruction exception - code 80000003 (first chance)
eax=76c00000 ebx=7ffda000 ecx=00000003 edx=00000008 esi=7c88be14 edi=00151f38
eip=7c822577 esp=0012fb70 ebp=0012fcb4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: symbols timestamp is wrong 0x49901641 0x45d70ad8 for ntdll.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!RtlMultiByteToUnicodeN+0x6002:
7c822577 cc int 3
0:000> g
(87c.135c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=77fc2324 ecx=fffffffc edx=00000000 esi=77fc2320 edi=00000004
eip=7c8396f0 esp=0012f030 ebp=0012f058 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!strnicmp+0x22b:
7c8396f0 8b5014 mov edx,dword ptr [eax+14h] ds:0023:00000014=????????
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ADVAPI32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mscoree.dll -
Next step: removing dependencies in my project.
My project has a dependency on another C++ project (R**.dll), which is a wrapper for a C# library. When I remove this dependency my program suddenly works (at least it starts normally). How can I link with these DLLs (wrapper and C#)?
Is it related to the manifest?
Any idea?
Here is the manifest of the app:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="Microsoft.Windows.C****"
type="win32"
/>
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
</assembly>
It seems that the root cause of your problem is a conflict between two versions of the C++ runtime libraries.
Your application is compiled with Visual Studio 2010, so it requires version 10 of the C++ runtime, but it depends on another C++ project that loads version 2 of the .NET CLR. That version of the CLR, in turn, requires version 9 of the C++ runtime. Since only one version of the runtime can be loaded by a given process, chaos ensues.
The easy way out is to either build your application with Visual Studio 2008, or modify the dependent project so it targets version 4 of the .NET CLR. That way, both modules will agree on the version of the C++ runtime to load.
The hard way is to split your application into two processes: one that loads the dependent project and one that contains the application proper, and use some form of IPC to communicate between them. That way, each process will be able to load its own version of the C++ runtime.

Why isn't !locks working for me?

I'm using windbg (the latest available from the MSDN download page).
I'm trying to debug a deadlock in my app, and !locks would be very useful. However, it's not working:
0:023> !locks
NTSDEXTS: Unable to resolve ntdll!RTL_CRITICAL_SECTION_DEBUG type
NTSDEXTS: Please check your symbols
I don't know why it's upset. I've got symbols properly loaded:
0:023> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: cache*c:\debuggers\sym;SRV*http://msdl.microsoft.com/download/symbols
And NTSD agrees:
0:023> lmv m ntdll
start end module name
777b0000 77930000 ntdll (pdb symbols) c:\debuggers\sym\wntdll.pdb\E9D10FA3EB884A23A5854E04FB7E2F0C2\wntdll.pdb
Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
Image path: ntdll.dll
Image name: ntdll.dll
Timestamp: Mon Jul 13 18:11:23 2009 (4A5BDB3B)
CheckSum: 00148A78
ImageSize: 00180000
File version: 6.1.7600.16385
Product version: 6.1.7600.16385
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion: 6.1.7600.16385
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: NT Layer DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
And the stack looks good:
0:036> k
ChildEBP RetAddr
1506fdd8 7784f546 ntdll!DbgBreakPoint
1506fe08 75bf3677 ntdll!DbgUiRemoteBreakin+0x3c
1506fe14 777e9d72 kernel32!BaseThreadInitThunk+0xe
1506fe54 777e9d45 ntdll!__RtlUserThreadStart+0x70
1506fe6c 00000000 ntdll!_RtlUserThreadStart+0x1b
Any help is appreciated.
Useful link.
The correct version that fixes this is 6.12.2.633. It's part of WDK 7.1 in the "debuggers" folder in the root of the DVD (.iso).
Alternatively, grab the WDK 7.1 web installer and install "just" Debugging Tools for Windows (though that seems to involve a hundred odd megabytes of extraneous material that does not correspond with any of the checkboxes in the installer).
dlanod comments:
I also found msdn-archives, which lets you download standalone versions of the new release.
And this link does in fact work. (Much better than the WDK installer)
