The ntdll module does not load correctly in windbg, but why?

I used windbg to debug user mode before, but I suspect that I did something to my system, because I don't remember ever having a problem using, for example, the extension command !heap before.

I clearly see that ntdll is a loaded module:

    0:001> lmvm ntdll
    start    end        module name
    77760000 778e0000   ntdll      (pdb symbols)          C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb
        Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
        Image path: C:\Windows\SysWOW64\ntdll.dll
        Image name: ntdll.dll
        Timestamp:        Wed Jul 15 13:53:36 2015 (55A69E20)
        CheckSum:         00142A8B
        ImageSize:        00180000
        File version:     6.1.7601.18933
        Product version:  6.1.7601.18933
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntdll.dll
        OriginalFilename: ntdll.dll
        ProductVersion:   6.1.7601.18933
        FileVersion:      6.1.7601.18933 (win7sp1_gdr.150715-0600)
        FileDescription:  NT Layer DLL
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

and

    0:001> !chksym ntdll

    C:\Windows\SysWOW64\ntdll.dll
        Timestamp:   55A69E20
        SizeOfImage: 180000
        pdb:         wntdll.pdb
        pdb sig:     FA9C48F9-C11D-4E08-94B8-970DECD92C97
        age:         2

    Loaded pdb is C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb

    wntdll.pdb
        pdb sig:     FA9C48F9-C11D-4E08-94B8-970DECD92C97
        age:         2

    MATCH: wntdll.pdb and C:\Windows\SysWOW64\ntdll.dll

When I try to use the heap extension, I get:

    0:001> !heap -stat
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Either you specified an unqualified symbol, or your debugger   ***
    ***    doesn't have full symbol information.  Unqualified symbol      ***
    ***    resolution is turned off by default. Please either specify a   ***
    ***    fully qualified symbol module!symbolname, or enable resolution ***
    ***    of unqualified symbols by typing ".symopt- 100". Note that     ***
    ***    enabling unqualified symbol resolution with network symbol     ***
    ***    server shares in the symbol path may cause the debugger to     ***
    ***    appear to hang for long periods of time when an incorrect      ***
    ***    symbol name is typed or the network symbol server is down.     ***
    ***                                                                   ***
    ***    For some commands to work properly, your symbol path           ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: ntdll!_PEB                                    ***
    ***                                                                   ***
    *************************************************************************

.symopt- 100 doesn't help either,

and if I try to use the critical section extension, I get a similar error:

    Bad symbols for NTDLL (error 3). Aborting.

I read that this can happen if you have a mismatch between 32 and 64 bits, or if you just don't have the correct symbol settings, but I used .symfix and can make my symbols reload with .reload /f, and I use the x86 debugger for an x86 process or 32-bit dump, so I don't see how those problems apply.

I removed windbg completely and reinstalled the Debugging Tools for Windows from MSDN, and still ran into the same problem. Surely I'm missing something obvious?

+5
debugging windows windbg
2 answers

MS stripped all type information from the latest Windows 7 PDBs. This breaks !heap. A Twitter thread about this was started by Alex Ionescu, co-author of Windows Internals, Sixth Edition: https://twitter.com/aionescu/status/634028737458114560

UPDATE: 12/10/2015. A possible workaround is a Python "PDB Type Theft" script that copies type information from one PDB to another. The use would be to copy type information from an older PDB that still has the type information that was deleted in subsequent PDBs. This link contains all the details: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/PDB-Type-Theft/ba-p/6801065#.Vhv2gPm6fmE

UPDATE: 10/22/2015: with Microsoft's patch day (2015-10-13) and KB3088195, the symbols are available again. However, symbols for the broken version were not provided, so the above may still be useful.

+8

It appears that with the Windows updates distributed on 20151013, heap information is available again.

    0:018> !chksym ntdll

    C:\Windows\SysWOW64\ntdll.dll
        Timestamp:   56099FFA
        SizeOfImage: 180000
        pdb:         wntdll.pdb
        pdb sig:     C2B37FDB-B631-4EA7-8A6D-7F51123F151E
        age:         2

    Loaded pdb is microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb

    wntdll.pdb
        pdb sig:     C2B37FDB-B631-4EA7-8A6D-7F51123F151E
        age:         2

    MATCH: wntdll.pdb and C:\Windows\SysWOW64\ntdll.dll

and

    0:018> lm vm *ntdll*
    start    end        module name
    77530000 776b0000   ntdll      (pdb symbols)          microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb
        Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
        Image path: C:\Windows\SysWOW64\ntdll.dll
        Image name: ntdll.dll
        Timestamp:        Mon Sep 28 22:15:54 2015 (56099FFA)
        CheckSum:         001412F8
        ImageSize:        00180000
        File version:     6.1.7601.23223
        Product version:  6.1.7601.23223
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntdll.dll
        OriginalFilename: ntdll.dll
        ProductVersion:   6.1.7601.23223
        FileVersion:      6.1.7601.23223 (win7sp1_ldr.150928-0600)
        FileDescription:  NT Layer DLL
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

Can you install the updates, rebuild the application and try again?

+1
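As an added check that is not part of either answer, the WinDbg command sequence below separates the two failure modes discussed on this page: a PDB that is missing or does not match the image (what .symfix and .reload /f address) versus a PDB that matches but carries no type information (what both answers describe). The only assumptions are the ones already stated in the question: an x86 WinDbg attached to a 32-bit process, with the symbol path pointing at the Microsoft symbol server.

```windbg
$$ Added diagnostic sequence (not from the question or the answers).
$$ Run in an x86 WinDbg attached to a 32-bit process.

$$ 1. Point the symbol path at the Microsoft public symbol server and
$$    force ntdll's symbols to be reloaded, so a stale local PDB is ruled out.
.symfix
.reload /f ntdll.dll

$$ 2. Confirm the loaded PDB actually matches the image (signature and age
$$    must agree, and !chksym must report MATCH), and note the File version
$$    reported by lmvm: 6.1.7601.18933 is the build the question shows as broken,
$$    6.1.7601.23223 the build the second answer shows working.
!chksym ntdll
lmvm ntdll

$$ 3. The decisive test. !heap needs the ntdll!_PEB type; dt asks for it
$$    directly. With a matching PDB that has had its types stripped, dt
$$    reports the symbol as not found even though step 2 said MATCH, and
$$    that is the case neither .symfix nor .reload /f can repair.
dt ntdll!_PEB

$$ 4. Only once step 3 prints the _PEB layout is the extension expected to work.
!heap -stat
```

If step 3 fails while step 2 reports MATCH, the remedies are the ones on this page: install the 2015-10-13 updates so a PDB with type information is served, or apply the PDB type-theft workaround from the first answer to a local copy of the PDB.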
