
TL;DR

Why does WinDbg's lmv show two sets of version-information fields (when I know of no other tool that does this), and in which cases can these fields differ?


Background: I have a live dump of our application (from a deadlock). Symbols are loaded correctly and I was able to trace the deadlock into Microsoft's pdm.dll (the "Process Debug Manager" used by our VBScript engine).

I then wanted to check which version of that DLL was loaded in the session at the production site:

0:000> lmv m pdm
start    end        module name
51860000 518b8000   pdm      # (pdb symbols)          d:\symcache\pdm.pdb\7BE601EDE9234816B72B49DA4A25DF042\pdm.pdb
    Loaded symbol image file: pdm.dll
    Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
??  File version:     9.0.30729.1
??  Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio .NET
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
??  ProductVersion:   7.10.3077
??  FileVersion:      7.10.3077
    FileDescription:  Process Debug Manager
    LegalCopyright:   Copyright© Microsoft Corporation.  All rights reserved.

As you can see, the file and product versions are displayed twice, but in the dump they don't match!

When I cross-check against the same file (apparently the same, judging by the timestamp and checksum!) in a running iexplore process on my machine:

0:043> lmv m pdm
start    end        module name
3efa0000 3eff8000   pdm        (pdb symbols)          c:\windows\symbols\martin-cache\pdm.pdb\415D0A165EB24613BC01CE516512062C2\pdm.pdb
    Loaded symbol image file: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image path: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
    File version:     9.0.30729.1
    Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio® 2008
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
    ProductVersion:   9.0.30729.1
    FileVersion:      9.0.30729.1 built by: SP
    FileDescription:  Process Debug Manager
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

The version information matches.

1 Answer

lmv shows the strings defined in the resource file:

[image omitted: screenshot of the version strings defined in the resource file]

I don't know why the two sets of file/product version names are the same apart from some whitespace.

0:041> lmv m kernel32
start    end        module name
753e0000 754f0000   kernel32   (deferred)             
    Image path: C:\Windows\SysWOW64\kernel32.dll
    Image name: kernel32.dll
    Timestamp:        Fri Aug 02 03:53:25 2013 (51FB1115)
    CheckSum:         00111A9F
    ImageSize:        00110000
    File version:     6.1.7601.18229
    Product version:  6.1.7601.18229
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   6.1.7601.18229
    FileVersion:      6.1.7601.18229 (win7sp1_gdr.130801-1533)

In your case you have two different DLLs; look at the image file paths.

Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\

Image path: C:\Program Files (x86)\Internet Explorer

They must have different strings in the resource section; WinDbg can only display them. Since the timestamps are the same, they may have been tampered with.

answered 2013-10-18T13:42:07.977
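The two sets of fields come from two independent parts of the same RT_VERSION resource: the first pair (`File version:` / `Product version:`, together with `File flags`, `File OS`, `File type` and `File date`) is decoded from the binary VS_FIXEDFILEINFO header, while the second pair (`FileVersion:` / `ProductVersion:`, `CompanyName`, `FileDescription`, ...) is the free-text StringFileInfo table. Nothing forces the two to agree, which is exactly what the production dump shows. The script below is an added example, not code from the question, the answer or WinDbg: it parses a VS_VERSIONINFO block, reports both sources and flags a mismatch. The sample blob is constructed in `build_sample` to mirror the dump's values (fixed header 9.0.30729.1, strings 7.10.3077); the `read_version_blob` helper, which fetches the real block from a PE file through version.dll, only works on Windows.

```python
import re
import struct

FIXED_SIG = 0xFEEF04BD  # VS_FIXEDFILEINFO.dwSignature

def _align4(n):
    return (n + 3) & ~3

def parse_block(data, offset=0):
    """Parse one block: WORD wLength, wValueLength, wType; WCHAR szKey[]; Value; children."""
    length, value_len, wtype = struct.unpack_from("<HHH", data, offset)
    pos = offset + 6
    while data[pos:pos + 2] != b"\x00\x00":  # szKey is a zero-terminated UTF-16 string
        pos += 2
    key = data[offset + 6:pos].decode("utf-16-le")
    pos = _align4(pos + 2)
    nbytes = value_len * 2 if wtype == 1 else value_len  # text lengths are counted in WCHARs
    value = data[pos:pos + nbytes]
    pos = _align4(pos + nbytes)
    end = offset + length
    children = []
    while pos < end:  # nested blocks follow the value, each 32-bit aligned
        child, pos = parse_block(data, pos)
        pos = _align4(pos)
        children.append(child)
    return {"key": key, "type": wtype, "value": value, "children": children}, end

def _strings(node, out=None):
    """Collect every text-valued block (the StringFileInfo entries) into {name: text}."""
    out = {} if out is None else out
    if node["type"] == 1 and node["value"]:
        out[node["key"]] = node["value"].decode("utf-16-le").rstrip("\x00")
    for child in node["children"]:
        _strings(child, out)
    return out

def _fixed_versions(node):
    """dwFileVersion and dwProductVersion from the 13-DWORD VS_FIXEDFILEINFO."""
    f = struct.unpack_from("<13I", node["value"])
    if f[0] != FIXED_SIG:
        raise ValueError("root value is not a VS_FIXEDFILEINFO")
    split = lambda ms, ls: (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
    return split(f[2], f[3]), split(f[4], f[5])

def version_tuple(text):
    """'9.0.30729.1 built by: SP' -> (9, 0, 30729, 1); shorter forms are zero-padded."""
    m = re.match(r"\s*([\d.,]+)", text)
    parts = [int(p) for p in re.split(r"[.,]", m.group(1)) if p] if m else []
    return tuple((parts + [0, 0, 0, 0])[:4])

def summarize(blob):
    """Report both version sources and whether the string table agrees with the fixed header."""
    root, _ = parse_block(blob)
    fixed_file, fixed_prod = _fixed_versions(root)
    strings = _strings(root)
    return {
        "fixed": {"FileVersion": fixed_file, "ProductVersion": fixed_prod},
        "strings": strings,
        "consistent": version_tuple(strings.get("FileVersion", "")) == fixed_file
        and version_tuple(strings.get("ProductVersion", "")) == fixed_prod,
    }

def _block(key, wtype, value=b"", children=b""):
    """Serialise one block with the same padding rules parse_block expects."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * ((-(6 + len(body))) % 4)
    body += value
    body += b"\x00" * ((-(6 + len(body))) % 4)
    body += children
    vlen = len(value) // 2 if wtype == 1 else len(value)
    return struct.pack("<HHH", 6 + len(body), vlen, wtype) + body

def build_sample(fixed_file, fixed_prod, string_file, string_prod):
    """Constructed VS_VERSIONINFO blob (sample data, not taken from any real file)."""
    ms_ls = lambda v: (v[0] << 16 | v[1], v[2] << 16 | v[3])
    wstr = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    fixed = struct.pack("<13I", FIXED_SIG, 0x00010000, *ms_ls(fixed_file),
                        *ms_ls(fixed_prod), 0x3F, 0, 4, 2, 0, 0, 0)  # VOS__WINDOWS32, VFT_DLL
    table = _block("040904b0", 1, children=_block("FileVersion", 1, wstr(string_file))
                   + _block("ProductVersion", 1, wstr(string_prod)))
    sfi = _block("StringFileInfo", 1, children=table)
    var = _block("VarFileInfo", 1, children=_block("Translation", 0, struct.pack("<HH", 0x0409, 0x04B0)))
    return _block("VS_VERSION_INFO", 0, fixed, sfi + var)

def read_version_blob(path):
    """Windows only: the raw VS_VERSIONINFO of a PE file, via version.dll (ctypes)."""
    import ctypes
    ver = ctypes.WinDLL("version", use_last_error=True)
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        raise ctypes.WinError(ctypes.get_last_error())
    return buf.raw

if __name__ == "__main__":
    # Same values as the production dump: fixed header 9.0.30729.1, string table 7.10.3077
    info = summarize(build_sample((9, 0, 30729, 1), (9, 0, 30729, 1), "7.10.3077", "7.10.3077"))
    print(info["fixed"], info["strings"], "consistent =", info["consistent"])
```

On Windows, `summarize(read_version_blob(r"C:\path\to\pdm.dll"))` runs the same check on a real file. Explorer's Properties dialog and most inventory tools show only the string table, so a mismatch like the one in the dump goes unnoticed unless both sources are compared; and since neither field is protected, the authoritative way to identify a module whose version matters is its Authenticode signature or file hash, not either version string.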