1

我正在调试一个文件解析器(Win32)。每次当我向它提供某个文件时,它都会在同一位置崩溃。我无权访问该应用程序的源代码。我试图分析崩溃的根本原因,似乎它的那种数组越界读取错误。但我不确定它内部是否有任何内存损坏。我使用 ADPlus 进行故障转储,下面我添加了迷你转储和 adplus 日志。

https://dl.dropboxusercontent.com/u/107519001/MINIDUMP_FirstChance_av_AccessViolation_FileParser.exe__0e04_2013-10-25_20-26-29-893_084c.dmp

&

https://dl.dropboxusercontent.com/u/107519001/ADPlus_log_0e04_2013-10-25_20-26-18-707.log

调试信息:

https://dl.dropboxusercontent.com/u/107519001/vc90.pdb

任何人都可以帮助我了解访问冲突崩溃的根本原因。

提前致谢,

4

2 回答 2

2

FileParser 从中读取二进制数据inline1.exe并期望看到有效的偏移量和结构布局,但会发生访问冲突。二进制文件没有有效的标题布局 ets。也许二进制文件被压缩或加密。

手动堆栈重建:

0:000> kn =0012f674 0012f674 004071f1
 # ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f674 73dd1eb6 FileParser+0x71f1
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306
14 0012feec 73dd125a user32!DispatchMessageA+0xf
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a
18 0012ffc0 7c816d4f FileParser+0x9472
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23

卸载,File Parser+0x71f1直到File Parser+0x7212发生访问冲突。

004071ec e8e71b0000      call    FileParser+0x8dd8 (00408dd8)   
004071f1 84db            test    bl,bl
004071f3 0f846f050000    je      FileParser+0x7768 (00407768)
004071f9 8b442414        mov     eax,dword ptr [esp+14h]    *Base address of inline1.exe binary 
004071fd 8b483c          mov     ecx,dword ptr [eax+3Ch]    *must be offset at _IMAGE_NT_HEADERS 
00407200 8b5c0178        mov     ebx,dword ptr [ecx+eax+78h]*must be _IMAGE_DATA_DIRECTORY
00407204 8d4c0118        lea     ecx,[ecx+eax+18h]      *must be _IMAGE_OPTIONAL_HEADER
00407208 03d8            add     ebx,eax            *must be VA _IMAGE_DATA_DIRECTORY
0040720a 8d4c2418        lea     ecx,[esp+18h]      * 
0040720e 895c2434        mov     dword ptr [esp+34h],ebx    *
00407212 8b530c          mov     edx,dword ptr [ebx+0Ch]    *Access violation here 

发生访问冲突是因为ebx指向3fb80000而不是内部二进制文件,b80000直到ImageSize: 00006000

基地址 inline1.exe 在eax寄存器中加载。mov eax,dword ptr [esp+14h]

0:000> dps esp+14 L1
0012f510  00b80000 inline1
0:000> lmvm inline1
start    end        module name
00b80000 00b86000   inline1  T (no symbols)           
Loaded symbol image file: inline1.exe
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe
Image name: inline1.exe
Timestamp:        Sat Sep 28 21:27:18 2013 (52471176)
CheckSum:         00011C84
ImageSize:        00006000
File version:     0.0.0.0
Product version:  0.0.0.0
File flags:       0 (Mask 0)
File OS:          0 Unknown Base
File type:        0.0 Unknown
File date:        00000000.00000000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
于 2013-10-26T20:10:52.500 回答
0
0:000> .ecxr
eax=00b80000 ebx=3fb80000 ecx=0012f514 edx=0012f448 esi=0012f628 edi=0012f650
eip=00407212 esp=0012f4fc ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
FileParser+0x7212:
00407212 8b530c          mov     edx,dword ptr [ebx+0Ch] ds:0023:3fb8000c=????????
0:000> kvn
 *** Stack trace for last set context - .thread/.cxr resets it
# ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00000000 00000000 00000000 00000000 00000000 FileParser+0x7212

我们必须有 FileParser.pdb 才有机会弄清楚发生了什么。@ebp 看起来不太好,

于 2013-10-25T17:07:04.937 回答