FileParser reads the binary data from inline1.exe and expects to find valid offsets and structure layouts, but an access violation occurs. The binary does not have a valid header layout or offsets; perhaps the binary is packed or encrypted.
Manual stack reconstruction:
0:000> kn =0012f674 0012f674 004071f1
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f674 73dd1eb6 FileParser+0x71f1
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306
14 0012feec 73dd125a user32!DispatchMessageA+0xf
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a
18 0012ffc0 7c816d4f FileParser+0x9472
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23
Unassembling from FileParser+0x71f1 up to FileParser+0x7212, where the access violation occurs:
004071ec e8e71b0000   call FileParser+0x8dd8 (00408dd8)
004071f1 84db         test bl,bl
004071f3 0f846f050000 je FileParser+0x7768 (00407768)
004071f9 8b442414     mov eax,dword ptr [esp+14h]      *Base address of inline1.exe binary
004071fd 8b483c       mov ecx,dword ptr [eax+3Ch]      *must be offset at _IMAGE_NT_HEADERS
00407200 8b5c0178     mov ebx,dword ptr [ecx+eax+78h]  *must be _IMAGE_DATA_DIRECTORY
00407204 8d4c0118     lea ecx,[ecx+eax+18h]            *must be _IMAGE_OPTIONAL_HEADER
00407208 03d8         add ebx,eax                      *must be VA _IMAGE_DATA_DIRECTORY
0040720a 8d4c2418     lea ecx,[esp+18h]                *
0040720e 895c2434     mov dword ptr [esp+34h],ebx      *
00407212 8b530c       mov edx,dword ptr [ebx+0Ch]      *Access violation here
The access violation occurs because ebx points to 3fb80000 instead of somewhere inside the binary, which spans b80000 up to b80000 + ImageSize (00006000). The base address of inline1.exe is loaded into the eax register by mov eax,dword ptr [esp+14h]:
0:000> dps esp+14 L1
0012f510 00b80000 inline1
0:000> lmvm inline1
start end module name
00b80000 00b86000 inline1 T (no symbols)
Loaded symbol image file: inline1.exe
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe
Image name: inline1.exe
Timestamp: Sat Sep 28 21:27:18 2013 (52471176)
CheckSum: 00011C84
ImageSize: 00006000
File version: 0.0.0.0
Product version: 0.0.0.0
File flags: 0 (Mask 0)
File OS: 0 Unknown Base
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
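As an added example (not code from the original post or from FileParser), the following C function performs the same header walk shown in the disassembly above, but bounds-checks every offset read from the file against ImageSize before dereferencing it. The `probe_header` helper and its constructed 0x6000-byte image are assumptions used only to replay the crash values (e_lfanew 0x80, export RVA 0x3f000000 = 3fb80000 - b80000).

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical hardened version of the header walk at FileParser+0x71f9..0x7212
   (example code, not FileParser's own): every offset read from the file is
   bounds-checked against the mapped ImageSize before it is dereferenced. */
#define E_LFANEW_OFF  0x3C  /* IMAGE_DOS_HEADER.e_lfanew */
#define OPT_HDR_OFF   0x18  /* Signature(4) + IMAGE_FILE_HEADER(0x14) = _IMAGE_OPTIONAL_HEADER */
#define DATA_DIR_OFF  0x78  /* _IMAGE_NT_HEADERS -> DataDirectory[0] */

static int in_image(size_t image_size, uint32_t off, uint32_t len) {
    return off <= image_size && len <= image_size - off;
}
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Same walk as the crashing code: returns 0 and the RVA of DataDirectory[idx],
   or a negative code naming the first header field that fails validation. */
int resolve_data_dir(const uint8_t *img, size_t image_size, unsigned idx, uint32_t *rva_out) {
    if (!in_image(image_size, E_LFANEW_OFF, 4)) return -1;
    uint32_t nt = rd32(img + E_LFANEW_OFF);                 /* mov ecx,[eax+3Ch] */
    if (!in_image(image_size, nt, OPT_HDR_OFF)) return -2;   /* e_lfanew outside image */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -3;       /* no NT signature */
    uint32_t dir = nt + DATA_DIR_OFF + idx * 8;
    if (!in_image(image_size, dir, 8)) return -4;
    uint32_t rva = rd32(img + dir);                          /* mov ebx,[ecx+eax+78h] */
    uint32_t size = rd32(img + dir + 4);
    if (rva == 0) return -5;                                 /* directory not present */
    /* The crash dereferenced [ebx+0Ch]; insist the whole directory lies inside the image. */
    if (!in_image(image_size, rva, size < 0x10 ? 0x10 : size)) return -6;
    if (rva_out) *rva_out = rva;
    return 0;
}

/* Constructed 0x6000-byte image (ImageSize 00006000 as in lmvm), parameterised so
   the bad values from the crash can be replayed; returns resolve_data_dir's code. */
int probe_header(uint32_t e_lfanew, uint32_t export_rva, uint32_t *rva_out) {
    static uint8_t img[0x6000];
    uint32_t v;
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    memcpy(img + E_LFANEW_OFF, &e_lfanew, 4);
    if (e_lfanew <= sizeof img - (DATA_DIR_OFF + 8)) {       /* lay out NT headers only if they fit */
        memcpy(img + e_lfanew, "PE\0\0", 4);
        memcpy(img + e_lfanew + DATA_DIR_OFF, &export_rva, 4);
        v = 0x28; memcpy(img + e_lfanew + DATA_DIR_OFF + 4, &v, 4);  /* DataDirectory[0].Size */
    }
    return resolve_data_dir(img, sizeof img, 0, rva_out);
}
```

With the crash's export RVA the check at step -6 rejects the header instead of reading [ebx+0Ch], and a garbage e_lfanew (typical of packed or encrypted headers) is rejected at step -2.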