2

我有以下情况:

我将内核调试器 (Windbg) 附加到运行Windows 10 64bit的 Hyper-V 机器上。我要调试的进程是一个32 位用户模式进程,它有时会挂起机器(它与微过滤器通信),因此我不能使用用户模式调试器或远程调试器。

现在我有一个符号服务器,我知道我要调查的进程和线程,我该如何:

  1. 仅查看此线程的调用堆栈
  2. 为我的模块加载符号

奖励问题:出于某种原因,我的程序有很多实例。除了“活动”之外,其余的在 Process Explorer 中不可见,没有线程和 0 句柄计数。什么可能导致这种情况?

我尝试过的事情:

!process ffffe08620a30800 7
(view all process threads)
...
       THREAD **ffffe0862212f800**  Cid 08a0.1cfc  Teb: 0000000000d6e000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 ffffcb0a55817c30
        Owning Process            ffffe08620a30800       Image:         avguard.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      27338460       Ticks: 1 (0:00:00:00.015)
        Context Switch Count      2999214        IdealProcessor: 0             
        UserTime                  **00:17:51.125**
        KernelTime                00:06:14.671
        Win32 Start Address 0x00000000741bbfb4
        Stack Init ffffb481db842dd0 Current ffffb481db842a10
        Base ffffb481db843000 Limit ffffb481db83d000 Call 0
        Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           : Args to Child                                                           : Call Site
        ffffb481`db842c40 00000000`77b1222c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x2f (TrapFrame @ ffffb481`db842c40)
        00000000`0333ed18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wow64cpu!CpupSyscallStub+0xc
...

这个线程是我要调查的线程。它具有很高的处理器使用率,如粗体所示:用户时间:17 分钟。但是堆栈没有帮助。然后我做了:

.thread /p /r /w ffffe0862212f800
Implicit thread is now ffffe086`2212f800
Implicit process is now ffffe086`20a30800
.cache forcedecodeuser done
Loading User Symbols
.ModLoad: 00000000`009b0000 00000000`00a25000   C:\Program Files (x86)\my process.exe
.ModLoad: 00007ffb`67e20000 00007ffb`67ff1000   C:\WINDOWS\SYSTEM32\ntdll.dll
.ModLoad: 00000000`778d0000 00000000`77922000   C:\WINDOWS\System32\wow64.dll
.ModLoad: 00000000`77850000 00000000`778c7000   C:\WINDOWS\System32\wow64win.dll
.ModLoad: 00000000`77b10000 00000000`77b1a000   C:\WINDOWS\System32\wow64cpu.dll

The context is partially valid. Only x86 user-mode context is available.
x86 context set
1: kd:x86> kb
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP          RetAddr           Args to Child                                         
WARNING: Frame IP not in any known module. Following frames may be wrong.
db842cc0 00000000 00000000 00000000 00000000 **0x819613ca**

这个地址 0x819613ca 是什么?如何提取它所属的模块?或者提取一个有意义的调用堆栈?我现在如何进一步进行调查?

4

0 回答 0