0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
000dccf8 0532416b 07888ff8 00000000 00000000 Flash10+0x3d914
000dcdb8 0533a17d 060aa020 060aa020 05361116 Flash10+0xd416b
000dcde4 05368d13 00000001 05331a29 057e0830 Flash10+0xea17d
000dcdec 05331a29 057e0830 0000000a 057e0000 Flash10+0x118d13
000dce1c 05459f4d 00000090 00000000 057e70d0 Flash10+0xe1a29
00000000 00000000 00000000 00000000 00000000 Flash10!DllUnregisterServer+0xe02fe
这里的出模块是 Flash10
但运行了
0:000> !analyze -v
之后
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for testflash.exe
*** ERROR: Module load completed but symbols could not be loaded for testflash.exe
*** WARNING: Unable to verify checksum for flashgame.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for flashgame.dll -
*** WARNING: Unable to verify checksum for yyyclient.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for yyyclient.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SKCHUI.DLL -
*** ERROR: Module load completed but symbols could not be loaded for xpsp2res.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MSOXMLMF.DLL -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for RTXOLAss.dll -
*** WARNING: Unable to verify checksum for DS40xxSDK.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DS40xxSDK.dll -
*** WARNING: Unable to verify checksum for ClientPlayM4.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ClientPlayM4.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for rsaenh.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for safemon.dll -
*** ERROR: Module load completed but symbols could not be loaded for shdoclc.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for sysfer.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mswsock.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for psapi.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll -
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: IMAGE_NT_HEADERS32 ***
*** ***
*************************************************************************
WARNING: lient overlaps testflash
WARNING: lient overlaps flashgame
WARNING: lient overlaps yyyclient
WARNING: lient overlaps SKCHUI
WARNING: lient overlaps xpsp2res
WARNING: lient overlaps MSOXMLMF
WARNING: lient overlaps RTXOLAss
WARNING: lient overlaps Flash10
WARNING: lient overlaps DS40xxSDK
WARNING: lient overlaps ClientPlayM4
WARNING: lient overlaps rsaenh
WARNING: lient overlaps safemon
WARNING: lient overlaps shdoclc
*** WARNING: Unable to verify timestamp for lient.dll
*** ERROR: Module load completed but symbols could not be loaded for lient.dll
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
lient+528d873
0528d914 8a08 mov cl,byte ptr [eax]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0528d914 (lient+0x0528d873)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 07889000
Attempt to read from address 07889000
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: testflash.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 07889000
READ_ADDRESS: 07889000
FOLLOWUP_IP:
lient+528d873
0528d914 8a08 mov cl,byte ptr [eax]
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[c60]
FAULTING_THREAD: 00000c60
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 0532416b to 0528d914
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
000dccf8 0532416b 07888ff8 00000000 00000000 lient+0x528d873
000dcdb8 0533a17d 060aa020 060aa020 05361116 lient+0x53240ca
000dcde4 05368d13 00000001 05331a29 057e0830 lient+0x533a0dc
000dcdec 05331a29 057e0830 0000000a 057e0000 lient+0x5368c72
000dce1c 05459f4d 00000090 00000000 057e70d0 lient+0x5331988
00000000 00000000 00000000 00000000 00000000 lient!DllUnregisterServer+0xe02fe
SYMBOL_NAME: lient.dll!Unloaded
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: lient.dll
IMAGE_NAME: lient.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 690068
STACK_COMMAND: .ecxr ; ~~[c60] ; .frame 0 ; ~0s; .ecxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_lient.dll!Unloaded
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_lient.dll!Unloaded
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/testflash_exe/1_30_0_0/4b00c33c/Flash10_ocx/10_0_2_54/48bed524/c0000005/0003d914.htm?Retriage=1
Followup: MachineOwner
---------
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
000dccf8 0532416b 07888ff8 00000000 00000000 lient+0x528d873
000dcdb8 0533a17d 060aa020 060aa020 05361116 lient+0x53240ca
000dcde4 05368d13 00000001 05331a29 057e0830 lient+0x533a0dc
000dcdec 05331a29 057e0830 0000000a 057e0000 lient+0x5368c72
000dce1c 05459f4d 00000090 00000000 057e70d0 lient+0x5331988
00000000 00000000 00000000 00000000 00000000 lient!DllUnregisterServer+0xe02fe
