2013-10-25 137 views
1

Debugging a crash in a Win32 application

I am debugging a file parser (Win32). Every time it is fed a certain file, it crashes at the same location. I don't have access to the application's source code. I tried to analyze the root cause of the crash, and it appears to be an array out-of-bounds read, but I am not sure whether memory inside it has been corrupted. I took a crash dump with ADPlus; the minidump and the ADPlus log are linked below.

https://dl.dropboxusercontent.com/u/107519001/MINIDUMP_FirstChance_av_AccessViolation_FileParser.exe__0e04_2013-10-25_20-26-29-893_084c.dmp 

&

https://dl.dropboxusercontent.com/u/107519001/ADPlus_log_0e04_2013-10-25_20-26-18-707.log 

Debug information:

https://dl.dropboxusercontent.com/u/107519001/vc90.pdb 

Could someone please help me get to the root cause of the access violation crash.

Thanks in advance

Answers

2

FileParser reads binary data from inline1.exe and expects to see valid offsets and structure layouts, but instead an access violation occurs. This binary file doesn't have a valid header layout or offsets. Perhaps the binary is packed or encrypted.

Manual stack reconstruction: from FileParser+0x71f1

0:000> kn =0012f674 0012f674 004071f1 
# ChildEBP RetAddr 
WARNING: Stack unwind information not available. Following frames may be wrong. 
00 0012f674 73dd1eb6 FileParser+0x71f1 
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4 
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24 
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91 
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36 
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a 
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a 
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d 
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11 
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101 
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c 
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76 
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411 
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24 
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91 
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36 
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39 
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28 
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150 
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306 
14 0012feec 73dd125a user32!DispatchMessageA+0xf 
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c 
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48 
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a 
18 0012ffc0 7c816d4f FileParser+0x9472 
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23 

Disassembly up to FileParser+0x7212, where the access violation occurs.

004071ec e8e71b0000  call FileParser+0x8dd8 (00408dd8) 
004071f1 84db   test bl,bl 
004071f3 0f846f050000 je  FileParser+0x7768 (00407768) 
004071f9 8b442414  mov  eax,dword ptr [esp+14h] *Base address of inline1.exe binary 
004071fd 8b483c   mov  ecx,dword ptr [eax+3Ch] *must be offset at _IMAGE_NT_HEADERS 
00407200 8b5c0178  mov  ebx,dword ptr [ecx+eax+78h]*must be _IMAGE_DATA_DIRECTORY 
00407204 8d4c0118  lea  ecx,[ecx+eax+18h]  *must be _IMAGE_OPTIONAL_HEADER 
00407208 03d8   add  ebx,eax   *must be VA _IMAGE_DATA_DIRECTORY 
0040720a 8d4c2418  lea  ecx,[esp+18h]  * 
0040720e 895c2434  mov  dword ptr [esp+34h],ebx * 
00407212 8b530c   mov  edx,dword ptr [ebx+0Ch] *Access violation here 

The access violation occurs because ebx is 3fb80000, which is not inside the binary loaded at b80000 (the value in eax) with ImageSize 00006000.

Base address of the loaded inline1.exe: mov eax,dword ptr [esp+14h]

0:000> dps esp+14 L1 
0012f510 00b80000 inline1 
0:000> lmvm inline1 
start end  module name 
00b80000 00b86000 inline1 T (no symbols)   
Loaded symbol image file: inline1.exe 
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe 
Image name: inline1.exe 
Timestamp:  Sat Sep 28 21:27:18 2013 (52471176) 
CheckSum:   00011C84 
ImageSize:  00006000 
File version:  0.0.0.0 
Product version: 0.0.0.0 
File flags:  0 (Mask 0) 
File OS:   0 Unknown Base 
File type:  0.0 Unknown 
File date:  00000000.00000000 
Translations:  0000.04b0 0000.04e4 0409.04b0 0409.04e4 
+0

How did you find the BasePtr, StackPtr and InstructionPtr used in kn = 0012f674 0012f674 004071f1? –

+0

@sergmat - But where does '3fb00000' come from? Do you have any links describing the 'IMAGE_*' references you made? –

+0

@KjellGunnar I looked at the raw stack and tried to find valid ReturnAddress/BasePointer pairs near the current esp and the current eip. I tried the fourth or fifth one. – sergmat
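As an added illustration of the header walk in sergmat's answer (this is not code from the question, the answer, or FileParser): the disassembly reads e_lfanew at offset 0x3C of the module base, then [NT headers + 0x78]. In a 32-bit PE that is the first IMAGE_DATA_DIRECTORY entry, the export table, because the optional header starts at NT+0x18 and DataDirectory at optional header +0x60. The parser adds the image base to that RVA with no check against ImageSize, so a bogus RVA yields a pointer outside the module, which is what the +0x71f9..+0x7212 sequence and the ebx value show. The C below works on a constructed minimal image rather than inline1.exe; the export RVA 0x3f000000 is a constructed value chosen so that base + RVA reproduces the 3fb80000 seen in ebx. It shows the unchecked arithmetic beside a walk that validates every offset before use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets from the PE format (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32), matching the disassembly. */
#define DOS_E_LFANEW       0x3C   /* IMAGE_DOS_HEADER.e_lfanew: mov ecx,[eax+3Ch] */
#define NT_OPTIONAL_HEADER 0x18   /* Signature(4) + IMAGE_FILE_HEADER(20) */
#define OPT_MAGIC_PE32     0x10B
#define OPT_NUM_RVA_SIZES  0x5C   /* IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes */
#define OPT_DATA_DIRECTORY 0x60   /* IMAGE_OPTIONAL_HEADER32.DataDirectory[0] = export table */
#define NT_EXPORT_DIR      (NT_OPTIONAL_HEADER + OPT_DATA_DIRECTORY) /* 0x78: mov ebx,[ecx+eax+78h] */
#define EXPORT_DIR_SIZE    40     /* sizeof(IMAGE_EXPORT_DIRECTORY); the parser reads its +0xC */

typedef enum {
    PE_OK = 0, PE_ERR_TOO_SMALL, PE_ERR_NO_MZ, PE_ERR_LFANEW_OUT_OF_IMAGE,
    PE_ERR_NO_PE_SIG, PE_ERR_NOT_PE32, PE_ERR_NO_EXPORTS, PE_ERR_EXPORT_OUT_OF_IMAGE
} pe_status;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* What the crashing code computes: add ebx,eax with no range check (arithmetic only, no deref). */
uint32_t unchecked_export_va(uint32_t image_base, uint32_t export_rva) {
    return image_base + export_rva;
}

/* Hardened walk over a mapped image of img_size bytes: every offset is checked before use. */
pe_status locate_export_dir(const uint8_t *img, size_t img_size, uint32_t *rva_out) {
    if (img_size < DOS_E_LFANEW + 4) return PE_ERR_TOO_SMALL;
    if (img[0] != 'M' || img[1] != 'Z') return PE_ERR_NO_MZ;
    uint32_t e_lfanew = rd32(img + DOS_E_LFANEW);
    /* Subtract rather than add so a huge e_lfanew cannot wrap the comparison. */
    if (e_lfanew > img_size || img_size - e_lfanew < (size_t)(NT_EXPORT_DIR + 8))
        return PE_ERR_LFANEW_OUT_OF_IMAGE;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_ERR_NO_PE_SIG;
    if (rd16(nt + NT_OPTIONAL_HEADER) != OPT_MAGIC_PE32) return PE_ERR_NOT_PE32;
    if (rd32(nt + NT_OPTIONAL_HEADER + OPT_NUM_RVA_SIZES) < 1) return PE_ERR_NO_EXPORTS;
    uint32_t rva = rd32(nt + NT_EXPORT_DIR);
    uint32_t size = rd32(nt + NT_EXPORT_DIR + 4);
    if (rva == 0 || size == 0) return PE_ERR_NO_EXPORTS;
    /* The whole IMAGE_EXPORT_DIRECTORY must lie inside [0, img_size). */
    if (rva > img_size || img_size - rva < (size_t)EXPORT_DIR_SIZE) return PE_ERR_EXPORT_OUT_OF_IMAGE;
    if (rva_out) *rva_out = rva;
    return PE_OK;
}

/* Constructed minimal PE32 image (not inline1.exe): MZ, e_lfanew=0x80, PE signature, PE32
   magic, 16 data directories, and the export entry the caller supplies. Returns image size. */
size_t build_image(uint8_t *buf, size_t cap, uint32_t export_rva, uint32_t export_size) {
    const uint32_t e_lfanew = 0x80;
    const size_t image_size = 0x200;
    const uint16_t magic = OPT_MAGIC_PE32;
    const uint32_t ndirs = 16;
    if (cap < image_size) return 0;
    memset(buf, 0, image_size);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + DOS_E_LFANEW, &e_lfanew, 4);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    memcpy(buf + e_lfanew + NT_OPTIONAL_HEADER, &magic, 2);
    memcpy(buf + e_lfanew + NT_OPTIONAL_HEADER + OPT_NUM_RVA_SIZES, &ndirs, 4);
    memcpy(buf + e_lfanew + NT_EXPORT_DIR, &export_rva, 4);
    memcpy(buf + e_lfanew + NT_EXPORT_DIR + 4, &export_size, 4);
    return image_size;
}

/* Build a constructed image with the given export entry and validate it. */
pe_status check_constructed(uint32_t export_rva, uint32_t export_size, uint32_t *rva_out) {
    uint8_t buf[0x200];
    size_t n = build_image(buf, sizeof buf, export_rva, export_size);
    return locate_export_dir(buf, n, rva_out);
}

/* Same idea for a bad e_lfanew: only the DOS header is filled in. */
pe_status check_lfanew(uint32_t e_lfanew) {
    uint8_t buf[0x100];
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + DOS_E_LFANEW, &e_lfanew, 4);
    return locate_export_dir(buf, sizeof buf, NULL);
}

int main(void) {
    uint32_t rva = 0;
    printf("sane export entry: status %d, rva 0x%x\n", check_constructed(0x140, 0x40, &rva), rva);
    printf("crash-like entry: status %d\n", check_constructed(0x3f000000u, 0x40, NULL));
    printf("unchecked VA the parser would form: 0x%x\n", unchecked_export_va(0xb80000u, 0x3f000000u));
    return 0;
}
```

The checked walk rejects the crash-like entry before any dereference, while the unchecked arithmetic lands on 0x3fb80000, the same out-of-module address the answer reports in ebx. Real PE loaders additionally compare RVAs against SizeOfImage in the optional header and against section boundaries; the image length is used here as the bound because the constructed image is treated as already mapped.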

0
0:000> .ecxr 
eax=00b80000 ebx=3fb80000 ecx=0012f514 edx=0012f448 esi=0012f628 edi=0012f650 
eip=00407212 esp=0012f4fc ebp=00000000 iopl=0   nv up ei pl nz na pe nc 
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000    efl=00010206 
FileParser+0x7212: 
00407212 8b530c   mov  edx,dword ptr [ebx+0Ch] ds:0023:3fb8000c=???????? 
0:000> kvn 
*** Stack trace for last set context - .thread/.cxr resets it 
# ChildEBP RetAddr Args to Child    
WARNING: Stack unwind information not available. Following frames may be wrong. 
00 00000000 00000000 00000000 00000000 00000000 FileParser+0x7212 

We need FileParser.pdb to have a chance of figuring out what happened. @ebp looks bad,

+0

Hi Ser, not sure, but I hope it will help.. https://dl.dropboxusercontent.com/u/107519001/vc90.pdb Thanks for your reply. –

+0

No, it should be named FileParser.pdb; you have to enable debug information on the linker property page of the project to generate it. –