新建一个环境变量_NT_SYMBOL_PATH 值为: SRV*c:mysymbol* http://msdl.microsoft.com/download/symbols 

WinDBG无法加载符号表是很痛苦的事情,明明符号表的路径已经加载进去了,可是还是无法加断点,下面直接进入主题:


符号表无法加载,无法触发断点。 

1、检查sympath是否正确 

kd> .sympath 
Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;C:Windowssymbols;D:VSSDataBaseTrueCryptDriverobj_driver_debugi386 
Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;c:windowssymbols;d:vssdatabase ruecryptdriverobj_driver_debugi386 

之前的尝试,以为符号表的路径在前面和在后面关系很大,毕竟是依次查找路径的嘛,只要查找正确了,路径前后和符号表在什么位置又有什么关系呢。 

src*与;之前的区别:src*是符号表服务器上找,而;是去本地路径上去找,对于一台机子来说就一样的。 

sys文件会记录PDB文件的位置,从而找到符号表,所以设置目录必须是编译时候的目录,即使把编译目录下的文件拷贝出来放到其他地方 然后在把windbg符号目录设置成那个目录 windbg也是不认识的 因为windbg对SYS的符号文件的寻找只会去SYS指定的那个目录寻找 这点很奇特 以前配置windbg的时候百思不得其解

2、!lmi truecrypt查找相应的模块信息 

kd> !lmi truecrypt 
Loaded Module Info: [truecrypt] 
         Module: truecrypt 
   Base Address: ee21b000 
     Image Name: truecrypt.sys 
   Machine Type: 332 (I386) 
     Time Stamp: 4d889673 Tue Mar 22 20:30:43 2011 
           Size: 4ef80 
       CheckSum: 55776 
Characteristics: 102  
Debug Data Dirs: Type  Size     VA  Pointer 
             CODEVIEW    5c, 43fc8,   43fc8 RSDS - GUID: {1B9489BA-E47D-4E48-89EB-D0CB60055F22} 
               Age: 1, Pdb: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb 
     Image Type: MEMORY   - Image read successfully from loaded memory. 
    Symbol Type: EXPORT   - PDB not found 
    Load Report: export symbols 



Symbol Type: EXPORT   - PDB not found 符号表没有找到 
Export 
没有发现符号文件,使用映像文件的输出信息(如DLL的Export)作为符号 
3、检查符号表加载详细情况 
!sym noisy 
当Windbg加载Symbol文件的时候,显示Symbol的路径,默认情况下是不显示的。 
YMSRV:  无法与服务器建立连接 
SYMSRV:  c:windowssymbols ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found 
!sym quiet 不显示路径 
SYMSRV: truecrypt.pdb not found 

kd> !sym noisy 
noisy mode - symbol prompts on 

kd> .reload /f truecrypt.sys 
SYMSRV: 无法与服务器建立连接 
SYMSRV: c:windowssymbols ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found 
SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb - mismatched pdb 
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386sys ruecrypt.pdb - file not found 
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386symbolssys ruecrypt.pdb - file not found 
SYMSRV: 无法与服务器建立连接 
SYMSRV: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found 
SYMSRV: c:windowssymbols ruecrypt.pdb1B9489BAE47D4E4889EBD0CB60055F221 ruecrypt.pdb not found 
SYMSRV: http://msdl.microsoft.com/download/symbols/truecrypt.pdb/1B9489BAE47D4E4889EBD0CB60055F221/truecrypt.pdb not found
DBGHELP: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb - mismatched pdb 
DBGHELP: Couldn't load mismatched pdb for truecrypt.sys 
*** ERROR: Symbol file could not be found. Defaulted to export symbols for truecrypt.sys - 
DBGHELP: truecrypt - export symbols 


注意上面那一行,符号表的位置是正确的,也找对了,但是结果却是mismatched pdb,于是我就将debug目录下内容,删除后重新生成,并拷贝到虚拟机里,结果仍然是一样的, 
仍然是mismatched pdb。 
4、模块详情对照 
!IToldYouSo tests the validity of a module against a symbol file.The module can be specified by either its name or base address.If a symbol file is not specified, then the loaded symbol is tested. 
Otherwise, if a pdb or dbg symbol file path is specified, it is tested against the loaded module. 

kd> !itoldyouso truecrypt d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb 

truecrypt.sys 
    Timestamp: 4D889673 
  SizeOfImage: 4EF80 
          pdb: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb 
      pdb sig: 1B9489BA-E47D-4E48-89EB-D0CB60055F22 
          age: 1 

truecrypt.pdb 
      pdb sig: 329A35FA-70B8-4A97-BB0E-99BA6342AB6A 
          age: 1 

sig MISMATCH: truecrypt.pdb and truecrypt.sys 



签名不一样,结果说明我虚拟机里装载的驱动和我重新生成的符号表不一致。经过检查发现,truecrypt.exe启动时候装载的truecrypt.sys并不是在C:WindowsSystem32Drivers下面, 
而是在truecrypt.exe本身的安装目录下,替换之后,已经能够成功装载符号表了。 
如下: 

kd> !lmi truecrypt 
Loaded Module Info: [truecrypt] 
         Module: truecrypt 
   Base Address: ee1ef000 
     Image Name: truecrypt.sys 
   Machine Type: 332 (I386) 
     Time Stamp: 4d8c8e61 Fri Mar 25 20:45:21 2011 
           Size: 4f180 
       CheckSum: 5b7fa 
Characteristics: 102  
Debug Data Dirs: Type  Size     VA  Pointer 
             CODEVIEW    5c, 44148,   44148 RSDS - GUID: {160409E4-8EFC-4412-B760-4E9BF8F1A05A} 
               Age: 1, Pdb: d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb 
     Image Type: MEMORY   - Image read successfully from loaded memory. 
    Symbol Type: PDB      - Symbols loaded successfully from symbol search path. 
                 d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb 
       Compiler: Resource - front end [0.0 bld 0] - back end [9.0 bld 30729] 
    Load Report: private symbols & lines, not source indexed 
                 d:vssdatabase ruecryptdriverobj_driver_debugi386 ruecrypt.pdb