The "Unable to load image ntoskrnl.exe" problem

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 14:27

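While analyzing a blue-screen dump recently, I found that the symbols for the nt module would not load, while the symbols for the other system drivers all loaded successfully.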

3: kd> .reload /f nt
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Enable verbose symbol loading output:

3: kd> !sym noisy
noisy mode - symbol prompts on
3: kd> .reload /f nt
SYMSRV:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV:  d:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV:  d:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV:  d:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV:  d:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntoskrnl.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlup.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlpa.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrnlmp.exe - file not found
DBGHELP: C:\Program Files (x86)\Debugging Tools for Windows (x86)\ntkrpamp.exe - file not found
SYMSRV:  D:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/56BCC7865ec000/ntoskrnl.exe not found
SYMSRV:  D:\mysymbol\ntkrnlup.exe\56BCC7865ec000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/56BCC7865ec000/ntkrnlup.exe not found
SYMSRV:  D:\mysymbol\ntkrnlpa.exe\56BCC7865ec000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/56BCC7865ec000/ntkrnlpa.exe not found
SYMSRV:  D:\mysymbol\ntkrnlmp.exe\56BCC7865ec000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/56BCC7865ec000/ntkrnlmp.exe not found
SYMSRV:  D:\mysymbol\ntkrpamp.exe\56BCC7865ec000\ntkrpamp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrpamp.exe/56BCC7865ec000/ntkrpamp.exe not found
DBGENG:  ntoskrnl.exe - Image mapping disallowed by non-local path.
Unable to load image ntoskrnl.exe, Win32 error 0n2
DBGENG:  ntoskrnl.exe - Partial symbol image load missing image info
DBGHELP: No header for ntoskrnl.exe.  Searching for dbg file
DBGHELP: .\ntoskrnl.dbg - file not found
DBGHELP: .\exe\ntoskrnl.dbg - path not found
DBGHELP: .\symbols\exe\ntoskrnl.dbg - path not found
DBGHELP: ntoskrnl.exe missing debug info.  Searching for pdb anyway
DBGHELP: Can't use symbol server for ntoskrnl.pdb - no header information available
DBGHELP: ntoskrnl.pdb - file not found
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
DBGHELP: nt - no symbols loaded

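However, when I extracted ntoskrnl.exe from the other party's computer and analyzed it in IDA, the symbols loaded correctly. So I placed the extracted ntoskrnl.exe at the path where WinDbg looks for it, for example: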

SYMSRV:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe not found

This time it finally loaded normally:

3: kd> .reload /f nt
DBGHELP: d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - OK
DBGENG:  d:\mysymbol\ntoskrnl.exe\56BCC7865ec000\ntoskrnl.exe - Mapped image memory
DBGHELP: nt - public symbols
         d:\mysymbol\ntkrnlmp.pdb\D7EA2B6682984A0E8697620F5571B7BF2\ntkrnlmp.pdb
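The directory name 56BCC7865ec000 in the paths above follows the symbol-store convention for PE images: the header TimeDateStamp as eight upper-case hex digits, followed by SizeOfImage in lower-case hex. The Python sketch below is an added example, not part of the original post: it computes that key from an image's headers so the extracted file can be placed where the debugger looks. The function names and the constructed sample header are assumptions for illustration.

```python
import struct
from pathlib import PureWindowsPath

def symstore_key(pe: bytes) -> str:
    """Return the symbol-store index for a PE image: TimeDateStamp as
    8 upper-case hex digits, then SizeOfImage in lower-case hex."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 + 60 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    # The COFF header follows the 4-byte signature; TimeDateStamp is at +4 in it.
    (timestamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    # The optional header follows the 20-byte COFF header; SizeOfImage sits
    # at offset 56 in both PE32 and PE32+.
    (size_of_image,) = struct.unpack_from("<I", pe, e_lfanew + 24 + 56)
    return f"{timestamp:08X}{size_of_image:x}"

def store_path(root: str, image_name: str, pe: bytes) -> str:
    """Path under a local symbol store where the debugger expects the image."""
    return str(PureWindowsPath(root, image_name, symstore_key(pe), image_name))

def build_sample_header(timestamp: int, size_of_image: int) -> bytes:
    """Constructed minimal PE header (not a real kernel image) for the demo."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x80 + 8, timestamp)  # TimeDateStamp
    struct.pack_into("<I", buf, 0x80 + 24 + 56, size_of_image)
    return bytes(buf)

if __name__ == "__main__":
    # Values taken from the key shown in the debugger output above.
    sample = build_sample_header(0x56BCC786, 0x5EC000)
    print(store_path(r"d:\mysymbol", "ntoskrnl.exe", sample))
```

For a real file, pass the bytes read from the extracted image (for example the first 4 KB of ntoskrnl.exe) instead of the constructed header.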