A problem with WinDbg symbols

This article is excerpted from https://gclxry.com/problem-with-windbg-symbols/
Original author: gclxry

Recently, I was analyzing a dump and wanted to see the information in the PEB, so I ran the !peb command, which returned the following:

0:000> !peb
PEB at fffde000
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
error 3 InitTypeRead( nt!_PEB at fffde000)...

It tells me that the PDB symbols are wrong, which is why !peb cannot show valid information. I found this very strange, because everything had been working well before and my debug symbol path had not changed, as follows:

0:000> .sympath
Symbol search path is: SRV*D:\symbols*https://msdl.microsoft.com/download/symbols;SRV*D:\symbols*http://172.xx.xx.xx/symbols/

Expanded Symbol search path is: srv*d:\symbols*https://msdl.microsoft.com/download/symbols;srv*d:\symbols*http://172.xx.xx.xx/symbols/

I confirmed that the debugging symbol servers of Microsoft and of our company were both working normally.

Then I used !sym noisy to turn on noisy symbol loading and ran .reload /f ntdll.dll to see how the symbols were being resolved and loaded.

0:000> !sym noisy
noisy mode - symbol prompts on
0:000> .reload /f ntdll.dll
SYMSRV:  BYINDEX: 0x9
         d:\symbols*https://msdl.microsoft.com/download/symbols
         ntdll.dll
         589C957A180000
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dll - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dl_ - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/ntdll.dll/589C957A180000/ntdll.dll
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  RESULT: 0x800C2EFD
SYMSRV:  BYINDEX: 0xA
         d:\symbols*http://172.xx.xx.xx/symbols/
         ntdll.dll
         589C957A180000
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dll - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\ntdll.dl_ - path not found
SYMSRV:  UNC: d:\symbols\ntdll.dll\589C957A180000\file.ptr - path not found
SYMSRV:  HTTPGET: /symbols//ntdll.dll/589C957A180000/ntdll.dll
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//ntdll.dll/589C957A180000/ntdll.dl_
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//ntdll.dll/589C957A180000/file.ptr
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
DBGHELP: C:\Program Files (x86)\Windows Kits\10\Debuggers\ntdll.dll - file not found
DBGENG:  C:\Windows\SysWOW64\ntdll.dll image header does not match memory image header.
DBGENG:  C:\Windows\SysWOW64\ntdll.dll - Couldn't map image from disk.
Unable to load image C:\Windows\SysWOW64\ntdll.dll, Win32 error 0n2
DBGENG:  ntdll.dll - Partial symbol image load missing image info
DBGHELP: Module is not fully loaded into memory.
DBGHELP: Searching for symbols using debugger-provided data.
SYMSRV:  BYINDEX: 0xB
         d:\symbols*https://msdl.microsoft.com/download/symbols
         wntdll.pdb
         611AE48A538F4C0B82726D75DE80A6A92
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pdb - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pd_ - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/wntdll.pdb
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  RESULT: 0x800C2EFD
SYMSRV:  BYINDEX: 0xC
         d:\symbols*http://172.xx.xx.xx/symbols/
         wntdll.pdb
         611AE48A538F4C0B82726D75DE80A6A92
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pdb - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\wntdll.pd_ - path not found
SYMSRV:  UNC: d:\symbols\wntdll.pdb\611AE48A538F4C0B82726D75DE80A6A92\file.ptr - path not found
SYMSRV:  HTTPGET: /symbols//wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/wntdll.pdb
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/wntdll.pd_
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  HTTPGET: /symbols//wntdll.pdb/611AE48A538F4C0B82726D75DE80A6A92/file.ptr
SYMSRV:  HttpQueryInfo(HTTP_QUERY_CONTENT_LENGTH): 800C2F76 - ERROR_HTTP_HEADER_NOT_FOUND
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
DBGHELP: wntdll.pdb - file not found
*** WARNING: Unable to verify timestamp for ntdll.dll
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
DBGHELP: ntdll - no symbols loaded

************* Symbol Loading Error Summary **************
Module name            Error
ntdll                  The system cannot find the file specified
                The SYMSRV client failed to find a file in the UNC store, or there
                is an invalid UNC store (an invalid path or the pingme.txt file is
                not present in the root directory), or the file is present in the
                symbol server exclusion list.

I found the line SYMSRV: HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT in the output. Could it be that Microsoft's symbol server is walled off? I manually opened the ntdll.dll symbol URL https://msdl.microsoft.com/download/symbols/ntdll.dll/589C957A180000/ntdll.dll in the browser and found that it redirects to https://vsblobprodscussu5shard87.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/787A6C8378595D38A99B4DAFBE7316691BFBE38E4D0CA1A7637EE21A8140836900.blob?sv=2017-04-17&sr=b&si=1&sig=SX5nGwAekvPaY8jUMSUlZRHUcLEH6rZ6A8Y39HjQwfM%3D&spr=https&se=2020-01-07T07%3A28%3A15Z&rscl=x-e2eid-12793ff4-22fd46ce-b05476a0-93cdf775-session-ca085441-b4d94ca1-a365b6a1-3c06aa71.

This URL really can only be opened through a proxy.
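The noisy output above mixes two different failures: the Microsoft store was never reached, while the company store answered but did not have the file. The following is an added example, not part of the original article, that parses the SYMSRV lines and decodes each RESULT HRESULT to tell the two apart; SAMPLE is constructed by trimming the output above, and classify and summarize are names introduced here.

```python
import re

# Constructed sample: a trimmed copy of the `!sym noisy` output shown above.
SAMPLE = r"""SYMSRV:  BYINDEX: 0x9
         d:\symbols*https://msdl.microsoft.com/download/symbols
         ntdll.dll
         589C957A180000
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  RESULT: 0x800C2EFD
SYMSRV:  BYINDEX: 0xA
         d:\symbols*http://172.xx.xx.xx/symbols/
         ntdll.dll
         589C957A180000
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
SYMSRV:  RESULT: 0x80190194
"""

FACILITY_INTERNET, FACILITY_HTTP = 12, 25  # HRESULT facility codes

def classify(hresult):
    """Split an HRESULT into facility and code and name the failure kind."""
    if hresult == 0:
        return "ok"
    facility, code = (hresult >> 16) & 0x7FF, hresult & 0xFFFF
    if facility == FACILITY_INTERNET:
        return f"network failure (WinINet error {code}): server not reached"
    if facility == FACILITY_HTTP:
        return f"server reached, HTTP {code}"
    return f"other failure (facility {facility}, code {code})"

def summarize(log):
    """Return one (server, file, index, verdict) tuple per SYMSRV lookup."""
    lines, results, current = log.splitlines(), [], None
    for i, line in enumerate(lines):
        if re.match(r"SYMSRV:\s+BYINDEX:", line):
            block = [s.strip() for s in lines[i + 1:i + 4]]
            if len(block) == 3:  # skip a lookup header cut off by truncation
                store, name, index = block
                current = (store.split("*", 1)[-1], name, index)
        m = re.match(r"SYMSRV:\s+RESULT:\s+0x([0-9A-Fa-f]+)", line)
        if m and current:
            results.append(current + (classify(int(m.group(1), 16)),))
            current = None
    return results

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(" | ".join(row))
```

A network-facility result points at connectivity (firewall, proxy, or the redirect target being unreachable), whereas an HTTP 404 means the store simply does not hold that file and index.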
