WinDbg dump analysis: what causes error 0x80004002 when asking for handle information?

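Question    Votes: 1    Answers: 1

I am debugging a memory dump of a process in which I assume the number of handles has become too large. When I open the dump in WinDbg, I see the following error/warning message (I don't know whether it is related to my problem):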

Dir entry 8, HandleDataStream stream has too many elements (0xfefffd > 0x400000)

When launching the WinDbg !handle extension command, I see the following error message:

0:000> !handle
ERROR: !handle: extension exception 0x80004002.
    "Unable to read handle information"

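I have already launched the same extension command on other memory dumps of the same process (possibly another version). Therefore I do not understand the relevance of most Google results for this error code (which are about a wrong interface).

Does anybody know what could cause the above error code, and what I can do to see the number of handles in the application's dump?

For your information, I am not interested in each individual handle, only in their total number.

Edit after first comment

The result of .dumpdebug is as follows (handle-related parts only):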

0:000> .dumpdebug
----- User Mini Dump Analysis

MINIDUMP_HEADER:
Version         A793 (62F0)
NumberOfStreams 13
Flags           61826
                0002 MiniDumpWithFullMemory
                0004 MiniDumpWithHandleData
                ...
Stream 8: type HandleDataStream (12), size 27D7FF98, RVA 101DEF6C
Dir entry 8, HandleDataStream stream has too many elements (0xfefffd >     0x400000)
Stream 9: type CommentStreamW (11), size 000001A0, RVA 000102E0
  '
*** "C:\Internal\Tools\Procdump\procdump.exe"  -ma  -accepteula 18732     C:\Dumps\Own_Application_PID_18732_2019_02_07_11_38_02_777_NOW.dmp
*** Manual dump'

(The results of .dumpdebug and Dumpchk.exe are very similar, so I decided not to add them.)

Edit after chdump.py results

So the results of chdump.py (partial):

MINIDUMP_HEADER EXCLUDING SIGNATURE
version                 0xa793
internal version        0x62f0
Number of Streams       0xd
Stream Directory RVA    0x20
CheckSum                0x0
u.TimeDateStamp         2019-02-07 11:45:24
Flags                   0x61826

MINIDUMP_DIRECTORY
StreamType              DataSize                RVA
0x3                     0x754                   0x434
0x11                    0x9cc                   0xb88
0x4                     0x1588                  0x1554
0x13                    0x290                   0x2adc
0x9                     0x12250                 0x37fc9f84
0x10                    0x6b080                 0x37f5ef04
0x7                     0x38                    0xbc
0xf                     0x340                   0xf4
0xc                     0x27d7ff98              0x101def6c
0xb                     0x1a0                   0x102e0
0x0                     0x0                     0x0
0x0                     0x0                     0x0
0x0                     0x0                     0x0
_MHDesc2
Handle        TypeNameRva   ObjectNameRva Attributes    GrantedAccess HandleCount   PointerCount  ObjectInfoRva Reserved0
0x4           0x10490       0x104a8       0x10          0x3           0x7c          0x1ee0c0b     0x0           0x0
0x8           0x104c2       0x0           0x0           0x100020      0x2           0x80001       0x0           0x0
0xc           0x104d0       0x104dc       0x0           0x1           0x2           0x80001       0x0           0x0
0x10          0x1055e       0x1056a       0x0           0x20019       0x2           0x80000       0x0           0x0
0x14          0x105f6       0x0           0x0           0x1f0000      0x2           0x80002       0x0           0x0
0x18          0x1060e       0x0           0x0           0x1f0003      0x2           0x80001       0x0           0x0
0x28          0x1061e       0x1062a       0x0           0xf003f       0x2           0x7ffba       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x30          0x10652       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x34          0x10662       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x38          0x10672       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x3c          0x10682       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x40          0x10692       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x44          0x106a2       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x4c          0x106b2       0x106ca       0x10          0xf           0x44          0xfe9d9c      0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x78          0x106f2       0x0           0x0           0x1f0003      0x2           0x7ffc7       0x0           0x0
0x7c          0x10702       0x1070e       0x0           0x20019       0x2           0x7fffe       0x0           0x0
0x80          0x1077a       0x0           0x0           0x100020      0x2           0x40002       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x88          0x10788       0x0           0x0           0x100003      0x2           0x40002       0x0           0x0
0x8c          0x107a0       0x0           0x0           0x100003      0x2           0x40002       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0xb0          0x107b8       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xb4          0x107c8       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xb8          0x107d8       0x0           0x0           0x1f0003      0x2           0x7fddf       0x0           0x0
0xbc          0x107f0       0x0           0x0           0x1f0003      0x2           0x7fea0       0x0           0x0
0xc0          0x10808       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xc4          0x10820       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xc8          0x10838       0x0           0x0           0x1f0003      0x2           0x7fff6       0x0           0x0
0xcc          0x10850       0x0           0x0           0x1f0003      0x2           0x7fd62       0x0           0x0
0xd0          0x10868       0x0           0x0           0x1f0003      0x2           0x6f1cc       0x0           0x0
0xd4          0x10878       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xd8          0x10888       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xdc          0x108a0       0x108ac       0x0           0xf003f       0x2           0x80000       0x0           0x0
0xe0          0x108f6       0x10902       0x0           0x20019       0x2           0x80000       0x0           0x0
0xe4          0x10958       0x10964       0x0           0x20019       0x2           0x80001       0x0           0x0
0xe8          0x10a08       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xec          0x10a18       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0xf0          0x10a28       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x100         0x10a38       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x104         0x10a48       0x0           0x0           0x1fffff      0x4           0xff501       0x10a5a       0x0
0x108         0x10a96       0x0           0x0           0x1f0000      0x2           0x7fff8       0x0           0x0
0x10c         0x10aae       0x0           0x0           0x1f0003      0x2           0x7fffe       0x0           0x0
0x110         0x10abe       0x0           0x0           0x1f0003      0x2           0x5ebe2       0x0           0x0
0x114         0x10adc       0x0           0x0           0xf00ff       0x2           0x73b3f       0x0           0x0
0x118         0x10b00       0x0           0x0           0x100002      0x2           0x80002       0x0           0x0
0x11c         0x10b10       0x0           0x0           0x1           0x2           0x80002       0x0           0x0
0x120         0x10b3e       0x0           0x0           0x100002      0x2           0x7d72d       0x0           0x0
0x124         0x10b4e       0x0           0x0           0x1           0x2           0x5ebe2       0x0           0x0
0x128         0x10b7c       0x0           0x0           0x1f0003      0x2           0x80000       0x0           0x0
0x12c         0x10b8c       0x0           0x0           0x1f0003      0x2           0x80000       0x0           0x0
0x130         0x10b9c       0x0           0x0           0x1f0003      0x2           0x5671f       0x0           0x0
0x134         0x10bac       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x138         0x10bbc       0x0           0x0           0x1fffff      0x4           0xbf505       0x10bce       0x0
0x13c         0x10c0a       0x0           0x0           0x1f0003      0x2           0x40002       0x0           0x0
0x140         0x10c1a       0x0           0x0           0x1f0003      0x2           0x74432       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x148         0x10c2a       0x0           0x0           0x1f0003      0x2           0x80001       0x0           0x0
0x14c         0x10c3a       0x0           0x0           0x100001      0x2           0x7feb3       0x0           0x0
0x150         0x10c48       0x0           0x0           0x1f0003      0x2           0x80001       0x0           0x0
0x154         0x10c58       0x0           0x0           0x1f0000      0x2           0x4d899       0x0           0x0
0x158         0x10c70       0x0           0x0           0x1f0003      0x2           0x7ffdc       0x0           0x0
0x15c         0x10c80       0x0           0x0           0x1f0003      0x2           0x80000       0x0           0x0
0x160         0x10c90       0x10c9c       0x0           0xf003f       0x2           0x7ffd6       0x0           0x0
0x164         0x10ce6       0x0           0x0           0x1f0003      0x2           0x80000       0x0           0x0
0x168         0x10cf6       0x10d0a       0x0           0x4           0xa3          0x28c0002     0x0           0x0
0x16c         0x10d5a       0x10d66       0x0           0xf003f       0x2           0x7ffc4       0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x174         0x10db0       0x10dc0       0x10          0x100001      0x53          0x18003f      0x0           0x0
0x178         0x10e10       0x10e1c       0x0           0x20019       0x2           0x7fff4       0x0           0x0
0x17c         0x10e94       0x10ea0       0x0           0x20019       0x2           0x7fff4       0x0           0x0
0x180         0x10f1c       0x10f30       0x0           0x4           0xa3          0x28c0002     0x0           0x0
0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0           0x0
0x188         0x10f80       0x0           0x0           0x120089      0x2           0x7fffc       0x0           0x0
0x18c         0x10f8e       0x0           0x0           0xf0005       0x2           0x80001       0x0           0x0

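It goes quite far: the Python script even stopped, because of a memory error, after having generated ±13 million (!) lines of results.

Thanks in advance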

windbg dump handle
1 answer
0 votes

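The minidump file format is almost documented, so you can parse the file yourself without relying on WinDbg, say with Python.

The error appears to be clear: _MINIDUMP_DIRECTORY->DataSize has some corruption.

The maximum handle count, IIRC, is limited to 10000 handles per process (browse Raymond Chen's blog The Old New Thing), so there must be some hard-coded stream size limit that results in this error when violated.

Below is a quickly whipped-up Python script that takes a dump and dumps the raw data; open the dump in a hex editor and poke around, or patch it, to recover part of the handle information.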

%%writefile chkdump.py
# Python 3: dump the header, stream directory and handle descriptors of a minidump.
import sys
import os
import struct
import datetime
scriptname = os.path.split(sys.argv[0])[1]
if len(sys.argv) != 2:
    sys.exit("usage python %s path_to_dump" % scriptname)
fin = open(sys.argv[1], 'rb')
# The file is opened in binary mode, so the signature is compared as bytes.
if fin.read(4) != b'MDMP':
    fin.close()
    sys.exit("not a windbg dump file no  MDMP signature")
print("MINIDUMP_HEADER EXCLUDING SIGNATURE")
# Version (two 16-bit words), NumberOfStreams, StreamDirectoryRva, CheckSum,
# TimeDateStamp, Flags; all fields are unsigned little-endian.
dmphdr = struct.unpack("<HHIIIIQ", fin.read(28))
print("%-20s\t0x%x" % ("version", dmphdr[0]))
print("%-20s\t0x%x" % ("internal version", dmphdr[1]))
print("%-20s\t0x%x" % ("Number of Streams", dmphdr[2]))
print("%-20s\t0x%x" % ("Stream Directory RVA", dmphdr[3]))
print("%-20s\t0x%x" % ("CheckSum", dmphdr[4]))
print("%-20s\t%s" % ("u.TimeDateStamp", datetime.datetime.fromtimestamp(dmphdr[5])))
print("%-20s\t0x%x" % ("Flags", dmphdr[6]))
print("\nMINIDUMP_DIRECTORY ")
print("%-24s%-24s%-24s" % ("StreamType", "DataSize", "RVA"))
# Go to the directory explicitly instead of assuming it follows the header.
fin.seek(dmphdr[3])
streamdata = []
for i in range(dmphdr[2]):
    # Each directory entry: StreamType, DataSize, RVA.
    streamdata.append(struct.unpack("<III", fin.read(12)))
    print("%-24s%-24s%-24s" % (hex(streamdata[i][0]),
                               hex(streamdata[i][1]), hex(streamdata[i][2])))
# Stream type 0xc is HandleDataStream.
HStreamLoc, = [z for (x, y, z) in streamdata if x == 0xc]
HStreamDSize, = [y for (x, y, z) in streamdata if x == 0xc]
fin.seek(HStreamLoc)
sizeof_HDStream = 16
# SizeOfHeader, SizeOfDescriptor, NumberOfDescriptors, Reserved.
HDStream = struct.unpack("<IIII", fin.read(sizeof_HDStream))
assert (HDStream[1] * HDStream[2] + sizeof_HDStream) == HStreamDSize
print("_MHDesc2")
sizeof_MHDesc2 = 40
HDesc = []
print(("%-14s" * 9) % ("Handle", "TypeNameRva", "ObjectNameRva", "Attributes",
                       "GrantedAccess", "HandleCount", "PointerCount",
                       "ObjectInfoRva", "Reserved0"))
for i in range(HDStream[2]):
    # One 40-byte descriptor: 64-bit Handle followed by eight 32-bit fields.
    HDesc.append(struct.unpack("<QIIIIIIII", fin.read(sizeof_MHDesc2)))
    print(("%-14s" * 9) % tuple(hex(v) for v in HDesc[i]))
fin.close()

When executed, it returns data like this for the handle stream:

MINIDUMP_HEADER EXCLUDING SIGNATURE
version                 0xa793
internal version        0x61b1
Number of Streams       0xd
Stream Directory RVA    0x20
CheckSum                0x0
u.TimeDateStamp         2019-02-14 02:38:24
Flags                   0x61826

MINIDUMP_DIRECTORY 
StreamType              DataSize                RVA                     
0x3                     0x94                    0x1dc                   
0x11                    0xcc                    0x270                   
0x4                     0xc40                   0x33c                   
0x13                    0x388                   0xf7c                   
0x9                     0x1100                  0x91f0                  
0x10                    0x4f30                  0x42c0                  
0x7                     0x38                    0xbc                    
0xf                     0xe8                    0xf4                    
0xc                     0xb28                   0x3798                  
0xb                     0x58                    0x294c                  
0x0                     0x0                     0x0                     
0x0                     0x0                     0x0                     
0x0                     0x0                     0x0                     
_MHDesc2
Handle        TypeNameRva   ObjectNameRva Attributes    GrantedAccess HandleCount   PointerCount  ObjectInfoRva Reserved0     
0x4           0x29b4        0x29cc        0x10          0x3           0x2d          0x54          0x0           0x0           
0x8           0x29e6        0x0           0x0           0x100020      0x2           0x3           0x0           0x0           
0xc           0x29f4        0x0           0x0           0x100020      0x2           0x3           0x0           0x0           
0x10          0x2a02        0x0           0x0           0x100020      0x2           0x3           0x0           0x0           
0x14          0x2a10        0x0           0x0           0x1f0000      0x2           0x5           0x0           0x0         

Edit

I edited the code to print the handle, type name and object name, and put it here

The result will look like

Handle  TypeName        ObjectName
0x4     Directory       \KnownDlls
0x8     File            No ObjName
0xc     File            No ObjName
0x10    File            No ObjName
0x14    ALPC Port       No ObjName
0x18    Key             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions

It should print all 16.7 million handles in the dump if they exist.
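
Added example, not part of the original answer: since the question asks only for the total, the count can be read from the HandleDataStream header and the descriptors streamed in chunks without storing them, which avoids the memory growth reported in the question. The names `handle_summary` and `build_sample` and the synthetic dump are assumptions made for illustration; the structure layouts follow the script above.

```python
import io
import struct

HANDLE_DATA_STREAM = 0xC   # StreamType printed as 0xc in the directory above
WINDBG_LIMIT = 0x400000    # element limit quoted in the WinDbg message

def handle_summary(f, chunk=65536):
    """Count handle descriptors in a minidump without storing them."""
    if f.read(4) != b"MDMP":
        raise ValueError("no MDMP signature")
    _version, nstreams, dir_rva = struct.unpack("<III", f.read(12))
    f.seek(dir_rva)
    for _ in range(nstreams):
        stype, size, rva = struct.unpack("<III", f.read(12))
        if stype == HANDLE_DATA_STREAM:
            break
    else:
        raise ValueError("dump has no HandleDataStream")
    f.seek(rva)
    hdr_size, desc_size, count, _reserved = struct.unpack("<IIII", f.read(16))
    # Same consistency check as the script above. The question's values pass:
    # 16 + 40 * 0xfefffd == 0x27d7ff98.
    if desc_size < 8 or hdr_size + desc_size * count != size:
        raise ValueError("stream header disagrees with directory DataSize")
    f.seek(rva + hdr_size)
    rec = struct.Struct("<Q%dx" % (desc_size - 8))  # Handle, rest skipped
    nonzero, remaining = 0, count
    while remaining:
        n = min(remaining, chunk)
        buf = f.read(n * desc_size)
        if len(buf) != n * desc_size:
            raise ValueError("file ends inside the handle stream")
        # All-zero rows occur in the question's output; they are tallied
        # apart from rows with a Handle value (a choice of this example).
        nonzero += sum(1 for (h,) in rec.iter_unpack(buf) if h)
        remaining -= n
    return {"descriptors": count, "nonzero_handles": nonzero,
            "over_windbg_limit": count > WINDBG_LIMIT}

def build_sample(handles, claimed=None):
    """Constructed sample: a minimal dump holding only a HandleDataStream."""
    n = len(handles) if claimed is None else claimed
    body = b"".join(struct.pack("<Q8I", h, *[0] * 8) for h in handles)
    stream = struct.pack("<IIII", 16, 40, n, 0) + body
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", HANDLE_DATA_STREAM, len(stream), 44)
    return io.BytesIO(header + directory + stream)

if __name__ == "__main__":
    print(handle_summary(build_sample([0x4, 0x8, 0, 0xC, 0])))
```

For a real dump, pass a file opened with `open(path, "rb")` instead of the constructed sample.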
