求助 - mini版大，可以幫我分析dmp檔嗎？可否指導我怎麼分析

[風流瀟灑]

MINI版大好，我是今天剛加入論壇的新手，在GOOGLE搜尋如何檢視dmp檔，找到版大的文章，也順利產生報告，這是我安裝卡巴6.0後，發生錯誤產生的dmp檔，我對系統稍有瞭解，也很想學怎麼看dmp檔，可否請幫大幫我們系統出了什麼錯誤，關於以下的報告內容有什麼重點，可助於分析呢？謝謝(因為字元太長，我刪除一中間一小段，應該沒關係吧)
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\******\AVP.6.678_06.27_10.27_608.SRV.mini.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
Debug session time: Wed Jun 27 10:27:58.000 2007 (GMT+8)
System Uptime: not available
Process Uptime: 0 days 1:40:50.000
..................................................................................................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(608.fd0): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00000000 esp=00000000 ebp=00000000 iopl=0 nv up di pl nz na po nc
cs=0000 ss=0000 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000
00000000 ?? ???
0:032> !analyze -v
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 13 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 13 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 22 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 22 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 23 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 23 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 24 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 24 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 25 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 25 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 26 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 26 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 27 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 27 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 28 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 28 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 29 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 29 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 30 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 30 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 31 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 31 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 33 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 33 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 34 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 34 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 35 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 35 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 36 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 36 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 37 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 37 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
WARNING: Teb 32 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB

FAULTING_IP:
+32b2028
032b2028 c002aa rol byte ptr [edx],0AAh

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 032b2028
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

PROCESS_NAME: avp.exe

FAULTING_MODULE: 7c920000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

WRITE_ADDRESS: 00000000

FAILED_INSTRUCTION_ADDRESS:
+32b2028
032b2028 c002aa rol byte ptr [edx],0AAh

LAST_CONTROL_TRANSFER: from 00000000 to 032b2028

STACK_TEXT:
04a3fa1c 00000000 00000000 00000000 00000000 0x32b2028


SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

FAULTING_THREAD: 00000fd0

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_STACK_CORRUPTION

STACK_COMMAND: ~32s; .ecxr ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

[mini]

其實這只能看出一些片段
看這一大堆字
請排除 * 號所圍繞的文字，因為那些是固定的說命註解文字
在執行 WinDbg 後可先清除一下 (Edit -> Clear Command Output)
再執行 !analyze -v 來分析
會比較易讀一些

首先最淺顯易懂的是
出錯的程序是 (PROCESS_NAME) avp.exe

執行的斷層是 rol byte ptr [edx],0AAh 這一行指令
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_STACK_CORRUPTION
這裡說到
壞的指令指標堆疊造成應用程式錯誤
就是指這一段

異常記錄是 EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
很明顯有溢位之嫌，windows當機幾乎都與溢位有關

斷層模組是 FAULTING_MODULE: 7c920000 ntdll

所以可判斷出
是 卡巴使用到 ntdll.dll 模組時出錯

據MS修正記載裡曾提到
ntdll.dll 的動態 連結資料庫(DLL)。這個 DLL 是作業系統與 Windows kernel 互動的一個核心元件。 ntdll.dll 中有一個緩衝區滿溢(buffer overflow)的安全弱點，而 Windows 作業系統中 有很多不同元件使用到 ntdll.dll。
or
http://support.microsoft.com/kb/261317/zh-tw (Ntdll.dll 中的死結造成程式當掉)

所以你可以試試 Windows Update 看看有沒有 更新

不過像這種情況
問題出在 windows的 核心元件
一般問題不會像debuger講的這麼單純
如果每次安裝卡巴都會當機的話
還要靠其他工具來進一步分析

這裡給個建議
.先清除 C:\WINDOWS\Prefetch 裡面所有檔案

.接著下一個 MS的 BootVis
執行以下步驟:
執行之後依序點選「Trace」→「Next Boot+Drivers Delays」，出現「Trace Repetitions」視窗後按下「OK」重新開機；
重開機後再執行BootVis，點選「File」→「Open」開啟「TRACE_BOOT+DRIVERS_1_1.BIN」這個檔案，再點選「Trace」→「Optimize System」就行了。
(會再次重開機，進入windows時請不要做什麼，等 BootVis 自己結束為止)

====================================

像
PROCESS_NAME: avp.exe

FAULTING_MODULE: 7c920000 ntdll

這兩行 會有藍色的底線 文字出現
您只要點一下
他就會繼續分析

比如:
FAULTING_MODULE: 804d8000 nt
點一下 nt

會分析出
kd> lmvm nt
start end module name
804d8000 806ec480 nt T (no symbols)
Loaded symbol image file: ntoskrnl.exe
Image path: ntoskrnl.exe
Image name: ntoskrnl.exe
Timestamp: Wed Feb 28 17:10:41 2007 (45E54711)
CheckSum: 00217A95
ImageSize: 00214480
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

那不就更清楚表示出
執行時的斷層出現在 ntoskrnl.exe 裡嗎 ?

[風流瀟灑]

喔喔!!感謝mini的解答，其實我也看出了一些東西，不過第一次玩dmp。看來mini大的很懂反組譯語言及程式的高手，我對防毒上是些小專精啦，現在因為user遇到系統發生錯誤的問題，產生了dmp檔，所以看是否能直接找到問題點，下載個什麼修正程式或重新註冊.dll檔就好了不過看起來沒這麼簡單，我還有些問題再麻煩mini大解答了

[風流瀟灑]

另外，您要我先清除一下，輸入 clear command oupput ，再執行!analyze -v，不過當我輸入後，出現一堆ERROR，這是正常的嗎？
0:032> clear command output
*** ERROR: Module load completed but symbols could not be loaded for avp.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for prloader.dll -
*** ERROR: Module load completed but symbols could not be loaded for pxstub.ppl
*** ERROR: Module load completed but symbols could not be loaded for params.ppl
*** ERROR: Module load completed but symbols could not be loaded for tm.ppl
*** ERROR: Module load completed but symbols could not be loaded for nfio.ppl
*** ERROR: Module load completed but symbols could not be loaded for bl.ppl
*** ERROR: Symbol file could not be found. Defaulted to export symbols for wmihlpr.ppl -
*** ERROR: Module load completed but symbols could not be loaded for ndetect.ppl
*** ERROR: Module load completed but symbols could not be loaded for crpthlpr.ppl
*** ERROR: Module load completed but symbols could not be loaded for schedule.ppl
*** ERROR: Module load completed but symbols could not be loaded for lic60.ppl
*** ERROR: Module load completed but symbols could not be loaded for report.ppl
*** ERROR: Module load completed but symbols could not be loaded for avs.ppl
*** ERROR: Module load completed but symbols could not be loaded for WDiskIO.ppl
*** ERROR: Module load completed but symbols could not be loaded for avspm.ppl
*** ERROR: Module load completed but symbols could not be loaded for aphish.ppl
*** ERROR: Module load completed but symbols could not be loaded for qb.ppl
*** ERROR: Module load completed but symbols could not be loaded for dtreg.ppl
*** ERROR: Module load completed but symbols could not be loaded for httpanlz.ppl
*** ERROR: Module load completed but symbols could not be loaded for iChkSA.ppl
*** ERROR: Module load completed but symbols could not be loaded for httpscan.ppl
*** ERROR: Symbol file could not be found. Defaulted to export symbols for klaveng.dll -
*** ERROR: Module load completed but symbols could not be loaded for oas.ppl
*** ERROR: Module load completed but symbols could not be loaded for popupchk.ppl
*** ERROR: Module load completed but symbols could not be loaded for ahids.ppl
*** ERROR: Module load completed but symbols could not be loaded for pdm.ppl
*** ERROR: Module load completed but symbols could not be loaded for mc.ppl
*** ERROR: Module load completed but symbols could not be loaded for aphisht.ppl
*** ERROR: Module load completed but symbols could not be loaded for ahfw.ppl
*** ERROR: Module load completed but symbols could not be loaded for sc.ppl

[風流瀟灑]

我剛剛點了
7c920000 7c9b5000 ntdll ，出現以下的結果，但看不到您所謂的斷層(.exe)之類的，以下這一段如何分析呢？
0:032> lmvm ntdll
start end module name
7c920000 7c9b5000 ntdll T (no symbols)
Loaded symbol image file: ntdll.dll
Image path: C:\WINDOWS\system32\ntdll.dll
Image name: ntdll.dll
Timestamp: Wed Aug 04 15:47:32 2004 (41109494)
CheckSum: 00092448
ImageSize: 00095000
File version: 5.1.2600.2180
Product version: 5.1.2600.2180
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

[風流瀟灑]

mini大，以下這裡有點不懂，是在命令提示字元下嗎？還是…煩請解答，謝謝
.接著下一個 MS的 BootVis
執行以下步驟:
執行之後依序點選「Trace」→「Next Boot+Drivers Delays」，出現「Trace Repetitions」視窗後按下「OK」重新開機；
重開機後再執行BootVis，點選「File」→「Open」開啟「TRACE_BOOT+DRIVERS_1_1.BIN」這個檔案，再點選「Trace」→「Optimize System」就行了。
(會再次重開機，進入windows時請不要做什麼，等 BootVis 自己結束為止)

[風流瀟灑]

sorry，瞭解什麼是bootvis了，已經下載安裝~~

[mini]

引用:

作者: 風流瀟灑

我剛剛點了
7c920000 7c9b5000 ntdll ，出現以下的結果，但看不到您所謂的斷層(.exe)之類的，以下這一段如何分析呢？
0:032> lmvm ntdll
start end module name
7c920000 7c9b5000 ntdll T (no symbols)
Loaded symbol image file: ntdll.dll
Image path: C:\WINDOWS\system32\ntdll.dll
Image name: ntdll.dll
Timestamp: Wed Aug 04 15:47:32 2004 (41109494)
CheckSum: 00092448
ImageSize: 00095000
File version: 5.1.2600.2180
Product version: 5.1.2600.2180
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

所謂的 執行的斷層 是指
機械碼指令暫存器 執行到這一行後
因為事故 就無法執行下一行指令了

引用:

作者: mini

比如:
FAULTING_MODULE: 804d8000 nt
點一下 nt

會分析出
kd> lmvm nt
start end module name
804d8000 806ec480 nt T (no symbols)
Loaded symbol image file: ntoskrnl.exe
....

那不就更清楚表示出
執行時的斷層出現在 ntoskrnl.exe 裡嗎 ?

是指本來
FAULTING_MODULE: 804d8000 nt
只 指出 是 nt模組

但點下去後
就出現完整的
Loaded symbol image file: ntoskrnl.exe
原來 nt模組 是指 ntoskrnl.exe ...