livekd - Could not resolve symbols for ntoskrnl.exe: MmPfnDatabase

windbg의 Local Kernel Debug 모드는,

Windbg - Local Kernel Debug 모드
; https://www.sysnet.pe.kr/2/0/934

(재부팅이 필요한) "bcdedit -debug on" 명령어가 실행된 환경이어야 해서 다소 번거로운데, 이런 불편함을 LiveKD가 해결해 줍니다.

Windbg를 이용한 로컬 커널 디버깅툴 LiveKD
; https://killdos.tistory.com/9

LiveKD는 전에 Hyper-V의 VM에 대한 메모리 덤프를 뜨는 방법 글에서도 소개한 적이 있는데, 다시 한번 실습을 위해 kd.exe가 있는 windbg의 경로를 맞춰준 후,

C:\SysInternals> set PATH=C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64;%PATH%

// set PATH=C:\Program Files (x86)\Windows Kits\10\Debuggers\x64;%PATH%

실행했더니 뜻하지 않은 오류가 발생합니다.

C:\SysInternals> livekd

LiveKd v5.62 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2016 Mark Russinovich and Ken Johnson

Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y

Enter the folder to which symbols download (default is c:\symbols): c:\symbols

Could not resolve symbols for ntoskrnl.exe:
MmPfnDatabase

Ensure that your symbol path is correctly configured, either via the -y option
or the _NT_SYMBOL_PATH environmental variable.  Symbols are required in order
to initiate a debugging session.

The -vsym command line option will display additional details that may be used
to track down symbol resolution or symbol load issues.

The specified module could not be found.

Exiting LiveKd.

오류 메시지에 따라 "-vsym" 옵션을 주면 ntkrnlmp.pdb를 찾지 못하는 상태를 보여주는데,

C:\SysInternals> livekd -vsym

LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson

SYMSRV:  BYINDEX: 0x1
         c:\symbols
         ntkrnlmp.pdb
         1C9875F76C8F0FBF3EB9A9D7C1C274061

SYMSRV:  UNC: c:\symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pdb - path not found

SYMSRV:  UNC: c:\symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pd_ - path not found

SYMSRV:  UNC: c:\symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\file.ptr - path not found

SYMSRV:  RESULT: 0x80070003

DBGHELP: *http://msdl.microsoft.com/download/symbols\ntkrnlmp.pdb - file not found

DBGHELP: *http://msdl.microsoft.com/download/symbols\exe\ntkrnlmp.pdb - file not found

DBGHELP: *http://msdl.microsoft.com/download/symbols\symbols\exe\ntkrnlmp.pdb - file not found

DBGHELP: ntkrnlmp.pdb - file not found

DBGHELP: ntoskrnl - export symbols

...[생략]...

좀 이해가 안 됩니다. 중간의 "c:\symbols"로부터 캐시된 pdb 파일을 찾는 것에는 정상적으로 1C9875F76C8F0FBF3EB9A9D7C1C274061와 같은 signature+age 경로가 있는데 원격지(msdl.microsoft.com)로부터 다운로드할 때는 signature+age를 붙이지 않고 있습니다. (참고: PDB 기호 파일의 경로 구성 방식)

어쨌든, livekd가 그걸 하지 못하고 있으니 오류가 발생한 pdb에 대해서는 symchk.exe를 이용해 명시적으로 다운로드를 해야 합니다.

C:\SysInternals> symchk -v C:\Windows\System32\ntoskrnl.exe /s srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
[SYMCHK] Searching for symbols to C:\Windows\System32\ntoskrnl.exe in path srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
[SYMCHK] Using search path "srv*c:\Symbols*http://msdl.microsoft.com/download/symbols"
DBGHELP: No header for C:\Windows\System32\ntoskrnl.exe.  Searching for image on disk
DBGHELP: C:\Windows\System32\ntoskrnl.exe - OK
SYMSRV:  BYINDEX: 0x1
         c:\Symbols*http://msdl.microsoft.com/download/symbols
         ntkrnlmp.pdb
         1C9875F76C8F0FBF3EB9A9D7C1C274061
SYMSRV:  UNC: c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pdb - path not found
SYMSRV:  UNC: c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pd_ - path not found
SYMSRV:  UNC: c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/index2.txt
SYMSRV:  HttpQueryInfo: 80190190 - HTTP_STATUS_BAD_REQUEST
SYMSRV:  HTTPGET: /download/symbols/ntkrnlmp.pdb/1C9875F76C8F0FBF3EB9A9D7C1C274061/ntkrnlmp.pdb
SYMSRV:  HttpQueryInfo: 801900c8 - HTTP_STATUS_OK
SYMSRV:  ntkrnlmp.pdb from http://msdl.microsoft.com/download/symbols: 8596480 bytes -    copied
SYMSRV:  PATH: c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: ntoskrnl - public symbols
        c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pdb
[SYMCHK] MODULE64 Info ----------------------
[SYMCHK] Struct size: 1680 bytes
[SYMCHK] Base: 0x140000000
[SYMCHK] Image size: 17063936 bytes
[SYMCHK] Date: 0x07503e39
[SYMCHK] Checksum: 0x00a7ae11
[SYMCHK] NumSyms: 0
[SYMCHK] SymType: SymPDB
[SYMCHK] ModName: ntoskrnl
[SYMCHK] ImageName: C:\Windows\System32\ntoskrnl.exe
[SYMCHK] LoadedImage: C:\Windows\System32\ntoskrnl.exe
[SYMCHK] PDB: "c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pdb"
[SYMCHK] CV: RSDS
[SYMCHK] CV DWORD: 0x53445352
[SYMCHK] CV Data:  ntkrnlmp.pdb
[SYMCHK] PDB Sig:  0
[SYMCHK] PDB7 Sig: {1C9875F7-6C8F-0FBF-3EB9-A9D7C1C27406}
[SYMCHK] Age: 1
[SYMCHK] PDB Matched:  TRUE
[SYMCHK] DBG Matched:  TRUE
[SYMCHK] Line nubmers: FALSE
[SYMCHK] Global syms:  FALSE
[SYMCHK] Type Info:    TRUE
[SYMCHK] ------------------------------------
SymbolCheckVersion  0x00000002
Result              0x00130001
DbgFilename
DbgTimeDateStamp    0x07503e39
DbgSizeOfImage      0x01046000
DbgChecksum         0x00a7ae11
PdbFilename         c:\Symbols\ntkrnlmp.pdb\1C9875F76C8F0FBF3EB9A9D7C1C274061\ntkrnlmp.pdb
PdbSignature        {00000000-0000-0000-0000-000000000000}
PdbDbiAge           0x00000000
[SYMCHK] [ 0x00000000 - 0x00130001 ] Checked "C:\Windows\System32\ntoskrnl.exe"

SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1

이후, 다시 livekd를 실행하면 ^^ 잘 동작하는 것을 확인할 수 있습니다.

C:\SysInternals> livekd

LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson

Launching C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe:

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols
*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols
*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff802`4f600000 PsLoadedModuleList = 0xfffff802`5022a2f0
Debug session time: Wed Aug 26 11:27:55.035 2020 (UTC + 9:00)
System Uptime: 2 days 11:42:44.572
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.........................
Loading User Symbols
..................................
Loading unloaded module list
................................
For analysis of this file, run !analyze -v

0: kd> !process
PROCESS ffffa9028cbb0080
    SessionId: 1  Cid: 5380    Peb: 454c98000  ParentCid: 8930
    DirBase: 31098002  ObjectTable: ffff83898d947880  HandleCount: 133.
    Image: kd.exe
    VadRoot ffffa90299012660 Vads 91 Clone 0 Private 6618. Modified 19. Locked 6.
    DeviceMap ffff8389521421c0
    Token                             ffff838969e295f0
    ElapsedTime                       00:00:00.917
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         134928
    QuotaPoolUsage[NonPagedPool]      12928
    Working Set Sizes (now,min,max)  (9146, 50, 345) (36584KB, 200KB, 1380KB)
    PeakWorkingSetSize                9060
    VirtualSize                       2101383 Mb
    PeakVirtualSize                   2101383 Mb
    PageFaultCount                    18354
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      6872

        THREAD ffffa9029f1f2080  Cid 5380.701c  Teb: 0000000454c99000 Win32Thread: ffffa902a4edb380 RUNNING on processor 1
        THREAD ffffa9028c887080  Cid 4824.4444  Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
        THREAD ffffa9028dcc72c0  Cid 7f1c.9a1c  Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
        THREAD ffffa902ad9a3080  Cid 4c24.5918  Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
        THREAD ffffa9029fff5080  Cid 4c24.5c04  Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
        THREAD ffffa902b5715080  Cid 4c24.7af8  Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
        THREAD ffffa9029d6df080  Cid 4c24.39ac  Teb: 00000000004fb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
            ffffa90292a3fe40  QueueObject

        THREAD ffffa9029218c080  Cid 4c24.90a4  Teb: 00000000005f4000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
            ffffa90292a3fe40  QueueObject

        THREAD ffffa90289949080  Cid 4c24.86d4  Teb: 0000000000493000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
            ffffa90292a3fe40  QueueObject

        THREAD ffffa9028c7ed080  Cid 4c24.8e4c  Teb: 00000000004bd000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
            ffffa90292a40b40  QueueObject

TYPE mismatch for thread object at ffffa902988d9db8

---

[이 글에 대해서 여러분들과 의견을 공유하고 싶습니다. 틀리거나 미흡한 부분 또는 의문 사항이 있으시면 언제든 댓글 남겨주십시오.]

[최초 등록일: 8/27/2020]
[최종 수정일: 8/28/2020]


이 저작물은 크리에이티브 커먼즈 코리아 저작자표시-비영리-변경금지 2.0 대한민국 라이센스에 따라 이용하실 수 있습니다.

by SeongTae Jeong, mailto:techsharer at outlook.com