分析 Windows 中的崩溃:错误消息告诉我们什么?

2022-01-12 00:00:00 windows debugging assembly crash c++

我为个人使用而制作的一个小实用程序(用 C++ 编写)昨天随机崩溃了(我已经使用了大约 100 多个小时,到目前为止没有任何问题),虽然我通常不这样做,但我是感觉有点冒险,想尝试更多地了解这个问题.我决定进入事件查看器并查看 Windows 记录的有关崩溃的内容:

A small utility of mine that I made for personal use (written in C++) crashed randomly yesterday (I've used it roughly 100+ hours with no issues so far) and while I don't normally do this, I was feeling a bit adventurous and wanted to try and learn more about the problem. I decided to go into the Event Viewer and see what Windows had logged about the crash:

Faulting application StraightToM.exe, version 0.0.0.0, time stamp 0x4a873d19 
Faulting module name : StraightToM.exe, version 0.0.0.0, time stamp 0x4a873d19
Exception code : 0xc0000005
Fault offset : 0x0002d160,
Faulting process id: 0x17b4
Faulting application start time: time 0x01ca238d9e6b48b9.

我的问题是,这些东西是什么意思,我将如何使用它们来调试我的程序?这是我目前所知道的:异常代码描述了错误,0xc0000005 是内存访问冲突(试图访问它不拥有的内存).我特别有兴趣了解以下内容:

My question is, what do each of these things mean, and how would I use these to debug my program? Here's what I know so far: exception code describes the error, and 0xc0000005 is a memory access violation (tried to access memory it didn't own). I'm specifically interested in knowing more about the following:

  1. 故障偏移是什么意思?这是否代表文件中发生错误的位置,还是表示发生错误的装配行"?知道了故障偏移量,我将如何使用像 OllyDbg 这样的程序来查找导致错误的相应汇编代码?或者――甚至更好――是否可以(轻松)确定 C++ 源代码中的哪一行代码导致了这个错误?
  2. 很明显,时间戳对应崩溃时的 32 位 UNIX 时间,但是 64 位应用程序启动时间是什么意思呢?如果时间戳是 32,为什么会是 64 位?

请注意,我主要是一名 C++ 程序员,所以虽然我对汇编有所了解,但我对它的了解非常有限.此外,这确实不是一个需要修复的严重问题(鉴于程序的性质,也不容易重现),我只是更多地以此为借口来了解这些错误消息的含义.我在网上找到的有关这些崩溃日志的大部分信息通常是针对最终用户的,因此它们对我(作为程序员)的帮助不大.

Note that I'm primarily a C++ programmer, so while I know something about assembly, my knowledge of it is very limited. Additionally, this really isn't a serious problem that needs fixing (and is also not easily reproduced, given the nature of the program), I'm just using this more as an excuse to learn more about what these error messages mean. Most of the information about these crash logs that I've found online are usually aimed at the end-user, so they haven't helped me (as the programmer) very much.

提前致谢

推荐答案

64 位时间戳是应用程序的主线程自 1601 年 1 月 1 日(UTC)以 100 纳秒为间隔创建的时间(这称为 <代码>文件时间).32 位时间戳确实是 time_t 格式(它告诉了模块的创建时间并存储在模块的标头中).

The 64-bit time stamp is the time application's primary thread was created in 100-nanosecond intervals since January 1, 1601 (UTC) (this is known as FILETIME). The 32-bit timestamp is indeed in time_t format (it tells the time the module was created and is stored in the module's header).

我会说 0x0002d160 是模块加载地址的偏移量(对于绝对地址来说似乎太低了).启动 Visual Studio,启动调试器,查看模块"调试窗口.您的 exe 文件应在此处列出.找到加载模块的地址,将 0x0002d160 添加到该地址并查看结果地址处的反汇编.Visual Studio 显示与程序集混合的源代码,您应该可以毫无问题地找出导致问题的源代码行.

I'd say 0x0002d160 is an offset from the module's load address (it seems too low for an absolute address). Fire up Visual Studio, start the debugger, take a look at the "modules" debug window. Your exe file should be listed there. Find the address where the module is loaded, add 0x0002d160 to that address and take a look at the disassembly at the resulting address. Visual Studio shows source code intermixed with the assembly, you should have no problem figuring out what source line caused the problem.

相关文章