Why does WinDBG show a mismatched FileVersion in a dump?

Time: 2013-10-18 11:47:34

Tags: windbg portable-executable memory-dump fileversioninfo rsrc

TL;DR

Why does WinDBG's lmv show two version-info fields (when I know other tools do not), and under what circumstances can these fields differ?


Background: I have a live dump of my application (taken during a deadlock). Symbols are loaded correctly, and I was able to trace the deadlock into Microsoft's pdm.dll (the "Process Debug Manager" used for our VBScript engine).

I then wanted to check which version of that DLL was loaded in the session at the production site:

0:000> lmv m pdm
start    end        module name
51860000 518b8000   pdm      # (pdb symbols)          d:\symcache\pdm.pdb\7BE601EDE9234816B72B49DA4A25DF042\pdm.pdb
    Loaded symbol image file: pdm.dll
    Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
??  File version:     9.0.30729.1
??  Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio .NET
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
??  ProductVersion:   7.10.3077
??  FileVersion:      7.10.3077
    FileDescription:  Process Debug Manager
    LegalCopyright:   Copyright© Microsoft Corporation.  All rights reserved.

As you can see, file and product version are shown twice, but in the dump they do not match!

When I cross-check the same file (obviously the same, see the timestamp and checksum!) in an iexplore process running on my machine:

0:043> lmv m pdm
start    end        module name
3efa0000 3eff8000   pdm        (pdb symbols)          c:\windows\symbols\martin-cache\pdm.pdb\415D0A165EB24613BC01CE516512062C2\pdm.pdb
    Loaded symbol image file: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image path: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
    File version:     9.0.30729.1
    Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio® 2008
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
    ProductVersion:   9.0.30729.1
    FileVersion:      9.0.30729.1 built by: SP
    FileDescription:  Process Debug Manager
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

The version information matches.

1 Answer:

Answer 0 (score: 2)

lmv shows the strings defined in the resource file.


I don't know why the two sets of file/product version have the same names apart from some whitespace.

0:041> lmv m kernel32
start    end        module name
753e0000 754f0000   kernel32   (deferred)             
    Image path: C:\Windows\SysWOW64\kernel32.dll
    Image name: kernel32.dll
    Timestamp:        Fri Aug 02 03:53:25 2013 (51FB1115)
    CheckSum:         00111A9F
    ImageSize:        00110000
    File version:     6.1.7601.18229
    Product version:  6.1.7601.18229
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   6.1.7601.18229
    FileVersion:      6.1.7601.18229 (win7sp1_gdr.130801-1533)

In your case you have two different DLLs; look at the image file paths.

Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\

Image path: C:\Program Files (x86)\Internet Explorer

They must have different strings in the resource section, and WinDbg cannot do anything other than display them. Since the timestamps are identical, it may have been tampered with.
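The two pairs that lmv prints come from two different places inside the same VERSIONINFO resource: "File version:" / "Product version:" are decoded from the binary VS_FIXEDFILEINFO header (the same block that supplies "File flags", "File OS", "File type" and "File date"), whereas "FileVersion:" / "ProductVersion:" are free-form UTF-16 strings from the StringFileInfo table that follows it ("Translations: 0409.04b0" is that table's language/codepage key). Nothing in the PE format forces the two to agree, which is why a build tag such as "built by: SP" can appear in one and not the other, and why a disagreement is worth flagging when triaging a binary. The example below is added here and is not code from the question, the answer or WinDbg: it builds a VERSIONINFO block in memory (constructed sample data shaped like the two lmv listings above, not bytes from any real pdm.dll), parses both the fixed header and the string table, and reports whether they agree. Function names such as `build_version_info`, `read_versions` and `versions_agree` are this example's own.

```python
import re
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO


def _pad4(data: bytes) -> bytes:
    """Pad to a 32-bit boundary; every VERSIONINFO member is DWORD aligned."""
    return data + b"\x00" * ((4 - len(data) % 4) % 4)


def _align4(off: int) -> int:
    return (off + 3) & ~3


def _build_block(key: str, value: bytes, wtype: int, value_len: int, children) -> bytes:
    """One generic block: wLength, wValueLength, wType, szKey (UTF-16, NUL-terminated),
    padding, Value, padding, Children. Used for VS_VERSION_INFO, StringFileInfo,
    StringTable and String alike, since they all share this layout."""
    body = b"\x00" * 6 + key.encode("utf-16-le") + b"\x00\x00"
    if value:
        body = _pad4(body) + value
    for child in children:
        body = _pad4(body) + child
    return struct.pack("<HHH", len(body), value_len, wtype) + body[6:]


def build_version_info(file_ver, prod_ver, strings, lang="040904b0") -> bytes:
    """Construct a complete VERSIONINFO resource from a numeric (fixed) version and a
    free-form string table. Constructed sample data, not taken from any real binary."""
    fixed = struct.pack(
        "<13I", VS_FFI_SIGNATURE, 0x00010000,
        (file_ver[0] << 16) | file_ver[1], (file_ver[2] << 16) | file_ver[3],
        (prod_ver[0] << 16) | prod_ver[1], (prod_ver[2] << 16) | prod_ver[3],
        0x3F, 0,      # dwFileFlagsMask, dwFileFlags   -> "File flags: 0 (Mask 3F)"
        4, 2, 0,      # VOS__WINDOWS32, VFT_DLL, subtype -> "File OS: 4", "File type: 2.0 Dll"
        0, 0)         # dwFileDateMS / dwFileDateLS     -> "File date: 00000000.00000000"
    str_blocks = []
    for key, text in strings.items():
        val = text.encode("utf-16-le") + b"\x00\x00"
        str_blocks.append(_build_block(key, val, 1, len(val) // 2, []))  # length in WCHARs
    table = _build_block(lang, b"", 1, 0, str_blocks)
    sfi = _build_block("StringFileInfo", b"", 1, 0, [table])
    return _build_block("VS_VERSION_INFO", fixed, 0, len(fixed), [sfi])


def _parse_block(buf: bytes, off: int):
    """Parse one block at `off`; returns (dict, end_offset). Recurses into children."""
    w_len, w_vlen, w_type = struct.unpack_from("<HHH", buf, off)
    end = off + w_len
    if w_len < 6 or end > len(buf):
        raise ValueError("corrupt block length")
    pos, key_chars = off + 6, []
    while pos + 2 <= end and buf[pos:pos + 2] != b"\x00\x00":
        key_chars.append(buf[pos:pos + 2])
        pos += 2
    if pos + 2 > end:
        raise ValueError("unterminated szKey")
    pos = _align4(pos + 2)
    value = b""
    if w_vlen:
        size = w_vlen * 2 if w_type == 1 else w_vlen  # wType 1 = text (WCHAR count), 0 = binary
        value = buf[pos:pos + size]
        pos = _align4(pos + size)
    children = []
    while pos < end:
        child, pos = _parse_block(buf, pos)
        children.append(child)
        pos = _align4(pos)
    return {"key": key_chars and b"".join(key_chars).decode("utf-16-le") or "", "value": value,
            "children": children}, end


def read_versions(blob: bytes) -> dict:
    """Return the numeric versions from VS_FIXEDFILEINFO and all StringFileInfo strings."""
    root, _ = _parse_block(blob, 0)
    if root["key"] != "VS_VERSION_INFO" or len(root["value"]) < 52:
        raise ValueError("not a VS_VERSIONINFO block")
    ffi = struct.unpack_from("<13I", root["value"], 0)
    if ffi[0] != VS_FFI_SIGNATURE:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    dotted = lambda ms, ls: f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"
    strings = {}
    for child in root["children"]:
        if child["key"] == "StringFileInfo":
            for table in child["children"]:          # one StringTable per translation
                for s in table["children"]:
                    strings[s["key"]] = s["value"].decode("utf-16-le").rstrip("\x00")
    return {"fixed_file_version": dotted(ffi[2], ffi[3]),
            "fixed_product_version": dotted(ffi[4], ffi[5]), "strings": strings}


def _leading_version(text: str):
    """Leading numeric version of a free-form string, zero-padded to four parts."""
    m = re.match(r"\s*(\d+(?:[.,\s]+\d+){0,3})", text)
    if not m:
        return None
    parts = [int(x) for x in re.split(r"[.,\s]+", m.group(1))]
    return tuple(parts + [0] * (4 - len(parts)))


def versions_agree(info: dict) -> bool:
    """True when each string version starts with the numeric version from the fixed
    header; a trailing tag such as 'built by: SP' is tolerated, a different number is not."""
    pairs = (("FileVersion", "fixed_file_version"), ("ProductVersion", "fixed_product_version"))
    return all(_leading_version(info["strings"].get(s, "")) == _leading_version(info[f])
               for s, f in pairs)


# Constructed samples mirroring the two lmv listings; not bytes from any real pdm.dll.
MISMATCHED_SAMPLE = build_version_info((9, 0, 30729, 1), (9, 0, 30729, 1),
    {"FileVersion": "7.10.3077", "ProductVersion": "7.10.3077",
     "FileDescription": "Process Debug Manager"})
CONSISTENT_SAMPLE = build_version_info((9, 0, 30729, 1), (9, 0, 30729, 1),
    {"FileVersion": "9.0.30729.1 built by: SP", "ProductVersion": "9.0.30729.1",
     "FileDescription": "Process Debug Manager"})

if __name__ == "__main__":
    for name, blob in (("mismatched", MISMATCHED_SAMPLE), ("consistent", CONSISTENT_SAMPLE)):
        info = read_versions(blob)
        print(name, info["fixed_file_version"], "|", info["strings"]["FileVersion"],
              "| agree:", versions_agree(info))
```

On Windows the same blob for a real file can be obtained with the Win32 calls `GetFileVersionInfoSizeW` / `GetFileVersionInfoW` from version.dll (for example through ctypes) and fed to `read_versions`, so a scan of loaded modules can flag any image whose string versions disagree with its fixed header. A disagreement on its own is not proof of tampering: as the answer notes, it is just as consistent with two genuinely different builds, so the image path, timestamp and checksum still need to be compared as in the listings above.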