Launching an executable with WinDbg loads several modules before it breaks into the debugger.
Setting a breakpoint on module load, e.g. sxe ld shell32.dll, and restarting the process with .restart does not trigger a break. Is this possible with WinDbg in user mode? I want to analyze some code that runs while one of those modules is being loaded.
Answer 0: (score: 2)
C:\>cdb -xe ld:ntdll calc
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
CommandLine: calc
Response Time (ms) Location
Deferred xxxxxxxxxxxx
Symbol search path is: yyyyyyyyyyy
Executable search path is:
ModLoad: 004e0000 005a0000 calc.exe
ModLoad: 77630000 7776c000 ntdll.dll
eax=004f2d6c ebx=7ffd9000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=0015fb38 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000200
only the image and ntdll are loaded at this point; executing t, p, g or any execution command will
load all the system modules. If you know the internals a bit, set selective
breakpoints before executing any execution commands.
ntdll!RtlUserThreadStart:
776770d8 89442404 mov dword ptr [esp+4],eax ss:0023:0015fb3c=00000000
0:000> g
ModLoad: 77140000 77214000 C:\Windows\system32\kernel32.dll
irrelevant mod load spew cut
ModLoad: 74c80000 74c89000 C:\Windows\system32\VERSION.dll
(b40.198): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0015f650 edx=776770f4 esi=fffffffe edi=00000000
eip=776d05a6 esp=0015f66c ebp=0015f698 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
776d05a6 cc int 3 <<<<<<<<<<<<<< this comes later
0:000>
Edited in some internals, slick.
0:000> sxe ld:ntdll ;.restart
CommandLine: calc
Executable search path is:
ModLoad: 005c0000 00680000 calc.exe
ModLoad: 77630000 7776c000 ntdll.dll
eax=005d2d6c ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=000bfb24 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000200
ntdll!RtlUserThreadStart:
776770d8 89442404 mov dword ptr [esp+4],eax ss:0023:000bfb28=00000000
0:000> u . l3
ntdll!RtlUserThreadStart:
776770d8 89442404 mov dword ptr [esp+4],eax
776770dc 895c2408 mov dword ptr [esp+8],ebx
776770e0 e9bec60100 jmp ntdll!_RtlUserThreadStart (776937a3)
0:000> ln @eax
(005d2d6c) calc!WinMainCRTStartup | (005d2e68) calc!__xc_a
Exact matches:
calc!WinMainCRTStartup (<no parameter info>)
0:000> dd @ebx l5
7ffdf000 08010000 ffffffff 005c0000 00000000
7ffdf010 00010000
0:000> $$ @ebx == ntdll!_CONTEXT
0:000> $$ 8010000 contextflag EXCEPTION_ACTIVE | CONTEXT_I386
0:000> ?? ((ntdll!_CONTEXT *) @ebx)->ContextFlags
unsigned long 0x8010000
0:000> ?? ((ntdll!_CONTEXT *) @ebx)->Dr1
unsigned long 0x5c0000
0:000> Dr1 Holds the Module Base of Image
0:000> bp ntdll!LdrLoadDll
0:000> g
Breakpoint 0 hit
eax=000bf72c ebx=7ffdf000 ecx=776936f6 edx=7770cd48 esi=77697de0 edi=00000000
eip=776922ae esp=000bf678 ebp=000bf7e4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrLoadDll:
776922ae 8bff mov edi,edi
0:000> dS poi(@esp+c)
77678230 "kernel32.dll" <<<<<<<<<< next module load is kernel32
0:000> lm
start end module name
005c0000 00680000 calc (pdb symbols) e:\symbols\calc.pdb\971D2945E998438C847643A9DB39C88E2\calc.pdb
77630000 7776c000 ntdll (pdb symbols) e:\symbols\ntdll.pdb\CD4062A231154A17A18DAE7D1A0FBACC2\ntdll.pdb
0:000> !gflag +2
New NtGlobalFlag contents: 0x00000072
sls - Show Loader Snaps
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking
0:000> kb
# ChildEBP RetAddr Args to Child
00 000bf674 77697d33 00000000 00000000 77697de0 ntdll!LdrLoadDll
01 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
02 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
03 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10
0:000> bp 77697d33
0:000> g
ModLoad: 77140000 77214000 C:\Windows\system32\kernel32.dll
Breakpoint 0 hit
eax=776922ae ebx=00000000 ecx=000bf0e0 edx=00000062 esi=77688b19 edi=000bf100
eip=776922ae esp=000bf0c4 ebp=000bf0ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!LdrLoadDll:
776922ae 8bff mov edi,edi
0:000> dS poi(@esp+c)
00010020 "C:\Program Files\AVAST Software\"
00010060 "Avast\aswhook.dll"
0:000> bl
0 e Disable Clear 776922ae 0001 (0001) 0:**** ntdll!LdrLoadDll
1 e Disable Clear 77697d33 0001 (0001) 0:****
ntdll!LdrpInitializeProcess+0xfe7
0:000> g
ModLoad: 6afd0000 6afe0000 C:\Program Files\AVAST Software\Avast\aswhook.dll
ModLoad: 75890000 758da000 C:\Windows\system32\KERNELBASE.dll
Breakpoint 1 hit
eax=00000000 ebx=7ffdf000 ecx=000bf72c edx=7770789c esi=77697de0 edi=00000000
eip=77697d33 esp=000bf68c ebp=000bf7e4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0xfe7:
77697d33 3bc7 cmp eax,edi
0:000> kb
# ChildEBP RetAddr Args to Child
00 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
01 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
02 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10
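The pieces of the answer above combined into one reusable debugger sequence: an added example, not part of the original answer. It assumes an x86 target (so the third LdrLoadDll argument, the PUNICODE_STRING, sits at @esp+c as in the session above), that shell32.dll from the question is the module of interest, and that the requested name in the UNICODE_STRING buffer is NUL-terminated; the alias name modname is arbitrary.

```windbg
$$ Stop when process initialisation first asks the loader for shell32.dll.
$$ Assumption: x86 target, so LdrLoadDll's ModuleFileName argument is at @esp+c
$$ and the UNICODE_STRING Buffer pointer is at offset +4 inside it.

$$ 1. Get control before kernel32 is even loaded (the trick from the answer):
sxe ld:ntdll
.restart

$$ 2. On every LdrLoadDll call, copy the requested module name out of the
$$    UNICODE_STRING into an alias, then match it against a wildcard pattern.
$$    .block forces the alias to be expanded when the breakpoint hits, not when
$$    the bp command is parsed; gc resumes silently for every other module.
bp ntdll!LdrLoadDll "as /mu ${/v:modname} poi(poi(@esp+c)+4); .block { .if ($spat(\"${modname}\", \"*shell32.dll\")) { .echo === shell32.dll requested ===; kb } .else { gc } }"

$$ 3. Run. The first stop is the loader request for shell32.dll; kb then shows
$$    which frame (LdrpInitializeProcess, an import resolver, a DllMain, ...)
$$    asked for it, which is the code the question wants to analyse.
g
```

The pattern match in $spat is a wildcard match, so the same breakpoint catches both a bare "SHELL32.dll" import name and a full path ending in shell32.dll; change the pattern to follow a different module.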