ntdll module not loading correctly in windbg, but why?
I've used windbg for user mode debugging before, but I suspect I did something to my system, because I don't recall having a problem using, for example, the extension command !heap before.

I can clearly see ntdll is a loaded module:

77760000 778e0000   ntdll      (pdb symbols)          C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb

0:001> lmvm ntdll
start    end        module name
77760000 778e0000   ntdll      (pdb symbols)          C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb
    Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
    Image path: C:\Windows\SysWOW64\ntdll.dll
    Image name: ntdll.dll
    Timestamp:        Wed Jul 15 13:53:36 2015 (55A69E20)
    CheckSum:         00142A8B
    ImageSize:        00180000
    File version:     6.1.7601.18933
    Product version:  6.1.7601.18933
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntdll.dll
    OriginalFilename: ntdll.dll
    ProductVersion:   6.1.7601.18933
    FileVersion:      6.1.7601.18933 (win7sp1_gdr.150715-0600)
    FileDescription:  NT Layer DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

and

0:001> !chksym ntdll

C:\Windows\SysWOW64\ntdll.dll
    Timestamp: 55A69E20
  SizeOfImage: 180000
          pdb: wntdll.pdb
      pdb sig: FA9C48F9-C11D-4E08-94B8-970DECD92C97
          age: 2

Loaded pdb is C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\wntdll.pdb\FA9C48F9C11D4E0894B8970DECD92C972\wntdll.pdb

wntdll.pdb
      pdb sig: FA9C48F9-C11D-4E08-94B8-970DECD92C97
          age: 2

MATCH: wntdll.pdb and C:\Windows\SysWOW64\ntdll.dll

When I try to use my heap extension, I get:

0:001> !heap -stat
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***

.symopt- 100 doesn't help either

and if I try to use the critical section extension I get a similar error:

Bad symbols for NTDLL (error 3). Aborting.

I've read this can occur if you have a mismatch between 32- and 64-bit, or if you simply don't have symbols properly set up in the first place, but I've used .symfix and can force my symbols to reload with .reload /f, and I'm using the x86 debugger on an x86 process or a 32-bit dump, so I don't see how those issues are at play.

I've started fresh and uninstalled windbg completely and reinstalled the debugging tools for windows from MSDN and still run into the same issue. Surely I'm missing something obvious?

Purulent answered 26/8, 2015 at 2:29
There appears to be a problem with symbol setup; there are quite a few threads in the OSR WinDbg lists that talk about recent symbol problems. As of yet these reports do not have an official answer from MS: osronline.com/showthread.cfm?link=269221 - Mosul
Run !sym noisy; .reload /f /v and look for ntdll outputs. - Ruphina
@Thomas, I'm using 6.3.9600.17298 X86 - Purulent
@Mosul I agree, the thread you point out appears to be the same issue I'm experiencing; some type of recent change from MS has caused this. - Purulent
This also seems to break Application Verifier. Any !avrf command results in similar error messages. - Sergu
See how you might work around this issue by using an older version of wntdll.pdb. - Sergu
I asked Microsoft and they are aware of it and are trying to find the cause and to provide good symbols again. - Ruphina
@Ruphina Please let us know what you hear from Microsoft. - Recombination
@Recombination have you tried it again after this month's patch day? Do the new symbols work again? - Ruphina
@Ruphina Not yet, is it expected to be fixed there? - Recombination
@Recombination I don't know. Try it. - Ruphina
@kgibm: It is the most likely day to find that such issues have been fixed, especially if such a fix would involve a new build of the kernel and ntdll.dll. (Which wouldn't be technically necessary unless MS had somehow lost their private symbols, too, but who knows how hard it is to replace existing files on their symbol server?) - Rolfston

MS is getting rid of all type information in the latest Windows 7 PDBs. This breaks !heap. Here's a Twitter conversation about it started by Alex Ionescu, a co-author of "Windows Internals, Sixth Edition": https://twitter.com/aionescu/status/634028737458114560

UPDATE: 10/12/2015: Possible workaround using the PDB Type Theft python script which copies type information from one PDB to another. The usage would be to copy the type information from an older PDB that has the type information that was removed in later PDBs. This link has all the details: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/PDB-Type-Theft/ba-p/6801065#.Vhv2gPm6fmE

UPDATE: 10/22/2015: With the Microsoft patch day (2015-10-13) and KB3088195, symbols are available again. However, symbols for the broken version have not been provided, so above may still be useful.

Papilla answered 26/8, 2015 at 14:25

It seems that with the Windows Updates distributed on 2015-10-13, the heap information is available again.

0:018> !chksym ntdll

C:\Windows\SysWOW64\ntdll.dll
    Timestamp: 56099FFA
  SizeOfImage: 180000
          pdb: wntdll.pdb
      pdb sig: C2B37FDB-B631-4EA7-8A6D-7F51123F151E
          age: 2

Loaded pdb is microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb

wntdll.pdb
      pdb sig: C2B37FDB-B631-4EA7-8A6D-7F51123F151E
          age: 2

MATCH: wntdll.pdb and C:\Windows\SysWOW64\ntdll.dll

and

0:018> lm v m *ntdll*
start    end        module name
77530000 776b0000   ntdll      (pdb symbols)        microsoft\wntdll.pdb\C2B37FDBB6314EA78A6D7F51123F151E2\wntdll.pdb
Loaded symbol image file: C:\Windows\SysWOW64\ntdll.dll
Image path: C:\Windows\SysWOW64\ntdll.dll
Image name: ntdll.dll
Timestamp:        Mon Sep 28 22:15:54 2015 (56099FFA)
CheckSum:         001412F8
ImageSize:        00180000
File version:     6.1.7601.23223
Product version:  6.1.7601.23223
File flags:       0 (Mask 3F)
File OS:          40004 NT Win32
File type:        2.0 Dll
File date:        00000000.00000000
Translations:     0409.04b0
CompanyName:      Microsoft Corporation
ProductName:      Microsoft® Windows® Operating System
InternalName:     ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion:   6.1.7601.23223
FileVersion:      6.1.7601.23223 (win7sp1_ldr.150928-0600)
FileDescription:  NT Layer DLL
LegalCopyright:   © Microsoft Corporation. All rights reserved.

Can you install the updates, rebuild your application and try again?

Klecka answered 22/10, 2015 at 11:17
What does rebuilding have to do with anything? - Rolfston
@SamB: so signatures in the PDB of the application are updated to the new set of Microsoft PDBs. - Klecka
I don't think the application has ANYTHING to do with what PDBs are used for ntdll; PDBs are looked up based on information from the corresponding PE image, in this case the ntdll.dll file(s). So if the ntdll.dll in question never had a bad PDB file published, then you don't need to do anything. If the ntdll.dll in question did have a bad PDB published but it was replaced on the symbol server with a good PDB, you should delete any cached copies of the bad PDB you may have, which the lm v m command above should help you to find. - Rolfston
How come dumps from the same software built at different times try to load different versions of PDBs for ntdll then? I currently have 10 different versions of wntdll.pdb ranging from 2010 to 2015. - Klecka
Were these dumps all made at the same time? There seem to have been a lot of updates to ntdll lately... - Rolfston
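The thread turns on one mechanism: the debugger never asks the application which ntdll symbols to use; it reads the CodeView (RSDS) record in ntdll.dll's own debug directory and turns the GUID and age there into the `wntdll.pdb\<GUID><age>\wntdll.pdb` key shown by `!chksym` and `lm v m` above. The script below is an added example, not code from WinDbg, Microsoft or anyone in this thread. It walks the PE headers to that record and prints the key, so you can confirm which cached PDB a given ntdll.dll (for instance a SysWOW64 copy from before or after the 2015-10-13 update) will pull in, and which stale cache directory to delete. The GUIDs and ages used for the constructed test input are taken from the two `!chksym` outputs on this page; the synthetic PE image and the bare `wntdll.pdb` path inside its record are constructed for the demo and are not a real ntdll.dll. Only RSDS records are handled (every Vista+ Microsoft binary uses them); older NB10 records raise an error.

```python
"""
Derive the symbol-server lookup key WinDbg prints for a module
(<pdb>\<GUID><age>\<pdb>) from the PE image's own CodeView debug record.
Example code added to this page; not from WinDbg, Microsoft or any poster.
"""
import struct
import sys
import uuid
from pathlib import PureWindowsPath

IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
DEBUG_DIR_ENTRY_SIZE = 28          # sizeof(IMAGE_DEBUG_DIRECTORY)


def make_rsds(guid: str, age: int, pdb_path: str) -> bytes:
    """Build an RSDS record: 'RSDS' + GUID (Windows byte order) + age (u32) + NUL-terminated path."""
    return b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\0"


def parse_rsds(record: bytes) -> dict:
    """Inverse of make_rsds; this is the information the debugger reads from the image."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record (old NB10 format or no debug info)")
    guid = uuid.UUID(bytes_le=record[4:20])          # Data1..Data3 little-endian, Data4 raw
    (age,) = struct.unpack_from("<I", record, 20)
    pdb_path = record[24:record.index(b"\0", 24)].decode("ascii", "replace")
    return {"guid": guid, "age": age, "pdb_path": pdb_path}


def symbol_key(info: dict) -> str:
    """Symbol-server relative path: uppercase GUID hex immediately followed by the age in hex."""
    name = PureWindowsPath(info["pdb_path"]).name  # the record stores the build-time path; only the file name is used
    return f"{name}\\{info['guid'].hex.upper()}{info['age']:X}\\{name}"


def rsds_from_pe(image: bytes) -> bytes:
    """Walk DOS header -> PE header -> optional header -> debug directory and return the raw CodeView record."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", image, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_size == 0:
        raise ValueError("image has no debug directory")
    sections = [struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i) for i in range(num_sections)]

    def rva_to_offset(rva: int) -> int:
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        return rva                                     # RVA inside the headers maps 1:1

    start = rva_to_offset(dbg_rva)
    for off in range(start, start + dbg_size, DEBUG_DIR_ENTRY_SIZE):
        _, _, _, _, dbg_type, size, _addr, ptr = struct.unpack_from("<IIHHIIII", image, off)
        if dbg_type == IMAGE_DEBUG_TYPE_CODEVIEW:
            return image[ptr:ptr + size]
    raise ValueError("no CodeView entry in debug directory")


def symbol_key_for_image(image: bytes) -> str:
    return symbol_key(parse_rsds(rsds_from_pe(image)))


def build_synthetic_image(record: bytes) -> bytes:
    """Minimal PE32 (DOS stub, headers, one section holding the debug directory entry and the
    record). Constructed test input only; it is not a real ntdll.dll."""
    section_va, section_raw = 0x1000, 0x200
    entry = struct.pack("<IIHHIIII", 0, 0x55A69E20, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(record), section_va + DEBUG_DIR_ENTRY_SIZE, section_raw + DEBUG_DIR_ENTRY_SIZE)
    section_data = entry + record
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, section_va, DEBUG_DIR_ENTRY_SIZE)
    sect = struct.pack("<8sIIII", b".rdata", len(section_data), section_va, len(section_data), section_raw) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(section_raw, b"\0")
    return headers + section_data


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. python pdbkey.py C:\Windows\SysWOW64\ntdll.dll
        image = open(sys.argv[1], "rb").read()
    else:                                       # constructed image using the question's !chksym values
        image = build_synthetic_image(make_rsds("FA9C48F9-C11D-4E08-94B8-970DECD92C97", 2, "wntdll.pdb"))
    key = symbol_key_for_image(image)
    print("symbol key :", key)
    # Cache root taken from the question's lmvm output; compare with the "Loaded pdb is" line
    print("cache path :", PureWindowsPath(r"C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym") / key)
```

Run it against the ntdll.dll a dump or live process actually loaded (the `Image path` line from `lm v m`), then check whether the directory it names under your symbol cache holds the PDB you want. If that directory holds a PDB without type information, as with the builds discussed above, deleting it and running `.reload /f ntdll.dll` makes the debugger fetch whatever the symbol server currently serves for that exact GUID and age; rebuilding your own application changes nothing here, because none of these inputs come from it.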