Trying to debug LoadlibraryExW with WinDBG Preview Windows 11

Time:11-26

I'm trying to figure out why adding to the path with AddDllDirectory() instead of editing the process PATH won't let me load a DLL that is used in VBA functions. So I want to know what the third parameter of LoadLibraryExW() is.

First problem is I have symbols loading correctly. My symbol server cache is full of PDB files. However, no symbols for kernelbase.dll are found.

Process Monitor shows the stack traces but not the symbols.

I set a breakpoint for kernelbase!LoadLibraryExW in WinDbg Preview, but I'm not sure how to read the stack trace. In this example, is one of those hex values supposed to be the third parameter? Or is that from the registers when I want stacks?

# Child-SP          RetAddr               : Args to Child                                                           : Call Site
00 00000051`184fe648 00007ffe`e30b5ae5     : 00007ffe`e3431380 00000000`00000060 00000051`184feac0 00000000`00000008 : KERNELBASE!LoadLibraryExW
01 00000051`184fe650 00007ffe`e30b5a45     : 00000051`184fe704 1103aa3e`00000001 00000000`00000008 00000000`00000007 : mso20win32client!Ordinal104+0x295
02 00000051`184fe690 00007ffe`e3090bb1     : 000001df`179f4860 00000000`02000000 00000000`00000008 00000000`00000000 : mso20win32client!Ordinal104+0x1f5
03 00000051`184fe6d0 00007ffe`e3091c11     : 00000051`184feb10 000001df`179f4860 00000000`00000000 00000051`184feaf0 : mso20win32client!Ordinal67+0x1f71
04 00000051`184fea50 00007ffe`d808e62a     : 000001df`179f4860 00007ffe`d9c34730 000001df`17f7b1c0 00000000`00000000 : mso20win32client!Ordinal1818+0x8c1
05 00000051`184fead0 00007ffe`d808f3c3     : 000001df`179f4860 00007ffe`d9c34730 000001df`17f7b1c0 00007ffe`d9c33a10 : mso!Ordinal2534+0x51a
06 00000051`184feb10 00007ffe`d808f347     : 000001df`182fb2c0 000001df`00000001 000001df`182fb2c0 00000000`00000000 : mso!Ordinal2534+0x12b3
07 00000051`184feb50 00007ffe`d8153c24     : 000001df`182fb2c0 00000000`00000000 000001df`17f7b1c0 000001df`17f7b1c0 : mso!Ordinal2534+0x1237
08 00000051`184feb80 00007ffe`d80b1c8e     : 00000051`184ff290 00000000`0001d4c0 000001df`17ed3700 00000051`184ff360 : mso!Ordinal1436+0x16b4
09 00000051`184ff0d0 00007ffe`d80b1925     : 000001df`12529600 00000000`00000000 000001df`17ca9430 000001df`12529600 : mso!Ordinal921+0xe6e
0a 00000051`184ff340 00007ffe`e2fe3c3c     : 00000051`184ff488 00000051`184ff440 00000000`00000000 00000000`00000000 : mso!Ordinal921+0xb05
0b 00000051`184ff3d0 00007ffe`e2fe413b     : 000001df`01849818 00000000`00000000 000001df`01849800 00000000`00000144 : mso20win32client!Ordinal1756+0xbc
0c 00000051`184ff460 00007ffe`e2fe3c3c     : 000001df`11d96b90 000001df`17823c68 000001df`17ca9430 00007fff`88aa7551 : mso20win32client!Ordinal1756+0x5bb
0d 00000051`184ff4f0 00007ffe`e311741d     : 000001df`1284a6a0 00000000`00000000 00000051`184ff790 00000000`00000000 : mso20win32client!Ordinal1756+0xbc
0e 00000051`184ff580 00007ffe`e3050e6e     : 000001df`1284a6a0 00000000`00000000 000001df`1284a601 000001df`01a18f80 : mso20win32client!Ordinal1700+0x28d
0f 00000051`184ff5b0 00007ffe`e3051ed5     : 00000051`184ff710 000001df`1284a6a0 000001df`01a18f80 000001df`1284a6a0 : mso20win32client!Ordinal347+0x23e
10 00000051`184ff610 00007ffe`e305c2d6     : 000001df`017c9470 00000000`00000000 000001df`017c9470 00000000`00000000 : mso20win32client!Ordinal1966+0x6e5
11 00000051`184ff770 00007fff`873854e0     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!Ordinal2633+0x686
12 00000051`184ff7e0 00007fff`88a8485b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x10
13 00000051`184ff810 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2b

Is there a way to get kernelbase.pdb? Is it available for older versions of Windows? Is there a WinDbg command I can use to read the parameters?

CodePudding user response:

This was meant to be a comment, but it grew, so I'm answering.

Sometimes you have half-downloaded or aborted PDB downloads. In such cases it may be evident that the symbol file is not being downloaded.

The aborted downloads have a .error extension.

Check whether you have such files and remove them so the PDBs are re-downloaded properly.

    f:\symbols>set _NT_
    _NT_SYMBOL_PATH=srv*f:\symbols*https://msdl.microsoft.com/download/symbols

    f:\symbols>dir /s /b *.error
    f:\symbols\windows.ui.xaml.pdb\7349BE8DF456ACFBEE7774E6197449541\downloadDA83A900E9B74A20B6A95465B35021C5.error

If your platform is x64, as already commented, the first four parameters are passed via rcx, rdx, r8 and r9 on Windows.

A break on LoadLibraryExW in an arbitrary binary:

0:000> k4
Child-SP          RetAddr           Call Site
000000a4`6013eda8 00007ffb`f5df62f1 KERNELBASE!LoadLibraryExW
000000a4`6013edb0 00007ffb`f5df6449 ucrtbase!try_get_function+0xa9
000000a4`6013ee00 00007ffb`f5df5e80 ucrtbase!_vcrt_FlsAlloc+0x25
000000a4`6013ee30 00007ffb`f5df5cb9 ucrtbase!_vcrt_initialize_ptd+0x10
0:000> r rcx,rdx,r8,r9
rcx=00007ffbf5e778a0 rdx=0000000000000000 r8=0000000000000800 r9=00007ffbf5e75a70
0:000> du @rcx
00007ffb`f5e778a0  "api-ms-win-core-fibers-l1-1-1"
0:000> ? @r8
Evaluate expression: 2048 = 00000000`00000800
0:000> .shell -ci ".echo looking for 0x800" pss LOAD_.*0x00000800 "c:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\um\libloaderapi.h"
c:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\um\libloaderapi.h:409:#define LOAD_LIBRARY_SEARCH_SYSTEM32        0x00000800
.shell: Process exited
0:000>  
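The answer above reads the third argument (dwFlags) out of r8 and greps libloaderapi.h for the one value it found. The following decoder is an added example, not code from the question or the answer: it turns any dwFlags value into its LOAD_* names and applies the two checks that matter for the question's AddDllDirectory() problem. Directories added with AddDllDirectory() are only searched when the call carries LOAD_LIBRARY_SEARCH_USER_DIRS or LOAD_LIBRARY_SEARCH_DEFAULT_DIRS (or when SetDefaultDllDirectories() has made those the process default), and LOAD_WITH_ALTERED_SEARCH_PATH cannot be combined with any LOAD_LIBRARY_SEARCH_* flag. The flag values are copied from the Windows SDK's libloaderapi.h so the program builds without windows.h on any platform; the sample values in main() are constructed, apart from the 0x800 read from r8 in the answer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LoadLibraryExW dwFlags values as defined in libloaderapi.h in the Windows
 * SDK. Reproduced here so the decoder builds anywhere, without windows.h. */
#define DONT_RESOLVE_DLL_REFERENCES         0x00000001u
#define LOAD_LIBRARY_AS_DATAFILE            0x00000002u
#define LOAD_WITH_ALTERED_SEARCH_PATH       0x00000008u
#define LOAD_IGNORE_CODE_AUTHZ_LEVEL        0x00000010u
#define LOAD_LIBRARY_AS_IMAGE_RESOURCE      0x00000020u
#define LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE  0x00000040u
#define LOAD_LIBRARY_REQUIRE_SIGNED_TARGET  0x00000080u
#define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR    0x00000100u
#define LOAD_LIBRARY_SEARCH_APPLICATION_DIR 0x00000200u
#define LOAD_LIBRARY_SEARCH_USER_DIRS       0x00000400u
#define LOAD_LIBRARY_SEARCH_SYSTEM32        0x00000800u
#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS    0x00001000u
#define LOAD_LIBRARY_SAFE_CURRENT_DIRS      0x00002000u

/* Any LOAD_LIBRARY_SEARCH_* flag replaces the standard search order with an
 * explicit one built only from the flags given. */
#define LOAD_LIBRARY_SEARCH_MASK \
    (LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_LIBRARY_SEARCH_APPLICATION_DIR | \
     LOAD_LIBRARY_SEARCH_USER_DIRS | LOAD_LIBRARY_SEARCH_SYSTEM32 | \
     LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)

#define F(name) { name, #name }
static const struct { uint32_t bit; const char *name; } kFlagNames[] = {
    F(DONT_RESOLVE_DLL_REFERENCES),        F(LOAD_LIBRARY_AS_DATAFILE),
    F(LOAD_WITH_ALTERED_SEARCH_PATH),      F(LOAD_IGNORE_CODE_AUTHZ_LEVEL),
    F(LOAD_LIBRARY_AS_IMAGE_RESOURCE),     F(LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE),
    F(LOAD_LIBRARY_REQUIRE_SIGNED_TARGET), F(LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR),
    F(LOAD_LIBRARY_SEARCH_APPLICATION_DIR), F(LOAD_LIBRARY_SEARCH_USER_DIRS),
    F(LOAD_LIBRARY_SEARCH_SYSTEM32),       F(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS),
    F(LOAD_LIBRARY_SAFE_CURRENT_DIRS),
};
#undef F

/* Bounded append; silently truncates if buf is too small. */
static void append(char *buf, size_t buflen, const char *s)
{
    size_t used = strlen(buf);
    if (used < buflen)
        snprintf(buf + used, buflen - used, "%s", s);
}

/* Render the dwFlags value read from r8 as "NAME|NAME|0x<unknown bits>".
 * Returns the number of recognised flag bits; a value of 0 renders as "0". */
int decode_load_flags(uint32_t flags, char *buf, size_t buflen)
{
    uint32_t unknown = flags;
    int count = 0;
    char hex[16];

    buf[0] = '\0';
    for (size_t i = 0; i < sizeof kFlagNames / sizeof kFlagNames[0]; i++) {
        if (!(flags & kFlagNames[i].bit))
            continue;
        if (count)
            append(buf, buflen, "|");
        append(buf, buflen, kFlagNames[i].name);
        unknown &= ~kFlagNames[i].bit;
        count++;
    }
    if (unknown) {                      /* bits this table does not know */
        snprintf(hex, sizeof hex, "0x%08x", unknown);
        if (count)
            append(buf, buflen, "|");
        append(buf, buflen, hex);
    }
    if (buf[0] == '\0')
        append(buf, buflen, "0");
    return count;
}

/* Documented restriction: LOAD_WITH_ALTERED_SEARCH_PATH cannot be combined
 * with any LOAD_LIBRARY_SEARCH_* flag; such a call fails. Returns 1 if the
 * combination is allowed. */
int load_flags_are_valid(uint32_t flags)
{
    return !((flags & LOAD_WITH_ALTERED_SEARCH_PATH) &&
             (flags & LOAD_LIBRARY_SEARCH_MASK));
}

/* Will this call look in directories added with AddDllDirectory()?
 *  1: yes, the call asks for the user directories explicitly
 *  0: no, the call selects an explicit search order that excludes them
 * -1: depends on process state: no LOAD_LIBRARY_SEARCH_* flag was given, so
 *     the default order applies, and AddDllDirectory() directories are part
 *     of it only if SetDefaultDllDirectories() enabled USER_DIRS or
 *     DEFAULT_DIRS for the whole process (not visible from dwFlags). */
int consults_add_dll_directory(uint32_t flags)
{
    if (flags & (LOAD_LIBRARY_SEARCH_USER_DIRS | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
        return 1;
    if (flags & LOAD_LIBRARY_SEARCH_MASK)
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed samples: 0x800 is the value the answer read from r8; the
     * rest are flag sets one might see for the question's scenario. */
    const uint32_t samples[] = { 0x800, 0x8, 0x0, 0x1400, 0x408 };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decode_load_flags(samples[i], buf, sizeof buf);
        printf("r8=0x%08x  %s\n  valid=%d  AddDllDirectory dirs searched=%d\n",
               samples[i], buf, load_flags_are_valid(samples[i]),
               consults_add_dll_directory(samples[i]));
    }
    return 0;
}
```

To collect the input for this decoder without stopping at every hit, a WinDbg breakpoint with a command string such as `bp KERNELBASE!LoadLibraryExW ".printf \"%mu flags=%x\\n\", @rcx, @r8; gc"` prints the library name and the raw dwFlags on each call and continues; that command is my suggestion, not from the answer above.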