WinDbg: how to set a breakpoint in a user-mode application from kernel mode

When a program is being debugged in kernel mode, the debugger (WinDbg in this case) operates in the global scope and, roughly speaking, does not distinguish between processes. That is why in this mode a breakpoint cannot simply be set just like that.

Nevertheless, it is possible with a few additional steps.

First, find the identifier of the process we are interested in:

kd>!process 0 0 notepad.exe
PROCESS 8fa35c80  SessionId: 0  Cid: 07b8    Peb: 7fe37000  ParentCid: 0354

Next, switch into the process and execute one command so that the debugger stops precisely in our process:

kd>.process /i 8fa35c80

kd>g

kd>!process -1 0

Now a breakpoint can be set in the current process:

kd>.reload /user

kd>bp /p 8fa35c80 USER32!GetMessageW

Note: a breakpoint can of course also be set in kernel mode, but there it cannot be tied to a specific process. For example:

kd>bp USER32!GetMessageW

sets a breakpoint for any process that calls GetMessage.

Visual Studio: Formatting Symbols for Watch Window Memory Dump

Formatting Symbols for Watch Window Memory Dump

| Symbol | Description |
|---|---|
| ma | 64 ASCII characters |
| m, mb | 16 bytes in hex followed by 16 ASCII chars |
| mw | 8 words |
| md | 4 dwords |
| mq | 4 qwords |
| mu | 2-byte characters (Unicode) |
| # | Expands a pointer to the specified number of values |

WinDbg: useful commands

Unclassified (for now) commands

| Command | Meaning | Example |
|---|---|---|
| uf | Show the disassembled code of a function | uf main |
| .asm no_code_bytes | Do not show machine code bytes in the assembler window | |

Symbols

| Command | Variants/Params | Description/Examples |
|---|---|---|
| .sympath | .sympath | Display or set symbol search path |
| | .sympath+ | Append directories to previous symbol path |
| .symfix | .symfix | Display or set symbol search path |
| | .symfix+ DownstreamStore | Append directories to previous symbol path |
| .reload | .reload | Reload symbol information for all modules** |
| | .reload [/f \| /v] | f = force immediate symbol load (overrides lazy loading); v = verbose mode |
| | .reload [/f \| /v] Module | Module = reload for Module only |
| | .reload /f @"ntdll.dll" | Immediately reload symbols for ntdll.dll. |
| | .reload /f @"C:\WINNT\System32\verifier.dll" | Reload symbols for verifier. Use the given path. |

**Note: The .reload command does not actually cause symbol information to be read. It just lets the debugger know that the symbol files may have changed, or that a new module should be added to the module list. To force actual symbol loading to occur use the /f option, or the ld (Load Symbols) command.

 

Breakpoints

| Command | Variants/Params | Description/Examples |
|---|---|---|
| bp | bp [Addr] | Set breakpoint at address |
| | bp [Addr] ["CmdString"] | CmdString = Cmd1; Cmd2; ... Executed every time the BP is hit. |
| | [~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"] | ~Thrd = thread that the bp applies to. # = Breakpoint ID. Passes = activate the breakpoint after #Passes (it is ignored before). |

 

 

 

 

Memory

| Command | Variants/Params | Description/Examples |
|---|---|---|
| d* | d[a\| u\| b\| w\| W\| d\| c\| q\| f\| D] [/c #] [Addr] | Display memory [#columns to display]. a = ascii chars; u = Unicode chars; b = byte + ascii; w = word (2b); W = word (2b) + ascii; d = dword (4b); c = dword (4b) + ascii; q = qword (8b); f = floating point (single precision, 4b); D = floating point (double precision, 8b) |
| dy* | dy[b \| d] ... | Display memory [#columns to display]. b = binary + byte; d = binary + dword |
| d*s | dds [/c #] [Addr]; dqs [/c #] [Addr] | Display words and symbols (memory at Addr is assumed to be a series of addresses in the symbol table). dds = dwords (4b); dqs = qwords (8b) |
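Added example (my own code, not from the original page and not WinDbg's or Visual Studio's implementation): a small Python reimplementation of the display selectors from the d*/dy* table above and of the Visual Studio watch-window specifiers (ma, m/mb, mw, md, mq, mu) from the table earlier on the page, run over one constructed 32-byte buffer so that the reader can see what each selector makes of the same bytes. The layout (address column, no separator dash, per-line element counts, the 48/64-character string limits) is an approximation, not the debuggers' exact output; SAMPLE and the base address 0x00401000 are constructed.

```python
import struct
from itertools import takewhile

# Constructed 32-byte buffer: an ASCII string, a float, a double, a UTF-16LE
# string and a few small bytes. The same bytes are rendered in every format.
SAMPLE = (b"WinDbg\0\0"
          + struct.pack("<f", 1.5)
          + struct.pack("<d", -2.0)
          + b"H\0i\0\0\0"
          + bytes(range(1, 7)))

# d<mode> selector -> (struct code, element size in bytes, append ASCII column?)
ELEMENT = {
    "b": ("B", 1, True), "w": ("H", 2, False), "W": ("H", 2, True),
    "d": ("I", 4, False), "c": ("I", 4, True), "q": ("Q", 8, False),
    "f": ("f", 4, False), "D": ("d", 8, False),
}


def _ascii(chunk):
    """Printable ASCII for the trailing column; everything else becomes '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def dump(data, mode, base=0x00401000, line_bytes=16, max_chars=48):
    """Render `data` roughly as d<mode> [Addr] would; returns a list of lines."""
    if mode == "a":                       # da: NUL-terminated ASCII string
        text = data.split(b"\0", 1)[0][:max_chars].decode("ascii", "replace")
        return [f'{base:08x}  "{text}"']
    if mode == "u":                       # du: NUL-terminated UTF-16LE string
        units = (data[i:i + 2] for i in range(0, len(data) - 1, 2))
        raw = b"".join(takewhile(lambda u: u != b"\0\0", units))
        return [f'{base:08x}  "{raw[:max_chars * 2].decode("utf-16-le")}"']
    code, size, with_ascii = ELEMENT[mode]
    lines = []
    for off in range(0, len(data), line_bytes):
        chunk = data[off:off + line_bytes]
        # little-endian, as on x86/x64; a trailing partial element is dropped
        values = struct.unpack_from(f"<{len(chunk) // size}{code}", chunk)
        if code in "fd":                  # df / dD print numbers, not hex
            cells = " ".join(f"{v:g}" for v in values)
        else:
            cells = " ".join(f"{v:0{size * 2}x}" for v in values)
        line = f"{base + off:08x}  {cells}"
        if with_ascii:                    # db / dW / dc add the ASCII column
            line += "  " + _ascii(chunk)
        lines.append(line)
    return lines


def dump_binary(data, mode, base=0x00401000):
    """dyb / dyd: each element as a bit string followed by its hex value."""
    size = {"b": 1, "d": 4}[mode]
    return [f"{base + off:08x}  {v:0{size * 8}b}  {v:0{size * 2}x}"
            for off in range(0, len(data) - size + 1, size)
            for v in [int.from_bytes(data[off:off + size], "little")]]


# Visual Studio watch-window specifiers expressed through the same element
# widths; the per-line counts (16 bytes, 8 words, 4 dwords, 4 qwords, 64 chars)
# follow the Visual Studio table, the 64-char limit for mu is an assumption.
VS_FORMATS = {"ma": ("a", 64), "m": ("b", 16), "mb": ("b", 16), "mw": ("w", 16),
              "md": ("d", 16), "mq": ("q", 32), "mu": ("u", 64)}


def vs_watch(data, spec, base=0x00401000):
    """Approximate what `expr,<spec>` shows in the Visual Studio watch window."""
    mode, count = VS_FORMATS[spec]
    if mode in ("a", "u"):
        return dump(data, mode, base, max_chars=count)
    return dump(data, mode, base, line_bytes=count)


if __name__ == "__main__":
    for mode in "abwWdcqfD":
        print(f"d{mode}:", *dump(SAMPLE, mode), sep="\n  ")
    print("dyd:", *dump_binary(SAMPLE[:8], "d"), sep="\n  ")
    for spec in ("ma", "mb", "mw", "md", "mq"):
        print(f"{spec}:", *vs_watch(SAMPLE, spec), sep="\n  ")
```

Running it shows why `db` is the usual first choice when you do not yet know what a buffer holds: only `db`, `dW` and `dc` keep the ASCII column, while `dd`/`dq` group the same bytes into little-endian integers and `df`/`dD` reinterpret them as floats (the float 1.5 at offset 8 is recognisable only under `df`).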

 

Call Stack

| Command | Variants/Params | Description/Examples |
|---|---|---|
| k | k [n] [f] [L] [#Frames] | Dump stack; n = with frame #; f = distance between adjacent frames; L = omit source lines; #Frames = number of stack frames to display |
| | kb ... | first 3 params |
| | kp ... | all params: param type + name + value |
| | kP ... | all params formatted (new line) |
| | kv ... | FPO info, calling convention |

 

 

 

 

Register

| Command | Variants/Params | Description/Examples |
|---|---|---|
| r | r | Dump all registers |
| | r Reg1, Reg2 | Dump only specified registers (i.e.: r eax, edx) |
| | r Reg=Value | Value to assign to the register (i.e.: r eax=5, edx=6) |
| | r Reg:Type | Type = data format in which to display the register (i.e.: r eax:uw). ib = signed byte; ub = unsigned byte; iw = signed word (2b); uw = unsigned word (2b); id = signed dword (4b); ud = unsigned dword (4b); iq = signed qword (8b); uq = unsigned qword (8b); f = 32-bit floating-point; d = 64-bit floating-point |
| | r Reg:[Num]Type | Num = number of elements to display (i.e.: r eax:1uw). Default is full register length, thus r eax:uw would display two values as EAX is a 32-bit register. |
| | ~Thread r [Reg:[Num]Type] | Thread = thread from which the registers are to be read (i.e.: ~1 r eax) |
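Added example (my own code, not from the original page and not WinDbg's implementation): a Python model of the `r Reg:[Num]Type` view described in the table above. It reinterprets a register's bytes as `Num` elements of the chosen type and, when `Num` is omitted, fills the whole register, so a 32-bit register viewed as `uw` yields two values, as the table says. Listing elements low lane first (a little-endian view) and the exact output layout of `show()` are assumptions; the register values are constructed.

```python
import struct

# Type selectors from the r Reg:Type table -> struct format codes
REG_TYPES = {"ib": "b", "ub": "B", "iw": "h", "uw": "H", "id": "i", "ud": "I",
             "iq": "q", "uq": "Q", "f": "f", "d": "d"}


def typed_register(value, reg_bits, typ, num=None):
    """Model `r Reg:[Num]Type`: return `num` elements of type `typ` taken from
    the register's bytes. With num omitted, as many elements as fill the
    register are returned. Elements are listed low lane first (assumption)."""
    code = REG_TYPES[typ]
    size = struct.calcsize(code)
    width = reg_bits // 8
    if num is None:
        num = width // size
    if num * size > width:
        raise ValueError(f"{num} x {size}-byte elements exceed a {reg_bits}-bit register")
    raw = value.to_bytes(width, "little")
    return list(struct.unpack_from(f"<{num}{code}", raw))


def show(reg, value, reg_bits, typ, num=None):
    """One output line in the spirit of `r eax:uw` (layout is an assumption):
    unsigned lanes in hex, signed lanes in decimal, floats as numbers."""
    vals = typed_register(value, reg_bits, typ, num)
    if typ in ("f", "d"):
        cells = " ".join(f"{v:g}" for v in vals)
    elif typ.startswith("u"):
        cells = " ".join(f"{v:x}" for v in vals)
    else:
        cells = " ".join(str(v) for v in vals)
    return f"{reg}:{'' if num is None else num}{typ} = {cells}"


if __name__ == "__main__":
    # Constructed register contents
    print(show("eax", 0xDEADBEEF, 32, "uw"))      # two unsigned words
    print(show("eax", 0xDEADBEEF, 32, "uw", 1))   # only the low word
    print(show("eax", 0xFFFFFFFF, 32, "ib"))      # four signed bytes, all -1
    print(show("xmm0", 0x3FC00000, 32, "f"))      # the bits of the float 1.5
```

The same register shown as `ib` and `ub` makes the signed/unsigned distinction in the table concrete: 0xFFFFFFFF is four times -1 under `ib` and four times 255 under `ub`.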

 

 

 

 

Exceptions, events and crash analysis

| Command | Variants/Params | Description/Examples |
|---|---|---|
| .ecxr | | Displays the exception context record (registers) associated with the current exception |

 

 

 

 

Sources

| Command | Variants/Params | Description/Examples |
|---|---|---|
| .srcpath | .srcpath | Display or set source search path |
| | .srcpath+ DIR | Append directory to the searched source path |

 

 

 

 

Executable

| Command | Variants/Params | Description/Examples |
|---|---|---|
| .exepath | .exepath | Display or set executable search path |
| | .exepath+ DIR | Append directory to the searched executable path |

WinDbg online resources and documentation

MSDN

Other resources