When debugging a program in kernel mode, the debugger (WinDbg in this case) works in a global scope and, roughly speaking, does not distinguish between processes. That is why a breakpoint cannot simply be set in this mode.

Nevertheless, it is possible with a few additional steps.

First, find the identifier of the process we are interested in:

kd>!process 0 0 notepad.exe
PROCESS 8fa35c80  SessionId: 0  Cid: 07b8    Peb: 7fe37000  ParentCid: 0354

Next, switch into the process and execute one command so that the debugger stops in exactly our process:

kd>.process /i 8fa35c80

kd>g

kd>!process -1 0

Now a breakpoint can be set in the current process:

kd>.reload /user

kd>bp /p 8fa35c80 USER32!GetMessageW

Note: a breakpoint can of course also be set in kernel mode, but there it cannot be set for a specific process. For example:

kd>bp USER32!GetMessageW

sets a breakpoint for any process that calls GetMessage.
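The procedure above relies on reading the EPROCESS address out of the `!process` output by hand. As an added example (not part of the original notes), here is a small Python helper that parses that output and emits the `.process /i` ... `bp /p` sequence for exactly one process; the sample output, its second notepad.exe instance and all addresses and Cids are constructed, and the extra DirBase/Image lines follow the usual shape of `!process 0 0` output. It also handles the case the notes do not show: when several processes share an image name, the caller must select one by Cid, because otherwise the kernel debugger would break in whichever instance happens to be scheduled.

```python
import re

# Constructed sample of "kd> !process 0 0 notepad.exe" output with two notepad
# instances (addresses and Cids are made up, not captured from a real session).
SAMPLE_OUTPUT = """\
PROCESS 8fa35c80  SessionId: 0  Cid: 07b8    Peb: 7fe37000  ParentCid: 0354
    DirBase: 1a3c0020  ObjectTable: e1b2c3d0  HandleCount:  61.
    Image: notepad.exe

PROCESS 8fb1a020  SessionId: 1  Cid: 0a14    Peb: 7fe21000  ParentCid: 0354
    DirBase: 1a3c0040  ObjectTable: e1b2c4e8  HandleCount:  58.
    Image: notepad.exe
"""

# One PROCESS header line: EPROCESS address, session, Cid, PEB, parent Cid.
PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-fA-F]+)\s+SessionId:\s*(?P<session>\d+)"
    r"\s+Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*(?P<peb>[0-9a-fA-F]+)"
    r"\s+ParentCid:\s*(?P<parent>[0-9a-fA-F]+)", re.MULTILINE)
IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>\S+)", re.MULTILINE)


def parse_process_list(text):
    """Return one dict per PROCESS block: EPROCESS address, Cid, session, image."""
    procs = []
    for block in re.split(r"\n(?=PROCESS )", text.strip()):
        m = PROCESS_RE.search(block)
        if not m:
            continue  # skip any non-process text the debugger printed
        img = IMAGE_RE.search(block)
        procs.append({"eprocess": m["eprocess"].lower(), "cid": int(m["cid"], 16),
                      "session": int(m["session"]),
                      "image": img["image"].lower() if img else None})
    return procs


def breakpoint_commands(procs, image, symbol, cid=None):
    """Build the switch-then-break sequence from the notes above for exactly one process.
    Several processes may share an image name; then the caller must pick one by Cid,
    otherwise the kernel debugger would break in whichever instance gets scheduled."""
    matches = [p for p in procs if p["image"] == image.lower()]
    if cid is not None:
        matches = [p for p in matches if p["cid"] == cid]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} processes match {image}; pass cid= to pick one")
    ep = matches[0]["eprocess"]
    return [f".process /i {ep}", "g", "!process -1 0", ".reload /user",
            f"bp /p {ep} {symbol}"]
```

Calling `breakpoint_commands(parse_process_list(SAMPLE_OUTPUT), "notepad.exe", "USER32!GetMessageW", cid=0x07b8)` returns the five commands in the order the notes run them.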

Unclassified (for now) commands

Command              Meaning                                                  Example
uf                   Show the disassembled code of a function                 uf main
.asm no_code_bytes   Do not show machine code bytes in the assembler window

Symbols

Command    Variants/Params            Description/Examples
.sympath   .sympath                   Display or set symbol search path
           .sympath+                  Append directories to previous symbol path
.symfix    .symfix                    Display or set symbol search path
           .symfix+ DownstreamStore   Append directories to previous symbol path
.reload    .reload                    Reload symbol information for all modules (see note below)
           .reload [/f | /v]          f = force immediate symbol load (overrides lazy loading); v = verbose mode
           .reload [/f | /v] Module   Reload for Module only

Note: The .reload command does not actually cause symbol information to be read. It just lets the debugger know that the symbol files may have changed, or that a new module should be added to the module list. To force actual symbol loading to occur, use the /f option or the ld (Load Symbols) command.

Examples:
           .reload /f @"ntdll.dll"                        Immediately reload symbols for ntdll.dll.
           .reload /f @"C:\WINNT\System32\verifier.dll"   Reload symbols for verifier.dll using the given path.

Breakpoints

Command   Variants/Params                                          Description/Examples
bp        bp [Addr]                                                Set breakpoint at address
          bp [Addr] ["CmdString"]                                  CmdString = Cmd1; Cmd2; ... executed every time the breakpoint is hit
          [~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"]    ~Thrd = thread that the breakpoint applies to
                                                                   # = breakpoint ID
                                                                   Passes = activate the breakpoint only after it has been passed #Passes times (it is ignored before that)

Memory

Command   Variants/Params                          Description/Examples
d*        d[a|u|b|w|W|d|c|q|f|D] [/c #] [Addr]     Display memory (/c # = number of columns to display)
                                                   a = ASCII chars
                                                   u = Unicode chars
                                                   b = byte + ASCII
                                                   w = word (2b)
                                                   W = word (2b) + ASCII
                                                   d = dword (4b)
                                                   c = dword (4b) + ASCII
                                                   q = qword (8b)
                                                   f = floating point (single precision, 4b)
                                                   D = floating point (double precision, 8b)
dy*       dy[b|d] ...                              Display memory (/c # = number of columns to display)
                                                   b = binary + byte
                                                   d = binary + dword
d*s       dds [/c #] [Addr]                        Display words and symbols (memory at Addr is assumed to be a series of addresses in the symbol table)
          dqs [/c #] [Addr]                        dds = dwords (4b)
                                                   dqs = qwords (8b)

Call Stack

Command   Variants/Params           Description/Examples
k         k [n] [f] [L] [#Frames]   Dump the stack; n = show frame numbers; f = show the distance between adjacent frames; L = omit source lines; #Frames = number of stack frames to display
          kb ...                    Show the first 3 parameters of each call
          kp ...                    Show all parameters: type + name + value
          kP ...                    Show all parameters, formatted (one per line)
          kv ...                    Show FPO info and calling convention

Register

Command   Variants/Params             Description/Examples
r         r                           Dump all registers
          r Reg1, Reg2                Dump only the specified registers (e.g. r eax, edx)
          r Reg=Value                 Assign Value to the register (e.g. r eax=5, edx=6)
          r Reg:Type                  Type = data format in which to display the register (e.g. r eax:uw)
                                      ib = signed byte
                                      ub = unsigned byte
                                      iw = signed word (2b)
                                      uw = unsigned word (2b)
                                      id = signed dword (4b)
                                      ud = unsigned dword (4b)
                                      iq = signed qword (8b)
                                      uq = unsigned qword (8b)
                                      f = 32-bit floating point
                                      d = 64-bit floating point
          r Reg:[Num]Type             Num = number of elements to display (e.g. r eax:1uw)
                                      Default is the full register length, so r eax:uw displays two values because EAX is a 32-bit register.
          ~Thread r [Reg:[Num]Type]   Thread = thread from which the registers are to be read (e.g. ~1 r eax)

Exceptions, events and crash analysis

Command   Variants/Params   Description/Examples
.ecxr                       Display the exception context record (registers) associated with the current exception

Sources

Command    Variants/Params   Description/Examples
.srcpath   .srcpath          Display or set source search path
           .srcpath+ DIR     Append directory to the searched source path

Executable

Command    Variants/Params   Description/Examples
.exepath   .exepath          Display or set executable search path
           .exepath+ DIR     Append directory to the searched executable path

MSDN

Other resources