Swug July 2010 - windows debugging by sainath

Post on 20-May-2015


Sainath shares about the tools he uses when he debugs problems in Windows.

Transcript of Swug July 2010 - windows debugging by sainath

Sainath, BT Frontline, sainathss@live.in

MVP – Active Directory
Microsoft Technet Moderator – Win2k8, Networking
Microsoft Technet Magazine – Author
Microsoft Speaker – SWUG

Windows Debugging

Basic Terms

Process, Thread, User mode, Kernel mode, Call stack, Register, Exception

Basic Terms

IRQL, Interrupt, Free Build, Check Build, Paging, Non paged pool, Paged pool

Basic Terms

Complete Memory Dump

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

CrashDumpEnabled REG_DWORD 0x0 = None
CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump
CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump
CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64KB)

ASK A QUESTION TO PROCEED

Debugger Installation / Setup

Http://www.microsoft.com/ddk/debugging

Symbol file

public symbols – global variables, FPO
private symbols – local symbol, global var

Debugger Setup

Problem with Symbol File: ERROR: Symbol file could not be found. Defaulted to export symbols for <xxx.exe>

Solution: Check for the symbol file path; use the .reload command

AdPlus Tool

User mode debugging tool
Produces memory dumps of an application and processes
-notify switch notifies the user using Live Messenger

You Cannot:
Debug startup applications
Debug programs generating a lot of debug information

AdPlus Tool

Adplus Modes: Hang Mode, Crash Mode

First chance exception
Second chance exception

AdPlus Tool

Command Line Switches: adplus -help, adplus -hang, adplus -crash, adplus -pn, adplus -iis

AdPlus Tool

Demo 1: Adplus hang dump, Adplus crash dump, Configuring symbols, Dumping process, Analyzing dump

Understanding Assembly

C program:

    #include <stdio.h>

    int main(void)
    {
        int x = 10;
        int y = 20;

        /* both variables are overwritten before x is printed;
           these stores are what the debugger shows as memory writes */
        x = 30;
        y = 40;

        printf("value of x is %d \n", x);
        return 0;
    }

Understanding Assembly

Important Note: CPU registers and variables are different in assembly but serve a similar purpose.

12 Major CPU registers: AX, BX, CX, DX, SI, DI, CS, IP etc.

Declaring variables:

    X dw 10
    Y dw 20

Understanding Assembly

Assembly:

    Mov [x], 10
    Mov [y], 20

Windbg:

    Mov dword ptr [saiprj!x (0a003456)], 10

Assembly Continued

Writing data to registers:

    Mov eax, 15
    Mov eax, [x]

Windbg:

    mov eax, [saipgm!x (a0302934)]

Assembly Continued

C program:

    int b = 10;
    int a = 20;
    b = b + a;

Assembly:

    mov eax, b
    add [a], eax

Windbg:

    Mov eax, [saipgm!b (a0308923)]
    Add [saipgm!a (02342343)], eax

Assembly Continued

    Mov [x], 1
    Mov [y], 1
    Mov eax, [x]
    Add [b], eax
    Inc eax

What is the output???

Registers

Registers are small storage units, generally 32 or 64 bit wide.
Registers are always accessed using names.
Wrong data in the registers is a source of bugs.
r command to display registers.

Registers Deep Dive

EAX = contains return values
EBX
ECX = contains loop counter info
EDX
EIP = points to next instruction to be executed
ESP = Stack pointer, points to top of stack.

Registers Deep Dive

EBP = Base pointer / Stack Frame Pointer
EBP will be set before function is called

Reading Memory

Variable Types: Local variables, Global variables, Strings, Unicode, Arrays, constants.

Reading Memory

dd – display memory as dwords (32 bits)
dw – display as words (16 bits)
dt – display type

Example:

    dt nt!<function name>
    dt yourexe!<function name>

Stacks

Program 1: function 1, function 2
Program 2: calling function 1 (assigns stack), return (clears stack), calling function 2

Stacks Continued

Every thread has 2 stacks:
• User Mode 1 MB
• Kernel Mode 12 KB

Whenever a function is called you see a return instruction.

Deep Dive Stacks

    dd esp
    0012fe6c 004113e0 00000005 0000000a 0127f558
    0012fe7c 007dca76 7ffd8000 cccccccc cccccccc

004113e0 = return address
00000005 = argument 1
0000000a = argument 2
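As an added example (not part of Sainath's slides), a small Python helper that parses the dd esp output above and labels the dwords the way the slide does: [esp] is the return address, [esp+4] and [esp+8] the arguments, and 0xcccccccc is the MSVC debug-build fill for untouched stack memory rather than a real argument. The two dump lines are the constructed sample input; the x86 calling-convention layout is the assumption the slide itself makes.

```python
import re

# Constructed sample input: the two "dd esp" lines shown on the slide,
# as WinDbg prints them (start address, then four 32-bit values).
DD_ESP_OUTPUT = """\
0012fe6c 004113e0 00000005 0000000a 0127f558
0012fe7c 007dca76 7ffd8000 cccccccc cccccccc
"""

_DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{8})+)\s*$")

# MSVC debug builds fill uninitialised stack memory with 0xCC bytes,
# so a dword of this value is fill, not something the caller pushed.
STACK_FILL = 0xCCCCCCCC


def parse_dd(text):
    """Turn 'dd' output into {address: dword}; values sit 4 bytes apart."""
    memory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _DD_LINE.match(line)
        if m is None:
            raise ValueError("not a dd line: %r" % line)
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            memory[base + 4 * i] = int(word, 16)
    return memory


def describe_frame(memory, esp, nargs=2):
    """Label the stack at function entry the way the slide does: [esp] is the
    return address and [esp+4], [esp+8], ... are the caller's arguments
    (x86 cdecl/stdcall, arguments pushed right to left). Fill dwords map to None."""
    frame = {"return_address": memory[esp]}
    for n in range(1, nargs + 1):
        value = memory[esp + 4 * n]
        frame["arg%d" % n] = None if value == STACK_FILL else value
    return frame


if __name__ == "__main__":
    mem = parse_dd(DD_ESP_OUTPUT)
    for name, value in describe_frame(mem, 0x0012FE6C, nargs=7).items():
        print("%-15s %s" % (name, "fill" if value is None else "%08x" % value))
```

Asking for more arguments than the function actually takes (nargs=7 here) is a quick way to see where real data ends and the 0xcccccccc fill begins.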

Questions Please