Swug July 2010 - windows debugging by sainath
Page 1
Sainath, BT Frontline
Email: [email protected]
MVP – Active Directory
Microsoft Technet Moderator – Win2k8, Networking
Microsoft Technet Magazine – Author
Microsoft Speaker – SWUG
Page 2
Windows Debugging
Page 3
Basic Terms
Process, Thread, User mode, Kernel mode, Call stack, Register, Exception
Page 4
Basic Terms
IRQL, Interrupt, Free Build, Check Build, Paging, Non paged pool, Paged pool
Page 5
Basic Terms: Complete Memory Dump
Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl
CrashDumpEnabled (REG_DWORD) values:
0x0 = None
0x1 = Complete memory dump
0x2 = Kernel memory dump
0x3 = Small memory dump (64KB)
Page 6
ASK A QUESTION TO PROCEED
Page 7
Debugger Installation and Setup
http://www.microsoft.com/ddk/debugging
Symbol files:
public symbols – global variables, FPO
private symbols – local symbols, global variables
Page 8
Debugger Setup
Problem with symbol file:
ERROR: Symbol file could not be found. Defaulted to export symbols for <xxx.exe>
Solution: check the symbol file path, then use the .reload command
Page 9
AdPlus Tool
User mode debugging tool; produces memory dumps of an application and its processes.
The -notify switch notifies the user using Live Messenger.
You cannot: debug startup applications, or programs generating a lot of debug information.
Page 10
AdPlus Tool: Adplus Modes
Hang Mode
Crash Mode: first chance exception, second chance exception
Page 11
AdPlus Tool: Command Line Switches
Adplus -help
Adplus -hang
Adplus -crash
Adplus -pn
Adplus -iis
Page 12
AdPlus Tool: Demo 1
Adplus hang dump, Adplus crash dump, configuring symbols, dumping a process, analyzing the dump
Page 13
Understanding Assembly: C program

```c
#include <stdio.h>

int main(void)
{
    int x = 10;
    int y = 20;
    x = 30;
    y = 40;
    printf("value of x is %d \n", x);   /* printf, not Printf: C is case-sensitive */
    return 0;
}
```
Page 14
Understanding Assembly
Important note: CPU registers and variables are different in assembly but serve a similar purpose.
12 major CPU registers: AX, BX, CX, DX, SI, DI, CS, IP etc.
Declaring variables:
X dw 10
Y dw 20
Page 15
Understanding Assembly
Assembly:
mov [x], 10
mov [y], 20
Windbg:
mov dword ptr [saiprj!x (0a003456)], 10
Page 16
Assembly Continued: writing data to registers
mov eax, 15
mov eax, [x]
Windbg:
mov eax, [saipgm!x (a0302934)]
Page 17
Assembly Continued
C program:

```c
int b = 10;
int a = 20;
b = b + a;   /* the slide writes "B = b+a"; C is case-sensitive, so the variable is b.
                Note that the assembly below adds eax into [a], i.e. it updates a. */
```

Assembly:
mov eax, [b]
add [a], eax
Windbg:
mov eax, [saipgm!b (a0308923)]
add [saipgm!a (02342343)], eax
Page 18
Assembly Continued
mov [x], 1
mov [y], 1
mov eax, [x]
add [b], eax
inc eax
What is the output???
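The point of pages 14 to 18 is that a register (eax) and a memory variable (x, y, a, b) are separate storage that happen to be used for the same job. The following added example (my code, not from the slides or from the presenter) models just the mov, add and inc forms used above and runs the "What is the output?" sequence through it. The slide does not give b's starting value, so b = 10 is an assumed, constructed value; the variable slots, the enum names and the `step`/`run` functions are all mine.

```c
/* Added example (not from the slides): a tiny model of the x86 instructions
 * used on the "Understanding Assembly" slides. It makes the difference between
 * a CPU register (eax) and a memory variable (x, y, a, b) concrete.
 * Variable slots, the opcode subset and all initial values are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* One 32-bit register and four named 32-bit memory cells. */
struct cpu {
    uint32_t eax;        /* the register the slides write to and read from */
    uint32_t mem[4];     /* the variables x, y, a, b live here */
};

enum var { X = 0, Y = 1, A = 2, B = 3 };

/* Operand kinds: an immediate constant, the register eax, or memory [var]. */
enum kind { IMM, REG_EAX, MEM };
struct operand { enum kind k; uint32_t v; };

enum opcode { MOV, ADD, INC };
struct insn { enum opcode op; struct operand dst, src; };

static uint32_t read_op(const struct cpu *c, struct operand o) {
    switch (o.k) {
    case IMM:     return o.v;
    case REG_EAX: return c->eax;
    default:      return c->mem[o.v];
    }
}

static void write_op(struct cpu *c, struct operand o, uint32_t val) {
    if (o.k == REG_EAX) c->eax = val;
    else if (o.k == MEM) c->mem[o.v] = val;
}

/* Execute one instruction; returns 0 on success, -1 for an invalid form. */
static int step(struct cpu *c, struct insn i) {
    if (i.dst.k == IMM) return -1;               /* cannot store into a constant */
    switch (i.op) {
    case MOV: write_op(c, i.dst, read_op(c, i.src)); return 0;
    case ADD: write_op(c, i.dst, read_op(c, i.dst) + read_op(c, i.src)); return 0;
    case INC: write_op(c, i.dst, read_op(c, i.dst) + 1); return 0;
    }
    return -1;
}

/* Run a program; returns the number of instructions executed, or -1 on a bad one. */
static int run(struct cpu *c, const struct insn *prog, int n) {
    for (int k = 0; k < n; k++)
        if (step(c, prog[k]) != 0) return -1;
    return n;
}

/* The sequence from the "What is the output?" slide:
 *   mov [x], 1 ; mov [y], 1 ; mov eax, [x] ; add [b], eax ; inc eax */
static const struct insn slide_program[] = {
    { MOV, { MEM, X },     { IMM, 1 } },
    { MOV, { MEM, Y },     { IMM, 1 } },
    { MOV, { REG_EAX, 0 }, { MEM, X } },
    { ADD, { MEM, B },     { REG_EAX, 0 } },
    { INC, { REG_EAX, 0 }, { IMM, 0 } },       /* src is unused for inc */
};

struct cpu run_slide_program(void) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.mem[B] = 10;   /* assumed initial value of b (the slide does not say) */
    run(&c, slide_program, 5);
    return c;
}

/* A store into an immediate is not a valid instruction; the model rejects it. */
int mov_to_immediate_is_rejected(void) {
    struct cpu c;
    struct insn bad = { MOV, { IMM, 5 }, { IMM, 1 } };
    memset(&c, 0, sizeof c);
    return step(&c, bad) == -1;
}

int main(void) {
    struct cpu c = run_slide_program();
    printf("eax=%u x=%u y=%u b=%u\n", c.eax, c.mem[X], c.mem[Y], c.mem[B]);
    /* prints eax=2 x=1 y=1 b=11: "inc eax" changed the register only;
       [b] was updated once by the add and is not touched by the inc */
    return 0;
}
```

The answer the model gives is the one the slide is driving at: after `add [b], eax` the variable b holds b + 1, and `inc eax` then bumps only the register, so the value in memory and the value in eax diverge. When reading a crash dump, that is exactly why `r` (registers) and `dd` (memory) have to be read together.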
Page 19
Registers
Registers are small storage units, generally 32 or 64 bits wide.
Registers are always accessed using names.
Wrong data in the registers is a source of bugs.
The r command displays registers.
Page 20
Registers Deep Dive
EAX = contains return values
EBX
ECX = contains loop counter info
EDX
EIP = points to the next instruction to be executed
ESP = stack pointer, points to the top of the stack
Page 21
Registers Deep Dive
EBP = base pointer / stack frame pointer
EBP will be set before the function is called
Page 22
Reading Memory
Variable types: local variables, global variables, strings, Unicode, arrays, constants
Page 23
Reading Memory
dd – display memory as 32-bit values
dw – display as words (16 bits)
dt – display type
Example:
dt nt!<function name>
dt yourexe!<function name>
Page 24
Stacks
Program 1: function 1, function 2
Program 2: calling function 1 (assigns stack), return (clears stack), calling function 2
Page 25
Stacks Continued
Every thread has 2 stacks:
• User Mode 1 MB
• Kernel Mode 12 KB
Whenever a function is called you see a return instruction.
Page 26
Deep Dive Stacks

```
dd esp
0012fe6c 004113e0 00000005 0000000a 0127f558
0012fe7c 007dca76 7ffd8000 cccccccc cccccccc
```

004113e0 = return address
00000005 = argument 1
0000000a = argument 2
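Pages 24 to 26 describe how a call "assigns" the stack (arguments and return address are pushed), how `dd esp` shows that layout at the callee's entry, and how the return "clears" it again. The following added example (my code, not from the slides) rebuilds that picture: a small 32-bit stack model that performs a cdecl-style call of f(5, 0xa) and a parser for a `dd` output line that labels the first three dwords the way the slide does. The return address 004113e0 and the arguments are the slide's values; the stack size, the 0xcccccccc fill, the function names and the `add esp, 8` caller clean-up are assumptions of the model.

```c
/* Added example (not from the slides): a model of what "dd esp" shows right
 * after a 32-bit cdecl call, plus a small parser for one dd output line.
 * The return address and argument values come from the slide; the stack
 * depth, the fill pattern and the helper names are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <string.h>

#define STACK_WORDS 16

/* A tiny 32-bit stack: esp indexes into 'words' and grows toward index 0. */
struct stack {
    uint32_t words[STACK_WORDS];
    int esp;                      /* index of the top-of-stack word */
};

void init_stack(struct stack *s) {
    memset(s->words, 0xcc, sizeof s->words);  /* 0xcccccccc fill, as seen on the slide */
    s->esp = STACK_WORDS;                     /* empty stack */
}

static void push(struct stack *s, uint32_t v) { s->words[--s->esp] = v; }
static uint32_t pop(struct stack *s) { return s->words[s->esp++]; }

/* Caller side of f(arg1, arg2): cdecl pushes arguments right to left, then
 * CALL pushes the return address. Returns esp as the callee sees it on entry. */
int cdecl_call(struct stack *s, uint32_t ret_addr, uint32_t arg1, uint32_t arg2) {
    push(s, arg2);
    push(s, arg1);
    push(s, ret_addr);          /* what the CALL instruction does */
    return s->esp;
}

/* Callee view: the return address is at [esp], argument k (1-based) at [esp + 4*k]. */
uint32_t stack_ret(const struct stack *s) { return s->words[s->esp]; }
uint32_t stack_arg(const struct stack *s, int k) { return s->words[s->esp + k]; }

/* RET pops the return address; a cdecl caller then removes its own arguments
 * (add esp, 4*nargs). Returns esp after the clean-up. */
int cdecl_return(struct stack *s, int nargs) {
    (void)pop(s);
    s->esp += nargs;
    return s->esp;
}

/* Parse one dd line ("addr d0 d1 d2 d3"). Returns how many dwords were read. */
int parse_dd_line(const char *line, uint32_t *addr, uint32_t out[4]) {
    int n = sscanf(line, "%" SCNx32 " %" SCNx32 " %" SCNx32 " %" SCNx32 " %" SCNx32,
                   addr, &out[0], &out[1], &out[2], &out[3]);
    return n < 1 ? 0 : n - 1;
}

/* Label the first three dwords of a "dd esp" line taken at function entry as
 * return address, argument 1 and argument 2. Returns -1 if the line is short. */
int describe_frame(const char *line, uint32_t *ret, uint32_t *a1, uint32_t *a2) {
    uint32_t addr, d[4];
    if (parse_dd_line(line, &addr, d) < 3) return -1;
    *ret = d[0];
    *a1 = d[1];
    *a2 = d[2];
    return 0;
}

int main(void) {
    /* The first line of the slide's dd esp output, embedded here as sample input. */
    const char *slide_line = "0012fe6c 004113e0 00000005 0000000a 0127f558";
    uint32_t ret, a1, a2;
    if (describe_frame(slide_line, &ret, &a1, &a2) == 0)
        printf("return address %08" PRIx32 ", arg1 %" PRIu32 ", arg2 %" PRIu32 "\n",
               ret, a1, a2);

    /* Rebuild the same picture with the stack model. */
    struct stack s;
    init_stack(&s);
    cdecl_call(&s, 0x004113e0u, 5, 0xa);
    printf("[esp]=%08" PRIx32 " [esp+4]=%08" PRIx32 " [esp+8]=%08" PRIx32 "\n",
           stack_ret(&s), stack_arg(&s, 1), stack_arg(&s, 2));
    cdecl_return(&s, 2);
    printf("after ret and caller clean-up the stack is empty: %d\n", s.esp == STACK_WORDS);
    return 0;
}
```

Reading the `dd esp` output this way is also the basic sanity check for a corrupted frame: if the first dword is not an address inside a loaded module's code, the return address has been overwritten and the call stack the debugger shows above that point cannot be trusted.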
Page 27
Questions Please