SlideShare una empresa de Scribd logo
1 de 47
Descargar para leer sin conexión
Khalil Nassar
Senior Systems Engineer
Microsoft Corporation
Debug 01100101 (Debug 101)
x64 versus x86 Differences
Essential Command Reference
Windows Vista and
Windows Server code name “Longhorn”
Architectural Changes
Debugging Techniques
Top 10 Questions
What is a debugger
State
Debugger view
Breakpoints and scripts
What is a debugger?
State
Virtual memory
Process List -> Directory Base List -> VM
              -> Thread List -> Reg
  Context
State
Interrupts
Timeslice/Dispatch
Driver Debugging Basics
Manipulating Debugger View
 .process
 .cxr, .trap
 .thread
 .frame
Breakpoints and Scripts
  Pseudo registers
  Aliases
Useful Pseudo Registers
 $teb,$peb,$p,$ea,$proc,$thread,$tid,$tpid,
 $mod,$base,$addr,$imagename
 $ea2 – for instructions that have 2
 effective addresses
 $callret
 $dbgtime – debugger’s current time
 $scopeip – returns the instruction pointer
 for the currently set scope
 $bp – last hit break point
$bphit – user ID of breakpoint just hit
$frame – current frame number
$! – prefixing a symbol with $! will cause
only the current scope to be searched
$exentry – address of the entry point for
the first executable of the current process
$t0 - $t9 – actual pseudo registers used
for temporary values
$ip – The current instruction pointer
$eventip - The IP at the time of the current event.
This can be different from $ip if you switch
threads or manually change the IP register
$previp - The $eventip value from the last event.
The last event for a user means the last prompt.
If there wasn't a last event it'll be an error
$relip - Any related IP value for the current event.
When you are branch tracing it'll be the branch
source, otherwise it'll be an error.
$retreg = eax (x86) , ret0 (ia64),rax (x64)
$CurrentDumpPath
Debugger Aliases
     @#ModuleName     string
     @#ImageName      string
     @#LoadedImageName string
     @#SymbolFileName   string
     @#MappedImageName string
@#Base        ULONG64
@#Size        ULONG
@#TimeDateStamp    ULONG
@#Checksum       ULONG
@#Flags       ULONG
@#SymbolType     USHORT
@#ImageNameSize     ULONG
@#ModuleNameSize    ULONG
@#LoadedImageNameSize ULONG
@#SymbolFileNameSize ULONG
@#MappedImageNameSize ULONG
Useful Breakpoints
  Self clearing call returning –
bp func "bp /1 @$ra "r$retreg";g“
  Set a bp on a yet to be defined module –
bu /1 wmain "ba w4 g_Var "j (
  @@(g_Var==%1) ) '.echo broken
  because g_Var is %1'; 'gc' ";g“
bu notepad!winmain ".printf
  "notepad!winmain entered with hInstance
  = %pn", poi(hInstance);g"
Script Examples
  Search for kernel trap frames.
  Demonstrates arbitrary processing
  on each hit
.foreach ($addr { s-[1]d 80000000 l?7fffffff
  23 23 }) { ? $addr ; .trap $addr - 0n52 ; kv
  }!vm
Script Examples continued
Display full callstack for all threads
r? $t0 = &nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 =
   poi(@$t1))
{
    r? $t2 = #CONTAINING_RECORD(@$t1,
    nt!_EPROCESS, ActiveProcessLinks);
    .process /p /r $t2
    !process $t2 7
}
Architectural Issues
Debugging Relevant Issues
Architectural
  Registers
  Exception handling
  Stack walking
Debugging Relevant
 Debug 32-bit processes
 with the 32-bit debugger
 UMDH issues with x64
 From the debugger – access CPU
 registers with @
 Issues encountered building the
 Keyboard filter driver for x64
 Virtual memory translation
 Practice inspection with quad words (dq)
Trap Frames
  Nonvolative registers (rbx, rsi, rdi, etc.)
  not preserved for perf reasons
  Must dig them out of the callee stacks
Debugger Setup
 .sympath, .srcpath, .lsrcpath, .lines
 .reload, lml
 !sym noisy
 .enable_unicode 1
 x
Virtual Memory
  !pool, !poolused, !poolval, !poolfind
  !vm
  !vprot, !address
System Wide
 !locks, !irpfind -4/v
 !pcr, !idt
 !object, !drvobj, !devstack
 !cpuid
Relative To Current Thread
 !peb, !teb
 !handle
 !thread
 .cxr, .trap
 .exr -1
Relative To Current Process
 !process, !pcr
Error Analysis
  !analyze –v, !verifier, !avrf
  !error, !errorlog, !gle
  .exr -1, .eventlog, .lastevent
Data Analysis
 dv, dt, ?, ??
 k (kp, kP, kv, kn)
 r (rMff)
 .formats
 d (dc, du, dq, dl, dds, dqs)
 !d
 u, ub, uf
Execution
 g, t, p, wt, bp, bu
 sx
.bpsync 1
.flash_on_break
Improved Thread Pooling – including
multiple thread pools
Boot environment reengineered
Need KD for unsigned kernel drivers on
x64
Driver Debugging Basics
#10: Is there a way to redirect the output
of a debugger extension to a text file?
#9: Is there a way to make the debugger
flash or emit a sound when a breakpoint
is hit?
#8: .kdfiles on Windows Vista
#7: Breaking in Main() from KD.
Module Load
#6: .crash behavior
#5: BCDEDIT
#4: Why Does KD Get Wedged
#3: kd -kl
#2: Can I force the symbols to match?
Driver Debugging Basics
Debugging effectively requires
understanding your target code, debugger
theory and Operating System (OS)
theory. This presentation has been an
introduction to operating system and
debugger theory with an emphasis on
debugger capabilities and commands.
The related lab gives hands on
experience with driver and OS theory
using the debugger as the enabler
Understand the system state,
not just your driver
 Virtual Memory
 Interrupts
 Timeslice/Dispatch
Go beyond Call Stacks and Exceptions
 Know more of the essential commands
Debugging Well is Very Rewarding
Web Resources
  Debugging Tools for Windows:
  http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx
  Training, message boards, etc:
  http://www.microsoft.com/whdc/devtools/debugging/resources.mspx
Related Sessions
  DVR-T410 Driver Debugging Basics
  DVR-C478 Debugging Drivers: Discussion
  DVR-C408 Driver Verifier: Internals Discussion
  DVR-H409 Debugging Bugs Exposed by Driver Verifier: Workshop
  DVR-H481 64-bit Driver Debugging Basics: Workshop (2 sessions)
Help: Create a support incident: DDK Developer Support
Feedback: Send suggestions or bug reports:
                   Windbgfb @ microsoft.com
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
     conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
                                 MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Más contenido relacionado

La actualidad más candente

Introduction to Assembly Language Programming
Introduction to Assembly Language ProgrammingIntroduction to Assembly Language Programming
Introduction to Assembly Language ProgrammingRahul P
 
Bozorgmeh os lab
Bozorgmeh os labBozorgmeh os lab
Bozorgmeh os labFS Karimi
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity TipsKeith Bennett
 
Unix Basics
Unix BasicsUnix Basics
Unix BasicsDr.Ravi
 
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFUSENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFTaeung Song
 
Talk Unix Shell Script
Talk Unix Shell ScriptTalk Unix Shell Script
Talk Unix Shell ScriptDr.Ravi
 
Unix system programming
Unix system programmingUnix system programming
Unix system programmingSyed Mustafa
 
Airlover 20030324 1
Airlover 20030324 1Airlover 20030324 1
Airlover 20030324 1Dr.Ravi
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in goAndrii Soldatenko
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Talk Unix Shell Script 1
Talk Unix Shell Script 1Talk Unix Shell Script 1
Talk Unix Shell Script 1Dr.Ravi
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
101 1.3 runlevels , shutdown, and reboot
101 1.3 runlevels , shutdown, and reboot101 1.3 runlevels , shutdown, and reboot
101 1.3 runlevels , shutdown, and rebootAcácio Oliveira
 
Kernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyKernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyAnne Nicolas
 

La actualidad más candente (20)

Introduction to Assembly Language Programming
Introduction to Assembly Language ProgrammingIntroduction to Assembly Language Programming
Introduction to Assembly Language Programming
 
Bozorgmeh os lab
Bozorgmeh os labBozorgmeh os lab
Bozorgmeh os lab
 
Emu8086
Emu8086Emu8086
Emu8086
 
Debugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to LinuxDebugging ZFS: From Illumos to Linux
Debugging ZFS: From Illumos to Linux
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity Tips
 
Unix Basics
Unix BasicsUnix Basics
Unix Basics
 
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFUSENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
 
Talk Unix Shell Script
Talk Unix Shell ScriptTalk Unix Shell Script
Talk Unix Shell Script
 
Unix system programming
Unix system programmingUnix system programming
Unix system programming
 
Airlover 20030324 1
Airlover 20030324 1Airlover 20030324 1
Airlover 20030324 1
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in go
 
Os lab manual
Os lab manualOs lab manual
Os lab manual
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Talk Unix Shell Script 1
Talk Unix Shell Script 1Talk Unix Shell Script 1
Talk Unix Shell Script 1
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
101 1.3 runlevels , shutdown, and reboot
101 1.3 runlevels , shutdown, and reboot101 1.3 runlevels , shutdown, and reboot
101 1.3 runlevels , shutdown, and reboot
 
Kernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyKernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easy
 
Linux on System z debugging with Valgrind
Linux on System z debugging with ValgrindLinux on System z debugging with Valgrind
Linux on System z debugging with Valgrind
 

Similar a Driver Debugging Basics

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Perl at SkyCon'12
Perl at SkyCon'12Perl at SkyCon'12
Perl at SkyCon'12Tim Bunce
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdfKhaledIbrahim10923
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 
A Replay Approach to Software Validation
A Replay Approach to Software ValidationA Replay Approach to Software Validation
A Replay Approach to Software ValidationJames Pascoe
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
JavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsBrendan Gregg
 
Virtual platform
Virtual platformVirtual platform
Virtual platformsean chen
 
Review unknown code with static analysis - bredaphp
Review unknown code with static analysis - bredaphpReview unknown code with static analysis - bredaphp
Review unknown code with static analysis - bredaphpDamien Seguy
 
php & performance
 php & performance php & performance
php & performancesimon8410
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance毅 吕
 
Ibm bpm problem determination
Ibm bpm problem determinationIbm bpm problem determination
Ibm bpm problem determinationLong Nguyen
 
Efficient JavaScript Development
Efficient JavaScript DevelopmentEfficient JavaScript Development
Efficient JavaScript Developmentwolframkriesing
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Debugging Tools & Techniques for Persistent Memory Programming
Debugging Tools & Techniques for Persistent Memory ProgrammingDebugging Tools & Techniques for Persistent Memory Programming
Debugging Tools & Techniques for Persistent Memory ProgrammingIntel® Software
 
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Expert Insight
 
Crash Dump Analysis 101
Crash Dump Analysis 101Crash Dump Analysis 101
Crash Dump Analysis 101John Howard
 

Similar a Driver Debugging Basics (20)

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Perl at SkyCon'12
Perl at SkyCon'12Perl at SkyCon'12
Perl at SkyCon'12
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf0100_Embeded_C_CompilationProcess.pdf
0100_Embeded_C_CompilationProcess.pdf
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
A Replay Approach to Software Validation
A Replay Approach to Software ValidationA Replay Approach to Software Validation
A Replay Approach to Software Validation
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
JavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame Graphs
 
Java Memory Model
Java Memory ModelJava Memory Model
Java Memory Model
 
Virtual platform
Virtual platformVirtual platform
Virtual platform
 
Review unknown code with static analysis - bredaphp
Review unknown code with static analysis - bredaphpReview unknown code with static analysis - bredaphp
Review unknown code with static analysis - bredaphp
 
php & performance
 php & performance php & performance
php & performance
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance
 
Ibm bpm problem determination
Ibm bpm problem determinationIbm bpm problem determination
Ibm bpm problem determination
 
Efficient JavaScript Development
Efficient JavaScript DevelopmentEfficient JavaScript Development
Efficient JavaScript Development
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
bluespec talk
bluespec talkbluespec talk
bluespec talk
 
Debugging Tools & Techniques for Persistent Memory Programming
Debugging Tools & Techniques for Persistent Memory ProgrammingDebugging Tools & Techniques for Persistent Memory Programming
Debugging Tools & Techniques for Persistent Memory Programming
 
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
Session - Debugging memory stomps and other atrocities - Stefan Reinalter - T...
 
Crash Dump Analysis 101
Crash Dump Analysis 101Crash Dump Analysis 101
Crash Dump Analysis 101
 

Más de Bala Subra

Serverless architectures: APIs, Serverless Functions, Microservices - How to ...
Serverless architectures: APIs, Serverless Functions, Microservices - How to ...Serverless architectures: APIs, Serverless Functions, Microservices - How to ...
Serverless architectures: APIs, Serverless Functions, Microservices - How to ...Bala Subra
 
Windows Azure Sdk
Windows Azure SdkWindows Azure Sdk
Windows Azure SdkBala Subra
 
Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...
Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...
Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...Bala Subra
 
Dean Keynote Ladis2009
Dean Keynote Ladis2009Dean Keynote Ladis2009
Dean Keynote Ladis2009Bala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
Scalable Resilient Web Services In .Net
Scalable Resilient Web Services In .NetScalable Resilient Web Services In .Net
Scalable Resilient Web Services In .NetBala Subra
 
What is new in WCF 4.0?
What is new in WCF 4.0?What is new in WCF 4.0?
What is new in WCF 4.0?Bala Subra
 
Advanced Windows Debugging
Advanced Windows DebuggingAdvanced Windows Debugging
Advanced Windows DebuggingBala Subra
 
System Center: Virtual Machine Manager 2008 Version 2.0
System Center: Virtual Machine Manager 2008 Version 2.0System Center: Virtual Machine Manager 2008 Version 2.0
System Center: Virtual Machine Manager 2008 Version 2.0Bala Subra
 
Parallel Computing For Managed Developers
Parallel Computing For Managed DevelopersParallel Computing For Managed Developers
Parallel Computing For Managed DevelopersBala Subra
 
IT Management Firestarter
IT Management FirestarterIT Management Firestarter
IT Management FirestarterBala Subra
 
Demystifying Windows Communication Foundation
Demystifying Windows Communication FoundationDemystifying Windows Communication Foundation
Demystifying Windows Communication FoundationBala Subra
 
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2Bala Subra
 
Denny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for IT
Denny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for ITDenny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for IT
Denny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for ITBala Subra
 
BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010
BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010
BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010Bala Subra
 
How to ace your .NET technical interview :: .Net Technical Check Tuneup
How to ace your .NET technical interview :: .Net Technical Check TuneupHow to ace your .NET technical interview :: .Net Technical Check Tuneup
How to ace your .NET technical interview :: .Net Technical Check TuneupBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Sql Server Performance Tuning
Sql Server Performance TuningSql Server Performance Tuning
Sql Server Performance TuningBala Subra
 
Ssrs 2005 Reporting Services
Ssrs 2005 Reporting ServicesSsrs 2005 Reporting Services
Ssrs 2005 Reporting ServicesBala Subra
 

Más de Bala Subra (20)

Serverless architectures: APIs, Serverless Functions, Microservices - How to ...
Serverless architectures: APIs, Serverless Functions, Microservices - How to ...Serverless architectures: APIs, Serverless Functions, Microservices - How to ...
Serverless architectures: APIs, Serverless Functions, Microservices - How to ...
 
Windows Azure Sdk
Windows Azure SdkWindows Azure Sdk
Windows Azure Sdk
 
Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...
Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...
Mobile Development Architecture Ppt with Slides, Book Notes on using Web Silv...
 
Dean Keynote Ladis2009
Dean Keynote Ladis2009Dean Keynote Ladis2009
Dean Keynote Ladis2009
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
Scalable Resilient Web Services In .Net
Scalable Resilient Web Services In .NetScalable Resilient Web Services In .Net
Scalable Resilient Web Services In .Net
 
What is new in WCF 4.0?
What is new in WCF 4.0?What is new in WCF 4.0?
What is new in WCF 4.0?
 
Advanced Windows Debugging
Advanced Windows DebuggingAdvanced Windows Debugging
Advanced Windows Debugging
 
System Center: Virtual Machine Manager 2008 Version 2.0
System Center: Virtual Machine Manager 2008 Version 2.0System Center: Virtual Machine Manager 2008 Version 2.0
System Center: Virtual Machine Manager 2008 Version 2.0
 
Parallel Computing For Managed Developers
Parallel Computing For Managed DevelopersParallel Computing For Managed Developers
Parallel Computing For Managed Developers
 
IT Management Firestarter
IT Management FirestarterIT Management Firestarter
IT Management Firestarter
 
Demystifying Windows Communication Foundation
Demystifying Windows Communication FoundationDemystifying Windows Communication Foundation
Demystifying Windows Communication Foundation
 
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
Basics & Intro to SQL Server Reporting Services: Sql Server Ssrs 2008 R2
 
Denny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for IT
Denny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for ITDenny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for IT
Denny Lee\'s Data Camp v1.0 talk on SSRS Best Practices for IT
 
BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010
BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010
BizTalk 2010 with Appfabric Hosting in the Cloud: WCF Services vs BT2010
 
Biz talk BI
Biz talk BIBiz talk BI
Biz talk BI
 
How to ace your .NET technical interview :: .Net Technical Check Tuneup
How to ace your .NET technical interview :: .Net Technical Check TuneupHow to ace your .NET technical interview :: .Net Technical Check Tuneup
How to ace your .NET technical interview :: .Net Technical Check Tuneup
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Sql Server Performance Tuning
Sql Server Performance TuningSql Server Performance Tuning
Sql Server Performance Tuning
 
Ssrs 2005 Reporting Services
Ssrs 2005 Reporting ServicesSsrs 2005 Reporting Services
Ssrs 2005 Reporting Services
 

Driver Debugging Basics

  • 1. Khalil Nassar Senior Systems Engineer Microsoft Corporation
  • 2. Debug 01100101 (Debug 101) x64 versus x86 Differences Essential Command Reference Windows Vista and Windows Server code name “Longhorn” Architectural Changes Debugging Techniques Top 10 Questions
  • 3. What is a debugger State Debugger view Breakpoints and scripts
  • 4. What is a debugger?
  • 5. State Virtual memory Process List -> Directory Base List -> VM -> Thread List -> Reg Context
  • 8. Manipulating Debugger View .process .cxr, .trap .thread .frame
  • 9. Breakpoints and Scripts Pseudo registers Aliases
  • 10. Useful Pseudo Registers $teb,$peb,$p,$ea,$proc,$thread,$tid,$tpid, $mod,$base,$addr,$imagename $ea2 – for instructions that have 2 effective addresses $callret $dbgtime – debugger’s current time $scopeip – returns the instruction pointer for the currently set scope $bp – last hit break point
  • 11. $bphit – user ID of breakpoint just hit $frame – current frame number $! – prefixing a symbol with $! will cause only the current scope to be searched $exentry – address of the entry point for the first executable of the current process $t0 - $t9 – actual pseudo registers used for temporary values
  • 12. $ip – The current instruction pointer $eventip - The IP at the time of the current event. This can be different from $ip if you switch threads or manually change the IP register $previp - The $eventip value from the last event. The last event for a user means the last prompt. If there wasn't a last event it'll be an error $relip - Any related IP value for the current event. When you are branch tracing it'll be the branch source, otherwise it'll be an error. $retreg = eax (x86) , ret0 (ia64),rax (x64) $CurrentDumpPath
  • 13. Debugger Aliases @#ModuleName string @#ImageName string @#LoadedImageName string @#SymbolFileName string @#MappedImageName string
  • 14. @#Base ULONG64 @#Size ULONG @#TimeDateStamp ULONG @#Checksum ULONG @#Flags ULONG @#SymbolType USHORT
  • 15. @#ImageNameSize ULONG @#ModuleNameSize ULONG @#LoadedImageNameSize ULONG @#SymbolFileNameSize ULONG @#MappedImageNameSize ULONG
  • 16. Useful Breakpoints Self clearing call returning – bp func "bp /1 @$ra "r$retreg";g“ Set a bp on a yet to be defined module – bu /1 wmain "ba w4 g_Var "j ( @@(g_Var==%1) ) '.echo broken because g_Var is %1'; 'gc' ";g“ bu notepad!winmain ".printf "notepad!winmain entered with hInstance = %pn", poi(hInstance);g"
  • 17. Script Examples Search for kernel trap frames. Demonstrates arbitrary processing on each hit .foreach ($addr { s-[1]d 80000000 l?7fffffff 23 23 }) { ? $addr ; .trap $addr - 0n52 ; kv }!vm
  • 18. Script Examples continued Display full callstack for all threads r? $t0 = &nt!PsActiveProcessHead .for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1)) { r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks); .process /p /r $t2 !process $t2 7 }
  • 20. Architectural Registers Exception handling Stack walking
  • 21. Debugging Relevant Debug 32-bit processes with the 32-bit debugger UMDH issues with x64 From the debugger – access CPU registers with @ Issues encountered building the Keyboard filter driver for x64 Virtual memory translation Practice inspection with quad words (dq)
  • 22. Trap Frames Nonvolative registers (rbx, rsi, rdi, etc.) not preserved for perf reasons Must dig them out of the callee stacks
  • 23. Debugger Setup .sympath, .srcpath, .lsrcpath, .lines .reload, lml !sym noisy .enable_unicode 1 x
  • 24. Virtual Memory !pool, !poolused, !poolval, !poolfind !vm !vprot, !address
  • 25. System Wide !locks, !irpfind -4/v !pcr, !idt !object, !drvobj, !devstack !cpuid
  • 26. Relative To Current Thread !peb, !teb !handle !thread .cxr, .trap .exr -1
  • 27. Relative To Current Process !process, !pcr
  • 28. Error Analysis !analyze –v, !verifier, !avrf !error, !errorlog, !gle .exr -1, .eventlog, .lastevent
  • 29. Data Analysis dv, dt, ?, ?? k (kp, kP, kv, kn) r (rMff) .formats d (dc, du, dq, dl, dds, dqs) !d u, ub, uf
  • 30. Execution g, t, p, wt, bp, bu sx
  • 32. Improved Thread Pooling – including multiple thread pools Boot environment reengineered Need KD for unsigned kernel drivers on x64
  • 34. #10: Is there a way to redirect the output of a debugger extension to a text file?
  • 35. #9: Is there a way to make the debugger flash or emit a sound when a breakpoint is hit?
  • 36. #8: .kdfiles on Windows Vista
  • 37. #7: Breaking in Main() from KD. Module Load
  • 40. #4: Why Does KD Get Wedged
  • 42. #2: Can I force the symbols to match?
  • 44. Debugging effectively requires understanding your target code, debugger theory and Operating System (OS) theory. This presentation has been an introduction to operating system and debugger theory with an emphasis on debugger capabilities and commands. The related lab gives hands on experience with driver and OS theory using the debugger as the enabler
  • 45. Understand the system state, not just your driver Virtual Memory Interrupts Timeslice/Dispatch Go beyond Call Stacks and Exceptions Know more of the essential commands Debugging Well is Very Rewarding
  • 46. Web Resources Debugging Tools for Windows: http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx Training, message boards, etc: http://www.microsoft.com/whdc/devtools/debugging/resources.mspx Related Sessions DVR-T410 Driver Debugging Basics DVR-C478 Debugging Drivers: Discussion DVR-C408 Driver Verifier: Internals Discussion DVR-H409 Debugging Bugs Exposed by Driver Verifier: Workshop DVR-H481 64-bit Driver Debugging Basics: Workshop (2 sessions) Help: Create a support incident: DDK Developer Support Feedback: Send suggestions or bug reports: Windbgfb @ microsoft.com
  • 47. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.