New PowerDbg – I Need Your Help

First, let me fix the title. It should be: “New PowerDbg – We Need Your Help”. I explain, a few weeks ago I received an e-mail from Piers Williams, a developer from Australia. Piers mentioned his blog article related to PowerDbg where he makes some constructive criticism. When reading the article I was like: “Why…


PSSCOR2, the Superset of SOS.DLL is Now Public!!!

Whenever I’m debugging with customers watching it’s inevitable: they always ask me what this PSSCOR2.dll extension is. The next question is always if PSSCOR2.DLL is going to be public. PSSCOR2.DLL is a superset of SOS.DLL and has much more commands and variations! The good news is that yes, now PSSCOR2.DLL is public, so you can download…


XPerf Tool – Why Can’t You Live Without It?

Israel Burman (Israel is one of the ADPlus creators and the guy who taught me the XPerf tool) and Mario Hewardt told me I should blog about the XPerf tool. Although I’m new to this tool I decided to follow their suggestions because I believe you’re going to wonder how you could live without using…


Special Command—Editing memory with a, eb, ed, ew, eza, ezu

  When talking about editing memory, we usually think about patching code. Patching code means changing the binary code in memory for, let’s say, when you want to prove a hypothesis while debugging and you don’t have access to the source code. This is a very exciting subject, and WinDbg has the right tools to…


[PowerShell Script] PowerDbg v5.3—Using PowerShell to Control WinDbg

This version has a fix in Parse-PowerDbgDSO. Thanks to Igor Dvorkin that found the bug and suggested the fix.     DOWNLOAD POWERDBG   Download PowerDbg   POWERDBG FILES   WinDbg.PSM1  ß Starting with this version this is the only file.   INSTALLATION   WinDbg.PSM1   Goes to %\WindowsPowerShell\Modules\WinDbg   Note: PowerDbg assumes the folder…


Special Command—Unassembling code with u, ub and uf

When debugging sooner or later you will need to disassemble code to get a better understanding of that code. By disassembling the code, you get the mnemonics translated from the 0s and 1s that constitute the binary code. It is a low level view of the code, but a higher level than seeing just numbers….


Special Command—Using # to Find Patterns of Assembly Instructions

  Sometimes you need to look for patterns of disassembled code. You can browse the disassembled code and manually look for a specific pattern, or you can use a command to automate it.  The # command does that.   # [Pattern] [Address [L Size ]]   Parameters:   Pattern – Specifies the pattern to search…


Special Command—Tracing Applications Using wt

wt [WatchOptions] [= StartAddress] [EndAddress]   Transcribing the WinDbg documentation, this command runs through the whole function and then displays statistics when executed at the beginning of a function call. Thus, this command can be used just when doing live debugging, not post mortem debugging (dump analysis). Think about Watch and Trace.   The WinDbg help file describes…


Special Command—Saving Modules Using .writemem

This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, it is just the raw memory. The parameters are:   .writemem <filename> <range>   Here is an example:   0:026> lm start    end        module name 00400000 00427000   mtgdi      (deferred)             5a700000 5acaf000  …


Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

Using WinDbg you can create a dump file from an application running, for instance, in a production server. After collecting the dump file, you can load it in another machine and debug it. However, to be more effective during your debugging session you need symbols. Thus, thinking about it, here’s the trick to get both dump…