D3v3l0p3r PF3s – 0bs3rv1ng Th3m in Th31r Natural Hab1tat

PFE (Premier Field Engineering) has engineers who specialize in areas that can span one or more technologies. This species is universally known as the D3v PF3 (Developer PFE). Not everyone really knows their habits and role and, as a consequence, customers sometimes find it hard to engage them. Their specialty is problem isolation, application debugging, knowledge transfer, code review,…


New Debugging Book – Windows Debugging Notebook: Essential User Space WinDbg Commands

A reference book for technical support and escalation engineers troubleshooting and debugging complex software issues. The book is also invaluable for software maintenance and development engineers debugging Windows applications and services. Do you want to know more about this book? Check out here…


Special Command—Editing memory with a, eb, ed, ew, eza, ezu

When talking about editing memory, we usually think about patching code. Patching code means changing the binary code in memory, for example to prove a hypothesis while debugging when you don't have access to the source code. This is a very exciting subject, and WinDbg has the right tools to…


Special Command—Unassembling code with u, ub and uf

When debugging, sooner or later you will need to disassemble code to understand it better. Disassembling translates the 0s and 1s that constitute the binary code into mnemonics. It is a low-level view of the code, but a higher level than seeing just numbers…


Special Command—Using # to Find Patterns of Assembly Instructions

Sometimes you need to look for patterns of disassembled code. You can browse the disassembled code and manually look for a specific pattern, or you can use a command to automate it. The # command does that.

# [Pattern] [Address [L Size]]

Parameters:

Pattern – Specifies the pattern to search…


Special Command—Tracing Applications Using wt

wt [WatchOptions] [= StartAddress] [EndAddress]

Transcribing the WinDbg documentation: when executed at the beginning of a function call, this command runs through the whole function and then displays statistics. Because it traces execution as it happens, it can be used only in live debugging, not in post mortem debugging (dump analysis). Think of it as Watch and Trace. The WinDbg help file describes…


Special Command—Saving Modules Using .writemem

This command enables you to save memory into a disk file. The cool thing about it is that you can save modules too; however, what you get is just the raw memory: the module as it is mapped in the process (sections at their virtual addresses, imports already resolved, any in-memory patches included), not the file as it exists on disk. The parameters are:

.writemem <filename> <range>

Here is an example:

0:026> lm
start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000  …


Special Command—Using .dump/.dumpcab to Get Dumps and Symbols from Production Servers

Using WinDbg you can create a dump file from a running application, for instance on a production server. After collecting the dump file, you can load it on another machine and debug it. However, to be effective during your debugging session you also need the matching symbols. So here is the trick to get both the dump…


Special Command—Using !chksym/!itoldyouso to Check PDB Files Against Modules

These are two debugger extensions that show which PDB file matches a specific module. Note that !itoldyouso is not documented. The output of both commands is identical.

Usage:

0:025> !chksym ntdll
ntdll.dll
    Timestamp: 49EEA706
  SizeOfImage: 180000
          pdb: wntdll.pdb
      pdb sig: E06BEA15-5E97-48BE-A818-E2D0DD2FED95
          age: 2…
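Building on the two teasers above (getting dumps plus symbols with .dump/.dumpcab, and checking a PDB against a module with !chksym), here is an added example, not code from the blog or from the Debugging Tools for Windows. It parses the !chksym output shown above and derives from it the symbol-store keys under which a matching PDB (<pdb>/<GUID><age>/<pdb>) and the binary itself (<image>/<TimeDateStamp><SizeOfImage>/<image>) must be filed, then applies the same GUID-plus-age comparison the debugger makes before accepting a PDB. The sample text is constructed from the output quoted on the page; the field names and layout are assumed to be exactly what !chksym prints.

```python
"""Parse WinDbg !chksym output and derive where the matching PDB and image
live on a symbol store, then check a candidate PDB against the module.

Added example for this page; not code from the blog or from the Debugging
Tools for Windows. SAMPLE_CHKSYM is constructed from the !chksym output
quoted on the page (ntdll.dll, Timestamp 49EEA706, SizeOfImage 180000,
wntdll.pdb, GUID E06BEA15-..., age 2).
"""
import re
from dataclasses import dataclass

# Constructed sample: the fields !chksym prints, laid out as on the page.
SAMPLE_CHKSYM = """\
ntdll.dll
    Timestamp: 49EEA706
  SizeOfImage: 180000
          pdb: wntdll.pdb
      pdb sig: E06BEA15-5E97-48BE-A818-E2D0DD2FED95
          age: 2
"""


@dataclass(frozen=True)
class ChkSymInfo:
    module: str          # image file name as reported by the loader
    timestamp: int       # IMAGE_FILE_HEADER.TimeDateStamp
    size_of_image: int   # IMAGE_OPTIONAL_HEADER.SizeOfImage
    pdb: str             # PDB name from the CodeView (RSDS) debug record
    pdb_sig: str         # PDB GUID from that record, dashes removed, upper-case
    age: int             # PDB age from that record


# "pdb sig" must come before "pdb" so the alternation does not stop early.
_FIELD = re.compile(r"^\s*(Timestamp|SizeOfImage|pdb sig|pdb|age):\s*(\S+)\s*$", re.M)


def parse_chksym(text: str) -> ChkSymInfo:
    """Turn one !chksym / !itoldyouso block into a ChkSymInfo."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty !chksym output")
    fields = dict(_FIELD.findall(text))
    missing = {"Timestamp", "SizeOfImage", "pdb", "pdb sig", "age"} - fields.keys()
    if missing:
        raise ValueError(f"!chksym output lacks fields: {sorted(missing)}")
    return ChkSymInfo(
        module=lines[0],
        timestamp=int(fields["Timestamp"], 16),
        size_of_image=int(fields["SizeOfImage"], 16),
        pdb=fields["pdb"],
        pdb_sig=fields["pdb sig"].replace("-", "").upper(),
        # Parsed as hex, the encoding the symbol-store key uses; for small
        # ages such as the 2 on the page hex and decimal coincide.
        age=int(fields["age"], 16),
    )


def symstore_pdb_path(info: ChkSymInfo) -> str:
    """Symbol-store path of the one PDB the debugger will accept for this
    module: <pdb>/<GUID><age>/<pdb>, GUID without dashes, age in hex."""
    return f"{info.pdb}/{info.pdb_sig}{info.age:X}/{info.pdb}"


def symstore_image_path(info: ChkSymInfo) -> str:
    """Symbol-store path of the binary itself, keyed by the PE header
    fields: <image>/<TimeDateStamp as 8 hex digits><SizeOfImage hex>/<image>."""
    return f"{info.module}/{info.timestamp:08X}{info.size_of_image:X}/{info.module}"


def pdb_matches(info: ChkSymInfo, candidate_guid: str, candidate_age: int) -> bool:
    """The check !chksym performs: GUID and age must both match. A PDB from
    another build of the same DLL has the same file name but a different GUID,
    and loading it anyway yields plausible-looking but wrong stacks and layouts."""
    return (candidate_guid.replace("-", "").upper() == info.pdb_sig
            and candidate_age == info.age)


if __name__ == "__main__":
    info = parse_chksym(SAMPLE_CHKSYM)
    print("module :", info.module)
    print("pdb key:", symstore_pdb_path(info))
    print("img key:", symstore_image_path(info))
    print("right PDB accepted:", pdb_matches(info, "E06BEA15-5E97-48BE-A818-E2D0DD2FED95", 2))
    print("wrong age rejected:", not pdb_matches(info, "E06BEA15-5E97-48BE-A818-E2D0DD2FED95", 3))
```

The practical point for a production dump: if the PDB you hand the debugger does not sit under the key derived from this GUID and age, !chksym reports the mismatch and the debugger refuses it; forcing the load anyway (for example with .reload /i) gives you symbol names that look right and are wrong, which is worse than no symbols when you are analysing a crash for exploitability.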


Special Command—Displaying Information From Modules/DLLs with !dlls

The !dlls extension displays the loader table entries of all loaded modules. You can also use it to display all modules that a specified thread or process is using. The WinDbg help file describes all parameters. Here we are going to show the most common usage.

Displays file headers and section headers:

!dlls -a …
