Setting debugger target architecture: .effmach

Sometimes, you may find dumps with callstacks that point to the wow64 thunks with little else of value.  For example:

0:000> k
 # Child-SP          RetAddr           Call Site
00 00000000`0063e958 00000000`6c8d210d wow64cpu!<redacted>+0xc
01 00000000`0063e960 00000000`6c88bfa1 wow64cpu!<redacted>+0xc
02 (Inline Function) --------`-------- wow64!<redacted>+0xd
03 00000000`0063ea10 00000000`6c87cbb0 wow64!<redacted>+0xf311
04 00000000`0063ea90 00007ffd`d1ef2a11 wow64!<redacted>+0x120
05 00000000`0063ed40 00007ffd`d1f28986 ntdll!LdrpInitializeProcess+0x1551
06 00000000`0063f140 00007ffd`d1ed9fae ntdll!_LdrpInitialize+0x4e982
07…

Kd breakpoints don't persist through reboot

Old nugget of information here, but useful to remember when the situation arises… When debugging in kd, a reboot will wipe out your breakpoints.  The break-in instruction gets replaced on OS reboot because everything is initializing from scratch, and the external debugger is not designed to be in the OS startup path.  I sometimes forget…

Debugging LoadLibrary Failures

It looks like the topic of Debugging LoadLibrary Failures has been covered pretty well, but it is worth repeating: If you are seeing an ERROR_MOD_NOT_FOUND (0n126, 0x7E, 0x8007007E) failure during a LoadLibrary, make sure the DLL in question is in the DLL search path.  If it is in the DLL search path, then the next…

SOS Versioning with Windbg

I’m not a .NET developer, but I have to debug dumps from .NET processes from time to time.  I picked up some nuggets of information that may be known to .NET developers, but was not known to me. It turns out, the SOS.dll version that you use in your debugger needs to match the version…

Driver debug breakpoint

The DebugBreak() API is the primary way to implement a breakpoint through code.  It’s great to use when developing a prototype and exploring your environment. User mode developers (such as myself) may not be aware that this can also be used from a kernel mode driver.  This enables us to explore some aspects of kernel…

Sample debugging session without symbols

I was asked to debug some code where we roughly knew what was going on in the source code, but we didn’t have access to the symbols. This gave me a good chance to dust off some old ASM knowledge, and work on the art of debugging without symbols.  It’s not an ideal situation, but…

Intro to kernel debugging 3

Topic: Probing, Altering User Mode Memory

This is part 3 of the intro to kernel debugging series.  Other posts:
Intro to kernel debugging 1: KD setup
Intro to kernel debugging 2: Debugger context

In this post, we will explore the following:
Probe memory of a user mode process
Alter user mode process memory
Reminders about how…

Intro to kernel debugging 1

Topic: KD Setup

I am a user-mode developer, but part of the job of working on the Windows team (HoloLens runs on Windows!) requires knowing how to work with a kernel debugger on that OS.  Some problems are difficult to debug through user-mode debuggers alone and can be simpler in a kernel debugger. Examples…

Intro to kernel debugging 2

Topic: Debugger Context

This is part 2 of the intro to kernel debugging series.  Other posts:
Intro to kernel debugging 1: KD setup
Intro to kernel debugging 3: Probing, altering user mode memory

In this post, we will explore the following:
What the debugger is looking at when it first breaks in
Get current call…

Holding a critical section during SendMessage

Can you spot the defect with the following code?

EnterCriticalSection(&cs);
SendMessage(hwnd, WM_MYMESSAGE, 0, 0);
LeaveCriticalSection(&cs);

The problem is that the SendMessage() is a blocking call, and Windows can do many things from within this call.  This creates a situation that is highly prone to deadlocking. In the best case scenario, the application will remain responsive but its…