Debug Fundamentals Exercise 3: Calling conventions

Today’s exercise will focus on x86 function calling conventions.  The calling convention of a function describes the following:
·         The order in which parameters are passed
·         Where parameters are placed (pushed on the stack or placed in registers)
·         Whether the caller or the callee is responsible for unwinding the stack on return…

Debug Fundamentals Exercise 2: Some reverse engineering for Thanksgiving

Continuing our series on “Fundamentals Exercises”, we have some more reverse engineering for you!  Again, these exercises are designed more as learning experiences rather than simply puzzlers.  We hope you find them interesting and educational!  Feel free to post your responses here, but we won’t put them on the site until after we post…

How to modify an application behavior when you don’t have the source

From time to time we need to help customers change the way an application interacts with the operating system or SDKs.  The challenge is often the access to the code.  Sometimes neither party may own the application in question and none of the parties have access to the source.   Luckily, the Microsoft Research team…

Debug Fundamentals Exercise 1: Reverse engineer a function

Hello ntdebuggers!  We’ve seen a lot of interest in our Puzzlers, and we’ve also seen requests and interest in topics covering debugging fundamentals.  So we’ve decided to combine the two topics and post a series of “Fundamentals Exercises”.  These exercises will be designed more as learning experiences rather than simply puzzlers.  We hope you…

Ntfs Misreporting Free Space (Part 2)

Continuing our discussion on the internals of disk usage, we will now shift our focus to internal metadata usage. …….. KB in …. Indexes.   Consider for a moment a world without indexes…  The $MFT is a database containing records that are accessed via FRS (file record segment) numbers.  This FRS number includes an embedded sequence number…

Remote kernel or user mode debugging of dumps or live systems

GES (Global Escalation Services) is not only responsible for helping our external customers, but we spend a great deal of time collaborating with engineers and developers around the world at our support and development sites.  We often look at large dump files, but in some cases we perform a live debug to determine root…

Windows Hotfixes and Updates – How do they work?

Today I would like to talk about some of the work the Windows Serviceability (WinSE) team does regarding servicing Windows and releasing updates. The operating system is divided into multiple components. Each component can consist of one or more files, registry keys, configuration settings, etc.  WinSE releases updates based on components rather than the entire…

Unlocking some puzzles requires building a better key… board

Hi, this is Matt from the Windows Performance team.  Sometimes we are presented with problems that defy our usual troubleshooting and require a creative approach.  In a recent case, we needed a way to test the responsiveness of an application as text was typed into its fields.  Initially, we tested the program using a script…

NDIS Case Study 1 – NDIS Packet Double Completion

Hi, this is Anurag again. Here is a case study of an NDIS driver causing a problem due to double completion of a send packet.   A protocol driver allocates a NDIS packet and gives it to the miniport driver to be sent on the wire. A miniport driver is supposed to send or complete…