Process and Job Objects

Just like we mentioned in The Main Thread Problem, some questions do not have a direct answer simply because they are invalid by definition. Today, the invalid question would be: How do I kill a process tree in Windows? Unfortunately, the question is invalid, since Windows by design doesn’t keep a tree of process creation relationships….


CRT Startup

In my previous blog post Early Debugging, we demonstrated how early you can get using a user-mode debugger. Normally we don’t want to be that early; there are other places we would rather start from: the OEP (Original Entry Point) of the EXE module. WinDBG has a predefined pseudo-register called $exentry which makes it a lot…


x86 Segment Addressing Revisited

Memory segmentation was first introduced to the x86 family with the 8086, to make it possible to access 1MB of physical memory under 16-bit addressing mode. In Real Mode, a logical address points directly to a physical memory location. A logical address consists of two parts: segment and offset. The physical address is calculated as Segment * 16 + Offset, and if the…


The Main Thread Problem

Every few months I hear people asking the same question: Given a process ID (or handle), how can I get its main thread ID (or handle)? Normally that would raise another question: What is the definition of a main thread? While the Windows operating system doesn’t have a concept called main thread, and threads do not…


What is Autos Window?

The developers at Microsoft have done a great job bringing in a great number of nice features; however, some of these features are poorly documented or not documented at all. The Autos Window in the Visual Studio Debugger is one of the best examples of the gap between implementation and documentation. I’m sure you have seen this window…


Early Debugging

Early debugging is a wide topic; on a Windows PC it might mean:

  Application startup
  Service startup
  WinLogon
  CSRSS (Client/Server Runtime Subsystem)
  Windows Setup and OS Loader
  MBR (Master boot record)
  BIOS POST (Power-on self-test)

Application Startup

As we have demonstrated in the user mode debug event loop, when an application is launched from a debugger,…


Undocumented WinDBG

Abstraction and encapsulation are good because they make it easier to build complex systems; however, there are times you have to peek inside the abstraction and demystify the encapsulation. This is especially true for debugging and performance tuning (I will not talk about reverse engineering this time). Familiarizing yourself with the right tools is very important, and…


Use Windows Debuggers for Non-Debugging Tasks

Many people who have been using Emacs for decades were shocked when they heard that Emacs is actually a text editor instead of an operating system. – vi advocate

Sharing a similar spirit with Emacs, Windows Debuggers are also super good at non-debugging tasks.

Calculator

The built-in expression evaluator of Windows Debuggers can be used as…


Yet Another Hello World

Recently I heard there is a COOL programming language called C#, which runs on a popular environment called the .NET platform (formerly known as COMPLUS), so I decided to give it a try. It took me some time to understand why I need to define a class and a static method in order to say hello to the world,…


Side Effects of Debugger

A target program might behave differently if it is being debugged, which can sometimes be very annoying. Also, these behavior deviations can be leveraged by anti-debugging. IsDebuggerPresent and CheckRemoteDebuggerPresent are well-known APIs for telling whether a program is attached by a debugger.

  0:000> uf KERNELBASE!IsDebuggerPresent
  KERNELBASE!IsDebuggerPresent:
  7512f41b 64a118000000    mov     eax,dword ptr fs:[00000018h]
  7512f421 8b4030          mov     eax,dword ptr [eax+30h]
  7512f424 0fb64002        movzx   eax,byte ptr [eax+2]
  7512f428 c3              ret

CloseHandle would raise an exception under a debugger, as stated…