A Debugging Approach to Windows RT

Recently I got a Surface with Windows RT. Needless to say, it’s wonderful! I’ve figured out some quick facts about Windows RT by looking at C:\Windows\system32\ntdll.dll from Windows RT: a complete NT (instead of WinCE) kernel and almost a full stack of the Windows operating system; almost the same PE/COFF structure as x86; using ARM’s “non classic RISC style”…

Postmortem Debugging – Better Late Than Never

If there is a consistent repro, I would definitely prefer early debugging. However, in real life postmortem debugging seems to be unavoidable. There are three concepts I wish to clarify before digging into the details. AeDebug is a set of registry keys which specify the behavior when an unhandled exception happens in a user mode application:
\\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
\\HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows…

Windows 8 and conhost.exe

While debugging a console application on Windows 8, I noticed the console application is trying to create a process at the very beginning:
windbg.exe -xe ld:ntdll.dll -c "bm ntdll!*CreateProcess*; g; k" cmd.exe
CommandLine: cmd.exe
ModLoad: 000007ff`01d60000 000007ff`01f1e000   ntdll.dll
ntdll!RtlUserThreadStart:
000007ff`01d7c3d0 4883ec48        sub     rsp,48h
Processing initial command 'bm ntdll!*CreateProcess*; g; k'
0:000> bm ntdll!*CreateProcess*; g; k
  1: 000007ff`01d90f60 @!"ntdll!RtlCreateProcessParametersEx"
  2: 000007ff`01d63070…

Visualize Assembly using DGML

Starting from Visual Studio 2010 Ultimate there is a cool feature called DGML (Directed Graph Markup Language). I wrote a small script to convert the disassembled code from WinDBG into a DGML file. In order to use it, simply type the following command under a debug session:
.shell -o LoadLibraryA.dgml -ci "uf kernel32!LoadLibraryA" cscript.exe /nologo dasm2dgml.js…

Using Function Evaluation in WinDBG

People who develop debuggers know that, in theory, you cannot have a perfect disassembler (especially for x86) or stepper (especially for Step Over). People who develop commercial debuggers know that Function Evaluation (a.k.a. funceval) is a big challenge when implementing an Expression Evaluator. And people who develop the Visual Studio Debugger face other difficulties: Interop Debugging, Edit & Continue….

A Debugging Approach to Application Verifier

Application Verifier, also known as AppVerifier, is a dynamic instrumentation tool for user mode applications. It is freely available from the SDK/PSDK, with a set of GUI applications and DLL extensions, plus good documentation. Let’s begin by adding the most famous application, notepad.exe, from the appverif.exe GUI, and launching notepad.exe from WinDBG:
windbg.exe notepad.exe
ModLoad: 00620000 00650000   notepad.exe
ModLoad:…

Collection of WinDBG resources

A list of resources related to WinDBG, debugging on Windows NT, or how to write a debugger.
Websites
- Daniel Pistelli’s ntcore.com
- Dmitry Vostokov’s www.dumpanalysis.org
- Geoff Chappell – Software Analyst
- Robert Kuster’s windbg.info
- Oleg Starodumov’s debuginfo.com
- OSR Online
- Toby Opferman’s CodeProject Articles
- Uninformed
Blogs
- Andrew Richards’s Blog
- Andy Pennell’s Blog
- Bing Xia’s Blog
- Doron Holan’s Blog
- Eric…

A Note for Binary Hooking and Instrumentation

One intern on my team has been working on a utility which makes use of binary instrumentation, so I think it’s time to recap on that.
Understand the Fundamentals
As we mentioned in Microsoft Binary Technologies and Debugging, there are many binary technologies. Most of these technologies can be used either statically (patch and write back to the disk) or…

x86 Linear Address Space Paging Revisited

Last time we revisited x86 segment addressing, which translates a logical address into a linear address. As we mentioned earlier, two stages of address translation are used to arrive at a physical address: logical-address translation and linear address space paging. Paging in x86 is optional and is controlled by CR0.PG. If paging is disabled (CR0.PG = 0), the linear address is mapped…