Using Function Evaluation in WinDBG

People who develop debuggers would know in theory you cannot have a perfect disassembler (especially for x86) and stepper (especially for Step Over). People who develop commercial debuggers would know Function Evaluation (a.k.a. funceval) is a big challenge while implementing an Expression Evaluator. And people who develop the Visual Studio Debugger would face other difficulties – Interop Debugging, Edit & Continue….

A Debugging Approach to Application Verifier

Application Verifier, also known as AppVerifier, is a dynamic instrumentation tool for user mode applications. It is freely available from the SDK/PSDK, with a set of GUI applications and DLL extensions, plus good documentation. Let’s begin by adding the most famous application – notepad.exe – from the appverif.exe GUI, and launching notepad.exe from WinDBG: windbg.exe notepad.exe ModLoad: 00620000 00650000 notepad.exe ModLoad:…

Collection of WinDBG resources

A list of resources related to WinDBG, debugging on Windows NT, or how to write a debugger. Websites Daniel Pistelli’s ntcore.com Dmitry Vostokov’s www.dumpanalysis.org Geoff Chappell – Software Analyst Robert Kuster’s windbg.info Oleg Starodumov’s debuginfo.com OSR Online Toby Opferman’s CodeProject Articles Uninformed Blogs Andrew Richards’s Blog Andy Pennell’s Blog Bing Xia’s Blog Doron Holan’s Blog Eric…


A Note for Binary Hooking and Instrumentation

One intern in my team has been working on a utility that makes use of binary instrumentation, so I think it’s time to recap on that. Understand the Fundamentals As we mentioned in Microsoft Binary Technologies and Debugging, there are many binary technologies. Most of these technologies can be used either statically (patch and write back to the disk) or…


x86 Linear Address Space Paging Revisited

Last time we revisited x86 segment addressing, which translates a logical address into a linear address. As we mentioned earlier, two stages of address translation are used to arrive at a physical address: logical-address translation and linear address space paging. Paging in x86 is optional and is controlled by CR0.PG. If paging is disabled (CR0.PG = 0), the linear address is mapped…


Process and Job Objects

Just like we mentioned in The Main Thread Problem, some questions do not have a direct answer simply because they are invalid by definition. Today, the invalid question is: How do I kill a process tree in Windows? Unfortunately, the question is invalid, since Windows by design doesn’t keep a tree of process creation relationships….


CRT Startup

In my previous blog Early Debugging, we demonstrated how early you can get using a user mode debugger. Normally we don’t want to be that early; there are some other places we would want to start with: the OEP (Original Entry Point) of the EXE module. WinDBG has a predefined Pseudo-Register called $exentry which makes it a lot…


x86 Segment Addressing Revisited

Memory segmentation was first introduced to the x86 family with the 8086, to make it possible to access 1MB of physical memory under 16-bit addressing mode. Real Mode A logical address points directly to a physical memory location. A logical address consists of two parts: segment and offset. The physical address is calculated as Segment * 16 + Offset, and if the…


The Main Thread Problem

Every few months I hear people asking the same question: Given a process ID (or handle), how can I get its main thread ID (or handle)? Normally that raises another question: What is the definition of a main thread? The Windows operating system doesn’t have a concept called main thread, and threads do not…

What is Autos Window?

The developers at Microsoft have done a great job of bringing a great number of nice features; however, some of these features are poorly documented or not documented at all. The Autos Window in the Visual Studio Debugger is one of the best examples of the gap between implementation and documentation. I’m sure you have seen this window…