Postmortem Debugging – Better Late Than Never

If there is a consistent repro, I would definitely prefer Early Debugging. However, in real life postmortem debugging seems to be unavoidable. There are three concepts I wish to clarify before digging into the details: AeDebug is a set of registry keys which specify the behavior when an unhandled exception happens in a user mode application. \\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug \\HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows…


Using Function Evaluation in WinDBG

People who develop debuggers would know that, in theory, you cannot have a perfect disassembler (especially for x86) or a perfect stepper (especially for Step Over). People who develop commercial debuggers would know that Function Evaluation (a.k.a. funceval) is a big challenge when implementing an Expression Evaluator. And people who develop the Visual Studio Debugger would face other difficulties – Interop Debugging, Edit & Continue….


Collection of WinDBG resources

A list of resources related to WinDBG, debugging on Windows NT, or how to write a debugger. Websites: Daniel Pistelli’s, Dmitry Vostokov’s, Geoff Chappell – Software Analyst, Robert Kuster’s, Oleg Starodumov’s, OSR Online, Toby Opferman’s, CodeProject Articles, Uninformed. Blogs: Andrew Richards’s Blog, Andy Pennell’s Blog, Bing Xia’s Blog, Doron Holan’s Blog, Eric…


What is Autos Window?

The developers at Microsoft have done a great job bringing in a great number of nice features; however, some of these features are poorly documented or even not documented at all. The Autos Window in the Visual Studio Debugger is one of the best examples of the gap between implementation and documentation. I’m sure you have seen this window…


Early Debugging

Early debugging is a wide topic; on a Windows PC it might cover: application startup, service startup, WinLogon, CSRSS (Client/Server Runtime Subsystem), Windows Setup and OS Loader, MBR (Master boot record), BIOS POST (Power-on self-test). Application Startup: As we have demonstrated in the user mode debug event loop, when an application is launched from a debugger,…


Undocumented WinDBG

Abstraction and encapsulation are good because they make it easier to build complex systems; however, there are times when you have to peek inside the abstraction and demystify the encapsulation. This is especially true for debugging and performance tuning (I will not talk about reverse engineering this time). Familiarizing yourself with the right tools is very important, and…


Use Windows Debuggers for Non-Debugging Tasks

Many people who have been using Emacs for decades were shocked when they heard that Emacs is actually a text editor instead of an operating system. – vi advocator Sharing a similar spirit with Emacs, Windows Debuggers are also super good at non-debugging tasks. Calculator: The built-in expression evaluator of Windows Debuggers can be used as…


Side Effects of Debugger

A target program might behave differently if it is being debugged, which can sometimes be very annoying. These behavior deviations can also be leveraged by anti-debugging techniques. IsDebuggerPresent and CheckRemoteDebuggerPresent are well-known APIs for telling whether a program has a debugger attached.

0:000> uf KERNELBASE!IsDebuggerPresent
KERNELBASE!IsDebuggerPresent:
7512f41b 64a118000000    mov     eax,dword ptr fs:[00000018h]
7512f421 8b4030          mov     eax,dword ptr [eax+30h]
7512f424 0fb64002        movzx   eax,byte ptr [eax+2]
7512f428 c3              ret

CloseHandle would raise an exception under a debugger, as stated…


Pop Quiz – Debug Event Loop and Timeslice Quota

You might have heard of the Popek and Goldberg Virtualization Requirements. In theory, a debugger shares a similar set of problems with virtualization, and this is especially true for func-eval (Function Evaluation). Here is a pop quiz about the side effects of the presence of a debugger:

#define WIN32_LEAN_AND_MEAN
#include <Windows.h>

#define LOOPCOUNT 10

ULONG g_ulVariableA;
ULONG g_ulVariableB;

DWORD WINAPI ThreadProcA(LPVOID lpParameter)
{
  while(true)
  {
    for(int i = LOOPCOUNT; i; i--)
      ++g_ulVariableA;
  } // add a breakpoint here (BP1)
  return 0;
}…


A Debugging Approach to IFEO

IFEO (Image File Execution Options) is a feature provided by NT-based operating systems. It can be helpful when you are trying to debug at the very beginning of an application launch. A few people have also talked about IFEO on MSDN Blogs: Image File Execution Options by Junfeng. Inside ‘Image File Execution Options’ debugging…