Undocumented Environment Variables

Although we have less Easter Eggs, there are still a huge number of undocumented behaviors. Recently I’m writing a CLR profiler using ICorProfilerCallback for fun, the CLR profiler was modeled as an in-proc COM server, and the activition was done through environment variables: SET COR_ENABLE_PROFILING=1 SET COR_PROFILER={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} SET COR_PROFILER_PATH=”C:\FOO\BAR\MyProfiler.dll” Immediately I realized there must be a lot more…


A Debugging Approach to Windows RT

Recently I got a Surface with Windows RT. Needless to mention, it’s wonderful! I’ve figured out some quick facts about Windows RT by looking at the C:\Windows\system32\ntdll.dll from Windows RT: A complete NT (instead of WINCE) kernel and almost a full stack of Windows operating system. Almost the same PE/COFF structure as x86. Using ARM’s “non classic RISC style”…


Postmortem Debugging – Better Late Than Never

If there is a consistent repro, I would definitely prefer Early Debugging. However in the real life postmortem debugging seems to be unavoidable.  There are three concepts I wish to clarify before digging into the details: AeDebug is a set of registry keys which specify the behavior when unhandled exception happened in an user mode application. \\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug \\HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows…


Windows 8 and conhost.exe

While debugging a console application on Windows 8, I noticed the console application is trying to create a process in the very beginning: windbg.exe -xe ld:ntdll.dll -c “bm ntdll!*CreateProcess*; g; k” cmd.exe CommandLine: cmd.exeModLoad: 000007ff`01d60000 000007ff`01f1e000   ntdll.dllntdll!RtlUserThreadStart:000007ff`01d7c3d0 4883ec48        sub     rsp,48hProcessing initial command ‘bm ntdll!*CreateProcess*; g; k’0:000> bm ntdll!*CreateProcess*; g; k  1: 000007ff`01d90f60 @!”ntdll!RtlCreateProcessParametersEx”  2: 000007ff`01d63070…


Visualize Assembly using DGML

Starting from Visual Studio 2010 Ultimate there is a cool feature called DGML (Directed Graph Markup Language). I wrote a small script to convert the disassembled code from WinDBG into a DGML. In order to use it, simply type the following commands under a debug session: .shell -o LoadLibraryA.dgml -ci “uf kernel32!LoadLibraryA” cscript.exe /nologo dasm2dgml.js…


Using Function Evaluation in WinDBG

People who develop debuggers would know in theory you cannot have a perfect disassembler (especially for x86) and stepper (especially for Step Over). People who develop commercial debuggers would know Function Evaluation (a.k.a. funceval) is a big challenge while implementing an Expression Evaluator. And people who develop the Visual Studio Debugger would face other difficulties – Interop Debugging, Edit & Continue….


A Debugging Approach to Application Verifier

Application Verifier, also known as AppVerifier, is a dynamic instrumentation tool for user mode applications. It is free available from SDK/PSDK, with a set of GUI applications and DLL extensions, plus a good document. Let’s begin by adding the most famous application – notepad.exe – from the appverif.exe GUI, and launch notepad.exe from WinDBG: windbg.exe notepad.exe ModLoad: 00620000 00650000   notepad.exeModLoad:…


Collection of WinDBG resources

A list of resources related to WinDBG, debugging on Windows NT, or how to write a debugger. Websites Daniel Pistelli’s ntcore.com Dmitry Vostokov’s www.dumpanalysis.org Geoff Chappell – Software Analyst Robert Kuster’s windbg.info Oleg Starodumov’s debuginfo.com OSR Online Toby Opferman’s CodeProject Articles Uninformed Blogs Andrew Richards’s Blog Andy Pennell’s Blog Bing Xia’s Blog Doron Holan’s Blog Eric…


Early Debugging

Early debugging is a wide topic, on a Windows PC it might be: Application startup Service startup WinLogon CSRSS (Client/Server Runtime Subsystem) Windows Setup and OS Loader MBR (Master boot record) BIOS POST (Power-on self-test) Application Startup As we have demonstrated in the user mode debug event loop, when an application was launched from a debugger,…


Undocumented WinDBG

Abstraction and encapsulation are good because they make it easier to build complex systems, however, there are times you have to peek inside the abstraction and demistify the encapsulation. This is especially true for debugging and performance tuning (I will not talk about reverse engineering this time). Familiar yourself with the right tools are very important, and…