Chapter 8 - Advanced Native Code Techniques with WinDBG


Spring 2004 - Testing Seminar
Based on Debugging Applications for .NET and Microsoft Windows, John Robbins
Coordinator: Dr. James Fawcett
Presented by Priyaa Nachimuthu
Agenda
Overview
Installation notes
The Basics
Debugging Situations
General Debugging with Command Window
The Magical Extensions
Dealing with dump files
Son of Strike (SOS)
Summary
Overview
Microsoft Visual Studio debugger vs. WinDBG.
WinDBG targets user-mode native applications.
It gives real memory breakpoints and proper binary handling for minidumps.
It lets you see the complete OS heaps and all handle information of a process.
Overview
Goal: starting out, power commands, and bugs and strange problems with WinDBG.
SOS (Son of Strike): managed applications and dump files.
Version used: 6.1.0017.0. Most recent at the time of the talk: 6.3.5 Beta.
Refer to http://www.microsoft.com/ddk/debugging for the latest information on Debugging Tools for Windows.
Installation Notes
Include the SDK when installing.
The WinDBG UI is a veneer over DBGENG.DLL.
Microsoft NTSD: NT Symbolic Debugger (console application).
Documentation: DEBUGGER.CHM.
Installation Notes
Additional Tools Installed with Debugging Tools for Windows

Program                    Description
CDB.EXE                    The same debugger as NTSD, except that it uses the existing command shell when started instead of creating a new one.
LOGGER.EXE, LOGVIEWER.EXE  A logging system that logs all your API calls and records parameters and return values, so that you can track down operating-system interaction issues.
LIST.EXE                   A console-based text file listing utility.
UMDH.EXE                   The user-mode heap dumping utility.
TLIST.EXE                  Lists the currently running processes to a console window.
KILL.EXE                   An absolute process killer that removes any user-mode process from memory.
BREAKIN.EXE                Forces a DebugBreak call in the process specified on the command line.
The Basics
WinDBG is not as helpful as VS.NET in finding symbols and source code.
VS.NET: the .pdb gives the path to any source file.
Symbol server setup.
WinDBG uses the _NT_SYMBOL_PATH environment variable as the base symbol path.
The Basics
Workspace: specific information about each process, which includes breakpoints, window layout, and symbol paths.
Base workspace settings: store common values needed across processes.
Source file paths: set _NT_SOURCE_PATH or use the source path search dialog in WinDBG.
The Basics
Default locations of the C run-time and MFC/ATL source code:
<Visual Studio .NET Installation Dir>\vc7\crt\src;
<Visual Studio .NET Installation Dir>\vc7\crt\src\intel;
<Visual Studio .NET Installation Dir>\vc7\atlmfc\include;
<Visual Studio .NET Installation Dir>\vc7\atlmfc\src\mfc;
<Visual Studio .NET Installation Dir>\vc7\atlmfc\src\atl;
<Visual Studio .NET Installation Dir>\vc7\atlmfc\src\atl\atls;
<Visual Studio .NET Installation Dir>\vc7\atlmfc\src\atl\atlmincrt;
The Basics
Live debugging: WinDBG loads the binary files automatically.
Debugging minidumps: WinDBG gets the binaries directly from your symbol server.
WinDBG is vital for handling minidumps and for squashing bugs.
Opening processes: the workspace gets updated with the specific symbol, source, and binary paths.
F5: VS.NET vs. WinDBG (in WinDBG, F5 is the G, Go, command).
The Basics
Debugger windows for registers, memory, and locals.
Scratch pad for taking debug notes.
The Basics
How do you change the command line arguments of a process when it is opened in WinDBG?
Debugging Situations
Command window
To specify an address by symbol: module!symbol, e.g. kernel32!LoadLibraryW
To specify an address based on a source file and line: '[[module!]filename][:linenumber]', e.g. 'foo.cpp:23'
Debugging Situations
WinDBG commands:
Regular commands: control the debuggee.
Meta commands (prefixed with a period): control the debugger and the act of debugging.
Extension commands (prefixed with an exclamation mark): dig into the debuggee and analyse its state.
Debugging Situations
Command help: ?
.help: help on the meta commands.
.hh: opens the HTML help file.
Ensuring the correct symbols are loaded:
WinDBG has excellent symbol handling.
Symbols can be forced to reload at any time.
Check the Reload option.
Debugging Situations
0:000> lm
start    end      module name
00400000 0040a000 AssertTest    (deferred)
10200000 10287000 MSVCR71D      (deferred)
10480000 1053c000 MSVCP71D      (deferred)
60000000 6004a000 BugslayerUtil (deferred)
6d510000 6d58d000 dbghelp       (deferred)
70a70000 70ad4000 SHLWAPI       (deferred)
71950000 71a34000 COMCTL32      (deferred)
77c00000 77c07000 VERSION       (deferred)
77c10000 77c63000 msvcrt        (deferred)
77c70000 77cb0000 GDI32         (deferred)
77d40000 77dc6000 USER32        (deferred)
77dd0000 77e5d000 ADVAPI32      (deferred)
77e60000 77f46000 kernel32      (deferred)
77f50000 77ff7000 ntdll         (pdb symbols)  \\zeno\WebSymbols\ntdll.pdb\3D6DE29B2\ntdll.pdb
78000000 78086000 RPCRT4        (deferred)
Debugging Situations
Lazy symbol loading (Deferred): symbols are loaded only when first needed, to save memory.
To force a symbol load:
0:000> ld AssertTest
**** Warning : Unable to verify checksum for AssertTest.exe
Symbols loaded for AssertTest
0:000> ld *          (loads all symbols)
0:000> .reload /f    (forces a reload; reports only the modules with symbol problems)
The checksum warning means the image was linked without the linker /RELEASE switch, which is what writes the checksum into the PE header.
To verify that the symbols loaded properly:
0:000> lm
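The checksum warning above, and the checksum flags that lm prints next to a module name, come from comparing the checksum stored in the PE header with one recomputed over the image. The following script is an added example for this page, not code from the chapter, from WinDBG, or from the linker: it implements that computation on a constructed 256-byte stand-in for a PE32 header (only the field offsets, e_lfanew at 0x3c and CheckSum at optional-header offset 0x40, follow the real layout; nothing in it is a loadable executable). release_link writes the value the linker /RELEASE switch would store, and classify_checksum reports the lm flag that would result.

```python
"""PE image checksum check behind WinDBG's "Unable to verify checksum" warning.

Added example for this page; it is not code from the chapter, from WinDBG, or
from the linker. The image built below is a constructed 256-byte stand-in for
a PE32 header (MZ stub, e_lfanew, PE signature, optional-header magic), not a
real binary; only the field offsets follow the PE32 layout.
"""
import struct

OPTIONAL_HEADER_CHECKSUM = 0x40   # CheckSum offset inside the PE32 optional header


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """Recompute the checksum that the linker's /RELEASE switch stores in the header.

    Sum the image as 16-bit little-endian words, folding the carry back in after
    every addition, skip the 4-byte CheckSum field itself, and finally add the
    image length. A loader or debugger compares this value with the stored one.
    """
    total = 0
    for off in range(0, len(image) - 1, 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue                       # the field being computed is excluded
        total += image[off] | (image[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if len(image) % 2:                     # odd trailing byte
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def checksum_field_offset(image: bytes) -> int:
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    optional_header = e_lfanew + 4 + 20    # signature (4) + COFF file header (20)
    return optional_header + OPTIONAL_HEADER_CHECKSUM


def classify_checksum(image: bytes) -> str:
    """Return the lm flag the page describes: 'C' (checksum not set),
    '#' (stored checksum does not match the image) or '' (verified)."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    if stored == 0:
        return "C"
    return "" if stored == pe_checksum(image, off) else "#"


def release_link(image: bytes) -> bytes:
    """Do what the linker /RELEASE switch does: write the checksum into the header."""
    off = checksum_field_offset(image)
    patched = bytearray(image)
    struct.pack_into("<I", patched, off, pe_checksum(image, off))
    return bytes(patched)


def build_image(checksum_value: int = 0) -> bytes:
    """Constructed minimal PE32-shaped header (not a loadable executable)."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)               # optional header magic: PE32
    struct.pack_into("<I", buf, 0x58 + OPTIONAL_HEADER_CHECKSUM, checksum_value)
    return bytes(buf)


if __name__ == "__main__":
    unset = build_image()                                  # "linked" without /RELEASE
    print("unset   ->", repr(classify_checksum(unset)))                     # 'C'
    print("release ->", repr(classify_checksum(release_link(unset))))       # ''
    print("corrupt ->", repr(classify_checksum(build_image(0xDEADBEEF))))   # '#'
```

A zero CheckSum field is the "not set" case that produces the warning and the C flag; a non-zero field that does not match the recomputation is the mismatch case, which is what you see when a binary has been patched or the wrong build is loaded.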
Debugging Situations
0:000> lm
start    end      module name
00400000 0040a000 AssertTest C (pdb symbols)  D:\Dev\BookTwo\Disk\Output\AssertTest.pdb
10200000 10287000 MSVCR71D     (pdb symbols)  e:\winnt\system32\msvcr71d.pdb
10480000 1053c000 MSVCP71D     (pdb symbols)  e:\winnt\system32\msvcp71d.pdb
# (octothorpe), shown for example next to COMCTL32.DLL: the checksum of the loaded binary does not match the one recorded in the symbol file.
C: the checksum is not set in the binary, so WinDBG cannot verify the symbols against it.
To find the address a symbol resolves to:
0:000> x kernel32!LoadLibraryW
77e8a379 KERNEL32!LoadLibraryW
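When many modules, or many dumps, are involved it is easier to parse the lm listing than to read it. The script below is an added example, not code from the chapter or from WinDBG: it parses lm output into records, reports the modules whose symbols are still deferred, export-only, or flagged C or #, and maps an address such as the kernel32!LoadLibraryW address printed above back to its module. The listing it parses is constructed to mirror the lm layout on this page; the states and flags are the ones WinDBG prints, but the COMCTL32 and kernel32 symbol paths are illustrative placeholders rather than real output.

```python
"""Parse WinDBG 'lm' output and list the modules whose symbols are not right.

Added example for this page, not code from the chapter or from WinDBG. The
sample listing is constructed to match the lm layout shown on the page (the
flag column, the '(deferred)', '(pdb symbols)' and '(export symbols)' states);
the COMCTL32 and kernel32 symbol-file paths are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LM = r"""
0:000> lm
start    end        module name
00400000 0040a000   AssertTest C (pdb symbols)   D:\Dev\BookTwo\Disk\Output\AssertTest.pdb
10200000 10287000   MSVCR71D   (deferred)
71950000 71a34000   COMCTL32 # (pdb symbols)     c:\symbols\comctl32.pdb\00000000\comctl32.pdb
77c70000 77cb0000   GDI32      (export symbols)  GDI32.dll
77e60000 77f46000   kernel32   (pdb symbols)     \\zeno\WebSymbols\kernel32.pdb\00000000\kernel32.pdb
77f50000 77ff7000   ntdll      (pdb symbols)     \\zeno\WebSymbols\ntdll.pdb\3D6DE29B2\ntdll.pdb
"""

# start end name [flag] (symbol state) [symbol file]
LM_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F]{8})\s+(?P<end>[0-9a-fA-F]{8})\s+"
    r"(?P<name>\S+)\s+(?:(?P<flag>[C#])\s+)?\((?P<state>[^)]*)\)\s*(?P<path>.*)$"
)


@dataclass
class Module:
    name: str
    start: int
    end: int
    state: str      # deferred, pdb symbols, export symbols, ...
    flag: str       # '', 'C' (checksum not set) or '#' (checksum mismatch)
    path: str


def parse_lm(text: str) -> List[Module]:
    """Turn the lm listing into Module records; prompt, header and blank lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue
        modules.append(Module(m["name"], int(m["start"], 16), int(m["end"], 16),
                              m["state"], m["flag"] or "", m["path"].strip()))
    return modules


def symbol_problems(modules: List[Module]) -> Dict[str, List[str]]:
    """Modules that a stack walk may get wrong, with the reason for each."""
    problems: Dict[str, List[str]] = {}
    for mod in modules:
        reasons = []
        if mod.state == "deferred":
            reasons.append("symbols not loaded yet (lazy loading); run ld or .reload /f")
        elif mod.state != "pdb symbols":
            reasons.append(f"{mod.state}: no private symbols, fix the symbol path")
        if mod.flag == "C":
            reasons.append("checksum not set in the image (link with /RELEASE)")
        elif mod.flag == "#":
            reasons.append("checksum mismatch: the symbol file is for a different build")
        if reasons:
            problems[mod.name] = reasons
    return problems


def module_for_address(modules: List[Module], address: int) -> Optional[Module]:
    """Map an address (e.g. a return address from k) to the module containing it."""
    for mod in modules:
        if mod.start <= address < mod.end:
            return mod
    return None


if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for name, reasons in symbol_problems(mods).items():
        print(f"{name}: " + "; ".join(reasons))
    hit = module_for_address(mods, 0x77E8A379)      # kernel32!LoadLibraryW on this page
    print("0x77e8a379 is in", hit.name if hit else "no loaded module")
```

Run against a real session by logging the lm output with .logopen and feeding the log file to parse_lm; anything symbol_problems reports is a module whose frames in a k listing should not be trusted until the symbols are fixed.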
Debugging Situations
0:000> lm v m gdi32
start    end      module name
77c70000 77cb0000 GDI32 (pdb symbols) \\zeno\WebSymbols\gdi32.pdb\3D6DE59F2\gdi32.pdb
    Loaded symbol image file: E:\WINNT\system32\GDI32.dll
    Image path: E:\WINNT\system32\GDI32.dll
    Timestamp: Thu Aug 29 06:40:39 2002 (3D6DFA27)
    Checksum: 0004285C
    File version: 5.1.2600.1106
    Product version: 5.1.2600.1106
    File flags: 0 (Mask 3F)
    File OS: 40004 NT Win32
    File type: 2.0 Dll
    File date: 00000000.00000000
    CompanyName: Microsoft Corporation
    ProductName: Microsoft® Windows® Operating System
    InternalName: gdi32
    OriginalFilename: gdi32
    ProductVersion: 5.1.2600.1106
    FileVersion: 5.1.2600.1106 (xpsp1.020828-1920)
    FileDescription: GDI Client DLL
    LegalCopyright: © Microsoft Corporation. All rights reserved.
Debugging Situations
Processes and threads
Debugging child processes: .childdbg 1 turns it on, .childdbg 0 turns it off.
Debugging Situations
1:001> |          (lists the processes being debugged)
0 id:9ac create name:cmd.exe
1 id:3d0 child notepad.exe

1:001> ~          (lists the threads of the current process)
1 Id: 3d0.39c Suspend: 1 Teb: 7ffde000 Unfrozen
2 Id: 3d0.1a4 Suspend: 1 Teb: 7ffdd000 Unfrozen
3 Id: 3d0.8f0 Suspend: 1 Teb: 7ffdc000 Unfrozen
4 Id: 3d0.950 Suspend: 1 Teb: 7ffdb000 Unfrozen
Debugging Situations
To create a process from the command window:
.create "E:\winnt\system32\sol.exe"
To attach to a process:
.attach <process id>
.tlist lists the process ids (0n marks a decimal value):
0n1544 e:\winnt\system32\sol.exe
0n1436 E:\Program Files\Windows NT\Pinball\pinball.exe
0n2120 E:\WINNT\system32\winmine.exe
Debugging Situations
To detach from a process: .detach
Non-invasive attaching: use a dedicated instance of WinDBG.
Warning: Process 1612 is not attached as a debuggee. The process can be examined but debug events will not be received.
General debugging with command window
Looking at and evaluating variables
k: display the stack backtrace.
kn: the call stack with frame numbers on the left.
.frame 1 selects frame 1; dv then displays its local variables:
.frame 1
dv
cFuncFMT = CResString
cIM = CImageHlp_Module
szBaseName = Array [260]
pMark = cccccccc
dwBase = 0x400000
bEnumRet = 0xcccccccc
argc = 2
argv = 00344e18
fileOutput = 00000000
szOutputName = Array [260]
iRetValue = 0
bRet = 1
hFile = 000007c8
cRS = CResString
General debugging with command window
dt (Display Type), e.g. dt pdb2map!IMAGE* lists the types in pdb2map whose names start with IMAGE.
??: evaluate C++ expressions and check pointer arithmetic.
General debugging with command window
Executing, Stepping, and Tracing
F5: G (Go command).
Shift+F11 (step out in VS.NET): G followed by an address. Use the $ra pseudo-register, which holds the return address currently on the stack, as the parameter: g $ra
General debugging with command window
t: trace (step into).
p: step (step over).
.lines: toggle source line support; with it off, t and p step by assembly instruction.
tc: trace to next call.
pc: step to next call.
General debugging with command window
Trace and Watch Data (wt)
Runs the current function and displays every call it makes until execution hits the return address.
Helps to track down performance issues, e.g. in STL code.
Output: a hierarchical display of function calls, followed by a summary of the calls.
General debugging with command window
Saving output
.logopen: open a log file.
.logappend: open a log file and append to it.
.logclose: close the log file.
General debugging with command window
0:000> wt
Tracing WTExample!wmain to return address 0040139c
    3     0 [  0] WTExample!wmain
    3     0 [  1] WTExample!Foo
    3     0 [  2] WTExample!Bar
    3     0 [  3] WTExample!Baz
    3     0 [  4] WTExample!Do
    3     0 [  5] WTExample!Re
    3     0 [  6] WTExample!Mi
    3     0 [  7] WTExample!Fa
    3     0 [  8] WTExample!So
    3     0 [  9] WTExample!La
    3     0 [ 10] WTExample!Ti
    6     0 [ 11] WTExample!Do2
    3     0 [ 12] kernel32!Sleep
    3     0 [ 13] kernel32!SleepEx
   18     0 [ 14] kernel32!_SEH_prolog
   15    18 [ 13] kernel32!SleepEx
   16     0 [ 14] ntdll!
(columns: instructions executed in the function, instructions executed by its callees, call depth in brackets, function name)
General debugging with command window
240 instructions were executed in 239 events (0 from other threads)

Function Name                   Invocations  MinInst  MaxInst  AvgInst
SharedUserData!SystemCallStub             1        2        2        2
WTExample!Bar                             1        7        7        7
WTExample!Baz                             1        7        7        7
WTExample!Do                              1        7        7        7
WTExample!Do2                             1       13       13       13
WTExample!Fa                              1        7        7        7
WTExample!Foo                             1        7        7        7
WTExample!La                              1        7        7        7

1 system call was executed
Calls  System Call
    1  ntdll!ZwDelayExecution
General debugging with command window
wt options:
-nc : suppresses the call hierarchy
-ns : suppresses the summary (displays just the hierarchy)
-oa : displays the address of each call site, with source and line information when symbols allow it
-l <depth> : maximum depth of calls to display
General debugging with command window
Breakpoints
bp: hard breakpoint on an address that WinDBG associates with the process.
bu: unresolved breakpoint associated with the symbol; it is saved in the workspace.
The Breakpoints dialog box is limited.
bl: list the currently active breakpoints.
General debugging with command window
be: breakpoint enable
bd: breakpoint disable
[~Thread] bu[ID] [Address [Passes]] ["CommandString"]
~Thread: the WinDBG thread number the breakpoint applies to.
Passes: how many times the breakpoint is skipped before it stops.
CommandString: commands executed when the breakpoint is hit; a conditional breakpoint uses j:
j expression 'if-true commands' ; 'if-false commands'
General debugging with command window
Memory Access Breakpoints
[~Thread] ba[ID] Access Size [Address [Passes]] ["CommandString"]
ba: Break on Access command (Access is r, w or e; Size is 1, 2 or 4 bytes on x86).
It uses the Intel debug registers, so only four can be active at a time.
Use "kp;g" as the command string to see the stack at the time of the access and keep running.
General debugging with command window
Exceptions and Events
Events: the standard events passed to debuggers by the Win32 debugging API.
sx, sxd, sxe, sxi, sxn: manipulate how exceptions and events are handled.
Using the Event Filters dialog box is recommended.
General debugging with command window
The Exception group box provides four break-status options: Enabled, Disabled, Output, and Ignore.
General debugging with command window
Exception Break Status

Status    Description
Enabled   When the exception occurs, execution halts and the target breaks into the debugger (first chance).
Disabled  The first time the exception occurs (first chance), the debugger ignores it. The second time it occurs (second chance, unhandled), execution halts and the target breaks into the debugger.
Output    When the exception occurs, the target does not break into the debugger, but a message informing the user of the exception is displayed.
Ignore    When the exception occurs, the debugger ignores it. No message is displayed.
General debugging with command window
First-chance exception: the debugger is notified of every exception before the debuggee's own handlers get to see it.
.lastevent: display the last debug event.
General debugging with command window
Controlling WinDBG
Meta commands:
.cls: clear the command window.
.enable_unicode: display USHORT arrays as Unicode strings.
.shell: run a shell command.
.shell_quit: terminate the shell started with .shell.
.ocommand: treat OutputDebugString calls whose text begins with a given prefix as WinDBG commands.
General debugging with command window
#include <windows.h>
#include <tchar.h>

void Baz ( int )
{
    // To have WinDBG treat the following OutputDebugString text as commands,
    // issue ".ocommand WINDBGCMD:" inside WinDBG; each string ends with "g"
    // so the debuggee resumes after the command has run.
    OutputDebugString ( _T ( "WINDBGCMD: .echo \"Hello from WinDBG\";g" ) ) ;
    OutputDebugString ( _T ( "WINDBGCMD: kp;g" ) ) ;
    OutputDebugString ( _T ( "WINDBGCMD: .echo \"Stack walk is done\";g" ) ) ;
}
The Magical Extensions
Extensions are DLL files that export specific function names to do the work.
The Debugging Tools for Windows directory contains OS-specific versions of the extension commands (Windows 2000 free build and Windows XP).
.chain: list the loaded debugger extensions.
The Magical Extensions
.load: load an extension DLL.
.unload: unload an extension DLL.
Extension commands are lowercase and case sensitive.
Syntax to call a command: !dllname.command, e.g. !ntsdexts.help
!analyze -v: quick analysis of the current exception (exception record and call stack).
!locks: see all the locked critical sections.
!handle: shows the handle values and how many objects of each type are in the process.
The Magical Extensions
!imgreloc: runs through the loaded modules and tells whether each one is loaded at its preferred address.
0:003> !imgreloc
00400000 tp4serv - at preferred address
00c50000 tp4uires - RELOCATED from 00400000
5ad70000 uxtheme - at preferred address
6b800000 S3appdll - at preferred address
76360000 WINSTA - at preferred address
76f50000 wtsapi32 - at preferred address
!net_send: send messages to other users.
!for_each_frame: undocumented and very useful.
!for_each_frame dv: shows each frame's local variables all the way up the stack.
Dealing with dump files
.dump: create a dump file during live debugging.
Options:
/u: appends the date, time, and PID to the file name.
/c: adds a comment to the dump.
/a: writes out dump files for all the processes being debugged.
Dealing with dump files
Two types: full and mini dump files.
Full: includes everything about the process; specified with the /f option.
Mini: specified with the /m option (the default); contains the loaded-module versions and enough stack information to produce call stacks for all active threads.
/mh: adds the active handle information to a minidump.
/b: saves the dump file as a .CAB file.
Dealing with dump files
Open dump files from the File menu: Open Crash Dump.
WinDBG gets everything loaded automatically.
Steps:
lm with the v option: determine which modules are missing symbols.
Update the symbol file path for the missing symbols.
Set the image paths: paste the symbol path string into the Executable Image Search Path dialog box, so that WinDBG also searches the symbol server for the binaries.
Dealing with dump files
Set up the source path.
Force a symbol reload: .reload /f
lm: check for symbol mismatches.
Symbols and binaries are vital for debugging dump files.
.dumpcab -a: writes the dump file and, with -a, all loaded symbol files into a CAB file.
Son of Strike (SOS)
Managed applications are hard to debug with a native debugger.
SOS is helpful when creating new .NET front ends that leverage existing COM components through COM interop.
SOS: a debugger extension for watching the .NET portions of a dump or of a live application.
Son of Strike (SOS)
.load sos: loads SOS.dll.
SOS.dll is part of the .NET Framework.
The basic documentation for SOS is the SOS.htm file in the <Visual Studio .NET Installation Dir>\SDK\v1.1\Tool Developers Guide\Samples\SOS directory.
Summary
The intent was to show the power of WinDBG.
The biggest trick with WinDBG is getting the symbols and source set up.
WinDBG offers flexibility for controlling exactly where symbols are found and loaded.
It has outstanding breakpoint control and dump file handling.