I’ve been very happy with WinDbg live kernel debug – it’s very useful to be able to monitor and modify data on live systems that cannot be rebooted because they are servers in a customer environment.
Today I wanted to modify a bit of code (to use a different value) which was a trivial assembly patch, but live kernel debug wouldn’t let me modify it. (“Memory access error” when using EB, no error when using the Memory window.) I did verify that I could make the same change when using serial cable debug (sadly, Win2003 doesn’t support USB debug).
So, any ideas as to why I can’t modify the code during live kernel debug? Any way to get around that?
Mm
On Sep 8, 2011 8:04 PM, wrote:
> I’ve been very happy with WinDbg live kernel debug – it’s very useful to be able to monitor and modify data on live systems that cannot be rebooted because they are servers in a customer environment.
>
> Today I wanted to modify a bit of code (to use a different value) which was a trivial assembly patch, but live kernel debug wouldn’t let me modify it. (“Memory access error” when using EB, no error when using the Memory window.) I did verify that I could make the same change when using serial cable debug (sadly, Win2003 doesn’t support USB debug).
>
> So, any ideas as to why I can’t modify the code during live kernel debug? Any way to get around that?
>
> (Thanks!)
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
You can use the physical memory write commands to modify the underlying physical page directly if you translate the VA to a physical address. Be warned that you are really taking matters into your own hands by doing this; going outside of what local KD permits generally means that you won’t have entirely correct cache/TLB flushing semantics etc which may lead to strange corruption, hangs, etc.
S (Msft)
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] on behalf of Martin O’Brien [xxxxx@gmail.com]
Sent: Thursday, September 08, 2011 5:06 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Modify code with live kernel debug?
I don’t believe that you can.
Mm
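The procedure described in the reply above (translate the virtual address, then use the physical memory write commands), written out as a WinDbg command sequence with a read-back check at each step. This is an added example, not part of the original thread; `<VA>`, `<PA>` and `<NN>` are placeholders for the address being patched, its translated physical address and the new byte value.

```windbg
$$ Added example. <VA>, <PA>, <NN> are placeholders, not values from the thread.

$$ 1. Record the current bytes and disassembly through the virtual address,
$$    so there is a known-good copy to restore from.
db <VA> L8
u <VA> L3

$$ 2. Translate the virtual address. !pte shows the PDE/PTE that map <VA>;
$$    the pfn field of the PTE is the physical page number. For a 4 KB page:
$$        <PA> = pfn * 0x1000 + (<VA> & 0xfff)
$$    If !pte reports a large page, the in-page offset is wider than 12 bits.
!pte <VA>

$$    !vtop with a directory base of 0 uses the current process context and
$$    prints the physical address directly; use it to cross-check the value
$$    computed from !pte.
!vtop 0 <VA>

$$ 3. Read the physical address and confirm the bytes match step 1 exactly.
$$    A mismatch means the translation is wrong: stop here.
!db <PA> L8

$$ 4. Write the new byte to the physical address.
!eb <PA> <NN>

$$ 5. Read back through both the physical and the virtual address and
$$    compare the disassembly with the intended patch.
!db <PA> L8
db <VA> L8
u <VA> L3
```

Each translation covers one page only: a patch that crosses a page boundary needs steps 2 to 5 repeated for the second page, because virtually adjacent pages are not necessarily physically adjacent.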
Years ago, before we had the CPUID instruction, the way to tell an 8088
from a 286, 386 or 486 was to modify code inline. Depending on the
architecture, the modified instruction may or may not have been fetched
into the instruction pipe, so depending on what you saw as a result, you
could tell how deep the instruction pipe was and therefore which
architecture you were running on. But caches and TLBs have messed that
up, but generally it no longer matters much because this is no longer a
valid way to distinguish architectures. If you care about CPU features,
for example, CPUID will reveal which instruction extensions are available
which allows you to make choices as to which code you might execute in a
subroutine. And with the increasing requirements for architectures for
Windows, you can pretty much believe if you are running on Win7, the
machine has the minimum feature set required for that OS.
joe
Did not know that.
Thanks, Ken.
Mm
On Sep 8, 2011 10:48 PM, “Skywing” wrote:
> You can use the physical memory write commands to modify the underlying physical page directly if you translate the VA to a physical address. Be warned that you are really taking matters into your own hands by doing this; going outside of what local KD permits generally means that you won’t have entirely correct cache/TLB flushing semantics etc which may lead to strange corruption, hangs, etc.
>
> - S (Msft)