
re: Using virtual serial port for non-kernel debugging

Ken_Johnson, Member, Posts: 1,559
[New thread started to circumvent Lyris listserve limitations around character sets. Sorry.]

You can debug early user mode initialization by starting the debugger with -xe ld:ntdll (assuming that you're launching the process from the user mode debugger).

- S (Msft)

Comments

  • raj_r, Member, Posts: 977
    SkyWing

    Now that you posted -xe,

    I have a question that has been nagging me for a long time, which I can't find a
    satisfactory answer for.

    Why is it that when you start debugging early process creation using the
    technique mentioned above,
    the first instruction that is shown in the debugger window doesn't have
    any opcodes or asm

    and looks like ??????

    and only after hitting t (trace) or p (step)
    does windbg / cdb show KiUserApcDispatcher?

    What is the magic?


    7c810705 ?? ???
    0:000> t

    7c90e454 58 pop eax
    0:000> kb
    ChildEBP RetAddr Args to Child
    00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x4
    0:000>

    regards
    raj

  • Ken_Johnson, Member, Posts: 1,559
    You are probably looking at a thunk residing in kernel32/kernelbase, which has not yet been mapped into the address space. The -xe ld:ntdll trick will get you control before any of the loader code runs, so nothing has mapped those modules in yet.

    - S (Msft)


  • raj_r, Member, Posts: 977
    Yes, I have run through it from KiUserApcDispatcher+0x04 till the
    normal SystemBreakPoint.

    I was just wondering how hitting trace automagically provides the next
    statement.

    As you can see, the address space is also far apart, from 7c810705 to 7c90e454.

    Can I find out whether the line at 7c810705 contains jmp 7c90e454?



    0:000> u eip l1
    7c810705 ?? ???
    ^ Memory access error in 'u eip l1'
    0:000> t
    7c90e454 58 pop eax
    0:000> p
    7c90e455 ffd0 call eax {ntdll!LdrInitializeThunk (7c901166)}
    0:000> p
    WARNING: This break is not a step/trace completion.
    The last command has been cleared to prevent
    accidental continuation of this unrelated event.
    Check the event, location and thread before resuming.
    (f28.f2c): Break instruction exception - code 80000003 (first chance)
    7c90120e cc int 3
    0:000>

  • Ken_Johnson, Member, Posts: 1,559
    It relates to an implementation detail on how NT bootstraps a new user mode thread. Suffice it to say that until the thread starts running, the initial context value represents the 'desired' context for the thread start procedure. When it is time for the thread to first begin to run, it is arranged for it to first start running the loader code so that the loader can bootstrap the new process, invoke DLL callouts for a new thread, etc. Once this has completed, control transfers to the 'desired' initial thread context and the user's supplied thread code will get to run.

    Note that this behavior may of course change in the future, but it is useful to know for debugging early startup.

    - S (Msft)


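As an added example (not part of the thread, and not Skywing's or raj's own commands), the PowerShell snippet below drives cdb with the -xe ld:ntdll option Skywing describes and runs, at that first stop, the checks that answer raj's question: whether the initial instruction pointer lies inside any module the debugger knows about yet, and where a single trace actually lands. It assumes cdb.exe (Debugging Tools for Windows) is on PATH; notepad.exe is an arbitrary throwaway target. The comments describe what the thread's XP-era session (kernel32 at 7c8xxxxx, ntdll at 7c9xxxxx) shows; as Skywing's last reply notes, the initial context can differ on later releases, so treat the expected results as what to compare against rather than as guaranteed output.

```powershell
# Added example: reproduce the "?? ???" first stop from the thread and verify why it happens.
# Assumptions: cdb.exe on PATH; notepad.exe is just a convenient debuggee.
$target = 'notepad.exe'

# Commands run in order. The first stop is placed by -xe ld:ntdll, i.e. before any
# loader code has executed in the new process. Single quotes keep $ip literal for cdb.
$commands = @(
    'r $ip',          # initial instruction pointer: the thread's "desired" start context
    'lm a @$ip',      # module containing $ip: in the thread's session, none is listed yet
    '!address @$ip',  # region info for $ip: shows whether an image is mapped there yet
    't',              # one trace: the kernel delivers the startup APC first, so this
                      # lands in ntdll!KiUserApcDispatcher, far from the original $ip
    'lm a @$ip',      # now resolves to ntdll, which -xe ld:ntdll just reported loading
    'u @$ip L2',      # thread shows: pop eax / call eax {ntdll!LdrInitializeThunk}
    'kb',             # thread shows: KiUserApcDispatcher+0x4 with zeroed arguments
    'g',              # continue to the normal initial breakpoint (int 3)
    'q'               # quit; this also terminates the debuggee
) -join '; '

& cdb.exe -xe ld:ntdll -c $commands $target
```

The point of the two lm a checks is that the same pseudo-register resolves to nothing before the trace and to ntdll after it: the debugger did not follow a jmp from the first address, the thread simply never executed there first. The trace in the thread's own transcript (u eip l1 reporting a memory access error, then t landing at 7c90e454) is the interactive form of the same check, and `u @$ip L1` at the first stop reproduces that error if you want to see it by hand.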