From: raj_r
Sent: Thursday, January 01, 2009 10:54
To: Kernel Debugging Interest List
Subject: [windbg] windbg doesnt display data (or how to force windbg to display data )
I was checking some VPC hooks on ntoskrnl via !chkimg -d
I see VPC hooking lots of instructions (125 errors)
kd> !chkimg nt
0 errors : nt
kd> g
Breakpoint 0 hit
vpc_8042+0x2cdd:
f9897cdd 0f ???
kd> !chkimg nt
125 errors : nt (804d910c-804ef20c)
Most of these hooks are in nt!ExAcquireSharedWaitForExclusive, patching the setinterrupt (sti), clearinterrupt (cli) and trampolines to vmsti, vmcli
On 1/2/09, Skywing wrote:
> What’s !pte say?
>
> - S
The output of the pte and pfn commands is at the end of this session paste. Ken, thanks for replying (also a hardware bp doesn't seem to work as well).
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Waiting for pipe \\.\pipe\debugPipe
Waiting to reconnect…
Connected to Windows XP 2600 x86 compatible target at (Fri Jan 2 21:55:54.359 2009 (GMT+5)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*F:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp2_rtm.040803-2158
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
804e3b14 cc int 3
kd> bp vpc_8042+0x2cdd;g;!chkimg nt;u 804d9545 l3;ba w1 804d9545;g;!chkimg nt;u 804d9545 l3;bp 804d9545;g;g
Bp expression ‘vpc_8042+0x2cdd’ could not be resolved, adding deferred bp
Breakpoint 0 hit
*** ERROR: Module load completed but symbols could not be loaded for vpc-8042.sys
0 errors : nt
nt!ExAcquireResourceSharedLite+0x10:
804d9545 fa cli
804d9546 8b7508 mov esi,dword ptr [ebp+8]
804d9549 33db xor ebx,ebx
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
Breakpoint 0 hit
125 errors : nt (804d910c-804ef20c)
nt!ExAcquireResourceSharedLite+0x10:
804d9545 e91b474c01 jmp 8199dc65
804d954a cc int 3
804d954b 66395e0c cmp word ptr [esi+0Ch],bx
Breakpoint 0 hit
Breakpoint 2 hit
nt!ExAcquireResourceSharedLite+0x10:
804d9545 e91b474c01 jmp 8199dc65
kd> p
8199dc65 e967240200 jmp 819c00d1
kd> p
819c00d1 9c pushfd
kd> p
819c00d2 50 push eax
kd> p
819c00d3 a1002040f7 mov eax,dword ptr ds:[F7402000h]
kd> dd F7402000 l4
f7402000 ??? ??? ??? ???
kd> dd poi(F7402000)
Memory access error at ‘)’
kd> !address F7402000
address f7402000 not found in any known Kernel Address Range ----
kd> !pte F7402000
VA f7402000
PDE at C0300F74 PTE at C03DD008
contains 0100D163 contains 00000000
pfn 100d -G-DA--KWEV
kd> !pfn 100d
PFN 0000100D at address 81047138
flink 00000000 blink / share count 00000002 pteaddress C0300F74
reference count 0001 Cached color 0
restore pte 00000000 containing page 000039 Active
The PTE is invalid, the PFN that you show there is for the PDE. So, it would
look as if the page is indeed invalid.
I’ve never looked at VirtualPC before, any chance that address falls in the
device memory range for some PCI device presented to the guest? I’d think
you could still decode it from the debugger, but maybe not.
“raj_r” wrote in message news:xxxxx@windbg…
Ken, do you happen to notice anything usable in the !pte and !pfn output? Any ideas?
thanks and regards
raj
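The two-level lookup behind the !pte output discussed in this thread, as an added example that is not part of any poster's message: it recomputes where the PDE and PTE for F7402000 live and shows why the address cannot be read. It assumes 32-bit non-PAE x86 with the page tables self-mapped at C0000000; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit non-PAE x86 Windows, where the paging structures are
   self-mapped at fixed virtual addresses (matches the !pte output above). */
#define PTE_BASE  0xC0000000u  /* start of the page-table self-map */
#define PDE_BASE  0xC0300000u  /* page directory inside that map   */
#define PG_VALID  0x001u       /* present bit                      */
#define PG_LARGE  0x080u       /* PDE only: maps a 4 MB page       */
#define PG_GLOBAL 0x100u

/* Virtual address of the PDE / PTE that describes va (4 bytes per entry). */
uint32_t pde_address(uint32_t va) { return PDE_BASE + ((va >> 22) << 2); }
uint32_t pte_address(uint32_t va) { return PTE_BASE + ((va >> 12) << 2); }

/* Page frame number stored in the top 20 bits of an entry. */
uint32_t entry_pfn(uint32_t entry) { return entry >> 12; }

/* Walk both levels. Returns 1 and fills *pa when va translates, 0 when an
   entry is not valid (the debugger then shows ?? for the memory). */
int translate(uint32_t va, uint32_t pde, uint32_t pte, uint32_t *pa)
{
    if (!(pde & PG_VALID))
        return 0;
    if (pde & PG_LARGE) {                 /* no PTE level for 4 MB pages */
        *pa = (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
        return 1;
    }
    if (!(pte & PG_VALID))
        return 0;
    *pa = (pte & 0xFFFFF000u) | (va & 0x00000FFFu);
    return 1;
}

int main(void)
{
    /* Values copied from the !pte F7402000 output in the thread. */
    uint32_t va = 0xF7402000u, pde = 0x0100D163u, pte = 0x00000000u, pa = 0;

    printf("PDE at %08X  PTE at %08X\n",
           (unsigned)pde_address(va), (unsigned)pte_address(va));
    printf("PDE: pfn %x, valid %d, global %d\n", (unsigned)entry_pfn(pde),
           (pde & PG_VALID) != 0, (pde & PG_GLOBAL) != 0);
    if (translate(va, pde, pte, &pa))
        printf("VA %08X -> PA %08X\n", (unsigned)va, (unsigned)pa);
    else
        printf("VA %08X is not mapped (invalid PDE or PTE)\n", (unsigned)va);
    return 0;
}
```

With the thread's values the PDE is valid and carries pfn 100d, while the zero PTE stops the walk, so the page table exists but the page itself is not mapped.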