Debugging user process in kernel mode debugging

I’ve debugged user processes with windbg in kernel mode by putting a hard coded breakpoint in the program and when it is hit, reloading symbols and stepping into the program. Some folks I am working with are having problems getting this to work, and I remember there was a discussion of an alternate way to do this. Can someone remind me of the commands to get there?

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Would that be kdbgctrl.exe -eu?

Instead of using int3, I usually use .process /i [EPROCESS], followed by .reload and bp. It doesn’t work 100% of the time. IIRC there was a nice OSR article some time ago that explained some of the limitations.

Regards,
Gary Kratkin

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
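A worked kd session for the .process /i, .reload, bp sequence described above, added here as an example; it is not taken from the thread or from OSR. The target image (notepad.exe), the EPROCESS address 8a1b2c30, the Cid and the output lines are constructed for illustration:

```windbg
$$ Added example, not from the original thread. notepad.exe, the EPROCESS
$$ 8a1b2c30 and the other values shown are constructed for illustration.

$$ 1. Locate the target: "!process 0 0 <image>" lists matching EPROCESS blocks.
kd> !process 0 0 notepad.exe
PROCESS 8a1b2c30  SessionId: 0  Cid: 0174    Peb: 7ffde000  ParentCid: 05a8
    Image: notepad.exe

$$ 2. Ask for an invasive switch. Nothing changes until a thread of the
$$    target is scheduled: the debugger arms an internal break and you must "g".
kd> .process /i 8a1b2c30
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g

$$ 3. Back in kd, now with the target's page tables and a target thread current.
$$    User-mode modules are not loaded by default, hence .reload /user;
$$    setting the bp before this step is the usual reason it "does not work".
kd> .reload /user
kd> lm m notepad

$$    In kernel mode, bp /p ties the breakpoint to one EPROCESS so that a
$$    second instance of the same image does not trigger it.
kd> bp /p 8a1b2c30 notepad!WinMain

$$ 4. Let it run; the next break at WinMain is in notepad's context.
kd> g
```

If `bl` afterwards lists the breakpoint as unresolved, the symbol was looked up before the process context was valid; repeat `.reload /user` from inside the target and set the breakpoint again.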

Actually I believe there is a way to do this from entirely inside of Windbg. .process is not it.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

!bpid Processid ?

thanks and regards

raj_r

Use a CPU hardware breakpoint with “ba” ?


kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> !bpid -a 0174
Finding winlogon.exe (0)…
Waiting for winlogon.exe to break. This can take a couple of minutes…
Break instruction exception - code 80000003 (first chance)
Stepping to g_AttachProcessId check…
Break into process 174 set. The next break should be in the desired process.

Microsoft (R) Windows User-Mode Debugger Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Loaded dbghelp extension DLL
The call to LoadLibrary(ext) failed with error 2.
Please check your debugger configuration and/or network access
Loaded exts extension DLL
The call to LoadLibrary(uext) failed with error 2.
Please check your debugger configuration and/or network access
Loaded ntsdexts extension DLL
Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
Executable search path is:
ModLoad: 01000000 01014000 C:\WINDOWS\system32\notepad.exe
ModLoad: 7c900000 7c9af000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
ModLoad: 6f880000 6fa4a000 C:\WINDOWS\AppPatch\AcGenral.DLL
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=003bffcc ebp=003bfff4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:001> ~*k
~*k

0 id: 174.178 Suspend: 1 Teb 7ffdd000 Unfrozen
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\notepad.exe
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0007fed8 01002a1b ntdll!KiFastSystemCallRet
0007ff1c 01007511 notepad+0x2a1b
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0007ffc0 7c817067 notepad+0x7511
0007fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49

. 1 id: 174.354 Suspend: 1 Teb 7ffdc000 Unfrozen
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
003bfff4 00000000 ntdll!DbgBreakPoint
0:001>

thanks and regards

raj_r

A hardware breakpoint won’t by default be active in all register contexts
(.apply_db).

What kind of problems are they having? Doesn’t break in, symbols/stack
make no sense, ...?

Do they have a user mode debugger active/AeDebug (Post mortem debugger)
registered?

How about using the whole ‘controlling the user mode debugger from the
kernel mode debugger’ thing?

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jeff Glass
Sent: Thursday, February 10, 2011 12:15 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Debugging user process in kernel mode debugging

Use a CPU hardware breakpoint with “ba” ?

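The hardware-breakpoint approach from the quoted reply, together with the register-context caveat raised above, as an added example that is not part of the thread. The EPROCESS 8a1b2c30 and ETHREAD 8a0c1da8 are constructed; the re-apply command is the documented .apply_dbp (the reply above abbreviates it as .apply_db):

```windbg
$$ Added example, not from the original thread. Addresses are constructed.

$$ Hardware breakpoints live in the CPU debug registers, which are saved and
$$ restored as part of each thread's register context, so set them from
$$ inside the target process.
kd> .process /i 8a1b2c30
kd> g
kd> .reload /user

$$ ba e1: break on execute, 1-byte range. Unlike bp, nothing is patched into
$$ the image, so it also works on pages the debugger cannot or should not write.
kd> ba e1 notepad!WinMain

$$ Caveat: by default the debug-register state is applied only to the register
$$ context that was current when ba ran. After changing the current thread
$$ (in kd: .thread <ETHREAD>), re-apply the debugger's data breakpoints to the
$$ now-current context, or the ba stays silent in that thread.
kd> .thread 8a0c1da8
kd> .apply_dbp

$$ Confirm the breakpoint is listed and enabled, then run.
kd> bl
kd> g
```

A silent `ba` after a thread or process switch is therefore not a sign that the address is wrong; check `bl` first and re-apply before changing the breakpoint.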

Whoops - never mind the part about whether they have a post-mortem debugger
enabled. That couldn’t be the problem.

One other thought - have they been using ‘sxi?’

mm

I just wrote about the use of .process here if it helps:

http://osronline.com/article.cfm?id=576&nocache=1

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com


Just posted this comment on that article:

Nice article.
.thread /r /p works in a live debug, too, shortening the switch/reload into
one step.
I’ve been able to debug the unmanaged shim to my minifilter using this
technique, but I’ve not been able to get around in the managed UM code that
drives my shim at all. Finally gave up and used Visual Studio for the
managed code, and the kernel debugger for the unmanaged shim and kernel
code. I’d really be interested to hear if someone has been more successful at
that than I.
Also, any concise recipe for configuring the kernel debugger so the Studio
can handle UM exceptions?

Thanks,

Phil

Philip D. Barila (303) 776-1264

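The one-step .thread /r /p variant mentioned in Phil's comment, as an added example that is not part of the thread. The EPROCESS 8a1b2c30, the ETHREAD 8a0c1da8 and the listed output are constructed:

```windbg
$$ Added example, not from the original thread. EPROCESS/ETHREAD addresses
$$ and the output lines are constructed.

$$ Flag 2 on !process lists the threads of that process.
kd> !process 8a1b2c30 2
PROCESS 8a1b2c30  SessionId: 0  Cid: 0174    Peb: 7ffde000  ParentCid: 05a8
    Image: notepad.exe
        THREAD 8a0c1da8  Cid 0174.0178  Teb: 7ffdd000 Win32Thread: e1a2b3c4 WAIT

$$ .thread /p switches the process context to the owner of that thread (as
$$ .process /p would) and /r reloads user-mode symbols for it, so the
$$ switch and the reload are one command.
kd> .thread /r /p 8a0c1da8
kd> k

$$ This is the non-invasive form: fine for reading stacks, locals and memory
$$ of that thread, and no "g" is needed. To break and step inside the process,
$$ arm it invasively (.process /i <EPROCESS>, then g) and set the bp from there.
```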