It relates to an implementation detail on how NT bootstraps a new user mode thread. Suffice to say that until the thread starts running, the initial context value represents the ‘desired’ context for the thread start procedure. When it is time for the thread to first begin to run, it is arranged for it to first start running the loader code so that the loader can bootstrap the new process, invoke DLL callouts for a new thread, etc. Once this has completed, control transfers to the ‘desired’ initial thread context and the user’s supplied thread code will get to run.
Note that this behavior may of course change in the future, but it is useful to know for debugging early startup.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Friday, March 30, 2012 2:19 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Using virtual serial port for non-kernel debugging
Yes, I have run through it from KiUserApcDispatcher+0x04 till the normal SystemBreakPoint.
I was just wondering how hitting trace automagically provides the next statement,
as you can see the address space is also far apart, from 7c810705 to 7c90e454.
Can I find out if the line at 7c810705 contains jmp 7c90e454?
0:000> u eip l1
7c810705 ?? ???
^ Memory access error in ‘u eip l1’
0:000> t
7c90e454 58 pop eax
0:000> p
7c90e455 ffd0 call eax {ntdll!LdrInitializeThunk (7c901166)}
0:000> p
WARNING: This break is not a step/trace completion.
The last command has been cleared to prevent accidental continuation of this unrelated event.
Check the event, location and thread before resuming.
(f28.f2c): Break instruction exception - code 80000003 (first chance)
7c90120e cc int 3
0:000>
On 3/31/12, Skywing wrote:
> You are probably looking at a thunk residing in kernel32/kernelbase,
> which has not yet been mapped into the address space. The -xe
> ld:ntdll trick will get you control before any of the loader code
> runs, so nothing has mapped those modules in yet.
>
> - S (Msft)
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
> Sent: Friday, March 30, 2012 2:00 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] Using virtual serial port for non-kernel
> debugging
>
> SkyWing
>
> now that you posted -xe
>
> I have a question that has been nagging me for a long time which I
> can't find a satisfactory answer for:
>
> why is it that when you start debugging early process creation using the
> technique mentioned above, the first instruction that is shown on the
> debugger window doesn't have any opcodes or asm
>
> and looks like ???
>
> and only after hitting t (trace) or p (step)
> windbg / cdb shows KiUserApcDispatcher
>
> what is the magic?
>
>
> 7c810705 ?? ???
> 0:000> t
>
> 7c90e454 58 pop eax
> 0:000> kb
> ChildEBP RetAddr Args to Child
> 00000000 00000000 00000000 00000000 00000000
> ntdll!KiUserApcDispatcher+0x4
> 0:000>
>
> regards
> raj
>
> On 3/31/12, Skywing wrote:
>> [New thread started to circumvent Lyris listserve limitations around
>> character sets. Sorry.]
>>
>> You can debug early user mode initialization by starting the debugger
>> with -xe ld:ntdll (assuming that you’re launching the process from
>> the user mode debugger).
>>
>> - S (Msft)
>>
>>
>> —
>> WINDBG is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer