Breaking on access, process creation and module load!

WINDBG
1

Hello all,

I am kernel debugging using Firewire 1394 I am creating a section in
my driver and mapping it into user-space for a certain process to use.
For some reason, when my process executes the data in this section,
the process crashes. So, what I would like to do is set a break point
if ANY code touches the section of memory. I use “ba r4 pSection” and
“ba e1 pSection”, but the break point is never hit. I also use “sxe
cpr” and “sxe ld” to break on process creation and module load from
the kernel debugger, and it never breakpoints. Does anyone have any
clues to why this could be?

Is there a way to set a break point in the application when it hits
the access denied error so I could determine the exact problem? or is
there a way from the kernel debugger to set a breakpoint on when any
application gets access denied?

Thanks!

2

Cripes what makes you think you can do that!?!? Did you not search this
forum and find that which you propose is verboten? If its code that needs to
run in both spaces then define an IOCTL and use that from the application to
execute that code in the kernel. If it’s code that is only executed in user
mode, then keep it in your application and forget the kernel.

You might build the code as a DLL that is loadable in both kernel and user
spaces. Obviously a copy will be loaded into each space when invoked by
either mode, but you maintain a common code base.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Friday, April 09, 2010 7:43 PM
To: Kernel Debugging Interest List
Subject: [windbg] Breaking on access, process creation and module load!

Hello all,

I am kernel debugging using Firewire 1394 I am creating a section in
my driver and mapping it into user-space for a certain process to use.
For some reason, when my process executes the data in this section,
the process crashes. So, what I would like to do is set a break point
if ANY code touches the section of memory. I use “ba r4 pSection” and
“ba e1 pSection”, but the break point is never hit. I also use “sxe
cpr” and “sxe ld” to break on process creation and module load from
the kernel debugger, and it never breakpoints. Does anyone have any
clues to why this could be?

Is there a way to set a break point in the application when it hits
the access denied error so I could determine the exact problem? or is
there a way from the kernel debugger to set a breakpoint on when any
application gets access denied?

Thanks!

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

__________ Information from ESET Smart Security, version of virus signature
database 5014 (20100409) __________

The message was checked by ESET Smart Security.

http://www.eset.com

__________ Information from ESET Smart Security, version of virus signature
database 5014 (20100409) __________

The message was checked by ESET Smart Security.

http://www.eset.com

3

What about just “bp ”

You may also read a recent NT insider article about missed breakpoint from windbg for an explanation – what it essentially says is yes, you may miss a debug breakpoint if you are debugging some user space code from the kernel debugger due to paging and there is no easy?solution to it:-)

And you can also use gflag to set the debugger to be launched in the user mode when a specific application is launched. Then if you know the address of the code to execute in the user mode debugger, you should be able to catch it from the user mode debugger reliably.

Lijun

________________________________
From: Jonathon
To: Kernel Debugging Interest List
Sent: Fri, April 9, 2010 8:42:57 PM
Subject: [windbg] Breaking on access, process creation and module load!

Hello all,

I am kernel debugging using Firewire 1394? I am creating a section in
my driver and mapping it into user-space for a certain process to use.
For some reason, when my process executes the data in this section,
the process crashes.? So, what I would like to do is set a break point
if ANY code touches the section of memory.? I use “ba r4 pSection” and
“ba e1 pSection”, but the break point is never hit.? I also use “sxe
cpr” and “sxe ld” to break on process creation and module load from
the kernel debugger, and it never breakpoints.? Does anyone have any
clues to why this could be?

Is there a way to set a break point in the application when it hits
the access denied error so I could determine the exact problem? or is
there a way from the kernel debugger to set a breakpoint on when any
application gets access denied?

Thanks!


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

4

On Intel IA-32/Intel 64, hardware breakpoint can cover at most one machine word, so there’s no direct way to set a breakpoint on anything larger than that, like a whole section.

Regarding the rest of your question, I confused - when are you encountering the ‘access denied’ error? I thought you weren’t hitting any breakpoints.

mm