When I am debugging an application in user mode using WinDbg, I can set a
break on access for fs:00000f94 (ba r4 fs:f94) and it breaks, sometimes.
When I randomly break in user mode and check the value (dd fs:f94 L1) and
see that it has changed, yet the "ba r4 fs:f94" breakpoint did not
trigger, I assumed some code in the kernel modified the memory and user-mode
debugging could not pick it up. I then broke into kernel mode so that I
could set a breakpoint on access for the same user-mode virtual memory
address. My problem is I don't know how to do that. I've done this so far:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 8134a838 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1001d88 HandleCount: 283.
Image: System
:
:
:
PROCESS ff96bc88 SessionId: 0 Cid: 0520 Peb: 7ffdf000 ParentCid: 0740
DirBase: 0af7e000 ObjectTable: e10a5550 HandleCount: 410.
Image: WinAlign.exe
kd> .process /i ff96bc88
You need to continue execution (press 'g') for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80510b26 cc int 3
kd> !peb
PEB at 7ffdf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00400000
Ldr 00251e90
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00251f28 . 00255530
Ldr.InLoadOrderModuleList: 00251ec0 . 00255520
Ldr.InMemoryOrderModuleList: 00251ec8 . 00255528
Base TimeStamp Module
400000 41c1b1f3 Dec 16 10:04:03 2004 C:\HEPROGS\aligner\EXECUTE\WinAlign.exe
77f50000 3eb1b41a May 01 18:56:10 2003 C:\WINDOWS\System32\ntdll.dll
77e60000 40d1dbcb Jun 17 12:58:35 2004 C:\WINDOWS\system32\kernel32.dll
5ed00000 3d6df9e5 Aug 29 05:39:33 2002 C:\WINDOWS\System32\OPENGL32.dll
77c10000 3d6dfa27 Aug 29 05:40:39 2002 C:\WINDOWS\system32\msvcrt.dll
77dd0000 3d6dfa28 Aug 29 05:40:40 2002 C:\WINDOWS\system32\ADVAPI32.dll
78000000 4049346b Mar 05 20:16:11 2004 C:\WINDOWS\system32\RPCRT4.dll
7f000000 40d1dbcb Jun 17 12:58:35 2004 C:\WINDOWS\system32\GDI32.dll
77d40000 40d1dbcb Jun 17 12:58:35 2004 C:\WINDOWS\system32\USER32.dll
68b20000 3b7dfe60 Aug 18 00:34:24 2001 C:\WINDOWS\System32\GLU32.dll
51000000 40ee6af9 Jul 09 04:52:57 2004 C:\WINDOWS\System32\DDRAW.dll
73bc0000 3b7dfe25 Aug 18 00:33:25 2001 C:\WINDOWS\System32\DCIMAN32.dll
76b40000 3d6dfa20 Aug 29 05:40:32 2002 C:\WINDOWS\System32\WINMM.dll
71b20000 3b7dfe31 Aug 18 00:33:37 2001 C:\WINDOWS\system32\MPR.dll
:
:
:
:
:
71a50000 3b7dfe31 Aug 18 00:33:37 2001 C:\WINDOWS\system32\mswsock.dll
71a90000 3b7dfe33 Aug 18 00:33:39 2001 C:\WINDOWS\System32\wshtcpip.dll
74cb0000 3d6dfa12 Aug 29 05:40:18 2002 C:\WINDOWS\System32\mshtmled.dll
60000000 45899a70 Dec 20 14:17:52 2006 C:\WINDOWS\System32\nvoglnt.dll
SubSystemData: 00000000
ProcessHeap: 00150000
ProcessParameters: 00020000
WindowTitle: 'C:\Documents and Settings\All Users\Desktop\WinAlign.lnk'
ImageFile: 'C:\HEPROGS\aligner\EXECUTE\WinAlign.exe'
CommandLine: '"C:\HEPROGS\aligner\EXECUTE\WinAlign.exe" '
DllPath: C:\WINDOWS\System32;C:\WINDOWS\system;c:\WinDbg
Environment: 00010000
=::=::\
=C:=C:\HEPROGS\aligner
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Technician\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RM-811TEST
ComSpec=C:\WINDOWS\system32\cmd.exe
devmgr_show_details=1
devmgr_show_nonpresent_devices=1
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Technician
LOGONSERVER=\RM-811TEST
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\WinDbg
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\TECHNI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\TECHNI~1\LOCALS~1\Temp
USERDOMAIN=RM-811TEST
USERNAME=Technician
USERPROFILE=C:\Documents and Settings\Technician
windir=C:\WINDOWS
_NT_DEBUG_1394_CHANNEL=10
_NT_DEBUG_BUS=1394
_NT_SYMBOL_PATH=c:\Windows\Symbols;srv*c:\Windows\Symbols*z:;srv*c:\Windows\Symbols*y:;srv*c:\Windows\Symbols*http://msdl.microsoft.com/download/symbols
__COMPAT_LAYER=Win98
kd> .reload
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading symbols for 804d4000 ntoskrnl.exe ->
DBGHELP: c:\Windows\Symbols\ntoskrnl.pdb\8592B6763F34476B9BB560395A383F962\ntoskrnl.pdb - mismatched pdb
DBGHELP: c:\Windows\Symbols\ntoskrnl.pdb\EC9B7590D1BB47A6A6D5383538C2B31A1\ntoskrnl.pdb - mismatched pdb
ntoskrnl.exe
DBGHELP: nt - public symbols
c:\Windows\Symbols\ntoskrnl.pdb\EDF6F8E0622B4C00B5C842490E8F49A72\ntoskrnl.pdb
ModLoad: 804d4000 806c8e00 ntoskrnl.exe
Loading Kernel Symbols
.ModLoad: 806c9000 806e8380 halaacpi.dll
.ModLoad: f9761000 f9762b80 kd1394.dll
.ModLoad: f9671000 f9674000 \WINDOWS\system32\BOOTVID.dll
:
:
:
.ModLoad: f93b1000 f93bee00 \SystemRoot\system32\drivers\sysaudio.sys
Loading unloaded module list
…
Loading User Symbols
.ModLoad: 77f50000 77ff7000 C:\WINDOWS\System32\ntdll.dll
.ModLoad: 77e60000 77f46000 C:\WINDOWS\system32\kernel32.dll
.ModLoad: 5ed00000 5edc6000 C:\WINDOWS\System32\OPENGL32.dll
:
:
:
.ModLoad: 74cb0000 74d1f000 C:\WINDOWS\System32\mshtmled.dll
.ModLoad: 60000000 60526000 C:\WINDOWS\System32\nvoglnt.dll
kd> u 60000000 L100
nvoglnt:
60000000 4d dec ebp
60000001 5a pop edx
60000002 90 nop
:
:
kd> u 602906ec L100
nvoglnt!DrvCopyContext+0x16ac1c:
602906ec ?? ???
^ Memory access error in 'u 602906ec l100'
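An added WinDbg command sequence (an example, not from the post) showing how the same data breakpoint can be taken from the kernel debugger by resolving the thread's TEB to a flat address; it assumes the x86 Windows XP target and the process address ff96bc88 listed by !process above.

```windbg
$$ Added example, not from the original post. Assumes x86 XP as in the
$$ transcript; ff96bc88 is the WinAlign.exe process from the !process listing.

$$ 1. Switch to the target process context and run until the debugger breaks
$$    back in on one of that process's threads.
.process /i ff96bc88
g

$$ 2. In kernel mode on x86 the fs selector points at the KPCR, not the TEB,
$$    so "fs:f94" evaluated here addresses kernel data. Use the current
$$    thread's TEB pseudo-register to get the user-mode linear address.
!teb
? @$teb + 0xf94

$$ 3. Read the value through its flat address and set the same breakpoint
$$    (r4 = 4-byte read or write access, as in the post). The TEB is per
$$    thread, so this watches only this thread's slot; repeat for other
$$    threads of interest after switching to them with .thread.
dd @$teb + 0xf94 L1
ba r4 @$teb + 0xf94
bl

$$ 4. Resume. Hardware breakpoints match on the linear address, so if another
$$    address space touches the same address the break may land there; confirm
$$    the process on each hit with !process -1 0.
g
```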