Debugging a specific Driver (.sys file)

Hi people,
I’m Jayson and just new in kernel debugging using windbg. Just have a question…
Currently, I’m trying to debug a specific driver located in a VMWare environment (XP). The host and the VMWare setup is already good and they are connecting via serial port. My question is how will I breakpoint on the DriverEntry routine of the .sys file driver that I want to debug. I tried this in the commandline:

windbg -bu acblock!DriverEntry -k com:pipe,port=\.\pipe\com_1,resets=0

but it’s not working properly and it says that it “Could not create process ‘u !DriverEntry -k com:port=\.\com_1,resets=0’, Win32 error 0n2. The system cannot find the file specified”

Hope you can help me on this…Thanks! :slight_smile:

Connect with this
windbg -k com:pipe,port=\.\pipe\com_1,resets=0

and then when you connect, break in and at the cmd prompt
bu acblock!DriverEntry

d

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Doron,

Thanks for the immediate reply Doron. However, it seems that it can’t
connect to the VM using these parameters only. But when i put the “-b”,
windbg was able to connect. I am also wondering about this. Any thoughts?

Again, thanks a lot!

Hi people,

hope someone can clarify this thing to me… thanks in advance

  1. I think that you’re probably just not telling it to break in. That’s one of the things that ‘-b’ does.

In particular, without ‘-b,’ you need to do something like:

a. press ctrl+break
b. take ‘Break in’ from the ‘Debug’ menu

  2. It is helpful to the list if you repeat the original question when you post. It prevents members from having to go back through the thread to figure out what a post like your last one means.

Good luck,

mm


Don’t enter “bu acblock!DriverEntry” on the command line of windbg.
Let the target system boot and hit the initial breakpoint , or break
manually before starting the driver.

Only then, enter “bu acblock!DriverEntry” command.

Regards,
--pa

Hi Pavel,

Thanks for the reply too. Yes, I was able to connect the VM to windbg by
using -b on the initial break point. But the VMWare hung. Will bu still work
even though the VM already hung?

Thanks


hi people,

hope someone can help me. I’m quite stuck on this for a while and it’s kinda urgent (sorry for the hassles). I just want to debug my specific driver (.sys file) using windbg in such a way that I can see the returns and contents of the registers (eax, ebx, edx, etc.) and stack per line (if possible). I’m a newbie in device driver programming/ device driver debugging and have limited idea on how to do this.

many thanks

I’m not really sure what you are looking for, but I fear that the answer is going to be the same - there is unfortunately no quick way to get up to speed with windbg.

mm

Hope somebody can clarify on this. I’m quite stuck on this for a while and
it’s quite urgent. I’m a newbie in device driver programming/ device driver
debugging and I need to debug my specific driver (.sys file) in such a way
that I can see the contents of the registers (eax, ebx, etc…) and stack on
a per line basis (if possible)

Thanks in advance!


This is not a newsgroup where continually prodding the membership works.
We do have jobs and typically can only answer when we have free time.

–Mark Cariddi

OSR, Open Systems Resources…


Thanks for the reply. I know that there is no easy way with windbg. But I
hope there are some simple but comprehensive references on how to start.

thanks a lot


Simple but comprehensive? That would be a no.

The only intro of which I am aware is the ‘kernel_debugging_tutorial.doc’ file in the root of the windbg installation.

Good luck,

mm

If you google “codeproject windbg” there is a tutorial that while it is not
focused on Kernel mode, many of the same things apply.


You need to set a breakpoint at some function in your code using the
“bp” command, or as a last resort embed a DbgBreakPoint call in the
driver. After that, you can single step using the “t” and “p” commands
and watch the registers change.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Alternately, use Ctl+Alt+K to cycle to “Will request initial breakpoint at
next boot”. Once there, enter “bu mydriver!DriverEntry”, and given
everything else is copacetic, you should break at DriverEntry.

The personal opinion of
Gary G. Little

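The sequence the replies above describe (Doron’s connect-then-bu, Pavel’s break-in-first, Gary’s initial breakpoint, Tim’s bp followed by t/p stepping), written out as one WinDbg session. This is an added example and not from any of the posters. The original failure is worth naming: windbg has no “-bu” switch, so “-bu acblock!DriverEntry” was read as “-b” plus a user-mode program named “u …” to launch, which is exactly the “Could not create process” error quoted in the first post. The module name acblock, the symbol folder C:\sym\acblock and the pipe name \\.\pipe\com_1 are assumptions for illustration; “$$” lines are WinDbg comments.

```windbg
$$ Added example, not from the thread. Host side, before any of this:
$$   windbg -b -k com:pipe,port=\\.\pipe\com_1,resets=0
$$ -b stops the target at the initial breakpoint as soon as the guest
$$ connects; a guest that looks "hung" at that point is simply stopped
$$ in the debugger, and g resumes it.
$$ Assumption: acblock.sys was built with private symbols, acblock.pdb
$$ sits in C:\sym\acblock on the host.

$$ 1. At the initial breakpoint: make the PDB reachable and set a
$$    deferred breakpoint. bu stays pending until a module named
$$    acblock loads, so it works even though the driver has not started.
.sympath+ C:\sym\acblock
.reload
bu acblock!DriverEntry
$$ Also stop when the image is mapped, before DriverEntry runs, so the
$$ breakpoint can be checked against the loaded module.
sxe ld:acblock
bl
g

$$ 2. Start the driver in the guest (e.g. "net start acblock"). The
$$    load event fires first: confirm the symbol resolved, then continue.
lm m acblock
x acblock!DriverEntry
g

$$ 3. Breakpoint hit inside DriverEntry. Inspect state, then step.
$$    r     all registers (eax, ebx, ecx, edx, esp, ebp, eip, ...)
$$    k     call stack; kb adds the first three args of each frame (x86)
$$    dv    locals (DriverObject, RegistryPath) from private symbols
$$    l+t   step by source line instead of by instruction
$$    p     step over one line; t traces into calls
r
k
dv
l+t
p
r eax, ecx, edx
t
kb
```

bu rather than bp is the important choice: bp on a symbol in a module that is not yet loaded cannot be resolved, while bu is kept unresolved and re-evaluated on every module load and .reload. The sxe ld stop is optional; it only gives a point to run bl and x before DriverEntry executes, which is useful when the breakpoint never fires because the module name or symbol path is wrong.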

Jason,

I really am not trying to be insulting, but the honest truth is setting up windbg for debugging is the easiest part of kernel-mode driver development. It sounds like you have been told by some manager that you have to debug a driver. Or you have contracted for a job that you are definitely not qualified for. If it is the former, you need to tell the manager that just because he/she wants a driver expert doesn’t make you one. If you have contracted for a job that you aren’t qualified to do, then you need to get out of it.

How to connect and debug is described in detail in the help file. Also, “Advanced Windows Debugging” can be purchased from most online or brick and mortar book stores to fill in the gaps about windbg. Understanding how a kernel-mode driver works takes years, although patching a driver could be done in as little as a month if you are OS savvy.

I’m trying to be polite, but you are in over your head based on your questions so far. Read the documentation from MS.

Good luck,
Paul

I hope you realize that it sounds like you have been given a job and I am trying to give you a short, honest answer. I am not trying to insult you.


Sorry, I haven’t read this NG for few days. Hope you’ve sorted it out now.
–pa
