After you click ‘OK’ in response to being asked whether you want to load the
pdb, look through the output window and see if you see any information about
the PDB.
Something like:
PDB: using DIA dll “C:\Program Files (x86)\Common Files\Microsoft
Shared\VC\msdia90.dll”
PDB: DIA interface version 9.0
PDB: loaded 0 types
PDB: total 142 symbols loaded for…
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jun Koi
Sent: Monday, November 08, 2010 10:36 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Disassemble some kernel functions, and see only
garbage?
On Mon, Nov 8, 2010 at 7:59 PM, Scott Noone wrote:
>> I tried to use IDAPro on ntoskrnl.exe, but because Vista doesnt seem
>> to export KiInitSystem, that doesnt work either.
>
> Which version of IDA are you using? I does support PDBs and the MS symbol
> server, so finding this function is just a matter of getting your symbols
> right.
>
yes, this is my concern now. my IDA is version 6, and when i open
“ntoskrnl.exe”, IDA asked me like: “do you want to find symbols from
PDB?”, and i said “Yes”. after that, i can see that IDA shows me a lot
of symbols, but i cannot find KiInitSystem symbol in the list of
exported symbols.
i guess smt must be wrong here on why IDA cannot find KiInitSystem,
because finally, WinDbg can find that.
perhaps i must somehow configure IDA for this? (though it said that it
did everything automatically for me, but i still have some doubts)
thanks,
J
> “Jun Koi” wrote in message news:xxxxx@windbg…
>>
>> On Mon, Nov 8, 2010 at 4:22 PM, Doron Holan
>> wrote:
>>>
>>> If the function was marked as INIT, it could have very well been thrown
>>> out after boot (note that the memory is all zeros)
>>>
>>
>> nice, that is what i anticipated.
>>
>> so the question is: if i want to see some code in INIT area (like
>> KiInitSystem() function), what should I do?
>>
>> I tried to use IDAPro on ntoskrnl.exe, but because Vista doesnt seem
>> to export KiInitSystem, that doesnt work either.
>>
>> thanks,
>> J
>>
>>
>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Jun Koi
>>> Sent: Monday, November 08, 2010 12:10 AM
>>> To: Kernel Debugging Interest List
>>> Subject: [windbg] Disassemble some kernel functions, and see only
>>> garbage?
>>>
>>> hi,
>>>
>>> i am playing around with WinDbg, and try to do local kernel debugging on
>>> Vista 64bit. and i found something intersting!
>>>
>>> that is when i run command “u KiInitSystem”, i got only meaningless
>>> result, like below. it seems all the garbage to me.
>>> why is that? perhaps Windows already cleaned some unused code after the
>>> initialization process is done?
>>>
>>> many thanks,
>>> Jun
>>>
>>> lkd> u KiInitSystem
>>> nt!KiInitSystem:
>>> fffff800020d3ef0 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al<br>>>> fffff800020d3ef2 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al
>>> fffff800020d3ef4 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al<br>>>> fffff800020d3ef6 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al
>>> fffff800020d3ef8 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al<br>>>> fffff800020d3efa 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al
>>> fffff800020d3efc 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al<br>>>> fffff800020d3efe 0000 ? ? ? ? ? ?add ? ? byte ptr [rax],al
>>>
>>> —
>>> WINDBG is sponsored by OSR
>>>
>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>>
>>> —
>>> WINDBG is sponsored by OSR
>>>
>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
—
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer