Fwd: RE: Kernel debug in Windbg using tcp - is it possible?

Speaking of Compuware, SoftICE and abusive marketing practices, did
anyone else get a call or e-mail today or recently from a rep offering
you, as a valued customer, the right to purchase a license for
DriverStudio with no future, no support, etc. for 60% of retail, which
I think comes to around $1100? If not, consider yourself lucky, as this
is one of the worst things of this type that I have heard of in a long
time.

mm

>> Martin O’Brien 2007-01-16 21:10 >>>
I hear you Michal. I just posted, but the long and short in my
opinion, is that SI committed suicide by abusive marketing practice,
and, while SI definitely had its issues (although I used the ethernet
transport for years), I think it is a reasonable question to ask how
much of a WinDbg lovefest there would be if people had to pay for
it.

mm

>> xxxxx@upek.com 2007-01-16 20:27 >>>

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Don Burn[SMTP:xxxxx@acm.org]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, January 17, 2007 1:53 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

Some of us never got SoftIce to not mess up the way the system was
supposed to work, so I for one would highly recommend against it. I
applauded its demise or, as Mark Twain said, ‘‘I didn’t attend the
funeral, but I sent a nice letter saying I approved of it.’’

Really wise. Nobody forced you to use SoftICE, but for some of us it was
the easiest way to explore a live system. It allowed me to make my
work faster and better all these years. The demise means there is
no choice, just WinDbg: a great post-mortem analysis tool and a rather
clumsy debugger. A debugger is a matter of personal preference, but it is
always better if there is a choice, and competition, which makes software
better.

BTW, for the previous poster, I successfully got SoftICE working via
TCP/IP. Just out of curiosity; the real value for me was one-computer
development.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Daniel Terhell wrote:

Interesting issues people here are raising are:

-Wouldn’t it be nice if we could do kernel debugging over a network
connection ?

Yes, but that requires a configured network stack and driver,
independent of the operating system, available at boot time. That’s a
Big Deal.

-Wouldn’t it be nice if we didn’t need to carry around a bunch of hardware
including multiple systems just to be able to do debugging but instead could
just do it on one single machine ?

Yes, but experience has shown that the Heisenberg principle is at work
here. Doing single machine debugging inevitably impacts the system
under test in unpredictable and undesirable ways. In particular, it is
darned near impossible to single-machine-debug a display driver.

A cheap laptop dedicated as a WinDbg host is pretty easy.

-Wouldn’t it improve the quality of WinDbg if there were some competition
and another kernel debugger were around ?

I’m not convinced of that. I can’t think of another example of an
operating system with multiple sets of kernel tools. It requires such
detailed and intimate knowledge of the internals of kernel – knowledge
that a proprietary operating system vendor might reasonably be unwilling
to share.

-Would WinDbg still be so popular if we had to pay for it ?

If we were paying for it, we all would have complained about it until it
got better.

-Was MS right to knock out SoftIce from the competition by inducing heavy
kernel restrictions with Patchguard ?

This is not the reason. SoftIce was fading rapidly long before
PatchGuard came into being.

-Wouldn’t it be nice if installing the debugger, getting the symbols and
connections right wouldn’t actually be a much harder task than anything else
in kernel land including writing an encryption file system filter driver ?

That’s just silly. I can remember a time when we dedicated the first
two days of every contract to screwing around with RS232 cables and
adapters and connectors to get the kernel debugger connected. Today, it
Just Works.

-Why doesn’t WinDbg comply with the user interface guidelines of MS? Wouldn’t
it be nice if they just wouldn’t hexdump the crap out of us just because we
are kernel developers and we can read opcode anyway ? This Windbg is using
an absurd unintuitive syntax which is totally incompatible with both short
term and long term human memory, paged or non paged.

I don’t want a kernel debugger video game with blinky lights and
transparent flaming logo buttons. I want something that shows me
registers and opcodes, quickly, with no distractions. Indeed, I often
eschew the GUI altogether and run i386kd from a command line.

On the other hand, I agree that the command set is a bit arcane. Part
of that comes from maintaining backward compatibility with every
debugger since the MS-DOS debug.com, but that doesn’t help me choose
between dot-this and bang-that. It’s handy that many commands now
suggest to me the next command to try. The KMDF extension (wdfkd.dll)
is especially good at that.

However, there are one hell of a lot of commands in WinDbg. How would
you make them more clear? I have also used gdb. It is (ironically)
wordier than WinDbg, but every bit as arcane. Do I want “info”,
“display”, “show”, “print” or “examine”?

SoftIce is also arcane, although the context-sensitive help was a big aid.

If you have any comments, I would really appreciate your or other experts
views on these. My vision is that the people behind SoftIce really tried
hard and deserve merit for it.

For a while, they certainly did so, and in the mid-90s I gave them some
of my hard-earned dollars. As the kernel got more complex and component
interactions became more intertwined, it just became impossible for them
to provide the same functionality with each new version. Too many
special cases and weird configurations.

No matter what debugger is used, I see
debugging as a non-constructive evil which is sometimes unavoidable and like
a poisonous drug should only be used as a last recourse if really no other
options are available.

I’m not sure I agree with that. Printf-style debugging using something
like dbgview.exe can tell you a lot of information, but there are things
that cannot be understood without watching breakpoints and single stepping.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

My problems with SoftICE are:

  • It installed its own display drivers (at least the last version I
    attempted to use did) and because of that it was picky about what
    system it would work on.
  • You needed a license for every system you needed to debug. If you
    have a lab full of equipment and have to debug on different machines,
    I’d rather be able to simply modify the boot.ini file and connect my
    laptop to it than have to purchase yet another SoftICE license,
    install it and hope that its display drivers worked on that system.
  • It was much more difficult to get SoftICE to use the correct symbols
    than it ever was to set that up on Windbg. SoftICE required massaging
    the symbols into its own format beforehand. I can’t tell you how many
    times I forgot to do that step.

Beverly

On 1/17/07, Daniel Terhell wrote:
> Thanks, I understand by now you and others like WinDbg more than SoftIce. As
> for “The driver crashes unless it is run
> under SoftICE, and we have no way to debug it” I recall reading an article
> in the NtInsider explaining the perfect Heisenbug when certain code was run
> under WinDbg it would run perfectly well and would crash as soon as the
> debugger was absent.
> ( http://www.osronline.com/article.cfm?id=380 )
>
> Interesting issues people here are raising are:
>
> -Wouldn’t it be nice if we could do kernel debugging over a network
> connection ?
> -Wouldn’t it be nice if we didn’t need to carry around a bunch of hardware
> including multiple systems just to be able to do debugging but instead could
> just do it on one single machine ?
> -Wouldn’t it improve the quality of WinDbg if there were some competition
> and another kernel debugger were around ?
> -Would WinDbg still be so popular if we had to pay for it ?
> -Was MS right to knock out SoftIce from the competition by inducing heavy
> kernel restrictions with Patchguard ?
> -Wouldn’t it be nice if installing the debugger, getting the symbols and
> connections right wouldn’t actually be a much harder task than anything else
> in kernel land including writing an encryption file system filter driver ?
> -Why doesn’t WinDbg comply with the user interface guidelines of MS? Wouldn’t
> it be nice if they just wouldn’t hexdump the crap out of us just because we
> are kernel developers and we can read opcode anyway ? This Windbg is using
> an absurd unintuitive syntax which is totally incompatible with both short
> term and long term human memory, paged or non paged.
>
> If you have any comments, I would really appreciate your or other experts
> views on these. My vision is that the people behind SoftIce really tried
> hard and deserve merit for it. No matter what debugger is used, I see
> debugging as a non-constructive evil which is sometimes unavoidable and like
> a poisonous drug should only be used as a last recourse if really no other
> options are available. I prefer investing my time in improving the quality
> of my coding rather than setting up quirky debuggers, lest there be a
> need for it, at least for the code I write myself.
>
> /Daniel
>
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
> > Actually as a consultant there were times I was forced to use SoftICE.
> > About 3 years ago, I started telling my customers there was a 25%
> > surcharge if I had to use that piece of crap. Every time I used it I found
> > places where they altered the normal behavior of the system. I did
> > benefit once, since I had a customer call me saying “The driver crashes
> > unless it is run under SoftICE, and we have no way to debug it” Between
> > using WinDBG and driver verifier I found over 10 bugs that SoftICE had
> > obscured.
> >
> >
>
>
>

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Tim Roberts[SMTP:xxxxx@probo.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, January 17, 2007 7:58 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

Yes, but experience has shown that the Heisenberg principle is at work
here. Doing single machine debugging inevitably impacts the system
under test in unpredictable and undesirable ways.

I don’t see a fundamental difference from a kernel debugger connected via a cable. The latter can be even worse because a cable connection is always slower.

In particular, it is
darned near impossible to single-machine-debug a display driver.

If I remember correctly, there were people who did it using SoftICE mono monitor support.

A cheap laptop dedicated as a WinDbg host is pretty easy.

My case is just opposite: I have a lot of new laptop prototypes here and none of them have a serial port. Some probably don’t have the only recommended 1394 chip.

> -Wouldn’t it improve the quality of WinDbg if there were some competition
> and another kernel debugger were around ?

I’m not convinced of that. I can’t think of another example of an
operating system with multiple sets of kernel tools. It requires such
detailed and intimate knowledge of the internals of kernel – knowledge
that a proprietary operating system vendor might reasonably be unwilling
to share.

IMO MS would only gain if kernel sources were available, similarly to WinCE sources, for example. It’d make our life easier, our drivers more reliable, and we could more easily find and point out OS bugs. Did they lose anything when NT4 and part of the w2k sources leaked?

This is not the reason. SoftIce was fading rapidly long before
PatchGuard came into being.

It is correct that SI development stopped before PatchGuard, but I don’t remember fading. It was developed and updated for current SPs and then it was discontinued.

However, there are one hell of a lot of commands in WinDbg. How would
you make them more clear? I have also used gdb. It is (ironically)
wordier than WinDbg, but every bit as arcane. Do I want “info”,
“display”, “show”, “print” or “examine”?

SoftIce is also arcane, although the context-sensitive help was a big aid.

Personally, I have no problem with the WinDbg command line. It should have more intelligent history and completion, like SI or 4NT have, but it is generally useful. The GUI is horrible; simple SI windows are much better.

I’m not sure I agree with that. Printf-style debugging using something
like dbgview.exe can tell you a lot of information, but there are things
that cannot be understood without watching breakpoints and single stepping.

An example? Within the past few years I debugged all my code using DbgView only. Kernel drivers, user mode apps and DLLs, firmware and WinCE code. I had to write some tools which allowed me to show remote traces, though. I need a debugger only to see and debug 3rd party and OS code for which I don’t have sources and can’t add traces. Instead of breakpoints I use asserts :)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

What I would like to see improved about Windbg:

I would like to cast an address to a structure and display it C-style
the way gdb works

print *(SOME_STRUCT *)struct_ptr

would cast struct_ptr to SOME_STRUCT * and print its contents member
by member. dt gets you there in a roundabout way but this is much more
intuitive IMO. (and I am NOT a Linux fan!)

Beverly

On 1/17/07, Peter Wieland wrote:
> Ah - I love conspiracy theory Tuesdays. I console myself with the
> knowledge that if we did charge for WinDBG or if we had ever supported
> single machine debugging that an equal number of theories about how it
> was a plot by MS to increase (something) would abound.
>
>
> I would be interested in a list of features that SoftICE had that made
> it more useful than WinDBG aside from single-machine support. Better
> disassemble? Better breakpoint support? Better single step ability?
> Better functionality without symbols?
>
> Ethernet support sounds like one thing. Did it work with any Ethernet
> controller, or just one or two? Was there any security on it?
>
> I suspect I can search the archive to find this in bits and pieces - did
> anyone ever make an exhaustive list?
>
> -p
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
> Sent: Tuesday, January 16, 2007 6:41 PM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it possible?
>
> > ----------
> > From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Martin O’Brien[SMTP:xxxxx@evitechnology.com]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Wednesday, January 17, 2007 3:10 AM
> > To: Windows System Software Devs Interest List
> > Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it possible?
> >
> > I hear you Michal. I just posted, but the long and short in my opinion,
> > is that SI committed suicide by abusive marketing practice, and, while
> > SI definitely had its issues (although I used the ethernet transport for
> > years), I think it is a reasonable question to ask how much of a WinDbg
> > lovefest there would be if people had to pay for it.
> >
> I agree with both suicide and WinDbg price. It isn’t so long ago that the main
> argument of WinDbg advocates here was no fee.
>
> Well, I didn’t want to wake the old SI versus WinDbg thread. The game is
> over. I wonder if MS developers aren’t able to do what NuMega did or if
> the necessity to have two computers is the intention. SI was widely used
> as a hackers’ tool mainly because of its one-machine debugging abilities.
> Or maybe they don’t care. With access to OS sources they don’t need a
> tool which helps with reverse engineering and they got used to the two
> machine setup.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
>
>
>

Also, to be able to access a struct member using C-style syntax would be good.

print struct_ptr->member

Beverly

On 1/17/07, Beverly Brown wrote:
> What I would like to see improved about Windbg:
>
> I would like to cast an address to a structure and display it C-style
> the way gdb works
>
> print *(SOME_STRUCT *)struct_ptr
>
> would cast struct_ptr to SOME_STRUCT * and print its contents member
> by member. dt gets you there in a roundabout way but this is much more
> intuitive IMO. (and I am NOT a Linux fan!)
>
> Beverly
>

  1. I had never considered the prospect of debugging a display driver on
    one machine. That is a really, really terrible thought.

  2. I have long considered the question of how to make the
    documentation of the commands better, because I just can’t seem to
    remember certain commands, and the only option left is search, which
    will produce far more hits than I have the patience to deal with, for
    most any of the basic concepts which a command involves. The one that I
    can never seem to remember is “dg,” because I seem to have the idea in
    my head that there is a “!gdt,” and searching for “descriptor” produces
    28 hits, while “global descriptor” yields zero. After much
    consideration, I have arrived at nothing, except having long aliases more
    or less entirely for this purpose. This seems a little extreme.

  3. As far as issues with documentation go, a lot of commands simply
    don’t have any. Ever opened up the most recent README and tried to look
    up one of the highlighted new commands or new options for any existing
    one? It’s rather difficult.

To me the benefit of SI, while situational, was a very practical one
when it existed. Attaching online at least for a first look beat going
to site with a serial cable. This was frequently not an option, but
when it was the price and situational instability didn’t seem all that
bad.

But they’re still pirates.

mm

>> xxxxx@probo.com 2007-01-17 13:58 >>>

IMO, using a debugger is a lot faster than cluttering your code with
lots of debugging printfs. That is usually an iterative process where
you display something, see that it’s wrong and then need to display
something else to see why it’s wrong. Using a debugger, you can
examine other variable and look at the stack, set breakpoints, etc,
and therefore find the reason why something got set wrong a lot
faster.

In fact, stepping through code the first time it’s executed can catch
bugs that wouldn’t show up otherwise until sometime later in the
development/test cycle, or worse, in the end user’s system.

Beverly

On 1/17/07, Michal Vodicka wrote:
> > I’m not sure I agree with that. Printf-style debugging using something
> > like dbgview.exe can tell you a lot of information, but there are things
> > that cannot be understood without watching breakpoints and single stepping.
> >
> An example? Within past few years I debugged all my code using DbgView only. Kernel drivers, user mode apps and DLLs, firmware and WinCE code. I had to write some tools which allowed me to show remote traces, though. I need a debugger only to see and debug 3rd patry and OS code for which I don’t have sources and can’t add traces. Instead of breakpoints I use asserts :slight_smile:
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Beverly Brown[SMTP:xxxxx@gmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, January 17, 2007 9:03 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

  • It installed its own display drivers (At least the last version I
    attempted to use did) and because of that it was picky about what
    system it would work on.

Maybe some very old version. I started working with it on NT about 10 years ago and used a secondary mono monitor. Later they added a universal display driver approach which worked with all modern display adapters (I guess with any which supports DirectDraw).

  • You needed a license for every system you needed to debug. If you
    have a lab full of equipment and have to debug on different machines,
    I’d rather be able to simply modify the boot.ini file and connect my
    laptop to it than have to purchase yet another SoftICE license,
    install it and hope that its display drivers worked on that system.

Only the host + target installation needed a licence. You could install target-only on as many machines as you wanted.

  • It was much more difficult to get SoftICE to use the correct symbols
    that it ever was to set that up on Windbg. SoftICE required massaging
    the symbols into its own format beforehand. I can’t tell you how many
    times I forgot to do that step.

Yes, as I already said, it is the only thing where WinDbg is better. However, it is understandable. The PDB format is undocumented and it is necessary to access it via user mode DLLs. So the easiest way is to extract all symbols to its own format. Maybe they could emulate a user mode environment for these DLLs.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

dt does that ;)

dt Foo Field->Struct.Blah

as for the casting, you can use ?? to do it, e.g. ?? ((foo*) ptr)

d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Beverly Brown
Sent: Wednesday, January 17, 2007 12:23 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

Also, to be able to access a struct member using C-style syntax would be
good.

print struct_ptr->member

Beverly

On 1/17/07, Beverly Brown wrote:
> What I would like to see improved about Windbg:
>
> I would like to cast an address to a structure and display it C-style
> the way gdb works
>
> print *(SOME_STRUCT *)struct_ptr
>
> would cast struct_ptr to SOME_STRUCT * and print its contents member
> by member. dt gets you there in a roundabout way but this is much more
> intuitive IMO. (and I am NOT a Linux fan!)
>
> Beverly
>
> On 1/17/07, Peter Wieland wrote:
> > Ah - I love conspiracy theory Tuesdays. I console myself with the
> > knowledge that if we did charge for WinDBG or if we had ever
supported
> > single machine debugging that an equal number of theories about how
it
> > was a plot by MS to increase (something) would abound.
> >
> >
> > I would be interested in a list of features that SoftICE had that
made
> > it more useful than WinDBG aside from single-machine support.
Better
> > disassemble? Better breakpoint support? Better single step
ability?
> > Better functionality without symbols?
> >
> > Ethernet support sounds like one thing. Did it work with any
Ethernet
> > controller, or just one or two? Was there any security on it?
> >
> > I suspect I can search the archive to find this in bits and pieces -
did
> > anyone ever make an exhaustive list?
> >
> > -p
> >
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of Michal
Vodicka
> > Sent: Tuesday, January 16, 2007 6:41 PM
> > To: Windows System Software Devs Interest List
> > Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it
possible?
> >
> > > ----------
> > > From:
> >
xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com
> >] on behalf of Martin O’Brien[SMTP:xxxxx@evitechnology.com]
> > > Reply To: Windows System Software Devs Interest List
> > > Sent: Wednesday, January 17, 2007 3:10 AM
> > > To: Windows System Software Devs Interest List
> > > Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it
> > possible?
> > >
> > > I hear you Michal. I just posted, but the long and short in my
> > opinion,
> > > is that SI committed suicide by abusive marketing practice, and,
while
> > > SI definitely had its issues (although I used the ethernet
transport
> > for
> > > years), I think it is a reasonable question to ask how much of a
> > WinDbg
> > > lovefest there would people if people had to pay for it.
> > >
> > I agree with both suicide and WinDbg price. It isn’t so long the
main
> > argument of WinDbg advocates here was no fee.
> >
> > Well, I didn’t want to awake old SI versus WinDbg thread. The game
is
> > over. I wonder if MS developers aren’t able to do what NuMega did or
if
> > the necessity to have two computers is the intention. SI was widely
used
> > as hackers’ tool mainly because of its one-machine debugging
abilities.
> > Or maybe they don’t care. With access to OS sources they don’t need
a
> > tool which helps with reverse engineering and they got used to two
> > machines setup.
> >
> > Best regards,
> >
> > Michal Vodicka
> > UPEK, Inc.
> > [xxxxx@upek.com, http://www.upek.com]
> >
> >
> >
> >
> >
> >
>



> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Martin O’Brien[SMTP:xxxxx@evitechnology.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, January 17, 2007 7:56 PM
To: Windows System Software Devs Interest List
Subject: Fwd: RE: [ntdev] Kernel debug in Windbg using tcp - is it possible?

Speaking of Compuware, SoftICE and abusive marketing practices, did
anyone else get a call or e-mail today or recently from a rep offering
you, as a valued customer, the right to purchase a license for
DriverStudio with no future, no support, et. c. for 60% of retail, which
I think comes to around $1100? If not consider yourself lucky, as this
is one of the worse things of this type that I have heard of in a long
time.

I’d consider it if it contains complete source code ;)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

You can do this right now. Use ?? *(foo!SOME_STRUCT*)struct_ptr . This is documented in several places in the WinDbg help.

? uses the default evaluator syntax, which defaults to assembler.
?? uses C++ evaluator syntax.

In any expression context, you can override the current evaluator syntax with the @@ prefix. @@c++(…) evaluates the inner expression using the C++ evaluator, and @@masm(…) uses the assembly evaluator. Both syntaxes have their joys and pains.

To get the C++ evaluator to do what you want, you’ll have to make sure that you are using the correct structure name. It’s very common for C++ headers to use #define or typedefs to hide/change/alias/mangle/whatever type names. Most of NT uses _FOO_BAR as its naming convention for structures, but there’s also tagFOOBAR, PFOOBAR, etc. Use “dt foo!*something*” to find the right mangled name of the structure, and then be consistent when you invoke ??.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Beverly Brown
Sent: Wednesday, January 17, 2007 3:08 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

What I would like to see improved about Windbg:

I would like to cast an address to a structure and display it C-style
the way gdb works

print *(SOME_STRUCT *)struct_ptr

would cast struct_ptr to SOME_STRUCT * and print its contents member
by member. dt gets you there in a roundabout way but this is much more
intuitive IMO. (and I am NOT a Linux fan!)

Beverly


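A worked WinDbg session, added here as an illustration and not taken from any post in the thread, putting Arlie's evaluator notes and Doron's dt field-path syntax side by side. The driver module mydrv, the global g_DevExt, the types _MY_DEVICE_EXTENSION and _MY_ITEM and their fields are all assumed for the example; substitute whatever dt reports for your own module. Each line is a debugger command typed at the kd> prompt, and $$ introduces a comment.

```windbg
$$ Added example, not part of the original thread. A KD session against
$$ a hypothetical driver "mydrv" whose PDB is loaded. Assumed symbols
$$ (all invented for this example):
$$   mydrv!g_DevExt : global of type PMY_DEVICE_EXTENSION
$$   MY_DEVICE_EXTENSION = typedef of struct _MY_DEVICE_EXTENSION with
$$     fields Count (ULONG), Next (PMY_DEVICE_EXTENSION) and
$$     Items (PMY_ITEM, pointing at a dynamically allocated array)
$$   struct _MY_ITEM with field Value (ULONG)

$$ 1. Find the name the PDB actually uses before casting. Headers often
$$    typedef or #define the struct; wildcards list every candidate.
dt mydrv!*DEVICE_EXTENSION*

$$ 2. "?" is the MASM evaluator: a symbol is an address, so the first
$$    command prints where g_DevExt lives and poi() is needed to read
$$    the pointer stored there.
? mydrv!g_DevExt
? poi(mydrv!g_DevExt)

$$ 3. "??" is the C++ evaluator: the symbol is a typed value, so the
$$    gdb-style cast and dereference prints the struct member by member.
$$    The type name must be the module-qualified one dt reported.
?? *(mydrv!_MY_DEVICE_EXTENSION *)@@masm(poi(mydrv!g_DevExt))

$$    With the typedef in the PDB no cast is needed at all; ->, ., []
$$    and pointer arithmetic are ordinary C++.
?? mydrv!g_DevExt->Count
?? mydrv!g_DevExt->Next->Count
?? mydrv!g_DevExt->Items[3].Value
?? *(mydrv!g_DevExt->Items + 3)

$$ 4. The other direction: @@c++() evaluates the inner expression with
$$    the C++ evaluator so its value can feed a MASM-style command.
dd @@c++(mydrv!g_DevExt->Items) L8

$$ 5. dt walks the same path from a symbol name and field path without
$$    a cast (Doron's form), and -a<n> prints n array elements one per
$$    line when the declared type carries no element count.
dt mydrv!g_DevExt Next->Count
dt -a8 mydrv!_MY_ITEM @@c++(mydrv!g_DevExt->Items)

$$ 6. Symbol-loading caveat: a mistyped unqualified name makes the
$$    debugger search every loaded module, hitting the symbol server for
$$    each one. SYMOPT_NO_UNQUALIFIED_LOADS (0x100) stops that, !sym
$$    noisy shows what is being fetched, and a module-qualified name
$$    such as mydrv!g_DevExt never triggers the search in the first place.
.symopt+ 0x100
!sym noisy
.reload /f mydrv.sys
```

Step 3 is the direct equivalent of the gdb `print *(SOME_STRUCT *)struct_ptr` asked for in the thread; the only real trap is the type name, which is why step 1 comes first. Step 6 is the practical answer to the complaint raised later in the thread about a typo triggering symbol loads for every module: the 0x100 flag is the DbgHelp SYMOPT_NO_UNQUALIFIED_LOADS option, and `.symopt` without arguments shows which options are currently set.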
Try

?? (SOME_STRUCT *) struct_ptr

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Beverly Brown
Sent: Wednesday, January 17, 2007 12:08 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

What I would like to see improved about Windbg:

I would like to cast an address to a structure and display it C-style
the way gdb works

print *(SOME_STRUCT *)struct_ptr

would cast struct_ptr to SOME_STRUCT * and print its contents member
by member. dt gets you there in a roundabout way but this is much more
intuitive IMO. (and I am NOT a Linux fan!)

Beverly


But it’s still not very intuitive. What exactly is of type Foo in that
example? Is it Field? Why do I have to tell it the type? Doesn’t the
debugger already know?

What I want is this:

My source code has a pointer in it whose symbolic name is ptr. It is
declared to be a pointer to a struct of type FOO like so:

FOO *ptr.

I want to refer to one of its members with a command like this

print ptr->member.another_ptr->foo

without having to give it any type information. The debugger should
already know that from the symbols. (It knows it in the locals window)
This is useful for accessing things that aren’t displayed easily in
the locals window (like linked-lists). I realize windbg has a way to
display linked lists, but it is not intuitive and I can never remember
how to do it. Or if ptr is an array, but the debugger cannot know how
big it is because it was dynamically allocated (and therefore can only
show the first element in the locals window), I’d like to say

print ptr[3] or print *(ptr+3)

For casting I certainly wouldn’t have guessed that you could use ?? to
use C-style syntax. Again, not intuitive. The last time I looked up
how to do this, there were some very unintuitive things you had to do
with pointers and such (and I could never remember what they were or
what the rules were for using them) for asm-style vs C-style in order
to cast and display variables. (Using ?? is pretty unintuitive, too,
BTW. Why is that necessary? Is that the command or a prefix?).

Beverly

On 1/17/07, Doron Holan wrote:
> dt does that ;)
>
> dt Foo Field->Struct.Blah
>
> as for the casting, you can use ?? to do it, e.g. ?? ((foo*) ptr)
>
> d

My problem with that is that it’s not intuitive. There should be no
prefixes necessary.

Beverly

On 1/17/07, Arlie Davis wrote:
> You can do this right now. Use ?? *(foo!SOME_STRUCT*)struct_ptr . This is documented in several places in the WinDbg help.
>
> ? uses the default evaluator syntax, which defaults to assembler.
> ?? uses C++ evaluator syntax.
>
> In any expression context, you can override the current evaluator syntax with the @@ prefix. @@c++(…) evaluates the inner expression using the C++ evaluator, and @@masm(…) uses the assembly evaluator. Both syntaxes have their joys and pains.
>
> To get the C++ evaluator to do what you want, you’ll have to make sure that you are using the correct structure name. It’s very common for C++ headers to use #define or typedefs to hide/change/alias/mangle/whatever type names. Most of NT uses _FOO_BAR as its naming convention for structures, but there’s also tagFOOBAR, PFOOBAR, etc. Use “dt foo!*something*” to find the right mangled name of the structure, and then be consistent when you invoke ??.

It was the question about whether two machine debugging was part of some
master plan which gave me visions of tin foil hats and black helicopters
:)

No problem. The feedback is good. I too find WinDBG’s GUI pretty
horrendous, but I usually use kd for everything but stepping through
source code lines (remoting WINDBG into KD is a very nice feature)

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, January 17, 2007 10:33 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it possible?


From:
xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com
] on behalf of Peter Wieland[SMTP:xxxxx@windows.microsoft.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, January 17, 2007 6:17 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it
possible?

Ah - I love conspiracy theory Tuesdays. I console myself with the
knowledge that if we did charge for WinDBG or if we had ever supported
single machine debugging that an equal number of theories about how it
was a plot by MS to increase (something) would abound.

I had no intention to make conspiracy theories and if I did, I
apologize. I just wonder why MS doesn’t implement what NuMega developers
did many years ago.

I would be interested in a list of features that SoftICE had that made
it more useful than WinDBG aside from single-machine support. Better
disassemble? Better breakpoint support? Better single step ability?
Better functionality without symbols?

It is hard to say. The main advantage which influences user experience
is immediate availability when a hotkey is pressed. For me the single
machine support is the most important and even if everything else is
worse, it would prevail. Simply, when I need to examine or change
something, press a hotkey and can do anything.

Next main difference is UI. SI text mode UI was simple, intuitive and
easy to control. WinDbg GUI makes me scream. To be honest, CompuWare
attempts to make something similar were even worse.

It’d be possible to compare feature by feature but it’d take a lot of
time. I’d say it differently – comparing SI and WinDbg user experience
is similar to comparing 4NT and command.com (not cmd.exe). The first has
intelligent command history, filename completion and a lot of small
improvements and even if you can use both to perform the same tasks, the
difference is enormous and the first is much more efficient.

The only thing which is better in WinDbg is access to symbols. For SI
symbols had to be prepared/downloaded and translated at first and it
wasn’t possible to add more symbols without leaving SI. On the other
hand, I really hate WinDbg when I make a typo and it then loads symbols
for all modules from symbol server which can’t be broken. It can be
probably configured somewhere but who can remember how?

Ethernet support sounds like one thing. Did it work with any Ethernet
controller, or just one or two? Was there any security on it?

Yes, there was security on it. It could be configured which IP addresses
were allowed to access it, and a password could be used. I don’t exactly
remember if it worked with any Ethernet controller or with all. I
vaguely remember there was a universal driver which could hook and
utilize any existing NDIS driver but I’m not sure.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]



That is what I gave you :wink:

dt ptr member.another_ptr->foo

no type info, just the symbol by name and then the underlying “C”
statement to get at the right field.

Look at the -a flag for dt to look at dumping arrays.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Beverly Brown
Sent: Wednesday, January 17, 2007 1:24 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?

But it’s still not very intuitive. What exactly is of type Foo in that
example? Is it Field? Why do I have to tell it the type? Doesn’t the
debugger already know?

What I want is this:

My source code has a pointer in it whose symbolic name is ptr. It is
declared to be a pointer to a struct of type FOO like so:

FOO *ptr.

I want to refer to one of its members with a command like this

print ptr->member.another_ptr->foo

without having to give it any type information. The debugger should
already know that from the symbols. (It knows it in the locals window)
This is useful for accessing things that aren’t displayed easily in
the locals window (like linked-lists). I realize windbg has a way to
display linked lists, but it is not intuitive and I can never remember
how to do it. Or if ptr is an array, but the debugger cannot know how
big it is because it was dynamically allocated (and therefore can only
show the first element in the locals window), I’d like to say

print ptr[3] or print *(ptr+3)

For casting I certainly wouldn’t have guessed that you could use ?? to
use C-style syntax. Again, not intuitive. The last time I looked up
how to do this, there were some very unintuitive things you had to do
with pointers and such (and I could never remember what they were or
what the rules were for using them) for asm-style vs C-style in order
to cast and display variables. (Using ?? is pretty unintuitive, too,
BTW. Why is that necessary? Is that the command or a prefix?).

Beverly

On 1/17/07, Doron Holan wrote:
> dt does that :wink:
>
> dt Foo Field->Struct.Blah
>
> as for the casting, you can use ?? to do it, e.g. ?? ((foo*) ptr)
>
> d
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Beverly Brown
> Sent: Wednesday, January 17, 2007 12:23 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?
>
> Also, to be able to access a struct member using C-style syntax would be
> good.
>
> print struct_ptr->member
>
> Beverly
>
> On 1/17/07, Beverly Brown wrote:
> > What I would like to see improved about Windbg:
> >
> > I would like to cast an address to a structure and display it C-style
> > the way gdb works
> >
> > print *(SOME_STRUCT *)struct_ptr
> >
> > would cast struct_ptr to SOME_STRUCT * and print its contents member
> > by member. dt gets you there in a roundabout way but this is much more
> > intuitive IMO. (and I am NOT a Linux fan!)
> >
> > Beverly
> >
> > On 1/17/07, Peter Wieland wrote:
> > > Ah - I love conspiracy theory Tuesdays. I console myself with the
> > > knowledge that if we did charge for WinDBG or if we had ever supported
> > > single machine debugging that an equal number of theories about how it
> > > was a plot by MS to increase (something) would abound.
> > >
> > > I would be interested in a list of features that SoftICE had that made
> > > it more useful than WinDBG aside from single-machine support. Better
> > > disassemble? Better breakpoint support? Better single step ability?
> > > Better functionality without symbols?
> > >
> > > Ethernet support sounds like one thing. Did it work with any Ethernet
> > > controller, or just one or two? Was there any security on it?
> > >
> > > I suspect I can search the archive to find this in bits and pieces - did
> > > anyone ever make an exhaustive list?
> > >
> > > -p
> > >
> > > -----Original Message-----
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
> > > Sent: Tuesday, January 16, 2007 6:41 PM
> > > To: Windows System Software Devs Interest List
> > > Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it possible?
> > >
> > > > ----------
> > > > From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Martin O’Brien[SMTP:xxxxx@evitechnology.com]
> > > > Reply To: Windows System Software Devs Interest List
> > > > Sent: Wednesday, January 17, 2007 3:10 AM
> > > > To: Windows System Software Devs Interest List
> > > > Subject: RE: [ntdev] Kernel debug in Windbg using tcp - is it possible?
> > > >
> > > > I hear you Michal. I just posted, but the long and short in my opinion,
> > > > is that SI committed suicide by abusive marketing practice, and, while
> > > > SI definitely had its issues (although I used the ethernet transport for
> > > > years), I think it is a reasonable question to ask how much of a WinDbg
> > > > lovefest there would be if people had to pay for it.
> > > >
> > > I agree with both suicide and WinDbg price. It isn’t so long the main
> > > argument of WinDbg advocates here was no fee.
> > >
> > > Well, I didn’t want to awake old SI versus WinDbg thread. The game is
> > > over. I wonder if MS developers aren’t able to do what NuMega did or if
> > > the necessity to have two computers is the intention. SI was widely used
> > > as hackers’ tool mainly because of its one-machine debugging abilities.
> > > Or maybe they don’t care. With access to OS sources they don’t need a
> > > tool which helps with reverse engineering and they got used to two
> > > machines setup.
> > >
> > > Best regards,
> > >
> > > Michal Vodicka
> > > UPEK, Inc.
> > > [xxxxx@upek.com, http://www.upek.com]



BEVERLY:

I suppose that at this point it is safe to ask: is (2) really
correct? Not that I didn’t follow this, of course. That was not my
understanding. It would seem unlikely, as the product is only entered
for installation on the host, if I remember correctly.

mm

>> xxxxx@gmail.com 2007-01-17 15:03 >>>
My problems with SoftICE are:

  • It installed its own display drivers (At least the last version I
    attempted to use did) and because of that it was picky about what
    system it would work on.
  • You needed a license for every system you needed to debug. If you
    have a lab full of equipment and have to debug on different machines,
    I’d rather be able to simply modify the boot.ini file and connect my
    laptop to it than have to purchase yet another SoftICE license,
    install it and hope that its display drivers worked on that system.
  • It was much more difficult to get SoftICE to use the correct symbols
    than it ever was to set that up on Windbg. SoftICE required massaging
    the symbols into its own format beforehand. I can’t tell you how many
    times I forgot to do that step.

Beverly

On 1/17/07, Daniel Terhell wrote:
> Thanks, I understand by now you and others like WinDbg more than SoftIce. As
> for “The driver crashes unless it is run under SoftICE, and we have no way
> to debug it” I recall reading an article in the NtInsider explaining the
> perfect Heisenbug when certain code was run under WinDbg it would run
> perfectly well and would crash as soon as the debugger was absent.
> ( http://www.osronline.com/article.cfm?id=380 )
>
> Interesting issues people here are raising are:
>
> -Wouldn’t it be nice if we could do kernel debugging over a network
> connection ?
> -Wouldn’t it be nice if we didn’t need to carry around a bunch of hardware
> including multiple systems just to be able to do debugging but instead could
> just do it on one single machine ?
> -Wouldn’t it improve the quality of WinDbg if there were some competition
> and another kernel debugger were around ?
> -Would WinDbg still be so popular if we had to pay for it ?
> -Was MS right to knock out SoftIce from the competition by inducing heavy
> kernel restrictions with Patchguard ?
> -Wouldn’t it be nice if installing the debugger, getting the symbols and
> connections right wouldn’t actually be a much harder task than anything else
> in kernel land including writing an encryption file system filter driver ?
> -Why WinDbg doesn’t comply to the user interface guidelines of MS? Wouldn’t
> it be nice if they just wouldn’t hexdump the crap out of us just because we
> are kernel developers and we can read opcode anyway ? This Windbg is using
> an absurd unintuitive syntax which is totally incompatible with both short
> term and long term human memory, paged or non paged.
>
> If you have any comments, I would really appreciate your or other experts
> views on these. My vision is that the people behind SoftIce really tried
> hard and deserve merit for it. No matter what debugger is used, I see
> debugging as a non-constructive evil which is sometimes unavoidable and like
> a poisonous drug should only be used as a last recourse if really no other
> options are available. I prefer investing my time in improving the quality
> of my coding rather than setting up quirky debuggers, less there will be a
> need for it, at least for the code I write myself.
>
> /Daniel
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
> > Actually as a consultant there were times I was forced to use SoftICE.
> > About 3 years ago, I started telling my customers there was a 25%
> > surcharge if I had to use that piece of crap. Every time I used it I found
> > places where they altered the normal behavior of the system. I did
> > benefit once, since I had a customer call me saying “The driver crashes
> > unless it is run under SoftICE, and we have no way to debug it” Between
> > using WinDBG and driver verifier I found over 10 bugs that SoftICE had
> > obscured.
> >



That is not intuitive. I thought the first arg was a type.

So what if it wasn’t a pointer? What if it was a struct and I wanted to print

foo.member->ptr->bar

Beverly

On 1/17/07, Doron Holan wrote:
> That is what I gave you :wink:
>
> dt ptr member.another_ptr->foo
>
> no type info, just the symbol by name and then the underlying “C”
> statement to get at the right field.
>
> Look at the -a flag for dt to look at dumping arrays.
>
> d

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Beverly Brown[SMTP:xxxxx@gmail.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, January 17, 2007 9:27 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Kernel debug in Windbg using tcp - is it possible?
>
> IMO, using a debugger is a lot faster than cluttering your code with
> lots of debugging printfs.

Traces should be an integral part of the code. Our standard is that every function reports its name, all parameters, its return value and elapsed time. The trace infrastructure adds other important info such as PID + TID, system time, IRQL, CPU number etc. A developer can add more traces when he feels there is something important to print, for example when an API or DDI returns an error.

If code is written reasonably, you don’t need to add traces just for debugging. They should already be there.

> That is usually an iterative process where
> you display something, see that it’s wrong and then need to display
> something else to see why it’s wrong. Using a debugger, you can
> examine other variable and look at the stack, set breakpoints, etc,
> and therefore find the reason why something got set wrong a lot
> faster.

An iterative process is good for learning. Otherwise, it is very limited and inefficient. Most of the problems we have to solve are real time, where a debugger can’t be used at all.

The main advantage of traces is that all the tiresome work can be done by somebody else. When somebody reports a problem to me, I just reply with instructions on how to set up traces. Some time later I receive the captured traces, examine them and in most cases I can see the problem within 5 minutes. We already taught our QA what traces we need to see for common scenarios, so we usually receive a report with traces. This way I save a lot of time which can be used for something more important than playing with a debugger. For example, for such discussions :wink:

> In fact, stepping through code the first time it’s executed can catch
> bugs that wouldn’t show up otherwise until sometime later in the
> development/test cycle, or worse, in the end user’s system.

This is a job for static analysis tools and mainly for asserts. It is much more efficient than stepping through code. An assert always guards the code even if there is no developer with a debugger. Asserts should be an integral part of the code, too.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
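The trace-and-assert standard Michal describes (every function reports its name, parameters, return value and elapsed time; asserts guard the contract without a debugger), as an added user-mode C analogue that is not code from the list or from UPEK: the in-memory trace sink, the TRACE_ENTER/TRACE_LEAVE macros, open_device and the fake_ddi_open stand-in are all constructed for this example, and the kernel-only stamps (PID + TID, IRQL, CPU number) are noted in a comment rather than implemented.

```c
#include <assert.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed in-memory trace sink standing in for a driver's trace
 * infrastructure. A kernel sink would also stamp PID + TID, system time,
 * IRQL and CPU number on each record; those need kernel APIs, omitted here. */
#define TRACE_MAX 32
static char g_trace[TRACE_MAX][128];
static int g_trace_count;

static void trace_emit(const char *fmt, ...) {
    if (g_trace_count >= TRACE_MAX) return;        /* drop records on overflow */
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_trace[g_trace_count++], sizeof g_trace[0], fmt, ap);
    va_end(ap);
}

/* Per-call scope: function name and entry tick, so the LEAVE record can
 * report elapsed time next to the return value. */
typedef struct { const char *name; clock_t start; } trace_scope_t;

#define TRACE_ENTER(scope, fmt, ...) do {                                    \
    (scope).name = __func__; (scope).start = clock();                        \
    trace_emit("ENTER %s(" fmt ")", __func__, __VA_ARGS__);                  \
} while (0)

#define TRACE_LEAVE(scope, status) do {                                      \
    double ms = (double)(clock() - (scope).start) * 1000.0 / CLOCKS_PER_SEC; \
    trace_emit("LEAVE %s -> %ld (%.3f ms)", (scope).name, (long)(status), ms); \
} while (0)

/* Hypothetical DDI stand-in: succeeds (0) for a positive device id, else -1. */
static long fake_ddi_open(int device_id) { return device_id > 0 ? 0 : -1; }

/* A function written to the post's standard: it reports its name and
 * parameters on entry, every failing DDI call, and its return value plus
 * elapsed time on exit; the assert guards the contract with no debugger. */
long open_device(int device_id, int retries) {
    trace_scope_t sc;
    long status = -1;
    TRACE_ENTER(sc, "device_id=%d, retries=%d", device_id, retries);
    assert(retries >= 0);
    for (int i = 0; i <= retries && status != 0; i++) {
        status = fake_ddi_open(device_id);
        if (status != 0)
            trace_emit("  fake_ddi_open failed, status=%ld (attempt %d)", status, i + 1);
    }
    TRACE_LEAVE(sc, status);
    return status;
}
/* Accessors so a captured trace can be examined after the fact. */
int trace_count(void) { return g_trace_count; }
const char *trace_line(int i) { return g_trace[i]; }
void trace_reset(void) { g_trace_count = 0; }

int main(void) {
    open_device(0, 1);                               /* exercise the failure path */
    for (int i = 0; i < trace_count(); i++) puts(trace_line(i));
    return 0;
}
```

Reading the captured records is enough to see which DDI call failed, on which attempt and with what status, which is the point of having the traces in the code before a problem is reported.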