Getting past SYSENTER

Hi,

I am trying to single-step the disassembly code for MapViewOfFile().

After some time, I hit SYSENTER. How do I get past this?

Thanks,
Vinay

Impossible…

SYSENTER is the entry to the kernel mode, and, at this point, UM debugger cannot do anything. The only tool that allowed stepping between KM and UM was SoftIce, but it is gone now…

Anton Bassov

You need a kernel debugger to step through the kernel's implementation of NtMapViewOfSection.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> Hi,
>
> I am trying to single-step the disassembly code for MapViewOfFile().
>
> After some time, I hit SYSENTER. How do I get past this?
>
>
> Thanks,
> Vinay
>

So, if I use kd and put a breakpoint in NtMapViewOfSection(), that should work, right?

Vinay

On 8/12/08, xxxxx@gmail.com wrote:
> So, if I use kd and put a breakpoint in NtMapViewOfSection(), that should work, right?

yes

but NtMapViewOfSection is in a hot path (i.e. it is called innumerable times),

so filter down the bp as much as possible.

use

!process 0 0 "Your Exe"

then do

.process /i <EPROCESS from !process 0 0 "Your Exe">

then do

bp /p <EPROCESS> nt!NtMapViewOfSection

and then when you step into sysenter, kd should break and you should be
in the right place :)

here is an output for reference

kd> kv
ChildEBP RetAddr Args to Child
f7551d34 804df06b 000000d4 ffffffff 0012fe24 nt!NtMapViewOfSection (FPO: [Non-Fpo])
f7551d34 7c90eb94 000000d4 ffffffff 0012fe24 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f7551d64)
0012fdd4 7c90dc61 7c80b779 000000d4 ffffffff ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012fdd8 7c80b779 000000d4 ffffffff 0012fe24 ntdll!NtMapViewOfSection+0xc (FPO: [10,0,0])
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fe10 7c80b7a8 000000d4 00000004 00000000 0x7c80b779
0012fe30 0040129b 000000d4 00000004 00000000 0x7c80b7a8
0012fe4c 77d48709 000400b4 00000111 00000002 0x40129b
0012fe78 77d487eb 00401118 000400b4 00000111 0x77d48709
0012ffd0 8054b038 0012ffc8 811afda8 ffffffff 0x77d487eb
00130008 00000000 000000c4 00000000 00000020 nt!ExFreePoolWithTag+0x676 (FPO: [Non-Fpo])
kd> dd esp la
f7551d38 804df06b 000000d4 ffffffff 0012fe24
f7551d48 00000000 00000000 0012fe08 0012fe20
f7551d58 00000001 00000000
kd> ? poi(esp+c)
Evaluate expression: 1244708 = 0012fe24
kd> db poi(esp+c) l10
0012fe24 00 00 00 00 00 00 00 00-00 00 00 00 4c fe 12 00 …L…
kd> db poi(esp+18) l10
0012fe08 00 00 00 00 00 00 00 00-30 fe 12 00 a8 b7 80 7c …0…|
kd> db poi(esp+1c) l10
0012fe20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
kd> ? eip
Evaluate expression: -2141766652 = 80573c04
kd> ln eip
(80573c04) nt!NtMapViewOfSection | (80573f30) nt!FsRtlAcquireToCreateMappedSection
Exact matches:
nt!NtMapViewOfSection =
kd> !handle d4 Section
, process 811d8998
PROCESS 811d8998 SessionId: 0 Cid: 06c8 Peb: 7ffd8000 ParentCid: 016c
DirBase: 02a56000 ObjectTable: e16d34e8 HandleCount: 78.
Image: FILEMAP.EXE

Handle table at e102c000 with 78 Entries in use
00d4: Object: e192bc50 GrantedAccess: 000f0005 Entry: e102c1a8
Object: e192bc50 Type: (812e5040) Section
ObjectHeader: e192bc38 (old version)
HandleCount: 1 PointerCount: 1

kd> !object e192bc50
Object: e192bc50 Type: (812e5040) Section
ObjectHeader: e192bc38 (old version)
HandleCount: 1 PointerCount: 1

kd> bl
1 e 80573c04 0001 (0001) nt!NtMapViewOfSection
Match process data 811d8998

corresponding usermode stack

0012FDDC 7C80B779 RETURN to kernel32.MapViewOfFileEx+5B from ntdll.ZwMapViewOfSection
0012FDE0 000000D4
0012FDE4 FFFFFFFF
0012FDE8 0012FE24
0012FDEC 00000000
0012FDF0 00000000
0012FDF4 0012FE08
0012FDF8 0012FE20
0012FDFC 00000001
0012FE00 00000000
0012FE04 00000002
0012FE08 00000000
0012FE0C 00000000
0012FE10 /0012FE30
0012FE14 |7C80B7A8 RETURN to kernel32.7C80B7A8 from kernel32.MapViewOfFileEx
0012FE18 |000000D4
0012FE1C |00000004
0012FE20 |00001000
0012FE24 |009D0000 ASCII “This is the example from Iczelion’s Win32
Assembly Tutorial part 13.
In order to assemble the example, you have to have ml.exe, link.exe
rc.exe and nmake.exe in your path.
If they’re not in the path, you will have to edit makefile to i”…


hope that helps

regards

raj

Hi,

I am doing kernel debugging. I have put a breakpoint in NtMapViewOfSection() and when it breaks, I want to single-step the code.

After a couple of single steps, sysenter is called. When I press F11, it is calling ret from NtMapViewOfSection(). Looks like it has not gone past NtMapViewOfSection().

I have pasted the output. Please let me know why this is happening.

2: kd> p
ntdll!NtMapViewOfSection+0xa:
001b:7c90dc5f ff12 call dword ptr [edx]
2: kd> p
KtFilter…
ntdll!NtMapViewOfSection+0xc:
001b:7c90dc61 c22800 ret 28h
2: kd> g
Breakpoint 0 hit
ntdll!ZwMapViewOfSection:
001b:7c90dc55 b86c000000 mov eax,6Ch
7: kd> p
ntdll!NtMapViewOfSection+0x5:
001b:7c90dc5a ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7: kd> p
ntdll!NtMapViewOfSection+0xa:
001b:7c90dc5f ff12 call dword ptr [edx]
7: kd> t
ntdll!KiFastSystemCall:
001b:7c90eb8b 8bd4 mov edx,esp
7: kd> p
ntdll!KiFastSystemCall+0x2:
001b:7c90eb8d 0f34 sysenter
7: kd> t
ntdll!NtMapViewOfSection+0xc:
001b:7c90dc61 c22800 ret 28h
7: kd> p
001b:75b5a0d4 3bc3 cmp eax,ebx
7: kd> p
001b:75b5a0d6 7c02 jl 75b5a0da
7: kd> p
001b:75b5a0d8 0137 add dword ptr [edi],esi
7: kd> p
001b:75b5a0da 5f pop edi

Thanks,
Vinay

Put a breakpoint on ZwMapViewOfSection() and then see what happens
when sysenter is executed. When you understand how that works you'll
have genuinely learned something about the kernel.

Mark.

At 11:10 11/09/2008, xxxxx@gmail.com wrote:

xxxxx@gmail.com wrote:

> I am doing kernel debugging.

No, you’re not. Well, you may be using a kernel debugger, but you are
doing user-mode debugging.

> I have put a breakpoint in NtMapViewOfSection() and when it breaks, I want to single-step the code.
>
> After a couple of single steps, sysenter is called. When I press F11, it is calling ret from NtMapViewOfSection(). Looks like it has not gone past NtMapViewOfSection().

No, of course not. "sysenter" causes a transition to kernel mode, where
the bulk of NtMapViewOfSection is implemented. windbg cannot
single-step from user mode to kernel mode, so it hops over the top of
the "sysenter" instruction. When it returns, the section has been
mapped, so NtMapViewOfSection can return.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
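Tying raj's process-filtered breakpoint to Tim's point that the debugger hops over sysenter, here is an added kd session that is not part of the original thread. It reuses the image name FILEMAP.EXE, the EPROCESS address 811d8998 and the user-mode return point ntdll!NtMapViewOfSection+0xc from the stacks posted above; `$proc` is WinDbg's pseudo-register for the current process's EPROCESS, and the output lines shown are abbreviated from raj's transcript.

```text
$$ 1. Locate the target process and make it the current context.
kd> !process 0 0 FILEMAP.EXE
PROCESS 811d8998  SessionId: 0  Cid: 06c8  Peb: 7ffd8000  ...  Image: FILEMAP.EXE
kd> .process /i 811d8998
kd> g
$$ The invasive switch only completes at the next break; $proc is now 811d8998.

$$ 2. Filter the hot kernel entry point down to this process.
kd> bp /p $proc nt!NtMapViewOfSection
kd> bl
 0 e 80573c04 0001 (0001) nt!NtMapViewOfSection
     Match process data 811d8998
kd> g
$$ Calls from every other process no longer stop the machine.

$$ 3. Break in the kernel instead of trying to "t" through sysenter.
Breakpoint 0 hit
nt!NtMapViewOfSection:
kd> kv
$$ Kernel frames (f7551...) sit above the user frames (0012...): the user-mode
$$ "call dword ptr [edx]" -> KiFastSystemCall -> sysenter landed in nt!KiFastCallEntry.
kd> dd esp la
$$ esp+4 = SectionHandle (000000d4), esp+8 = ProcessHandle (ffffffff),
$$ esp+c = user pointer to the BaseAddress out-parameter (0012fe24).
kd> !handle d4 3 811d8998
$$ Confirms that handle d4 is the Section object being mapped.

$$ 4. Walk back out to user mode without single-stepping the transition.
kd> gu
$$ Returns into nt!KiFastCallEntry+0xf8, the code that executes sysexit.
kd> bp /p $proc ntdll!NtMapViewOfSection+0xc
kd> g
$$ Now at the "ret 28h" following the stub: eax holds the NTSTATUS and the
$$ BaseAddress slot (esp+c, 0012fe24) now holds the mapped view (009d0000).
kd> r eax
kd> dd poi(esp+c) l1
```

Every breakpoint carries `/p $proc` because ntdll is shared by all processes, so an unfiltered user-mode address stops on every caller just as the kernel entry point does.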