how can I find the source line from the dump file

My free-built driver causes a BSOD. My driver’s symbol file cannot be loaded successfully.
The dump information is listed as follows:

BugCheck 8E, {c0000005,90CC0209,9F07EBAC,0}

FOLLOWUP_UP:
videofilter+1209
90cc0209 837F1401 cmp dword ptr[edi+4],1
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: videofilter+1209


IMAGE_NAME videofilter.sys

I searched for the instruction “cmp dword ptr[edi+4],1” in the .asm file, but that instruction is not there.

I want to know whether I can get the source code line from the virtual address and “videofilter+1209”.

Thank you very much.

And have you already run through these basic steps?

  1. Create a checked build, try it along with its corresponding symbols.
  2. Since c0000005 represents an access violation, I’m assuming you’re dereferencing
    a bad address (code / design review).
  3. In some cases, Driver Verifier can help here (do you have it turned on)
  4. Break points - single step then forward/watches
  5. Repeat the above with checked kernel…

Finally, post the output of “!analyze -v” from windbg here. What you posted
is not what should be called dump information, though such limited
information is indeed “DUMP” related.

If you CAN get the actual source line, then some of the above steps must be
followed first.

Matt

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, February 15, 2009 12:42 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] how can I find the source line from the dump file



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> I want to know can I get the source code line from virtual address and “videofiler+1209”?

It is impossible without debug symbols. IIRC, it has been mathematically proved that compilation is a one-way process - given an ASM file generated by a compiler it is impossible to reproduce the original C file from it, because different sources may result in exactly the same ASM file. Therefore, assuming a free build, your task is plainly infeasible - first of all, you have to build your binary with debug symbols if you want to accomplish something like that. This is what the checked build is for…

Anton Bassov

Whether or not symbols are generated is independent of whether a checked or free build is made.

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Sunday, February 15, 2009 2:27 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how can I find the source line from the dump file


Why can’t your symbol file be loaded? Unless the reason is that you
don’t have one, this is without question the place to start.

  1. What kind of error messages are you getting when you try to load your
    symbols?

  2. Have you tried something like this?

.symopt+ 0x80000000
.sympath srv*c:\sym*http://msdl.microsoft.com/download/symbols
.reload -f -n

lme

The last command should list files that have symbol problems.

Good luck,

mm


Not that this is on topic, but you can sometimes produce something
useful, i.e. the Hex-Rays decompiler.

http://www.hex-rays.com/decompiler.shtml

I can’t say that I would have bet on this myself, but then again, I
didn’t write IDA, and it indeed does work quite well in some cases (I’m
told by people I trust; my copy is on its way).

mm


People have been reverse engineering assembly to a useful approximation of
the original sources for decades.
But the OP’s problem, as noted elsewhere, is the OP’s lack of symbols for
his free build driver. With those symbols, a debugger, and the original
source files, it is fairly trivial to get to the approximate line of code
where things went wrong. Note that the compiler is happy to produce the
source code annotated assembly output for your free build sources as well as
the symbols, which makes life even easier.

Mark Roddy

On Sun, Feb 15, 2009 at 2:34 PM, Martin O’Brien wrote:

> Not that this is on topic, but you can sometimes produce something useful,
> i. e. - Hexrays decompiler.

> My free-built driver causes a BSOD. My driver’s symbol file cannot be loaded
> successfully.
> The dump information is listed as follows:

If you haven’t made any changes in your source code, you may be able to
simply rebuild it. Set the symbol search path to include the directory where
your .pdb file is, then do a .reload with the “-i” option to force WinDbg to
use your newly built symbol file.

Another option is to use the .map file that the linker will build if you say
LINKER_OPTIONS = -map in your SOURCES file. That will let you find the
function that contains the fault address. If you add the -Fa option to the
compiler options for the containing file, you’ll get an assembly listing
that you may be able to correlate with the instruction dump.

From now on, of course, you know you need to archive the .pdb files from
every build of your driver that you let anyone else have.

Walter Oney
Consulting and Training
www.oneysoft.com
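
Walter Oney’s .map-file route, worked through as an added example (this is not code from his post or from any real build): a Python script that takes the module-relative offset WinDbg printed (videofilter+1209) and the faulting address from the bugcheck parameters, recovers the base the driver was actually loaded at, and reads a linker .map to find the function containing the fault and the offset into it. The .map excerpt, the function names, the section layout and the preferred load address are all constructed for illustration. The thing it makes visible is that the runtime address in the dump (0x90CC0209) never appears in the map, because the map is written against the preferred load address and the driver was relocated, so everything has to go through the RVA.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not real build output): an excerpt laid out like a
# Microsoft linker .map file for a hypothetical videofilter.sys.
SAMPLE_MAP = """\
 videofilter

 Preferred load address is 00010000

 Start         Length     Name                   Class
 0001:00000000 00001a40H .text                   CODE
 0002:00000000 00000200H .rdata                  DATA

  Address         Publics by Value              Rva+Base       Lib:Object
 0001:00000000       _DriverEntry@8             00010400 f   driver.obj
 0001:000000f0       _VfAddDevice@8             000104f0 f   driver.obj
 0001:00000b00       _VfStartDevice@8           00010f00 f   pnp.obj
 0001:00000e80       _VfRemoveDevice@8          00011280 f   pnp.obj
 0002:00000000       _VfDeviceName              00011e40     driver.obj
"""

LOAD_RE = re.compile(r"Preferred load address is ([0-9A-Fa-f]+)")
SECTION_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)H\s+(\S+)\s+(\S+)")
PUBLIC_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{8})\b")

@dataclass
class Section:
    index: int
    length: int
    cls: str          # CODE or DATA

@dataclass
class Public:
    section: int
    offset: int       # offset within its section (the "Start" column)
    name: str
    rva: int          # "Rva+Base" column minus the preferred load address

@dataclass
class MapFile:
    preferred_base: int
    sections: List[Section]
    publics: List[Public]

def parse_map(text: str) -> MapFile:
    """Pull the preferred base, the section table and the public symbols out of a .map."""
    base, sections, publics = None, [], []
    for line in text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append(Section(int(m.group(1)), int(m.group(3), 16), m.group(5)))
            continue
        m = PUBLIC_RE.match(line)
        if m and base is not None:
            rva = int(m.group(4), 16) - base
            publics.append(Public(int(m.group(1)), int(m.group(2), 16), m.group(3), rva))
    if base is None:
        raise ValueError("no 'Preferred load address' line found")
    return MapFile(base, sections, publics)

def parse_followup(followup: str) -> Tuple[str, int]:
    """Split WinDbg's 'module+offset' form; the hex offset is relative to the module base."""
    module, sep, offset = followup.partition("+")
    if not sep or not offset:
        raise ValueError("expected module+offset, got %r" % followup)
    return module, int(offset, 16)

def module_base(fault_address: int, offset: int) -> int:
    """Where the driver was actually loaded when the dump was taken."""
    return fault_address - offset

def locate(fault_rva: int, mf: MapFile) -> Optional[Tuple[str, int]]:
    """Return (function name, offset into that function) for a code RVA, or None."""
    code_len = {s.index: s.length for s in mf.sections if s.cls == "CODE"}
    best = None
    for p in mf.publics:
        if p.section in code_len and p.rva <= fault_rva and (best is None or p.rva > best.rva):
            best = p
    if best is None:
        return None
    section_start = best.rva - best.offset
    if fault_rva >= section_start + code_len[best.section]:
        return None       # past the end of the section: not inside this function
    return best.name, fault_rva - best.rva

if __name__ == "__main__":
    module, offset = parse_followup("videofilter+1209")   # SYMBOL_NAME from the dump
    base = module_base(0x90CC0209, offset)                 # 0x90CC0209 = bugcheck arg 2
    hit = locate(offset, parse_map(SAMPLE_MAP))
    print("%s loaded at 0x%08x, fault RVA 0x%x -> %s" % (module, base, offset, hit))
```

With the sample map the fault lands 0x309 bytes into _VfStartDevice in pnp.obj, so pnp.c is the file to compile with the assembly listing option; in a listing that includes machine code the instruction offsets are relative to the function start, so 0x309 is the offset to scan for. The base this computes (0x90CBF000) is also what you would hand to WinDbg if you had to load the module by hand.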

The OP should also archive the .sys files too, or they won’t be able to debug minidumps.

The best way to do this is to create a symbol server store with symstore.exe that gets updated as part of the build process.

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Walter Oney
Sent: Sunday, February 15, 2009 5:47 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] how can I find the source line from the dump file


> I didn’t write IDA, and it indeed does work quite well in some cases

Indeed, it is an EXTREMELY useful tool when it comes to disassembly - it can even make some suggestions about the variables. However, using the term “decompiling” in reference to it is, IMHO, still a gross exaggeration…

Anton Bassov

> Whether or not symbols are generated is independent of whether a checked or free build is made.

True, but in the latter case your symbols will be in a separate file, and, if I got it right, this is the root of the problem here - for this or that reason the OP is unable to load the symbol file. Therefore, I suggested that he can, probably, just use the checked build…

Anton Bassov

No, unless you have gone (very) out of your way to do something strange to your build environment to convince it to use an ancient symbol format, the symbols will be placed in a .pdb and never embedded into the binary. That hasn’t been the standard for many, many years. All that is in the binary is a pointer to the .pdb.

All of this is completely independent of a checked or free build with the default build environment.

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Sunday, February 15, 2009 6:43 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how can I find the source line from the dump file

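
Skywing’s point that the binary holds only a pointer to its .pdb can be checked directly. The following is an added Python example, not code from the thread or from any project: it walks a PE image to the CodeView (RSDS) record in the debug directory and returns the PDB path, GUID and age that the debugger compares against the .pdb it finds on the symbol path. So that it runs offline, the image it parses is a minimal PE32 the script builds itself, with a made-up GUID, age and path; to inspect a real driver, pass the bytes of the .sys file to read_codeview.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIR_INDEX = 6              # IMAGE_DIRECTORY_ENTRY_DEBUG
DEBUG_ENTRY_FMT = "<IIHHIIII"    # IMAGE_DEBUG_DIRECTORY (28 bytes)

@dataclass
class PdbReference:
    pdb_path: str
    guid: uuid.UUID
    age: int

def _rva_to_offset(sections: List[Tuple[int, int, int]], rva: int) -> int:
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def read_codeview(image: bytes) -> Optional[PdbReference]:
    """DOS header -> PE signature -> optional header -> debug directory -> RSDS record."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:        # PE32: data directories begin 96 bytes in
        dd_base = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dbg_rva, dbg_size = struct.unpack_from("<II", image, dd_base + 8 * DEBUG_DIR_INDEX)
    if dbg_size == 0:
        return None                                   # image carries no debug directory
    sec_tbl = opt + opt_size
    sections = []
    for i in range(num_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_tbl + 40 * i)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    dbg_off = _rva_to_offset(sections, dbg_rva)
    for i in range(dbg_size // 28):
        _, _, _, _, kind, size, _, raw_ptr = struct.unpack_from(DEBUG_ENTRY_FMT, image, dbg_off + 28 * i)
        if kind != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        blob = image[raw_ptr:raw_ptr + size]
        if blob[:4] != b"RSDS":
            continue                                  # older CodeView layouts are not handled here
        guid = uuid.UUID(bytes_le=bytes(blob[4:20]))
        age = struct.unpack_from("<I", blob, 20)[0]
        path = blob[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return PdbReference(path, guid, age)
    return None

def symbol_store_path(ref: PdbReference) -> str:
    """Relative path under which a symbol store (symstore.exe layout) files this exact PDB."""
    name = ref.pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return "%s/%s%X/%s" % (name, ref.guid.hex.upper(), ref.age, name)

# --- constructed sample image (hypothetical values; not a real videofilter.sys) ---
SAMPLE_PDB_PATH = "c:\\build\\videofilter.pdb"
SAMPLE_GUID = "12345678-1234-5678-1234-56789abcdef0"
SAMPLE_AGE = 3

def build_image(pdb_path: str, guid: uuid.UUID, age: int) -> bytes:
    """Minimal PE32 with one section holding a debug directory entry and an RSDS record."""
    blob = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\0"
    sec_rva, sec_raw = 0x1000, 0x200
    entry = struct.pack(DEBUG_ENTRY_FMT, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(blob), sec_rva + 28, sec_raw + 28)
    data = entry + blob
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * DEBUG_DIR_INDEX, sec_rva, len(entry))
    sec_hdr = struct.pack("<8sIIII", b".rdata\0\0", len(data), sec_rva, len(data), sec_raw) + bytes(16)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers + bytes(sec_raw - len(headers)) + data

def sample_image() -> bytes:
    return build_image(SAMPLE_PDB_PATH, uuid.UUID(SAMPLE_GUID), SAMPLE_AGE)

if __name__ == "__main__":
    ref = read_codeview(sample_image())
    print(ref, "->", symbol_store_path(ref))
```

The GUID plus age is the match key: every link changes it (a new GUID, or at least a bumped age), so a dump from the shipped .sys will not match a .pdb from a later rebuild unless the mismatch is overridden with .reload -i, which is also why the thread advises archiving both files per build. The same key is the subdirectory name symstore.exe files the .pdb under, and with .symopt+ 0x80000000 set, WinDbg’s symbol-loading trace shows exactly which key it looked for and why a candidate file was rejected.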

It has nothing to do with free or checked build. You have PDBs for checked or free when you build an executable, at least starting from ddk2195, as the default build behavior.

In some ancient versions (so old that I can't remember which off the top of my head), the default build behavior was embedding symbols in the executable. In that case, rebase.exe will "cut" the symbols and "paste" them into a .pdb file.

Calvin Guan
Broadcom Corp.
Connecting Everything®


Thank you very much.

Yes, the .pdb file has been created along with the free-built .sys file.
In the dump file, when I run !analyze -v, there is the following message:
PEB is paged out (peb.ldr = 7ffd800c). type “.hh dbgerr001” for details.

Thanks again.

That message can be safely ignored for your purposes, as the documentation states.

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Sunday, February 15, 2009 8:30 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how can I find the source line from the dump file


Johnson

> That message can be safely ignored for your purposes, as the documentation states.

Do you mean that I can load the symbols successfully?

Thank you very much.

> Some ancient (so old such that I couldn’t remember off top of my head), the default build
> behavior is embedding symbol in the executable. For such case, rebase.exe will “cut” the
> symbols and “paste” 'em into a dot pdb file.

Actually, the above paragraph gives a pretty accurate description of how I was source-debugging Windows drivers (SoftIce was the tool of my choice). IIRC, I was building a binary (checked build) with -build -cz,
loading it into SoftIce, then translating symbols, and at this point a symbol file appeared in the directory where my .sys file was located. Every subsequent rebuild required reloading the .sys and re-translating the symbols - otherwise, outdated symbols were used by SoftIce.

However, it was not that long ago…

Anton Bassov

It was fairly easy to add a step to the build to create the NMS file for
SoftIce. I always built it as windbg wasn’t worth even trying. It was a
few years later when windbg became stable and I quit also building the same
drivers for 9x (different sources, but functionally the same).


Another cool thing is that you can embed source files into the .nms. SoftIce is damn cool. (Yes, I know it can get wild.)

Calvin Guan
Broadcom Corp.
Connecting Everything®

— On Sun, 2/15/09, xxxxx@hotmail.com wrote:

From: xxxxx@hotmail.com
Subject: RE:[ntdev] how can I find the source line from the dump file
To: “Windows System Software Devs Interest List”
Date: Sunday, February 15, 2009, 8:24 PM


Via an automated tool (as a first pass)?

mm

Mark Roddy wrote:

People have been reverse engineering assembly to a useful approximation
of the original sources for decades.
