I’ve looked all over for this and I would think that this is something many developers would do. I need to trace to make sure the driver does some initialization correctly. The basic problem: before it’s loaded you don’t know where to set the breakpoint; after it’s loaded, well, it’s run through its initialization. I would imagine there should be a flag, or I should be able to call a breakpoint() function in the driver to get into the debugger. Any ideas?
Well, you either put a breakpoint in your driver entry that you only execute when a particular registry key is set (BreakOnEntry), or you set windbg loader ld (loader exception breakpoint…); look up the sxe ld command.
Mark Cariddi
OSR Open Systems Resources, Inc
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Bu !DriverEntry
Mm
Thanks!
If this is a driver you are developing, why don’t you know where to set
the breakpoint? If you want to break at a specific function, then you
do so:
bp mydriver!DoInitialization
As long as your symbol path is set up correctly, nothing could be simpler.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
I was assuming that the debugger wouldn’t know yet about drivers that are not loaded yet, so that I wouldn’t be able to set breakpoints for a non-loaded driver, but you are saying that I can, so great.
Thanks!
Remember to use ‘bu’ instead of ‘bp’.
I ‘think’ WinDbg will change a ‘bp’ to a ‘bu’ if you forget, but I think of it as a mental note that the driver is not yet loaded – (u)ninstantiated.
Typically you set WinDbg to break on entry. Once you break in, type
bu MyDriver!DriverEntry
g
The breakpoint is not set at that point, but WinDbg watches for MyDriver.sys. When it loads, then it sets the breakpoint before control is given to your driver.
OK I have a breakpoint at my driver entry. I also have an event on load module:
Load module cspdrv.sys - enabled - not handled
I proceed with the install of my driver and first break point is at
nt!DebugService2+0x10:
8052e4f4 cc int 3
presumably that’s the Load module event?
then I check to see if my driver is loaded which it is ( both by module list and disassembly of it)
then I make sure that a breakpoint is set at my driver entry
and then hit go and I get this:
kd> g
*** Fatal System Error: 0x0000007e
(0xC0000005,0x805A3271,0xF7A4C9F8,0xF7A4C6F4)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Mon Aug 15 14:20:48.347 2011 (UTC - 4:00)), ptr64 FALSE
Loading Kernel Symbols
…
…
Loading User Symbols
Loading unloaded module list
…
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 805a3271, f7a4c9f8, f7a4c6f4}
Probably caused by : memory_corruption ( nt!MiEnablePagingOfDriver+27 )
Followup: MachineOwner
nt!RtlpBreakWithStatusInstruction:
80527c0c cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805a3271, The address that the exception occurred at
Arg3: f7a4c9f8, Exception Record Address
Arg4: f7a4c6f4, Context Record Address
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!MiEnablePagingOfDriver+27
805a3271 0fb74314 movzx eax,word ptr [ebx+14h]
EXCEPTION_RECORD: f7a4c9f8 – (.exr 0xfffffffff7a4c9f8)
ExceptionAddress: 805a3271 (nt!MiEnablePagingOfDriver+0x00000027)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014
CONTEXT: f7a4c6f4 – (.cxr 0xfffffffff7a4c6f4)
eax=00000000 ebx=00000000 ecx=f7a4cb3c edx=edcd4000 esi=00000000 edi=f7a4ccdc
eip=805a3271 esp=f7a4cac0 ebp=f7a4cad0 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!MiEnablePagingOfDriver+0x27:
805a3271 0fb74314 movzx eax,word ptr [ebx+14h] ds:0023:00000014=???
Resetting default scope
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000014
READ_ADDRESS: 00000014
FOLLOWUP_IP:
nt!MiEnablePagingOfDriver+27
805a3271 0fb74314 movzx eax,word ptr [ebx+14h]
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 805a4366 to 805a3271
STACK_TEXT:
f7a4cad0 805a4366 edcd4000 805540c0 805540e0 nt!MiEnablePagingOfDriver+0x27
f7a4cc6c 80576595 f7a4ccf0 00000000 00000000 nt!MmLoadSystemImage+0xaae
f7a4cd4c 805769a1 80000924 00000001 00000000 nt!IopLoadDriver+0x371
f7a4cd74 80534ca0 80000924 00000000 867c4640 nt!IopLoadUnloadDriver+0x45
f7a4cdac 805c62c2 f70becf4 00000000 00000000 nt!ExpWorkerThread+0x100
f7a4cddc 80541e82 80534ba0 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!MiEnablePagingOfDriver+27
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4d00d46f
STACK_COMMAND: .cxr 0xfffffffff7a4c6f4 ; kb
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x7E_nt!MiEnablePagingOfDriver+27
BUCKET_ID: 0x7E_nt!MiEnablePagingOfDriver+27
Followup: MachineOwner
I know it has to be my driver, yet the driverentry point never gets hit. Any ideas on how to interpret this?
Bernie
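Added example, not part of the original post or the list's replies: a Python triage helper run over lines taken from the `!analyze -v` output above. It checks whether the faulting read is a zero base register plus a small offset and lists which modules appear in STACK_TEXT; the names `triage` and `SAMPLE` and the `driver` default are this example's own.

```python
import re

# Constructed sample: lines trimmed from the !analyze -v output quoted in the post.
SAMPLE = """\
BugCheck 7E, {c0000005, 805a3271, f7a4c9f8, f7a4c6f4}
eax=00000000 ebx=00000000 ecx=f7a4cb3c edx=edcd4000 esi=00000000 edi=f7a4ccdc
eip=805a3271 esp=f7a4cac0 ebp=f7a4cad0 iopl=0 nv up ei pl nz ac po nc
805a3271 0fb74314 movzx eax,word ptr [ebx+14h] ds:0023:00000014=???
READ_ADDRESS: 00000014
STACK_TEXT:
f7a4cad0 805a4366 edcd4000 805540c0 805540e0 nt!MiEnablePagingOfDriver+0x27
f7a4cc6c 80576595 f7a4ccf0 00000000 00000000 nt!MmLoadSystemImage+0xaae
f7a4cd4c 805769a1 80000924 00000001 00000000 nt!IopLoadDriver+0x371
f7a4cd74 80534ca0 80000924 00000000 867c4640 nt!IopLoadUnloadDriver+0x45
"""

def triage(text, driver="cspdrv"):
    """Summarise an x86 access-violation bugcheck from !analyze -v text."""
    bug = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    args = [int(a, 16) for a in bug.group(2).split(",")]
    # Register dump: "eax=00000000 ebx=00000000 ..." (32-bit registers only).
    regs = {k: int(v, 16)
            for k, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    # Memory operand of the faulting instruction, e.g. "[ebx+14h]".
    op = re.search(r"\[(e[a-z]{2})\+([0-9a-f]+)h\]", text)
    base, disp = op.group(1), int(op.group(2), 16)
    read_addr = int(re.search(r"READ_ADDRESS:\s*([0-9a-f]+)", text).group(1), 16)
    # Stack frames: "<ebp> <ret> <arg1> <arg2> <arg3> module!function+0xNN".
    frames = re.findall(r"^(?:[0-9a-f]{8} ){5}(\w+)!(\w+)", text, re.M)
    return {
        "bugcheck": int(bug.group(1), 16),
        "exception": args[0],
        "fault_ip_matches_eip": args[1] == regs["eip"],
        # NULL base pointer plus field offset explains the low read address.
        "null_base": regs[base] == 0 and regs[base] + disp == read_addr,
        "base": base,
        "offset": disp,
        "modules": sorted({mod for mod, _ in frames}),
        "driver_on_stack": any(mod.lower() == driver for mod, _ in frames),
        "in_image_load": any(fn == "MmLoadSystemImage" for _, fn in frames),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For this dump it reports only `nt` frames on the stack, inside the image-load path (`MmLoadSystemImage`), with no `cspdrv` frame, which matches the observation that the `DriverEntry` breakpoint was never reached.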
Have you built this driver with the normal WDK environment,
or with something else (Visual C, makefile etc) ?
–pa