I recently had to debug a crash that occurred when I unloaded my
driver. The crash had to do with something like “driver unloaded
without cancelling pending operations”. When I had the crash dump or
debugger attached, I would get the stack, but one of the items would
be <unloaded_mydriver.sys>+0x1fda0.
I have the PDBs for my driver, but I guess windbg won’t look at them
for unloaded drivers. The only way I could think of mapping 0x1fda0
to some function was to reboot, then break into a running system with
the driver loaded, then disassemble the driver base address+offset and
see what windbg came up with.
So, long story short, my question is: is there an easier way of
getting windbg to look up the function for an offset from an unloaded
module? I’d preferably like to do it within the same debugging/crash
analysis session.
Hopefully the answer isn’t too trivial
thanks!
There are a couple of ways. On your target machine (or any normally
running machine with the right binary) you can directly open your driver
with -z, like
kd -z .sys -y
and then you can use ln to resolve addresses to symbols.
Even easier, if your kd has the right setup and the module list slot
that your driver was using is open you can directly recreate the module
entry with
.reload /unl .sys
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of KT
Sent: Thursday, May 18, 2006 5:09 PM
To: Kernel Debugging Interest List
Subject: [windbg] how to easily map offset of unloaded image to function
name
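An offline alternative to the debugger commands in the reply, as an added example that is not part of the original thread: if the driver was also linked with a map file (an assumption; the thread only mentions PDBs), the offset after the module name can be resolved to the nearest preceding public symbol, much as ln reports it. The map text and every symbol and object name in it are constructed for illustration.

```python
import bisect
import re

# Constructed sample in the layout of an MSVC linker map file (/MAP).
# Module, symbol and object names are made up for this example.
SAMPLE_MAP = """\
 mydriver

 Preferred load address is 00010000

  Address         Publics by Value              Rva+Base       Lib:Object

 0000:00000000       ___safe_se_handler_count   00000000     <absolute>
 0001:00000000       _DriverEntry@8             00011000 f   init.obj
 0001:0001e400       _QueueWorkItem@4           0002f400 f   queue.obj
 0001:0001ec80       _IoCompletionCallback@12   0002fc80 f   io.obj
 0001:0001f1c0       _DriverUnload@4            000301c0 f   init.obj
 0002:00000000       _g_PendingCount            00031000     data.obj
"""

BASE_RE = re.compile(r"Preferred load address is ([0-9A-Fa-f]+)")
# section:offset, symbol name, then the Rva+Base column
SYM_RE = re.compile(
    r"^\s*[0-9A-Fa-f]{4}:[0-9A-Fa-f]{8}\s+(\S+)\s+([0-9A-Fa-f]{8,16})\b", re.M)


def load_symbols(map_text):
    """Return a sorted list of (rva, name) taken from the map's public symbols."""
    m = BASE_RE.search(map_text)
    if not m:
        raise ValueError("no preferred load address in map text")
    base = int(m.group(1), 16)
    syms = [(int(addr, 16) - base, name) for name, addr in SYM_RE.findall(map_text)]
    # Absolute symbols (Rva+Base of 0) end up below the image base; drop them.
    return sorted(s for s in syms if s[0] >= 0)


def resolve(syms, offset):
    """Map a module-relative offset to (symbol, displacement), or None."""
    rvas = [rva for rva, _ in syms]
    i = bisect.bisect_right(rvas, offset) - 1
    if i < 0:
        return None  # offset lies before the first symbol (PE headers)
    rva, name = syms[i]
    return name, offset - rva


if __name__ == "__main__":
    name, disp = resolve(load_symbols(SAMPLE_MAP), 0x1FDA0)
    print(f"unloaded_mydriver.sys+0x1fda0 -> {name}+{disp:#x}")
```

A large displacement from the last symbol means the offset is probably outside any known function, so treat such a result with suspicion.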