How to know the caller?

Hi Guys, I would like to know how I can find the caller of a certain API function.
For example, if I put a breakpoint on NtQuerySystemInformation (from kernel mode, of course), I would like to know what process was the caller of that function. I can debug until the Ret instruction (from NtQuerySystemInformation) alright, but when I'm in the process space, how do I know what process name it is? Thanks!

Hi Gilbert,

You can use the !process extension with -1 as the process identifier, which will show you information about the current process.

Just like this:

0: kd> !process -1 0
PROCESS fffffa800c353060
SessionId: 1 Cid: 1928 Peb: 7fffffd9000 ParentCid: 1820
DirBase: 119782000 ObjectTable: fffff8a002741940 HandleCount: 221.
Image: windbg.exe

Regards,
Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

Thank you mate

If you are unsure and want to be conditional, you can stick this around
every bp you set, and you get the current process where you
broke echoed to the screen automatically.

kd> bl
 0 e 8057bc36 0001 (0001) nt!NtQuerySystemInformation "? $proc;!process $proc 0;gc"

Any app calling Nt-whatever will be logged:

Evaluate expression: -2129565864 = 81116758
PROCESS 81116758 SessionId: 0 Cid: 04a4 Peb: 7ffd7000 ParentCid: 0564
DirBase: 03f4a000 ObjectTable: e12413d8 HandleCount: 30.
Image: ollydbg.exe

Evaluate expression: -4686432 = ffb87da0
PROCESS ffb87da0 SessionId: 0 Cid: 03f8 Peb: 7ffdd000 ParentCid: 02fc
DirBase: 02c9c000 ObjectTable: e11dff60 HandleCount: 1340.
Image: svchost.exe

Evaluate expression: -4686432 = ffb87da0
PROCESS ffb87da0 SessionId: 0 Cid: 03f8 Peb: 7ffdd000 ParentCid: 02fc
DirBase: 02c9c000 ObjectTable: e11dff60 HandleCount: 1340.
Image: svchost.exe

Evaluate expression: -4686432 = ffb87da0
PROCESS ffb87da0 SessionId: 0 Cid: 03f8 Peb: 7ffdd000 ParentCid: 02fc
DirBase: 02c9c000 ObjectTable: e11dff60 HandleCount: 1340.
Image: svchost.exe

I would like to echo what Scott Noone posted a few days ago on these bps:

it is an API that is called very frequently from lots of processes
(kludgeware's favourite pet),

it is in a hot path,

so the system may be next to impossible to use normally;

graphics would be stuttering in frames.

On 11/5/12, xxxxx@hotmail.com wrote:
> Thank you mate
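The two answers above (Fernando's one-shot !process -1 0 and the "? $proc;!process $proc 0;gc" breakpoint command) can be combined into a small kd script that names the caller, shows where in the caller the call came from, and only stops for one process. This is an added example for this thread, not code posted by any of the participants. It assumes a live kd session against the x86 target shown in the bl/!process output above, nt symbols loaded, and that ollydbg.exe's EPROCESS is still 81116758 (that value is taken from the posted log; look yours up with !process 0 0 ollydbg.exe). On x64 the first argument is in @rcx rather than poi(@esp+4).

```windbg
$$ Added example for this thread (not code from any of the posters).
$$ Assumes: x86 target, nt symbols loaded, ollydbg.exe EPROCESS == 81116758
$$ (from the log above; re-check with !process 0 0 ollydbg.exe).
$$ Paste into kd, or save as a .wds file and run it with $$><C:\path\file.wds

$$ 1. Who is the caller right now?  The syscall runs on the caller's thread,
$$    so at the nt!NtQuerySystemInformation breakpoint $proc is the caller's
$$    EPROCESS, which is why !process -1 0 and !process @$proc 0 agree.
!process @$proc 0
dt nt!_EPROCESS @$proc ImageFileName UniqueProcessId InheritedFromUniqueProcessId

$$    To see where inside the caller the call originated, load user-mode
$$    symbols for the current process and walk the stack past the syscall.
.reload /user
k

$$ 2. Log every hit on one line and keep running (same idea as
$$    "? $proc;!process $proc 0;gc", written out with .printf).
$$    %d prints the SystemInformationClass argument (first stack argument on
$$    x86), %x the PID, %ma the 15-byte ANSI ImageFileName buffer.
bp nt!NtQuerySystemInformation ".printf \"NtQSI class %d from pid %x (%ma)\\n\", poi(@esp+4), poi(@$proc + @@c++(#FIELD_OFFSET(nt!_EPROCESS, UniqueProcessId))), @$proc + @@c++(#FIELD_OFFSET(nt!_EPROCESS, ImageFileName)); gc"

$$ 3. Only stop for one process.  Either let kd bind the breakpoint to a
$$    process (the kernel-mode-only /p switch) ...
bp /p 81116758 nt!NtQuerySystemInformation
$$    ... or test $proc and the argument yourself, so the break only happens
$$    when ollydbg.exe asks for SystemProcessInformation (class 5):
bp nt!NtQuerySystemInformation ".if ((@$proc == 81116758) & (poi(@esp+4) == 5)) { .echo ollydbg.exe: SystemProcessInformation; k } .else { gc }"
```

Two caveats. The EPROCESS address is only valid for that process instance; restart ollydbg.exe and the /p and .if filters silently stop matching. And filtering in the debugger does not remove the hot-path cost described above: every call still traps into kd and waits for a round trip to the host before gc resumes it, so /p and .if/gc cut down the output, not the slowdown.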