How to set a breakpoint at IoCompleteRequest

Sasi_Rekha · December 14, 2011, 2:21pm

Sorry if this is a silly question.

How do I set a break point at IoCompleteRequest? ‘bp IoCompleteRequest’
doesn’t work. Nether does ‘bp Ntoskrnl!IoCompleteRequest’. I want to set a
breakpoint at IoCompleteRequest and associate a command with it to print
the IRP for which the function was called. Can someone help me figure out
how to do it?

Thanks,
Sasi Rekha

Doron_Holan · December 14, 2011, 2:27pm

That’s because it doesn’t exist :). From wdm.h

#define IoCompleteRequest(a,b) \
IofCompleteRequest(a,b)

Set your bp on IofCompleteRequest. Doubt you are going to have a usable system once you do this though

d

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Sasi Rekha
Sent: Wednesday, December 14, 2011 11:21 AM
To: Kernel Debugging Interest List
Subject: [windbg] How to set a breakpoint at IoCompleteRequest

Sorry if this is a silly question.

How do I set a break point at IoCompleteRequest? ‘bp IoCompleteRequest’ doesn’t work. Nether does ‘bp Ntoskrnl!IoCompleteRequest’. I want to set a breakpoint at IoCompleteRequest and associate a command with it to print the IRP for which the function was called. Can someone help me figure out how to do it?

Thanks,
Sasi Rekha

— WINDBG is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Scott_Noone_OSR · December 14, 2011, 2:32pm

Is the target x86? If so, from wdm.h:

#define IoCompleteRequest(a,b) \
IofCompleteRequest(a,b)

So you want a breakpoint on nt!IofCompleteRequest (the, “f” here denotes
that this API uses the fastcall calling convention).

Note that this breakpoint will be hit a LOT.

-scott

–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Sasi Rekha” wrote in message news:xxxxx@windbg…
Sorry if this is a silly question.

How do I set a break point at IoCompleteRequest? ‘bp IoCompleteRequest’
doesn’t work. Nether does ‘bp Ntoskrnl!IoCompleteRequest’. I want to set a
breakpoint at IoCompleteRequest and associate a command with it to print the
IRP for which the function was called. Can someone help me figure out how to
do it?

Thanks,
Sasi Rekha

Gary_Little-3 · December 14, 2011, 2:46pm

Set your breakpoint on your call to the IRP or WDF completion, then step into the code.

Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

On Dec 14, 2011, at 1:20 PM, Sasi Rekha wrote:

Sorry if this is a silly question.

How do I set a break point at IoCompleteRequest? ‘bp IoCompleteRequest’ doesn’t work. Nether does ‘bp Ntoskrnl!IoCompleteRequest’. I want to set a breakpoint at IoCompleteRequest and associate a command with it to print the IRP for which the function was called. Can someone help me figure out how to do it?

Thanks,
Sasi Rekha

— WINDBG is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Sasi_Rekha · December 14, 2011, 3:03pm

Thanks for the answer Doron and Scott. Breakpoint works. Once the
breakpoint is hit I wanted to know the IRP for which it was called. I
thought “kb” will print the first three parameters. Here is my ‘kb’ output:

0: kd> kb
RetAddr : Args to Child
: Call Site
fffff8800197fbce : 0000000000000001 0000000000068300 fffffa8001f64000
fffffa8001f62d50 : nt!IofCompleteRequest 0000000000000001 : 0000000000068300 fffffa8001f64000 fffffa8001f62d50 0000000000000002 : 0xfffff8800197fbce 0000000000068300 : fffffa8001f64000 fffffa8001f62d50 0000000000000002 fffffa8000000000 : 0x1
fffffa8001f64000 : fffffa8001f62d50 0000000000000002 fffffa8000000000
0000000000000001 : 0x68300 fffffa8001f62d50 : 0000000000000002 fffffa8000000000 0000000000000001 0000002700000029 : 0xfffffa8001f64000 0000000000000002 : fffffa8000000000 0000000000000001 0000002700000029 0000000000000000 : 0xfffffa8001f62d50 fffffa8000000000 : 0000000000000001 0000002700000029 0000000000000000 0000000000000001 : 0x2
0000000000000001 : 0000002700000029 0000000000000000 0000000000000001
0000000000000000 : 0xfffffa8000000000
0000002700000029 : 0000000000000000 0000000000000001 0000000000000000
0000000000000000 : 0x1 0000000000000000 : 0000000000000001 0000000000000000 0000000000000000 fffffa80024e2540 : 0x27`00000029

‘00000000`00000001’ however doesn’t looks like an IRP address. I tried
‘!irp’ on all the args. I get either ‘IRP signature does not match,
probably not an IRP’ or ‘Could not read Irp’ Why is that? How can I get the
IRP address?

Sasi

On Thu, Dec 15, 2011 at 1:03 AM, Scott Noone wrote:

> Is the target x86? If so, from wdm.h:
>
> #define IoCompleteRequest(a,b) > IofCompleteRequest(a,b)
>
> So you want a breakpoint on nt!IofCompleteRequest (the, “f” here denotes
> that this API uses the fastcall calling convention).
>
> Note that this breakpoint will be hit a LOT.
>
> -scott
>
> –
> Scott Noone
> Consulting Associate and Chief System Problem Analyst
> OSR Open Systems Resources, Inc.
> http://www.osronline.com
>
> “Sasi Rekha” wrote in message news:xxxxx@windbg.
> …
>
> Sorry if this is a silly question.
>
> How do I set a break point at IoCompleteRequest? ‘bp IoCompleteRequest’
> doesn’t work. Nether does ‘bp Ntoskrnl!IoCompleteRequest’. I want to set a
> breakpoint at IoCompleteRequest and associate a command with it to print
> the IRP for which the function was called. Can someone help me figure out
> how to do it?
>
> Thanks,
> Sasi Rekha
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.**cfm?name=ListServer http:
></http:>

Scott_Noone_OSR · December 14, 2011, 3:43pm

See this post:

http://analyze-v.com/?p=7

Because this is the x64, you’ll find the first parameter to the function in
RCX (link to a description of the x64 calling convention also found in the
above article).

-scott

–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Sasi Rekha” wrote in message news:xxxxx@windbg…
Thanks for the answer Doron and Scott. Breakpoint works. Once the breakpoint
is hit I wanted to know the IRP for which it was called. I thought “kb” will
print the first three parameters. Here is my ‘kb’ output:

0: kd> kb
RetAddr : Args to Child
: Call Site
fffff8800197fbce : 0000000000000001 0000000000068300 fffffa8001f64000
fffffa8001f62d50 : nt!IofCompleteRequest 0000000000000001 : 0000000000068300 fffffa8001f64000 fffffa8001f62d50 0000000000000002 : 0xfffff8800197fbce 0000000000068300 : fffffa8001f64000 fffffa8001f62d50 0000000000000002 fffffa8000000000 : 0x1
fffffa8001f64000 : fffffa8001f62d50 0000000000000002 fffffa8000000000
0000000000000001 : 0x68300 fffffa8001f62d50 : 0000000000000002 fffffa8000000000 0000000000000001 0000002700000029 : 0xfffffa8001f64000 0000000000000002 : fffffa8000000000 0000000000000001 0000002700000029 0000000000000000 : 0xfffffa8001f62d50 fffffa8000000000 : 0000000000000001 0000002700000029 0000000000000000 0000000000000001 : 0x2
0000000000000001 : 0000002700000029 0000000000000000 0000000000000001
0000000000000000 : 0xfffffa8000000000
0000002700000029 : 0000000000000000 0000000000000001 0000000000000000
0000000000000000 : 0x1 0000000000000000 : 0000000000000001 0000000000000000 0000000000000000 fffffa80024e2540 : 0x2700000029 '0000000000000001’ however doesn’t looks like an IRP address. I tried
‘!irp’ on all the args. I get either ‘IRP signature does not match, probably
not an IRP’ or ‘Could not read Irp’ Why is that? How can I get the IRP
address?

- Sasi

On Thu, Dec 15, 2011 at 1:03 AM, Scott Noone wrote:
Is the target x86? If so, from wdm.h:

#define IoCompleteRequest(a,b) IofCompleteRequest(a,b)

So you want a breakpoint on nt!IofCompleteRequest (the, “f” here denotes
that this API uses the fastcall calling convention).

Note that this breakpoint will be hit a LOT.

-scott

–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Sasi Rekha” wrote in message news:xxxxx@windbg…

Sorry if this is a silly question.

How do I set a break point at IoCompleteRequest? ‘bp IoCompleteRequest’
doesn’t work. Nether does ‘bp Ntoskrnl!IoCompleteRequest’. I want to set a
breakpoint at IoCompleteRequest and associate a command with it to print the
IRP for which the function was called. Can someone help me figure out how to
do it?

Thanks,
Sasi Rekha

—
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer