Hello,
Assume I see the message above when I hook up a kernel debugger. Any way to find who the culprit is ? I am hooked up to a system with many drivers.
Thanks,
Shay
Yeah ? fix your symbols and then take a look at !analyze -v. Given your in a breakpoint or crash dump, with valid symbols loaded you may learn a lot.
Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
On Feb 6, 2012, at 1:04 PM, wrote:
> Hello,
>
> Assume I see the message above when I hook up a kernel debugger. Any way to find who the culprit is ? I am hooked up to a system with many drivers.
>
> Thanks,
> Shay
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
that would be easy, but, there is no panic 
This message just keeps scrolling as my system runs…
Shay
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gary Little
Sent: Monday, February 06, 2012 4:14 PM
To: Windows System Software Devs Interest List
Cc: Gary Little
Subject: Re: [ntdev] “Invalid parameter passed to C runtime function”
Yeah … fix your symbols and then take a look at !analyze -v. Given your in a breakpoint or crash dump, with valid symbols loaded you may learn a lot.
Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.netmailto:xxxxx
On Feb 6, 2012, at 1:04 PM, > wrote:
Hello,
Assume I see the message above when I hook up a kernel debugger. Any way to find who the culprit is ? I am hooked up to a system with many drivers.
Thanks,
Shay
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx>
I get this when I run some of my test programs. For me it is not a driver
issue.
Bill Wandel
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
Sent: Monday, February 06, 2012 4:28 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] “Invalid parameter passed to C runtime function”
that would be easy, but, there is no panic
This message just keeps scrolling as my system runs…
Shay
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary Little
Sent: Monday, February 06, 2012 4:14 PM
To: Windows System Software Devs Interest List
Cc: Gary Little
Subject: Re: [ntdev] “Invalid parameter passed to C runtime function”
Yeah . fix your symbols and then take a look at !analyze -v. Given your in a
breakpoint or crash dump, with valid symbols loaded you may learn a lot.
Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
On Feb 6, 2012, at 1:04 PM, wrote:
Hello,
Assume I see the message above when I hook up a kernel debugger. Any way to
find who the culprit is ? I am hooked up to a system with many drivers.
Thanks,
Shay
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
So what you are saying is that some test program issues a runtime error?
In that case, I’d suggest using a user-mode debugger.
Sounds like your test program has a bug.
joe
I get this when I run some of my test programs. For me it is not a driver
issue.Bill Wandel
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
Sent: Monday, February 06, 2012 4:28 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] “Invalid parameter passed to C runtime function”that would be easy, but, there is no panic
This message just keeps scrolling as my system runs…
Shay
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary Little
Sent: Monday, February 06, 2012 4:14 PM
To: Windows System Software Devs Interest List
Cc: Gary Little
Subject: Re: [ntdev] “Invalid parameter passed to C runtime function”Yeah . fix your symbols and then take a look at !analyze -v. Given your in
a
breakpoint or crash dump, with valid symbols loaded you may learn a lot.Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.netOn Feb 6, 2012, at 1:04 PM, wrote:
>
>
>
> Hello,
>
>
>
> Assume I see the message above when I hook up a kernel debugger. Any way
> to
> find who the culprit is ? I am hooked up to a system with many drivers.
>
>
>
> Thanks,
>
> Shay
>
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
There is no “test” program. It’s a debugger hooked up via a serial port to a Win 2003 server system running a bunch of applications + a bunch of kernel drivers.
Shay
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@flounder.com
Sent: Wednesday, February 08, 2012 2:47 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] “Invalid parameter passed to C runtime function”
So what you are saying is that some test program issues a runtime error?
In that case, I’d suggest using a user-mode debugger.
Sounds like your test program has a bug.
joe
I get this when I run some of my test programs. For me it is not a driver
issue.Bill Wandel
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
Sent: Monday, February 06, 2012 4:28 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] “Invalid parameter passed to C runtime function”that would be easy, but, there is no panic
This message just keeps scrolling as my system runs…
Shay
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary Little
Sent: Monday, February 06, 2012 4:14 PM
To: Windows System Software Devs Interest List
Cc: Gary Little
Subject: Re: [ntdev] “Invalid parameter passed to C runtime function”Yeah . fix your symbols and then take a look at !analyze -v. Given your in
a
breakpoint or crash dump, with valid symbols loaded you may learn a lot.Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.netOn Feb 6, 2012, at 1:04 PM, wrote:
>
>
>
> Hello,
>
>
>
> Assume I see the message above when I hook up a kernel debugger. Any way
> to
> find who the culprit is ? I am hooked up to a system with many drivers.
>
>
>
> Thanks,
>
> Shay
>
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
What you see is usermode debug prints that drop to kernel debugger because there is no usermode debugger.
You could possibly catch the culprit if you hooked the actual debug print function (like the Sysinternals dbgview does).
In the hook, watch for the message text and break into kernel debugger.
But AFAIK dbgview sources have not been published.
–pa
well if you are adventurous / dont worry crashing the user mode
executable / work in vm etc etc (you can try this on production or
important machine / whatever on YOUR OWN RISK this example is just a
DEBUG ONLY METHOD or a GOOD TO KNOW ONLY METHOD)
assumption (you know what assume means isnt it
debugprnts from usermode are probably sent via OutputDebugStringA
fact 1
OutputDebugString is kernl32 export
it is a dll mapped on process so it will have a physical page
modifying the physical page will set breakpoint on all processes for this api
on break the process context will show which process is issuing the dbgprint
fact 2
by employing this method you stand to crash the user mode process
fact 3
if other process are sending dbg prints they may also crash and may
send you on wild goose chase
it is not just me warning windbg docs also warn you about setting
!ubp’s so please read them i am not using !ubp but doing something
similar here
lets rock
find a process that may contain kernl32.dll change to its process
context and find the virtual address of OutputDebugStringA Function
explorer.exe is a good choice if it is running
kd> !process 0 0 Explorer.exe
PROCESS 81151b28 SessionId: 0 Cid: 0420 Peb: 7ffdb000 ParentCid: 0400
DirBase: 0088d000 ObjectTable: e19a2478 HandleCount: 290.
Image: explorer.exe
kd> .process /p /P /r 81151b28
Implicit process is now 81151b28
.cache forcedecodeptes done
Loading User Symbols
…
…
kd> ? kernel32!OutputDebugStringA
Evaluate expression: 2089135228 = 7c85ac7c
convert the virtual address to physical address
kd> !vtop 88d 7c85ac7c
X86VtoP: Virt 7c85ac7c, pagedir 88d000
X86VtoP: PDE 88d7c8 - 00d31067
X86VtoP: PTE d31168 - 03f2c067
X86VtoP: Mapped phys 3f2cc7c
Virtual address 7c85ac7c translates to physical address 3f2cc7c.
check the physical page
kd> !db 3f2cc7c
3f2cc7c 68 34 02 00 00 68 a8 af-85 7c e8 4b 78 fa ff a1 h4…h…|.Kx…
3f2cc8c cc 56 88 7c 89 45 e4 8b-4d 08 89 8d c4 fd ff ff .V.|.E…M…
3f2cc9c 83 65 fc 00 8b c1 8d 70-01 8a 10 40 84 d2 75 f9 .e…p…@…u.
confirm they are indeed Real Bytes
7C85AD4C kernel32.OutputDebugStringA /$ 68 34020000
PUSH 234
7C85AD51 |. 68 78B0857C
PUSH kernel32.7C85B078
7C85AD56 |. E8 7B77FAFF
CALL kernel32._SEH_prolog
7C85AD5B |. A1 CC56887C
MOV EAX, DWORD PTR DS:[__security_cookie]
7C85AD60 |. 8945 E4
MOV DWORD PTR SS:[EBP-1C], EAX
i assume here you know abot aslr and will discount the base address
difference in the bytes above
write an int 3 aka 0xcc at the physical page
kd> !eb 3f2cc7c 0xcc
kd> !db 3f2cc7c
3f2cc7c cc 34 02 00 00 68 a8 af-85 7c e8 4b 78 fa ff a1 .4…h…|.Kx…
and run
kd> g
Break instruction exception - code 80000003 (first chance)
kernel32!OutputDebugStringA:
001b:7c85ac7c cc int 3
kd> !process @$proc 1f
PROCESS 8118b020 SessionId: 0 Cid: 0140 Peb: 7ffdb000 ParentCid: 0420
DirBase: 02596000 ObjectTable: e1097360 HandleCount: 10.
Image: dbgstrnocrt.exe
VadRoot 810eaa00 Vads 26 Clone 0 Private 39. Modified 0. Locked 0.
DeviceMap e18a5bc8
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
*** WARNING: Unable to verify checksum for dbgstrnocrt.exe
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for dbgstrnocrt.exe -
Win32 Start Address dbgstrnocrt (0x00401000)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init f91a4000 Current f91a3c70 Base f91a4000 Limit f91a0000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
0012fd80 00401189 kernel32!OutputDebugStringA (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff8c 00407d3e dbgstrnocrt!_GetExceptDLLinfo+0x130
0012ffc0 7c817067 dbgstrnocrt!_GetExceptDLLinfo+0x6ce5
0012fff0 00000000 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
kd> da 0012fd80+c
0012fd8c "Function Ptr is <?dml ?>0012fdac “=“ln /D 409a5c.”>Clickme.”
0012fdcc “”
google says that this exe can be a qt compiled exe see if you have one running
maybe someweird QLabel(this) isnt defined
On 2/8/12, xxxxx@fastmail.fm wrote:
> What you see is usermode debug prints that drop to kernel debugger because
> there is no usermode debugger.
> You could possibly catch the culprit if you hooked the actual debug print
> function (like the Sysinternals dbgview does).
> In the hook, watch for the message text and break into kernel debugger.
> But AFAIK dbgview sources have not been published.
>
> --pa
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>