Kernel debugger debugging user mode application in x64

Hi,

I would like to know whether there is any kernel debugger able to debug a
user mode application in x64 editions of Windows.

Windbg debugs user mode applications stopping only the debugged thread, not
the operating system, and Visual Softice simply doesn't work due to
PatchGuard protection (processor IDT modification causes bugcheck
CRITICAL_STRUCTURE_CORRUPTION (109)).

I prefer kernel mode debugging because the user mode application is an
antivirus engine, and it has some time restrictions and dependencies with
other components I need to maintain unaltered.

Any idea of another kernel debugger, or does anyone know how to disallow Visual
Softice patching Processor IDT?

Thank you,
mK



.process /I will run the machine forward until some thread in the process has been scheduled (I don’t know the exact algorithm, but it’s something like that).

Debugging user-mode through the kernel debugger still has limitations (data could be paged out for example, though probably not what the thread is currently using) but it’s not too bad.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Misha Karpin
Sent: Thursday, June 16, 2005 12:49 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel debugger debugging user mode application in x64



Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com To unsubscribe send a blank email to xxxxx@lists.osr.com
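
The kernel-debugger workflow described in the reply above, written out as a kd/WinDbg command sequence. This is an added example, not part of the original thread. The image name `avengine.exe`, the symbol `avengine!ScanBuffer`, and the `<EPROCESS>` and `<address>` values are placeholders, and the switch is written in its documented lowercase form `/i`.

```windbg
$$ Break into the target from the host debugger first; the whole machine is
$$ now halted, not just one thread.

$$ Locate the user-mode process by image name (placeholder name).
!process 0 0 avengine.exe

$$ Copy the PROCESS address from the output above and request an invasive
$$ context switch. The switch only takes effect once the target runs again.
.process /i <EPROCESS>
g

$$ The target breaks back in with that process as the active context.
$$ Reload user-mode symbols so its modules and functions resolve.
.reload /user

$$ Set a breakpoint on a user-mode function, restricted to this process so
$$ other processes mapping the same module do not trigger it.
bp /p <EPROCESS> avengine!ScanBuffer

$$ If user-mode memory displays as ???????? the page is not resident.
$$ Ask the target to page it in, then resume; the target breaks back in
$$ once the page has been brought into memory.
.pagein /p <EPROCESS> <address>
g
```
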

Visual SoftICE ?

----- Original Message -----
From: “Peter Wieland”
To: “Windows System Software Devs Interest List”

Sent: Thursday, June 16, 2005 10:37 AM
Subject: RE: [ntdev] Kernel debugger debugging user mode
application in x64


Alberto,

PatchGuard protects processor IDT modifications so Visual SoftIce causes
bugcheck in x64 editions of Windows in less than three minutes.

Thanks,
mK

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
Sent: Saturday, June 18, 2005 2:05
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debugger debugging user mode application in x64


Sorry for the ignorance, what’s PatchGuard ?

Alberto.

----- Original Message -----
From: “Misha Karpin”
To: “Windows System Software Devs Interest List”

Sent: Tuesday, June 21, 2005 10:12 AM
Subject: RE: [ntdev] Kernel debugger debugging user mode
application in x64


Actually, I’ve read the Microsoft web page on it. Well - you get
what you pay for, and looks like you’re out of luck. Like,
Windbg or bust ? Wallow in it. Dudes, am I glad I don’t deal
with that kind of nonsense any longer. But if I were to write a
debugger today, I’d make it run as a virtual machine underneath
Windows: far from the eyes, far from the heart, you can’t
prevent what you don’t know is going on.

Alberto.

----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”

Sent: Tuesday, June 21, 2005 11:00 PM
Subject: Re: [ntdev] Kernel debugger debugging user mode
application in x64


Nice:

The x64 versions of Windows also support Microsoft’s PatchGuard technology that prevents non-Microsoft originated programs from patching the Windows kernel. This technology, available only on Windows x64 Editions, prevents kernel mode drivers from extending or replacing kernel services including system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). Third-party software is also prevented from allocating kernel stacks or patching any part of the kernel.

Maybe it’ll finally stop NAV from stack switching. On the other hand the “non-Microsoft originated programs” part can start next antimonopoly case :wink:

Can’t it be turned off? For example using boot.ini switch (if available at x64). For debugger it’d be enough.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Alberto Moreira[SMTP:xxxxx@ieee.org]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, June 22, 2005 5:07 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel debugger debugging user mode application in x64


FYI to clear bad impressions about Visual SoftICE:

It appears to be able to be shut off with the /DEBUG switch, even if WinDBG is not run.
Also Visual SoftICE gets around it just fine, if it has the appropriate OSI data files for the OS version (available from tech support).

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Michal Vodicka[SMTP:xxxxx@upek.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, June 22, 2005 6:32 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Kernel debugger debugging user mode application in x64


Guys,

Michal is right and I stand corrected. My Compuware connection
told me that the issue has been taken care of. Contact their
tech support and they’ll fix the problem for you.

Alberto.

----- Original Message -----
From: “Michal Vodicka”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, June 22, 2005 4:01 PM
Subject: RE: [ntdev] Kernel debugger debugging user mode
application in x64

FYI to clear bad impressions about Visual SoftICE:

It appears to be able to be shutoff with the /DEBUG switch, even
if WinDBG is not run.
Also Visual SoftICE gets around it just fine, if it has the
appropriate OSI data files for the
OS version (available from tech support)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Michal Vodicka[SMTP:xxxxx@upek.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, June 22, 2005 6:32 AM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] Kernel debugger debugging user mode
> application in x64
>
> Nice:
>
> The x64 versions of Windows also support Microsoft’s
> PatchGuard technology that prevents non-Microsoft originated
> programs from patching the Windows kernel. This technology,
> available only on Windows x64 Editions, prevents kernel mode
> drivers from extending or replacing kernel services including
> system service dispatch tables, the interrupt descriptor table
> (IDT), and the global descriptor table (GDT). Third-party
> software is also prevented from allocating kernel stacks or
> patching any part of the kernel.
>
> Maybe it’ll finally stop NAV from stack switching. On the
> other hand the “non-Microsoft originated programs” part can
> start next antimonopoly case :wink:
>
> Can’t it be turned off? For example using boot.ini switch (if
> available at x64). For debugger it’d be enough.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Alberto Moreira[SMTP:xxxxx@ieee.org]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Wednesday, June 22, 2005 5:07 AM
> > To: Windows System Software Devs Interest List
> > Subject: Re: [ntdev] Kernel debugger debugging user mode
> > application in x64
> >
> > Actually, I’ve read the Microsoft web page on it. Well - you
> > get what you pay for, and looks like you’re out of luck. Like,
> > Windbg or bust ? Wallow in it. Dudes, am I glad I don’t deal
> > with that kind of nonsense any longer. But if I were to write
> > a debugger today, I’d make it run as a virtual machine
> > underneath Windows: far from the eyes, far from the heart, you
> > can’t prevent what you don’t know is going on.
> >
> > Alberto.
> >
> >
> > ----- Original Message -----
> > From: “Alberto Moreira”
> > To: “Windows System Software Devs Interest List”
> >
> > Sent: Tuesday, June 21, 2005 11:00 PM
> > Subject: Re: [ntdev] Kernel debugger debugging user mode
> > application in x64
> >
> >
> > > Sorry for the ignorance, what’s PatchGuard ?
> > >
> > > Alberto.
> > >
> > >
> > > ----- Original Message -----
> > > From: “Misha Karpin”
> > > To: “Windows System Software Devs Interest List”
> > >
> > > Sent: Tuesday, June 21, 2005 10:12 AM
> > > Subject: RE: [ntdev] Kernel debugger debugging user mode
> > > application in x64
> > >
> > >
> > >> Alberto,
> > >>
> > > >> PatchGuard protects processor IDT modifications so Visual
> > > >> SoftIce causes bugcheck in x64 editions of Windows in less
> > > >> than three minutes.
> > >>
> > >> Thanks,
> > >> mK
> > >>
> > > >> -----Original Message-----
> > > >> From: xxxxx@lists.osr.com
> > > >> [mailto:xxxxx@lists.osr.com] On Behalf Of
> > > >> Alberto Moreira
> > > >> Sent: Saturday, June 18, 2005 2:05
> > > >> To: Windows System Software Devs Interest List
> > > >> Subject: Re: [ntdev] Kernel debugger debugging user mode
> > > >> application in x64
> > >>
> > >> Visual SoftICE ?
> > >>

This reminds me of the old joke: this father found his teenage
daughter having sex with her boyfriend on the family room couch.
So he decided to fix the problem once and for all: he sold the
couch.

Alberto.


Yep, he should shoot her boyfriend instead. What MS should do is obvious :wink:

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

