more .kdfiles (really long)

Is there an event filter that I could have inadvertently set to a state that
invisibly disables this? I haven’t intentionally changed any event filters
from the defaults, but at this point, I’m looking for any avenue that might
offer a clue…

In my own investigating, I noticed that the “Load module” filter was set to
“output - not handled”. I set it to “enabled - not handled”, and got a
breakpoint on every module loading. That makes sense, in retrospect. So
maybe I can trace up to the loading of the modules I want replaced, then
Ctl+Alt+D, run past the module load, and maybe a clue will be buried in
there.

Maybe the clue is in there, after all? Deep in the bowels of the Ctl+Alt+D
output, I found this:

KdReadVirtual(f92e3628, 80) returns 00000000, 80
disk.sys
nt!DebugService2+e:
8051d57a cc int 3
WRITE: Write type 2 packet id= 80800000.

It’s not stopping here, is this where it should be trying to load the new
driver from the old one?

So here’s how things look, right now:

WinDBG 6.0.0017.0
XP with full Windows Update on both ends, there are no available updates I
haven’t installed on either system.

Target system has WFC fully disabled. Enabled didn’t seem to make any
difference, but maybe I didn’t enable it to the right level?

Mapfile (D:\Projects\Drivers\DriverReplacement.Map):
map
\WINDOWS\System32\Drivers\SeUlator.sys
D:\Projects\Drivers\SeUlator\objchk\i386\SeUlator.sys
map
??\C:\WINDOWS\System32\Drivers\disk.sys
D:\Projects\Drivers\DiskClass\objchk\i386\disk.sys
map
\Systemroot\System32\Drivers\classpnp.sys
D:\Projects\Drivers\ClassPnP\objchk\i386\classpnp.sys

None of the above paths give any different behavior. There just isn’t any
indication in the log below that the debugger is even trying to map the new
files.

Command window log:

Waiting to reconnect…
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is:
srv*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:

Loading symbols for 804d0000 ntkrnlmp.exe -> ntkrnlmp.exe
ModLoad: 804d0000 806aa000 ntkrnlmp.exe
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpclnt_qfe.010827-1803
Kernel base = 0x804d0000 PsLoadedModuleList = 0x805450a8
System Uptime: not available
Force unload of ntkrnlmp.exe
ModLoad: 804d0000 806aa000 ntkrnlmp.exe
Loading symbols for 804d0000 ntkrnlmp.exe -> ntkrnlmp.exe
nt!DebugService2+e:
8051d57a cc int 3
kd> .kdfiles D:\Projects\Drivers\DriverReplacement.map
KD file assocations loaded from ‘D:\Projects\Drivers\DriverReplacement.map’
Verbose mode ON.
kd> g
ModLoad: 806aa000 806ca080 halmacpi.dll
Loading symbols for 806aa000 halmacpi.dll -> halmacpi.dll
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9261000 f926bc80 kd1394.dll
Loading symbols for f9261000 kd1394.dll -> kd1394.dll
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9671000 f9674000 BOOTVID.dll
Loading symbols for f9671000 BOOTVID.dll -> BOOTVID.dll
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9214000 f923fc00 ACPI.sys
Loading symbols for f9214000 ACPI.sys -> ACPI.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9761000 f9762100 WMILIB.SYS
Loading symbols for f9761000 WMILIB.SYS -> WMILIB.SYS
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9271000 f9280400 pci.sys
Loading symbols for f9271000 pci.sys -> pci.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9281000 f9289c00 isapnp.sys
Loading symbols for f9281000 isapnp.sys -> isapnp.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9291000 f929e880 ohci1394.sys
Loading symbols for f9291000 ohci1394.sys -> ohci1394.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f92a1000 f92ad180 1394BUS.SYS
Loading symbols for f92a1000 1394BUS.SYS -> 1394BUS.SYS
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9763000 f9764200 intelide.sys
Loading symbols for f9763000 intelide.sys -> intelide.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f94e1000 f94e6c80 PCIIDEX.SYS
Loading symbols for f94e1000 PCIIDEX.SYS -> PCIIDEX.SYS
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f92b1000 f92ba280 MountMgr.sys
Loading symbols for f92b1000 MountMgr.sys -> MountMgr.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f91f5000 f9213880 ftdisk.sys
Loading symbols for f91f5000 ftdisk.sys -> ftdisk.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9765000 f9766700 dmload.sys
Loading symbols for f9765000 dmload.sys -> dmload.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f91d1000 f91f4b80 dmio.sys
Loading symbols for f91d1000 dmio.sys -> dmio.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f94e9000 f94ed900 PartMgr.sys
Loading symbols for f94e9000 PartMgr.sys -> PartMgr.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f92c1000 f92ca280 sbp2port.sys
Loading symbols for f92c1000 sbp2port.sys -> sbp2port.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f92d1000 f92dd000 VolSnap.sys
Loading symbols for f92d1000 VolSnap.sys -> VolSnap.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f91bb000 f91d0280 atapi.sys
Loading symbols for f91bb000 atapi.sys -> atapi.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f91a2000 f91bae00 adpu160m.sys
Loading symbols for f91a2000 adpu160m.sys -> adpu160m.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f918c000 f91a1f80 SCSIPORT.SYS
Loading symbols for f918c000 SCSIPORT.SYS -> SCSIPORT.SYS
nt!DebugService2+e:
8051d57a cc int 3


Loading disk.sys here. Mapping is ??\C:\WINDOWS\System32\Drivers\disk.sys

kd> g
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdSetContext returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=8c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgWriteControlSpace returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 7 packet exp id = 80800000
PacketType=7, ByteCount=113, PacketId=0,
READ: Received Type 7 data packet with id = 0 successfully.

READ: Packet type = 7, KdApi64 = 1
ModLoad: f92e1000 f92e9380 disk.sys
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=78, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92e1000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3e, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92e10d8, 6) returns 00000000, 6
Loading symbols for f92e1000 disk.sys -> WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=12a, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92e10de, f2) returns 00000000, f2
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=178, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92e11d0, 140) returns 00000000, 140
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92e3330, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92e3628, 80) returns 00000000, 80
disk.sys
nt!DebugService2+e:
8051d57a cc int 3
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=304, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdGetContext returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=8c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdReadControlSpace returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=138, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053923c, 100) returns 00000000, 100
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80518688, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=cfc, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053933c, cc4) returns 00000000, cc4
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=594, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053a000, 55c) returns 00000000, 55c
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000008, 80) returns c0000001, 0
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(805439a4, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80543bd8, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(805450a8, 80) returns 00000000, 80
X86VtoP: Virt 00000008, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000004, 4) returns c0000001, 0
X86VtoP: Virt 00000004, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000000, 4) returns c0000001, 0
X86VtoP: Virt 00000000, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80543a8c, 80) returns 00000000, 80


At this point, esp+0x40 contains \WINDOWS\System32\Drivers\disk.sys. I
haven’t seen any other path since I started trying to use .kdfiles. Is this
the real path from the “Service Control Manager (SCM) database”, as
mentioned in the Mapping Driver Files page in the help file? I assume that
it’s what is sent to the DebugService2 routine, but that may not be a valid
assumption.

Now load classpnp.sys. Mapping is \Systemroot\System32\Drivers\classpnp.sys

kd> g
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdSetContext returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=8c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgWriteControlSpace returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 7 packet exp id = 80800000
PacketType=7, ByteCount=117, PacketId=0,
READ: Received Type 7 data packet with id = 0 successfully.

READ: Packet type = 7, KdApi64 = 1
ModLoad: f92f1000 f92fbf80 CLASSPNP.SYS
Loading symbols for f92f1000 CLASSPNP.SYS -> WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3a, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92f1000, 2) returns 00000000, 2
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=76, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92f1002, 3e) returns 00000000, 3e
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=130, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92f10d8, f8) returns 00000000, f8
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=1a0, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92f11d0, 168) returns 00000000, 168
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92fa400, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92f6c10, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f92f6ee4, 80) returns 00000000, 80
CLASSPNP.SYS
nt!DebugService2+e:
8051d57a cc int 3
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=304, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdGetContext returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=8c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdReadControlSpace returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=138, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053923c, 100) returns 00000000, 100
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80518688, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=cfc, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053933c, cc4) returns 00000000, cc4
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=594, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053a000, 55c) returns 00000000, 55c
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000008, 80) returns c0000001, 0
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(805439a4, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80543bd8, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(805450a8, 80) returns 00000000, 80
X86VtoP: Virt 00000008, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000004, 4) returns c0000001, 0
X86VtoP: Virt 00000004, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000000, 4) returns c0000001, 0
X86VtoP: Virt 00000000, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80543a8c, 80) returns 00000000, 80


At this point, esp+0x40 contains \WINDOWS\System32\DRIVERS\CLASSPNP.SYS.

kd> g
ModLoad: f917a000 f918b300 sr.sys
Loading symbols for f917a000 sr.sys -> sr.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f9166000 f9179780 KSecDD.sys
Loading symbols for f9166000 KSecDD.sys -> KSecDD.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f90e7000 f9165180 Ntfs.sys
Loading symbols for f90e7000 Ntfs.sys -> Ntfs.sys
nt!DebugService2+e:
8051d57a cc int 3
kd> g
ModLoad: f90bf000 f90e6700 NDIS.sys
Loading symbols for f90bf000 NDIS.sys -> NDIS.sys
nt!DebugService2+e:
8051d57a cc int 3


Load my filter driver. Mapping is \WINDOWS\System32\Drivers\SeUlator.sys

kd> g
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdSetContext returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=8c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgWriteControlSpace returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 7 packet exp id = 80800000
PacketType=7, ByteCount=117, PacketId=0,
READ: Received Type 7 data packet with id = 0 successfully.

READ: Packet type = 7, KdApi64 = 1
ModLoad: f9767000 f9768b80 SeUlator.sys
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=78, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f9767000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3e, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f97670d0, 6) returns 00000000, 6
Loading symbols for f9767000 SeUlator.sys -> WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=12a, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f97670d6, f2) returns 00000000, f2
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=100, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f97671c8, c8) returns 00000000, c8
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(f9768340, 80) returns 00000000, 80
SeUlator.sys
nt!DebugService2+e:
8051d57a cc int 3
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=304, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdGetContext returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=8c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

DbgKdReadControlSpace returns 00000000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=138, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053923c, 100) returns 00000000, 100
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80518688, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=cfc, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053933c, cc4) returns 00000000, cc4
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=594, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(8053a000, 55c) returns 00000000, 55c
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000008, 80) returns c0000001, 0
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(805439a4, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80543bd8, 80) returns 00000000, 80
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(805450a8, 80) returns 00000000, 80
X86VtoP: Virt 00000008, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000004, 4) returns c0000001, 0
X86VtoP: Virt 00000004, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=38, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(00000000, 4) returns c0000001, 0
X86VtoP: Virt 00000000, pagedir 39000
X86VtoP: PDE 39000
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3c, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadPhysical(00039000, 4) returns 00000000, 4
X86VtoP: zero PDE
WRITE: Write type 2 packet id= 80800000.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=b8, PacketId=0,
READ: Received Type 2 data packet with id = 0 successfully.

KdReadVirtual(80543a8c, 80) returns 00000000, 80
kd> g

Done with the drivers I’m trying to map, hence done with the trace of
interest.

Any clues in there?

Phil

Philip D. Barila
Seagate Technology, LLC
(720) 684-1842

Phil,
I checked my setup, and the event filters on mine haven’t changed
from the defaults (unless someone else snuck in here and changed them).
I have done this with both the free and checked kernel from a UP machine
to a UP machine, but I don’t have an SMP XP/.Net box setup, so I can’t
try it out on there… are you trying this on an SMP box? Has anyone
else on the list had any luck copying drivers over the debug connection
to an SMP box?

For the record, here’s a log of my boot with CTRL-ALT-D turned on:

Shutdown occurred…unloading all symbol tables.
Waiting to reconnect…
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is:
symsrv*symsrv.dll*\jackson\wintools\symsrv;srv*\jackson\wintools\downloadstore*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 MP (1 procs) Checked x86 compatible
Built by: 2600.xpclient.010817-1148
Kernel base = 0x80a02000 PsLoadedModuleList = 0x80ae4150
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80aabb54 cc int 3
kd> .kdfiles d:\drvmap.ini
KD file assocations loaded from ‘d:\drvmap.ini’
kd> sxe ld:phmdisp.dll
kd> g
WRITE: Write type 2 packet id= 80800000.

---- skipping to loading my driver ----
---- (I don’t know the protocol, so I am including some packets prior to
the loading) ----
READ: Packet type = 7, KdApi64 = 1
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=78, PacketId=80800000,
READ: Received Type 2 data packet with id = 80800000 successfully.

KdReadVirtual(750d0000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800001
PacketType=2, ByteCount=3e, PacketId=80800001,
READ: Received Type 2 data packet with id = 80800001 successfully.

KdReadVirtual(750d00e0, 6) returns 00000000, 6
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 7 packet exp id = 80800000
PacketType=7, ByteCount=122, PacketId=80800000,
READ: Received Type 7 data packet with id = 80800000 successfully.

READ: Packet type = 7, KdApi64 = 1
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800001
PacketType=2, ByteCount=78, PacketId=80800001,
READ: Received Type 2 data packet with id = 80800001 successfully.

KdReadVirtual(60000000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3e, PacketId=80800000,
READ: Received Type 2 data packet with id = 80800000 successfully.

KdReadVirtual(60000118, 6) returns 00000000, 6
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 7 packet exp id = 80800001
PacketType=7, ByteCount=122, PacketId=80800001,
READ: Received Type 7 data packet with id = 80800001 successfully.

READ: Packet type = 7, KdApi64 = 1
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=78, PacketId=80800000,
READ: Received Type 2 data packet with id = 80800000 successfully.

KdReadVirtual(60100000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800001
PacketType=2, ByteCount=3e, PacketId=80800001,
READ: Received Type 2 data packet with id = 80800001 successfully.

KdReadVirtual(60100110, 6) returns 00000000, 6
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 7 packet exp id = 80800000
PacketType=7, ByteCount=125, PacketId=80800000,
READ: Received Type 7 data packet with id = 80800000 successfully.

READ: Packet type = 7, KdApi64 = 1
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800001
PacketType=2, ByteCount=78, PacketId=80800001,
READ: Received Type 2 data packet with id = 80800001 successfully.

KdReadVirtual(5e000000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=3e, PacketId=80800000,
READ: Received Type 2 data packet with id = 80800000 successfully.

KdReadVirtual(5e000120, 6) returns 00000000, 6
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 7 packet exp id = 80800001
PacketType=7, ByteCount=124, PacketId=80800001,
READ: Received Type 7 data packet with id = 80800001 successfully.

READ: Packet type = 7, KdApi64 = 1
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800000
PacketType=2, ByteCount=78, PacketId=80800000,
READ: Received Type 2 data packet with id = 80800000 successfully.

KdReadVirtual(64000000, 40) returns 00000000, 40
WRITE: Write type 2 packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
READ: Wait for type 2 packet exp id = 80800001
PacketType=2, ByteCount=3e, PacketId=80800001,
READ: Received Type 2 data packet with id = 80800001 successfully.

KdReadVirtual(64000120, 6) returns 00000000, 6
WRITE: Write type 2 packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
READ: Wait for type 7 packet exp id = 80800000
PacketType=b, ByteCount=82, PacketId=80800000,
READ: Received Type b data packet with id = 80800000 successfully.

KD: Accessing ‘D:\Host\kernel\build\chk_w2k\i386\phmdisp.dll’
(\SystemRoot\System32\phmdisp.dll)
File size 128KKdFile request for ‘\SystemRoot\System32\phmdisp.dll’
returns 00000000
WRITE: Write type b packet id= 80800001.
READ: Wait for ACK packet with id = 80800001
PacketType=4, ByteCount=0, PacketId=80800001,
READ: Received correct ACK packet.
PacketType=b, ByteCount=40, PacketId=80800001,
READ: Received Type b data packet with id = 80800001 successfully.

WRITE: Write type b packet id= 80800000.
READ: Wait for ACK packet with id = 80800000
PacketType=4, ByteCount=0, PacketId=80800000,
READ: Received correct ACK packet.
PacketType=b, ByteCount=40, PacketId=80800000,
READ: Received Type b data packet with id = 80800000 successfully.

.WRITE: Write type b packet id= 80800001.

At this point, it’s copying the driver (hence the “.” before the
“WRITE:” debug message).
I don’t get any break before the module loads (nor do I know how I can
tell WinDBG to break in before it checks to see if the file is mapped or
not).

sean
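
Added example, not part of either post: a Python script that reads a .kdfiles map in the three-line `map` format shown in Phil's message and checks a verbose (Ctrl+Alt+D) log for the `KdFile request for` lines and type b packets that appear in Sean's trace but not in Phil's. The sample logs and the contents of Sean's map are constructed from lines quoted in the thread, and all function names are hypothetical.

```python
import re

# Patterns taken from the verbose debugger output quoted in the thread.
MODLOAD_RE = re.compile(r"^ModLoad:\s+[0-9a-f]+\s+[0-9a-f]+\s+(\S+)", re.I | re.M)
KDFILE_RE = re.compile(r"KdFile request for\s+['\u2018\"](.+?)['\u2019\"]")
PKTTYPE_RE = re.compile(r"PacketType=([0-9a-f]+),", re.I)


def basename(path):
    """Last component of a Windows-style path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_kdfiles_map(text):
    """Parse repeated 'map' / target-path / host-path triples into (target, host) pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        if lines[i].lower() != "map":
            raise ValueError("expected 'map' keyword, got %r" % lines[i])
        if i + 2 >= len(lines):
            raise ValueError("incomplete entry after 'map' near %r" % lines[-1])
        entries.append((lines[i + 1], lines[i + 2]))
        i += 3
    return entries


def packet_types(log_text):
    """Set of KD packet types (hex strings) seen in the verbose log."""
    return {t.lower() for t in PKTTYPE_RE.findall(log_text)}


def diagnose(map_text, log_text):
    """For each map entry, report whether the module loaded and whether the
    target asked the debugger for the file (and under which path)."""
    loaded = {name.lower() for name in MODLOAD_RE.findall(log_text)}
    requested = {basename(p): p for p in KDFILE_RE.findall(log_text)}
    report = []
    for target, host in parse_kdfiles_map(map_text):
        name = basename(target)
        report.append({
            "target": target,
            "host": host,
            "loaded": name in loaded,
            "requested_as": requested.get(name),  # None: no file request seen
        })
    return report


# Map file exactly as quoted in Phil's message.
PHIL_MAP = r"""
map
\WINDOWS\System32\Drivers\SeUlator.sys
D:\Projects\Drivers\SeUlator\objchk\i386\SeUlator.sys
map
??\C:\WINDOWS\System32\Drivers\disk.sys
D:\Projects\Drivers\DiskClass\objchk\i386\disk.sys
map
\Systemroot\System32\Drivers\classpnp.sys
D:\Projects\Drivers\ClassPnP\objchk\i386\classpnp.sys
"""

# Constructed excerpt: a few lines abridged from Phil's log.
PHIL_LOG = r"""
PacketType=7, ByteCount=113, PacketId=0,
ModLoad: f92e1000 f92e9380 disk.sys
PacketType=2, ByteCount=78, PacketId=0,
KdReadVirtual(f92e1000, 40) returns 00000000, 40
ModLoad: f92f1000 f92fbf80 CLASSPNP.SYS
ModLoad: f9767000 f9768b80 SeUlator.sys
"""

# Constructed: the thread does not show drvmap.ini; these two paths come from
# the "KD: Accessing" line in Sean's log.
SEAN_MAP = r"""
map
\SystemRoot\System32\phmdisp.dll
D:\Host\kernel\build\chk_w2k\i386\phmdisp.dll
"""

# Constructed excerpt: a few lines abridged from Sean's log. The file request
# precedes the module load, so no ModLoad line appears in this excerpt.
SEAN_LOG = r"""
PacketType=b, ByteCount=82, PacketId=80800000,
KD: Accessing ‘D:\Host\kernel\build\chk_w2k\i386\phmdisp.dll’
(\SystemRoot\System32\phmdisp.dll)
File size 128KKdFile request for ‘\SystemRoot\System32\phmdisp.dll’
returns 00000000
PacketType=b, ByteCount=40, PacketId=80800001,
"""

if __name__ == "__main__":
    for label, m, log in (("Phil", PHIL_MAP, PHIL_LOG), ("Sean", SEAN_MAP, SEAN_LOG)):
        print(label, "packet types:", sorted(packet_types(log)))
        for row in diagnose(m, log):
            print("  %-45s loaded=%-5s requested_as=%s"
                  % (row["target"], row["loaded"], row["requested_as"]))
```

A `requested_as` of `None` next to `loaded=True` means the module loaded without the target ever asking the debugger for a file, which is the pattern in Phil's trace.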

I just got a mail from a co-worker here who verified that he had done it
from a UP box to a SMP box with no probs… so that probably isn’t the
place to look. :\

sean

Sean Bullington wrote:

Phil,
I checked my setup, and the event filters on mine haven’t changed
from the defaults (unless someone else snuck in here and changed them).
I have done this with both the free and checked kernel from a UP
machine to a UP machine, but I don’t have an SMP XP/.Net box setup, so
I can’t try it out on there… are you trying this on an SMP box? Has
anyone else on the list had any luck copying drivers over the debug
connection to an SMP box?