Process Internals

hello experts,

I was reading through win internals book and doing the lab side by.
I have created a win32 application which has one parent process

I have attached my exe to windbg and put a break point at one of the function.
Now i want to analyze the process activity, i used |* to know the number of processes and it returned one which is expected.

Now i want to read Virtual address space, Thread , pid from “user mode” , is this possible

can i use
dt nt!_eprocess
or
dt nt!_eprocess

or should i need to analyze these only in kernel mode , if so what are the steps ?

In a user-level process, your debugger is not acting as a kernel debugger,
unless you should single-step into the kernel. I know I used to do this a
lot in Soft-ICE, but I’ve never tried to do hybrid user/kernel debugging in
WinDbg, so someone else will have to answer this.

Therefore, the kernel symbols are not available when you are in the user
space context.

The concept of “parent process” only barely exists in Windows (this is a
concept in linux, but you have to work at getting it as something in
Windows, look up “process group”. If you have not created a process group,
a process has no parent).

In user space, GetCurrentProcessId() and GetModuleName(NULL,…) will give
you what you need, but I don’t know how to ask those questions from the
debugger. Virtual address space is rarely interesting to examine,but there
are APIs that do it; I’d have to look them up but there are APIs that give
lots of interesting information about pages, including which NUMA node the
memory belongs to (look in the NUMA support APIs). You can find the usage
of some of these in my NUMA Explorer, downloadable from my MVP Tips site
www.flounder.com/mvp_tips.htm (because of the automatic highlighting of
hyperlinks, that may be ambiguous to read; it is mvp_tips.htm, not “mvp
tips.htm”)
joe

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@live.com
Sent: Sunday, November 28, 2010 9:28 PM
To: Kernel Debugging Interest List
Subject: [windbg] Process Internals

hello experts,

I was reading through win internals book and doing the lab side by.
I have created a win32 application which has one parent process

I have attached my exe to windbg and put a break point at one of the
function.
Now i want to analyze the process activity, i used |* to know the number of
processes and it returned one which is expected.

Now i want to read Virtual address space, Thread , pid from “user mode” , is
this possible

can i use
dt nt!_eprocess
or
dt nt!_eprocess

or should i need to analyze these only in kernel mode , if so what are the
steps ?

—
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

–
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

hi Joe,

Thanks for your response and suggestions.

I want to analyze process –> thread life cycle from the user mode loading till the allocations etc.
but i am unable to get it.
In kernel mode i use !process , later run !object etc…

also from user mode if i hit .breakin, i get error
.breakin failed, 0xC0000001

In order to view both user mode and kernle mode data of my process ( applicaiton) , i am launching 2 windbg sessions
a) one with local KD
b) other performing debugging

but i donno is this the way ??

* what i am trying to achieve ?
i want to analyze the PEB, EPROCESS block , Ethread block for my understanding purposes, i have theory knowledge but not practicle.

I’m pretty sure that .breakin won’t work with local KD. What I would
suggest to run livekd
(http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx) or
play with live kernel debugging (where you separated host and target).
For live kernel debugging you can always use VM to run target system.
To dump EPROCESS you need to first EPROCESS address of the process you
are interested in:
!process 0 0 <process_name>
Now you can do:
dt nt!_EPROCESS

In order to examine PEB you need to switch process context (using
EPROCESS address from previous command):
.process
Now you can dump PEB with either !peb <peb_address> or dt nt!_PEB
<peb_address> commands.

Kris

On Mon, Nov 29, 2010 at 5:17 AM, wrote:
>
> hi Joe,
>
> Thanks for your response and suggestions.
>
> I want to analyze process –> thread life cycle from the user mode loading till the allocations etc.
> but i am unable to get it.
> In kernel mode i use !process , later run !object etc…
>
> also from user mode if i hit .breakin, i get error
> .breakin failed, 0xC0000001
>
> In order to view both user mode and kernle mode data of my process ( applicaiton) , i am launching 2 windbg sessions
> a) one with local KD
> b) other performing debugging
>
> but i donno is this the way ??
>
> * what i am trying to achieve ?
> i want to analyze the PEB, EPROCESS block , Ethread block for my understanding purposes, i have theory knowledge but not practicle.
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</peb_address></peb_address></process_name>

Indeed, ‘.breakin’ won’t work under local KD. Very little will.

Unfortunately you will need to do what you are already doing - two
debuggers. There is no SoftICEish user/kernel stepping in windbg. That was
a really excellent feature of SI, though one that was surrounded by a number
of less than excellent features.

In any case, based on what you’ve posted, you may already know this (not
sure), but if you haven’t already read it, I would suggest that you read
about ‘Controlling the User Mode Debugger from the Kernel Debugger:’

http://msdn.microsoft.com/en-us/library/ff539298(VS.85).aspx

In particular, I would consider using NTSD instead of windbg.

Good luck,

mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Krzysztof Uchronski
Sent: Monday, November 29, 2010 5:15 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Process Internals

I’m pretty sure that .breakin won’t work with local KD. What I would
suggest to run livekd
(http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx) or
play with live kernel debugging (where you separated host and target).
For live kernel debugging you can always use VM to run target system.
To dump EPROCESS you need to first EPROCESS address of the process you
are interested in:
!process 0 0 <process_name>
Now you can do:
dt nt!_EPROCESS

In order to examine PEB you need to switch process context (using
EPROCESS address from previous command):
.process
Now you can dump PEB with either !peb <peb_address> or dt nt!_PEB
<peb_address> commands.

Kris

On Mon, Nov 29, 2010 at 5:17 AM, wrote:
>
> hi Joe,
>
> Thanks for your response and suggestions.
>
> I want to analyze process –> thread life cycle from the user mode loading
till the allocations etc.
> but i am unable to get it.
> In kernel mode i use !process , later run !object etc…
>
> also from user mode if i hit .breakin, i get error
> .breakin failed, 0xC0000001
>
> In order to view both user mode and kernle mode data of my process (
applicaiton) , i am launching 2 windbg sessions
> a) one with local KD
> b) other performing debugging
>
> but i donno is this the way ??
>
> * what i am trying to achieve ?
> i want to analyze the PEB, EPROCESS block , Ethread block for my
understanding purposes, i have theory knowledge but not practicle.
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer</peb_address></peb_address></process_name>