Re[2]: !wlse extension

> So, IIUC, Kdcom.dll runs only in user mode…in other words
> Kdcom.dll does not invoke - either directly or indirectly
> - any system call (kernel services)…

Correction: KDCOM.dll only works in kernel mode.

You don't need to have a driver in order to send something
over a serial port. In fact, you don't need a driver to send
data to any device. The only problem is that your code,
using direct I/O port instructions, might be hardware specific.
Drivers exist only to encapsulate those hardware differences
and give a unified interface.

In the case of the serial port, maybe you remember how it was done in old DOS
times - you wrote a set of functions that used IN/OUT instructions
to configure the serial port and send/receive data (AFAIK there
was also some interrupt involved). Because the serial port is standard
for each PC (the same port numbers, the same way to use it),
there is no need for drivers.

L.

sprintf_s(
(char *)PageAllot,
200,
"WsleTestOne Alloted This Page\n"
);
DebugBreak();
VirtualFree(
NULL,
1000,
MEM_RELEASE
);
return 1;
}

run the first app and let it break in kd

when it breaks assemble an infinite jmp (0xeb 0xfe ) at the return
address on stack and hit G
the app will be spinning indefinitely

launch the second executable and let it break in kd

when it broke you will have two executables with just minor
differences and you compare the
pages

since I posted this I was wondering if there is a neater way to break
two apps simultaneously
in kd ??

I know I can compile
__asm _emit 0xeb __asm _emit 0xfe

instead of DebugBreak();

but that doesn't seem to be proper and also
IIRC EBFE makes it 100% cpu usage in task mgr

anyone ?? any tricks ?

On 5/20/12, Ladislav Zezula wrote:
>> So, IIUC, Kdcom.dll runs only in user mode…in other words
>> Kdcom.dll does not invoke - either directly or indirectly
>> - any system call (kernel services)…
>
> Correction: KDCOM.dll only works in kernel mode.
>
> You don’t need to have a driver in order to send something
> over a serial port. In fact, you don’t need a driver to send
> data to any device. The only problem is that your code,
> using direct I/O port instructions, might be a hardware specific.
> Drivers exist only to encapsulate those hardware differences
> and give unified interface.
>
> In case of serial port, maybe you remember how it was done in old DOS
> times - you wrote a set of functions that used IN/OUT instructions
> to configure the serial port and send/receive data (AFAIK there
> was also some interrupt involved). Because serial port is standard
> for each PC (the same port numbers, the same way to use it),
> there is no need for drivers.
>
> L.
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

> you wrote a set of functions that used IN/OUT instructions
> to configure the serial port and send/receive data (AFAIK there
> was also some interrupt involved)

from what you are saying I guess KDCOM.dll (running only in kernel mode) will hook the IDT entry for the serial port in order to handle interrupts from the serial port itself (I suppose the CPU will continue to run in protected mode)…

> when it breaks assemble an infinite jmp (0xeb 0xfe ) at the return
> address on stack and hit G
> the app will be spinning indefinitely

how can I assemble this jump at the return address on the stack? Thanks

> from what you are saying I guess KDCOM.dll (running only in kernel mode)
> will hook the IDT entry for the serial port in order to handle interrupts from the serial
> port itself (I suppose the CPU will continue to run in protected mode)…

The KdpReceivePacket debugger API uses KdPortGetByte, which on x86
calls READ_PORT_UCHAR from HAL.dll. I am not an expert on COM
handling, but I'd say it uses the port in polling mode,
so no interrupt is hooked. Also, when you are configuring kernel
debugging for VMware, you need to enable the poll mode, which kinda
confirms what I think.

And yes, the CPU keeps running in protected mode, as the "in" and "out"
instructions used in the process work the same way.

L.

kd> g
Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
7c90120e cc int 3

kd> .process /p /r

Implicit process is now ffbaf140
.cache noforcedecodeptes done
Loading User Symbols


*** WARNING: Unable to verify checksum for WsleTestOne.exe
kd> kb
ChildEBP RetAddr  Args to Child
0012ff6c 0040107c 00350000 0012ffc0 0040153f ntdll!DbgBreakPoint
0012ff78 0040153f 00000001 00332ea8 00332ef8 WsleTestOne!main+0x6c [c:\documents and settings\admin\my documents\visual studio 2008\projects\wsletestoneandtwo\wsletestone.cpp @ 36]
0012ffc0 7c817067 00380036 00360037 7ffd8000 WsleTestOne!__tmainCRTStartup+0xfb [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 266]
0012fff0 00000000 00401596 00000000 78746341 kernel32!BaseProcessStart+0x23

kd> ub 0040107c l2
WsleTestOne!main+0x63 [c:\documents and settings\admin\my documents\visual studio 2008\projects\wsletestoneandtwo\wsletestone.cpp @ 30]:
00401073 83c40c          add     esp,0Ch
00401076 ff15e8614200    call    dword ptr [WsleTestOne!_imp__DebugBreak (004261e8)]

kd> u 0040107c l2
WsleTestOne!main+0x6c [c:\documents and settings\admin\my documents\visual studio 2008\projects\wsletestoneandtwo\wsletestone.cpp @ 36]:
0040107c 6800800000      push    8000h
00401081 68e8030000      push    3E8h

kd> a 0040107c                (the prompt changes to an Input prompt)
0040107c jmp 0x0040107c
0040107e                      (hit Enter to get out of the input prompt)

kd> u 0040107c l2
WsleTestOne!main+0x6c [c:\documents and settings\admin\my documents\visual studio 2008\projects\wsletestoneandtwo\wsletestone.cpp @ 36]:
0040107c ebfe            jmp     WsleTestOne!main+0x6c (0040107c)    (see: the disassembly has changed from the previous output)
0040107e 800000          add     byte ptr [eax],0
kd> g
Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
7c90120e cc int 3
kd> .process /p /r
Implicit process is now 810c14c0
.cache noforcedecodeptes done
Loading User Symbols

*** WARNING: Unable to verify checksum for WsleTestTwo.exe

instead of a and assembling you can do eb 40107c to write a raw byte, ew to write
a word; you can write a float to crash the app :) and instead of kb you can use
the pseudo register $ra to get the return address on the stack

since this is a throwaway app you are going to kill anyway
you can even simply do eb eip and assemble the jump in ntdll.dll

kd> ? $ra
Evaluate expression: 4198524 = 0040107c
kd> eb $ra
0040107c eb

kd> ew $ra
0040107c 00eb

kd> ed $ra
0040107c 008000eb

kd> eq $ra
0040107c 03e86800`008000eb

kd> ef $ra
0040107c 1.17553e-038

On 5/20/12, xxxxx@volny.cz wrote:
>> from what are you saying I guess KDCOM.dll (running only in kernel mode)
>> will hook the IDT entry for serial port in order to handle interrupts from
>> serial
>> port itself (I suppose CPU will continue to run in protected mode)…
>
> The KdpReceivePacket debugger API uses KdPortGetByte, which on x86
> calls READ_PORT_UCHAR from HAL.dll. I am not an expert for COM
> handling, but I’d say it uses the port in polling mode,
> so no interrupt is hooked. Also, when you are configuring kernel
> debugging for VMWARE, you need to enable the poll mode, which kinda
> confirms what I think.
>
> And yes, the CPU keeps running in protected mode, as the “in” and “out”
> instructions used in the process work the same way.
>
> L.
>

>> when it breaks assemble an infinite jmp (0xeb 0xfe ) at the return
>> address on stack and hit G
>> the app will be spinning indefinitely
>
> how can I assemble this jump at the return address on stack ? Thanks
****
Determine the location of the return address on the stack.

Put the infinite jmp on the stack (hex codes as shown above)

Change the return address on the stack to point to it.

Assignment statements work well for this purpose.
joe
****



> sprintf_s(
> (char *)PageAllot,
****
This cast is silly, gratuitous, and dangerous. If the code doesn't
compile without the cast, the code is wrong.

DO NOT toss casts in at random. This habit eventually leads to disaster.
There are places where casts are required, and this is not one of them.
Unless PageAllot is not a char *, which then points out that you have
failed to give an actual example, just a piece of an example.
****

> 200,
****
Where did this magic number come from? Why not sizeof(PageAllot)? I love
how code examples never show the declarations of the variables that are
used, and we are somehow supposed to intuit that they are magically the
correct declarations. A nontrivial number of times, once the declarations
are shown, it is obvious that the declaration is wrong. So why is
"PageAlloc" not shown?
****
> "WsleTestOne Alloted This Page\n"
> );
> DebugBreak();
> VirtualFree(
> NULL,
****
Why is it you think that VirtualFree allows NULL as the first parameter?
****
> 1000,
****
What part of the documented API did you miss that says that if the flags
include MEM_RELEASE, this parameter must be 0?

And why do you think 1000 could EVER be a meaningful parameter to
VirtualFree?
****

> MEM_RELEASE
> );
> return 1;
> }
>
> run the first app and let it break in kd
>
> when it breaks assemble an infinite jmp (0xeb 0xfe ) at the return
> address on stack and hit G
> the app will be spinning indefinitely
>
> launch the second executable and let it break in kd
>
> when it broke you will have two executables with just minor
> differences and you compare the
> pages
>
> since I posted this I was wondering if there is a neater way to break
> two apps simultaneously
> in kd ??
>
> I know I can compile
> __asm _emit 0xeb __asm _emit 0xfe
>
> instead of DebugBreak();
>
> but that doesn't seem to be proper and also
> IIRC EBFE makes it 100% cpu usage in task mgr
****
Big surprise! You code an infinite loop and you seem surprised that the
process takes 100% of the CPU?

You COULD have written

while(TRUE);

and gotten the same effect.
****

anyone ?? any tricks ?

On 5/20/12, Ladislav Zezula wrote:
>>> So, IIUC, Kdcom.dll runs only in user mode…in other words
>>> Kdcom.dll does not invoke - either directly or indirectly
>>> - any system call (kernel services)…
>>
>> Correction: KDCOM.dll only works in kernel mode.
>>
>> You don’t need to have a driver in order to send something
>> over a serial port. In fact, you don’t need a driver to send
>> data to any device. The only problem is that your code,
>> using direct I/O port instructions, might be a hardware specific.
>> Drivers exist only to encapsulate those hardware differences
>> and give unified interface.
>>
>> In case of serial port, maybe you remember how it was done in old DOS
>> times - you wrote a set of functions that used IN/OUT instructions
>> to configure the serial port and send/receive data (AFAIK there
>> was also some interrupt involved). Because serial port is standard
>> for each PC (the same port numbers, the same way to use it),
>> there is no need for drivers.
>>
>> L.
>>

> compile these few lines into two executables by making a difference between them as follows
> run the first app and let it break in kd when it breaks assemble an infinite jmp (0xeb 0xfe ) at the return address on stack and hit G the app will be spinning indefinitely

I compiled and ran the two executables (compiled using VC 10) on my Win XP laptop…however they break in the user-mode windbg debugger (not lkd or kd)…

Can you give me some help ??

Thanks Dr Newcomer, your comments are as usual quite right and I agree
I should stop coding assembly-styled C. In fact I posted the whole
snippet a few posts above including the declaration for PageAllot which
incidentally was declared as LPVOID PageAllot;

I don't know, but I tried while (true) / I tried running the app in a
usermode debugger and trapping it in kd but none of these things shows
the newly allotted page in the working set list

let me clarify: the whole purpose of the DEMO was to see the results of
the pages allocated by two executables that have a minor difference in
them in any possible way (either by hook or crook)

so basically the CONCEPT was to make two exes that each allotted a page,
wrote something to that page and broke into the debugger using
DebugBreak()

now this posed a problem: once the first app broke in KD I couldn't
execute the second app
so to bypass this problem I assembled an infinite jump, let it spin and
executed the second app which again broke in KD

now I could examine both of them side by side in KD

so after the DEMO I was trying to improve the strategy

so I posed the question to the group asking if there is a better way
to break two apps simultaneously in any way possible exactly like
DebugBreak breaks in KD

while I did it with __asm _emit { 0xeb 0xfe } inline in code
instead of DebugBreak()

or some while (true)

or when run in a local debugger and redirecting the output to kd (viz
ntsd -d "mytestapp.exe")

the working set list (dt nt!_MMWSL <_________________> ->wsle) does not
show the PAGE that was allotted

they were visible as posted in an earlier post only immediately after
DebugBreak in kernel

possibly because of BalanceSetManager's background operation or some
thing which I am not sure of either terminology or logic

just for the sake of reference I am pasting the earlier post's content

well even though the address seems to be the same the contents differ based
on process

to confirm, compile these few lines into two executables by making a
difference between them as follows

Comparing files WsleTestOne.cpp and WSLETESTTWO.CPP
***** WsleTestOne.cpp
200,
"WsleTestOne Alloted This Page\n"
);
***** WSLETESTTWO.CPP
200,
"WsleTestTwo Alloted This Page\n"
);
*****

#include <windows.h>
#include <stdio.h>
int main(void)
{
    printf(
        "lets test wsle entries by alloting a page writing to \n"
        "that page and checking that page in wsldata as mmwsl* \n"
        "for all processes seems to be located at same Address \n"
    );
    LPVOID PageAllot;
    if (( PageAllot = VirtualAlloc(
            NULL,
            4096,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_EXECUTE_READWRITE
        ) ) == 0 ) {
        printf(
            "virtual Alloc Failed\n"
        );
        return 0;
    }
    printf (
        "Page Allocated at %p\n",
        PageAllot
    );
    sprintf_s(
        (char *)PageAllot,
        200,
        "WsleTestOne Alloted This Page\n"
    );
    DebugBreak();
    VirtualFree(
        NULL,
        1000,
        MEM_RELEASE
    );
    return 1;
}

run the first app and let it break in kd

when it breaks assemble an infinite jmp (0xeb 0xfe ) at the return
address on stack and hit G
the app will be spinning indefinitely

launch the second executable and let it break in kd

when it broke you will have two executables with just minor
differences and you compare the
pages

even though the address 0xc088 whatever appears to be the same
the page contents will definitely not be the same

see below an output

kd> !grep -i -b2 -a1 -e "wsle" -c "!process 0 0"
PROCESS ffa21228 SessionId: 0 Cid: 07f0 Peb: 7ffdc000 ParentCid: 0574
DirBase: 0255d000 ObjectTable: e1bf01a0 HandleCount: 7.
Image: WsleTestTwo.exe

PROCESS ff9d4250 SessionId: 0 Cid: 0104 Peb: 7ffd4000 ParentCid: 0574
DirBase: 046bb000 ObjectTable: e1750be0 HandleCount: 7.
Image: WsleTestOne.exe

kd> .process /p ffa21228
Implicit process is now ffa21228
.cache forcedecodeuser done
kd> .shell -ci "r $t0 = 0; .while ( $t0< 0xd3 ) { dc /c 8 (poi(0xc050369c+($t0*4))&0xfffff000) l 8; r $t0 = $t0+1}" grep -i "wsle"
00350000 656c7357 74736554 206f7754 6f6c6c41 20646574 73696854 67615020 00000a65 WsleTestTwo Alloted This Page…
.shell: Process exited
kd> .process /p ff9d4250
Implicit process is now ff9d4250
.cache forcedecodeuser done
kd> .shell -ci "r $t0 = 0; .while ( $t0< 0xd3 ) { dc /c 8 (poi(0xc050369c+($t0*4))&0xfffff000) l 8; r $t0 = $t0+1}" grep -i "wsle"
00350000 656c7357 74736554 20656e4f 6f6c6c41 20646574 73696854 67615020 00000a65 WsleTestOne Alloted This Page…
.shell: Process exited
kd> dt nt!_EPROCESS vm.vmworkingsetlist ffa21228
+0x1f8 Vm :
+0x020 VmWorkingSetList : 0xc0503000 _MMWSL
kd> dt nt!_EPROCESS vm.vmworkingsetlist ff9d4250
+0x1f8 Vm :
+0x020 VmWorkingSetList : 0xc0503000 _MMWSL
kd> dt nt!_EPROCESS vm.vmworkingsetlist->Wsle ffa21228
+0x1f8 Vm :
+0x020 VmWorkingSetList :
+0x014 Wsle : 0xc050369c _MMWSLE
kd> dt nt!_EPROCESS vm.vmworkingsetlist->Wsle ff9d4250
+0x1f8 Vm :
+0x020 VmWorkingSetList :
+0x014 Wsle : 0xc050369c _MMWSLE

On 5/21/12, xxxxx@alice.it wrote:
>> compile these few lines into two executables by making a difference
>> between them as follows
>> run the first app and let it break in kd when it breaks assemble an
>> infinte jmp (0xeb 0xfe ) at the return address on stack and hit G the app
>> will be spinning indefinitely
>
> I compiled and run the two executables (compiled using VC 10) on my Win XP
> laptop…however they break in user windbg debugger (not lkd or kd)…
>
> Can you give me some help ??

On 5/21/12, xxxxx@alice.it wrote:

> I compiled and run the two executables (compiled using VC 10) on my Win XP
> laptop…however they break in user windbg debugger (not lkd or kd)…
>
> Can you give me some help ??

I am not sure I understand you, so let me ask some obvious questions

1) have you set up kd? if so, how?
   a) two-machine setup
      - serial
      - 1394
      - usb
      - net
   b) virtual setup
      - repeat the above

2) if yes, are you able to break into kd by pressing ctrl+break in the host
   (the machine you are running windbg on)
   or by pressing ctrl+alt+[fnkey]+sysrq or ctrl+alt+[fnkey]+printscreen keys

3) are you able to do !process 0 0 and view the results in kd

4) are you running the executable in the target pc (either physical or virtual)

5) if yes, can you see the process in kd on the host if you do !process 0 0

let's take it on from here for other esoteric causes that may prevent you
from breaking in kd later

PS nothing will break in lkd.
lkd is not a debugger per se; it is like viewing a crashdump (KIND OF
POST MORTEM REPORTING, DO NOT EXPECT THE BODY CALLED DUMP TO SPEAK, THEY
WON'T; ALL YOU CAN DO AT BEST IS DEDUCE, SEE THE COLOR OF THE BODY AND
PRONOUNCE POISONED etc etc)

Visual Studio has supported multiprocess debugging for years. So I would
suggest looking into that as a better solution. In my lab exercise, we had
two programs writing to a shared page, and unless there was a breakpoint
set in the receiver, it would continue to run even while I was
single-stepping the sender.

How are you “allocating” a page into both processes?
joe


Well Dr Newcomer, I am not sure if the Visual Studio debugger can handle parsing
Working Set List Entries in kernel mode.

Pages in both processes are a simple one-liner with VirtualAlloc, pasted
below; the only change is the sprintf string: process 1 has WsleTestOne,
process 2 has WsleTestTwo

#include <windows.h>
#include <stdio.h>

int main(void)
{
    PCHAR PageAllot = (PCHAR) VirtualAlloc(
        NULL,
        4096,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE
    );
    if (PageAllot != 0 ) {
        sprintf_s(
            PageAllot,
            200,
            "WsleTestOne Alloted This Page @ %p\n",
            PageAllot
        );
        DebugBreak();
        VirtualFree(
            PageAllot,
            0,
            MEM_RELEASE
        );
        return 0;
    }
    return 1;
}

and I want to break both of these similar processes in the kernel debugger simultaneously

and want to examine the wsle

like below

kd> g
Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
001b:7c90120e cc int 3
kd> .process /p /r
Implicit process is now ffb38ad8
.cache noforcedecodeptes done
Loading User Symbols

*** WARNING: Unable to verify checksum for WsleTestModOne.exe
kd> kbL
ChildEBP RetAddr  Args to Child
0012ff6c 00401051 00350000 0012ffc0 004013a3 ntdll!DbgBreakPoint
0012ff78 004013a3 00000001 00332ea8 00332ef0 WsleTestModOne!main+0x41
0012ffc0 7c817067 00380036 00360037 7ffdc000 WsleTestModOne!__tmainCRTStartup+0xfb
0012fff0 00000000 004013fa 00000000 78746341 kernel32!BaseProcessStart+0x23

kd> ?? ((((nt!_EPROCESS *)@$proc)->Vm).VmWorkingSetList)->Wsle->u1

union __unnamed
+0x000 VirtualAddress : 0xc0300203 Void
+0x000 Long : 0xc0300203
+0x000 e1 : _MMWSLENTRY

kd> .for( r $t0 =5d ; $t0<61;R $t0 = $t0+1) {da (poi(0xc050369c+$t0*4)&0xfffff000) l40 }
00413000 “.}.”
7c814000 “torageOnILockBytes”
00350000 "WsleTestOne Alloted This Page @ "
00350020 “00350000.”
00251000 “”

On 5/23/12, xxxxx@flounder.com wrote:
> Visual Studio has supported multiprocess debugging for years. So I would
> suggest looking into that as a better solution. In my lab exercise, we had
> two programs writing to a shared page, and unless there was a breakpoint
> set in the receiver, it would continue to run even while I was
> single-stepping the sender.
>
> How are you “allocating” a page into both processes?
> joe
>
>> Thanks Dr NewComer Your Comments are As usual quiet Right and i agree
>> i should stop coding assembly styled C infact i posted the whole
>> snippet a few posts above including declaration for PageAllot which
>> incidentally was declared as LPVOID PageAllot;
>>
>> i dont know but i tried while (true) / i tried running the app in a
>> usermode debugger and trapping it in kd but none of the things shows
>> the newly alloted page in working set list
>>
>> let me clarify the whole purpose of the DEMO was to see the results of
>> the pages allocated by two executables that has minor difference in
>> them in any possible way (either by hook or crook)
>>
>> so basically the CONCEPT was to make two exes that each alloted a page
>> wrote something to that page and broke into debugger using
>> DebugBreak()
>>
>> now this posed a problem once the first app broke in KD i couldn’t
>> execute the second app
>> so to bypass this problem i assembled an infinite jump let it spin and
>> executed the second app which again broke in KD
>>
>> now i could examine both of them side by side in KD
>>
>> so after the DEMO i was trying to improve the strategy
>>
>> so i posed the question to the group asking if there is a better way
>> to break two apps simultaneously in any way possible exactly like
>> DebugBreak breaks in KD
>>
>> while i did it with asm _emit { 0xeb 0xfe } inline in code
>> instead of DebugBreak()
>>
>> or some while (true)
>>
>> or when run in a local debugger and redirecting the output to kd (viz
>> ntsd -d “mytestapp.exe”
>>
>> the working set list (dt nt!_MMWSL <
_______________> ->wsle) donot
>> show the PAGE that was alloted
>>
>> they were visible as posted in an earlier post only immediatly after
>> DebugBreak In kernel
>>
>> possibly because of BalanceSetManagers background operation or some
>> thing which i am not sure of either terminology or logic
>>
>>
>>
>> just for the sake of referance i am pasting the earlier posts content
>>
>>
>> well even though the address seem to be same the contents differ based
>> on process
>>
>> to confirm compile these few lines into two executables by making a
>> difference between them as follows
>>
>> Comparing files WsleTestOne.cpp and WSLETESTTWO.CPP
>> WsleTestOne.cpp
>> 200,
>> “WsleTestOne Alloted This Page\n”
>> );
>>
WSLETESTTWO.CPP
>> 200,
>> “WsleTestTwo Alloted This Page\n”
>> );
>> *****
>>
>> #include <windows.h>
>> #include <stdio.h>
>> int main(void)
>> {
>> printf(
>> “lets test wsle entries by alloting a page writing to \n”
>> “that page and checking that page in wsldata as mmwsl* \n”
>> “for all processes seems to be located at same Address \n”
>> );
>> LPVOID PageAllot;
>> if (( PageAllot = VirtualAlloc(
>> NULL,
>> 4096,
>> MEM_COMMIT | MEM_RESERVE,
>> PAGE_EXECUTE_READWRITE
>> ) ) == 0 ) {
>> printf(
>> “virtual Alloc Failed\n”
>> );
>> return 0;
>> }
>> printf (
>> “Page Allocated at %p\n”,
>> PageAllot
>> );
>> sprintf_s(
>> (char )PageAllot,
>> 200,
>> “WsleTestOne Alloted This Page\n”
>> );
>> DebugBreak();
>> VirtualFree(
>> NULL,
>> 1000,
>> MEM_RELEASE
>> );
>> return 1;
>> }
>>
>> run the first app and let it break in kd
>>
>> when it breaks assemble an infinte jmp (0xeb 0xfe ) at the return
>> address on stack and hit G
>> the app will be spinning indefinitely
>>
>> launch the second executable and let it break in kd
>>
>> when it broke you will have two executables with just minor
>> differences and you compare the
>> pages
>>
>> even though the address 0xc088 whatever appears to be same
>> the page contents will definately not be the same
>>
>> see below an output
>>
>> kd> !grep -i -b2 -a1 -e “wsle” -c “!process 0 0”
>> PROCESS ffa21228 SessionId: 0 Cid: 07f0 Peb: 7ffdc000 ParentCid:
>> 0574
>> DirBase: 0255d000 ObjectTable: e1bf01a0 HandleCount: 7.
>> Image: WsleTestTwo.exe
>>
>> PROCESS ff9d4250 SessionId: 0 Cid: 0104 Peb: 7ffd4000 ParentCid:
>> 0574
>> DirBase: 046bb000 ObjectTable: e1750be0 HandleCount: 7.
>> Image: WsleTestOne.exe
>>
>> kd> .process /p ffa21228
>> Implicit process is now ffa21228
>> .cache forcedecodeuser done
>> kd> .shell -ci "r $t0 = 0; .while ( $t0< 0xd3 ) { dc /c 8
>> (poi(0xc050369c+($t0
4))&0xfffff000) l 8; r $t0 = $t0+1}" grep -i
>> “wsle”
>> 00350000 656c7357 74736554 206f7754 6f6c6c41 20646574 73696854
>> 67615020 00000a65 WsleTestTwo Alloted This Page…
>> .shell: Process exited
>> kd> .process /p ff9d4250
>> Implicit process is now ff9d4250
>> .cache forcedecodeuser done
>> kd> .shell -ci "r $t0 = 0; .while ( $t0< 0xd3 ) { dc /c 8
>> (poi(0xc050369c+($t0*4))&0xfffff000) l 8; r $t0 = $t0+1}" grep -i
>> "wsle"
>> 00350000 656c7357 74736554 20656e4f 6f6c6c41 20646574 73696854
>> 67615020 00000a65 WsleTestOne Alloted This Page…
>> .shell: Process exited
>> kd> dt nt!_EPROCESS vm.vmworkingsetlist ffa21228
>> +0x1f8 Vm :
>> +0x020 VmWorkingSetList : 0xc0503000 _MMWSL
>> kd> dt nt!_EPROCESS vm.vmworkingsetlist ff9d4250
>> +0x1f8 Vm :
>> +0x020 VmWorkingSetList : 0xc0503000 _MMWSL
>> kd> dt nt!_EPROCESS vm.vmworkingsetlist->Wsle ffa21228
>> +0x1f8 Vm :
>> +0x020 VmWorkingSetList :
>> +0x014 Wsle : 0xc050369c _MMWSLE
>> kd> dt nt!_EPROCESS vm.vmworkingsetlist->Wsle ff9d4250
>> +0x1f8 Vm :
>> +0x020 VmWorkingSetList :
>> +0x014 Wsle : 0xc050369c _MMWSLE
>>
>>
>>
>>
>>
>>
>> On 5/21/12, xxxxx@alice.it wrote:
>>>> compile these few lines into two executables by making a difference
>>>> between them as follows
>>>> run the first app and let it break in kd; when it breaks, assemble an
>>>> infinite jmp (0xeb 0xfe) at the return address on the stack and hit g; the
>>>> app
>>>> will be spinning indefinitely
>>>
>>> I compiled and ran the two executables (compiled using VC 10) on my Win
>>> XP
>>> laptop… however they break in the user-mode windbg debugger (not lkd or kd)…
>>>
>>> Can you give me some help?
>>>
>>>
>>>
>>> —
>>> WINDBG is sponsored by OSR
>>>
>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>

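The quoted `.shell` loop walks 0xd3 entries at 0xc050369c, masks each one with 0xfffff000 and dumps the page it names; the `dt` output shows why `.process /p` has to come first: VmWorkingSetList is 0xc0503000 in both processes because the list lives in the per-process hyperspace region, so the same address reaches a different list in each process. What follows is an added example, not code from the thread: Python that decodes `dd` output of the `_MMWSLE` array, keeps only entries with the Valid bit set, and compares the page sets of two processes. The bit layout used is the 32-bit XP one (Valid in bit 0, Protection in bits 3-7, VirtualPageNumber in bits 12-31) and is an assumption to confirm with `dt nt!_MMWSLENTRY` on the target; the two `dd` dumps are constructed, using the PEB addresses from the `!process` output above so the difference is recognisable.

```python
import re

# Assumed XP 32-bit _MMWSLENTRY layout; confirm with `dt nt!_MMWSLENTRY`:
#   bit 0       Valid            bit 8       Hashed
#   bit 1       LockedInWs       bit 9       Direct
#   bit 2       LockedInMemory   bits 10-11  Age
#   bits 3-7    Protection       bits 12-31  VirtualPageNumber
PAGE_MASK = 0xFFFFF000  # the mask the .shell loop above applies to every entry


def decode_wsle(raw: int) -> dict:
    """Split one 32-bit working-set list entry into its fields."""
    return {
        "valid": raw & 1,
        "locked_in_ws": (raw >> 1) & 1,
        "locked_in_memory": (raw >> 2) & 1,
        "protection": (raw >> 3) & 0x1F,
        "hashed": (raw >> 8) & 1,
        "direct": (raw >> 9) & 1,
        "age": (raw >> 10) & 0x3,
        "va": raw & PAGE_MASK,
    }


_DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


def parse_dd(text: str):
    """Yield (address, dword) for every value in `dd` output, four per line."""
    for line in text.splitlines():
        m = _DD_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            yield base + 4 * i, int(tok, 16)


def working_set_pages(dd_text: str) -> list:
    """Page bases of the valid entries, in list order.

    Slots with bit 0 clear are free-list links (MMWSLE_FREE_ENTRY), not page
    numbers; masking them with 0xfffff000 and dumping the result, as the
    unconditional loop above does, reads an unrelated address.
    """
    pages = []
    for _, raw in parse_dd(dd_text):
        entry = decode_wsle(raw)
        if entry["valid"]:
            pages.append(entry["va"])
    return pages


def skipped_free_entries(dd_text: str) -> list:
    """Slot indexes the masking loop would have dumped although they are free."""
    return [i for i, (_, raw) in enumerate(parse_dd(dd_text)) if not raw & 1]


def compare_working_sets(dd_one: str, dd_two: str) -> dict:
    """Split page bases into those present in both lists and those unique to each."""
    one, two = set(working_set_pages(dd_one)), set(working_set_pages(dd_two))
    return {"common": sorted(one & two),
            "only_one": sorted(one - two),
            "only_two": sorted(two - one)}


# Constructed `dd` output for the first eight _MMWSLE slots of the two test
# processes (real data would come from `dd c050369c L<count>` after `.process /p`).
WSLE_ONE = """\
c050369c  c0300223 c0301223 7ffd4223 00350223
c05036ac  00400221 00005002 00000000 00000000
"""
WSLE_TWO = """\
c050369c  c0300223 c0301223 7ffdc223 00350223
c05036ac  00400221 00007002 00000000 00000000
"""

if __name__ == "__main__":
    for name, text in (("one", WSLE_ONE), ("two", WSLE_TWO)):
        print(name, [hex(p) for p in working_set_pages(text)],
              "free slots:", skipped_free_entries(text))
    print(compare_working_sets(WSLE_ONE, WSLE_TWO))
```

The point of the Valid filter is the slot like 0x00005002 in the sample: the loop in the post masks it to 0x00005000 and dumps that, which shows unrelated or unreadable memory rather than a working-set page. The 0x00350000 page lands in the common set, as in the post, while the PEB pages (0x7ffd4000 and 0x7ffdc000) are unique to each process.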
I use a virtual setup (a VPC instance running the target XP 32-bit client). It also breaks into kd (windbg kd) when WsleTestOne (WSLW.exe) runs on the target:

Break instruction exception - code 80000003 (first chance)
001b:77f6f570 cc int 3
kd> .process /p /r
Implicit process is now 812d7020
.cache noforcedecodeptes done
Loading User Symbols

*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
kd> kbL
*** WARNING: Unable to verify checksum for WSLW.exe
*** ERROR: Module load completed but symbols could not be loaded for WSLW.exe
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff80 00401235 00000001 00420250 004202c0 ntdll+0x2f570
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
0012ffc0 77e5eb69 00000000 00000001 7ffdf000 WSLW+0x1235
0012fff0 00000000 00401130 00000000 78746341 kernel32!CreateProcessInternalW+0x1177

Anyway I’ve an issue with ntdll symbols…

SYMSRV: c:\Programmi\Debugging Tools for Windows\websymbols\ntdll.dll\3B8EB869af000\ntdll.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.dll/3B8EB869af000/ntdll.dll not found
DBGENG: C:\WINDOWS\System32\ntdll.dll image header does not match memory image header.
DBGENG: C:\WINDOWS\System32\ntdll.dll - Couldn’t map image from disk.
DBGHELP: No debug info for ntdll.dll. Searching for dbg file
SYMSRV: c:\programmi\debugging tools for windows\websymbols\ntdll.dbg\3B8EB869af000\ntdll.dbg not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.dbg/3B8EB869af000/ntdll.dbg not found
DBGHELP: .\ntdll.dbg - file not found
DBGHELP: .\dll\ntdll.dbg - path not found
DBGHELP: .\symbols\dll\ntdll.dbg - path not found
DBGHELP: ntdll.dll missing debug info. Searching for pdb anyway
DBGHELP: Can’t use symbol server for ntdll.pdb - no header information available
DBGHELP: ntdll.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
DBGHELP: ntdll - no symbols loaded

Do you think the ntdll version installed on my target is not available on the Microsoft symbol server?

thanks

Well, one small thing I note at the moment is that your path has a space in it (Programmi).

I can't say if it is a problem, but as a rule of thumb always try to
avoid any path with spaces.

I would suggest creating a directory in the root, like f:\symbols, and making
it your cache.

Many a time the cryptic error messages are manifested solely because
you have a space in the path. In fact I don't download anything
(especially MSIs) to %userprofile%\desktop, My Documents,
%users%\Desktop etc.

To quote a recent incident: I downloaded logparser.msi (to try and
decipher some ETL files) to my desktop and double-clicked it, and the
error message is

error reading from file c:\documents and settings\admin\desktop\logparse.msi

See how the error message shows the full path, and of course the file exists.

I can see:
0007daa8 01008c18 0007e4e8 010013ac 00000005 msiexec!DoInstallPackage+0x16c

0:005> du /c 40 0007e4e8
0007e4e8 “C:\Documents and Settings\Admin\Desktop\LogParser.msi”

C:\Documents and Settings\Admin\Desktop>dir /b /s *.msi
C:\Documents and Settings\Admin\Desktop\LogParser.msi

C:\Documents and Settings\Admin\Desktop>

Still the error:

0:000> !hwnd
Window 000a02a2
Name
Class tooltips_class32
Window 000a02a4
Name Installer Information
Class MsiDialogCloseClass
ChildWindow 000902a0
Name &Retry
Class Button
ChildWindow 00070268
Name Cancel
Class Button
ChildWindow 00050286
Name Error reading from file C:\Documents and
Settings\Admin\Desktop\LogParser.msi. Verify that the file exists and
that you can access it.
Class Static


You’re probably hitting the issue discussed here:

http://www.osronline.com/ShowThread.cfm?link=195224

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com


I've installed SP2 on my (virtual) target XP client. Now it seems good…

kd> kbL
ChildEBP RetAddr Args to Child
0012ff74 00401066 00330000 0012ffc0 00401235 ntdll!DbgBreakPoint
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff80 00401235 00000001 00420250 004202c0 WSLW+0x1066
0012ffc0 7c816d4f 0160d728 7c91e1fe 7ffdf000 WSLW+0x1235
0012fff0 00000000 00401130 00000000 78746341 kernel32!BaseProcessStart+0x23

OK, I was going to post that the specified DLL doesn't seem to exist on the
MS symbol server, but since you have moved on that shouldn't matter.

I'll just make a note in addition to what Scott Noone posted,
if you have to do it standalone:

use dumpbin on the component that is failing, then use curl to try fetching it

C:\>dumpbin /headers c:\WINDOWS\system32\ntdll.dll | grep -i -E "time|size of image"
49901D48 time date stamp Mon Feb 09 17:40:48 2009
B2000 size of image
Time Type Size RVA Pointer

C:\>c:\Mybattools\fetch_symbol.bat ntdll dll 49901d48b2000 dl_

In your case the DLL didn't seem to be available
on the MS symbol server,

though I could find it mentioned on Google:

C:\WINDOWS\System32\ntdll.dll, loaded at 0x77f40000 - 695808 bytes -
3b8eb869 - file date is 8/31/2001 12:00:00

Operating System: Windows XP Professional (5.1, Build 2600)
(2600.xpclnt_qfe.010827-1803)
Language: Italian (Regional Setting: Italian)


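Both the SYMSRV lines in the earlier message (`ntdll.dll\3B8EB869af000\ntdll.dll`) and the dumpbin-then-curl step above turn on the same key: the PE TimeDateStamp as eight hex digits followed by SizeOfImage in hex. This is an added example, not raj's fetch_symbol.bat or anything else from the thread: Python that reads the two fields from a PE header (or from the dumpbin lines above), builds the key, and derives the cache path and msdl URL the log shows. The PE bytes are constructed header-only data, not a loadable binary, and the function names are mine. One caveat from the same log: DBGENG reports that the on-disk ntdll.dll header does not match the in-memory image, so the key has to come from the image actually loaded on the target, not from whatever copy sits in System32; and the .pdb lookup that follows a successful image fetch uses the GUID and age from the CodeView record, which this example does not compute.

```python
import re
import struct

# Server and layout as shown by the SYMSRV lines in the thread:
#   <server>/<name>/<TimeDateStamp:08X><SizeOfImage:x>/<name>
SYMSRV = "http://msdl.microsoft.com/download/symbols"


def pe_image_key(data: bytes) -> str:
    """Symbol-server key of a PE image: TimeDateStamp (8 hex digits) + SizeOfImage (hex)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    (_machine, _nsections, timestamp, _symtab, _nsyms,
     opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 60:
        raise ValueError("unexpected optional header")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset in PE32 and PE32+
    return f"{timestamp:08X}{size_of_image:x}"


_TS = re.compile(r"^\s*([0-9A-Fa-f]{1,8})\s+time date stamp", re.M)
_SZ = re.compile(r"^\s*([0-9A-Fa-f]{1,8})\s+size of image", re.M)


def key_from_dumpbin(text: str) -> str:
    """Same key from `dumpbin /headers` output; the first 'time date stamp' is the file header's."""
    ts, sz = _TS.search(text), _SZ.search(text)
    if not ts or not sz:
        raise ValueError("dumpbin output lacks time date stamp / size of image")
    return f"{int(ts.group(1), 16):08X}{int(sz.group(1), 16):x}"


def symsrv_locations(name: str, key: str, cache_root: str):
    """(URL to fetch from msdl, path dbghelp expects inside a local downstream store)."""
    url = f"{SYMSRV}/{name}/{key}/{name}"
    cache = "\\".join((cache_root, name, key, name))
    return url, cache


def build_pe(timestamp: int, size_of_image: int) -> bytes:
    """Constructed header-only PE32 image, just enough for pe_image_key(); not loadable."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                            # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed dumpbin excerpt matching the two lines quoted above.
DUMPBIN_SAMPLE = """\
        49901D48 time date stamp Mon Feb 09 17:40:48 2009
           B2000 size of image
"""

if __name__ == "__main__":
    key = pe_image_key(build_pe(0x3B8EB869, 0xAF000))
    print(key, *symsrv_locations("ntdll.dll", key, "c:\\symbols"))
    print(key_from_dumpbin(DUMPBIN_SAMPLE))
```

Run against a real file, `pe_image_key(open(path, "rb").read())` gives the same value as the dumpbin route, and a 404 on the resulting URL is the "not found" the SYMSRV lines report for 3B8EB869af000.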
Thanks raj…

I compiled WlseTestOne.exe on the target machine itself using MS VC++ as a Debug project (AFAIK the compiler should insert the debugging info into the executable itself).

Anyway, as you can see, on the host (where windbg runs) it seems this debugging info is not available… how can I fix this?

The normal practice that should be followed is to compile on the host (the
machine that runs the debugger, also called the development machine) and
experiment in the target, viz. the VPC you are using.

This is recommended because if and when you graduate to a level of
writing critical system drivers that can potentially hose the
operating system, you will not be left with ashes instead of your
source code.

Make it a habit to follow recommended practices; learn the rules well
so you know how to break them properly.

My normal setup is like this:

I make a directory called symbols in some root directory, like f:\symbols.

I point that directory to the symbol server via _NT_SYMBOL_PATH:

C:\>set _nt_sy
_NT_SYMBOL_PATH=SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

This is for the host.

In the target, if it is a VPC, I share the folder f:\symbols and
one more folder, say c:\sharedwithvm, where I tend to copy the compiled stuff:

C:\>wmic logicaldisk get providername , caption /format:list

Caption=Z:
ProviderName=\F:\SYMBOLS

and set the local _NT_SYMBOL_PATH in the VPC:

C:\>set _nt_sy
_NT_SYMBOL_PATH=SRV*Z:\ (no network access)

Sometimes, for an OS for which I don't have symbols cached in f:\symbols, I
set _NT_SYMBOL_PATH like below, so that if I run an lkd session inside the
VPC the host automatically fetches the symbols:

C:\>set nt
_NT_SYMBOL_PATH=SRV*Z:*http://msdl.microsoft.com/download/symbols

This probably entails that f:\symbols on the host has write access from the
virtual environment, which might introduce a security hole, so use it with
caution:

C:\>copy con z:\cianf.txt
hello cianf
^Z
1 file(s) copied.

C:\>

C:\>type f:\SYMBOLS\cianf.txt
hello cianf

C:\>

Now, when compiling, I normally do not use VS projects and go for
compiling and linking with cl directly, giving args as needed:

C:\Documents and Settings\Admin\My Documents\Visual Studio 2008\Projects\WsleTestOneAndTwo>cl /Zi WsleTestModOne.cpp /link /release
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

WsleTestModOne.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:WsleTestModOne.exe
/debug
/release
WsleTestModOne.obj

C:\Documents and Settings\Admin\My Documents\Visual Studio 2008\Projects\WsleTestOneAndTwo>

Now I either drag-drop the exe to the VPC or copy the exe to
c:\sharedwithvm and run it in the VPC.

Why share when I can drag-drop? Because when I need to use the
same exe on several OS / VM / service packs, either serially or
running in parallel, I can simply use one path:

C:\Documents and Settings\Admin\My Documents\Visual Studio 2008\Projects\WsleTestOneAndTwo>copy WsleTestModOne.exe c:\sharedwithvm. /y
1 file(s) copied.

C:\Documents and Settings\Admin\My Documents\Visual Studio 2008\Projects\WsleTestOneAndTwo>

Run the executable directly from the network share, like y:\compiled.exe:

kd> g
SXS: BasepSxsCreateFileStream()
NtOpenFile(??\y:\WsleTestModOne.exe.Manifest) failed
Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
001b:7c90120e cc int 3
kd> .process /p /r
Implicit process is now ffb1f020
.cache noforcedecodeptes done
Loading User Symbols

kd> kb
ChildEBP RetAddr Args to Child
0012ff6c 00401041 00350000 0012ffc0 0040137c ntdll!DbgBreakPoint
0012ff78 0040137c 00000001 00332ee0 00332f08 WsleTestModOne!main+0x41
[c:\documents and settings\admin\my documents\visual studio
2008\projects\wsletestoneandtwo\wsletestmodone.cpp @ 23]
0012ffc0 7c817067 0000000a 0013f918 7ffdf000
WsleTestModOne!__tmainCRTStartup+0xfb
[f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 266]
0012fff0 00000000 004013d3 00000000 78746341 kernel32!BaseProcessStart+0x23

Beware: these practices may not be secure enough.

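The two `_NT_SYMBOL_PATH` values above differ in one detail that decides where files get written: `SRV*Z:\` names a single store that is only read, while `SRV*Z:*http://...` makes `Z:` a downstream store that dbghelp fills from the server. Added example, not code from the thread: a small parser for the `srv*`, `cache*` and plain-directory elements of a symbol path that lists the write targets, plus a check that maps guest drive letters through the share table from the wmic output (`Z:` to `F:\SYMBOLS`) to show which host folders a guest session would write into. The share mapping and the sample paths are taken from the messages above; the function names are assumptions, and the parser deliberately covers only those three element kinds.

```python
def parse_symbol_path(symbol_path: str) -> list:
    """Split a symbol path into elements.

    Each element is {"kind": "srv" | "cache" | "dir", "stores": [...], "source": ...}.
    In an srv* element every entry before the last is a downstream store that
    dbghelp writes into; the last entry is the upstream source and is only read.
    A single-entry srv* element (the `SRV*Z:\\` form above) is therefore a read-only
    lookup, and `cache*dir` names a store that is always written.
    """
    elements = []
    for raw in symbol_path.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("*")
        kind = parts[0].lower()
        if kind == "srv":
            entries = parts[1:]
            if not entries or not entries[-1]:
                raise ValueError(f"srv element without a store: {raw!r}")
            elements.append({"kind": "srv",
                             "stores": entries[:-1],
                             "source": entries[-1]})
        elif kind == "cache" and len(parts) == 2 and parts[1]:
            elements.append({"kind": "cache", "stores": [parts[1]], "source": None})
        else:
            # plain directory (or anything this parser does not model): read only
            elements.append({"kind": "dir", "stores": [], "source": raw})
    return elements


def write_targets(symbol_path: str) -> list:
    """Every location the debugger will create files in, in path order."""
    return [store for el in parse_symbol_path(symbol_path) for store in el["stores"]]


def host_folders_written_by_guest(guest_symbol_path: str, drive_map: dict) -> list:
    """Resolve the guest's write targets through its mapped drives.

    drive_map is {"Z:": "F:\\SYMBOLS"}-style, as `wmic logicaldisk` reports it.
    Returns the host folders a guest debugger session would write into.
    """
    hits = []
    for store in write_targets(guest_symbol_path):
        drive = store[:2].upper()
        if len(drive) == 2 and drive[1] == ":" and drive in drive_map:
            hits.append(drive_map[drive])
    return hits


# The three paths and the share table as they appear in the messages above.
HOST_PATH = "SRV*F:\\symbols*http://msdl.microsoft.com/download/symbols"
GUEST_OFFLINE = "SRV*Z:\\"
GUEST_ONLINE = "SRV*Z:*http://msdl.microsoft.com/download/symbols"
SHARES = {"Z:": "F:\\SYMBOLS"}

if __name__ == "__main__":
    for label, path in (("host", HOST_PATH), ("guest offline", GUEST_OFFLINE),
                        ("guest online", GUEST_ONLINE)):
        print(label, "writes to:", write_targets(path),
              "host folders:", host_folders_written_by_guest(path, SHARES))
```

Whatever a guest drops into that downstream store is what the host debugger later maps as a symbol file, which is the hole being warned about; the read-only `SRV*Z:\` form avoids it at the cost of the guest not being able to fetch anything the host has not already cached.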