rep: How to debug/set break point when driver starts

Looks like it's not an image file for a WDM driver and the driver loader
failed to get the correct entry point. Make sure you have a DriverEntry
function defined.


Have you built this driver with the normal WDK environment,
or with something else (Visual C, makefile, etc.)?
–pa
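pa's diagnosis is that the kernel loader never found a usable entry point in cspdrv.sys. The header fields that decide this can be checked statically before the file is ever loaded. The script below is an added example for this thread, not code from the poster, from OSR or from any Microsoft tool: it parses the DOS, PE, optional and section headers of a 32-bit (PE32) image, matching the x86 target in the thread, and reports what a kernel-mode image must get right: an MZ/PE signature, an i386 machine type, the EXECUTABLE_IMAGE characteristic, a NATIVE (1) subsystem, a non-zero AddressOfEntryPoint, and an entry RVA that falls inside some section. `build_pe32` is a constructed sample that fabricates minimal headers so the script runs without a real driver; the field offsets come from winnt.h.

```python
import struct

# PE constants (from winnt.h)
IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B
IMAGE_SUBSYSTEM_NATIVE = 1              # kernel-mode images use the native subsystem
SECTION_HEADER_SIZE = 40


def check_driver_image(data: bytes) -> list:
    """Return the list of header problems; an empty list means the image
    has the shape the kernel loader expects from a 32-bit WDM driver."""
    problems = []
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return ["missing MZ signature"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return ["missing PE signature"]

    # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if machine != IMAGE_FILE_MACHINE_I386:
        problems.append(f"machine 0x{machine:04x} is not i386")
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        problems.append("IMAGE_FILE_EXECUTABLE_IMAGE not set (object file, not a linked image?)")
    if nsections == 0:
        problems.append("no section headers")

    # IMAGE_OPTIONAL_HEADER32: Magic at +0, AddressOfEntryPoint at +16, Subsystem at +68
    opt_off = e_lfanew + 24
    if opt_size < 96 or opt_off + opt_size > len(data):
        problems.append("optional header missing or truncated")
        return problems
    if struct.unpack_from("<H", data, opt_off)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        problems.append("optional header is not PE32")
        return problems
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    if subsystem != IMAGE_SUBSYSTEM_NATIVE:
        problems.append(f"subsystem {subsystem} is not NATIVE (1)")
    if entry_rva == 0:
        problems.append("AddressOfEntryPoint is 0: no DriverEntry was linked in")

    # Section table follows the optional header; the entry RVA must land in one
    sec_off = opt_off + opt_size
    if sec_off + nsections * SECTION_HEADER_SIZE > len(data):
        problems.append("section table truncated")
        return problems
    in_section = False
    for i in range(nsections):
        _name, vsize, vaddr, rawsize = struct.unpack_from(
            "<8sIII", data, sec_off + i * SECTION_HEADER_SIZE)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            in_section = True
    if entry_rva and not in_section:
        problems.append(f"entry point RVA 0x{entry_rva:x} lies outside every section")
    return problems


def build_pe32(entry_rva, subsystem=IMAGE_SUBSYSTEM_NATIVE, nsections=1):
    """Constructed sample (not a real driver): minimal PE32 headers with
    nsections 0x1000-byte sections starting at RVA 0x1000 and no code."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsections, 0, 0, 0,
                           0xE0, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)  # 0x0100 = 32BIT_MACHINE
    opt = bytearray(0xE0)                                         # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<H", opt, 68, subsystem)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000 * (i + 1), 0x1000,
                    0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)      # CODE|EXECUTE|READ
        for i in range(nsections))
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    # Real use: check_driver_image(open("cspdrv.sys", "rb").read())
    for label, image in [("good", build_pe32(0x1010)),
                         ("no entry point", build_pe32(0)),
                         ("GUI subsystem", build_pe32(0x1010, subsystem=2)),
                         ("entry outside sections", build_pe32(0x5000)),
                         ("not a PE", b"not a PE file")]:
        print(f"{label}: {check_driver_image(image) or 'OK'}")
```

The same fields are printed by `link /dump /headers cspdrv.sys` from a WDK build window; the script only automates the comparison against what a native-subsystem image must look like. An image that passes these checks can still fail later in MmLoadSystemImage for other reasons, so treat a clean result as ruling out the entry-point explanation, not as proof the driver will load.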

On 15-Aug-2011 21:32, xxxxx@hotmail.com wrote:

OK I have a breakpoint at my driver entry. I also have an event on load
module:
Load module cspdrv.sys - enabled - not handled

I proceed with the install of my driver and first break point is at

nt!DebugService2+0x10:
8052e4f4 cc int 3

Presumably that's the Load module event?

then I check to see if my driver is loaded which it is ( both by module
list and disassembly of it)
then I make sure that a breakpoint is set at my driver entry

and then hit go and I get this:

kd> g

*** Fatal System Error: 0x0000007e (0xC0000005,0x805A3271,0xF7A4C9F8,0xF7A4C6F4)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Aug 15 14:20:48.347 2011 (UTC - 4:00)), ptr64 FALSE
Loading Kernel Symbols


Loading User Symbols

Loading unloaded module list

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 805a3271, f7a4c9f8, f7a4c6f4}

Probably caused by : memory_corruption ( nt!MiEnablePagingOfDriver+27 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
80527c0c cc int 3

kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805a3271, The address that the exception occurred at
Arg3: f7a4c9f8, Exception Record Address
Arg4: f7a4c6f4, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!MiEnablePagingOfDriver+27
805a3271 0fb74314 movzx eax,word ptr [ebx+14h]

EXCEPTION_RECORD: f7a4c9f8 -- (.exr 0xfffffffff7a4c9f8)
ExceptionAddress: 805a3271 (nt!MiEnablePagingOfDriver+0x00000027)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014

CONTEXT: f7a4c6f4 -- (.cxr 0xfffffffff7a4c6f4)
eax=00000000 ebx=00000000 ecx=f7a4cb3c edx=edcd4000 esi=00000000 edi=f7a4ccdc
eip=805a3271 esp=f7a4cac0 ebp=f7a4cad0 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!MiEnablePagingOfDriver+0x27:
805a3271 0fb74314 movzx eax,word ptr [ebx+14h]
ds:0023:00000014=???
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000014

READ_ADDRESS: 00000014

FOLLOWUP_IP:
nt!MiEnablePagingOfDriver+27
805a3271 0fb74314 movzx eax,word ptr [ebx+14h]

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 805a4366 to 805a3271

STACK_TEXT:
f7a4cad0 805a4366 edcd4000 805540c0 805540e0 nt!MiEnablePagingOfDriver+0x27
f7a4cc6c 80576595 f7a4ccf0 00000000 00000000 nt!MmLoadSystemImage+0xaae
f7a4cd4c 805769a1 80000924 00000001 00000000 nt!IopLoadDriver+0x371
f7a4cd74 80534ca0 80000924 00000000 867c4640 nt!IopLoadUnloadDriver+0x45
f7a4cdac 805c62c2 f70becf4 00000000 00000000 nt!ExpWorkerThread+0x100
f7a4cddc 80541e82 80534ba0 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!MiEnablePagingOfDriver+27

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4d00d46f

STACK_COMMAND: .cxr 0xfffffffff7a4c6f4 ; kb

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x7E_nt!MiEnablePagingOfDriver+27

BUCKET_ID: 0x7E_nt!MiEnablePagingOfDriver+27

Followup: MachineOwner

I know it has to be my driver, yet the DriverEntry point never gets hit.
Any ideas on how to interpret this?

Bernie


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer