single step exception code

(I'd asked this in the ntdev, probably this is a better place for the same)

Where could I look to get more information on what this means:

Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
001b:007ab669 812f00500000 sub dword ptr [edi],0x5000

thanks
banks

I think that the only thing of any real interest is the last line.
I’ll break it apart as I understand it.

001b:007ab669: I believe that is the address of the instruction that caused the exception
812f00500000: These are the bytes that make up the instruction (not sure what endianness etc…)
sub dword ptr [edi],0x5000: This is the decoded instruction

In this case I would suggest having a look at edi to see if it
contains a valid memory pointer, that seems the most likely error.

Failing that there is also the possibility of the memory containing the
instruction being invalid. This could happen if the page is in
transition and you are running at a raised IRQL.

Richard

On 9/29/05, bank kus wrote:
> (I'd asked this in the ntdev, probably this is a better place for the same)
>
> Where could I look to get more information on what this means:
>
> Single step exception - code 80000004 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> 001b:007ab669 812f00500000 sub dword ptr [edi],0x5000
>
> thanks
> banks
What level of detail are you looking for? Single-step exceptions are
triggered when the single-step flag is set or when a debug register
condition is triggered. You can look in Intel manuals for more
information on all of that.

If you want to look at things in the debuggee you can look at
dr0,dr1,dr2,dr3,dr6 and dr7 to see if any of them are triggering the
single-step. Note that in the case of a dr-triggered single-step the
instruction that triggered things is usually the one before the current
eip value (data hits, the common case, are traps whereas execution hits
are faults).

One other possibility if you’re using breakpoints in multi-threaded code
is that it’s a single-step left over from a debugger operation, in which
case it’s ignorable. It’s hard to know for sure if that’s the case, you
can only go through all other possible causes and rule them out, which
can be tedious.

Drew,
So when I boot to windows using /debug flag, this particular application
starts throwing the exception I mentioned, infinitely. So effectively the
system hangs. If I go to Windbg and in filter events choose IGNORE and NOT
HANDLE (not sure how to do this with the cmd line) single step exceptions,
the application starts.

thanks
banks

Does the app have to do with security in some way? What you describe
sounds like behavior common to programs with anti-debugging code in
them. They set up things so that the program breaks continuously to try
and make it more difficult to debug the program.

It could also just be a faulty program. The interesting instruction to
look at would be whatever executed before the point where this exception
occurred. If that’s something that’s popping flags it may be popping
garbage and thus setting the single-step flag. Also, as I mentioned,
check the dr register values to see if a debug break has been enabled.
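
The register check suggested in the two replies above, as an added example that is not part of the original thread: a C decoder for DR6/DR7 that classifies a single-step exception (code 80000004) as coming from the trap flag, an execution breakpoint or a data breakpoint, and says whether the triggering instruction is the one before eip. The function and type names are hypothetical and the register values in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions follow the Intel SDM description of DR6 and DR7. */
#define DR6_BS (1u << 14)   /* set when the trap came from EFLAGS.TF */

enum cause { CAUSE_NONE, CAUSE_TRAP_FLAG, CAUSE_EXEC_BP, CAUSE_DATA_BP };

struct bp_slot {
    int enabled;    /* L<n> or G<n> is set in DR7 */
    int hit;        /* B<n> is set in DR6 and the slot is enabled */
    unsigned rw;    /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;   /* watched length in bytes */
};

/* Decode all four breakpoint slots and classify the debug exception. */
enum cause decode_single_step(uint32_t dr6, uint32_t dr7, struct bp_slot bp[4])
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };   /* LEN<n> encoding */
    enum cause c = CAUSE_NONE;

    for (int n = 0; n < 4; n++) {
        unsigned ctl = (dr7 >> (16 + 4 * n)) & 0xF;   /* R/W<n>, LEN<n> */
        bp[n].enabled = ((dr7 >> (2 * n)) & 0x3) != 0;
        bp[n].rw = ctl & 0x3;
        bp[n].len = len_bytes[ctl >> 2];
        /* The CPU may set B<n> for a slot that is not enabled; skip those. */
        bp[n].hit = bp[n].enabled && ((dr6 >> n) & 1);
        if (bp[n].hit)
            c = (bp[n].rw == 0) ? CAUSE_EXEC_BP : CAUSE_DATA_BP;
    }
    if (c == CAUSE_NONE && (dr6 & DR6_BS))
        c = CAUSE_TRAP_FLAG;
    return c;   /* CAUSE_NONE: nothing in DR6 explains the exception */
}

/* Traps report eip after the triggering instruction; faults report it at it. */
int culprit_is_previous_instruction(enum cause c)
{
    return c == CAUSE_DATA_BP || c == CAUSE_TRAP_FLAG;
}

const char *cause_name(enum cause c)
{
    static const char *names[] = { "no recorded cause", "trap flag (TF)",
                                   "execution breakpoint", "data breakpoint" };
    return names[c];
}

int main(void)
{
    /* Constructed values: slot 0 is a 4-byte write watch that has fired. */
    uint32_t dr6 = 0xFFFF0FF1u, dr7 = 0x000D0401u;
    struct bp_slot bp[4];
    enum cause c = decode_single_step(dr6, dr7, bp);

    printf("cause: %s\n", cause_name(c));
    for (int n = 0; n < 4; n++)
        if (bp[n].enabled)
            printf("dr%d: rw=%u len=%u hit=%d\n", n, bp[n].rw, bp[n].len, bp[n].hit);
    printf("look at the instruction %s eip\n",
           culprit_is_previous_instruction(c) ? "before" : "at");
    return 0;
}
```

A result of CAUSE_NONE corresponds to the case described earlier in the thread where no register explains the exception and a leftover debugger single-step is the remaining candidate.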

As an extension to the above, how would an application be able to throw
single step exceptions using a user mode Win32 API?

An app can cause single-step exceptions within itself by either setting
the single-step flag directly or by changing the dr register values. An
app can cause exceptions in other code via SetThreadContext to make such
register modifications elsewhere.

Drew,
So an application that deliberately sets a single step exception on a
system where there is no post mortem user mode debugger nor a kernel
mode debugger attached would ideally put the system in a hang state, correct?
That's what I am seeing with this application, if I have windbg attached and
I say ignore and don't handle single step exception, the debugger moves on so
does the application. But if no debugger is attached, say for example in the
non debug build, then starting this application simply hangs the system.
Could you elaborate on that?

thanks
banks

A user-mode application causing single-step exceptions on a system with
no debuggers will not cause a problem. The normal exception processing
will occur, leading either to the app handling the exception or
terminating.

If the system has a kernel debugger but the process does not have a
user-mode debugger then the exception will be reported via the kernel
debugger, which will pause the machine until the kernel debugger
responds. If the system is not booted with /debug this will not occur.
