stepping inside sysenter int2e

well this is my first real touch with kernel debugging
so sorry if the questions sound naive or lame

i installed microsoft vpc 2004 sp1 and installed a guest os w2k sp4 host is
xp-sp2

total ram available in physical machine = 128 mb
vpc allocated 48 mb ram

set up the vpc as per the white paper from vpc team for kernel debugging
using named pipe at com1 \\.\pipe\debugpipe

added the /debug switch and /debugport=com1 to boot.ini in vpc

started up windbg in host

rebooted the vpc it got connected and all was fine

now i set a bu winmine!winmain

hit g

hoping kd would break when winmine starts up in vpc

it didn't break; tried setting breaks at CreateWindow etc., nothing did really
break

so was looking at documentation found a .breakin and i guessed that could do
the trick

so copied the installer to vpc installed windbg in vpc

fired windbg inside vpc and ran winmine inside it

and tried .breakin

there weren't symbols in vpc so i shared the symbols folder

.breakin does break in host windbg

but the process is set to windbg not my target application (yes
documentation says that implicit process would be user mode debugger not
target application)

so was just hitting t through and stepping around to see and get a feel of
how it is supposed to work

so my question is how can i seamlessly step through both user mode code and
kernel mode code

for example i want to get into the kernel debugger when i step into int 2e
and return back to user mode code when the system service call gets completed

also i had a problem: after i randomly stepped with t i did a g (go) in host
and the windbg in vpc is crashing (possibly it's related to symbols)

event viewer details
The application, , generated an application error The error occurred on
09/10/2006 @ 05:06:40.356 The exception generated was c0000005 at address
02182BEB ()

crash dump loaded in windbg

FAULTING_IP:
dbgeng!ProcessCommandsAndCatch+10b
02182beb 64890d00000000 mov dword ptr fs:[0],ecx

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 02182beb (dbgeng!ProcessCommandsAndCatch+0x0000010b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: ffffffff
Attempt to read from address ffffffff

FAULTING_THREAD: 000001a0

DEFAULT_BUCKET_ID: APPLICATION_FAULT

PROCESS_NAME: windbg.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: ffffffff

BUGCHECK_STR: ACCESS_VIOLATION

LAST_CONTROL_TRANSFER: from 020c9049 to 02182beb

STACK_TEXT:
02c4da1c 020c9049 00239a28 00000000 00000000 dbgeng!ProcessCommandsAndCatch+0x10b
02c4deb4 020c92aa 00239a28 02c4df98 00000002 dbgeng!Execute+0x2b9
02c4dee4 010283bf 00239a30 00000001 02c4df98 dbgeng!DebugClient::ExecuteWide+0x6a
WARNING: Stack unwind information not available. Following frames may be wrong.
02c4df84 0102883b 02c4df90 00000000 00000020 windbg+0x283bf
02c4ffa0 0102aabc 00000000 00000000 00000000 windbg+0x2883b
02c4ffb4 7c4e987c 00000000 00000011 510402b5 windbg+0x2aabc
02c4ffec 00000000 0102a6e0 00000000 00000000 KERNEL32!BaseThreadStart+0x52

hope i am making sense

regards

raj

In order to watch both user and kernel execution in a single debugger
you have to use a kernel debugger, in which case your user-mode debugging
experience is going to be constrained by the limitations of the kernel
debugger (you have to manage process context, deal with paged-out
memory, etc.). It’s usually simpler to have both a user-mode debugger
and a kernel-mode debugger. You set breakpoints on the system routine
that you want to watch on the kernel side in the kernel debugger and do
normal user-mode debugging when the kernel debugger isn’t active.

If you really want to watch kernel/user transitions in the kernel
debugger you have to do extra work since those transitions involve
resetting context state and such (it’s easy to cause problems by
stepping through the transition code). Again, it’s simpler to just set
breakpoints on the kernel routines you’re interested in and let them hit
instead of stepping through all the transition logic.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Sunday, September 10, 2006 11:43 AM
To: Kernel Debugging Interest List
Subject: [windbg] stepping inside sysenter int2e

well this is my first real touch with kernel debugging
so sorry if the questions sound naive or lame

i installed microsoft vpc 2004 sp1 and installed a guest os w2k sp4
host is xp-sp2

total ram available in physical machine = 128 mb
vpc allocated 48 mb ram

set up the vpc as per the white paper from vpc team for kernel debugging

using named pipe at com1 \.\pipe\debugpipe

added the /debug switch and debug port=com1 to boot .ini in vpc

started up windbg in host

rebooted the vpc it got connected and all was fine

now i set a bu Winmine.!winmain

hit g

hoping kd would break when winmine starts up in vpc

it didnt break tried setting breaks at CreateWindow etc nothing did
really break

so was looking at documentation found a .breakin and i guessed that
could do the trick

so copied the installer to vpc installed windbg in vpc

fired windbg inside vpc and ran winmine inside it

and tried .breakin

there werent symbols in vpc so i shared the symbols folder

,breakin does break in host windbg

but the process is set to windbg not my target application (yes
documentation says that implicit process would be user mode debugger not
target application)

so was just hitting t through and stepping around to see and get a feel
of how it is supposed to work

so my question is how can i seamlessly step through both user mode code
and kernel mode code

for example i want to get into kerneldebugger when i step into int 2e
and return back to user mode code when systemservice call gets completed

also i had a problem after i randomly stepped with t i did a g (go) in
host and the windbg in vpc is crashing (possibly its related to symbols)

event viewer details
The application, , generated an application error The error occurred on
09/10/2006 @ 05:06:40.356 The exception generated was c0000005 at
address 02182BEB ()

crash dump loaded in windbg

FAULTING_IP:
dbgeng!ProcessCommandsAndCatch+10b
02182beb 64890d00000000 mov dword ptr fs:[0],ecx

EXCEPTION_RECORD: ffffffff – (.exr ffffffffffffffff)
ExceptionAddress: 02182beb (dbgeng!ProcessCommandsAndCatch+0x0000010b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: ffffffff
Attempt to read from address ffffffff

FAULTING_THREAD: 000001a0

DEFAULT_BUCKET_ID: APPLICATION_FAULT

PROCESS_NAME: windbg.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.

READ_ADDRESS: ffffffff

BUGCHECK_STR: ACCESS_VIOLATION

LAST_CONTROL_TRANSFER: from 020c9049 to 02182beb

STACK_TEXT:
02c4da1c 020c9049 00239a28 00000000 00000000
dbgeng!ProcessCommandsAndCatch+0x10b
02c4deb4 020c92aa 00239a28 02c4df98 00000002 dbgeng!Execute+0x2b9
02c4dee4 010283bf 00239a30 00000001 02c4df98
dbgeng!DebugClient::ExecuteWide+0x6a
WARNING: Stack unwind information not available. Following frames may be
wrong.
02c4df84 0102883b 02c4df90 00000000 00000020 windbg+0x283bf
02c4ffa0 0102aabc 00000000 00000000 00000000 windbg+0x2883b
02c4ffb4 7c4e987c 00000000 00000011 510402b5 windbg+0x2aabc
02c4ffec 00000000 0102a6e0 00000000 00000000
KERNEL32!BaseThreadStart+0x52

hope i am making sense

regards

raj

— You are currently subscribed to windbg as: xxxxx@winse.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

On 9/11/06, Drew Bliss wrote:
>
> In order to watch both user and kernel execution in a single debugger you
> have to use a kernel debugger, in which case your user-mode debugging experience is
> going to be constrained by the limitations of the kernel debugger (you have
> to manage process context, deal with paged-out memory, etc.).
>

basically i am not that much interested in seeing user mode code at all.
i was wanting to step into the transition logic (i have used the erstwhile
softice some long time back, siwnt4.05 in w2k for a few hours).
i was looking to see an almost similar stepping experience

for example, if i single stepped inside int 2e (there wasn't a sysenter then)
softice would hop me through nt, hal, and whatever and then get me back to
somewhere when it hits iretd (for example if i set a bp on
TranslateMessageA, though it will get hit innumerable times, i can zero in
on when it was hit by my application; i think it would show me the name of the
app or context, don't remember well, but i believe i have stepped through this
transition logic earlier)

i was really wanting to get a similar experience with windbg

> It’s usually simpler to have both a user-mode debugger and a kernel-mode
> debugger. You set breakpoints on the system routine that you want to watch
> on the kernel side in the kernel debugger and do normal user-mode debugging
> when the kernel debugger isn’t active.
>

does that mean i run user mode debugger inside vpc and kernel mode
debugger in host ??
if so i should have to set up a copy of symbols for guest os inside vpc too
??

yeah i tried setting break on nt!PspCreateProcess in host and running
winmine under a debugger on vpc and host kd broke promptly

i did k and i saw ntdll!ZwCreateProcess in the stack

but setting a break on it in kd didn’t break

could you please elaborate a little on how could i do it ?

> If you really want to watch kernel/user transitions in the kernel
> debugger you have to do extra work since those transitions involve resetting
> context state and such (it’s easy to cause problems by stepping through the
> transition code).
>

extra work :) no problem, i am not bound by some time constraints to get this
all done by day before yesterday and ship it yesterday.
i've got all night to do it and vpc can save the state so i can continue
from where i left even after a few days of interval i think.
so is it possible that i get a few pointers on a straight simple

masm snippet that has

; push the service arguments on the stack
mov eax, ServiceNumber   ; system service number
mov edx, esp             ; pointer to the argument stack
int 2eh                  ; enter the kernel through the int 2e gate
db 0EBh, 0FEh            ; jmp $ : infinite loop back in user mode

and stepping through it in both user mode as well as kernel mode

i should start at mov eax,service number
and end at the infinite loop back in user mode
all single stepped not run

> Again, it’s simpler to just set breakpoints on the kernel routines you’re
> interested in and let them hit instead of stepping through all the
> transition logic.
>

simpler doesn’t always attract bees and ants

and thanks a lot for your reply though i can understand and possibly stare
at the enormity of the task which you are trying to stress
i would like to attempt it in spite of the risks

thanks and regards

raj

There are many special cases, and behavior varies from Windows version
to Windows version, but in general you can’t just step into a system
call with kd. On x86 the debugger uses the single-step flag for
stepping and the kernel will turn off that flag on the system service
transition (otherwise there would be a way to disturb the kernel from
user-mode). SoftIce took over certain low-level dispatching and I
assume that’s how they got around this; kd does not do anything like
that and cannot provide the same behavior.

That means you have to fall back on setting breakpoints. You can set
breakpoints in the system service dispatch routines, but you have to be
extremely careful. I can’t give you full details on the operation of
system service dispatch, but I believe if you search around on the Web
you can probably find detailed discussions.

From kd you would set breakpoints in the kernel routines, not in ntdll.
For example, if your application is calling CreateFile you would set a
kernel breakpoint on nt!NtCreateFile to see the call once it reached the
kernel (post system-service dispatch).

If you run a user-mode debugger in the VPC you will need symbols
accessible from in the VPC for that debugger.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Sunday, September 10, 2006 11:56 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] stepping inside sysenter int2e

On 9/11/06, Drew Bliss wrote:

In order to watch both user and kernel execution in a single
debugger you have to use a kernel, in which case your user-mode
debugging experience is going to be constrained by the limitations of
the kernel debugger (you have to manage process context, deal with
paged-out memory, etc.).

basically i am not that much interested in seeing user mode code at all
i was wanting to step into the transition logic (i have used the
erstwhile softice some long time back (siwnt4.05 in w2k for a few hours)

i was looking too see almost similar stepping experience

for example if i single stepped inside int 2e(there wasn’t a sysenter
then)
softice would hoop me thorough nt,hal,and whatever and then get me back
to some where when it hits iretd (for example if i set a bp
TranslateMessageA) though it will get hit innumerable times i can zero
in when it was hit by my application ( i think it would show me the name
of the app or context don’t remember well but i believe i have stepped
through this transition logic earlier)

i was really wanting to get a similar experience with windbg

It’s usually simpler to have both a user-mode debugger and a
kernel-mode debugger. You set breakpoints on the system routine that
you want to watch on the kernel side in the kernel debugger and do
normal user-mode debugging when the kernel debugger isn’t active.

does that mean i run user mode debugger inside vpc and kernel mode
debugger in host ??
if so i should have to set up a copy of symbols for guest os inside vpc
too ??

yeah i tried setting break on nt!PspCreateProcess in host and running
winmine under a debugger on vpc and host kd broke promptly

i did k and i saw ntdll!ZwCreateProcess in the stack

but setting a break on it in kd didn’t break

could you please elaborate a little on how could i do it ?

If you really want to watch kernel/user transitions in the
kernel debugger you have to do extra work since those transitions
involve resetting context state and such (it’s easy to cause problems by
stepping through the transition code).

extra work :slight_smile: no problem i am not bound by some time constraints to get
this all done by day before yesterday and ship it yesterday
ive got all night to do and vpc can save the state so i can continue
from where i left even after a few days of interval i think
so is it possible that i get a few pointers on a straight simple

masm snippet that has

set up stack
mov eax,Servivce Number
mov edx,stack
int 2e
db 0xeb
db 0xfe

and stepping through it in both user mode as well as kernel mode

i should start at mov eax,service number
and end at the infinite loop back in user mode
all single stepped not run

Again, it’s simpler to just set breakpoints on the kernel
routines you’re interested in and let them hit instead of stepping
through all the transition logic.

simpler doesn’t always attract bees and ants

and thanks a lot for your reply though i can understand and possibly
stare at the enormity of the task which you are trying to stress
i would like to attempt it in spite of the risks

thanks and regards

raj

— You are currently subscribed to windbg as: xxxxx@winse.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The real problem is this.

Windbg can’t step into/thru or in any way actively “debug” kernel mode code on
the same box. I suppose looking at stuff is a form of debugging and it can do
that in the local kernel debug mode. And that’s about ALL you can do other
than monkey with memory values.

Did you ever wonder why softice always had a dos text mode display? You can’t
have a gui while the kernel is halted and since the kernel is one process, you
pretty much have to freeze the whole thing while debugging.
All of the display code for softice was contained in softice…

Did you ever use the GUI version of softice ? Visual Softice - guess what only
worked on a link. And wouldn’t ya know their link could be tricky to set up too.

Since windbg can’t debug a user mode process on the kernel link, you’re out of
luck there too.

Jim Donelson

On 9/12/06, Drew Bliss wrote:

> There are many special cases, and behavior varies from Windows version to
> Windows version, but in general you can’t just step into a system call with
> kd. On x86 the debugger uses the single-step flag for stepping and the
> kernel will turn off that flag on the system service transition (otherwise
> there would be a way to disturb the kernel from user-mode). SoftIce took
> over certain low-level dispatching and I assume that’s how they got around
> this; kd does not do anything like that and cannot provide the same
> behavior.
>

thanks for the explanation. i was believing kernel debugging means stepping
through everything in sight :) and some things that are invisible, just like
you step through an application with a user mode debugger

>
> That means you have to fall back on setting breakpoints. You can set
> breakpoints in the system service dispatch routines, but you have to be
> extremely careful. I can’t give you full details on the operation of system
> service dispatch, but I believe if you search around on the Web you can
> probably find detailed discussions.
>

so basically i need to know what could happen and plan for those events,
and i really can't know what would/could happen because i don't know what
exists in the path and have no way of knowing them by experimenting. basically i
can't run blind :( (i would have liked to run blind anyway; gotta live with
it, it seems)

just out of curiosity i did
bp nt!PspCreateProcess
and then when kd broke did a wt (watch); oh boy, it never stops,
it just keeps on spitting nt!ExDupHandle, nt!ExLookupableEntry,
doesn't respond to ctrl+break, can't do anything, had to crash it :)

so i should know that nt!PspCreateProcess may at some time give control to
nt!NtCreateProcess and should set up an advance break
on the return so that i can possibly expect a break; so it's back to
disassembly and guesswork

> From kd you would set breakpoints in the kernel routines, not in ntdll.
> For example, if your application is calling CreateFile you would set a
> kernel breakpoint on nt!NtCreateFile to see the call once it reached the
> kernel (post system-service dispatch).
>

yep i can find details about system service dispatch.
in fact i already broke on nt!KiSystemService several times and have crashed
the windbg, explorer etc. in vpc :) trying to find information on setting
conditional breakpoints if it is possible,
like break if readmem at the stack pointer matches under strnicmp (.printf
"%y\n", poi(esp+##), "myrequired unicode string")

> If you run a user-mode debugger in the VPC you will need symbols
> accessible from in the VPC for that debugger.
>

yep shared the folder in host pc via mapping

i run host kd with windbg -y d:\fooomsdl.…\ -k
in vpc i have shared the d:\folder to Z: and set up the _NT_SYMBOL_PATH variable pointing to z:\fooo
msdl.…
ok back to topic

i do this in kd on host

!process 0 0 winmine.exe

.process /p /r ffde#####

results in
implicit process now set to
cacheforceduser done
loading user symbols

kd> now looking for winmine functions with
x winmine!* displays a list of functions

setting a bp like
bp winmine!TrackMouse
(just an example i am setting a break on code that i know is part of msgloop
and being hit continuously)
doesn’t lead to any misbehaviours

looking if the bp exists with bl
shows me
0 E ##### (0x12345678)winmine!..

i hit g and kd runs with busy prompt

now is this break active ? where will it get stopped ?
will it require me to set up an AeDebug Entry inside vpc ?
so that windbg inside vpc will catch it ?

if i had actually run this winmine inside vpc’s windbg
and had issued a .breakin to break into kd,
will/should the windbg inside the guest break on resuming the target
with g
and break on the breakpoint set up by kd ?

it looks like i am starting to annoy you all with these inane questions
but i really can't find someone or something that's really authoritative on
these subjects apart from this forum (anyone who talks about windbg on the net
simply parrots what's available in help with a few twisted words of his own
or simply delves into driver debugging with source, bp mydriver!DriverEntry,
and i am not up to that class yet; i am simply trying to understand how i can
do a sourceless, symbol-less debugging from kernel mode using either kd or
windbg or ntsd or cdb)

thanks a lot for your time and clear answers

hope i am not annoying those who are spending their time reading these posts

regards

raj_r

Jim Donelson

no i haven’t used visual softice; the only softice i ever used was
siwnt4.05 in w2k like i stated and i really didn’t like it either,
as i discovered ollydbg while i was playing around and have
stuck with it till date (mostly user mode application debugging like ripping
out malwares, unpacking etc.) for which ollydbg more than meets my
requirements and i do believe i have a good understanding of ollydbg
and can make it dance to my tunes

yes i am a wee bit aware that sice has its own display ?? system
drivers. freezes system does some things invasive and that’s not possible
with kd

just wanting to find some way out and trying to elicit responses which
could help me clear the cobwebs that’s etched back in my memory

thanks for taking time to reply back

regards

raj_r

A kernel debugger such as windbg can debug user-mode code.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jimosr
Sent: Monday, September 11, 2006 7:05 PM
To: Kernel Debugging Interest List
Subject: Re: Re: [windbg] stepping inside sysenter int2e


Drew Bliss wrote:

A kernel debugger such as windbg can debug user-mode code.

That’s true, but it’s not nearly as clean and seamless as it was in
SoftIce, may it rest in peace. Crossing the UM/KM boundary in SoftIce
was just as smooth and painless as stepping into a function call.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yes, it can but not over the *kernel link* (not to be confused with remote
debugging over a tcp connection - which is only good for user mode) where you
are doing the kernel debugging, meaning you can’t step from user mode to
kernel mode on the kernel connection.

Since windbg can’t debug a user mode process on the **kernel link**, you’re
out of luck there too.

On Tue, 12 Sep 2006 09:02:38 -0700, Drew Bliss wrote

A kernel debugger such as windbg can debug user-mode code.


Jim Donelson

“Jimosr” wrote in message news:xxxxx@windbg…
> Yes, it can but not over the kernel link (not to be confused with remote
> debugging over a tcp connection - which is only good for user mode) where
> you
> are doing the kernel debugging, meaning you can’t step from user mode to
> kernel mode on the kernel connection.
>
Sorry, you are incorrect, I have done this for years debugging a service and
the driver for the service. It absolutely has worked with no problems,
though I normally just step to the Win32 call then have a breakpoint on the
driver in question.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

“Tim Roberts” wrote in message news:xxxxx@windbg…
> That’s true, but it’s not nearly as clean and seamless as it was in
> SoftIce, may it rest in peace. Crossing the UM/KM boundary in SoftIce
> was just as smooth and painless as stepping into a function call.

Tim,

It may have been smooth but the number of BSOD’s caused by SoftIce that
I filed bugs on makes me take strong exception that it was painless. Sorry,
but back in the early days when SoftIce was worked on by good people, and
WinDbg was an unwanted child, the praise for SoftIce may have been warranted.
But in the last 4 years or more, SoftIce was a bigger piece of crap than any
other debugger I have ever encountered, GOOD RIDDANCE!!


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

You can debug user-mode code fine using kd and a traditional two-machine
kernel debugging setup. No user-mode debugger is required.

You can’t step directly from user-mode to kernel-mode, true, but you can
certainly do user-mode code debugging.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jimosr
Sent: Tuesday, September 12, 2006 9:33 AM
To: Kernel Debugging Interest List
Subject: RE: Re: [windbg] stepping inside sysenter int2e


I’m losing track of what’s a question and what isn’t among the below,
sorry if I missed some here.

For your question on breakpoints, when you set a user-mode breakpoint
the target (not just the debugger) has to be in the right process
context. In other words, you need to get the target into the process
context where you want to set the breakpoint prior to setting the
breakpoint. You can do this with judicious breakpoints or you can try
.process /i or .pagein /p. !process -1 0 will tell you what process
context the target is in.

For your question on string-based conditionals, you need to use aliases
to do string compares.

as $strlit mystringtext

You can also use as /mu and such to read strings from memory. Then do
the compare with $scmp/$sicmp/$spat.

.if ($scmp("${$strtotest}", "strliteral_or_alias")) { do whatever }
.else { g }
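Tying together Drew's two suggestions (break on nt!NtCreateFile once the call is already in the kernel, and use aliases with $spat for string conditions) and his note that the target itself must be in the right process context, here is an added kd session that is not from the thread or from anyone posting in it. The EPROCESS address and its output line are constructed, the alias name CfName and pseudo-register $t0 are my choices, and the esp+0xc offset assumes the x86 stdcall argument layout at NtCreateFile entry (FileHandle, DesiredAccess, ObjectAttributes) as seen on a 32-bit Windows 2000 target.

```windbg
$$ --- Part 1: get the target (not just the debugger) into winmine's context ---
$$ .process /p /r only changes the debugger's view of memory; a user-mode bp
$$ must be set while the target is itself executing in that process.
kd> !process 0 0 winmine.exe
PROCESS 81a2b3c0  SessionId: 0  Cid: 0234    Peb: 7ffdf000  ParentCid: 03e8   $$ constructed output
    Image: winmine.exe
kd> .process /i 81a2b3c0            $$ /i = invasive: target breaks back in inside winmine
kd> g                               $$ continue; the next break-in is in winmine's context
kd> !process -1 0                   $$ confirm which process the target is in now
kd> .reload /user                   $$ user-mode symbols resolve only from this context
kd> bp winmine!TrackMouse           $$ user-mode bp, now set from the right context
kd> bl                              $$ expect a resolved address, not a deferred (bu) entry

$$ --- Part 2: break on nt!NtCreateFile only when the file name matches ---
$$ x86 stdcall at function entry: [esp]=return, [esp+4]=FileHandle,
$$ [esp+8]=DesiredAccess, [esp+0xc]=POBJECT_ATTRIBUTES.
$$ OBJECT_ATTRIBUTES: +0 Length, +4 RootDirectory, +8 ObjectName (PUNICODE_STRING).
$$ as /msu reads a UNICODE_STRING into an alias; each .block forces alias
$$ expansion after the alias has been (re)defined; gc resumes from a
$$ conditional breakpoint. If ObjectAttributes or ObjectName is NULL the
$$ as /msu read fails, the command aborts and the target simply stays broken in.
kd> bp nt!NtCreateFile "r @$t0 = poi(poi(@esp+0xc)+8); .block { as /msu ${/v:CfName} @$t0 }; .block { .if ($spat(\"${CfName}\", \"*winmine*\")) { .echo matched: ${CfName}; ad /q ${/v:CfName} } .else { ad /q ${/v:CfName}; gc } }"
kd> g
```

$spat is a case-insensitive wildcard match, so the pattern catches the image path however it is cased; swap in $sicmp against an `as $strlit` alias when you need an exact compare instead.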


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Tuesday, September 12, 2006 2:07 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] stepping inside sysenter int2e

On 9/12/06, Drew Bliss wrote:

There are many special cases, and behavior varies from Windows
version to Windows version, but in general you can’t just step into a
system call with kd. On x86 the debugger uses the single-step flag for
stepping and the kernel will turn off that flag on the system service
transition (otherwise there would be a way to disturb the kernel from
user-mode). SoftIce took over certain low-level dispatching and I
assume that’s how they got around this; kd does not do anything like
that and cannot provide the same behavior.

thanks for the explanation i was believing kernel debugging means
stepping through everything in sight :slight_smile: and some things that are
invisible just like you step through an application with an user mode
debugger

That means you have to fall back on setting breakpoints. You
can set breakpoints in the system service dispatch routines, but you
have to be extremely careful. I can’t give you full details on the
operation of system service dispatch, but I believe if you search around
on the Web you can probably find detailed discussions.

so basically i need to know what could happen and plan to those events
and i really cant know what would/could happen because i don’t know what
exists in the path and have no way knowing them by experimenting
basically i cant run blind :frowning: i would have liked to run blind any way
gotta live with it it seems)

just out of curiosity i did
bp nt!pspCreateProcess
and then when kd broke did a wt (watch) oh boy it never stops
it just keeps on spitting nt!ExDupHandle ,nt!ExLookupableEntry
doesn’t respond to ctrl+break cant do nothing had to crash it :slight_smile:

So I should know that nt!PspCreateProcess may at some time give
control to nt!NtCreateProcess and should set up an advance break
on the return so that I can possibly expect a break, so it's back to
disassembly and guesswork.

From kd you would set breakpoints in the kernel routines, not in
ntdll. For example, if your application is calling CreateFile you would
set a kernel breakpoint on nt!NtCreateFile to see the call once it
reached the kernel (post system-service dispatch).

Yep, I can find details about system service dispatch;
in fact I already broke on nt!KiSystemService several times and have
crashed the windbg, explorer etc. in VPC :) Trying to find information on
setting conditional breakpoints, if it is possible,
like break if readmem at the pointer the stack points to < strnicmp (.printf
"%y\n", poi(esp+##), "myrequired unicode string")

If you run a user-mode debugger in the VPC you will need symbols
accessible from in the VPC for that debugger.

Yep, shared the folder in the host PC via mapping.

I run host kd with windbg -y d:\fooomsdl.…\ -k
In VPC I have shared the d:\folder to Z: and set up the _NT_SYMBOL_PATH variable pointing to z:\fooo
msdl.…
OK, back to topic.

i do this in kd on host

!process 0 0 winmine.exe

.process /p /r ffde#####

results in
implicit process now set to
cacheforceduser done
loading user symbols

kd> now looking for winmine functions with
x winmine!* displays a list of functions

Setting a bp like
bp winmine!TrackMouse
(just an example; I am setting a break on code that I know is part of the
msgloop and being hit continuously)
doesn't lead to any misbehaviours.

looking if the bp exists with bl
shows me
0 E ##### (0x12345678)winmine!..

I hit g and kd runs with a busy prompt.

Now, is this break active? Where will it get stopped?
Will it require me to set up an AeDebug entry inside VPC
so that windbg inside VPC will catch it?

If I had actually run this winmine inside VPC's windbg
and had issued a .breakin to break into kd,
will/should the windbg inside the guest break on resuming the target
with g
and break on the breakpoint set up by kd?

It looks like I am starting to annoy you all with these inane questions,
but I really can't find someone or something that's really authoritative
on these subjects apart from this forum (anyone who talks about windbg
on the net simply parrots what's available in help with a few twisted words
of his own, or simply delves into driver debugging with source bp
mydriver!DriverEntry, and I am not up to that class yet; I am simply
trying to understand how I can do sourceless, symbol-less debugging
from kernel mode using either kd or windbg or ntsd or cdb).

thanks a lot for your time and clear answers

hope i am not annoying those who are spending their time reading these
posts

regards

raj_r

Jim Donelson

No, I haven't used Visual SoftICE; the only SoftICE I ever used was
siwnt4.05 in W2K like I stated, and I really didn't like it either,
as I discovered OllyDbg while I was playing around and have
stuck with it till date (mostly user-mode application debugging like
ripping out malware, unpacking etc.), for which OllyDbg more than meets
my requirements, and I do believe I have a good understanding of OllyDbg
and can make it dance to my tunes.

Yes, I am a wee bit aware that SICE has its own display ?? system
drivers, freezes the system, does some things invasive, and that's not
possible with kd.

Just wanting to find some way out and trying to elicit responses which
could help me clear the cobwebs that's etched back in my memory.

thanks for taking time to reply back

regards

raj_r

— You are currently subscribed to windbg as: xxxxx@winse.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
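Added example, not from any message in the thread: one way to get the conditional breakpoint raj asks about above (stop in nt!NtCreateFile only for one process and only for object names that match), built on Drew's advice to break at the kernel service routine rather than in ntdll. A breakpoint on nt!KiSystemService fires for every system call from every process on the box, which is why the guest fell over when raj tried it; filtering at the service routine keeps the stops to the ones wanted. Everything below is assumed rather than taken from the thread's output: an x86 target, the EPROCESS value 0xffb225a0 copied from the !process listing later in the thread (it changes on every boot), the pattern "*winmine*", and the alias name ObjName.

```windbg
$$ Added example, not from the thread. Assumptions: x86 target, EPROCESS
$$ 0xffb225a0 is winmine.exe (re-read it with !process after each boot),
$$ and we want only names containing "winmine".

$$ x86 stdcall frame at the first instruction of nt!NtCreateFile:
$$   poi(esp+0x4)  FileHandle        PHANDLE
$$   poi(esp+0x8)  DesiredAccess     ACCESS_MASK
$$   poi(esp+0xc)  ObjectAttributes  POBJECT_ATTRIBUTES
$$ OBJECT_ATTRIBUTES (32-bit): +0x0 Length, +0x4 RootDirectory,
$$   +0x8 ObjectName (PUNICODE_STRING)
$$ These are user-mode pointers; they are readable only because the
$$ breakpoint fires on the calling thread, inside its own process.

$$ A stale alias from an earlier hit would be substituted into the bp
$$ text while bp parses it, so delete it first.
ad ${/v:ObjName}

$$ @$proc is the EPROCESS of the current (calling) process. The .block
$$ makes ${ObjName} expand when the breakpoint runs, not when bp is typed.
$$ $spat is a case-insensitive wildcard match; gc resumes quietly.
bp nt!NtCreateFile "r $t0 = poi(esp+0xc); .if (@$proc != 0xffb225a0) { gc } .else { .if (@$t0 == 0) { gc } .else { as /msu ${/v:ObjName} poi(@$t0+0x8); .block { .if ($spat(\"${ObjName}\", \"*winmine*\") != 0) { .echo NtCreateFile from winmine, name follows; .echo ${ObjName}; k } .else { gc } } } }"

$$ Confirm it is in place, then run; kd stays silent until winmine opens
$$ something whose name matches.
bl
g
```

`as /msu` reads the UNICODE_STRING structure itself (Length plus Buffer), so the buffer does not have to be NUL-terminated. Later debugger releases also accept `bp /p 0xffb225a0 nt!NtCreateFile "..."` so the debugger does the process filter for you; whether the Windows 2000 target in this thread honours that option I cannot confirm, which is why the `@$proc` test is used instead.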

Yes, it *can* debug a UM application over the *kernel mode* link.

It’s not difficult.

First, you have to get the kernel mode connection working.

Then build your app, and make sure that Windbg can find the pdb that goes
with it.

Launch your app on the target.

Break into KM and switch to a thread that has your app in the stack. The
most convenient way to do this is put a BP in your driver’s IO path the app
is exercising.

.reload /f or .reload /u, or .reload /u app.exe. This will load the UM app
symbols.

Now you can use the debugger to operate on your UM code just like you do on
KM code.

Philip D. Barila

Seagate Technology LLC

(720) 684-1842


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jimosr
Sent: Tuesday, September 12, 2006 10:33 AM
To: “Kernel Debugging Interest List”
Subject: RE: Re: [windbg] stepping inside sysenter int2e

Yes, it can but not over the kernel link (not to be confused with remote
debugging over a tcp connection - which is only good for user mode) where you
are doing the kernel debugging, meaning you can’t step from user mode to
kernel mode on the kernel connection.

Thanks Drew for filtering out and answering the questions.

I was thinking this thread was going to become another classic SICE versus
windbg and didn't reply back earlier.

.process /i was the first thing I tried, but it was erring, and running
through the document it said it was for XP and later; my guest OS is W2K SP4,
so I think that's not going to work.

kd> !process 0 0 winmine.exe
PROCESS ffb225a0 SessionId: 0 Cid: 03ac Peb: 7ffdf000 ParentCid: 0334
DirBase: 00fb7000 ObjectTable: ffaeac68 TableSize: 22.
Image: winmine.exe

kd> lml
start end module name
01000000 0101a000 winmine (pdb symbols)
D:\Borland\debugsymbols\winmine.pdb\37F045DF1\winmine.pdb
77f80000 77ffb000 ntdll (pdb symbols)
D:\Borland\debugsymbols\ntdll.pdb\3E5265273\ntdll.pdb
80400000 805a3a00 nt (pdb symbols)
D:\Borland\debugsymbols\ntoskrnl.pdb\3EE650B31\ntoskrnl.pdb
kd> .process /i ffb225a0
Symbols are wrong or this version of the operating system does not support
this command <---------
kd> .process /p /r ffb225a0
Implicit process is now ffb225a0
.cache forcedecodeuser done
Loading User Symbols

Am I in the right process context after I have done a .process /p /r
ffb225a0??

I hope so; if I ask kd to examine symbols with

x winmine!WinMain it is able to do it.

So I hope my breakpoint somewhere in the msgloop of the target should cause
a break,

but that doesn't look like it is happening.

Don't know how to explain :(

I'll try playing with your conditionals first before coming back.

regards

Wow, that would be cool. I’ll have to try it out.
If there was no driver, couldn’t I just break the debugger and find a thread
in the process?

On Tue, 12 Sep 2006 12:01:09 -0600, Philip.D.Barila wrote


Jim Donelson

.process /p only changes your debugger-side view of things, it doesn’t
change the process context on the target. The target implements the
actual breakpoint behavior so if you set a breakpoint the target itself
has to be in the right process context.

You’re right that Windows 2000 doesn’t support .pagein nor .process /i,
so you’ll have to set a breakpoint and have it hit in the right process.
If you own the UM code you can put a hard break in it to cause the right
kind of break. Otherwise set a kernel breakpoint on a system service
that’s called by the debuggee, the more unique the better, and wait for
a hit in the right context.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Tuesday, September 12, 2006 1:05 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] stepping inside sysenter int2e


On 9/13/06, Drew Bliss wrote:
>
> If you own the UM code you can put a hard break in it to cause the right
> kind of break. Otherwise set a kernel breakpoint on a system service that’s
> called by the debuggee, the more unique the better, and wait for a hit in
> the right context.
>

Well, I don't own the UM code, but forcing a hard break does make it work;
at least I can make it break on WinMain from WinMainCRTStartup from kd.

So to do anything I have to embed hard breaks, remember what I changed, turn it
back on when it's hit.

Thanks for letting me get my first break in kd.

I would have loved it if there were simpler ways to do things.

regards

raj

kd> g
Break instruction exception - code 80000003 (first chance)
winminemod+0x3dd0:
01003dd0 cc int 3
kd> e eip 55
kd> u eip
winminemod+0x3dd0:
01003dd0 55 push ebp
01003dd1 8bec mov ebp,esp
01003dd3 6aff push 0FFFFFFFFh
01003dd5 68c0130001 push offset winminemod+0x13c0 (010013c0)
01003dda 68d03f0001 push offset winminemod+0x3fd0 (01003fd0)
01003ddf 64a100000000 mov eax,dword ptr fs:[00000000h]
01003de5 50 push eax
01003de6 64892500000000 mov dword ptr fs:[0],esp
kd> .relaod /i winmine.exe 1000000
^ Syntax error in ‘.relaod /i
winmine.exe1000000’
kd> .reload /i winmine.exe 1000000

^ Extra character error in ‘.reload /i
winmine.exe 1000000’
kd> .reload /i winmine.exe=1000000
kd> lml
start end module name
01000000 0101a000 winmine (pdb symbols)
D:\Borland\debugsymbols\winmine.pdb\37F045DF1\winmine.pdb
77570000 775a0000 WINMM (pdb symbols)
D:\Borland\debugsymbols\winmm.pdb\3812268F1\winmm.pdb
77b50000 77bd9000 COMCTL32 (pdb symbols)
D:\Borland\debugsymbols\comctl32.pdb\3D5CF0B52\comctl32.pdb
77c70000 77cba000 SHLWAPI (pdb symbols)
D:\Borland\debugsymbols\shlwapi.pdb\3D5CF0C52\shlwapi.pdb
77d30000 77da1000 RPCRT4 (pdb symbols)
D:\Borland\debugsymbols\rpcrt4.pdb\3E77A8A64\rpcrt4.pdb
77f80000 77ffb000 ntdll (pdb symbols)
D:\Borland\debugsymbols\ntdll.pdb\3E5265273\ntdll.pdb
80400000 805a3a00 nt (pdb symbols)
D:\Borland\debugsymbols\ntoskrnl.pdb\3EE650B31\ntoskrnl.pdb
kd> bp winmine!WinMain
kd> bl
0 e 01001420 0001 (0001) winmine!WinMain

kd> g
Breakpoint 0 hit
winmine!WinMain:
01001420 55 push ebp
kd> |.
^ Extra character error in ‘|.’
kd> |
kd> ~
^ Syntax error in ‘~’
kd> .context
User-mode page directory base is 0
kd> .process
Implicit process is now ffab8d60
kd> !process 0 0 winminemod.exe
kd> !process 0 0 winmine.exe
PROCESS ffab8d60 SessionId: 0 Cid: 0138 Peb: 7ffdf000 ParentCid: 0324
DirBase: 0171b000 ObjectTable: fea38bc8 TableSize: 22.
Image: winmine.exe

kd> x winmine!WinMainCRTStartup
01003dd0 winmine!WinMainCRTStartup =
kd> x winmine!WinMain
01001420 winmine!WinMain =
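Added example, not from any message in the thread: the planted int 3 that Drew suggests and raj demonstrates above, written out as the kd commands for a process that is already running (and therefore past WinMain) on the Windows 2000 guest where .process /i is refused, with the restore step so the code runs unmodified afterwards. It also covers the symbol step in Philip Barila's list. Assumed: x86 guest, winmine.exe already running, user symbols reachable from the host, the EPROCESS value 0xffb225a0 and the function winmine!TrackMouse taken from earlier messages (the address changes on every boot; the function was raj's choice of something hit continuously). The saved byte is whatever by() reads at the entry; 0x55 (push ebp) is just the usual prologue.

```windbg
$$ Added example, not from the thread. Assumptions: x86 W2K guest,
$$ winmine.exe running, EPROCESS 0xffb225a0 from !process (re-read it
$$ after every boot), winmine!TrackMouse as a function hit all the time.

$$ 1. Find the process and make kd translate user-mode addresses through
$$    its page tables; /r reloads the user-mode symbols for it.
!process 0 0 winmine.exe
.process /p /r 0xffb225a0
x winmine!TrackMouse

$$ 2. Save the original first byte, then overwrite it with int 3 (0xCC).
$$    The write lands in the physical page behind that address: the page
$$    must be resident (no .pagein on this target) and every other mapping
$$    of the image shares the patched page.
r $t0 = winmine!TrackMouse
r $t1 = by(@$t0)
eb @$t0 cc
u @$t0 L1                         $$ expect: int 3
g

$$ 3. kd stops with "Break instruction exception - code 80000003 (first
$$    chance)" and eip at the patched byte (the trap handler has already
$$    backed eip up over the int 3, as the transcript above shows). The
$$    target itself is now in winmine's context. Put the byte back.
eb @$t0 @$t1
u @$t0 L2                         $$ expect the original prologue again

$$ 4. Drew's point: the target inserts breakpoints, so a kd breakpoint on
$$    a user-mode address goes into whichever process is current when you
$$    type g. Now that is winmine, so plain breakpoints work from here on.
bp winmine!TrackMouse
bl
g
```

Step 4 resumes past the instruction at eip before the new breakpoint is armed, so it fires on the next call rather than immediately. If symbols for the image do not load at step 1, `.reload /f winmine.exe` after the `.process /p /r` forces them, as Philip Barila describes.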

In fairness to windbg, this is a developers tool, not a reverse engineering tool.
The design goal was for devs that have the source code…
“raj_r” wrote in message news:xxxxx@windbg…


I think it has already been mentioned, but, if you have the means and
can actually still get your hands on a copy of SoftICE (either local or
remote), you will easily be able to do this. I use both WinDbg and
SoftICE, and this is one of the few reasons that I still keep SoftICE
around, and WinDbg does not provide a means of doing this in any way
that really matters. That being said, it is much better at most
everything else, and, of course, SoftICE is no more.

MM

>> xxxxx@gmail.com 2006-09-12 05:07 >>>