Well, this is my first real touch with kernel debugging, so sorry if the questions sound naive or lame.
I installed Microsoft VPC 2004 SP1 and installed a guest OS, W2K SP4; the host is XP SP2.
Total RAM available in the physical machine = 128 MB; VPC allocated 48 MB RAM.
I set up the VPC as per the white paper from the VPC team for kernel debugging, using a named pipe at COM1, \.\pipe\debugpipe.
I added the /debug switch and debugport=com1 to boot.ini in the VPC, started up windbg in the host, and rebooted the VPC. It got connected and all was fine.
Now I set a bu winmine!winmain, hit g, hoping kd would break when winmine starts up in the VPC.
It didn't break. I tried setting breaks at CreateWindow etc.; nothing really did break.
So I was looking at the documentation, found a .breakin, and guessed that could do the trick.
So I copied the installer to the VPC, installed windbg in the VPC, fired up windbg inside the VPC, ran winmine inside it, and tried .breakin.
There weren't symbols in the VPC, so I shared the symbols folder.
.breakin does break in the host windbg, but the process is set to windbg, not my target application (yes, the documentation says that the implicit process would be the user-mode debugger, not the target application).
So I was just hitting t through and stepping around to see and get a feel of how it is supposed to work.
So my question is: how can I seamlessly step through both user-mode code and kernel-mode code?
For example, I want to get into the kernel debugger when I step into int 2e, and return back to user-mode code when the system service call gets completed.
Also I had a problem: after I randomly stepped with t, I did a g (go) in the host, and the windbg in the VPC is crashing (possibly it's related to symbols).
event viewer details
The application, , generated an application error The error occurred on
09/10/2006 @ 05:06:40.356 The exception generated was c0000005 at address
02182BEB ()
crash dump loaded in windbg
FAULTING_IP:
dbgeng!ProcessCommandsAndCatch+10b
02182beb 64890d00000000 mov dword ptr fs:[0],ecx
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 02182beb (dbgeng!ProcessCommandsAndCatch+0x0000010b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: ffffffff
Attempt to read from address ffffffff
FAULTING_THREAD: 000001a0
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: windbg.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: ffffffff
BUGCHECK_STR: ACCESS_VIOLATION
LAST_CONTROL_TRANSFER: from 020c9049 to 02182beb
STACK_TEXT:
02c4da1c 020c9049 00239a28 00000000 00000000 dbgeng!ProcessCommandsAndCatch+0x10b
02c4deb4 020c92aa 00239a28 02c4df98 00000002 dbgeng!Execute+0x2b9
02c4dee4 010283bf 00239a30 00000001 02c4df98 dbgeng!DebugClient::ExecuteWide+0x6a
WARNING: Stack unwind information not available. Following frames may be wrong.
02c4df84 0102883b 02c4df90 00000000 00000020 windbg+0x283bf
02c4ffa0 0102aabc 00000000 00000000 00000000 windbg+0x2883b
02c4ffb4 7c4e987c 00000000 00000011 510402b5 windbg+0x2aabc
02c4ffec 00000000 0102a6e0 00000000 00000000 KERNEL32!BaseThreadStart+0x52
Hope I am making sense.
regards
raj
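The symptom described above (user-mode breakpoints never firing, and .breakin landing in the guest's windbg rather than the target) is what a kernel debugger does when its implicit process context is not the process you care about. The following is an added example session of host-side kd commands that switch the context to the target process so that user-mode and kernel-mode breakpoints coexist in the one kernel-debugger session; it is not the poster's transcript and not from the VPC white paper. It assumes winmine.exe is already running inside the guest, that nt and winmine symbols resolve over the shared symbol path, and the EPROCESS address shown as a placeholder is whatever !process prints on the reader's own system.

```windbg
$$ Added example: host-side kernel debugger (windbg -k) session against the W2K guest.
$$ Not the poster's commands; <EPROCESS> below is a placeholder for the address !process prints.

$$ 1. Break into the guest from the host (Ctrl+Break in windbg) instead of running
$$    .breakin from a second windbg inside the guest; that second debugger is what
$$    became the implicit process in the question above.

$$ 2. List the target process; the first column of the PROCESS line is its EPROCESS address.
!process 0 0 winmine.exe

$$ 3. Make that process the implicit context. The /i (invasive) switch tells kd to
$$    resume the machine until winmine is the current process; kd prompts for one g.
.process /i <EPROCESS>
g

$$ 4. The implicit process is now winmine, so its user-mode modules and symbols can be loaded.
.reload /user

$$ 5. User-mode and kernel-mode breakpoints are set from the same session.
$$    The user32 breakpoint is the CreateWindow attempt from the question, now in the right context;
$$    nt!KiSystemService is the int 2e entry point on Windows 2000, so the kernel side of the
$$    system call that follows is caught by the same debugger.
bp user32!CreateWindowExW
bp nt!KiSystemService
g

$$ 6. At the user-mode breakpoint, t steps instruction by instruction; when the thread
$$    executes int 2e the nt!KiSystemService breakpoint fires, and gu (go up) returns
$$    to the caller once the system service completes, i.e. back in user-mode code.
```

Two practical notes on this layout: the second windbg inside the guest is unnecessary once the kernel debugger owns the process context, and removing it also takes away the guest-side dbgeng crash reported above as a variable. Any breakpoint set before .process /i is applied against whatever process happened to be current at break-in time, which is consistent with the "nothing did really break" observation in the question.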