What is ntdll!DbgBreakPoint?

Hi
I am not experienced with WinDbg and kernel mode programming.

I am trying some debugging and whatever I do, I see (for example when attaching to notepad.exe):
ntdll!DbgBreakPoint:
7c901230 cc int 3

I don’t understand what the compiler is trying to tell me. Something wrong?
I only want to see what the function notepad is calling. What must I do when I see ntdll!DbgBreakPoint?

My symbol path is:
C:\WINDOWS\symbols;SRV*C:\MyLocalSymbols*http://msdl.microsoft.com/download/symbols
and
0:001> !sym noisy
noisy mode - symbol prompts on

Thanks…

xxxxx@gmail.com wrote:

> I am not experienced with WinDbg and kernel mode programming.
>
> I am trying some debugging and whatever I do, I see (for example when attaching to notepad.exe):
> ntdll!DbgBreakPoint:
> 7c901230 cc int 3
>
> I don’t understand what the compiler is trying to tell me. Something wrong?
> I only want to see what the function notepad is calling. What must I do when I see ntdll!DbgBreakPoint?

The “compiler” is not telling you anything.

When you attach to a process, the debugger inserts a new thread into
that process to help with the debugging. The first thing that thread
does is force a breakpoint, so that the debugger gets notified that it
has control. That’s what you’re seeing here. The process is halted
because this thread caused a breakpoint. Perfectly normal.

What do you mean by “the function notepad is calling”? Notepad calls
many thousands of functions. If you can be more specific, we might be
able to provide guidance.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I’m not really sure what you’re looking to accomplish. If you’re
looking for something along the lines of a list of all the functions
notepad calls, you might want to give APIMON a try:

http://download.microsoft.com/download/win2000platform/apimon/1.0/nt5/en-us/apimon.exe

This assumes that it still works, which I don’t know, as it is an old
utility that is probably frowned on these days. In the big picture,
it’s not really all that useful in and of itself, but you seem to be new
to this, and it would be an easier way to get started, that might fit
your immediate wants, or at least be a way to begin experimenting.

That being said, as Tim mentioned, if you have something different in
mind, we might be able to help you with that if you could narrow it down
a little bit.

Good luck,

mm


Thank you for the quick answer and sorry for the inattentive question.

When I learned that WinDbg is a kernel-mode “debugger”, I assumed that it can
show all the kernel functions that a process calls while working. So I
attached it to notepad.
I wrote !uniqstack
It showed:
ChildEBP RetAddr
0007feb8 77d4919b ntdll!KiFastSystemCallRet
0007fed8 01002a1b USER32!NtUserGetMessage+0xc
0007ff1c 01007511 NOTEPAD!WinMain+0xe5
0007ffc0 7c816d4f NOTEPAD!WinMainCRTStartup+0x174
0007fff0 00000000 kernel32!BaseProcessStart+0x23

. 1 Id: 5f8.e68 Suspend: 1 Teb: 7ffdd000 Unfrozen
Start: ntdll!DbgUiRemoteBreakin (7c95077b)
Priority: 0 Priority class: 32 Affinity: 1
ChildEBP RetAddr
00bfffc8 7c9507a8 ntdll!DbgBreakPoint
00bffff4 00000000 ntdll!DbgUiRemoteBreakin+0x2d

Total threads: 2

I wrote !analyze -v
It showed:
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***

I don’t understand why it says: “Your debugger is not using the correct
symbols”
and I only want to learn how I can see all (I hope this is not wrong) kernel-mode
functions that a process calls, with WinDbg.
I hope I could explain.

Thanks again…
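Tim’s explanation above is exactly what this listing shows: thread 1 is the break-in thread the debugger injected on attach, and thread 0 is notepad’s own message loop. As an added example (not from anyone in this thread), here is a small Python parser over a WinDbg thread/stack listing of this shape that flags the debugger’s break-in thread so an analyst knows which thread to ignore; the sample input is constructed from the post, with the header line and thread id for thread 0 invented because the post omits them.

```python
import re

# Constructed sample modelled on the !uniqstack output posted in this thread.
# Frame addresses and thread 1 are copied from the post; the header for thread 0
# (which the post omits) is invented so both threads parse the same way.
SAMPLE_LISTING = """\
.  0  Id: 5f8.a44 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
0007feb8 77d4919b ntdll!KiFastSystemCallRet
0007fed8 01002a1b USER32!NtUserGetMessage+0xc
0007ff1c 01007511 NOTEPAD!WinMain+0xe5
0007ffc0 7c816d4f NOTEPAD!WinMainCRTStartup+0x174
0007fff0 00000000 kernel32!BaseProcessStart+0x23

.  1  Id: 5f8.e68 Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: ntdll!DbgUiRemoteBreakin (7c95077b)
      Priority: 0  Priority class: 32  Affinity: 1
ChildEBP RetAddr
00bfffc8 7c9507a8 ntdll!DbgBreakPoint
00bffff4 00000000 ntdll!DbgUiRemoteBreakin+0x2d

Total threads: 2
"""

HEADER = re.compile(r"^[.#\s]*(\d+)\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)", re.I)
START = re.compile(r"Start:\s*(\S+)")
FRAME = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)
# Symbols that only appear on the thread WinDbg injects when it attaches.
BREAKIN_SYMBOLS = {"ntdll!DbgBreakPoint", "ntdll!DbgUiRemoteBreakin"}

def parse_threads(listing):
    """Return one dict per thread: index, thread id, start symbol, frame symbols."""
    threads = []
    for line in listing.splitlines():
        if m := HEADER.match(line):
            threads.append({"index": int(m[1]), "tid": m[3], "start": None, "frames": []})
        elif threads and (m := START.search(line)):
            threads[-1]["start"] = m[1]
        elif threads and (m := FRAME.match(line)):
            threads[-1]["frames"].append(m[3])
    return threads

def is_debugger_breakin(thread):
    """True if the thread's start address or any frame is a debugger break-in symbol."""
    symbols = {sym.split("+")[0] for sym in thread["frames"]}
    if thread["start"]:
        symbols.add(thread["start"].split("+")[0])
    return bool(symbols & BREAKIN_SYMBOLS)

def classify(listing):
    """Map thread index -> 'debugger break-in' or 'application'."""
    return {t["index"]: ("debugger break-in" if is_debugger_breakin(t) else "application")
            for t in parse_threads(listing)}
```

Running `classify(SAMPLE_LISTING)` labels thread 1 as the debugger’s break-in thread and thread 0 as the application’s, which is the thread to switch to (`~0s`) before inspecting what notepad itself is doing.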


When you attach windbg.exe to a user-mode process (here notepad.exe), it acts as a user-mode debugger, so you cannot track the kernel functions.

You need to check the debugger documentation to find out how to set up kernel debugging; you can use windbg.exe or kd.exe as the host kernel debugger.

Thanks,

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of serimc
Sent: Monday, March 10, 2008 03:49 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] What is ntdll!DbgBreakPoint?


serimc wrote:

> When I learn that Windbg is kernel-mode “debugger”, I assume that it
> can show all the kernel functions that a process calls while working.
> So i attached it to notepad.

Windbg CAN be used as a kernel-mode debugger. Here, however, you are
using it as a user-mode debugger. To set breakpoints and do
single-stepping in kernel code, you have to use Windbg from another
computer.

Further, even when doing kernel debugging, it doesn’t show “all the
kernel functions that a process calls while it is working”. That’s not
what a debugger does. You can set a breakpoint to have the system stop
when a particular function is called, but that’s as close as you can get.

I’m guessing you might be more interested in using “Process Monitor”,
the old SysInternals tool. If you Google for it, it’s the first hit.

> I wrote !analyze -v
> It showed:
> *** Your debugger is not using the correct symbols ***
>
> I don’t understand why it says: “Your debugger is not using the
> correct symbols”

Because Windbg is debugging a user-mode process. To do “analyze -v”, it
needs to access kernel data structures, and to find those, it needs to
be doing kernel debugging.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Much better idea than APIMON. I always forget about this one.

mm


Thanks for all answers.
Understood…
