What next after !analyze -v

Hello Experts
As someone who has just started off on developing Windows drivers, I would
like help on how to proceed next after !analyze -v in WinDbg.
I find myself stumped on what to do next, although I have found some very
useful articles on http://www.osronline.com and in the WinDbg help files.
Although I would like to have formal training, my company will not
send me across half the world for ‘just a training’.
My eyes glaze over when I reach the x86 assembly language stuff. Although I
can decipher what each instruction does by using, for instance, the x86
instruction manual, I don’t get the big picture.
Any general ideas on how a comparative newbie can increase his debugging
skills, or some tricks/pointers/resources, would be welcome.
I understand about using this or the Microsoft newsgroups as a valuable
resource.

Warm Regards

Try reading: http://www.microsoft.com/msj/0298/hood0298.aspx


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of driver developer
Sent: Monday, June 18, 2007 2:57 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] What next after !analyze -v

Hello Experts
As someone who has just started off on developing windows
drivers ,I would like help on how to proceed next after !analyze -v in
winDbg
I find myself stumped on what to do next. Although I found
some very useful articles on http://www.osronline.com
http:</http:> and in the Windbg help files.
Although I would like to have a formal training but my company
will not send me across half the world for ‘just a training’
My eyes glaze over when I reach the x86 assembly language stuff
. Although I can decipher what each instruction does by using for
instance x86 instruction manual but I don’t get the big picture.
Any general ideas on how a comparative newbie can increase his
debugging skills or some tricks/pointers/resources would be welcome.
I understand about using this or Microsoft news groups as a
valuable resource

Warm Regards

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

The next step is, after deciding that you are in need of a clue, to cut
and paste the output from analyze -v (with correct symbols of course)
right here on ntdev. We will then roast you for being a noob, and then
take pity on you, and provide suggestions on getting at a root cause.
You can learn a lot by reading the many responses here to various
postings of the “analyze this” sort. You can do the same over on the
Microsoft newsgroup, although it is mildly annoying to those of us who
respond in both to have to deal with duplicate postings.



Well, you can listen to music from dumps after analyze -v :)

http://www.dumpanalysis.org/blog/index.php/2006/10/22/musical-dumps-dump2wave/

Jokes apart, explore that site, its forums and all the old posts there; there is
a lot of good information out there about analysing crash dump files,
by Dmitry Vostokov.


driver developer wrote:

> As someone who has just started off on developing windows drivers ,I
> would like help on how to proceed next after !analyze -v in winDbg
> I find myself stumped on what to do next. Although I found some very
> useful articles on http://www.osronline.com and in the Windbg help files.
> Although I would like to have a formal training but my company will
> not send me across half the world for ‘just a training’

You don’t say what part of the world you are in; the OSR training
classes do occasionally get held in Europe and Asia. Also, if spending
a few weeks’ salary to send you to a class helps you solve a problem in
two weeks instead of six weeks, that’s clearly a net win. The failure
to understand this might explain the sub-par drivers that we see from
certain parts of the world.

> My eyes glaze over when I reach the x86 assembly language stuff .
> Although I can decipher what each instruction does by using for
> instance x86 instruction manual but I don’t get the big picture.

In my view, an understanding of x86 assembler is critical in driver
debugging. There was a perfect example of this over the weekend, when
“rjunk007” posted his !analyze -v of his mirror driver crash. The
analyze clearly showed a “rep movsd” instruction, and it clearly showed
that the esi register was 0. That immediately tells me that he passed a
null pointer as the “copy from” parameter to memcpy.

> Any general ideas on how a comparative newbie can increase his
> debugging skills or some tricks/pointers/resources would be welcome.
> I understand about using this or Microsoft news groups as a valuable
> resource

!analyze -v gives you a huge number of clues. I think it’s fantastic
that analyze now suggests further “windbg” commands you can execute to
explore the problem in more detail. For me, using the debugger to
single-step through working code is a great way to find out how things
are supposed to be working, but again, that’s quite difficult without a
good understanding of x86 assembler.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I agree with Tim - assembler is a must, and most other things (in
particular, single stepping) are kind of difficult without it. That
being said, single stepping is a great way to learn assembler, because
it will unavoidably highlight the rather small subset of x86/x64
assembler that is actually at all common; there are many, many (easily
most) instructions that you can go years and not see in WinDbg. Also,
if you’re going to look at x64, you might want to check out this
material in the WDK about calling convention
(http://msdn2.microsoft.com/En-US/library/ms794533.aspx) early in the
process, because it is quite different than the (otherwise quite
similar) case of x86.

Hope this helps,

mm


Do you know if windbg was able to load the symbols for your driver?

Here is an example of the output of !analyze -v for a driver for which I have the symbols:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ff929144, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f6617aa8, address which referenced memory

Debugging Details:

WRITE_ADDRESS: ff929144 Nonpaged pool expansion

CURRENT_IRQL: 2

FAULTING_IP:
npf!NPF_tap+26 [d:\cvsroot\release_winpcap_4_0_0_755\winpcap\packetntx\driver\read.c @ 404]
f6617aa8 ff4314 inc dword ptr [ebx+0x14]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f6617aa8 to 804e187f

STACK_TEXT:
f9d56c88 f6617aa8 badb0d00 82614000 825f400e nt!KiTrap0E+0x233
f9d56d2c f95d1ad1 ff928000 f9d56d5c 825f4000 npf!NPF_tap+0x26 [d:\cvsroot\release_winpcap_4_0_0_755\winpcap\packetntx\driver\read.c @ 404]
WARNING: Stack unwind information not available. Following frames may be wrong.
f9d56d74 f95d1e33 f9d56d98 005f4000 0000002a
f9d56dac 8057d0f1 82614000 00000000 00000000
f9d56ddc 804f827a f95d1d70 82614000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
npf!NPF_tap+26 [d:\cvsroot\release_winpcap_4_0_0_755\winpcap\packetntx\driver\read.c @ 404]
f6617aa8 ff4314 inc dword ptr [ebx+0x14]

FAULTING_SOURCE_CODE:
400:
401: Cpu = KeGetCurrentProcessorNumber();
402: LocalData = &Open->CpuData[Cpu];
403:
> 404: LocalData->Received++;
405: IF_LOUD(DbgPrint("Received on CPU %d \t%d\n",Cpu,LocalData->Received);)
406: // Open->Received++; // Number of packets received by filter ++
407:
408: NdisAcquireSpinLock(&Open->MachineLock);
409:

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: npf!NPF_tap+26

MODULE_NAME: npf

IMAGE_NAME: npf.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45b8e659

FAILURE_BUCKET_ID: 0xD1_W_npf!NPF_tap+26

BUCKET_ID: 0xD1_W_npf!NPF_tap+26

Followup: MachineOwner
---------

The line "MODULE_NAME" tells me it's my driver (npf),

and FOLLOWUP_IP tells me the line of code where the fault occurred.

You can force WinDbg to load the proper symbols for your driver (i.e. your .pdb file) by using File -> Symbol File Path.
Also, be sure to have the path of the Microsoft symbol server there, so that WinDbg is able to automatically download the symbols for the OS binaries. Follow the instructions at
http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx to properly configure WinDbg for it.

Hope it helps
GV

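Two things in this thread are worth turning into a repeatable check: GV's reading of the !analyze -v fields (MODULE_NAME, IMAGE_NAME, FAULTING_IP, STACK_TEXT) and Tim's point that the faulting instruction together with the referenced address tells you which register held the bad pointer and whether it was NULL. The script below is an added example written for this page; it is not code from the thread, from OSR or from WinPcap. It parses a trimmed copy of GV's npf.sys output (embedded as constructed test input), lists the stack frames that belong to the blamed module (the place to start when the faulting frame is in somebody else's driver), and for an explicit [reg+disp] operand computes the register value as fault address minus displacement, flagging values below 0x10000 as NULL-plus-offset (that threshold is my heuristic, not something the thread states). For implicit-operand string instructions such as Tim's rep movsd it can only name the registers (esi/edi); their values have to be read from the trap frame (.trap, then r).

```python
"""Triage helper for WinDbg "!analyze -v" output. Added example for this
thread, not code from the thread, OSR or WinPcap. It reads the fields GV's
post points at and applies Tim Roberts' register reasoning to FAULTING_IP."""
import re
from dataclasses import dataclass

HEX = r"[0-9a-fA-F]+"
NEAR_NULL = 0x10000  # heuristic (my assumption): Windows never maps the lowest 64K of an address space
# Constructed test input: the npf.sys output from the thread, trimmed to the fields read below.
SAMPLE = r"""DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: ff929144, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f6617aa8, address which referenced memory
WRITE_ADDRESS: ff929144 Nonpaged pool expansion
FAULTING_IP:
npf!NPF_tap+26 [d:\cvsroot\release_winpcap_4_0_0_755\winpcap\packetntx\driver\read.c @ 404]
f6617aa8 ff4314 inc dword ptr [ebx+0x14]
STACK_TEXT:
f9d56c88 f6617aa8 badb0d00 82614000 825f400e nt!KiTrap0E+0x233
f9d56d2c f95d1ad1 ff928000 f9d56d5c 825f4000 npf!NPF_tap+0x26 [d:\cvsroot\release_winpcap_4_0_0_755\winpcap\packetntx\driver\read.c @ 404]
WARNING: Stack unwind information not available. Following frames may be wrong.
f9d56d74 f95d1e33 f9d56d98 005f4000 0000002a
f9d56ddc 804f827a f95d1d70 82614000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

MODULE_NAME: npf
IMAGE_NAME: npf.sys
"""

@dataclass
class Analysis:
    bugcheck: str
    code: int
    args: list            # Arg1..Arg4 as integers
    fault_address: int    # READ_ADDRESS / WRITE_ADDRESS, 0 if the output has neither
    faulting_symbol: str  # e.g. "npf!NPF_tap+26"
    faulting_insn: str    # e.g. "inc dword ptr [ebx+0x14]"
    module: str           # MODULE_NAME: the module !analyze blamed
    image: str
    stack: list           # (return address, symbol) per frame; symbol "" if unresolved

def parse_analyze(text):
    """Pull the triage-relevant fields out of raw !analyze -v text."""
    head = re.search(r"^([A-Z][A-Z0-9_]+) \((%s)\)$" % HEX, text, re.M)
    acc = re.search(r"^(?:READ|WRITE)_ADDRESS:\s+(%s)" % HEX, text, re.M)
    ip = re.search(r"^FAULTING_IP:\s*\n(\S+)[^\n]*\n%s\s+%s\s+(.+)$" % (HEX, HEX), text, re.M)
    stack = []  # the "WARNING: Stack unwind ..." line does not match the frame pattern
    for line in re.search(r"^STACK_TEXT:\s*\n(.*?)\n\s*\n", text, re.M | re.S).group(1).splitlines():
        f = re.match(r"^%s (%s) (?:%s\s*){3}(.*)$" % (HEX, HEX, HEX), line)
        if f:
            stack.append((int(f.group(1), 16), f.group(2).split()[0] if f.group(2).strip() else ""))
    return Analysis(head.group(1), int(head.group(2), 16),
                    [int(a, 16) for a in re.findall(r"^Arg\d: (%s)" % HEX, text, re.M)],
                    int(acc.group(1), 16) if acc else 0, ip.group(1), ip.group(2).strip(),
                    re.search(r"^MODULE_NAME:\s+(\S+)", text, re.M).group(1),
                    re.search(r"^IMAGE_NAME:\s+(\S+)", text, re.M).group(1), stack)

def suspect_frames(a):
    """Symbols of the frames that belong to the blamed module."""
    return [sym for _, sym in a.stack if sym.startswith(a.module + "!")]

MEM_OPERAND = re.compile(r"\[([er]?[a-z]{2}|r\d{1,2}[dwb]?)\s*(?:([+-])\s*(0x%s|%sh?))?\]" % (HEX, HEX))
STRING_OPS = {"movs": "esi (source) / edi (destination)", "cmps": "esi / edi",
              "lods": "esi (source)", "stos": "edi (destination)", "scas": "edi (destination)"}

def bad_pointer_register(insn, fault_address):
    """For an explicit [reg], [reg+disp] or [reg-disp] operand, return (register, value
    it must have held, displacement); None for implicit (string) or scaled-index operands."""
    m = MEM_OPERAND.search(insn)
    if m is None:
        return None
    reg, sign, disp = m.groups()
    # WinDbg prints displacements in hex, as 0x14 or 14h depending on its settings
    value = int(disp[2:] if disp.startswith("0x") else disp.rstrip("h"), 16) if disp else 0
    if sign == "-":
        value = -value
    return reg, (fault_address - value) & 0xFFFFFFFFFFFFFFFF, value

def explain_fault(a):
    """The short triage note a human would write from the same output."""
    notes = ["%s (0x%X) at %s: %s" % (a.bugcheck, a.code, a.faulting_symbol, a.faulting_insn)]
    if a.code == 0xD1 and len(a.args) == 4:  # for 0xD1: Arg2 = IRQL, Arg3 = 0 read / 1 write
        notes.append("IRQL %d %s of %#010x" % (a.args[1], "write" if a.args[2] else "read", a.args[0]))
    info = bad_pointer_register(a.faulting_insn, a.fault_address)
    if info and info[1] < NEAR_NULL:
        notes.append("%s = %#x: NULL (or near-NULL) pointer, field at offset %#x" % info)
    elif info:
        notes.append("%s = %#x (fault address minus displacement %#x): non-NULL, see what it points at" % info)
    else:
        regs = next((r for op, r in STRING_OPS.items() if op in a.faulting_insn), None)
        if regs:
            notes.append("string instruction, implicit registers %s: read them from the trap frame; "
                         "a zero register means a NULL pointer reached the memcpy/memset-style caller" % regs)
    notes.append("frames in %s: %s" % (a.image, ", ".join(suspect_frames(a)) or "none (check symbols)"))
    return notes

if __name__ == "__main__":
    print("\n".join(explain_fault(parse_analyze(SAMPLE))))
```

On GV's output this reports ebx = 0xff929130, which matches the source shown in FAULTING_SOURCE_CODE: ebx is LocalData and Received sits at offset 0x14. The pointer is not NULL, so the next question is why that nonpaged-pool-expansion address was invalid at IRQL 2 (!pool or !pte on it), not where a NULL came from. A near-NULL result instead points straight at an unchecked pointer, and the displacement tells you which structure member was being touched.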

If you’re interested in doing assembly level debugging then I’d start by writing some code (any code) then disassembling it and starting to learn how to read it. It’s a very helpful ability. Once you learn the common patterns you will find it even more readable - just like learning any language.

-p


Thanks everyone for the pointers.

One point that everyone tells me is that I should learn x86/x64 assembly
language.
Apart from the (Intel) manuals, are there any books I could use? Of course
Google is always an option.
The difficulty we sometimes face is that we know that the crash must have been
due to my driver, but the actual crash occurs in, say, usbhub.sys due to
some issue in my driver. So doing a back trace in assembly up to my driver
seems very difficult.

Tim, I am in India and I have not noticed any Windows driver training by OSR
and others.
There is a business opportunity for OSR folks in India, but they will have
to price it differently here. The companies will not pay, say, $2500 for
training because that is 3 to 4 times the monthly salary of a developer, and
Windows drivers is just another line of work to them.
Can Indian readers tell me how good this training is?
http://www.kicit.com/onlinecourses/drivers/ddcontents.asp

Warm Regards


> There is a business opportunity for OSR folks in India but they will have
> to price it differently here .The companies will not pay say 2500 $ for
> training because that is 3 to 4 times the monthly salary of a developer and
> windows drivers is just another line of work to them .

This means - no business opportunity. Lowering the training costs will result
in the airline travel costing more than the revenues :)


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

I think it was Peter who mentioned something along the lines of writing
something (anything) and then disassembling it. I concur on this as the
best way to start to learn x86/x64 assembler. There may be books out
there; there very well may not be any that are actually in print; I
really don’t know. In any case, as I seriously doubt that the one that
Peter Norton wrote is still kicking, I don’t have anything else to tell
you.

mm



driverdeveloper1 wrote:

> There is a business opportunity for OSR folks in India but they
> will have to price it differently here .The companies will not
> pay say 2500 $ for training because that is 3 to 4 times the
> monthly salary of a developer and windows drivers is just
> another line of work to them .

The real opportunity, then, is back here in the states where properly trained developers can bid on projects to rewrite malfunctioning drivers which were written by people working for $625 a month.