WinDbg extension question

Hi everyone!

I want to implement collection of the real time execution trace of a program. For that I would
like to be able to set a breakpoint at entry point of every function in the program.
Can somebody please give an advice and may be a code sample on how it can be done in
WinDbg extension.
My intention was to traverse the symbol table and for every symbol which is in the .text
section I would get an address of the symbol. Obviously this would be an address of the
first instruction of the function. After that all I need to do is to insert a breakpoint at that
address. Unfortunately I could not find proper facilities offered by WinDbg extensions to be
able that (except setting breakpoint at address - that is available).
Does anybody has any idea on how it can be done?

Every bit of help will be greatly appreciated.
Thanks

You might want to exercise caution while adding breakpoints by enumerating symbols. If you inadvertently insert breakpoint on thunks or data, you could bring down the process. Anyway, you might have already given this some thought.

I would suggest http://debuginfo.com website in general and http://debuginfo.com/examples/src/EnumSymbols.cpp link in particular as a reference. Also, if it is feasible for you to add this instrumentation at compile time, I think newer versions of visual studio compilers provide an option to add prolog and epilog instrumentaion (You could add a build configuration that would include this compile time option). In my opinion that is the easiest way to add execution tracing to a program.

Kamala
-------------- Original message --------------
From: Yan Brenman

Hi everyone!

I want to implement collection of the real time execution trace of a program. For that I would
like to be able to set a breakpoint at entry point of every function in the program.
Can somebody please give an advice and may be a code sample on how it can be done in
WinDbg extension.
My intention was to traverse the symbol table and for every symbol which is in the .text
section I would get an address of the symbol. Obviously this would be an address of the
first instruction of the function. After that all I need to do is to insert a breakpoint at that
address. Unfortunately I could not find proper facilities offered by WinDbg extensions to be
able that (except setting breakpoint at address - that is available).
Does anybody has any idea on how it can be done?

Every bit of help will be greatly appreciated.
Thanks
— You are currently subscribed to windbg as: xxxxx@comcast.net To unsubscribe send a blank email to xxxxx@lists.osr.com

I would concur with Kamala about doing this either at build time (-Gh (_penter); -GH (_pexit)), or otherwise perhaps by instrumenting the code itself with some macros. In both cases, I would probably add a global variable to enable or disable tracing, and this could be set either by conditional compilation, and/or by WinDbg. What you are trying to do with symbol enumeration will not work unless you disambiguate function and data. This is a lot of work; build time instrumentation is much, much easier, and achieves, I think, the same effect.

-Gh is semi-documented, but all it does is call a function named _penter (that you must supply) immediately upon entry to every function; -GH calls _pexit just prior to returning from a function. In the case of _penter, keep in mind that is really is called right away, before normal prolog code, so you have to account for this, depending on what you do. If all you want is a break point, then you could call the __debugbreak intrinsic. The potential issue here is what this very nonstandard stack frame might do to confuse WinDbg; I don’t know. Also, you must preserve and restore and registers that you use so that the normal prolog code, which will be called after _penter returns, finds what it is expecting.

-Gh/-GH can get quite messy at times, mostly due to the interaction with the normal prolog. If you don’t wish to use this approach, then a similar effect can be achieved by inserting a suitable macro as the first statement in a function; in this case, however, the expansion of the macro will execute after the prolog.

If you wish to go the symbol route, then you will want to look at IDebugSymbols in the WinDbg documentation. Note that this documentation is quite incomplete, fairly unclear, and parts of it just do not function as one might expect. In particular, I do not know how much there is in the way of accessible information about symbol type from the IDebugSymbols point of view. Actually, I’m sure it’s there, but if I recall correctly, it is returned in the form of some packed string separated by ‘*,’ and it’s not documented. In general, the DbgEng interfaces, while very powerful, would fairly be described, based on the documentation, as quirky and incomplete.

mm

===
You might want to exercise caution while adding breakpoints by enumerating symbols. If you inadvertently insert breakpoint on thunks or data, you could bring down the process. Anyway, you might have already given this some thought.

I would suggest http://debuginfo.com http:</http:> website in general and http://debuginfo.com/examples/src/EnumSymbols.cpp http: link in particular as a reference. Also, if it is feasible for you to add this instrumentation at compile time, I think newer versions of visual studio compilers provide an option to add prolog and epilog instrumentaion (You could add a build configuration that would include this compile time option). In my opinion that is the easiest way to add execution tracing to a program.

Kamala

-------------- Original message --------------

From: Yan Brenman

Hi everyone!

I want to implement collection of the real time execution trace of a program. For that I would

like to be able to set a breakpoint at entry point of every function in the program.

Can somebody please give an advice and may be a code sample on how it can be done in

WinDbg extension.

My intention was to traverse the symbol table and for every symbol which is in the .text

section I would get an address of the symbol. Obviously this would be an address of the

first instruction of the function. After that all I need to do is to insert a breakpoint at that

address. Unfortunately I could not find proper facilities offered by WinDbg extensions to be

able that (except setting breakpoint at address - that is available).

Does anybody has any idea on how it can be done?

Every bit of help will be greatly appreciated.

Thanks

— You are currently subscribed to windbg as: xxxxx@comcast.net To unsubscribe send a blank email to xxxxx@lists.osr.com

—

You are currently subscribed to windbg as: xxxxx@evitechnology.com To unsubscribe send a blank email to xxxxx@lists.osr.com</http:>

if you are planning on windbg dependent analysis
check out if
pc,pct,ph,pt,tb,tc,tct,th,tt,wt extension are of any use to you they
are all conditional stepping and almost every one of them inserts
temporary one shot break points that are deleted when hit (be aware
that this can be a crawling tortoise experiment)
pc = step till next call
pct = step till next call or till next return
ph = step till next branching instruction viz ja jae jne jnz jmp jecxz etc
and so on

you can script too with these commands and pass counts to each of them

since you are talking about symbols in .text area i assume you are
meaning only export symbols

if that is the case you could try bm * (do not load pdb symbols use
-sins commandline parameter if you have _NT_SYMBOL_PATH set

i believe someone from windbg team mentioned some constraints about
the maximum number of breakpoints that could be set with bm is limited
to a miniscule nos (20 max i believe in kernel mode)

but i have set about ~4000 breakpoints in user mode and it used to
work the few times i had the need for such brainless brawn tracing

an example below on cdb -sins cdb

3282 e 7807dc00 0001 (0001) 0:**** RPCRT4!NdrServerCall
3283 e 7807f29c 0001 (0001) 0:**** RPCRT4!pfnSizeRoutines
3284 e 7807f2a0 0001 (0001) 0:**** RPCRT4!pfnFreeRoutines
3285 e 7807f2a4 0001 (0001) 0:**** RPCRT4!pfnMarshallRoutines
3286 e 7807f2a8 0001 (0001) 0:**** RPCRT4!pfnUnmarshallRoutines
0:000> g
Breakpoint 677 hit
eax=0006fab8 ebx=7ffdf000 ecx=00000004 edx=77f6eb10 esi=7ffdf000 edi=00000000
eip=77f76836 esp=0006f990 ebp=0006fb2c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlInitUnicodeString:
77f76836 57 push edi
0:000> g
Breakpoint 69 hit
eax=0006fab8 ebx=7ffdf000 ecx=0000001e edx=0006fab8 esi=7ffdf000 edi=00000000
eip=77f5419e esp=0006f98c ebp=0006fb2c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ntdll!RtlQueryEnvironmentVariable_U:
77f5419e 6a34 push 34h

and you could disable register display and add commandline strings
for example -x “g;”

do a .logopen c:\foo.txt and go away to another computer and do some other work
and come back after some time and view the log file for a nice traced aoutput
call wise

see a .prompt_allow display of break points hit

0:000> g
Breakpoint 47 hit
0:000> g
Breakpoint 47 hit
0:000> g
Breakpoint 47 hit
0:000> g
Breakpoint 47 hit
0:000> .prompt_allow -reg -dis +sym
Allow the following information to be displayed at the prompt:
(Other settings can affect whether the information is actually displayed)
sym - Symbol for current instruction
ea - Effective address for current instruction
src - Source info for current instruction
Do not allow the following information to be displayed at the prompt:
dis - Disassembly of current instruction
reg - Register state
0:000> g
Breakpoint 47 hit
ntdll!RtlEqualUnicodeString:

and so on

regards

raj_r

On 9/14/07, Yan Brenman wrote:
> Hi everyone!
>
> I want to implement collection of the real time execution trace of a
> program. For that I would
> like to be able to set a breakpoint at entry point of every function in the
> program.
> Can somebody please give an advice and may be a code sample on how it can be
> done in
> WinDbg extension.
> My intention was to traverse the symbol table and for every symbol which is
> in the .text
> section I would get an address of the symbol. Obviously this would be an
> address of the
> first instruction of the function. After that all I need to do is to insert
> a breakpoint at that
> address. Unfortunately I could not find proper facilities offered by WinDbg
> extensions to be
> able that (except setting breakpoint at address - that is available).
> Does anybody has any idea on how it can be done?
>
> Every bit of help will be greatly appreciated.
> Thanks — You are currently subscribed to windbg as:
> xxxxx@gmail.com To unsubscribe send a blank email to
> xxxxx@lists.osr.com

If you want a lib and sample code for reading symbols, get a copy of “Debugging Applications” by John Robbins .
I have the second edition, but it looks like the third edition includes this as well.
There is even source code for a mini debugger.
It can be had used for about 30.00 on Amazon. There is even a chapter on Windbg, but it is for user mode.