Windbg samples and HEALER problems?

Hello

I have been experimenting with the HEALER sample and came up with these questions:

  1. I have adjusted HEALER’s AddBp() to print the address of the added
     breakpoint.
  2. I have added some messages to Breakpoint() for when GetVersionBp or
     GetVersionExBp are reached, such as:

Print("Breakpoint(): GetVersion() caller return address is: %08X\n",
      (ULONG) ReturnOffset);

Now we are displaying the return address of the caller.

  3. I created a simple t3.cpp file as:

#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main()
{
    // First the plain API that HEALER breakpoints.
    printf("GetVersion()=%08X\n", GetVersion());

    // Then the Ex variant, through a zeroed OSVERSIONINFOA with its size set.
    OSVERSIONINFOA ovia = {0};
    ovia.dwOSVersionInfoSize = sizeof(ovia);

    if (::GetVersionExA(&ovia))
    {
        printf("GetVersionEx() -> Build=%08X/%d Major=%d Minor=%d\n",
               ovia.dwBuildNumber, ovia.dwBuildNumber,
               ovia.dwMajorVersion, ovia.dwMinorVersion);
    }
    getch();    // keep the console open until a key is pressed
    return 0;
}

4. I run healer.exe as:

healer.exe -y srv*C:\websymbols*http://msdl.microsoft.com/download/symbols -v -ver 1.2.3 -plat 1.2.3 C:\Experiments\test1\Debug\t3.exe

5. Now here’s HEALER’s output:

HEALER: Executable ‘t3.exe’ loaded at 400000
HEALER: AddBp(): Added breakpoint for ‘kernel32!GetVersion’ @ 00000000
HEALER: AddBp(): Added breakpoint for ‘kernel32!GetVersionExA’ @ 00000000
HEALER: DLL ‘ntdll.dll’ loaded at 7c900000
HEALER: DLL ‘C:\WINDOWS\system32\kernel32.dll’ loaded at 7c800000
HEALER: breakpoint(): GetVersionEx() caller return address is: 7C816D4F
HEALER: Breakpoint(): GetVersion() caller return address is: 00411EA0
GetVersion()=0A280105
HEALER: breakpoint(): GetVersionEx() caller return address is: 00411EA0
GetVersionEx() -> Build=00000A28/2600 Major=5 Minor=1
HEALER: Breakpoint() at return address of GetVersion(), eip=00411EA0
HEALER: GetVersion returns 80000201
HEALER: GetVersionEx returns 80000201

6. Do you notice how AddBp() says that the breakpoint address for GetVersion()
is 0x00000000? The same for GetVersionExA.

7. Notice also how the line:
HEALER: Breakpoint(): GetVersion() caller return address is: 00411EA0
suggests that the caller’s return address is 0x411EA0. This return address is
the return address of main() and not the caller of GetVersion()! (If you look
at t3.cpp.)

8. Per the t3.cpp source code, when the output:
GetVersionEx() -> Build=00000A28/2600 Major=5 Minor=1
is reached, this means that GetVersionEx() has already executed and
returned…

But notice how HEALER reports afterwards:

HEALER: Breakpoint() at return address of GetVersion(), eip=00411EA0
HEALER: GetVersion returns 80000201
HEALER: GetVersionEx returns 80000201

Which suggests that (7) is true, since HEALER thinks that the return address
of the caller of GetVersion() is main().

Can anyone comment please?
How can I have HEALER compute the correct return address of the GetVersion()
callers, which are 0x4131AD and 0x413166 in my case?

9. To fix (6) I had to delay adding these breakpoints until after
kernel32.dll is loaded…
Notice the new partial output:
HEALER: Executable ‘t3.exe’ loaded at 400000
HEALER: DLL ‘ntdll.dll’ loaded at 7c900000
HEALER: DLL ‘C:\WINDOWS\system32\kernel32.dll’ loaded at 7c800000
HEALER: AddBp(): Added breakpoint for ‘kernel32!GetVersion’ @ 7C8114AB
HEALER: AddBp(): Added breakpoint for ‘kernel32!GetVersionExA’ @ 7C812851
HEALER: ReturnAddress of GetVersionEx() caller is: 7C816D4F
HEALER: ReturnAddress of GetVersion() caller is: 00411EA0
GetVersion()=0A280105
HEALER: ReturnAddress of GetVersionEx() caller is: 00411EA0
GetVersionEx() -> Build=00000A28/2600 Major=5 Minor=1
...

Regards,
Elias

  1. When the breakpoints are added the debugger can’t resolve them, thus
    they are set as deferred breakpoints. They will not have an address
    until they can be resolved, which will be later when kernel32 loads.
    This is expected behavior.

  2. It’s most likely that the stack trace is skipping a frame. The
    simplest way to check this is to run your app with the full debugger and
    set a breakpoint on GetVersionExA. See what ‘k’ says when that
    breakpoint is hit. If it’s also missing a frame try stepping through
    the prologue and then doing a ‘k’. It’ll probably be correct then. You
    could modify healer to do these steps if it matters enough.
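The frame skip that the reply suspects, as an added example that is not code from the original thread or from the HEALER sample: a small Python model of the 32-bit stack at the instant a breakpoint on kernel32!GetVersion fires. At the first instruction of the callee, `call` has pushed the return address but `push ebp / mov ebp, esp` has not run yet, so EBP still points at main()'s frame and [EBP+4] is the address main() returns to, while [ESP] holds the real caller. The two addresses 0x411EA0 and 0x4131AD are taken from the post's output; the stack addresses, the initial EBP, and the assumption that the callback's `ReturnOffset` comes from an EBP-chain walk are constructed for the model.

```python
# Added example, not part of the original thread or the HEALER sample.
# Models a 32-bit x86 stack around a function-entry breakpoint to show why a
# frame-pointer (EBP) walk reports the wrong return address before the callee's
# prologue runs, while [ESP] already holds the correct one.
# Addresses 0x411EA0 / 0x4131AD come from the post; everything else is constructed.

WORD = 4  # 32-bit x86: return addresses and saved EBPs are 4 bytes


class X86Stack:
    """Tiny word-addressed stack model with ESP and EBP."""

    def __init__(self, esp, ebp):
        self.mem = {}       # address -> 32-bit value (constructed, not real memory)
        self.esp = esp
        self.ebp = ebp

    def push(self, value):
        self.esp -= WORD
        self.mem[self.esp] = value

    def read(self, addr):
        return self.mem[addr]

    def call(self, return_address):
        """`call target`: the CPU pushes only the return address."""
        self.push(return_address)

    def prologue(self):
        """Standard frame setup: push ebp / mov ebp, esp."""
        self.push(self.ebp)
        self.ebp = self.esp


def return_address_via_ebp(stack):
    """What an EBP-chain walker reports as the current frame's return address:
    the word at [EBP+4]. Only right once the callee's prologue has executed."""
    return stack.read(stack.ebp + WORD)


def return_address_via_esp(stack):
    """At a function-entry breakpoint the return address is the word at [ESP]."""
    return stack.read(stack.esp)


# From the post: where main() returns to, and main()'s call site of GetVersion().
MAIN_RETURNS_TO = 0x00411EA0
MAIN_CALLS_GETVERSION = 0x004131AD


def breakpoint_scenario():
    """Replay the post: CRT startup calls main(), main() sets up its frame and
    calls GetVersion(); the breakpoint fires on GetVersion's first instruction.

    Returns (ebp_walk_at_entry, esp_at_entry, ebp_walk_after_prologue)."""
    st = X86Stack(esp=0x0012FF80, ebp=0x0012FFC0)   # constructed initial ESP/EBP
    st.call(MAIN_RETURNS_TO)            # CRT startup: call main
    st.prologue()                       # main: push ebp / mov ebp, esp
    st.call(MAIN_CALLS_GETVERSION)      # main: call GetVersion  -> breakpoint here

    ebp_walk_at_entry = return_address_via_ebp(st)   # skips a frame: main's return
    esp_at_entry = return_address_via_esp(st)        # true caller of GetVersion

    st.prologue()                       # GetVersion's own prologue
    ebp_walk_after_prologue = return_address_via_ebp(st)   # now correct
    return ebp_walk_at_entry, esp_at_entry, ebp_walk_after_prologue


if __name__ == "__main__":
    entry_ebp, entry_esp, after_ebp = breakpoint_scenario()
    print("at entry, via EBP walk : %08X  (main's return address)" % entry_ebp)
    print("at entry, via [ESP]    : %08X  (real caller)" % entry_esp)
    print("after prologue, via EBP: %08X" % after_ebp)
```

The same comparison can be made in the full debugger, which is the check the reply recommends: with `bp kernel32!GetVersionExA "dps @esp L1; k; gc"`, the `dps` line shows the word at [ESP] with its symbol, and `k` shows what the frame walk attributes to the first frame; stepping through the prologue before `k` removes the discrepancy if that is the cause.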

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: Tuesday, November 08, 2005 7:49 AM
To: Kernel Debugging Interest List
Subject: [windbg] Windbg samples and HEALER problems?