WinDbg usage - setting breakpoints on API calls

Hello everybody,

I’m still very new to kernel-mode programming and debugging, so this may be
a stupid question. But here goes…

I have set up a VMware virtual machine with Windows XP running on my own
Windows XP box. This VM has a virtual COM1 port configured so that I can
connect to it using a named pipe on the host machine.

The virtual Windows XP is booted with the following options in boot.ini:
/noexecute=optin /fastdetect /debugport=com1 /baudrate=115200

I’m able to connect WinDbg to this VM in kernel-mode fine. I can break into
the debugger, step through the code, watch areas of memory, etc.

The day before yesterday, I was also able to break on API calls, for example
by typing “bp CreateProcessW”. However, when I try that now, I get the
following message: Bp expression ‘CreateProcessW’ could not be resolved,
adding deferred bp. This has the same effect as if I have typed “bu” instead
of “bp”. However, I could create processes on the virtual machine until hell
freezes over, but it just never breaks into the debugger…

The symbol filepath is set to SRV*C:\Symbols*
http://msdl.microsoft.com/download/symbols, and when I take a look in the
C:\Symbols folder, I can indeed find symbol files for kernel32.dll, etc.
When I type “.reload”, the following happens:

kd> .reload
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading User Symbols

Loading unloaded module list

*** WARNING: Unable to verify timestamp for vmx_fb.dll
*** ERROR: Module load completed but symbols could not be loaded for
vmx_fb.dll
*** ERROR: Module load completed but symbols could not be loaded for
hgfs.sys
*** ERROR: Module load completed but symbols could not be loaded for
vmx_svga.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
drmk.sys -
*** ERROR: Module load completed but symbols could not be loaded for
vmxnet.sys
*** ERROR: Module load completed but symbols could not be loaded for
lgtosync.sys
*** ERROR: Module load completed but symbols could not be loaded for
vmmemctl.sys
*** ERROR: Module load completed but symbols could not be loaded for
vmscsi.sys
*** ERROR: Module load completed but symbols could not be loaded for
vmmouse.sys

It’s logical that it can’t find symbols for the VM’s drivers, but notice how
there are no dots under the line “Loading User Symbols”… It’s like it’s
not even trying to load them. When I specifically tell it to load the user
symbols by typing “.reload /user” the same thing happens; it prints “Loading
User Symbols”, is *BUSY* for not even a second, and then just prints an
empty line.

I had so much fun poking around under the hood of Windows XP a few days ago,
and now it won’t work anymore! :( Who can tell me what I am doing wrong?

Thanks in advance,

~ Gerard

CreateProcessW is a routine in a user mode DLL, so you can’t just set a
universal breakpoint in it when you’re hooked up via the kernel debug
connection. You have two choices:

1. Set a breakpoint in an equivalent kernel function (in this case maybe
   nt!NtCreateProcess). This will cause your breakpoint to be hit whenever any
   process calls NtCreateProcess.

2. If you know which particular process calling CreateProcessW you want your
   breakpoint in, you can force WinDBG into that process context and set your
   breakpoint. For example:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****

PROCESS 85bb38e0 SessionId: 0 Cid: 0398 Peb: 7ffdf000 ParentCid: 0308
DirBase: 0c96a000 ObjectTable: 85c6c7e8 TableSize: 319.
Image: explorer.exe

kd> .process /r /p 85bb38e0
Implicit process is now 85bb38e0
.cache forcedecodeuser done
Loading User Symbols

kd> bp kernel32!createprocessw "du poi(@esp+8)"
kd> g
00112a40  "C:\Program Files\Internet Explo"
00112a80  "rer\IEXPLORE.EXE"
KERNEL32!CreateProcessW:
001b:7c4eb252 55 push ebp

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com
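As an added example (this is not part of Scott's reply, nor OSR or Microsoft code), the following Python helper automates the second approach above: it parses the text of a `!process 0 0` dump, picks the EPROCESS address(es) for a given image name, and emits the `.process /r /p` and `bp` commands to paste into kd. The sample dump is constructed for the example; only the explorer.exe entry is modelled on the one shown in the reply, and the iexplore.exe entries, addresses and PIDs are made up. The `du poi(@esp+8)` breakpoint command is the 32-bit one from the reply and assumes an x86 target.

```python
import re
from typing import Dict, List

# Constructed sample of "!process 0 0" output (x86 target). The explorer.exe
# entry follows the one in the reply above; the iexplore.exe entries are made up
# to show that one image name can match several processes.
SAMPLE_DUMP = """**** NT ACTIVE PROCESS DUMP ****
PROCESS 85bb38e0  SessionId: 0  Cid: 0398    Peb: 7ffdf000  ParentCid: 0308
    DirBase: 0c96a000  ObjectTable: 85c6c7e8  TableSize: 319.
    Image: explorer.exe

PROCESS 85c12020  SessionId: 0  Cid: 0548    Peb: 7ffde000  ParentCid: 0398
    DirBase: 0d1a2000  ObjectTable: 85d0f3a8  TableSize:  84.
    Image: iexplore.exe

PROCESS 85a9f7c8  SessionId: 0  Cid: 05f0    Peb: 7ffdd000  ParentCid: 0398
    DirBase: 0e30b000  ObjectTable: 85e1c2d0  TableSize:  61.
    Image: iexplore.exe
"""

# Header line of one PROCESS block. The address class allows the backtick that
# 64-bit kd prints inside pointers (e.g. ffffe001`2a3b4c50).
PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-fA-F`]+)\s+SessionId:\s*(?P<session>\d+)"
    r"\s+Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*(?P<peb>[0-9a-fA-F]+)"
    r"\s+ParentCid:\s*(?P<ppid>[0-9a-fA-F]+)",
    re.MULTILINE,
)
IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>\S+)", re.MULTILINE)


def parse_process_dump(text: str) -> List[Dict[str, object]]:
    """Turn the text of '!process 0 0' into a list of process records."""
    procs: List[Dict[str, object]] = []
    # Split at the start of every line that begins a PROCESS block; the banner
    # and any other noise end up in blocks that fail the header match.
    for block in re.split(r"(?m)^(?=PROCESS\s)", text):
        header = PROCESS_RE.match(block)
        if not header:
            continue
        entry: Dict[str, object] = dict(header.groupdict())
        image = IMAGE_RE.search(block)
        entry["image"] = image.group("image") if image else "?"
        entry["pid"] = int(str(entry["cid"]), 16)  # Cid is a hex PID
        procs.append(entry)
    return procs


def find_processes(procs: List[Dict[str, object]], image_name: str) -> List[Dict[str, object]]:
    """Return every process whose image name matches (case-insensitive)."""
    return [p for p in procs if str(p["image"]).lower() == image_name.lower()]


def breakpoint_commands(eprocess: str,
                        symbol: str = "kernel32!CreateProcessW",
                        bp_command: str = "du poi(@esp+8)") -> List[str]:
    """kd commands that switch into the process context and set the breakpoint.

    '.process /r /p' makes the process the implicit context and reloads its
    user-mode symbols, which is what lets kernel32!... resolve at all.
    """
    return [
        f".process /r /p {eprocess}",
        f'bp {symbol} "{bp_command}"',
        "g",
    ]


if __name__ == "__main__":
    processes = parse_process_dump(SAMPLE_DUMP)
    for proc in find_processes(processes, "iexplore.exe"):
        print(f"; {proc['image']} pid {proc['pid']} (EPROCESS {proc['eprocess']})")
        for cmd in breakpoint_commands(str(proc["eprocess"])):
            print(cmd)
```

Feed it the pasted output of `!process 0 0` instead of the constructed sample and it prints one command group per matching process; when several processes share an image name, run the group for the one you actually want, since the breakpoint only resolves in the context you switch into.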

“Jehjoa” wrote in message news:xxxxx@ntdev…

CreateProcess is a user-mode function, use !bpu for it.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

“Jehjoa” wrote in message news:xxxxx@ntdev…