摘自windbg,当作调试taeget机器的hello word看吧
来源:互联网 发布:淘宝创建店铺流程 编辑:程序博客网 时间:2024/06/05 22:51
Getting Started with WinDbg (Kernel-Mode)
WinDbg is a kernel-mode and user-mode debugger that is included in Debugging Tools for Windows. Here we provide hands-on exercises that will help you get started using WinDbg as a kernel-mode debugger.
For information about how to get Debugging Tools for Windows, see Debugging Tools for Windows (WinDbg, KD, CDB, NTSD). After you have installed the debugging tools, locate the installation directories for 64-bit (x64) and 32-bit (x86) versions of the tools. For example:
- C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64
- C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86
Set up a kernel-mode debugging
A kernel-mode debugging environment typically has two computers: the host computer and thetarget computer. The debugger runs on the host computer, and the code being debugged runs on the target computer. The host and target are connected by a debug cable.
The Windows debuggers support these types of cables for debugging:
- Ethernet
- USB 2.0
- USB 3.0
- 1394
- Serial (also called null modem)
If your target computer is running Windows 8 or later, you can use any type of debug cable, including Ethernet. This diagram illustrates a host and target computer connected for debugging over Ethernet cable.
If your target computer is running a version of Windows earlier than Window 8, then you cannot use Ethernet for debugging; you must use USB, 1394, or serial. This diagram illustrates a host and target computer connected by a USB, 1394, or serial debug cable.
For details about how to set up the host and target computers, see Setting Up Kernel-Mode Debugging Manually.
Establish a kernel-mode debugging session
After you have set up your host and target computer and connected them with a debug cable, you can establish a kernel-mode debugging session by following the instructions in the same topic that you used for getting set up. For example, if you decided to set up your host and target computers for debugging over Ethernet, you can find instructions for establishing a kernel-mode debugging session is this topic:
- Setting Up Kernel-Mode Debugging over a Network Cable Manually
Likewise, if you decided to set up your host and target computers for debugging over USB 2.0, you can find instructions for establishing a kernel-mode debugging session is this topic:
- Setting Up Kernel-Mode Debugging over a USB 2.0 Cable Manually
Get started using WinDbg
- On the host computer, open WinDbg and establish a kernel-mode debugging session with the target computer.
- In WinDbg, choose Contents from the Help menu. This opens the debugger documentation CHM file. The debugger documentation is also available on linehere.
When you establish a kernel-mode debugging session, WinDbg might break in to the target computer automatically. If WinDbg has not already broken in, chooseBreak from the Debug menu.
Near the bottom of the WinDbg window, in the command line, enter this command:
.sympath srv*
The output is similar to this:
Symbol search path is: srv*Expanded Symbol search path is: cache*;SRV*http://msdl.microsoft.com/download/symbols
The symbol search path tells WinDbg where to look for symbol (PDB) files. The debugger needs symbol files to obtain information about code modules (function names, variable names, and the like).
Enter this command, which tells WinDbg to do its initial finding and loading of symbol files:
.reload
To see a list of loaded modules, enter this command:
lm
The output is similar to this:
0:000>3: kd> lmstart end module namefffff800`00000000 fffff800`00088000 CI (deferred) ... fffff800`01143000 fffff800`01151000 BasicRender (deferred) fffff800`01151000 fffff800`01163000 BasicDisplay (deferred) ... fffff800`02a0e000 fffff800`03191000 nt (pdb symbols) C:\...\ntkrnlmp.pdbfffff800`03191000 fffff800`03200000 hal (deferred) ...
To start target computer running, enter this command:
g
To break in again, choose Break from the Debug menu.
Enter this command to examine the _FILE_OBJECT data type in the nt module:
dt nt!_FILE_OBJECT
The output is similar to this:
0:000>0: kd> dt nt!_FILE_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT +0x010 Vpb : Ptr64 _VPB ... +0x0c0 IrpList : _LIST_ENTRY +0x0d0 FileObjectExtension : Ptr64 Void
Enter this command to examine some of the symbols in the nt module:
x nt!*CreateProcess*
The output is similar to this:
0:000>0: kd> x nt!*CreateProcess*fffff800`030821cc nt!ViCreateProcessCallbackInternal (<no parameter info>)...fffff800`02e03904 nt!MmCreateProcessAddressSpace (<no parameter info>)fffff800`02cece00 nt!PspCreateProcessNotifyRoutine = <no type information>...
Enter this command to put a breakpoint at MmCreateProcessAddressSpace:
bu nt!MmCreateProcessAddressSpace
To verify that the breakpoint is set, enter this command:
bl
The output is similar to this:
0:000>0: kd> bu nt!MmCreateProcessAddressSpace0: kd> bl 0 e fffff800`02e03904 0001 (0001) nt!MmCreateProcessAddressSpace
Enter g to let the target computer run.
If the target computer doesn't break in to the debugger immediately, perform a few actions on the target computer (for example, open Notepad). The target computer will break in to the debugger whenMmCreateProcessAddressSpace is called. To see the stack trace, enter these commands:
.reload
k
The output is similar to this:
0:000>2: kd> kChild-SP RetAddr Call Siteffffd000`224b4c88 fffff800`02d96834 nt!MmCreateProcessAddressSpaceffffd000`224b4c90 fffff800`02dfef17 nt!PspAllocateProcess+0x5d4ffffd000`224b5060 fffff800`02b698b3 nt!NtCreateUserProcess+0x55b...000000d7`4167fbb0 00007ffd`14b064ad KERNEL32!BaseThreadInitThunk+0xd000000d7`4167fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
On the View menu, choose Disassembly.
On the Debug menu, choose Step Over (or pressF10). Enter step commands a few more times as you watch the Disassembly window.
Clear your breakpoint by entering this command:
bc *
Enter g to let the target computer run. Break in again by choosingBreak from the Debug menu or pressing CTRL-Break.
To see a list of all processes, enter this command:
!process 0 0
The output is similar to this:
0:000>0: kd> !process 0 0**** NT ACTIVE PROCESS DUMP ****PROCESS ffffe000002287c0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 001aa000 ObjectTable: ffffc00000003000 HandleCount: <Data Not Accessible> Image: SystemPROCESS ffffe00001e5a900 SessionId: none Cid: 0124 Peb: 7ff7809df000 ParentCid: 0004 DirBase: 100595000 ObjectTable: ffffc000002c5680 HandleCount: <Data Not Accessible> Image: smss.exe...PROCESS ffffe00000d52900 SessionId: 1 Cid: 0910 Peb: 7ff669b8e000 ParentCid: 0a98 DirBase: 3fdba000 ObjectTable: ffffc00007bfd540 HandleCount: <Data Not Accessible> Image: explorer.exe
Copy the address of one process, and enter this command:
!processAddress 2
For example: !process ffffe00000d5290 2
The output shows the threads in the process.
0:000>0:000>0: kd> !process ffffe00000d52900 2PROCESS ffffe00000d52900 SessionId: 1 Cid: 0910 Peb: 7ff669b8e000 ParentCid: 0a98 DirBase: 3fdba000 ObjectTable: ffffc00007bfd540 HandleCount: Image: explorer.exe THREAD ffffe00000a0d880 Cid 0910.090c Teb: 00007ff669b8c000 ffffe00000d57700 SynchronizationEvent THREAD ffffe00000e48880 Cid 0910.0ad8 Teb: 00007ff669b8a000 ffffe00000d8e230 NotificationEvent ffffe00000cf6870 Semaphore Limit 0xffff ffffe000039c48c0 SynchronizationEvent ... THREAD ffffe00000e6d080 Cid 0910.0cc0 Teb: 00007ff669a10000 ffffe0000089a300 QueueObject
Copy the address of one thread, and enter this command:
!threadAddress
For example: !thread ffffe00000e6d080
The output shows information about the individual thread.
0: kd> !thread ffffe00000e6d080THREAD ffffe00000e6d080 Cid 0910.0cc0 Teb: 00007ff669a10000 Win32Thread: 0000000000000000 WAIT: ... ffffe0000089a300 QueueObjectNot impersonatingDeviceMap ffffc000034e7840Owning Process ffffe00000d52900 Image: explorer.exeAttached Process N/A Image: N/AWait Start TickCount 13777 Ticks: 2 (0:00:00:00.031)Context Switch Count 2 IdealProcessor: 1 UserTime 00:00:00.000KernelTime 00:00:00.000Win32 Start Address ntdll!TppWorkerThread (0x00007ffd14ab2850)Stack Init ffffd00021bf1dd0 Current ffffd00021bf1580Base ffffd00021bf2000 Limit ffffd00021bec000 Call 0Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5...
To see all the device nodes in the Plug and Play device tree, enter this command:
!devnode 0 1
0:000>0: kd> !devnode 0 1Dumping IopRootDeviceNode (= 0xffffe000002dbd30)DevNode 0xffffe000002dbd30 for PDO 0xffffe000002dc9e0 InstancePath is "HTREE\ROOT\0" State = DeviceNodeStarted (0x308) Previous State = DeviceNodeEnumerateCompletion (0x30d) DevNode 0xffffe000002d9d30 for PDO 0xffffe000002daa40 InstancePath is "ROOT\volmgr\0000" ServiceName is "volmgr" State = DeviceNodeStarted (0x308) Previous State = DeviceNodeEnumerateCompletion (0x30d) DevNode 0xffffe00001d49290 for PDO 0xffffe000002a9a90 InstancePath is "STORAGE\Volume\{3007dfd3-df8d-11e3-824c-806e6f6e6963}#0000000000100000" ServiceName is "volsnap" TargetDeviceNotify List - f 0xffffc0000031b520 b 0xffffc0000008d0f0 State = DeviceNodeStarted (0x308) Previous State = DeviceNodeStartPostWork (0x307)...
To see the device nodes along with their hardware resources, enter this command:
!devnode 0 9
0:000>... DevNode 0xffffe000010fa770 for PDO 0xffffe000010c2060 InstancePath is "PCI\VEN_8086&DEV_2937&SUBSYS_2819103C&REV_02\3&33fd14ca&0&D0" ServiceName is "usbuhci" State = DeviceNodeStarted (0x308) Previous State = DeviceNodeEnumerateCompletion (0x30d) TranslatedResourceList at 0xffffc00003c78b00 Version 1.1 Interface 0x5 Bus #0 Entry 0 - Port (0x1) Device Exclusive (0x1) Flags (0x131) - PORT_MEMORY PORT_IO 16_BIT_DECODE POSITIVE_DECODE Range starts at 0x3120 for 0x20 bytes Entry 1 - DevicePrivate (0x81) Device Exclusive (0x1) Flags (0000) - Data - {0x00000001, 0x00000004, 0000000000} Entry 2 - Interrupt (0x2) Shared (0x3) Flags (0000) - LEVEL_SENSITIVE Level 0x8, Vector 0x81, Group 0, Affinity 0xf...
To see a device node that has a service name of disk, enter this command:
!devnode 0 1 disk
0: kd> !devnode 0 1 diskDumping IopRootDeviceNode (= 0xffffe000002dbd30)DevNode 0xffffe0000114fd30 for PDO 0xffffe00001159610 InstancePath is "IDE\DiskST3250820AS_____________________________3.CHL___\5&14544e82&0&0.0.0" ServiceName is "disk" State = DeviceNodeStarted (0x308) Previous State = DeviceNodeEnumerateCompletion (0x30d)...
The output of !devnode 0 1 displays the address of the physical device object (PDO) for the node. Copy the address of a physical device object (PDO), and enter this command:
!devstackPdoAddress
For example: PdoAddress!devstack 0xffffe00001159610
0:000>0: kd> !devstack 0xffffe00001159610 !DevObj !DrvObj !DevExt ObjectName ffffe00001d50040 \Driver\partmgr ffffe00001d50190 ffffe00001d51450 \Driver\disk ffffe00001d515a0 DR0 ffffe00001156e50 \Driver\ACPI ffffe000010d8bf0
To get information about the driver disk.sys, enter this command:
!drvobj disk 2
0:000>0: kd> !drvobj disk 2Driver object (ffffe00001d52680) is for: \Driver\diskDriverEntry: fffff800006b1270disk!GsDriverEntryDriverStartIo: 00000000DriverUnload: fffff800010b0b5cCLASSPNP!ClassUnloadAddDevice: fffff800010aa110CLASSPNP!ClassAddDeviceDispatch routines:[00] IRP_MJ_CREATE fffff8000106d160CLASSPNP!ClassGlobalDispatch[01] IRP_MJ_CREATE_NAMED_PIPE fffff80002b0ab24nt!IopInvalidDeviceRequest[02] IRP_MJ_CLOSE fffff8000106d160CLASSPNP!ClassGlobalDispatch[03] IRP_MJ_READ fffff8000106d160CLASSPNP!ClassGlobalDispatch...[1b] IRP_MJ_PNP fffff8000106d160CLASSPNP!ClassGlobalDispatch
The output of !drvobj displays addresses of dispatch routines: for example, CLASSPNP!ClassGlobalDispatch. To set and verify a breakpoint at ClassGlobalDispatch, enter these commands:
bu CLASSPNP!ClassGlobalDispatch
bl
Enter g to let the target computer run.
If the target computer doesn't break in to the debugger immediately, perform a few actions on the target computer (for example, open Notepad and save a file). The target computer will break in to the debugger whenClassGlobalDispatch is called. To see the stack trace, enter these commands:
.reload
k
The output is similar to this:
2: kd> kChild-SP RetAddr Call Siteffffd000`21d06cf8 fffff800`0056c14e CLASSPNP!ClassGlobalDispatchffffd000`21d06d00 fffff800`00f2c31d volmgr!VmReadWrite+0x13effffd000`21d06d40 fffff800`0064515d fvevol!FveFilterRundownReadWrite+0x28dffffd000`21d06e20 fffff800`0064578b rdyboost!SmdProcessReadWrite+0x14dffffd000`21d06ef0 fffff800`00fb06ad rdyboost!SmdDispatchReadWrite+0x8bffffd000`21d06f20 fffff800`0085cef5 volsnap!VolSnapReadFilter+0x5dffffd000`21d06f50 fffff800`02b619f7 Ntfs!NtfsStorageDriverCallout+0x16...
To end your debugging session, enter this command:
qd
- 摘自windbg,当作调试taeget机器的hello word看吧
- Windbg 的 即时调试
- WinDbg调试的前因后果
- hibernate的hello word
- QT的"hello word"
- android的Hello word
- python的Hello Word
- python的Hello Word
- Struts2的Hello Word
- WINDBG 调试VMWARE的注意事项
- WinDbg 调试工具的使用
- WinDBG调试asp的Dump
- WinDbg 调试工具的使用
- 机器学习的Hello Word——Softmax Regression识别手写数字
- 驱动程序的调试(windbg双机调试)
- Windbg调试----Windbg入门
- Windbg调试----Windbg入门
- 如何使用windbg看eprocess的结构
- JSP学习(二)------JSP基础知识详解
- python语言学习函数与变量作用域
- docker下的swagger-ui动态一个地址展示多个文档
- 导入文本内容到list control
- Swift版找字体名字
- 摘自windbg,当作调试taeget机器的hello word看吧
- PHP实现多图上传预览~(仿微信)
- 酷划锁屏手机赚钱APP的使用经验分享
- SYBASE 常用 sp_configure
- dfs走迷宫
- Android通讯录、城市选择器列表的实现
- HDU 6199 DP
- Centos7 ffmpeg
- 将hdfs上的数据通过MapReduce上传到hbase上