I am working on an ARMv7 system which has cortex-A7 cores.
With Jlink (via JTAG interface) I can see the ROMTable dumped when started JLinkExe as follows,
AP[1]: APB-AP found
ROMTbl[0][0]: CompAddr: 80050000 CID: B105900D, PID: 004BB906 CTI
ROMTbl[0][1]: CompAddr: 81000000 CID: B105100D, PID: 00A9CC32 ROM Table
ROMTbl[1][0]: CompAddr: 81010000 CID: 00000000, PID: 00000000 ???
ROMTbl[1][1]: CompAddr: 81020000 CID: 00000000, PID: 00000000 ???
ROMTbl[1][2]: CompAddr: 81400000 CID: B105100D, PID: 000BB4A7 ROM Table
ROMTbl[2][0]: CompAddr: 81410000 CID: B105900D, PID: 005BBC07 Cortex-A7
Found Cortex-A7 r0p5
By reading the ARMv7 spec, I found the base address of ROM Table can be read out from DBGDRAR. So I tried that in software. Then I also tried dumping the whole ROM Table from software by reading the physical address of ROM Table, but I got a data abort exception, seemed that the address is NOT accessible.
If it is not accessible, how can I read the ROMTable, or how does JLinkExe get the ROMTable?
Thanks,
Related
I'm trying to pack my Windows Toolchain into a container image. For that, I use WSL2 and Docker. To run Windows binaries, I use Wine. This works for many Windows tools, but unfortunately, gcc does not work:
# in WSL2, Ubuntu 20.04 LTS
jan#host:/mnt/e/gcc-arm-11.2-2022.02-mingw-w64-i686-arm-none-eabi/bin$ wine arm-none-eabi-gcc.exe -v
wine: Unhandled page fault on execute access to 004B3000 at address 004B3000 (thread 0009), starting debugger...
Debug messages:
Unhandled exception: page fault on execute access to 0x004b3000 in 32-bit code (0x004b3000).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063
EIP:004b3000 ESP:012fff24 EBP:012fff48 EFLAGS:00010206( R- -- I - -P- )
EAX:3fff8000 EBX:3ffff000 ECX:012fff74 EDX:012fff74
ESI:00000000 EDI:00000000
Stack dump:
0x012fff24: 004014f2 00000000 c1aacd00 012fff50
0x012fff34: 7b454882 3ffff000 7b454cfc 7b454cfc
0x012fff44: 7b454cfc 012fffd8 7b454cfc 3ffff000
0x012fff54: 004014e0 012fff74 012fff74 00000000
0x012fff64: 00000000 004014e0 3ffff000 00000000
0x012fff74: ffffffff 7b46d850 7b434568 00000000
Backtrace:
=>0 0x004b3000 in arm-none-eabi-gcc (+0xb3000) (0x012fff48)
1 0x7b454cfc in kernel32 (+0x34cfb) (0x012fffd8)
2 0x7b45488e in kernel32 (+0x3488d) (0x012fffec)
0x004b3000: orb 0x0(%eax),%al
Modules:
Module Address Debug info Name (10 modules)
PE 400000- 6fc000 Dwarf arm-none-eabi-gcc
PE 7b020000-7b023000 Deferred kernelbase
PE 7b420000-7b5db000 Export kernel32
PE 7bc30000-7bc34000 Deferred ntdll
PE 7f3e0000-7f3e4000 Deferred imm32
PE 7f610000-7f614000 Deferred version
PE 7f640000-7f644000 Deferred advapi32
PE 7f6d0000-7f6d7000 Deferred gdi32
PE 7f840000-7f928000 Deferred user32
PE 7fa70000-7fa74000 Deferred msvcrt
Threads:
process tid prio (all id:s are in hex)
00000008 (D) Z:\mnt\e\gcc-arm-11.2-2022.02-mingw-w64-i686-arm-none-eabi\bin\arm-none-eabi-gcc.exe
00000029 0
00000009 0 <==
0000000e services.exe
00000023 0
0000001c 0
00000015 0
00000010 0
0000000f 0
00000011 plugplay.exe
00000019 0
00000018 0
00000012 0
00000013 explorer.exe
00000030 0
0000002f 0
0000002c 0
00000014 0
0000001a winedevice.exe
00000020 0
0000001f 0
0000001e 0
0000001d 0
0000001b 0
00000021 winedevice.exe
00000025 0
00000024 0
00000022 0
System information:
Wine build: wine-5.0 (Ubuntu 5.0-3ubuntu1)
Platform: i386
Version: Windows 7
Host system: Linux
Host version: 5.10.60.1-microsoft-standard-WSL2
GCC is from here: https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/downloads-1
Other tools in the directory, like gcov, readelf, etc. don't work either.
Is there anything I can do to track down the issue or is nearly impossible to run a toolchain in Wine?
The reason I have to to use the Windows Version instead the Linux version is that the toolchain is slightly modified by our supplier and Windows only :( But I'd like to avoid to run a Windows Docker Server for one image only, therefore the Wine approach.
I want to get information on a process from Sysinternals' livekd using its process ID. How do I do this?
The documentation for WinDBG's !process command on MSDN (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-process) says,
!process [/s Session] [/m Module] [Process [Flags]]
gives information about the process specified by "Process". The documentation further says,
Process - Specifies the hexadecimal address or the process ID of the process on the target computer.
But try as I might, specifying the PID gives nothing, and I can't see a way to find the hexadecimal address of the process structure for a running process.
For e.g., from Sysinternals' Process Explorer, I see a process with PID 672 backed by svchost.exe, as follows:
But when I use the !process command with the PID 672 or its hexadecimal, 2A0, I get nothing. See below:
0: kd> !process 672
Searching for Process with Cid == 672
Cannot resolve nt!_EPROCESS object type
0: kd> !process 2A0
Searching for Process with Cid == 2a0
Cannot resolve nt!_EPROCESS object type
But !process svchost.exe works (for a some instance of that image that's running):
0: kd> !process svchost.exe
PROCESS ffffdc0a4b49b180
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffff9a0ba4e3ee40 HandleCount: 6664.
Image: System
VadRoot ffffdc0a66ea3200 Vads 58 Clone 0 Private 30. Modified 31341619. Locked 192.
DeviceMap ffff9a0ba4e36360
Token ffff9a0ba4e072b0
ElapsedTime 5 Days 13:59:48.702
I can also use !process ffffdc0a4b49b180 using the information gained from !process svchost.exe, but I want to use the process ID to get this information. How do I do this?
Edit 1: I think that I am setting the symbols correctly, based on information here: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/symbol-path . Please see the output below.
0: kd> .sympath
Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
0: kd> lml
start end module name
fffff804`82200000 fffff804`83246000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
fffff804`a3420000 fffff804`a342d000 LiveKdD (no symbols)
0: kd> !sym noisy
noisy mode - symbol prompts on
0: kd> .reload nt
SYMSRV: BYINDEX: 0xF
c:\symbols\*https://msdl.microsoft.com/download/symbols
ntoskrnl.exe
F05723421046000
SYMSRV: PATH: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe
SYMSRV: RESULT: 0x00000000
DBGHELP: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - OK
DBGENG: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - Mapped image memory
SYMSRV: BYINDEX: 0x10
c:\symbols\*https://msdl.microsoft.com/download/symbols
ntkrnlmp.pdb
1F9BB45B28B806E4D18925C06E924B8C1
SYMSRV: PATH: c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: nt - public symbols
c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
....
Edit 2:
I just discovered that LiveKdD.sys is not getting loaded. I have reinstalled Windows SDK, and uninstalled my antivirus software. That doesn't fix this issue.
But, LivekdD.sys is present in the directory it's trying to load it from. See below.
PS C:\WINDOWS\system32\drivers> dir livekdd.sys
Directory: C:\WINDOWS\system32\drivers
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 24-11-2021 21:53 39272 livekdd.sys
Launching D:\Windows Kits\10\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`75400000 PsLoadedModuleList = 0xfffff807`7602a2d0
Debug session time: Wed Nov 24 22:03:56.831 2021 (UTC + 5:30)
System Uptime: 0 days 0:13:04.851
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................................
Loading User Symbols
..........................................
Loading unloaded module list
............
For analysis of this file, run !analyze -v
0: kd> .tlist notepad.exe
Unable to load image \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS, Win32 error 0n2
0n3176 notepad.exe
As Already commented several times it works
here is an output from livekd
0: kd> .tlist calculator.exe
0n1872 Calculator.exe
0: kd> !process 0n1872 0
Searching for Process with Cid == 750
PROCESS ffffc388a8cd5080
SessionId: 5 Cid: 0750 Peb: 806522f000 ParentCid: 0250
DirBase: 7a081002 ObjectTable: ffff8985feda39c0 HandleCount: 467.
Image: Calculator.exe
0: kd> !process 0 0 calculator.exe
PROCESS ffffc388a8cd5080
SessionId: 5 Cid: 0750 Peb: 806522f000 ParentCid: 0250
DirBase: 7a081002 ObjectTable: ffff8985feda39c0 HandleCount: 467.
Image: Calculator.exe
EDIT
a complete session
D:\>livekd
LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff803`3cc00000 PsLoadedModuleList = 0xfffff803`3d045f30
Debug session time: Wed Nov 24 06:55:11.500 2021
System Uptime: 3 days 5:19:28.286
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................
Loading User Symbols
Loading unloaded module list
..................................................
0: kd> .tlist cmd.exe
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
0n7836 cmd.exe
0: kd> !process 0n7836 0
Searching for Process with Cid == 1e9c
PROCESS ffffc388b2810080
SessionId: 9 Cid: 1e9c Peb: 7f78344000 ParentCid: 1468
DirBase: 115d4a002 ObjectTable: ffff8985fed9ad40 HandleCount: 68.
Image: cmd.exe
0: kd>
edit 2
my module is as follows
0: kd> lmv live
start end module name
fffff803`59090000 fffff803`5909d000 LiveKdD (no symbols)
Symbol file: LiveKdD.SYS
Image path: \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS
Image name: LiveKdD.SYS
Timestamp: Mon Apr 27 21:28:28 2020 (5EA70124)
CheckSum: 00014362
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
0: kd>
I have a driver built with WDK 8.1 which I'm trying to run on Windows 10 with
the Verifier enabled with Code Integrity check. I receive the following BSOD when the driver is started:
Do I need to rebuild the Driver with changing any settings.
And what is the meaning of "Arg1: 00002000, subclass of driver violation."
Bugcheck Analysis:
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00002000, subclass of driver violation.
Arg2: 93d76b70
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
Failed calling InternetOpenUrl, GLE=12007
BUGCHECK_STR: 0xc4_2000
IMAGE_NAME: McPvDrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5317613a
MODULE_NAME: McPvDrv
FAULTING_MODULE: 93d70000 McPvDrv
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8277336a to 8233bac4
STACK_TEXT:
876c76d8 8277336a 000000c4 00002000 93d76b70 nt!KeBugCheckEx
876c76fc 8241f7ea 93d76b70 00000000 00000000 nt!VerifierBugCheckIfAppropriate+0x36
876c771c 8276c018 93d76b70 00000000 00000000 nt!VfReportIssueWithOptions+0xd3
876c773c 8276a4b7 00000000 00000000 876c77c4 nt!VfCheckPoolType+0x61
876c774c 93d76b70 00000000 00000014 0000002d nt!VerifierExAllocatePool+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
876c77c4 93d7581d 93d7e14c 00000020 876c79ec McPvDrv+0x6b70
876c7a34 93d75fc1 93d73dba 00000001 71bfe534 McPvDrv+0x581d
876c7ae0 93d7145c b27cef30 860ebbe0 82217938 McPvDrv+0x5fc1
876c7b20 825a2920 b27cef30 b27ef000 ab95fcf0 McPvDrv+0x145c
876c7d00 825bd192 00000000 876c7d1c ab95fcf0 nt!IopLoadDriver+0x62a
876c7d20 82314145 ab95fcf0 00000000 861a8700 nt!IopLoadUnloadDriver+0x42
876c7d70 822a3da1 82487220 71bfe2e4 00000000 nt!ExpWorkerThread+0xd5
876c7db0 8234f2f1 82314070 82487220 00000000 nt!PspSystemThreadStartup+0x5b
876c7dbc 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x15
STACK_COMMAND: kb
FOLLOWUP_IP:
McPvDrv+6b70
93d76b70 8bf0 mov esi,eax
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: McPvDrv+6b70
FOLLOWUP_NAME: wintriag
FAILURE_BUCKET_ID: 0xc4_2000_VRF_McPvDrv+6b70
BUCKET_ID: 0xc4_2000_VRF_McPvDrv+6b70
Followup: wintriag
according to https://msdn.microsoft.com/en-us/library/windows/hardware/ff560187(v=vs.85).aspx
arg 0x2000 suggests you are calling StorPortInitialize function
please double check that you are using the correct OS symbols otherwise debugger output can be completely wrong! Also include a symbol folder path for your driver (File -> symbol file path).
You have here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms681416(v=vs.85).aspx details on how to use the Microsoft symbols server in order download required OS symbols.
You can add to your symbol path something like srvc:\MyTempSymbolFolderhttp://msdl.microsoft.com/download/symbols but be sure to use ";" do delimit symbol paths
After doing this should be able to do this commands in windbg successfully:
.reload /f nt
.reload /f McPvDrv.sys
and now rerun the !analyze -v command which might show you a modified call stack
I am unable to figure this problem out. Symbol is not being resolved
Deployment
There are number of exes of my system deployed on a network path. All users run those exes from that shared network path. This was working fine two weeks ago but now some of those exes have started crashing. There is no fix pattern of being crashed, it happens to any user, anytime during any activity.
Troubleshooting
I have got the dump of one of them, i tried WinDbg and got following
Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\crash\RNS1000.exe.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: SRV*c:\crash*http://msdl.microsoft.com/download/symbols;c:\crash
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Wed Oct 10 15:36:36.000 2012 (UTC + 5:00)
System Uptime: not available
Process Uptime: 0 days 7:12:54.000
................................................................
.........................................................
Loading unloaded module list
.......
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(924.85c): In-page I/O error ffffffffc000020c - code c0000006 (first/second chance not available)
eax=02060000 ebx=7c90fe01 ecx=00001000 edx=7c90e4f4 esi=000003a0 edi=00000000
eip=7c90e4f4 esp=0013afdc ebp=0013b040 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200297
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12007.
FAULTING_IP:
RNS1000+55f610
0095f610 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0095f610 (RNS1000+0x0055f610)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000008
Parameter[1]: 0095f610
Parameter[2]: c000020c
Inpage operation failed at 0095f610, due to I/O error c000020c
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT
PROCESS_NAME: RNS1000.exe
ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 0095f610
EXCEPTION_PARAMETER3: c000020c
IO_ERROR: (NTSTATUS) 0xc000020c - The transport connection is now disconnected.
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 00000000 to 00000000
APP: rns1000.exe
FAULTING_THREAD: ffffffff
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT
STACK_TEXT:
00000000 00000000 hardware_disk!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: hardware_disk!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware_disk
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_c0000006_hardware_disk!Unknown
BUCKET_ID: APPLICATION_FAULT_SOFTWARE_NX_FAULT_hardware_disk!Unknown
IMAGE_NAME: hardware_disk
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/RNS1000_exe/2_0_0_5/4f17b9d2/RNS1000_exe/2_0_0_5/4f17b9d2/c0000006/0055f610.htm?Retriage=1
Followup: MachineOwner
---------
I am expecting RNS1000+55f610 to be resolved to one of my programs function but it has not been resolved. The sysmbol path contains exe, pdb and mdmp.
Please tell me why has it not been resolved? what wrong am i doing?
The key part here is the In-page I/O error. The underlying disk/network drive disappeared.
The crash occurs some time later when it tries to page back in part of the executable, but it no longer has a valid file handle/connection.
The only fix is to run it locally or make sure the disk doesn't disappear while they're running.
More generally, you can get VB to create the info files for native debugging using the "Create symbolic debug info" option in the project's Compile settings. This can only be done before the fact though and won't help with debugging an existing build.
I found Windbg is very useful during development and debugging.
but mostly i use windbg in use mode debugging.
What kernel debugging can do in windbg?
or When should I use windbg's kernel debugging?
Is there a toturial about kernel debugging in windbg?
Thanks in advance.
you usually use kernel debugging when you need to debug low level device drivers interacting directly with the hardware.
It's more complicated to debug in kernel mode, among other things for a live kernel debug session you have to run the debugger on a different system than the one being debugged . for the majority of developers user mode is enough to do most of the work.
Advanced Windows Debugging is a very good book about debugging with wndbg (includes discussions about kernel debugging).
the dump analysis site has many tutorials including kernel debugging scenarios
the main difference between user mode and kernel mode WINDBG, is you can see EVERY process in kernel mode WINDBG, and all threads. You wont necessary get to see every stack frame since they get paged out frequently by the memory manager.
some common commands I use frequently.
!process 0 0
lists every running process:
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60 Cid: 0002 Peb: 00000000 ParentCid: 0000
DirBase: 00006e05 ObjectTable: 80a03788 TableSize: 150.
Image: System
PROCESS 80986f40 Cid: 0012 Peb: 7ffde000 ParentCid: 0002
DirBase: 000bd605 ObjectTable: 8098fce8 TableSize: 38.
Image: smss.exe
PROCESS 80958020 Cid: 001a Peb: 7ffde000 ParentCid: 0012
DirBase: 0008b205 ObjectTable: 809782a8 TableSize: 150.
Image: csrss.exe
PROCESS 80955040 Cid: 0020 Peb: 7ffde000 ParentCid: 0012
DirBase: 00112005 ObjectTable: 80955ce8 TableSize: 54.
Image: winlogon.exe
PROCESS 8094fce0 Cid: 0026 Peb: 7ffde000 ParentCid: 0020
DirBase: 00055005 ObjectTable: 80950cc8 TableSize: 222.
Image: services.exe
PROCESS 8094c020 Cid: 0029 Peb: 7ffde000 ParentCid: 0020
DirBase: 000c4605 ObjectTable: 80990fe8 TableSize: 110.
Image: lsass.exe
PROCESS 809258e0 Cid: 0044 Peb: 7ffde000 ParentCid: 0026
DirBase: 001e5405 ObjectTable: 80925c68 TableSize: 70.
Image: SPOOLSS.EXE
.process {x}
Select the process you want to make active, usually followed by the !threads command to list a processes current threads.
!stacks 0x2 {foo.sys}
searches ALL threads for call stacks that contain the specified driver.
!poolused
useful when debugging low kernel memory situations and all you have is a kernel crash dump
.crash
Useful for when you are debugging live via serial cable and you want to make the target machine write a crash dump
!vm 1
Useful display of the memory managers statistics, example:
*** Virtual Memory Usage ***
Physical Memory: 16270 ( 65080 Kb)
Page File: \??\E:\pagefile.sys
Current: 98304Kb Free Space: 61044Kb
Minimum: 98304Kb Maximum: 196608Kb
Available Pages: 5543 ( 22172 Kb)
ResAvail Pages: 6759 ( 27036 Kb)
Locked IO Pages: 112 ( 448 Kb)
Free System PTEs: 45089 ( 180356 Kb)
Free NP PTEs: 5145 ( 20580 Kb)
Free Special NP: 336 ( 1344 Kb)
Modified Pages: 714 ( 2856 Kb)
NonPagedPool Usage: 877 ( 3508 Kb)
NonPagedPool Max: 6252 ( 25008 Kb)
PagedPool 0 Usage: 729 ( 2916 Kb)
PagedPool 1 Usage: 432 ( 1728 Kb)
PagedPool 2 Usage: 436 ( 1744 Kb)
PagedPool Usage: 1597 ( 6388 Kb)
PagedPool Maximum: 13312 ( 53248 Kb)
Shared Commit: 1097 ( 4388 Kb)
Special Pool: 229 ( 916 Kb)
Shared Process: 1956 ( 7824 Kb)
PagedPool Commit: 1597 ( 6388 Kb)
Driver Commit: 828 ( 3312 Kb)
Committed pages: 21949 ( 87796 Kb)
Commit limit: 36256 ( 145024 Kb)
And don't forget the ALL MIGHTY !locks
absolutely essential for troubleshooting a deadlocked machine,
kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks......
Resource # 0x80e97620 Shared 4 owning threads
Threads: ff688da0-01<*> ff687da0-01<*> ff686da0-01<*> ff685da0-01<*>
KD: Scanning for held locks.......................................................
Resource # 0x80e23f38 Shared 1 owning threads
Threads: 80ed0023-01<*> *** Actual Thread 80ed0020
KD: Scanning for held locks.
Resource # 0x80d8b0b0 Shared 1 owning threads
Threads: 80ed0023-01<*> *** Actual Thread 80ed0020
2263 total locks, 3 locks currently held
using this command you can track down threads that are stuck waiting for another thread to release an ERESOURCE
Probably, you'll only want to debug in kernel mode when your code is running in kernel mode, ie when you're writing a drivers or something else that runs in the kernel. Or possibly if you're trying to learn more about Windows itself at a very low level by exploring around in the kernel and poking and prodding at things.
When looking for tutorials and other reference material, you might look for "kd" references as well as they are likely to be very similar. (kd is a command line kernel debugging tool.)