I see a crash in Explorer.exe, due to our security s/w dll loaded in to the Explorer.exe.
The crash happens during the shutdown of the system. The VM is connected to the Kernel debugger. I don't see Kernel debugger breaks when exception happens. I tried all debug event filters. But I could not success.
Can someone suggest me, why could not I see the break when there is an exception.
I want to break into the debugger, exactly at the time of exception.
Can I use SXE ud "dllName" in kernelmode to notify my when a perticula dll gets unloaded?
the exception was
Explorer Crash, "The instruction at 0x6ad88b5 refrernced memory at 0x0000000. The memory could not be read"
This should work:
Launch gflags.exe from WinDbg.
Go to "Image File" tab, type in "explorer.exe" and hit TAB key.
Check the first item "Stop on Exception".
Now when explorer.exe crash and kernel debugger is connected, WinDbg should break.
First, loading or unloading of DLL will not cause break when debugging in Kernel mode, they work well when doing user mode debugging however.
i believe in kernel mode debugging you should be able to break, when kernel mode binaries like .SYS file are loaded or unloaded.
Now, to your question. One way could be,
set Windbg as the default postmortem debugger. windbg.exe -I.
This will ensure that you break in the debugger when any exception occurs. But this would be user mode debugging.
Next, given that you have a KD setup, just executing .breakin, will take you form user mode to kernel mode debugging.
Italic are debugger commands.
Related
When i am debugging my program and an error occur, the debug session ends, but the program remains in memory. Using the activity manager of Windows to close it does not work. I need to close Visual Studio in order to kill the process.
Why is this happening?
When during debugging a program error occurs, the program usually does not "end". Instead, the debugger (VS2010) pauses execution, allowing you to inspect the code resulting in the error. Depending on the language used (e.g. C#) and the way you compiled your program, you may even be able to edit the program on the fly, move the execution cursor back a bit and continue the program from there.
If the Debug toolbar is visible (in my case it shows up automatically whenever I'm debugging), you should see a couple of "playback" buttons, allowing you to start/continue, pause, stop your program etc. If you stop your program, it will be gone from the task manager too.
As I mentioned in a comment on your question, you can also use the Debug menu to accomplish these tasks.
I am trying to launch an application via the ShellExecute() API call. This application contains only a main function which does some processing and exits.
Now I have put DebugBreak() in starting of main. When ShellExecute() is called the application is launched successfully but it does not ask for breaking.
How can I debug my application when launched from other application using ShellExecute()?
I am using VC++ .
If DebugBreak() isn't workign for you, try _CrtDbgBreak(). Note that _CrtDbgBreak only works in a debug build.
_CrtDebugBreak definitely works for me to make a launched process break on startup, although I'm pretty sure DebugBreak does also.
Note that both functions will make it look like the process has crashed, since they raise an exception. That is normal and gives you the opportunity to attach a debugger via the crash dialog. (The crash dialog also lets you terminate the process; don't use that, obviously.)
Also note that if you have a catch-all SEH exception handler around your main then the exception raise by DebugBreak & friends will be swallowed up and the app will simply exit without showing the crash dialog or letting you attach to it.
You can't do this with VC++; with WinDbg this is just .childdbg 1 to debug all child processes. With VC++, you can use Image File Execution Options in a pinch - check out http://codereflect.com/2009/09/20/how-to-debug-child-process-using-windbgvisual-studio/ for more info. Really though, if you've got the time to learn WinDbg, it's much better at this.
you can try this, it's ok in xp system.
app.exe is your application name,
-s1...-s3 is command line arguments.
HINSTANCE hRet = ShellExecute(NULL, L"open", L"vsjitdebugger.exe", L" app.exe -s1 a1 -s2 a2 a3 -s3", szExePath, SW_SHOW);
There is now a Microsoft Child Process Debugging Power Tool.
The method I use for things like this is to embed some interactive code, which you can either delete afterwards, comment out or conditionally enable. In a few cases we have this code enabled by querying an environment variable which is set by the tool that launches the main application. This allows me to click a check box, hit launch and have the breakpoint dialog in seconds.
if (MessageBox(NULL,
_T("Attach the debugger now, then choose Yes to hit a breakpoint"),
_T("Attach Debugger"),
MB_YESNO) == IDYES)
__debugbreak();
This gives you the ability to attach the debugger when the dialog box appears and the option to hit a breakpoint or not. My earlier versions didn't give me the option and after a while I realised some of the time I wanted the breakpoint, and some of the time I didn't.
Is there a way to follow a program's execution through DLL code in hex?
For example, I want to see what sections have just been read when I press a button. It has to work for x64 DLL's.
Thanks!
Yes you load the process into debugger and single step it.
Load the project in visual studio.
Press 'Play' or F5 to start the program in the debugger.
You will need to eventually halt execution sometime so you can start stepping through code or assembly code. You can do this by inserting a breakpoint, or breaking the execution by hitting the break command in the visual studio IDE.
Once halted, you can right click in the code view window, and select "Show Disassembly". Then it will show you the machine instructions.
Also in the watch window in the visual studio debugger, the right click pop up menu has an option to display all variables as hexidecimal. I'm beginning to prefer hex myself lately, because I can see invalid memory patterns easier.
You can use the tool at http://ircdb.org to log function calls arbitrary DLLs.
It's name is SocketSpy, because initially it was created for tracing winsock.dll only, but it does allow you to trace other dlls.
From http://fixunix.com/programmer/95098-tracing-library-dll-calls-win32.html
Use Option->Default Break Point List
Menu to add or remove soft breakpoints
from attached DLLs. Put soft
breakpoints only at function you need
to maximize execution time.
Soft breakpoint means that socketspy
does not stop at this breakpoint, only
log breakpoint information. Hard
breakpoint means that socketspy DOES
STOP at this breakpoint, and
Breakpoint dialog is opened. Specify
what calls should be captured ALL,
FROM EXE FILE or from DLLs (Combobox).
Specify log file File->Open Log File
menu if you want to save function
DLLs' calls into the text file, enable
logging (check box).
Then select a new or already action
process (Select Process button). The
tool can be used in NT/2000/XP only
Alternatively, there is StraceNT, which can trace arbitrary Dlls. It is available for free from http://www.intellectualheaven.com/default.asp?BH=projects&H=strace.htm
I've not used it, but I once stumble upon an Intel tool, which samples the context of the Instruction Pointer, and is able to use symbol files to convert IP to an actual function name... VTune maybe?
I guess there might be other such tools
UPDATE: aka. "statistical profilers"...
Debugging using IDE does not show you the assembly language equivalent of the execution of an IL instruction. You need to write your own hooks to a proper disassembler.
I work for an orginization that has a custom built Access/SQL Application running in house. We have a problem Explorer.exe throwing an error and crashing.
This is a picture of the crash:
What is the best way to start tracking this problem down and finding a solution ?
Make sure WinDBG is installed, set it up as the default debugger then use Analyze and get a crash dump.
The next time you get that dialog click "OK" to attach in WinDbg
Keep in mind that if you attach a debugger to explorer, then break, that you should not try to do anything in the debugger that invokes a call to explorer or you will deadlock the debugger. This can be surprisingly tricky as it means you cannot open a "File Open" dialog, print, browse to another computer and any number of other things.
Often WinDbg will enter a state where it is *Busy* performing an operation.
Often this is due to some mistake I made trying to dt some_variable_itll_never_find or setting a break point somewhere without symbols or the 1000's of other mistakes I make fumbling around this tool.
Is there a way to cancel the current operation?
I don't have the tool now, but as far as I remember it should be Ctrl+Break.
Sometimes Ctrl+Break doesnt work. At that point you may use Debug menu -> Break.
Thanks
Ctrl+Break
will forcibly Debug break all but if for instance you entered some windbg command that takes a long time and you want to kill that then you should enter
Ctrl+c
This will kill the current running command.
You probably had "http://msdl.microsoft.com/download/symbols" in the symbol path.
Windbg will try to locate all your PDBs on Microsoft site :-(.
Pressing Ctrl+Break is not fast enough.
What I usually do is to unplug the network cable, until Windbg wakes up.
Just be carfull, if Windbg was realy downloading one if its OS DLL, the DLL gets curropted. You will need .reload /o to fix that DLL. I only unplug when I know all OS DLL were already downloaded.
To avoid this delay in the first place, uncheck "Resolve Unqualified Symbols" found under the "Debug" menu.