Windows Driver Debugging with WinDbg
Windows memory architecture
<fig 32-bit Windows memory architecture>
Windows kernel debugging model
<fig Windows kernel debugging model>
Debugging types
User mode debugging
Debugging a process that runs in user mode.
Tools: Visual Studio, WinDbg
Kernel mode debugging
Debugging code that runs in kernel mode (drivers, the kernel itself).
Tools: WinDbg
Live debugging
Stepping through a running target line by line at the source level.
Dump debugging
Analysing a dump file that was written when the system crashed (blue screen).
Terms
User dump
A dump taken of a user-mode process.
Kernel dump
A dump taken of kernel-mode memory.
The debugger
The tool installed to do the debugging (here, WinDbg).
The debuggee
The target being debugged, such as a process or a driver.
Debug symbols
For example PDB files. They contain function and variable names, their locations, and the mapping to source lines.
Stack
On x86, the registers ESP and EBP hold the addresses that bound the current stack frame: ESP is the stack pointer (top of the stack) and EBP is the frame base pointer.
Command prompt
0:000> - The '0' before the colon is the process number; the '000' after the colon is the thread number. This is the user-mode prompt.
kd> - The kernel-mode command prompt.
0: kd> - The leading '0' is the processor (CPU) number; 'kd' indicates that the debugger is in kernel mode.
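The prompt formats just described are easy to get wrong when reading a long session transcript. The following added example (not code from the original post) is a small Python parser that classifies each line of a WinDbg log as a user-mode prompt (process:thread), a kernel-mode prompt (optional processor number followed by kd>), or command output; the regexes and the sample transcript are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Prompt forms described above (constructed regexes, not part of WinDbg itself):
#   "0:000> cmd"  user mode: process 0, thread 000
#   "kd> cmd"     kernel mode, single-processor target
#   "1: kd> cmd"  kernel mode, processor 1 of a multiprocessor target
USER_PROMPT = re.compile(r"^(?P<proc>\d+):(?P<thread>\d{3,})>\s?(?P<cmd>.*)$")
KERNEL_PROMPT = re.compile(r"^(?:(?P<cpu>\d+):\s*)?kd>\s?(?P<cmd>.*)$")


@dataclass
class PromptLine:
    mode: str                  # "user" or "kernel"
    process: Optional[int]     # user mode only
    thread: Optional[int]      # user mode only
    processor: Optional[int]   # kernel mode; None when the prompt is plain "kd>"
    command: str


def parse_prompt(line: str) -> Optional[PromptLine]:
    """Classify one transcript line; return None for command output."""
    text = line.strip()
    m = USER_PROMPT.match(text)
    if m:
        return PromptLine("user", int(m["proc"]), int(m["thread"]), None, m["cmd"].strip())
    m = KERNEL_PROMPT.match(text)
    if m:
        cpu = int(m["cpu"]) if m["cpu"] is not None else None
        return PromptLine("kernel", None, None, cpu, m["cmd"].strip())
    return None


def commands_from_log(log: str) -> List[PromptLine]:
    """Keep only the lines typed at a prompt, dropping the output in between."""
    parsed = (parse_prompt(line) for line in log.splitlines())
    return [p for p in parsed if p is not None]


# Constructed transcript mixing user-mode and kernel-mode prompts with output.
SAMPLE_LOG = """\
0:000> k
 # ChildEBP RetAddr
00 0012ff88 7c816fd7 sample!main+0x2a
0:001> r
eax=00000000 ebx=7ffde000 ecx=00000000
kd> !drivers
1: kd> .reload
Loading Kernel Symbols
"""

if __name__ == "__main__":
    for entry in commands_from_log(SAMPLE_LOG):
        print(entry)
```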
WinDbg commands
Debugger commands
- r - registers - Display CPU register contents
- k - call stack - Display the stack backtrace
- g - go - Continue execution
- p - step - Execute one instruction or source line, stepping over calls
- pc - step to next call - Execute until the next call instruction
- t - trace - Execute one instruction or source line, stepping into calls
- tb - trace to next branch - Execute until the next branch
- tc - trace to next call - Execute until the next call
- wt - trace and watch - Trace execution and report on the calls made
- a - assemble - Assemble instructions into memory
- u - unassemble - Disassemble memory
- bc - breakpoint clear - Remove breakpoints
- bd - breakpoint disable - Disable breakpoints
- be - breakpoint enable - Enable breakpoints
- bl - breakpoint list - List breakpoints
- ba - break on access - Set a hardware (data access) breakpoint
- d, da, db, dw, dd - display - Display memory (ASCII, bytes, words, double words)
- dds - display double words and symbols - Display DWORDs with the symbol each resolves to
- dl - display linked list - Walk and display a LIST_ENTRY linked list
- ds - display string - Display a string
- dt - display type - Display a data type or a variable formatted by its type
- dv - display variables - Display local variables
- s - search - Search memory for a pattern
- ld - load symbols - Load symbols for a module
- lm - list modules - List loaded modules
- ln - list nearest - List the symbols nearest to an address
- k, kb, kd, kp, kv - stack - Display the stack backtrace with varying detail
- e, ea, eb, ed, ew, eu - enter - Write values into memory
- etc...
Meta commands
- .sympath - Set the symbol path
- .reload - Reload module symbols
- .srcpath - Set the source path
- .exepath - Set the executable path
- .trap - Display a trap frame
- .ecxr - Display the exception context record
- .exr - Display an exception record
- .cxr - Display a context record
- .reboot - Reboot the target computer
- .dump - Create a dump file
- .enable_unicode - Enable Unicode display
- .ofilter - Filter target output
- .cls - Clear the screen
- .bugcheck - Display bug check data
- .context - Set the user-mode address context
- .process - Set the process context
- .thread - Set the thread (register) context
- .tss - Display a task state segment
- .load - Load an extension DLL
- etc...
Extension commands
- !analyze - Displays information about the current bug check
- !cpuid - Displays information about the processors on the system
- !error - Decodes and displays information about an error value
- !gle - Displays the last error value for the current thread
- !obja - Displays the attributes of an object in the object manager
- !peb - Displays a formatted view of the information in the process environment block (PEB)
- !teb - Displays a formatted view of the information in the thread environment block (TEB)
- !token - Displays a formatted view of a security token object
- !process - Displays information about the specified process, or about all processes
- !stacks - Displays information about the current kernel stacks
- !thread - Displays summary information about a thread
- !zombies - Displays all dead ("zombie") processes or threads
- !drivers - Displays a list of all loaded drivers
- !devnode - Displays information about a device node
- !devobj - Displays detailed information about a DEVICE_OBJECT
- !devstack - Displays a formatted view of the device stack
- !drvobj - Displays detailed information about a DRIVER_OBJECT
- etc...