SlideShare a Scribd company logo

Debugging TV Frame 0x08

Dmitry Vostokov
Dmitry Vostokov

This episode discusses logging WinDbg extension, adding your API for custom logging, different logging formats, viewing verbose logging extension logs, tracing Win32 API while debugging a process, Activation Context memory analysis pattern.

Software
1 of 8
Download to read offline
Frame 0x08 Presenter: Dmitry Vostokov Sponsors Debugging.TV
• Logging WinDbg extension • Adding your API for logging • Different logging formats • Viewing verbose logging extension logs Topics © 2012 DumpAnalysis.org + TraceAnalysis.org Tracing Win32 API while debugging a process Activation Context pattern
C:Program FilesDebugging Tools for Windows (x64)winextmanifestcontexts.h // +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ // // Activation Context API // // +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ category ActivationContext: module KERNEL32.DLL: FailOnFalse ActivateActCtx(HANDLE hActCtx, [out] PULONG_PTR lpCookie); FailOnFalse DeactivateActCtx(DWORD dwFlags, ULONG_PTR upCookie); C:Program FilesDebugging Tools for Windows (x64)winextmanifestmain.h [...] #include "contexts.h" Custom Logging © 2012 DumpAnalysis.org + TraceAnalysis.org
0:001> !logexts.loge Windows API Logging Extensions v3.01 Parsing the manifest files... Location: C:Program FilesDebugging Tools for Windows (x64)winextmanifestmain.h Parsing file "main.h" ... Parsing file "winerror.h" ... Parsing file "kernel32.h" ... [...] Parsing completed. Logexts injected. Output: "C:UsersTrainingDesktopLogExts" Logging enabled. 0:001> !logc d * All categories disabled. 0:001> !logc Categories: 1 ActivationContext Disabled 2 AdvApi32 Disabled [...] 0:001> !logc e 1 1 ActivationContext Enabled Enabling Logging © 2012 DumpAnalysis.org + TraceAnalysis.org
0:001> !logo Logging currently enabled. Output directory: C:UsersDump AnalysisDesktopLogExts Output settings: Debugger Disabled Text file Disabled Verbose log Enabled 0:001> !logo e t Debugger Disabled Text file Enabled Verbose log Enabled 0:001> !logo e d Debugger Enabled Text file Enabled Verbose log Enabled Logging Output © 2012 DumpAnalysis.org + TraceAnalysis.org
0:001> g ModLoad: 00000000`56bd0000 00000000`56c35000 C:Program FilesDebugging Tools for Windows (x64)winextlogexts.dll [...] Thrd 1498 000000013F5F1163 ActivateActCtx( 0x000000000044DD58) -> TRUE ( 0x000000000031F8F8) Thrd 1498 000000013F5F11CD ActivateActCtx( 0x0000000000460188) -> TRUE ( 0x000000000031F908) Thrd 1498 000000013F5F1201 ActivateActCtx( 0x000000000044E038) -> TRUE ( 0x000000000031F8F0) (13f0.1498): Unknown exception - code 00000001 (first chance) (13f0.1498): Unknown exception - code c015000f (first chance) (13f0.1498): Unknown exception - code c015000f (!!! second chance !!!) ntdll! ?? ::FNODOBFM::`string'+0x13ab0: 00000000`77c4fd5c 488b36 mov rsi,qword ptr [rsi] ds:00000000`030b04d0=00000000030b0470 0:000> kL Child-SP RetAddr Call Site 00000000`0031f5b0 00000000`77ac42d3 ntdll! ?? ::FNODOBFM::`string'+0x13ab0 00000000`0031f690 00000000`56c0d163 kernel32!DeactivateActCtx+0x23 00000000`0031f6c0 00000000`56bed394 logexts!LogHookCallFunction+0x73 00000000`0031f730 00000000`56c0d0e5 logexts!LogProcessHook+0x514 00000000`0031f870 00000001`3f5f1254 logexts!LogHook+0x45 00000000`0031f8c0 00000001`3f5f13db TestActCtx!wmain+0x224 00000000`0031f930 00000000`77ad652d TestActCtx!__tmainCRTStartup+0x13b 00000000`0031f970 00000000`77c0c521 kernel32!BaseThreadInitThunk+0xd 00000000`0031f9a0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d 0:000> g Thrd 1498 000000013F5F1254 DeactivateActCtx( 0x00000000 0x13AB3BF900000002) -> TRUE Thrd 1498 000000013F5F1263 DeactivateActCtx( 0x00000000 0x13AB3BF900000001) -> TRUE ntdll!NtTerminateProcess+0xa: 00000000`77c315da c3 ret Tracing Example © 2012 DumpAnalysis.org + TraceAnalysis.org
!Ad Hardcore Technical Support Training © 2012 DumpAnalysis.org + TraceAnalysis.org Advanced Windows Memory Dump Analysis Accelerated Windows Memory Dump AnalysisApril 11-16, 2012: April 20-23, 2012: Training Schedule Accelerated Software Trace AnalysisApril 27-30, 2012: Accelerated Mac OS X Core Dump Analysis Forthcoming: Linux Core Dump Analysis
Debugging.TV

Recommended

Valgrind tool
Valgrind toolValgrind tool
Valgrind tool
KrishnaPrasad630
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
Ji Hun Kim
 
Debugging TV Frame 0x02
Debugging TV Frame 0x02Debugging TV Frame 0x02
Debugging TV Frame 0x02
Dmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARF
Samy Bahra
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 

Recommended

Valgrind tool
Valgrind toolValgrind tool
Valgrind tool
KrishnaPrasad630
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
Ji Hun Kim
 
Debugging TV Frame 0x02
Debugging TV Frame 0x02Debugging TV Frame 0x02
Debugging TV Frame 0x02
Dmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
Dmitry Vostokov
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARF
Samy Bahra
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
A 3D printing programming API
A 3D printing programming APIA 3D printing programming API
A 3D printing programming API
Max Kleiner
 
Controlando windows like a boss com Intel Real Sense SDK
Controlando windows like a boss com Intel Real Sense SDKControlando windows like a boss com Intel Real Sense SDK
Controlando windows like a boss com Intel Real Sense SDK
Andre Carlucci
 
Accelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisAccelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump Analysis
Dmitry Vostokov
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
OOO "Program Verification Systems"
 
Debugging TV Frame 0x05
Debugging TV Frame 0x05Debugging TV Frame 0x05
Debugging TV Frame 0x05
Dmitry Vostokov
 
eel6935_ch2.pdf
eel6935_ch2.pdfeel6935_ch2.pdf
eel6935_ch2.pdf
Sambasiva62
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
Dmitry Vostokov
 
5054a v19 english version installation instructions
5054a v19 english version installation instructions5054a v19 english version installation instructions
5054a v19 english version installation instructions
Bill Zhao
 
Key codes
Key codesKey codes
Key codes
tusher khan
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
Felipe Prado
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
kbour23
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
Arno Huetter
 
Linux kernel debugging(PDF format)
Linux kernel debugging(PDF format)Linux kernel debugging(PDF format)
Linux kernel debugging(PDF format)
yang firo
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)
yang firo
 
Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
James Hsieh
 
TinyOS 2.1 Tutorial: Hands-on Session
TinyOS 2.1 Tutorial: Hands-on SessionTinyOS 2.1 Tutorial: Hands-on Session
TinyOS 2.1 Tutorial: Hands-on Session
Razvan Musaloiu-E.
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
 
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
CODE BLUE
 
Spug pt session2 - debuggingl
Spug pt session2 - debugginglSpug pt session2 - debuggingl
Spug pt session2 - debuggingl
Comunidade Portuguesa de SharePoiint
 
Sigfox XKit Workshop
Sigfox XKit WorkshopSigfox XKit Workshop
Sigfox XKit Workshop
Nicolas Lesconnec
 
Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
Dmitry Vostokov
 
Debugging TV Frame 0x1C
Debugging TV Frame 0x1CDebugging TV Frame 0x1C
Debugging TV Frame 0x1C
Dmitry Vostokov
 

More Related Content

Similar to Debugging TV Frame 0x08

Accelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisAccelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump Analysis
Dmitry Vostokov
 
5054a v19 english version installation instructions
5054a v19 english version installation instructions5054a v19 english version installation instructions
5054a v19 english version installation instructions
Bill Zhao
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
kbour23
 
Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
James Hsieh
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
 
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
CODE BLUE
 

Similar to Debugging TV Frame 0x08 (20)

A 3D printing programming API
A 3D printing programming APIA 3D printing programming API
A 3D printing programming API
 
Controlando windows like a boss com Intel Real Sense SDK
Controlando windows like a boss com Intel Real Sense SDKControlando windows like a boss com Intel Real Sense SDK
Controlando windows like a boss com Intel Real Sense SDK
 
Accelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump AnalysisAccelerated Windows Memory Dump Analysis
Accelerated Windows Memory Dump Analysis
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Debugging TV Frame 0x05
Debugging TV Frame 0x05Debugging TV Frame 0x05
Debugging TV Frame 0x05
 
eel6935_ch2.pdf
eel6935_ch2.pdfeel6935_ch2.pdf
eel6935_ch2.pdf
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
 
5054a v19 english version installation instructions
5054a v19 english version installation instructions5054a v19 english version installation instructions
5054a v19 english version installation instructions
 
Key codes
Key codesKey codes
Key codes
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Linux kernel debugging(PDF format)
Linux kernel debugging(PDF format)Linux kernel debugging(PDF format)
Linux kernel debugging(PDF format)
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)
 
Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
 
TinyOS 2.1 Tutorial: Hands-on Session
TinyOS 2.1 Tutorial: Hands-on SessionTinyOS 2.1 Tutorial: Hands-on Session
TinyOS 2.1 Tutorial: Hands-on Session
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
 
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
 
Spug pt session2 - debuggingl
Spug pt session2 - debugginglSpug pt session2 - debuggingl
Spug pt session2 - debuggingl
 
Sigfox XKit Workshop
Sigfox XKit WorkshopSigfox XKit Workshop
Sigfox XKit Workshop
 

More from Dmitry Vostokov

More from Dmitry Vostokov (20)

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
 
Debugging TV Frame 0x1C
Debugging TV Frame 0x1CDebugging TV Frame 0x1C
Debugging TV Frame 0x1C
 
Debugging TV Frame 0x1A
Debugging TV Frame 0x1ADebugging TV Frame 0x1A
Debugging TV Frame 0x1A
 
Debugging TV Frame 0x34
Debugging TV Frame 0x34Debugging TV Frame 0x34
Debugging TV Frame 0x34
 
Debugging TV Frame 0x33
Debugging TV Frame 0x33Debugging TV Frame 0x33
Debugging TV Frame 0x33
 
Debugging TV Frame 0x31
Debugging TV Frame 0x31Debugging TV Frame 0x31
Debugging TV Frame 0x31
 
Debugging TV Frame 0x25
Debugging TV Frame 0x25Debugging TV Frame 0x25
Debugging TV Frame 0x25
 
Debugging TV Frame 0x24
Debugging TV Frame 0x24Debugging TV Frame 0x24
Debugging TV Frame 0x24
 
Debugging TV Frame 0x21
Debugging TV Frame 0x21Debugging TV Frame 0x21
Debugging TV Frame 0x21
 
Debugging TV Frame 0x20
Debugging TV Frame 0x20Debugging TV Frame 0x20
Debugging TV Frame 0x20
 
Debugging TV Frame 0x19
Debugging TV Frame 0x19Debugging TV Frame 0x19
Debugging TV Frame 0x19
 
Debugging TV Frame 0x18
Debugging TV Frame 0x18Debugging TV Frame 0x18
Debugging TV Frame 0x18
 
Debugging TV Frame 0x17
Debugging TV Frame 0x17Debugging TV Frame 0x17
Debugging TV Frame 0x17
 
Debugging TV Frame 0x15
Debugging TV Frame 0x15Debugging TV Frame 0x15
Debugging TV Frame 0x15
 
Debugging TV Frame 0x14
Debugging TV Frame 0x14Debugging TV Frame 0x14
Debugging TV Frame 0x14
 
Debugging TV Frame 0x13
Debugging TV Frame 0x13Debugging TV Frame 0x13
Debugging TV Frame 0x13
 
Debugging TV Frame 0x12
Debugging TV Frame 0x12Debugging TV Frame 0x12
Debugging TV Frame 0x12
 
Debugging TV Frame 0x11
Debugging TV Frame 0x11Debugging TV Frame 0x11
Debugging TV Frame 0x11
 
Debugging TV Frame 0x10
Debugging TV Frame 0x10Debugging TV Frame 0x10
Debugging TV Frame 0x10
 
Debugging TV Frame 0x0F
Debugging TV Frame 0x0FDebugging TV Frame 0x0F
Debugging TV Frame 0x0F
 

Recently uploaded

The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
ayushiqss
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 

Recently uploaded (20)

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodology
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 

Debugging TV Frame 0x08

  • 1. Frame 0x08 Presenter: Dmitry Vostokov Sponsors Debugging.TV
  • 2. • Logging WinDbg extension • Adding your API for logging • Different logging formats • Viewing verbose logging extension logs Topics © 2012 DumpAnalysis.org + TraceAnalysis.org Tracing Win32 API while debugging a process Activation Context pattern
  • 3. C:Program FilesDebugging Tools for Windows (x64)winextmanifestcontexts.h // +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ // // Activation Context API // // +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ category ActivationContext: module KERNEL32.DLL: FailOnFalse ActivateActCtx(HANDLE hActCtx, [out] PULONG_PTR lpCookie); FailOnFalse DeactivateActCtx(DWORD dwFlags, ULONG_PTR upCookie); C:Program FilesDebugging Tools for Windows (x64)winextmanifestmain.h [...] #include "contexts.h" Custom Logging © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 4. 0:001> !logexts.loge Windows API Logging Extensions v3.01 Parsing the manifest files... Location: C:Program FilesDebugging Tools for Windows (x64)winextmanifestmain.h Parsing file "main.h" ... Parsing file "winerror.h" ... Parsing file "kernel32.h" ... [...] Parsing completed. Logexts injected. Output: "C:UsersTrainingDesktopLogExts" Logging enabled. 0:001> !logc d * All categories disabled. 0:001> !logc Categories: 1 ActivationContext Disabled 2 AdvApi32 Disabled [...] 0:001> !logc e 1 1 ActivationContext Enabled Enabling Logging © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 5. 0:001> !logo Logging currently enabled. Output directory: C:UsersDump AnalysisDesktopLogExts Output settings: Debugger Disabled Text file Disabled Verbose log Enabled 0:001> !logo e t Debugger Disabled Text file Enabled Verbose log Enabled 0:001> !logo e d Debugger Enabled Text file Enabled Verbose log Enabled Logging Output © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 6. 0:001> g ModLoad: 00000000`56bd0000 00000000`56c35000 C:Program FilesDebugging Tools for Windows (x64)winextlogexts.dll [...] Thrd 1498 000000013F5F1163 ActivateActCtx( 0x000000000044DD58) -> TRUE ( 0x000000000031F8F8) Thrd 1498 000000013F5F11CD ActivateActCtx( 0x0000000000460188) -> TRUE ( 0x000000000031F908) Thrd 1498 000000013F5F1201 ActivateActCtx( 0x000000000044E038) -> TRUE ( 0x000000000031F8F0) (13f0.1498): Unknown exception - code 00000001 (first chance) (13f0.1498): Unknown exception - code c015000f (first chance) (13f0.1498): Unknown exception - code c015000f (!!! second chance !!!) ntdll! ?? ::FNODOBFM::`string'+0x13ab0: 00000000`77c4fd5c 488b36 mov rsi,qword ptr [rsi] ds:00000000`030b04d0=00000000030b0470 0:000> kL Child-SP RetAddr Call Site 00000000`0031f5b0 00000000`77ac42d3 ntdll! ?? ::FNODOBFM::`string'+0x13ab0 00000000`0031f690 00000000`56c0d163 kernel32!DeactivateActCtx+0x23 00000000`0031f6c0 00000000`56bed394 logexts!LogHookCallFunction+0x73 00000000`0031f730 00000000`56c0d0e5 logexts!LogProcessHook+0x514 00000000`0031f870 00000001`3f5f1254 logexts!LogHook+0x45 00000000`0031f8c0 00000001`3f5f13db TestActCtx!wmain+0x224 00000000`0031f930 00000000`77ad652d TestActCtx!__tmainCRTStartup+0x13b 00000000`0031f970 00000000`77c0c521 kernel32!BaseThreadInitThunk+0xd 00000000`0031f9a0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d 0:000> g Thrd 1498 000000013F5F1254 DeactivateActCtx( 0x00000000 0x13AB3BF900000002) -> TRUE Thrd 1498 000000013F5F1263 DeactivateActCtx( 0x00000000 0x13AB3BF900000001) -> TRUE ntdll!NtTerminateProcess+0xa: 00000000`77c315da c3 ret Tracing Example © 2012 DumpAnalysis.org + TraceAnalysis.org
  • 7. !Ad Hardcore Technical Support Training © 2012 DumpAnalysis.org + TraceAnalysis.org Advanced Windows Memory Dump Analysis Accelerated Windows Memory Dump AnalysisApril 11-16, 2012: April 20-23, 2012: Training Schedule Accelerated Software Trace AnalysisApril 27-30, 2012: Accelerated Mac OS X Core Dump Analysis Forthcoming: Linux Core Dump Analysis