SWUG July 2010 - Windows Debugging by Sainath

Sainath presents the tools he uses to debug problems in Windows.

Published in: Technology


  1. Sainath
     • BT Frontline
     • [email_address]
     • MVP – Active Directory
     • Microsoft TechNet Moderator – Win2k8, Networking
     • Microsoft TechNet Magazine – Author
     • Microsoft Speaker – SWUG
  2. Windows Debugging
  3. Basic Terms
     • Process
     • Thread
     • User mode
     • Kernel mode
     • Call stack
     • Register
     • Exception
  4. Basic Terms
     • IRQL
     • Interrupt
     • Free build
     • Checked build
     • Paging
     • Non-paged pool
     • Paged pool
  5. Basic Terms
     • Complete memory dump
     • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl
       CrashDumpEnabled REG_DWORD 0x0 = None
       CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump
       CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump
       CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64 KB)
  6. ASK A QUESTION TO PROCEED
  7. Debugger Installation Setup
     • Http://www.microsoft.com/ddk/debugging
     • Symbol files
     • Public symbols – global variables, FPO data
     • Private symbols – local symbols and global variables
  8. Debugger Setup
     • Problem with symbol file:
       ERROR: Symbol file could not be found. Defaulted to export symbols for <xxx.exe>
     • Solution: check the symbol file path, then use the .reload command
  9. AdPlus Tool
     • User-mode debugging tool
     • Produces memory dumps of an application and its processes
     • The -notify switch notifies a user via messenger
     • You cannot debug startup applications
     • You cannot debug programs that generate a lot of debug information
  10. AdPlus Tool
     • AdPlus modes: hang mode, crash mode
     • First-chance exception
     • Second-chance exception
  11. AdPlus Tool
     • Command-line switches:
       adplus -help
       adplus -hang
       adplus -crash
       adplus -pn
       adplus -iis
  12. AdPlus Tool
     • Demo 1: AdPlus hang dump, AdPlus crash dump, configuring symbols, dumping a process, analyzing the dump
  13. Understanding Assembly
     • C program:
       #include <stdio.h>
       int main(void)
       {
           int x = 10;
           int y = 20;
           x = 30;
           y = 40;
           printf("value of x is %d\n", x);
           return 0;
       }
  14. Understanding Assembly
     • Important note: CPU registers and variables are different things in assembly, but they serve a similar purpose
     • 12 major CPU registers: AX, BX, CX, DX, SI, DI, CS, IP, etc.
     • Declaring variables:
       x dw 10
       y dw 20
  15. Understanding Assembly
     • Assembly:
       mov [x], 10
       mov [y], 20
     • WinDbg:
       mov dword ptr [saiprj!x (0a003456)], 10
  16. Assembly Continued
     • Writing data to registers:
       mov eax, 15
       mov eax, [x]
     • WinDbg:
       mov eax, [saipgm!x (a0302934)]
  17. Assembly Continued
     • C program:
       int b = 10;
       int a = 20;
       b = b + a;
     • Assembly:
       mov eax, b
       add [a], eax
     • WinDbg:
       mov eax, [saipgm!b (a0308923)]
       add [saipgm!a (02342343)], eax
  18. Assembly Continued
     • mov [x], 1
     • mov [y], 1
     • mov eax, [x]
     • add [b], eax
     • inc eax
     • What is the output???
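Slides 13 to 18 describe how a few x86 instructions move values between named global variables and the eax register. The following is an added example, not code from the slides or from WinDbg: a hypothetical model of just that instruction subset (mov, add, inc; operands eax, [name], a bare name, or an immediate; the WinDbg "dword ptr" size prefix is accepted and ignored, the symbolic "saipgm!x (addr)" annotation is not parsed). Running the slide 17 sequence through it shows that `add [a], eax` leaves the sum in the variable a while eax still holds the value read from b, which is what a `dd` of the variables would confirm in the debugger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical teaching model (not WinDbg): a few named global variables, the
   cells the debugger would show as saipgm!x, plus a single register, eax. */
#define MAX_VARS 8
typedef struct { char name[16]; int value; } Var;

static Var g_vars[MAX_VARS];
static int g_nvars = 0;
static int g_eax = 0;

/* Empty the data segment and clear eax. */
void machine_reset(void) { g_nvars = 0; g_eax = 0; }
int get_eax(void) { return g_eax; }

static Var *find_var(const char *name)
{
    for (int i = 0; i < g_nvars; i++)
        if (strcmp(g_vars[i].name, name) == 0) return &g_vars[i];
    return NULL;
}

/* Equivalent of the slide 14 declaration "x dw 10". Returns 0, or -1 on a duplicate or full table. */
int declare_var(const char *name, int value)
{
    if (find_var(name) || g_nvars >= MAX_VARS || strlen(name) >= sizeof g_vars[0].name) return -1;
    strcpy(g_vars[g_nvars].name, name);
    g_vars[g_nvars].value = value;
    g_nvars++;
    return 0;
}

/* Current value of a declared variable; 0 if it was never declared. */
int get_var(const char *name) { Var *v = find_var(name); return v ? v->value : 0; }

static int is_bracket(const char *tok)
{
    size_t n = strlen(tok);
    return n >= 3 && tok[0] == '[' && tok[n - 1] == ']';
}

/* "[name]" -> the variable cell, or NULL if undeclared. */
static Var *bracket_var(const char *tok)
{
    char name[16];
    size_t n = strlen(tok) - 2;
    if (n >= sizeof name) return NULL;
    memcpy(name, tok + 1, n);
    name[n] = '\0';
    return find_var(name);
}

/* Source operand: eax | [name] | immediate (decimal or 0x hex) | bare name (slide 17 style). */
static int read_operand(const char *tok, int *out)
{
    if (strcmp(tok, "eax") == 0) { *out = g_eax; return 0; }
    if (is_bracket(tok)) { Var *v = bracket_var(tok); if (!v) return -1; *out = v->value; return 0; }
    char *end;
    long imm = strtol(tok, &end, 0);
    if (end != tok && *end == '\0') { *out = (int)imm; return 0; }
    Var *v = find_var(tok);
    if (!v) return -1;
    *out = v->value;
    return 0;
}

/* Destination operand: eax | [name]. An immediate is not a valid destination. */
static int write_operand(const char *tok, int value)
{
    if (strcmp(tok, "eax") == 0) { g_eax = value; return 0; }
    if (is_bracket(tok)) { Var *v = bracket_var(tok); if (!v) return -1; v->value = value; return 0; }
    return -1;
}

/* Execute one line: mov dst, src | add dst, src | inc dst. Case-insensitive.
   Returns 0, or -1 for an unknown mnemonic, wrong operand count, undeclared variable
   or immediate destination. */
int exec_insn(const char *line)
{
    char buf[80];
    size_t j = 0;
    for (size_t i = 0; line[i] != '\0' && j < sizeof buf - 1; i++)
        buf[j++] = (char)tolower((unsigned char)(line[i] == ',' ? ' ' : line[i]));
    buf[j] = '\0';

    char *ops[2], *tok, *op = strtok(buf, " \t");
    int nops = 0, src, dst;
    if (!op) return -1;
    while ((tok = strtok(NULL, " \t")) != NULL) {
        if (strcmp(tok, "dword") == 0 || strcmp(tok, "ptr") == 0) continue; /* size prefix */
        if (nops == 2) return -1;
        ops[nops++] = tok;
    }
    if (strcmp(op, "mov") == 0 && nops == 2)
        return read_operand(ops[1], &src) ? -1 : write_operand(ops[0], src);
    if (strcmp(op, "add") == 0 && nops == 2)
        return (read_operand(ops[0], &dst) || read_operand(ops[1], &src)) ? -1 : write_operand(ops[0], dst + src);
    if (strcmp(op, "inc") == 0 && nops == 1)
        return read_operand(ops[0], &dst) ? -1 : write_operand(ops[0], dst + 1);
    return -1;
}

int main(void)
{
    /* The slide 17 program: int b = 10; int a = 20; then its two instructions, plus an inc. */
    const char *program[] = { "mov eax, [b]", "add [a], eax", "inc eax" };
    machine_reset();
    declare_var("b", 10);
    declare_var("a", 20);
    for (size_t i = 0; i < sizeof program / sizeof program[0]; i++) {
        if (exec_insn(program[i]) != 0) { printf("bad instruction: %s\n", program[i]); return 1; }
        printf("%-14s  eax=%d  a=%d  b=%d\n", program[i], get_eax(), get_var("a"), get_var("b"));
    }
    return 0;
}
```

The model rejects what a real assembler would also reject (an immediate as destination, an undeclared symbol), which is useful when stepping through the slide 18 quiz by hand: every operand must resolve to either the register or a declared cell before the instruction has any effect.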
  19. Registers
     • Registers are small storage units, generally 32 or 64 bits wide
     • Registers are always accessed by name
     • Wrong data in a register is a common source of bugs
     • The r command displays the registers
  20. Registers Deep Dive
     • EAX = holds return values
     • EBX
     • ECX = holds the loop counter
     • EDX
     • EIP = points to the next instruction to be executed
     • ESP = stack pointer, points to the top of the stack
  21. Registers Deep Dive
     • EBP = base pointer / stack frame pointer
     • EBP will be set before the function is called
  22. Reading Memory
     • Variable types: local variables, global variables, strings, Unicode, arrays, constants
  23. Reading Memory
     • d – display memory
     • dd – display memory as DWORDs (32 bits)
     • dw – display memory as words (16 bits)
     • dt – display type
     • Example:
       dt nt!<function name>
       dt yourexe!<function name>
  24. Stacks
     • Program 1
     • function 1
     • function 2
     • Program 2
     • calling function 1 (assigns stack)
     • return (clears stack)
     • calling function 2
  25. Stacks Continued
     • Every thread has 2 stacks
     • User mode: 1 MB
     • Kernel mode: 12 KB
     • Whenever a function is called you see a return instruction
  26. Deep Dive Stacks
     • dd esp
       0012fe6c 004113e0 00000005 0000000a 0127f558
       0012fe7c 007dca76 7ffd8000 cccccccc cccccccc
     • 004113e0 = return address
     • 00000005 = argument 1
     • 0000000a = argument 2
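Slides 23 and 26 read memory with dd and annotate the words at esp as return address followed by arguments. As an added example (not from the slides, and not a WinDbg API), the code below parses the `dd` text format shown on slide 26, skipping the address column on each line, and then applies the slide's interpretation: with esp captured right after a call, [esp] is the return address and [esp+4], [esp+8] are the caller's first and second arguments. It also splits a DWORD into the two 16-bit halves `dw` would show, low word first because x86 is little-endian. The sample dump is the slide's own two lines, embedded as a constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the two lines of `dd esp` output shown on the slide. */
const char *kDdOutput =
    "0012fe6c 004113e0 00000005 0000000a 0127f558\n"
    "0012fe7c 007dca76 7ffd8000 cccccccc cccccccc\n";

/* Parse WinDbg `dd` output. Each line is "<address> <dword> <dword> ...": the
   first token is the address column and is skipped, the rest are hex DWORDs in
   display order. Stores at most max words and returns how many were stored. */
size_t parse_dd(const char *text, uint32_t *out, size_t max)
{
    size_t n = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strtok(line, " \t") != NULL) {           /* address column, discarded */
            char *tok;
            while ((tok = strtok(NULL, " \t")) != NULL) {
                if (n == max) return n;
                out[n++] = (uint32_t)strtoul(tok, NULL, 16);
            }
        }
        if (eol == NULL) break;
        p = eol + 1;
    }
    return n;
}

/* Number of DWORDs in the dump (the sample has two lines of four). */
size_t dd_count(const char *text) { uint32_t w[64]; return parse_dd(text, w, 64); }

/* The i-th DWORD in display order, or 0 when the dump is shorter than that. */
uint32_t dd_word(const char *text, size_t i)
{
    uint32_t w[64];
    size_t n = parse_dd(text, w, 64);
    return i < n ? w[i] : 0;
}

/* The slide's reading of the stack right after a call: [esp] is the return
   address, [esp+4] the first argument, [esp+8] the second (k = 1 is the first). */
uint32_t frame_return_address(const char *text) { return dd_word(text, 0); }
uint32_t frame_arg(const char *text, size_t k) { return k == 0 ? 0 : dd_word(text, k); }

/* The same DWORD as `dw` shows it: x86 stores the low word first. */
uint16_t low_word(uint32_t d)  { return (uint16_t)(d & 0xffffu); }
uint16_t high_word(uint32_t d) { return (uint16_t)(d >> 16); }

int main(void)
{
    uint32_t ret = frame_return_address(kDdOutput);
    printf("words parsed   = %zu\n", dd_count(kDdOutput));
    printf("return address = %08x\n", (unsigned)ret);
    printf("argument 1     = %08x\n", (unsigned)frame_arg(kDdOutput, 1));
    printf("argument 2     = %08x\n", (unsigned)frame_arg(kDdOutput, 2));
    printf("as dw          = %04x %04x\n", (unsigned)low_word(ret), (unsigned)high_word(ret));
    return 0;
}
```

The trailing cccccccc words are worth recognising when reading such dumps: 0xCC is the fill pattern that MSVC debug builds write into uninitialised stack, so those slots have not been used by the function yet.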
  27. Questions Please
