Download - Advanced Windows Debugging
![Page 1: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/1.jpg)
Advanced Windows Debugging
Mario HewardtSenior Development LeadMicrosoft Corporation
Daniel PravatSenior Development LeadMicrosoft Corporation
…and we approve this message
![Page 2: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/2.jpg)
Software Bugs Are EXPENSIVE
![Page 3: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/3.jpg)
A $60 billion problem “Software bugs, or errors, are so prevalent
and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually”
Users choose reliability over price Reliability problems are sticky
Why Debugging?We Need Reliable Software
![Page 4: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/4.jpg)
Agenda
10:15 – 11:30 Introduction to Debuggers
11:30 – 12:00 Managing Symbols/Sources
12:00 – 1:00 Lunch1:00 – 1:55 Resource Leaks2:00 - 3:00 Security3:15 - 3:45 Break3:45 - 4:40 Heap Corruptions4:45 - 5:15 Windows Error Reporting5:15 - 5:45 Managed Code Debugging
![Page 5: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/5.jpg)
Session Structure
Session breaks Q&A feedback loop
AWD PDC 2008 Feedback/Questions Focus is on user mode & native code
debugging Sessions emphasize pragmatism over
theory Advanced Windows Debugging book
coupons (AW Booth 517) Special guests
![Page 6: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/6.jpg)
Example of bugs repartition Open source code
Source: Coverity White Paper
![Page 7: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/7.jpg)
Introduction to the Debugging Tools with examples The basics about the Debugging Tools for
Windows How to set them up How to work with symbols and sources Basic commands available in the Debugging
Tools for Windows Several debugging scenarios How to use the Windows debuggers
remotely
![Page 8: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/8.jpg)
Debugging Tools for Windows
xcopy “installable” Always up to date Low memory footprint Extensible Windows experience build it Public version (search Windbg on the web) http://www.microsoft.com/whdc/devtools/debug
ging/default.mspx Public version update 2 times a year Used everywhere (including ARM devices) Inexpensive high quality tools
![Page 9: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/9.jpg)
User mode debuggers Cdb.exe Ntsd.exe Windbg.exe
Kernel mode debuggers Kd.exe Windbg.exe
Symbol indexing tools Source indexing tools Stand-alone tools (agestore, adplus, breakin,
dbgsrv, gflags, tlist, remote, etc. ) Samples
Package Content
![Page 10: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/10.jpg)
Debugger selection Live debugging vs. crash mode debugging User mode vs. kernel mode Start the UM application under the
debugger or attach to a running instance windbg.exe <app_to_start> windbg –p <PID> windbg –pn <exe_name> windbg –z <crash_dump>
Debugger interaction Multiple debuggers to the same target
Starting the Debugger
![Page 11: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/11.jpg)
Command mode vs. GUI User mode prompt can get us a head start The first step is getting the exception code Understand the environment Set the correct symbols Start from the current execution context Check the loaded module
Interacting with the Debugger
![Page 12: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/12.jpg)
Simple commands02sample.exe Daniel Pravat
demo
![Page 13: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/13.jpg)
Symbol types PDB information Setting the symbol path Checking the symbol loading process Using a symbol server (private vs. public) Using a symbol cache Maintaining the symbol cache
Symbol File & Module Information
![Page 14: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/14.jpg)
Setting the environment Setting the symbols Loading the symbols Loading the source files
Inspecting the target Immutable, read the information from kernel and from the
process space Last event Registers Memory Variables Stack Unassemble Process information Thread information Address information
Working with the Target
![Page 15: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/15.jpg)
Sample commands02sample.exe Daniel Pravat
demo
![Page 16: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/16.jpg)
Breakpoints Breakpoint types Breakpoint info Setting a breakpoint (code BP, processor BP) Conditional breakpoint
Controlling the target Execute Trace
Debugger events What are they? Useful events Controlling the events
Helper commands Math Errors Shell execute
Breakpoints, Events and Others
![Page 17: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/17.jpg)
Sample commands02sample.exe Daniel Pravat
demo
![Page 18: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/18.jpg)
Deadlock10deadlock.exe Daniel Pravat
demo
![Page 19: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/19.jpg)
cs_DB1cs_DB1
cs_DB2
Deadlock Scenario
cs_DB2
Thread 0
Thread 1
No progress = Deadlock
Acquisition order is reversedThe length may be different A,B,C = OKB,C = OKA,B = OKA,C = OKB,C,A = Deadlock
![Page 20: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/20.jpg)
What is it? When to use it? Remote debugging requirements Client command <debugger> –remote <protocol>:<protocol options>
Symbol resolution in remote debugging Source resolution Debug server Non-traditional use in image file execution
options.
Remote Debugging
![Page 21: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/21.jpg)
Offer debugging capabilities for remote labs Small bandwidths Allows testing with limited number of tools
installed
Remote Debugging
Test System
Test System
Test System
Test System
Test Systems
Remote client
SymbolsSources
Smart client
Sources
![Page 22: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/22.jpg)
Stack corruption05async.exe Daniel Pravat
demo
![Page 23: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/23.jpg)
Possible Explanation for Failure09async.exe
DisplayError calls Sleep
Return address is saved
Sleep calls SleepEx
Return address is saved
…
Return address is changed to X
Execution starts at X
There is another thread smashing the stack
How to catch this async operation?
What are the implications of this bug?
Can the execution be controlled? Can this execution be prevented? Welcome NX bit
![Page 24: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/24.jpg)
Tools are free, easy to find, easy to use Use every bit from the debugger target state to
understand the mechanics of the crash Build an hypothesis that can explain the current
problem Reproduce (mentally is fine) the current problem.
If you can’t, build another hypothesis. Find the root cause in the source file Debugging doesn’t stop at component boundary Use remote debugging when you need concurrent
access to the same target
Summary
![Page 25: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/25.jpg)
Questions
![Page 26: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/26.jpg)
Symbol server
Daniel Pravat
![Page 27: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/27.jpg)
Build a new
version
Extract public
symbols
Index symbols
Publish symbols
Use symbols
What is a symbol server? When in the best time to do it? What is the cost-benefit ratio?
Maintaining a Symbol Server
![Page 28: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/28.jpg)
Large store of symbol and binary files Files are organized based on unique
properties of each file: File name File type Time stamp Size of the image RSDS signature
The binary files can be stored on a different location
The files can be compressed
Symbol Server
![Page 29: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/29.jpg)
There is too much information in the symbol files
Small companies can manage the symbols Symbols are large ($.10/GB) We ship infrequently We have no bugs, we don’t debug We use tracing We ship often The code does not change, I can rebuild PDBs are added to the product
Common Misconceptions
![Page 30: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/30.jpg)
Indexing step by step Collecting all binary files in a single location Generate equivalent public symbol files Store them in the final location if not stored on
the symbol server Add both sets of files to their symbol servers
Tools required Pdbcopy.exe (Debugging Tools for Windows) Binplace.exe (WDK) Symstore.exe (Debugging Tools for Windows) Extending the build process (batch files)
Can be done
Building a Symbol Server
![Page 31: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/31.jpg)
Use them from a share (private symbols) Publish the symbols on a HTTP server
(public symbols) Publish them on a secure HTTP server
(private symbols) Purging intermediate build versions The most cost effective way of securely
providing the correct symbols Essential for library vendors
Using the Symbol Server
![Page 32: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/32.jpg)
A problem ~= a defect in the source file The source file should be at exact version Windbg.exe can use source server .srcpath srv*
Source Server
Build a new
version
Extract the source
file list
Store the information required to retrieve the file from SC
Publish symbols
Use the symbols
![Page 33: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/33.jpg)
It is a concept Private symbol PDBs contain the original
file location Source server is an alternate stream into
the private symbol PDBs Contains information to retrieve the source
file from the source revision control system Independent of the source revision control
system Works with: Perforce, Visual SourceSafe,
Team Foundation Server, Subversion
Source Server
![Page 34: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/34.jpg)
Source Server Information (VSS)
C:\>pdbstr –r –p:%_NT386TREE%\sym.pri\retail\exe\03sample.pdb –s:srcsrvSRCSRV: ini ------------------------VERSION=1INDEXVERSION=2VERCTRL=Visual Source SafeDATETIME=Mon Jan 8 00:04:15 2007SRCSRV: variables ---------------------SSDIR=C:\AWD\VSSSRCSRVENV=SSDIR=%AWD%VSSTRGDIR=%targ%\%var2%\%fnbksl%(%var3%)\%var4%VSS_EXTRACT_CMD=ss.exe get -GL”%vsstrgdir%” -GF- -I-Y -W “$/%var3%” -V”%var4%”VSS_EXTRACT_TARGET=%targ%\%var2%\%fnbksl%(%var3%)\%var4%\%fnfile%(%var1%)AWD=C:\AWD\VSSSRCSRVTRG=%VSS_extract_target%SRCSRVCMD=%VSS_extract_cmd%SRCSRV: source files --------------------c:\awd\chapter3\spydbg.cpp*AWD*chapter3/spydbg.cpp*VERSION1SRCSRV: end ------------------------
![Page 35: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/35.jpg)
Have customers, manage symbols Symbol server is cost effective One place to manage them all Allow private - publish separation Works with other tools (Process Monitor,
Profilers) Source server helps localize the bugs Can be integrated in most processes Request support from your toolset vendor
Summary
![Page 36: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/36.jpg)
Questions
![Page 37: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/37.jpg)
Resource Leaks
![Page 38: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/38.jpg)
What is a Resource?
Anything that occupies space in the system Simple right?
Resources come in many forms Handles Synchronization primitives Heap memory allocator Virtual memory allocator and many more…
Don’t let the abstraction fool you -- it all boils down to memory
The means by which a resource is acquired and released is key
![Page 39: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/39.jpg)
What is a Resource Leak?
Owning process acquires a resource but fails to release it hHandle = CreateEvent (…,…); QueryInterface(…,…, &pI); pMem=HeapAlloc(…,…);
Not confined within the boundaries of a process
It’s evil. Especially when not easily reproduced
![Page 40: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/40.jpg)
Why are resource leaks bad?
Resources are limited Someone else has to give
Availability goes down Performance degradation Just like any other bug, cost to fix is high
after release Drives the hardware market
![Page 41: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/41.jpg)
Top resource leaks misconceptions
Windows cleans it up so I don’t have to I’ll just recycle if it gets out of hand The code I was calling was supposed to
clean it up!
![Page 42: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/42.jpg)
Resource leaks symptoms
Quantity of a given resource keeps increasing over time Handle count goes up Virtual memory usage goes up Be wary of caching techniques
System becomes sluggish Sporadic failures Inability to start new applications Processes flat out dies
![Page 43: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/43.jpg)
Types of Resources
Handles Heap allocator Virtual memory allocator COM allocator and many more…
![Page 44: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/44.jpg)
Handles
User mode identifier of Windows object types File object Process object Thread object
Applications use the handle to interact with OS objects
Best viewed as an isolation layer between user mode code and the kernel
![Page 45: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/45.jpg)
Handle Architecture Overview
EPROCESS
Ref Count Obj Count Object1 1 <addr>1 1 <addr>3 1 <addr>
Event
WIN32 API
MutantHeader
Header
CreateEvent(…
…);
UserKernel
![Page 46: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/46.jpg)
Handle Code Example
HANDLE hFile=CreateFile( pWorkerData->pszFileName, FILE_READ_DATA,
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
// Use file handle
CloseHandle(hFile);
![Page 47: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/47.jpg)
Tools for Handle Tracking
Debugger extension command: !htrace Task Manager
Shows handle count Process Explorer shows handle count as
well as: Type of handle (file, mutant, section etc) Name of the handle Handle value Comes in handy when figuring out what type of
handle is being leaked http://technet.microsoft.com/en-us/
sysinternals/bb896653.aspx
![Page 48: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/48.jpg)
Resolution process
Leak?
Type ofresource
InitialAnalysis
Use tools
AvoidanceStrategy
DoneNo
![Page 49: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/49.jpg)
Basic Handle Leak
Mario Hewardt
Demo
![Page 50: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/50.jpg)
Inconsistent Handle Leak
Mario Hewardt
Demo
![Page 51: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/51.jpg)
Cross Process Handle Leak
Mario Hewardt
Demo
![Page 52: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/52.jpg)
Heap Memory
Most commonly used allocator for user mode applications
Uses the virtual memory manager Provides more manageable chunks of
memory than virtual memory manager Other allocators are built on top of heap
manager
![Page 53: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/53.jpg)
Windows Memory Architecture
Application
Virtual Memory Manager
Heap Manager
Default Process
Heap
C RuntimeHeap Other Heaps
![Page 54: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/54.jpg)
Heap Memory Code Example
BYTE* pMem=(BYTE*) HeapAlloc(GetProcessHeap(), 0, 100);
// Use memory
HeapFree(GetProcessHeap(), 0, pMem);
![Page 55: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/55.jpg)
Tools for Heap Memory Tracking
UMDH Tracks heap based memory Requires OS instrumentation to be enabled
(gflags) LeakDiag
Tracks different types of memory allocators: Heap allocator Virtual memory allocator COM allocator C runtime allocator
Uses Microsoft Detours library Debugger command: !heap
![Page 56: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/56.jpg)
Memory Leak using UMDH
Mario Hewardt
Demo
![Page 57: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/57.jpg)
Memory Leak using LeakDiag
Mario Hewardt
Demo
![Page 58: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/58.jpg)
Preemptive Strategies
Static source code analysis tools Prefast (available with WDK)
Always run with UMDH or LeakDiag At the very least during select milestones
Memory wrappers
![Page 59: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/59.jpg)
Questions
![Page 60: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/60.jpg)
DebuggingSecurity
![Page 61: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/61.jpg)
Agenda
The basics of Windows security Inspecting security elements
Debugging a distributed scenario Debugging a simple in process scenario Alternative way to debug it
![Page 62: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/62.jpg)
Past: Lack security Current generation: C2 compliant OS
(Starting with Windows 3.5 SP3) Most of the users in unmanaged
environment are administrators on the system
The security related problems are visible when running as a normal privilege user
UAC introduced in Windows Vista Vista and Windows Server 2008 uses
service accounts
Security is Important
![Page 63: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/63.jpg)
Complex systems are harder to debug The complexity must be understood The failure origin is often lost There are many layers participating Each layer can make a security check Upper layer sees generic errors
Complex System Use Security Mechanisms
Web client Web front-end Middle tier Database
back-end
![Page 64: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/64.jpg)
By probing the execution path Each component offers a probing point Most probing points are provided by the
operating system On the probing point we can identify
The principal making the operation Who has right for that operation If the execution path reaches that component
Empiric process Complexity reduction
Debugging Complex Systems
![Page 65: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/65.jpg)
Autorization model
AccessCheck Allowed Denied
![Page 66: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/66.jpg)
Authorization ComponentsThe User Identity (principal)
The equivalent of a passport There is a 3rd trusted issuer Contains user membership and other claims It is a secure container, its content cannot
be falsified It is used for all operations performed
against a protected object Each process started on the system
operates on behalf of the user !token can decipher the user token
![Page 67: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/67.jpg)
Displaying an access token
0:000> !token 7bc -nTS Session ID: 0User: S-1-5-21-1060284298-2111687655-1957994488-1003 (User: XP-SP2\TestAdmin)Groups:00 S-1-5-21-1060284298-2111687655-1957994488-513 (Group: XP-SP2\None)Attributes - Mandatory Default Enabled01 S-1-1-0 (Well Known Group: localhost\Everyone)Attributes - Mandatory Default Enabled02 S-1-5-32-544 (Alias: BUILTIN\Administrators)Attributes - Mandatory Default Enabled Owner03 S-1-5-32-545 (Alias: BUILTIN\Users)Attributes - Mandatory Default Enabled04 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)Attributes - Mandatory Default Enabled05 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)Attributes - Mandatory Default Enabled06 S-1-5-5-0-35778 (no name mapped)Attributes - Mandatory Default Enabled LogonId07 S-1-2-0 (Well Known Group: localhost\LOCAL)Attributes - Mandatory Default EnabledPrimary Group: S-1-5-21-1060284298-2111687655-1957994488-513 (Group: XP-SP2\None)Privs:00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default01 0x000000008 SeSecurityPrivilege Attributes -...17 0x000000009 SeTakeOwnershipPrivilege Attributes -18 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default19 0x00000001d SeImpersonatePrivilege Attributes - Enabled DefaultAuth ID: 0:1c3a8Impersonation Level: IdentificationTokenType: Impersonation
![Page 68: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/68.jpg)
The equivalent of border regulation Many objects, many rules A collection of rights allowed to different
identities Each object has a security descriptor that
can allow or deny access to the object Granted access cannot be taken away DACLs are not accessible to the user of the
object !dacl, !sid, !acl extension can by used in
debugger
Authorization ComponentsThe Discretionary Access Control List (DACL)
![Page 69: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/69.jpg)
Displaying ACLs
0:000> !acl 000840acACL is:ACL is: ->AclRevision: 0x2ACL is: ->Sbz1 : 0x0ACL is: ->AclSize : 0x1cACL is: ->AceCount : 0x1ACL is: ->Sbz2 : 0x0ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPEACL is: ->Ace[0]: ->AceFlags: 0x0ACL is: ->Ace[0]: ->AceSize: 0x14ACL is: ->Ace[0]: ->Mask : 0x00120089ACL is: ->Ace[0]: ->SID: S-1-1-0
![Page 70: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/70.jpg)
Displaying Security Descriptors
kd> !sd 00084098->Revision: 0x1->Sbz1 : 0x0->Control : 0x8004SE_DACL_PRESENTSE_SELF_RELATIVE->Owner : S-1-5-18->Group : S-1-5-32-544->Dacl :->Dacl : ->AclRevision: 0x2->Dacl : ->Sbz1 : 0x0->Dacl : ->AclSize : 0x1c->Dacl : ->AceCount : 0x1->Dacl : ->Sbz2 : 0x0->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE->Dacl : ->Ace[0]: ->AceFlags: 0x0->Dacl : ->Ace[0]: ->AceSize: 0x14->Dacl : ->Ace[0]: ->Mask : 0x00120089->Dacl : ->Ace[0]: ->SID: S-1-1-0->Sacl : is NULL
![Page 71: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/71.jpg)
The equivalent of border policeEnforces the DACLs accessCan be a custom SRM
Implemented as a different process DACL information is protected The resources must be protected Example: DCOM
Lives in a different security boundaryDemo
Authorization ComponentsThe Security Reference Monitor (SRM)
![Page 72: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/72.jpg)
!token wmiprvse.exe Daniel Pravat
demo
![Page 73: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/73.jpg)
DCOM Example
void MTAClientCall(){ COSERVERINFO si;
MULTI_QI mqi; ... if (SUCCEEDED(CoCreateInstanceEx( CLSID_Calculator, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER, &si, 1, &mqi ))) { ICalculator * pCalculator = NULL; pCalculator = (ICalculator*)mqi.pItf; __int32 result = 0; wprintf(L"Calling SumSlow ..."); pCalculator->SumSlow(1,2, &result); pCalculator->Release(); wprintf(L"done\n"); }}
![Page 74: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/74.jpg)
DCOM CoCreateInstance complexity
Not all connections are shown Each box has IPC code Each box performs security validation The client cannot identify the failing
operation
Remote client
RPCSS Server
DCOM server
DCOM LaunchHOST OS SCM
DCOM client
![Page 75: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/75.jpg)
08cli.exe
Daniel Pravat
demo
![Page 76: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/76.jpg)
Summary
Security, usability or both? Security can be a differentiator Secure by default in the new wave Enable security after understanding it Requires good knowledge of the underlying
components and the ability to step into such systems
Debugging by probing The landscape changes, be prepared!
![Page 77: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/77.jpg)
Questions
![Page 78: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/78.jpg)
Heap Corruptions
![Page 79: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/79.jpg)
What is a Heap Corruption?
Violate the integrity of memory allocated on the heap Stray pointers Overruns Underruns Over-deletion Re-use after deletion Many others
Arguably one of the toughest categories of problems to debug
![Page 80: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/80.jpg)
Common Misconceptions
Top most frame not in my code!000bfdf4 7781f676 ntdll!RtlpCoalesceFreeBlocks+0x4f0
000bfeec 7781f285 ntdll!RtlpFreeHeap+0x1e2
000bff08 75f93593 ntdll!RtlFreeHeap+0x14e
000bff1c 010012cc kernel32!HeapFree+0x14
000bff38 01001302 06overrun+0x12cc
000bff44 0100147c 06overrun+0x1302
000bff88 75f9e3f3 06overrun+0x147c
…
…
…
![Page 81: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/81.jpg)
Common Misconceptions (cont)
My code is not on the stack period! It must be a hardware problem! I use my own heap, cant possibly corrupt
someone elses’ heap Window of opportunity is too small. It will
never happen
![Page 82: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/82.jpg)
Heap Corruption Symptoms
Wide range of strange behavior can be exhibited
Application crashes Application hangs Application exhibits “undesirable” behavior. If you are lucky, symptom close to source More commonly, symptom far from source
![Page 83: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/83.jpg)
Windows Memory Architecture
Application
Virtual Memory Manager
Heap Manager
Default Process
Heap
C RuntimeHeap Other Heaps
![Page 84: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/84.jpg)
Heap Manager: Frontend Allocator
Look aside Table
0
1
2
3
…
127
Unused
16
24
32
…1024
![Page 85: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/85.jpg)
Heap Manager: Backend Allocator
0
1
2
3
…
127
Variable Size
unused
16
24
…1016
Free Lists12
X…
Segment List
![Page 86: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/86.jpg)
Heap Segments
Or where does the memory come from? One ore more chunks of virtual memory Each segment contains heap blocks Structural integrity maintained by the heap
manager Represented by _HEAP_SEGMENT New segments created as needed
![Page 87: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/87.jpg)
Heap Segment Structure
Busy Block Busy Block Uncommitted rangeFree Block
![Page 88: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/88.jpg)
Heap Blocks
Basic allocation unit Contained within segment Contains allocation metadata
Allows heap manager to effectively manage the memory
Can contain debug info depending on what instrumentation is enabled
![Page 89: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/89.jpg)
Heap Block Structure
Current Size
Previous Size
SegIndex Flags Unused Tag
Index
Pre-allocation Metadata Post-allocation Metadata
User accessible part
Pre-allocation Metadata
Suffix Bytes
Fill Area(debug)
Heap Extra
Post-allocation Metadata
User accessible part
User accessible part
![Page 90: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/90.jpg)
Heap Coalescing
A mechanism to avoid fragmentation Avoids memory failures when not enough
contiguous memory is available Merges adjacent free blocks into large block Imagine freeing an allocation of size 32
Allocation Size: 32Allocation Size: 16 Allocation Size: 16
Allocation Size: 64
![Page 91: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/91.jpg)
Tools for Debugging Heap Corruptions
Goal is to break when the corruption occurs and not after
Pageheap helps with that goal Annotates heap blocks to trigger fault at the
time of write Light pageheap uses fill patterns Full pageheap uses fill patterns and guard
pages Very memory intensive
![Page 92: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/92.jpg)
Heap Overrun
Mario Hewardt
Demo
![Page 93: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/93.jpg)
Reuse after Deletion
Mario Hewardt
Demo
![Page 94: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/94.jpg)
Heap Handle Mismatch
Mario Hewardt
Demo
![Page 95: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/95.jpg)
Questions
![Page 96: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/96.jpg)
Windows Error Reporting
![Page 97: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/97.jpg)
Windows Error Reporting (WER)
Allows you to track the health of your applications in the wild
Failure data aggregation service provided by Microsoft
Signup is easy and free Certificate required for verification purposes VeriSign organizational Certificate
https://winqual.microsoft.com/
![Page 98: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/98.jpg)
WER Functionality
Allows ISVs to Manage applications to be monitored Query for application fault data Retrieve extensive application fault data Provide a feedback loop for customers Also allows hardware fault monitoring
![Page 99: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/99.jpg)
Application Fault Data
Downloaded as CAB files Each CAB file contains fault data
Perhaps most important is the dump file ISV’s can customize the type of dump file to
collect ISV’s can customize additional data to
collect Additional data files can be collected Extensive machine information
![Page 100: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/100.jpg)
WER Architecture
Error SentDr.
WatsonProcessCrash
Crash data over HTTPS
Fault response over HTTPS
Windows Error Reporting Service
ISV
Query Fault Data
![Page 101: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/101.jpg)
Windows Error Reporting
Mario Hewardt
Demo
![Page 102: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/102.jpg)
Programmatic Access to WER
WER exposed as a set of Web Services Open source project on codeplex
http://www.codeplex.com/wer/ Initial projects include
Client DLL Sample web service interaction Gadget to track events
Develop customized WER applications for you company
![Page 103: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/103.jpg)
WER Summary
Great way to gauge the health of your application
Its free! Extensive fault data collection policies Provides the ability to close the feedback
loop with customers
![Page 104: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/104.jpg)
Questions
![Page 105: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/105.jpg)
Managed code supportDaniel Pravat
![Page 106: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/106.jpg)
Minimal support through the sos.dll debugger extension Shipped with each framework version Easy to find it Well documented
Minimal integration with the debugger The integration point may increase in time No good understanding of the market What does not work
Variable/type dump Breakpoints
Managed Code Support in Debugging Tools for Windows
![Page 107: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/107.jpg)
Crash mode Over-stressed systems
Other tools may not work Mixing with native components No sources available Debugging dump files Debugging interop (Pinvoke) layers Debugging on customer site Debugging retail code Need to use tools designed for native code Kernel mode redirection Nothing else works
When to Use Debugging Tools for Windows
![Page 108: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/108.jpg)
During code development Tracing the code 100% managed code Need frequent variable inspection Need frequent references to the source files Debugging partial dumps Kernel mode debugging
SOS needs access to the entire address space Some pages are paged out
When Not to Use Debugging Tools for Windows
![Page 109: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/109.jpg)
Sample Code
Main(){... int operationCount = 0; for (; ; ) { operationCount++; HostInfo hi = HostInfo.GetDefault(hostAddress, userName, password); IWSManSession session = GetSession(hi); string response = session.Get("wmicimv2/Win32_OperatingSystem", 0); Console.Write("\rNumber of calls: " + operationCount); }...}
![Page 110: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/110.jpg)
Sample code (cont.)
static public IWSManSession GetSession(HostInfo hi) { IWSManSession session = null; // Get a cached session string key = hi.GetKey(); if (!sessionCache.TryGetValue(key, out session)) { session = CreateSession(hi); sessionCache[key] = session; } return session; }
![Page 111: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/111.jpg)
Monitor.exe
Daniel Pravat
demo
![Page 112: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/112.jpg)
Summary
Managed code applications are partially native
Use the best tools for the job Sometime the best tools were designed for
native processes The knowledge is portable to the managed
world Working knowledge of CLR internals
![Page 113: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/113.jpg)
Additional Support in Debugging Tools for Windows
Increased CLR presence Reliability focus Now we have minimal integration
JIT compilation Requires information from the process, not
from PDBs Future (wish list)
Each operation intercepted by CLR support All commands work (dv works!) Seamless transition from native to managed
![Page 114: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/114.jpg)
Everyone loves reliable applications Be aware of magic The code is just that, code Be curious and adventurous, explore new
areas Patience is key Use the tools extensively THANK YOU !
Summary
![Page 115: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/115.jpg)
Books: Advanced Windows Debugging
by Mario Hewardt, Daniel PravatAddison-Wesley Professional (November 8, 2007)Free chapter on book’s site
Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition, by Mark E. Russinovich and David A. Solomon
Windows via C/C++ by Jeffrey M. Richter; Christophe Nasarre Microsoft Press; 5th edition (December 12, 2007)
Blogs: Microsoft Advanced Windows Debugging and Troubleshooting Crash Dump Analysis If broken it is, fix it you should
Usenet Microsoft.public.windbg
Refferences
![Page 116: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/116.jpg)
TL59 – VS Debugger Tips and Tricks Driving for software quality through
customer feedback (web exclusive) Windows Fundamentals Kiosk Addison Wesley Kiosk
Don’t Miss
![Page 117: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/117.jpg)
Questions
![Page 118: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/118.jpg)
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
![Page 119: Advanced Windows Debugging](https://reader038.vdocuments.net/reader038/viewer/2022102613/549a09e7b479590a4a8b460c/html5/thumbnails/119.jpg)