driver debugging basics
Driver Debugging Basics
Khalil Nassar, Senior Systems Engineer, Microsoft Corporation
Agenda
Debug 01100101 (Debug 101)
x64 versus x86 Differences
Essential Command Reference
Windows Vista and Windows Server code name "Longhorn" Architectural Changes
Debugging Techniques
Top 10 Questions
Debug 01100101
What is a debugger
State
Debugger view
Breakpoints and scripts
Debug 01100101
What is a debugger?
Debug 01100101
State
Virtual memory
Process List -> Directory Base List -> VM -> Thread List -> Reg Context
Debug 01100101
State
Interrupts
Timeslice/Dispatch
Manipulating Debugger View
demo
Debug 01100101
Manipulating Debugger View
.process
.cxr, .trap
.thread
.frame
Debug 01100101
Breakpoints and Scripts
Pseudo registers
Aliases
Debug 01100101
Useful Pseudo Registers
$teb, $peb, $p, $ea, $proc, $thread, $tid, $tpid, $mod, $base, $addr, $imagename
$ea2 – for instructions that have 2 effective addresses
$callret
$dbgtime – debugger's current time
$scopeip – returns the instruction pointer for the currently set scope
$bp – last hit breakpoint
Debug 01100101
$bphit – user ID of the breakpoint just hit
$frame – current frame number
$! – prefixing a symbol with $! causes only the current scope to be searched
$exentry – address of the entry point for the first executable of the current process
$t0 - $t9 – actual pseudo registers used for temporary values
Debug 01100101
$ip – The current instruction pointer
$eventip - The IP at the time of the current event. This can be different from $ip if you switch threads or manually change the IP register
$previp - The $eventip value from the last event. The last event for a user means the last prompt. If there wasn't a last event it'll be an error
$relip - Any related IP value for the current event. When you are branch tracing it'll be the branch source, otherwise it'll be an error.
$retreg – primary return value register: eax (x86), ret0 (ia64), rax (x64)
$CurrentDumpPath
Debug 01100101
Debugger Aliases (the fixed-name module aliases that !for_each_module defines for each module it iterates)
@#ModuleName           string
@#ImageName            string
@#LoadedImageName      string
@#SymbolFileName       string
@#MappedImageName      string
@#Base                 ULONG64
@#Size                 ULONG
@#TimeDateStamp        ULONG
@#Checksum             ULONG
@#Flags                ULONG
@#SymbolType           USHORT
@#ImageNameSize        ULONG
@#ModuleNameSize       ULONG
@#LoadedImageNameSize  ULONG
@#SymbolFileNameSize   ULONG
@#MappedImageNameSize  ULONG
Debug 01100101
Useful Breakpoints
Self clearing call returning –
bp func "bp /1 @$ra \"r $retreg\";g"
Set a bp on a yet to be defined module –
bu /1 wmain "ba w4 g_Var \"j ( @@(g_Var==%1) ) '.echo broken because g_Var is %1'; 'gc' \";g"
bu notepad!winmain ".printf \"notepad!winmain entered with hInstance = %p\\n\", poi(hInstance);g"
Debug 01100101
Script Examples
Search for kernel trap frames. Demonstrates arbitrary processing on each hit. The two 0x23 dwords being searched for are the SegEs and SegDs fields of the x86 nt!_KTRAP_FRAME (the user-mode data selector, which the kernel keeps loaded in DS/ES as well); SegEs sits at offset 0x34 = 0n52, so subtracting 0n52 from each hit gives the frame base that .trap expects.
.foreach ($addr { s -[1]d 80000000 L?7fffffff 23 23 }) { ? $addr ; .trap $addr - 0n52 ; kv }
!vm
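What that one-liner does, spelled out as an added C example (this is not code from the deck): the search looks for two adjacent 0x23 dwords, the SegEs/SegDs pair of the 32-bit nt!_KTRAP_FRAME, and rebases each hit by 0n52 to the frame start. The scan below applies the same heuristic to a constructed 4 KiB sample page (not a real capture) and then adds the plausibility check a human does while reading kv: CS must be the kernel (0x08) or user (0x1b) code selector, and for a same-privilege trap the CPU pushed no ESP/SS, so the interrupted ESP is the address of the HardwareEsp slot rather than its contents. The selector values are the standard x86 Windows GDT selectors; the 2 GB user/kernel split (no /3GB), the sample addresses and the decoy placement are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading part of the 32-bit nt!_KTRAP_FRAME at the offsets `dt nt!_KTRAP_FRAME`
 * shows on x86; the V86 segment slots that follow are not needed for the search. */
typedef struct {
    uint32_t DbgEbp, DbgEip, DbgArgMark, DbgArgPointer;  /* 0x00 */
    uint32_t TempSegCs, TempEsp;                         /* 0x10 */
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;               /* 0x18 */
    uint32_t SegGs, SegEs, SegDs;                        /* 0x30, 0x34 (= 0n52), 0x38 */
    uint32_t Edx, Ecx, Eax;                              /* 0x3c */
    uint32_t PreviousPreviousMode, ExceptionList, SegFs; /* 0x48 */
    uint32_t Edi, Esi, Ebx, Ebp;                         /* 0x54 */
    uint32_t ErrCode, Eip, SegCs, EFlags;                /* 0x64 */
    uint32_t HardwareEsp, HardwareSegSs;                 /* 0x74: pushed by the CPU only on a user->kernel trap */
} X86_KTRAP_FRAME;
typedef char seges_must_be_at_52[offsetof(X86_KTRAP_FRAME, SegEs) == 52 ? 1 : -1];

#define KGDT_R0_CODE      0x08  /* kernel CS */
#define KGDT_R3_CODE_RPL3 0x1b  /* user CS */
#define KGDT_R3_DATA_RPL3 0x23  /* DS/ES/SS: the value the s command hunts for twice */
#define KGDT_R0_PCR       0x30
#define KGDT_R3_TEB_RPL3  0x3b
#define MM_USER_LIMIT     0x80000000u  /* assumption: default 2 GB split, no /3GB */

typedef struct {
    uint32_t frame_va;  /* what you would hand to .trap */
    uint32_t eip, esp;
    char     mode;      /* 'u' = trapped from user mode, 'k' = trapped from kernel mode */
} trap_hit;

/* Do what `s -[1]d <range> 23 23` plus `.trap <hit> - 0n52` do over a captured
 * stack region (mem, len bytes, first byte at base_va), then apply the sanity
 * checks a human applies when reading kv. Returns the number of plausible frames;
 * the first max_out of them are written to out. */
size_t find_trap_frames(const uint8_t *mem, size_t len, uint32_t base_va,
                        trap_hit *out, size_t max_out)
{
    const size_t es_off = offsetof(X86_KTRAP_FRAME, SegEs);
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 4) {
        uint32_t a, b;
        memcpy(&a, mem + off, 4);
        memcpy(&b, mem + off + 4, 4);
        if (a != KGDT_R3_DATA_RPL3 || b != KGDT_R3_DATA_RPL3) continue;
        /* the hit is SegEs; the frame starts 0n52 bytes earlier and must fit */
        if (off < es_off || off - es_off + sizeof(X86_KTRAP_FRAME) > len) continue;

        size_t frame_off = off - es_off;
        X86_KTRAP_FRAME f;
        memcpy(&f, mem + frame_off, sizeof f);
        trap_hit h = { base_va + (uint32_t)frame_off, f.Eip, 0, 0 };

        if (f.SegCs == KGDT_R3_CODE_RPL3 && f.HardwareSegSs == KGDT_R3_DATA_RPL3 && f.Eip < MM_USER_LIMIT) {
            h.mode = 'u';
            h.esp = f.HardwareEsp;
        } else if (f.SegCs == KGDT_R0_CODE && f.Eip >= MM_USER_LIMIT) {
            /* Same-privilege trap: no stack switch, so ESP/SS were never pushed and
             * the interrupted ESP is the address of the HardwareEsp slot itself. */
            h.mode = 'k';
            h.esp = h.frame_va + (uint32_t)offsetof(X86_KTRAP_FRAME, HardwareEsp);
        } else {
            continue;  /* two 0x23 dwords that are not a trap frame (saved selectors, a CONTEXT, ...) */
        }
        if (n < max_out) out[n] = h;
        n++;
    }
    return n;
}

#define SAMPLE_VA  0xf8a1c000u  /* constructed: pretend this is a kernel stack page */
#define SAMPLE_LEN 4096

/* Constructed sample page, not a capture: a decoy 0x23,0x23 pair too close to the
 * start to be a frame, a kernel-mode frame at 0x400 and a user-mode frame at 0x800. */
void build_sample_page(uint8_t *mem)
{
    uint32_t sel = KGDT_R3_DATA_RPL3;
    memset(mem, 0, SAMPLE_LEN);
    memcpy(mem + 0x10, &sel, 4);
    memcpy(mem + 0x14, &sel, 4);

    X86_KTRAP_FRAME k = {0};   /* interrupt taken while running kernel code */
    k.SegEs = k.SegDs = KGDT_R3_DATA_RPL3; k.SegFs = KGDT_R0_PCR;
    k.Eip = 0x80541c3fu; k.SegCs = KGDT_R0_CODE; k.EFlags = 0x282;
    memcpy(mem + 0x400, &k, sizeof k);

    X86_KTRAP_FRAME u = {0};   /* system call or fault taken in user mode */
    u.SegEs = u.SegDs = KGDT_R3_DATA_RPL3; u.SegFs = KGDT_R3_TEB_RPL3;
    u.Eip = 0x7c90e4f4u; u.SegCs = KGDT_R3_CODE_RPL3; u.EFlags = 0x246;
    u.HardwareEsp = 0x0012f9c8u; u.HardwareSegSs = KGDT_R3_DATA_RPL3;
    memcpy(mem + 0x800, &u, sizeof u);
}

int main(void)
{
    uint8_t page[SAMPLE_LEN];
    trap_hit hits[8];
    build_sample_page(page);
    size_t n = find_trap_frames(page, SAMPLE_LEN, SAMPLE_VA, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf(".trap %08x  %c-mode  eip=%08x esp=%08x\n",
               hits[i].frame_va, hits[i].mode, hits[i].eip, hits[i].esp);
    return 0;
}
```

On the sample page the decoy at 0x10 is dropped because a frame starting 0n52 before it would lie outside the page; the two real frames survive, with the kernel-mode one reporting ESP as the slot address. On a live target the same classification is what lets you skip the false positives the raw .foreach prints.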
Debug 01100101
Script Examples continued
Display full callstack for all threads
r? $t0 = &nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
.process /p /r $t2
!process $t2 7
}
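The same walk in C, as an added example rather than the deck's own code: CONTAINING_RECORD backs up from the embedded LIST_ENTRY to the start of the enclosing record, and the loop stops on a NULL link or on returning to the head, exactly as the .for condition above does. The TOY_EPROCESS layout, the list contents and the process IDs are constructed for the example; the third record is unlinked the way a DKOM rootkit hides a process, which is why a walk from nt!PsActiveProcessHead (this script, !process 0 0) should be cross-checked against a scan of the pool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* What the script spells #CONTAINING_RECORD: from the embedded link back to the record. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Toy stand-in for nt!_EPROCESS (constructed; real layouts differ per build).
 * ActiveProcessLinks is deliberately not the first field, so a plain cast of the
 * list pointer would land in the middle of the wrong structure. */
typedef struct _TOY_EPROCESS {
    uint32_t   UniqueProcessId;
    char       ImageFileName[16];
    uint32_t   Reserved[6];
    LIST_ENTRY ActiveProcessLinks;
} TOY_EPROCESS;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink;
    h->Blink->Flink = e; h->Blink = e;
}
/* Unlink the way a DKOM rootkit does: the neighbours skip the entry, but the entry
 * keeps its own pointers, so the hidden record still looks sane if you land on it. */
static void UnlinkQuietly(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* The slide's .for loop in C: start at head->Flink, stop on a NULL link (truncated
 * or corrupt list) or when the walk returns to the head. The cap protects a scripted
 * walk against a cycle that bypasses the head. Returns the number of records seen. */
size_t walk_active_processes(LIST_ENTRY *head, uint32_t *pids, size_t max_out, size_t cap)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != NULL && e != head; e = e->Flink) {
        TOY_EPROCESS *p = CONTAINING_RECORD(e, TOY_EPROCESS, ActiveProcessLinks);
        if (n < max_out) pids[n] = p->UniqueProcessId;
        if (++n >= cap) break;
    }
    return n;
}

/* Constructed process pool: four records, the third one unlinked from the list. */
static TOY_EPROCESS g_pool[4];
static LIST_ENTRY   g_head;   /* plays the role of nt!PsActiveProcessHead */

LIST_ENTRY *sample_process_list(void)
{
    static const struct { uint32_t pid; const char *name; } seed[4] = {
        {4, "System"}, {628, "smss.exe"}, {1234, "hidden.exe"}, {2000, "explorer.exe"}
    };
    InitializeListHead(&g_head);
    for (size_t i = 0; i < 4; i++) {
        memset(&g_pool[i], 0, sizeof g_pool[i]);
        g_pool[i].UniqueProcessId = seed[i].pid;
        strncpy(g_pool[i].ImageFileName, seed[i].name, sizeof g_pool[i].ImageFileName - 1);
        InsertTailList(&g_head, &g_pool[i].ActiveProcessLinks);
    }
    UnlinkQuietly(&g_pool[2].ActiveProcessLinks);
    return &g_head;
}

/* Pool-scan stand-in: visit every record regardless of its links. On a real target
 * this is !poolfind/!pool over the process pool tag; here it is just the array. */
size_t count_by_pool_scan(uint32_t *pids, size_t max_out)
{
    for (size_t i = 0; i < 4 && i < max_out; i++) pids[i] = g_pool[i].UniqueProcessId;
    return 4;
}

int main(void)
{
    uint32_t pids[8];
    size_t n = walk_active_processes(sample_process_list(), pids, 8, 64);
    printf("list walk sees %zu processes:", n);
    for (size_t i = 0; i < n; i++) printf(" %u", pids[i]);
    printf("\npool scan sees %zu\n", count_by_pool_scan(pids, 8));
    return 0;
}
```

The walk reports three processes while the pool holds four. The `e != NULL` test is the `@$t1 != 0` half of the script's condition and the `e != head` test is the `@$t1 != @$t0` half; the extra cap has no WinDbg equivalent in the slide and is only there so a corrupted cycle cannot hang the walk.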
x64 And x86 Differences
Architectural Issues
Debugging Relevant Issues
x64 And x86 Differences
Architectural
Registers
Exception handling
Stack walking
x64 And x86 Differences
Debugging Relevant
Debug 32-bit processes with the 32-bit debugger
UMDH issues with x64
From the debugger – access CPU registers with @
Issues encountered building the Keyboard filter driver for x64
Virtual memory translation
Practice inspection with quad words (dq)
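Virtual memory translation by hand, as an added C example that is not part of the deck: the address split that !pte performs for x86 without PAE, x86 with PAE and x64, plus the canonical-address check x64 imposes. The self-map bases (0xC0000000/0xC0300000 on non-PAE x86, 0xC0000000/0xC0600000 on PAE x86, 0xFFFFF68000000000 on x64) are the fixed values of the Vista and Windows 7 era this deck targets; on x64 they have been randomised since Windows 10 1607, so treat them as an assumption about the target. The sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x64: four 9-bit table indexes and a 12-bit page offset out of a 48-bit address. */
typedef struct { unsigned pxe, ppe, pde, pte, offset; bool canonical; } va64_parts;
/* x86 without PAE: 10-bit PDE index, 10-bit PTE index, 12-bit offset. */
typedef struct { unsigned pde, pte, offset; } va32_parts;
/* x86 PAE: 2-bit PDPT index, 9-bit PDE index, 9-bit PTE index, 12-bit offset. */
typedef struct { unsigned pdpt, pde, pte, offset; } va32pae_parts;

va64_parts split_va_x64(uint64_t va)
{
    va64_parts p;
    p.pxe    = (unsigned)((va >> 39) & 0x1ff);  /* PML4 index, what !pte calls the PXE */
    p.ppe    = (unsigned)((va >> 30) & 0x1ff);  /* PDPT index, the PPE */
    p.pde    = (unsigned)((va >> 21) & 0x1ff);
    p.pte    = (unsigned)((va >> 12) & 0x1ff);
    p.offset = (unsigned)(va & 0xfff);
    /* Canonical form: bits 63:47 all equal bit 47. Anything else raises #GP, not a page fault. */
    uint64_t top = va >> 47;
    p.canonical = (top == 0 || top == 0x1ffff);
    return p;
}

va32_parts split_va_x86(uint32_t va)
{
    va32_parts p = { va >> 22, (va >> 12) & 0x3ff, va & 0xfff };
    return p;
}

va32pae_parts split_va_x86_pae(uint32_t va)
{
    va32pae_parts p = { va >> 30, (va >> 21) & 0x1ff, (va >> 12) & 0x1ff, va & 0xfff };
    return p;
}

/* Self-map bases (assumption: the fixed pre-1607 layout). The results are the
 * addresses !pte prints, which you can then read yourself with dq (x64 and PAE,
 * 8-byte entries) or dd (non-PAE x86, 4-byte entries). */
#define X64_PTE_BASE     0xFFFFF68000000000ull
#define X64_PDE_BASE     0xFFFFF6FB40000000ull
#define X86_PTE_BASE     0xC0000000u
#define X86_PDE_BASE     0xC0300000u   /* non-PAE */
#define X86_PAE_PDE_BASE 0xC0600000u

uint64_t pte_va_x64(uint64_t va)     { return X64_PTE_BASE + ((va >> 9) & 0x7FFFFFFFF8ull); }
uint64_t pde_va_x64(uint64_t va)     { return X64_PDE_BASE + ((va >> 18) & 0x3FFFFFF8ull); }
uint32_t pte_va_x86(uint32_t va)     { return X86_PTE_BASE + (va >> 12) * 4; }
uint32_t pde_va_x86(uint32_t va)     { return X86_PDE_BASE + (va >> 22) * 4; }
uint32_t pte_va_x86_pae(uint32_t va) { return X86_PTE_BASE + (va >> 12) * 8; }
uint32_t pde_va_x86_pae(uint32_t va) { return X86_PAE_PDE_BASE + (va >> 21) * 8; }

int main(void)
{
    uint64_t va64 = 0xFFFFF80001234567ull;   /* constructed x64 kernel-range address */
    uint32_t va32 = 0x80541c3fu;             /* constructed x86 kernel address */
    va64_parts p = split_va_x64(va64);
    printf("x64 %016llx: pxe=%x ppe=%x pde=%x pte=%x off=%x canonical=%d\n",
           (unsigned long long)va64, p.pxe, p.ppe, p.pde, p.pte, p.offset, p.canonical);
    printf("  PTE at %016llx, PDE at %016llx\n",
           (unsigned long long)pte_va_x64(va64), (unsigned long long)pde_va_x64(va64));
    va32_parts q = split_va_x86(va32);
    printf("x86 %08x: pde=%x pte=%x off=%x  PDE at %08x, PTE at %08x\n",
           va32, q.pde, q.pte, q.offset, pde_va_x86(va32), pte_va_x86(va32));
    va32pae_parts r = split_va_x86_pae(va32);
    printf("PAE %08x: pdpt=%x pde=%x pte=%x off=%x  PDE at %08x, PTE at %08x\n",
           va32, r.pdpt, r.pde, r.pte, r.offset, pde_va_x86_pae(va32), pte_va_x86_pae(va32));
    return 0;
}
```

The same address decomposes differently under each mode, which is the first thing to get right before reading a page-table entry with dq: a PAE or x64 entry is eight bytes and the index widths are nine bits, while a non-PAE x86 entry is four bytes with ten-bit indexes.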
x64 And x86 Differences
Trap Frames
Nonvolatile registers (rbx, rsi, rdi, etc.) are not saved in the x64 trap frame, for performance reasons; this is why .trap on x64 warns that the frame does not contain all registers and that some values may be zeroed or incorrect.
They must be dug out of the callee stacks: each callee that uses a nonvolatile register saves it in its own frame, and the unwind data for that function (.fnent, and what kv walks) tells you where that saved copy lives.
Essential Commands
Debugger Setup
.sympath, .srcpath, .lsrcpath, .lines
.reload, lml
!sym noisy
.enable_unicode 1
x
Essential Commands - 2
Virtual Memory
!pool, !poolused, !poolval, !poolfind
!vm
!vprot, !address
Essential Commands - 3
System Wide
!locks, !irpfind -v
!pcr, !idt
!object, !drvobj, !devstack
!cpuid
Essential Commands - 4
Relative To Current Thread
!peb, !teb
!handle
!thread
.cxr, .trap
.exr -1
Essential Commands - 5
Relative To Current Process
!process, !pcr
Essential Commands - 6
Error Analysis
!analyze -v, !verifier, !avrf
!error, !errorlog, !gle
.exr -1, .eventlog, .lastevent
Essential Commands - 7
Data Analysis
dv, dt, ?, ??
k (kp, kP, kv, kn)
r (rMff)
.formats
d (dc, du, dq, dl, dds, dqs)
!du, ub, uf
Essential Commands - 8
Execution
g, t, p, wt, bp, bu
sx
New Commands
.bpsync 1
.flash_on_break
Windows Vista/Windows Server Longhorn Architectural Changes
Improved Thread Pooling – including multiple thread pools
Boot environment reengineered
Need KD for unsigned kernel drivers on x64: x64 Vista enforces kernel-mode code signing, and an attached kernel debugger (the /debug boot option, set with bcdedit) is what relaxes that check so an unsigned test driver can load. A debugger-enabled boot entry is therefore a test configuration, not a hardening one.
demo
Top 10 Debugger Questions
#10: Is there a way to redirect the output of a debugger extension to a text file?
#9: Is there a way to make the debugger flash or emit a sound when a breakpoint is hit? (see .flash_on_break under New Commands)
#8: .kdfiles on Windows Vista
#7: Breaking in Main() from KD. Module Load
#6: .crash behavior
#5: BCDEDIT
#4: Why Does KD Get Wedged
#3: kd -kl
#2: Can I force the symbols to match?
#1: Why is the sky blue?
Summary
Debugging effectively requires understanding your target code, debugger theory and operating system (OS) theory. This presentation has been an introduction to operating system and debugger theory with an emphasis on debugger capabilities and commands. The related lab gives hands-on experience with driver and OS theory, using the debugger as the enabler.
Call To Action
Understand the system state, not just your driver
Virtual Memory
Interrupts
Timeslice/Dispatch
Go beyond Call Stacks and Exceptions
Know more of the essential commands
Debugging Well is Very Rewarding
Additional Resources
Web Resources
Debugging Tools for Windows: http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx
Training, message boards, etc: http://www.microsoft.com/whdc/devtools/debugging/resources.mspx
Related Sessions
DVR-T410 Driver Debugging Basics
DVR-C478 Debugging Drivers: Discussion
DVR-C408 Driver Verifier: Internals Discussion
DVR-H409 Debugging Bugs Exposed by Driver Verifier: Workshop
DVR-H481 64-bit Driver Debugging Basics: Workshop (2 sessions)
Help: Create a support incident: DDK Developer Support
Feedback: Send suggestions or bug reports:
Windbgfb @ microsoft.com
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.