Spat's WebLog (Steve Patrick)

When things go wrong...

A few of my favorite things...debug commands

A few of my favorite things...debug commands

  • Comments 2

Well.  not really,  I mean - not in the big picture right? Else that would be a sad existence indeed...  talk about whacked priorities. I thought I would post a few debugger commands I like to use… some new to me, some oldies.

But, there are times I suppose when these really are my favorite things at that moment, when I know it will save me hours of otherwise useless work.  When I used to build furniture ( loved that job back in college ) , it was an amazing thing when you used the right tool for the right job.. (chisel instead of screwdriver )

First of all , the ever useful  FOR command…

 

Find all modules loaded in all processes in dump:

                !for_each_process ".process @#Process;!peb"

Get all stacks for all processes

                !for_each_process ".process /p /r @#Process;!process @#Process"

Check integrity of a binary ( useful for those pesky corrupted binaries  or hax0red even )

                !for_each_module !chkimg @#ModuleName

 

 Use the .shell command.. in this case to find a specific string in data

 

kd> .shell -i - -ci "!thread" findstr -c:"nt!"

Start Address nt!ExpWorkerThread (0x804e4196)

f9015d20 8067e3ac 00000007 805615c0 8056167c nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])

f9015d74 804e426b 00000000 00000000 82bc4030 nt!ExpDebuggerWorker+0x91 (FPO: [Non-Fpo])

f9015dac 8057d0f1 00000000 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo])

f9015ddc 804f827a 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])

00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

.shell: Process exited

 

Get stacks from all processes where win32k is listed:

 

 

kd> !stacks 2 win32k

Proc.Thread  .Thread  Ticks   ThreadState Blocker

 

Max cache size is       : 1048576 bytes (0x400 KB)

Total memory in cache   : 0 bytes (0 KB)

Number of regions cached: 0

0 full reads broken into 0 partial reads

    counts: 0 cached/0 uncached, 0.00% cached

    bytes : 0 cached/0 uncached, 0.00% cached

** User virtual addresses are translated to physical addresses before access

** Prototype PTEs are implicitly decoded

                            [82bc77c0 System]

*** ERROR: Module load completed but symbols could not be loaded for ino_fltr.sys

*** ERROR: Module load completed but symbols could not be loaded for userdump.sys

 

                            [82a8c380 smss.exe]

 

                            [829d5558 csrss.exe]

 22c.000234  82a32da8 0000000 Blocked    nt!KiSwapContext+0x2e

                                        nt!KiSwapThread+0x46

                                        nt!KeWaitForSingleObject+0x1c2

                                        Ntfs!NtfsWaitSync+0x1c

                                        Ntfs!NtfsNonCachedIo+0x30e

                                        Ntfs!NtfsCommonRead+0xbdd

                                        Ntfs!NtfsFsdRead+0x22d

                                        nt!IopfCallDriver+0x31

                                        sr!SrPassThrough+0x31

                                        nt!IopfCallDriver+0x31

                                        ino_fltr+0x7544

                                        nt!IoPageRead+0x1b

                                        nt!MiDispatchFault+0x274

                                        nt!MmAccessFault+0x5bc

                                        nt!KiTrap0E+0xcc

                                        win32k!bDynamicModeChange

                                        win32k!DrvChangeDisplaySettings+0x4de

                                        win32k!xxxUserChangeDisplaySettings+0x141

                                        win32k!RemoteSetDisconectDisplayMode+0x28

                                        win32k!xxxRemoteDisconnect+0x188

                                        win32k!NtUserCallNoParam+0x1b

                                        nt!KiFastCallEntry+0xf8

                                        ntdll!KiFastSystemCallRet

 

 

If you have private symbols you can see your own data type information, or the type info is in  NT and the target is XP or greater..

 

kd> dt NT!*PROCESS*

          NT!_KPROCESSOR_STATE

          NT!_PROCESSOR_POWER_STATE

          NT!_EPROCESS

          NT!_KPROCESS

          NT!_EPROCESS_QUOTA_BLOCK

          NT!_SE_AUDIT_PROCESS_CREATION_INFO

          NT!_EPROCESS

          NT!_EPROCESS_QUOTA_ENTRY

          NT!_EPROCESS_QUOTA_BLOCK

          NT!_RTL_USER_PROCESS_PARAMETERS

          NT!_EPROCESS_QUOTA_ENTRY

    NT!PROCESSOR_IDLE_TIMES

 

 

 

In usermode – the “TC” command..

In this case I am in notepad.exe and want to “fast forward” my debugging to the  next call in DialogBox2(), step over it and see the result then move on or re-examine it.

 

 

0:000> KL 3

ChildEBP RetAddr 

0015f9b8 77491460 USER32!DialogBox2

0015f9e0 774914a2 USER32!InternalDialogBox+0xd0

0015fa00 774b12de USER32!DialogBoxIndirectParamAorW+0x37

 

0:000> r

eax=00141904 ebx=00000000 ecx=00141904 edx=008c0570 esi=00000001 edi=000c18fe

eip=77491244 esp=0015f9bc ebp=0015f9e0 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

USER32!DialogBox2:

77491244 8bff            mov     edi,edi

 

0:000> tc

eax=00141904 ebx=00000000 ecx=00141904 edx=008c0570 esi=00000001 edi=000c18fe

eip=7749125e esp=0015f990 ebp=0015f9b8 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

USER32!DialogBox2+0x16:

7749125e e8ed080100      call    USER32!ValidateHwnd (774a1b50)

 

0:000> p

eax=009bde28 ebx=00000000 ecx=00062c30 edx=008c0501 esi=00000001 edi=000c18fe

eip=77491263 esp=0015f990 ebp=0015f9b8 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

USER32!DialogBox2+0x1b:

77491263 8bf0            mov     esi,eax

 

 

 

Again in usermode - the  “gu”  command..

This gets me quickly to the return address of the current function.

 

 

0:000> KL4

ChildEBP RetAddr 

0015f9b8 77491460 USER32!DialogBox2

0015f9e0 774914a2 USER32!InternalDialogBox+0xd0

0015fa00 774b12de USER32!DialogBoxIndirectParamAorW+0x37

0015fa24 760d1832 USER32!DialogBoxParamW+0x3f

 

0:000> r

eax=001a18d4 ebx=00000000 ecx=001a18d4 edx=008c0570 esi=00000001 edi=000c18fe

eip=77491244 esp=0015f9bc ebp=0015f9e0 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

USER32!DialogBox2:

77491244 8bff            mov     edi,edi

 

0:000> gu

eax=00000001 ebx=00000000 ecx=0015f980 edx=77340f34 esi=00000001 edi=000c18fe

eip=77491460 esp=0015f9d0 ebp=0015f9e0 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

USER32!InternalDialogBox+0xd0:

77491460 5f              pop     edi

 

0:000> KL4

ChildEBP RetAddr 

0015f9e0 774914a2 USER32!InternalDialogBox+0xd0

0015fa00 774b12de USER32!DialogBoxIndirectParamAorW+0x37

0015fa24 760d1832 USER32!DialogBoxParamW+0x3f

0015fa48 761ea0e5 SHELL32!SHFusionDialogBoxParam+0x32

 

 

 

 

DT – Dump Type… go explore this one yourself… quite handy for all kinds of things

 

DL – Dump a simple list – you can specify the type information via !list – another handy one.

 

The  j command - conditional BP's sure are handy

 

The  e* commands - great for editing code in ASM on the fly... noop out,  jmp etc...

 

The r command - view\set registers:   r EAX=00000000 , nice to see - hey what if that had succeeded (kind of dangerous used randomly ) 

 

 

 

All of the below  explained in the debug help:

 

!address

 

!token

 

!sd 

 

!pool

 

!pte

 

!heap

 

 

 

 

Anyway – there are a few of them…

 

 

 

Have fun!

 

spatdsg

 

 

Leave a Comment
  • Please add 2 and 4 and type the answer here:
  • Post
  • Like usual I'm impressed by your wealth of knowledge.  

    One that I've grown attached to lately is ub.  Good for when you hit an AV.  You can then unassemble backwards to that point.  Nice to see where that parameter came from.

    ub mod!function+offset l20

  • Thanks Brad... UB and UF -- two other good ones.

Page 1 of 1 (2 items)