Image File Execution Options just inserts the debugger in front of the command line

re: Image File Execution Options just inserts the debugger in front of the command line

Mark Steward — Mon, 02 Jul 2007 17:40:07 GMT

I frequently find myself having to do this for API calls (SendMessage, especially) that aren't available on the command line. Isn't there an easier way to call into Win32 (without VBA)?

Another handy call is for when the debugger itself is hosed (works in ntsd):

resp=@esp-8

ed @esp 0n{TargetPID}

g=kernel32!DebugActiveProcessStop

[Yaniv Pessach wrote a program that takes a function name and a parameter list on the command line. Ony simple types are supported, but for some purposes that may be enough. -Raymond]

re: Image File Execution Options just inserts the debugger in front of the command line

KJK::Hyperion — Mon, 02 Jul 2007 17:43:36 GMT

Just what is it that makes Notepad such a perfect designated debugger victim?

Doh

Mark Steward — Mon, 02 Jul 2007 17:49:20 GMT

Make that ed @esp @eip 0n{TargetPID}

re: Image File Execution Options just inserts the debugger in front of the command line

El Guapo — Mon, 02 Jul 2007 19:33:18 GMT

Er, why not just try again. Why go through all that manual command entering into the debugger when all you need to do is run it again without the SW_HIDE?

[Why waste your time with Image File Execution options? Just run Notepad under the debugger manually! -Raymond]

re: Image File Execution Options just inserts the debugger in front of the command line

anonymous — Mon, 02 Jul 2007 19:38:15 GMT

> Just what is it that makes Notepad such a perfect

> designated debugger victim?

It's single-threaded and straight-forward crud code.

re: Image File Execution Options just inserts the debugger in front of the command line

GregM — Mon, 02 Jul 2007 19:50:15 GMT

"Just what is it that makes Notepad such a perfect designated debugger victim?"

My guess: it's lightweight so it starts fast, and it's in the PATH, so it's fast to type the command line.

re: Image File Execution Options just inserts the debugger in front of the command line

GregM — Mon, 02 Jul 2007 19:51:14 GMT

"Why go through all that manual command entering into the debugger when all you need to do is run it again without the SW_HIDE?"

This assumes that it's easy to run it again exactly as it was just run. That may not be the case.

Do you know how Raymond Chen shows hidden Windows? » Thursday Night

Do you know how Raymond Chen shows hidden Windows? » Thursday Night — Mon, 02 Jul 2007 19:52:30 GMT

PingBack from http://blog.paulbetts.org/index.php/2007/07/02/do-you-know-how-raymond-chen-shows-hidden-windows/

re: Image File Execution Options just inserts the debugger in front of the command line

KJK::Hyperion — Mon, 02 Jul 2007 19:56:02 GMT

Yes, but, I wonder why not cmd? or the venerable winver? There's _something_ about notepad

re: Image File Execution Options just inserts the debugger in front of the command line

Anders — Mon, 02 Jul 2007 20:42:37 GMT

or just use winspy (http://www.catch22.net/software/winspypics.asp) and show the window

re: Image File Execution Options just inserts the debugger in front of the command line

Kevin — Mon, 02 Jul 2007 20:44:15 GMT

You can also use the .call command if you don't want to fool around with the stack directly. For example:

0:001> .call user32!NtUserShowWindow(0x303e2, 6)

Thread is set up for call, 'g' will execute.

WARNING: This can have serious side-effects,

including deadlocks and corruption of the debuggee.

0:001> g

eax=7ffde000 ebx=00000000 ecx=00000000 edx=77c4f06d esi=00000000 edi=00000000

eip=77c02ea8 esp=01c3f7e0 ebp=01c3f80c iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

ntdll!DbgBreakPoint:

77c02ea8 cc int 3

re: Image File Execution Options just inserts the debugger in front of the command line

Mark Steward — Mon, 02 Jul 2007 22:10:21 GMT

KJK::Hyperion: I wondered this, and decided that Notepad's more popular than Winver and has a main window. In fact, it's got most elements of a Windows program (writing a Notepad replacement was a common project in Win32 programming books), and simpler code than Calc or Winmine. You can also change its title, or type something in and scan memory for it. Cmd has the whole console window thing, which it just annoying.

Kevin: what symbols are you using?

re: Image File Execution Options just inserts the debugger in front of the command line

Ehtyar — Tue, 03 Jul 2007 00:00:35 GMT

For sending random messages to windows: http://www.maxoutput.com/SendMsg.html

For modifying properties of random windows: http://nirsoft.net/utils/winexp.html

Ehtyar.

re: Image File Execution Options just inserts the debugger in front of the command line

Nick — Tue, 03 Jul 2007 00:20:47 GMT

I admit I'm not real knowledgeable when it comes to Win32 debugging, but I got lost about the time ntsd was invoked.

I assume you're connecting the debugger to Notepad, and then issuing commands to manually execute the ShowWindow API call, correct?

I've not heard of ntsd before. Does it come with Windows, or is it part of Visual Studio (which I have installed)?

re: Image File Execution Options just inserts the debugger in front of the command line

Dean Harding — Tue, 03 Jul 2007 02:39:22 GMT

> I've not heard of ntsd before. Does it come with Windows, or is it part

> of Visual Studio (which I have installed)?

It's part of the "Debugging Tools for Windows".

Interesting Finds: July 2, 2007

Jason Haley — Tue, 03 Jul 2007 06:05:13 GMT

re: Image File Execution Options just inserts the debugger in front of the command line

Chad Austin — Tue, 03 Jul 2007 09:46:55 GMT

Python (with the pywin32 package) works pretty well too:

import win32gui, win32con

win32gui.ShowWindow(0x5656, win32con.SW_SHOW)

re: Image File Execution Options just inserts the debugger in front of the command line

Jonathan — Tue, 03 Jul 2007 11:48:54 GMT

I must say that's a rather poor design on the kernel's part, and very easy to cause minor behavior changes when launched under debugger - exactly those who would hide the bug you're trying to find. Also, this trick is non-trivial (= few would ever figure it out without having the accurate magic spell from a great wizard).

Alternately, you could run ntsd as a debugging server:

ntsd -server tcp:port=1234 -gGW

And then connect with windbg:

windbg -remote tcp:server=localhost,port=1234

Also works for services that are not allowed to interact with the desktop. And across the network too (of course).

[And what would be a better design? -Raymond]

re: Image File Execution Options just inserts the debugger in front of the command line

Neil — Tue, 03 Jul 2007 11:58:37 GMT

Kevin wrote:

You can also use the .call command if you don't want to fool around with the stack directly. For example:

0:001> .call user32!NtUserShowWindow(0x303e2, 6)

^ Symbol not a function in '.call user32!NtUserShowWindow(0x303e2, 6)'

Raymond mentioned that you can do this if you have some other function with the same signature as the API that you're trying to call, but that's unlikely when you're debugging Notepad.

Raymond wrote:

Yaniv Pessach wrote a program that takes a function name and a parameter list on the command line.

Personally I use a version of the Callfunc executable from Undocumented Windows 3.1 that I modified to work as a Win32 console application. Sadly I don't have the exact source of the current version I use available - I tried and failed to add pagination to the dump command (I couldn't work out how to wait for a keypress...)

re: Image File Execution Options just inserts the debugger in front of the command line

Harold Hunt — Tue, 03 Jul 2007 15:47:03 GMT

I'm usually a lurker... but after seeing this (never thought of it before) I have to remark:

That's awesome!

Thanks Raymond

Harold

re: Image File Execution Options just inserts the debugger in front of the command line

Neil — Wed, 04 Jul 2007 15:02:26 GMT

[And what would be a better design? -Raymond]

Perhaps the debugger could use saved winposinfo for itself and pass on the startup info to the child process?

[And that's the design we have today. -Raymond]

re: Image File Execution Options just inserts the debugger in front of the command line

Dean Harding — Thu, 05 Jul 2007 02:23:06 GMT

> Perhaps the debugger could use saved winposinfo for itself and

> pass on the startup info to the child process?

The debugger can choose to do whatever it likes. We're talking about the design of Image File Execution Options here.

MITHUN SHANBHAG’S BLOG » Blog Archive » Image File Execution Options (IFEO)

MITHUN SHANBHAG’S BLOG » Blog Archive » Image File Execution Options (IFEO) — Thu, 19 Jul 2007 03:21:09 GMT

PingBack from http://www.debugtricks.com/?p=15

Not a kernel guy » Blog Archive » ?????????????????????? ?????????? «Image File Execution Options».

Thu, 10 Jan 2008 10:36:56 GMT

PingBack from http://blog.not-a-kernel-guy.com/2008/01/09/277