Explore CLR World with Windbg [1] - Installation and Environment Configuration

http://flier_lu.blogone.net/?id=1270368

I have always, I have a static analysis based on MSDN, .NET Framework SDK's self-contained documentation and Rotor project, which is provided, supplemented by some small examples written by themselves or to Rotor's repairs. Limited dynamic analysis. Although I also use Softice to track the mechanism of some core functions, I feel that it is too painful, huh, huh. Recently, I found that my idol John Robbins published on MSDN's bugslayer found that the original WINDBG can be used so convenient dynamic analysis CLR running mechanism. First, you need to download and install Microsoft Debugging Tools [/ URL]. It is best to download and install Windows Symbol Packages corresponding to the current operating system. Then, configure the system environment variable, let the search path points to the installation directory of the system .NET Framework, both sos.dll's directory set path =% path%; E: /WINDOWS / Microsoft.net/framework/v1.1.4322 Launches Windbg, Add a symbol file installation directory, such as E: / Windows / Symbols; E: / WINDOWS / SYMBOLS; E: /VS2003/SDK/v1.1/symbol, or set system environment variable _NT_SYMBOL_PATH (need to restart Windbg) set _NT_SYMBOL_PATH = E: / WINDOWS / SYMBOLS; E: /VS2003/SDK/v1.1/symbols Finally, in the File menu, open a CLR program with Open Executable or attached to an ATTACH to A Process to an ongoing CLR program. After configuring Windbg, if you open a new executable, WindBG will automatically break to the portal, continue running, and then direct BREAK, if you appendallyvast. Then enter the system command on the bottom command line. Load SOS command loads the external extension sos.dll. If the configuration system path is correct, there will be no response here, you can continue to use the system command. Chain to view the currently loaded extension. As shown below, SOS.DLL is successfully loaded.

The following is quoted:

0:005> .chain

Extension DLL Search Path:

E: / ms / platformsdk / debugging tools / winext; ...; e: /windows/microsoft.net/framework/v1.1.4322

Extension DLL CHAIN:

Sos: API 1.0.0, Built fri feb 21 10:47:40 2003

[path: E: /Windows / Microsoft.Net/framework/v1.1.4322/sos.dll]

DBGHELP: Image 6.3.0005.1, API 6.0.6, Built Fri Oct 24 02:11:02 2003

[path: E: / ms / platformsdk / debugging tools / dbghelp.dll]

Ext: Image 6.3.0005.1, API 1.0.0, Built fri oct 24 09:06:45 2003

[PATH: E: / MS / PlatformSDK / debugging tools / winext / ext.dll]

Ext: image 6.3.0005.1, API 1.0.0, Built fri oct 24 02:10:39 2003 [PATH: E: / MS / Platformsdk / debugging tools / winxp / exts.dll]

UEXT: Image 6.3.0005.1, API 1.0.0, Built Fri Oct 24 02:10:54 2003

[PATH: E: / MS / PlatformSDK / Debugging Tools / Winext / Uext.dll]

NTSDexts: Image 6.0.4044.0, API 1.0.0, Built Wed Oct 22 02:13:21 2003

[PATH: E: / MS / PlatformSDK / Debugging Tools / WinXP / NTSDEXTS.DLL]

After loading Sos.dll, you can use the lm command to see which modules currently loaded into memory, such as

The following is quoted:

0: 005> LM

START End Module Name

...

77F30000 77FFA000 NTDLL (Export Symbols) E: / Windows/system32/NTDLL.DLL

79000000 79010000 Configwizards (DeferRed)

79040000 79085000 Fusion (DeferRed)

79170000 79196000 MSCOREE (Deferred)

791B0000 79412000 Mscorwks (Deferred)

...

For modules that want to analyze, you can use the LD command to load the corresponding debug symbol file (if any, huh, huh). If the symbol file search path configuration is correct, you can see the prompt.

The following is quoted:

0: 005> ld mscorjit

Symbols loaded for mscorjit

At this point, you can see it again.

The following is quoted:

...

79430000 7947C000 Mscorjit (PDB Symbols) E: /VS2003/SDK/v1.1/symbols/mscorjit.pdb

...

If the symbol file search path configuration error, or this module does not debug the symbol file, it will be loaded into the .dll's export table.

The following is quoted:

79170000 79196000 MSCOREE (Export Symbols) E: /Windows/system32/mscoree.dll

Or simply do not sign

The following is quoted:

79780000 79980000 Mscorlib (No Symbols)

After completing the above configuration, you can officially start to explore the internal world of the CLR with Windbg, you can knock! Syncblk, huh.

The following is quoted:

0: 005>! Syncblk

INDEX SYNCBLOCK MONITORHELD Recursion Thread Threadid Object WAITING

-----------------------------

Total 3

ComcallWrapper 0

ComplusWrapper 0

COMCLASSFAACTORY 0

Free 0