Chapter 1 Windows 2000 Debugging Support
Translator: kendiv (fcczj@263.net)
Updated: Friday, January 18, 2005
Notice: When reproducing this article, please cite the source and keep it intact; all rights to the translation are reserved.
Kernel Debugger Commands
Although the debugger's commands are documented, it is sometimes hard to remember them, so I have collected them all in Appendix A. Table A-1 is a quick reference; it is an edited version of the help text the debugger itself prints (obtained with its help command). The parameter types the commands expect are summarized in Table A-2.
As mentioned earlier, an extension command must be prefixed with an exclamation mark (!) when it is executed in the kernel debugger. Whenever a command starts with !, the debugger searches the export lists of the loaded extension DLLs, and if it finds a match it jumps to the corresponding DLL. Figure 1-7 shows the kernel debugger loading the extension DLLs kdextx86.dll, userkdx.dll and dbghelp.dll. The last one resides in the same directory as i386kd.exe; the first two come in four versions: free and checked builds for Windows NT 4.0 (in the subdirectories NT4FR and NT4CHK) and free and checked builds for Windows 2000. Normally the debugger uses a default search order when looking up an extension command. You can override it by prefixing the command with the module name, using a period as separator. For example, both kdextx86.dll and userkdx.dll export a help command; if you type !help you get the help of kdextx86.dll by default. To run the help command of userkdx.dll, you must type !userkdx.help (or !userkdx.help -v if you want more detailed help). Once you know the rules, you can write your own extension commands by the same scheme. A very good how-to article can be found in The NT Insider (Open Systems Resources 1999a). It is written for windbg.exe rather than i386kd.exe, but since both use the same extension DLLs, most of the information applies to i386kd.exe as well.
Tables A-3 and A-4 in Appendix A list the help output of kdextx86.dll and userkdx.dll respectively, lightly edited for readability. You will find more commands in these tables than in the Microsoft DDK documentation, and some of the commands take additional parameters that the DDK documentation does not mention.
Ten Important Debugger Commands
Tables A-1 to A-4 list the large number of commands provided by the kernel debugger and its standard extension DLLs. Below I discuss some of the most commonly used ones in more detail.
u: Disassemble Machine Code
You already used this command when checking whether the crash dump was valid. The u command comes in three forms:
1. u
2. u
3. u without any parameters: continues disassembling from the position where the previous u command stopped.
Reading disassembled machine code is tedious, of course, but if you just want to know what happens at a particular address, this is the most convenient way. Perhaps the most interesting feature of the u command is that it resolves the symbols referenced by the code, even if the target module does not export them. However, for disassembling the complete Windows 2000 executive, the Multi-Format Visual Disassembler on the CD that accompanies this book is far more interesting; more about this product later in this chapter.
db, dw and dd: Dump Memory as Bytes, Words and DWORDs
If the memory you are interested in holds binary data, the debugger's hex dump commands will do the job. Depending on the data type you expect at the source address, choose db (for bytes), dw (for words) or dd (for DWORDs).
- db displays the data in the specified memory range in two parts: the hexadecimal representation on the left (in 8-bit units) and the corresponding ASCII characters on the right.
- dw displays hexadecimal only (in 16-bit units).
- dd displays hexadecimal only (in 32-bit units).
This group of commands accepts the same parameters as the u command. Note that the contents of the address indicated by
x: Examine Symbols
The x command is very important. It builds its listing from the installed symbol files. Typical uses are:
1. x *!* displays all modules whose symbols are available. After startup, only the symbols of ntoskrnl.exe are available by default; the symbols of other modules can be loaded with the .reload command.
2. x
3. x
Along with each symbol name, its associated virtual address is shown: for a function name, the entry address of the function; for a variable, the base address of the variable. What is remarkable about this command is that it outputs many internal symbols that cannot be found in the executable's export table.
ln: List Nearest Symbols
ln is my favorite command, because it gives quick and easy access to the installed symbol files. It is the ideal complement to the x command: the latter works with the names of all system symbols, whereas ln finds symbols by address or by name.
- ln followed by an address: displays the symbol information for that address and for the nearest symbols before and after it.
- ln
Like the x command, ln knows all exported symbols and some internal ones. It is therefore a great help when you want to figure out the exact meaning of an unknown pointer in a disassembly listing or a hex dump. Note that u, db, dw and dd also make use of the symbol files.
!processfields: List the Members of EPROCESS
The ! in front of the command means that it comes from a debugger extension module, in this case kdextx86.dll. The command displays the members of the EPROCESS structure, which the kernel uses to represent a process (this structure has no official documentation), together with their offsets.
Although the command only lists the members' offsets, you can often guess their correct types. For example, LockEvent is located at offset 0x70 and the next member at offset 0x80, so the member occupies 16 bytes, which matches the KEVENT structure. If you don't know what a KEVENT is, don't worry; I will discuss it in Chapter 7.
!threadfields: List the Members of ETHREAD
This is another powerful option provided by kdextx86.dll. Like !processfields, it lists the members and offsets of the undocumented ETHREAD structure, which the kernel uses to represent a thread. See Example 1-2.
!drivers: List the Loaded Drivers
kdextx86.dll is really great. !drivers lists details of the kernel and file system modules currently loaded. If you are examining a crash dump, the command lists the state of the system at the time of the crash. Example 1-3 is a summary of the output on my machine. Note the last line of the output: the address at which Windows 2000 crashed is 0xBECC2000, which is clearly the address in W2K_KILL.sys that triggered the blue screen.
Translator's note: The newer i386kd.exe (version 6.3.0017.0) no longer supports the !drivers command; it has been replaced by the LM command, whose general usage is: LM T N
!sel: Examine Selector Values
Without any doubt, !sel is implemented in kdextx86.dll. It displays 16 consecutive memory selectors (in ascending address order). You can repeat the command until "Selector is invalid" appears. Memory selectors are discussed in Chapter 4, where I also provide sample code that demonstrates how to crack selectors in your own programs.
Translator's note: The newer debugger does not support this command either; its replacement is the DG command, whose general usage is: DG. Pay attention to the end. The DG command can list up to 256 selectors; the debugger's online help has a detailed description.
Closing the Debugger
You can close the kernel debugger simply by closing its console window. The better way, of course, is the q command; "q" stands for quit.
More Debugging Tools
On the CD of this book you will find two very valuable debugging tools contributed by my e-friends. I am very glad that they allowed me to put the full versions on the CD. Wayne J. Radburn's PE and COFF file browser (PEview) is a special free version for the readers of this book, and Jean-Louis Seigne's Multi-Format Visual Disassembler (MFVDASM) is a time-limited version. This section briefly introduces the two tools.
MFVDASM: Multi-Format Visual Disassembler
MFVDASM is more than just a generator of disassembly listings; it is an assembly code browser with many navigation features. Figure 1-8 is a screenshot of MFVDASM displaying the Windows 2000 I/O manager function IoDetachDevice(). The figure does not show the colors: all function entries, and all jumps and calls to addresses with an export symbol, are shown in red; jumps and calls to other addresses (those without an associated export symbol) are shown in blue; symbols imported dynamically from other modules are shown in purple. All reachable target addresses are underlined, which means you can scroll to an address by clicking on it, and with the Back and Forward buttons on the toolbar you can retrace your steps, much like browsing web pages in Internet Explorer. On the right you can select the symbol or target address you want to jump to; of course, the lists can be sorted by clicking on them. At the bottom, MFVDASM provides tabs for symbols, hex dumps (HEXDUMP) and relocations (RELOCATION). The hex dump view is very useful when disassembling a code section that contains embedded strings. When analyzing a large file such as ntoskrnl.exe, MFVDASM does not stall, and, like other popular disassemblers, it can save the resulting assembly code to a text file.
PEview: PE and COFF File Viewer
Although MFVDASM reveals many details of the internal structure of PE (Portable Executable) files, it focuses on the code. PEview, on the other hand, shows a code section as nothing more than a hex dump, but it displays the structure of the file in great detail. Figure 1-9 is a screenshot of PEview examining ntoskrnl.exe. As you can see, PEview uses three panes to display the various parts of ntoskrnl.exe. If you click a leaf node on the left, all information related to that item is displayed on the right. In Figure 1-9 I selected the IMAGE_OPTIONAL_HEADER structure, which is a member of the IMAGE_NT_HEADERS structure.
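The header chain PEview displays (IMAGE_DOS_HEADER, then IMAGE_NT_HEADERS with its IMAGE_OPTIONAL_HEADER, then the section table) is also what ImageNtHeader(), ImageRvaToSection() and ImageRvaToVa() from Table 1-1 walk. The portable C code below is an added example, not code from the book, from PEview or from imagehlp.dll: it builds a small constructed PE32 image in memory, locates the NT headers with the length checks a viewer needs on a truncated or malformed file, and translates RVAs to file offsets, including the case where an RVA lies inside a section's VirtualSize but beyond its SizeOfRawData. The image layout, sizes and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

enum { DOS_SIZE = 64, NT_SIG = 4, FILE_HDR = 20, OPT_SIZE = 224, SEC_HDR = 40, IMG_SIZE = 0x600 };
static uint8_t g_img[IMG_SIZE];  /* holds the constructed sample image */

/* Little-endian field access, independent of host byte order and struct packing. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Constructed PE32 image (an assumption, not a real file): .text at RVA 0x1000 backed by file bytes
 * 0x200..0x400; .data at RVA 0x2000 with VirtualSize 0x300 but only 0x200 bytes on disk. */
static const uint8_t *build_sample_image(void)
{
    uint8_t *nt = g_img + DOS_SIZE, *opt = nt + NT_SIG + FILE_HDR, *sec = opt + OPT_SIZE;
    memset(g_img, 0, sizeof g_img);
    put16(g_img, 0x5A4D);               /* IMAGE_DOS_HEADER.e_magic "MZ" */
    put32(g_img + 60, DOS_SIZE);        /* e_lfanew: IMAGE_NT_HEADERS follows the DOS header */
    put32(nt, 0x00004550);              /* Signature "PE\0\0" */
    put16(nt + NT_SIG + 2, 2);          /* FileHeader.NumberOfSections */
    put16(nt + NT_SIG + 16, OPT_SIZE);  /* FileHeader.SizeOfOptionalHeader */
    put16(opt, 0x10B);                  /* OptionalHeader.Magic: PE32 */
    put32(opt + 28, 0x00400000);        /* OptionalHeader.ImageBase */
    /* IMAGE_SECTION_HEADER: VirtualSize@8, VirtualAddress@12, SizeOfRawData@16, PointerToRawData@20 */
    memcpy(sec, ".text", 5); put32(sec + 8, 0x200); put32(sec + 12, 0x1000); put32(sec + 16, 0x200); put32(sec + 20, 0x200);
    sec += SEC_HDR;
    memcpy(sec, ".data", 5); put32(sec + 8, 0x300); put32(sec + 12, 0x2000); put32(sec + 16, 0x200); put32(sec + 20, 0x400);
    return g_img;
}

/* Like ImageNtHeader(): offset of the "PE\0\0" signature, or 0 when the headers
 * (including the whole section table) do not fit inside the len bytes available. */
static size_t pe_nt_headers(const uint8_t *img, size_t len)
{
    size_t nt;
    if (len < DOS_SIZE || get16(img) != 0x5A4D) return 0;
    nt = get32(img + 60);
    if (nt > len || len - nt < NT_SIG + FILE_HDR) return 0;  /* e_lfanew points past the end */
    if (get32(img + nt) != 0x00004550) return 0;
    if (len - nt - NT_SIG - FILE_HDR < get16(img + nt + NT_SIG + 16) + (size_t)get16(img + nt + NT_SIG + 2) * SEC_HDR)
        return 0;                                            /* truncated section table */
    return nt;
}

/* Like ImageRvaToSection(): the section header covering rva, or NULL. */
static const uint8_t *pe_rva_to_section(const uint8_t *img, size_t len, uint32_t rva)
{
    size_t nt = pe_nt_headers(img, len), i, n;
    const uint8_t *sec;
    if (!nt) return NULL;
    n = get16(img + nt + NT_SIG + 2);
    sec = img + nt + NT_SIG + FILE_HDR + get16(img + nt + NT_SIG + 16);
    for (i = 0; i < n; i++, sec += SEC_HDR) {
        uint32_t va = get32(sec + 12), vsz = get32(sec + 8), rsz = get32(sec + 16);
        uint32_t span = vsz > rsz ? vsz : rsz;  /* the loader maps max(VirtualSize, SizeOfRawData) */
        if (rva >= va && rva - va < span) return sec;
    }
    return NULL;
}

/* Like ImageRvaToVa() on a file mapping: file offset for rva, or -1 when the RVA is valid in
 * memory but not backed by bytes on disk (the zero-filled tail of .data here) or lies past len. */
static long pe_rva_to_offset(const uint8_t *img, size_t len, uint32_t rva)
{
    const uint8_t *sec = pe_rva_to_section(img, len, rva);
    uint32_t delta, raw;
    if (!sec) return -1;
    delta = rva - get32(sec + 12);
    raw = get32(sec + 20);
    if (delta >= get32(sec + 16) || raw + delta < raw || raw + delta >= len) return -1;
    return (long)(raw + delta);
}
```

pe_rva_to_offset(build_sample_image(), IMG_SIZE, 0x1010) yields 0x210, whereas 0x2250 yields -1 because that part of .data exists only in memory, which is exactly the case a naive "rva - VirtualAddress + PointerToRawData" conversion gets wrong.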
Translator's note: There are still two paragraphs I have not translated; they have nothing to do with the theme of this book. If you are interested, refer to the original text.
Windows 2000 Debugging Interfaces
For those who like to explore the system kernel, the kernel debugger is a very powerful tool. However, its interface is somewhat spartan, and sometimes you may wish for more powerful commands. Fortunately, Windows 2000 provides two fully documented debugging interfaces that let you add debugging features to your own programs. These interfaces are far less luxurious, but they have the blessing of Microsoft's official documentation. In this section I will take you on a short tour of the debugging interfaces, show you their documentation, and show how to get more out of it.
psapi.dll, imagehlp.dll and dbghelp.dll
For a long time, Windows NT was criticized for not supporting the Toolhelp32 interface of Windows 95. Perhaps not everyone knows that Windows NT 4.0 provides its own debugging interface: the built-in system component psapi.dll (shipped with the Win32 SDK). This DLL, released together with imagehlp.dll and dbghelp.dll and their official documentation, forms the debugging interface of NT/2000. PSAPI stands for Process Status Application Programming Interface; it provides 14 functions for obtaining system information about device drivers, processes, process memory usage and their loaded modules, working sets and memory-mapped files. psapi.dll supports both ANSI and Unicode strings. The remaining two debugging DLLs, imagehlp.dll and dbghelp.dll, cover a different area. Both export similar functions; the difference is that imagehlp.dll provides more functions, whereas dbghelp.dll is a redistributable component. This means Microsoft allows you to ship dbghelp.dll in the installation package of your own debugger, while if you choose imagehlp.dll you have to rely on the copy installed on the target system. Both DLLs provide a rich set of functions for analyzing and maintaining PE files. Their most significant feature is good support for symbol files (that is, the files prepared for the kernel debugger). To help you choose which DLL to use, Table 1-1 summarizes all functions exported by the two DLLs; N/A means not supported.
No. | Function name | imagehlp.dll | dbghelp.dll
1 | BindImage | yes | N/A
2 | BindImageEx | yes | N/A
3 | CheckSumMappedFile | yes | N/A
4 | EnumerateLoadedModules | yes | yes
5 | EnumerateLoadedModules64 | yes | yes
6 | ExtensionApiVersion | N/A | yes
7 | FindDebugInfoFile | yes | yes
8 | FindDebugInfoFileEx | y | yes
9 | FindExecutableImage | yes | yes
10 | FindExecutableImageEx | yes | yes
11 | FindFileInSearchPath | yes | yes
12 | GetImageConfigInformation | yes | N/A
13 | GetImageUnusedHeaderBytes | yes | N/A
14 | GetTimestampForLoadedLibrary | yes | yes
15 | ImageAddCertificate | yes | N/A
16 | ImageDirectoryEntryToData | yes | yes
17 | ImageDirectoryEntryToDataEx | yes | yes
18 | ImageEnumerateCertificates | yes | N/A
19 | ImageGetCertificateData | yes | N/A
20 | ImageGetCertificateHeader | yes | N/A
21 | ImageGetDigestStream | yes | N/A
22 | ImagehlpApiVersion | yes | yes
23 | ImagehlpApiVersionEx | yes | yes
24 | ImageLoad | yes | N/A
25 | ImageNtHeader | yes | yes
26 | ImageRemoveCertificate | yes | N/A
27 | ImageRvaToSection | yes | yes
28 | ImageRvaToVa | yes | yes
29 | ImageUnload | yes | N/A
30 | MakeSureDirectoryPathExists | yes | yes
31 | MapAndLoad | yes | N/A
32 | MapDebugInformation | yes | yes
33 | MapFileAndCheckSumA | yes | N/A
34 | MapFileAndCheckSumW | yes | N/A
35 | RebaseImage | yes | N/A
36 | RebaseImage64 | yes | N/A
37 | RemovePrivateCvSymbolic | yes | N/A
38 | RemovePrivateCvSymbolicEx | yes | N/A
39 | RemoveRelocations | yes | N/A
40 | SearchTreeForFile | yes | yes
41 | SetImageConfigInformation | yes | N/A
42 | SplitSymbols | yes | N/A
43 | StackWalk | yes | yes
44 | StackWalk64 | yes | yes
45 | Sym | N/A | yes
46 | SymCleanup | yes | yes
47 | SymEnumerateModules | yes | yes
48 | SymEnumerateModules64 | yes | yes
49 | SymEnumerateSymbols | yes | yes
50 | SymEnumerateSymbols64 | yes | yes
51 | SymEnumerateSymbolsW | yes | yes
52 | SymFunctionTableAccess | yes | yes
53 | SymFunctionTableAccess64 | yes | yes
54 | SymGetLineFromAddr | yes | yes
55 | SymGetLineFromAddr64 | yes | yes
56 | SymGetLineFromName | yes | yes
57 | SymGetLineFromName64 | yes | yes
58 | SymGetLineNext | yes | yes
59 | SymGetLineNext64 | yes | yes
60 | SymGetLinePrev | yes | yes
61 | SymGetLinePrev64 | yes | yes
62 | SymGetModuleBase | yes | yes
63 | SymGetModuleBase64 | yes | yes
64 | SymGetModuleInfo | yes | yes
65 | SymGetModuleInfo64 | yes | yes
66 | SymGetModuleInfoEx | yes | yes
67 | SymGetModuleInfoEx64 | yes | yes
68 | SymGetModuleInfoW | yes | yes
69 | SymGetModuleInfoW64 | yes | yes
70 | SymGetOptions | yes | yes
71 | SymGetSearchPath | yes | yes
72 | SymGetSymbolInfo | yes | yes
73 | SymGetSymbolInfo64 | yes | yes
74 | SymGetSymFromAddr | yes | yes
75 | SymGetSymFromAddr64 | yes | yes
76 | SymGetSymFromName | yes | yes
77 | SymGetSymFromName64 | yes | yes
78 | SymGetSymNext | yes | yes
79 | SymGetSymNext64 | yes | yes
80 | SymGetSymPrev | yes | yes
81 | SymGetSymPrev64 | yes | yes
82 | SymInitialize | yes | yes
83 | SymLoadModule | yes | yes
84 | SymLoadModule64 | yes | yes
85 | SymMatchFileName | yes | yes
86 | SymEnumerateSymbolsW64 | yes | yes
87 | SymRegisterCallback | yes | yes
88 | SymRegisterCallback64 | yes | yes
89 | SymRegisterFunctionEntryCallback | yes | yes
90 | SymRegisterFunctionEntryCallback64 | yes | yes
91 | SymSetOptions | yes | yes
92 | SymSetSearchPath | yes | yes
93 | SymUnDName | yes | yes
94 | SymUnDName64 | yes | yes
95 | SymUnloadModule | yes | yes
96 | SymUnloadModule64 | yes | yes
97 | TouchFileTimes | yes | N/A
98 | UnDecorateSymbolName | yes | yes
99 | UnMapAndLoad | yes | N/A
100 | UnmapDebugInformation | yes | yes
101 | UpdateDebugInfoFile | yes | N/A
102 | UpdateDebugInfoFileEx | yes | N/A
103 | WinDbgExtensionDllInit | N/A | yes
In the sample code of this section, I will demonstrate how to use psapi.dll and imagehlp.dll to accomplish the following tasks:
- enumerate all kernel components and drivers
- enumerate all processes currently managed by the system
- enumerate all modules loaded into a process's address space
- enumerate all symbols of a given component (if its symbol file is available)
The interface of psapi.dll is not as good as it could be. It provides a minimal set of functions, although it tries to add some conveniences; it obtains a lot of information from the kernel but throws most of it away and passes on only a small part. Since psapi.dll and imagehlp.dll are not part of the standard Win32 API, the header files and import libraries they need are not automatically included in a Visual C/C++ project. Therefore, the four directives shown in Listing 1-2 should appear in your source file. The first two pull in the required header files; the remaining two establish the dynamic links to the functions exported by the two DLLs.
#include
#include
#pragma comment(linker, "/defaultlib:imagehlp.dll")
#pragma comment(linker, "/defaultlib:psapi.dll")
Listing 1-2. Adding psapi.dll and imagehlp.dll to a Visual C/C++ project
Translator's note: In fact, you can also link statically, as follows:
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "imagehlp.lib")
Sample Code on the CD
The CD accompanying this book contains two projects built on psapi.dll and imagehlp.dll. One sample project is w2k_sym.exe, a Windows 2000 symbol browser that can extract symbol names from any symbol file (provided you have it installed). It outputs the symbol table sorted by name, address or size and accepts a wildcard filter. As an additional feature, w2k_sym.exe can list the names of the currently active system modules/drivers, the running processes and the modules loaded by each process. The other sample project is the debugging support library w2k_dbg.dll, which contains several wrapper functions around psapi.dll and imagehlp.dll for easier use; w2k_sym.exe relies entirely on this DLL. The source code of these projects is located in the /SRC/W2K_DBG and /SRC/W2K_SYM directories of the CD.
Table 1-2 lists the functions used by w2k_dbg.dll. The A/W column indicates support for ANSI and Unicode. As noted earlier, psapi.dll supports both ANSI and Unicode. Unfortunately, imagehlp.dll and dbghelp.dll are not so smart: several of their functions accept ANSI strings only. This is somewhat annoying, because the Windows 2000 debuggers usually cannot run on Windows 9x anyway, so nothing would have prevented them from being Unicode throughout. If imagehlp.dll is used in your project, you must either use ANSI strings or convert back and forth to Unicode strings. Because I hate using 8-bit strings on a system that can handle 16-bit strings, I chose the latter. All strings in the functions exported by w2k_dbg.dll are Unicode, so if you use this DLL in your own Windows 2000 projects, you don't have to care about the character size.
On the other hand, imagehlp.dll and dbghelp.dll have a feature that psapi.dll lacks: they also apply to Win64, the 64-bit Windows every developer dreads, because nobody knows how hard porting Win32 programs to Win64 will be. These DLLs export Win64 API functions as well; well, perhaps one day we will use them.
Name | A/W | Library
EnumDeviceDrivers |  | psapi.dll
EnumProcesses |  | psapi.dll
EnumProcessModules |  | psapi.dll
GetDeviceDriverFileName | A/W | psapi.dll
GetModuleFileNameEx | A/W | psapi.dll
GetModuleInformation |  | psapi.dll
ImageLoad | A | imagehlp.dll
ImageUnload |  | imagehlp.dll
SymCleanup |  | imagehlp.dll
SymEnumerateSymbols | A/W | imagehlp.dll
SymInitialize | A | imagehlp.dll
SymLoadModule | A | imagehlp.dll
SymUnloadModule |  | imagehlp.dll
Table 1-2. Debugging functions used by w2k_dbg.dll
I don't intend to explore psapi.dll and imagehlp.dll in depth, because that is not the focus of this book, and the SDK documentation of these two DLL interfaces is not bad. However, I will not bypass them completely either, because they are closely linked to the Windows 2000 Native API (discussed in Chapter 2). Moreover, psapi.dll is a prime example of why an undocumented interface can be preferable to a documented one. Its interface is not just simple and clumsy; in some places it returns obviously contradictory data. If I had to write a professional debugging tool for sale, I would not rely on this DLL. The Windows 2000 kernel provides more powerful, more general and more appropriate debugging API functions, but they are almost completely undocumented. Fortunately, many system tools shipped by Microsoft use these APIs, although there are some differences between the various versions of Windows NT. So yes, if you use these APIs you must carefully test and revise your software whenever a new version of NT appears, but the benefits they bring far outweigh these obstacles.
Most of the sample code in the rest of this chapter comes from w2k_dbg.dll; you can find it on the CD in /SRC/W2K_DBG/W2K_DBG.C. This DLL packages multi-step operations into single calls that return richer information. The data is returned in appropriately sized linked lists (with an optional index) that allow the entries to be sorted. Table 1-3 lists all API functions exported by w2k_dbg.dll. Discussing each of these functions in detail is beyond the scope of this chapter, so I encourage you to refer to the source code of w2k_sym.exe (located on the CD in /SRC/W2K_SYM/X) to learn their typical usage.
Table 1-3
Function name | Description
dbgBaseDriver | Return the base address and size of a driver, given its path
dbgBaseModule | Return the base address and size of a DLL module
dbgCrc32Block | Compute the CRC32 of a memory block
dbgCrc32Byte | Bytewise computation of a CRC32
dbgCrc32Start | CRC32 preconditioning
dbgCrc32Stop | CRC32 postconditioning
dbgDriverAdd | Add a driver entry to a list of drivers
dbgDriverAddresses | Return an array of driver addresses (EnumDeviceDrivers() wrapper)
dbgDriverIndex | Create an indexed (and optionally sorted) driver list
dbgDriverList | Create a flat driver list
dbgFileClose | Close a disk file
dbgFileLoad | Load the contents of a disk file into a memory block
dbgFileNew | Create a new disk file
dbgFileOpen | Open an existing disk file
dbgFileRoot | Get the offset of the root token in a file path
dbgFileSave | Save a memory block to a disk file
dbgFileUnload | Free a memory block created by dbgFileLoad()
dbgIndexCompare | Compare two entries referenced by an index (used by dbgIndexSort())
dbgIndexCreate | Create a pointer index on an object list
dbgIndexCreateEx | Create a sorted pointer index on an object list
dbgIndexDestroy | Free the memory used by an index and its associated list
dbgIndexDestroyEx | Free the memory used by a two-dimensional index and its associated lists
dbgIndexList | Create a flat copy of a list from its index
dbgIndexListEx | Create a flat copy of a two-dimensional list from its index
dbgIndexReverse | Reverse the order of the list entries referenced by an index
dbgIndexSave | Save the memory image of an indexed list to a disk file
dbgIndexSaveEx | Save the memory image of a two-dimensional indexed list to a disk file
dbgIndexSort | Sort the list entries referenced by an index by address, size, ID, or name
dbgListCreate | Create an empty list
dbgListCreateEx | Create an empty list with reserved space
dbgListDestroy | Free the memory used by a list
dbgListFinish | Terminate a sequentially built list and trim any unused memory
dbgListIndex | Create a pointer index on an object list
dbgListLoad | Create a list from a disk file image
dbgListNext | Update the list header after inserting an entry
dbgListResize | Reserve memory for additional list entries
dbgListSave | Save the memory image of a list to a disk file
dbgMemoryAlign | Round up a byte count to the next 64-bit boundary
dbgMemoryAlignEx | Round up a string character count to the next 64-bit boundary
dbgMemoryBase | Query the internal base address of a heap memory block
dbgMemoryBaseEx | Query the internal base address of an individually tagged heap memory block
dbgMemoryCreate | Allocate a memory block from the heap
dbgMemoryCreateEx | Allocate an individually tagged memory block from the heap
dbgMemoryDestroy | Return a memory block to the heap
dbgMemoryDestroyEx | Return an individually tagged memory block to the heap
dbgMemoryReset | Reset the memory usage statistics
dbgMemoryResize | Change the allocated size of a heap memory block
dbgMemoryResizeEx | Change the allocated size of an individually tagged heap memory block
dbgMemoryStatus | Query the memory usage statistics
dbgMemoryTrack | Update the memory usage statistics
dbgModuleIndex | Create an indexed (and optionally sorted) process module sub-list
dbgModuleList | Create a flat process module sub-list
dbgPathDriver | Build a default driver path specification
dbgPathFile | Get the offset of the file name token in a file path
dbgPrivilegeDebug | Request the debug privilege for the calling process
dbgPrivilegeSet | Request the specified privilege for the calling process
dbgProcessAdd | Add a process entry to a list of processes
dbgProcessGuess | Guess the default display name of an anonymous system process
dbgProcessIds | Return an array of process IDs (EnumProcesses() wrapper)
dbgProcessIndex | Create an indexed (and optionally sorted) process list
dbgProcessIndexEx | Create a two-dimensional indexed (and optionally sorted) process/module list
dbgProcessList | Create a flat process list
dbgProcessModules | Return a list of process module handles (EnumProcessModules() wrapper)
dbgSizeDivide | Divide a byte count by a power of two, optionally rounding up or down
dbgSizeKB | Convert bytes to KB, optionally rounding up or down
dbgSizeMB | Convert bytes to MB, optionally rounding up or down
dbgStringAnsi | Convert a Unicode string to ANSI
dbgStringDay | Get the name of a day given a day-of-week number
dbgStringMatch | Apply a wildcard filter to a string
dbgSymbolCallback | Add a symbol entry to a list of symbols (called by SymEnumerateSymbols())
dbgSymbolIndex | Create an indexed (and optionally sorted) symbol list
dbgSymbolList | Create a flat symbol list
dbgSymbolLoad | Load a module's symbol table
dbgSymbolLookup | Look up a symbol name and optional offset given a memory address
dbgSymbolUnload | Unload a module's symbol table
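The dbgIndexSort() and dbgSymbolLookup() entries above, and the ln command discussed earlier, rest on the same idea: keep the symbol list in the order it was loaded, put a sorted pointer index over it, and binary-search that index for the nearest symbol at or below an address. The C code below is an added example written for this page, not the book's w2k_dbg.dll source; the symbol names, addresses and sizes are constructed for the example and are not real ntoskrnl.exe values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t addr; uint32_t size; const char *name; } Symbol;

/* Constructed symbol list in the order a SymEnumerateSymbols() callback might deliver it.
 * Assumption: addresses and sizes are made up, not real ntoskrnl.exe values. */
static const Symbol g_symbols[] = {
    { 0x80401a00, 0x120, "NtClose" },
    { 0x80401000, 0x3c0, "NtCreateFile" },
    { 0x80402000, 0x040, "KeBugCheck" },
    { 0x80401b20, 0x4e0, "NtOpenFile" },
    { 0x80400800, 0x800, "KiSystemService" },   /* internal symbol, not exported */
};
enum { SYMBOL_COUNT = sizeof g_symbols / sizeof g_symbols[0] };

static int by_address(const void *a, const void *b)
{
    uint32_t x = (*(const Symbol *const *)a)->addr, y = (*(const Symbol *const *)b)->addr;
    return x < y ? -1 : x > y;
}

/* dbgIndexSort() style: an array of pointers into the list, sorted by address. The list itself
 * stays untouched, so indexes by name or size can coexist with it. Caller frees the index. */
static const Symbol **symbol_index_create(const Symbol *list, size_t n)
{
    const Symbol **idx = malloc(n * sizeof *idx);
    size_t i;
    if (!idx) return NULL;
    for (i = 0; i < n; i++) idx[i] = &list[i];
    qsort(idx, n, sizeof *idx, by_address);
    return idx;
}

typedef struct { const Symbol *sym; uint32_t offset; int inside; } Lookup;

/* ln / dbgSymbolLookup() style: binary-search the index for the last symbol at or below addr.
 * inside == 0 flags a "nearest symbol + large offset" answer that really points into a gap. */
static Lookup symbol_lookup(const Symbol **idx, size_t n, uint32_t addr)
{
    Lookup r = { NULL, 0, 0 };
    size_t lo = 0, hi = n;
    while (lo < hi) {                        /* first index entry whose addr is > target */
        size_t mid = lo + (hi - lo) / 2;
        if (idx[mid]->addr <= addr) lo = mid + 1; else hi = mid;
    }
    if (lo == 0) return r;                   /* below the lowest known symbol */
    r.sym = idx[lo - 1];
    r.offset = addr - r.sym->addr;
    r.inside = r.offset < r.sym->size;
    return r;
}

/* Render like the debugger: "NtClose+0x3c"; a "?" means no symbol precedes addr.
 * Uses a static buffer, so it is not reentrant (fine for a demo). */
static const char *symbol_format(const Symbol **idx, size_t n, uint32_t addr)
{
    static char buf[80];
    Lookup r = symbol_lookup(idx, n, addr);
    if (!r.sym) snprintf(buf, sizeof buf, "?");
    else snprintf(buf, sizeof buf, "%s+0x%x%s", r.sym->name, r.offset, r.inside ? "" : " (past end of symbol)");
    return buf;
}

int main(void)
{
    const Symbol **idx = symbol_index_create(g_symbols, SYMBOL_COUNT);
    uint32_t probes[] = { 0x80401a3c, 0x80401500, 0x80402000, 0x80400000 };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%08x  %s\n", probes[i], symbol_format(idx, SYMBOL_COUNT, probes[i]));
    free(idx);
    return 0;
}
```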
.................to be continued...................