Undocumented Windows 2000 Notes II: Windows Debugging Support

xiaoxiao2021-03-06  43

Chapter 1: Windows debugging support

Gushaow@mails.gscas.ac.cn

Symbol files

Install the Windows 2000 Customer Support Diagnostic Tools CD. For a free build, run \symbols\i386\retail\symbolsx.exe; for a checked build, run \symbols\i386\debug\symbolsx.exe. An environment variable _NT_SYMBOL_PATH is added, pointing to the %SystemRoot%\Symbols directory. The DDK kernel driver documentation says the Symbols subdirectory must be included in the path. The Platform SDK documentation, however, says something different about the symbol path used by dbghelp.dll: the library uses the symbol search path to locate the debug symbol (.dbg) files for .dll, .exe and .sys files, appending \Symbols\dll, \Symbols\exe or \Symbols\sys to each path entry. For example, the symbol file of general.dll would be located in C:\MySymbols\Symbols\dll. If _NT_SYMBOL_PATH is set, the search order is as follows:

1. The program's current working directory
2. The _NT_SYMBOL_PATH environment variable
3. The _NT_ALT_SYMBOL_PATH environment variable
4. The SystemRoot environment variable

By that description _NT_SYMBOL_PATH should be set to D:\Winnt, not D:\Winnt\Symbols. In practice, both settings work.

To examine a crash dump file with i386kd you need the -z parameter, for example as a shortcut target: \bin\i386kd.exe -z c:\winnt\memory.dmp

KD extension DLLs: kdextx86, userkdx, dbghelp. An extension command can be prefixed with the name of the module that provides it.

The ten most useful debugger commands:

u: disassemble machine code.

Format: u <address> disassembles eight machine instructions; u <start> <end> disassembles up to, but not including, the instruction at <end>; u with no parameters continues from where the previous u command stopped. The most interesting property of u is that it resolves the target module's internal symbols.

db, dw, dd: display memory.

The parameters are the same as for u, except that the byte referred to by <end> is also included. With no parameters, 128 bytes are displayed.

x: examine symbols.

It produces a list of symbols obtained from the installed symbol files.

1. x *!* displays the symbols of all modules. Right after startup, only the NTOSKRNL.EXE symbols are available by default.
2. x <module>!<pattern> shows the symbols from the symbol file of <module>, filtered by the pattern. For example, x nt!* lists all symbols in ntoskrnl.dbg, and x win32k!* lists the symbols in win32k.dbg.
3. x with a symbol expression displays all available symbols matching that expression. Symbol names and their associated virtual addresses are displayed: for a function name the address is the function's entry point; for a variable it is the base address of the variable. Most importantly, the output includes many internal symbols, not just the export table of the executable.

ln: list nearest symbols.

Whereas x produces a list of addresses for many symbols, ln examines a single symbol, specified either by name or by address.

- ln <address> shows the symbols near the given address.
- ln <symbol> resolves the given symbol name into a virtual address and then behaves like ln <address>.

Note that u, db, dw and dd accept symbols (which are resolved to addresses).

!processfields: lists the EPROCESS members (kdextx86.dll). This command lists all members of the process structure together with their offsets.

!threadfields: lists the ETHREAD members.

!drivers: lists all loaded drivers.

It is no longer supported in newer versions of Debugging Tools; use lm instead.

!sel: examines the value of a selector.

With no parameters, 16 memory selectors are displayed. In newer versions of Debugging Tools it is replaced by the built-in command dg.

This list is the author's distillation of many years of work as an assembly programmer.

Debug interfaces

PSAPI.DLL, ImageHLP.DLL, DBGHELP.DLL

PSAPI provides 14 functions for querying system information, covering drivers, processes, memory usage, process modules, working sets and memory maps.

ImageHlp and DbgHelp cover different ranges of tasks. They export similar function sets; ImageHlp provides more functions, while DbgHelp is a redistributable component. Both contain rich functions for analysing PE files. Their main difference lies in the ability to parse symbols from symbol files. Table 1-1 (pp. 51-53) lists the functions exported by the two DLLs.

PSAPI.dll and ImageHlp.dll can perform the following tasks:

- Enumerate all kernel components and drivers: EnumDeviceDrivers(), GetDeviceDriverFileName()
- Enumerate all processes currently managed by the system: EnumProcesses(), OpenProcess()
- Enumerate all modules loaded into a process's virtual address space: EnumProcessModules()
- Enumerate all symbols of a given component, if its symbols are available.

Because the psapi.dll and imagehlp.dll functions are not part of the standard Win32 API, their header files and import libraries are not included automatically in VC projects. To use them you need the following four lines:

#include <imagehlp.h>
#include <psapi.h>
#pragma comment(linker, "/defaultlib:imagehlp.lib")
#pragma comment(linker, "/defaultlib:psapi.lib")

W2K_SYM.EXE and W2K_DBG.DLL use these two DLLs.

Under Windows 2000 an HMODULE is the base address of the module. In the SDK header files it is defined as an alias of HINSTANCE, which is a handle type, but strictly speaking an HMODULE is not a handle. A handle is usually an index maintained by the system, through which the properties of an object are looked up, and every handle the system hands out for an object increments the object's handle count. The object instance cannot be removed from memory before all handles have been returned to the system; CloseHandle() serves this purpose, and the corresponding native function is NtClose(). The main point about HMODULEs is that they do not need to be closed. The remarks section for GetModuleHandle() in the SDK documentation points out that multithreaded applications must be careful, because one thread may unload a module and thereby invalidate the HMODULE another thread is using.

In two cases an HMODULE remains valid:

1. An HMODULE returned by LoadLibrary() or LoadLibraryEx() is valid until the process calls FreeLibrary(), because these functions maintain the module's reference count, so other threads cannot unload it.

2. An HMODULE from a different process is valid if it refers to a permanently loaded module. For example, all Windows 2000 kernel modules (excluding kernel drivers) are always mapped to the same fixed address in every process and stay valid for the lifetime of the process. Unfortunately, the module handles returned by the PSAPI.dll function EnumProcessModules() meet neither condition, so they are valid only at the time of the call. The arrays returned by EnumDeviceDrivers() and EnumProcesses() have the same problem.

EnumProcessModules() is better than the preceding functions because it reports how many bytes are missing when the buffer is too small; note, however, that Listing 1-7 does not include a loop that grows the buffer. Internally it calls NtQueryInformationProcess() to obtain the PEB of the target process, then takes the pointer to the module information table from the PEB. Because this data lives in another process, it has to be fetched with ReadProcessMemory().

Adjusting process privilege

Opening a process with a low ID requires higher privileges. You can obtain them by declaring yourself a debugger.

Steps to adjust the privileges:

1. Call Advapi32.OpenProcessToken() to open the process token.

2. Prepare a TOKEN_PRIVILEGES structure containing the privileges you need. Usually Advapi32.LookupPrivilegeValue() is used to look up a privilege by its name; 27 privileges and their symbolic names are defined in winnt.h. For example, the debug privilege is SE_DEBUG_NAME, equivalent to the string "SeDebugPrivilege".

3. Call Advapi32.AdjustTokenPrivileges().

GetCurrentProcess returns a pseudo handle -1, GetCurrentThread also returns a pseudo handle -2.
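The following is an added example, not code from these notes or from Schreiber's book: it puts the three privilege steps above together with the buffer-growing EnumProcessModules() loop that the text says Listing 1-7 lacks. It assumes a Win32 build with MSVC (advapi32.lib and psapi.lib are linked via pragmas); the function names enable_debug_privilege and list_process_modules are my own.

```c
/* Win32-only: enable SeDebugPrivilege, then enumerate the modules of a
   process with PSAPI. The _WIN32 guard only keeps the file compilable on
   other platforms, where it does nothing. Build with MSVC: cl example.c */
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "psapi.lib")

/* Steps 1-3 from the text. Returns ERROR_SUCCESS when the privilege is now
   enabled, ERROR_NOT_ALL_ASSIGNED when the account does not hold it, or
   another Win32 error code. */
DWORD enable_debug_privilege(void)
{
    HANDLE token;
    TOKEN_PRIVILEGES tp;
    DWORD err;

    /* GetCurrentProcess() is the pseudo handle -1; it needs no CloseHandle() */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return GetLastError();

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* SE_DEBUG_NAME expands to the string "SeDebugPrivilege" (winnt.h) */
    if (!LookupPrivilegeValueA(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        err = GetLastError();
    } else {
        /* AdjustTokenPrivileges() succeeds even when nothing was enabled; the
           real answer is GetLastError(): ERROR_SUCCESS or ERROR_NOT_ALL_ASSIGNED */
        AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL);
        err = GetLastError();
    }
    CloseHandle(token);
    return err;
}

/* Enumerate the modules of one process, growing the buffer until
   EnumProcessModules() fits everything (cbNeeded reports how many bytes the
   full list takes). Prints base address and file name of each module and
   returns the module count, or -1 if the process cannot be opened/enumerated. */
int list_process_modules(DWORD pid)
{
    HANDLE proc;
    HMODULE *mods = NULL;
    DWORD cb = 16 * sizeof(HMODULE), needed = 0;
    int count = -1, i;

    proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (proc == NULL)
        return -1;

    for (;;) {
        HMODULE *grown = (HMODULE *)realloc(mods, cb);
        if (grown == NULL)
            break;
        mods = grown;
        if (!EnumProcessModules(proc, mods, cb, &needed))
            break;
        if (needed <= cb) {              /* everything fitted */
            count = (int)(needed / sizeof(HMODULE));
            break;
        }
        cb = needed;                     /* too small: retry with the requested size */
    }

    /* The HMODULE values are plain base addresses inside the target process
       and, as the text notes, are trustworthy only for this snapshot. */
    for (i = 0; i < count; i++) {
        char path[MAX_PATH] = "<unknown>";
        GetModuleFileNameExA(proc, mods[i], path, sizeof path);
        printf("%p  %s\n", (void *)mods[i], path);
    }
    free(mods);
    CloseHandle(proc);
    return count;
}

int main(int argc, char **argv)
{
    /* Defaults to our own process; pass another PID on the command line */
    DWORD pid = argc > 1 ? (DWORD)strtoul(argv[1], NULL, 10) : GetCurrentProcessId();
    DWORD err = enable_debug_privilege();
    int n;

    if (err != ERROR_SUCCESS)
        printf("SeDebugPrivilege not enabled (error %lu); protected processes will not open\n", err);
    n = list_process_modules(pid);
    if (n < 0) {
        printf("cannot enumerate process %lu\n", pid);
        return 1;
    }
    printf("%d modules\n", n);
    return 0;
}
#endif /* _WIN32 */
```

Run it without arguments to list the modules of the program itself; with a PID it shows whether SeDebugPrivilege made the difference between an access-denied OpenProcess() and a successful enumeration. The module handles are consumed inside the same call that produced them, which is the only window in which the text says they are valid.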

Microsoft symbol names typically carry a prefix or suffix. Names generated by the C compiler usually begin with an underscore or an @: the @ marks a __fastcall function, while the underscore marks __stdcall and __cdecl functions. Because __fastcall and __stdcall leave the job of cleaning the parameter stack to the called function, the symbol also encodes the number of parameter bytes the caller pushed, appended as a decimal number after an @. Global variables are decorated like __cdecl functions.

Symbol              undecorated symbol (might have been declared in an .asm module)
_Symbol             cdecl function or global variable
_Symbol@n           stdcall function with n argument bytes
@Symbol@n           fastcall function with n argument bytes
__imp__Symbol       import thunk of a cdecl function or variable
__imp__Symbol@n     import thunk of a stdcall function with n argument bytes
__imp_@Symbol@n     import thunk of a fastcall function with n argument bytes
?Symbol             C++ symbol with embedded argument type information
__@@_PchSym_Symbol  PCH symbol

The next part of the book is a lengthy analysis of the format of Microsoft debug files; I did not have the patience to go through it.
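As an added example (my own code, not from the notes or the book), here is a small decoder that applies the table above to a decorated name and recovers the calling convention, the argument byte count and the base name. The sample names in main() are constructed for illustration and are not from any real symbol file; decode_symbol and the sym_info type are my own names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a decorated Microsoft symbol name tells us (see the table above). */
typedef enum {
    SYM_UNDECORATED,  /* Symbol          : e.g. declared in an .asm module */
    SYM_CDECL,        /* _Symbol         : __cdecl function or global variable */
    SYM_STDCALL,      /* _Symbol@n       : __stdcall, n argument bytes */
    SYM_FASTCALL,     /* @Symbol@n       : __fastcall, n argument bytes */
    SYM_CXX,          /* ?Symbol         : C++ name with embedded type info */
    SYM_PCH           /* __@@_PchSym_... : precompiled-header symbol */
} sym_kind;

typedef struct {
    sym_kind kind;
    int import_thunk;   /* 1 if the name carried the __imp_ prefix */
    int arg_bytes;      /* -1 when there is no @n suffix */
    char name[256];     /* base name with the decoration stripped */
} sym_info;

static int copy_name(sym_info *out, const char *s, size_t len)
{
    if (len >= sizeof out->name)
        return -1;
    memcpy(out->name, s, len);
    out->name[len] = '\0';
    return 0;
}

/* Parse the decimal byte count after the '@' that 'at' points to.
   Returns -1 unless the rest of the string is a well-formed number. */
static int parse_arg_bytes(const char *at)
{
    char *end;
    long n;
    if (at[1] == '\0')
        return -1;
    n = strtol(at + 1, &end, 10);
    return (*end == '\0' && n >= 0 && n <= 0xFFFF) ? (int)n : -1;
}

/* Decode a decorated name. Returns 0 and fills *out on success, -1 if the
   string is empty, malformed (e.g. "_Sym@x") or the name is too long. */
int decode_symbol(const char *decorated, sym_info *out)
{
    const char *p = decorated;
    const char *at;

    memset(out, 0, sizeof *out);
    out->arg_bytes = -1;
    if (p == NULL || *p == '\0')
        return -1;

    if (strncmp(p, "__@@_PchSym_", 12) == 0) {
        out->kind = SYM_PCH;
        return copy_name(out, p + 12, strlen(p + 12));
    }
    if (strncmp(p, "__imp_", 6) == 0) {   /* import thunk: decode what follows */
        out->import_thunk = 1;
        p += 6;
    }
    switch (*p) {
    case '?':
        out->kind = SYM_CXX;
        return copy_name(out, p, strlen(p));   /* keep the full mangled name */
    case '@':                                  /* @Symbol@n */
        p++;
        at = strchr(p, '@');
        if (at == NULL || (out->arg_bytes = parse_arg_bytes(at)) < 0)
            return -1;
        out->kind = SYM_FASTCALL;
        return copy_name(out, p, (size_t)(at - p));
    case '_':                                  /* _Symbol or _Symbol@n */
        p++;
        at = strchr(p, '@');
        if (at == NULL) {
            out->kind = SYM_CDECL;
            return copy_name(out, p, strlen(p));
        }
        if ((out->arg_bytes = parse_arg_bytes(at)) < 0)
            return -1;
        out->kind = SYM_STDCALL;
        return copy_name(out, p, (size_t)(at - p));
    default:
        out->kind = SYM_UNDECORATED;
        return copy_name(out, p, strlen(p));
    }
}

static const char *kind_name(sym_kind k)
{
    static const char *names[] = { "undecorated", "cdecl", "stdcall",
                                   "fastcall", "C++", "PCH" };
    return names[k];
}

int main(void)
{
    /* Constructed sample names, not taken from any real symbol file */
    const char *samples[] = {
        "_MyCdeclFunc", "_MyStdcallFunc@12", "@MyFastcallFunc@8",
        "__imp__MyCdeclFunc", "__imp__MyStdcallFunc@12", "__imp_@MyFastcallFunc@8",
        "?MyCxxFunc@@YAXH@Z", "MyAsmLabel", "_Broken@x"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sym_info si;
        if (decode_symbol(samples[i], &si) != 0) {
            printf("%-26s -> malformed\n", samples[i]);
            continue;
        }
        printf("%-26s -> %s%s %s", samples[i],
               si.import_thunk ? "import thunk of " : "", kind_name(si.kind), si.name);
        if (si.arg_bytes >= 0)
            printf(", %d argument bytes", si.arg_bytes);
        printf("\n");
    }
    return 0;
}
```

The decoder deliberately treats a name such as "_Broken@x" as malformed rather than guessing, because a wrong argument byte count would mislead anyone reading a stdcall stack frame; C++ names are recognised by the leading ? but left mangled, since undoing that encoding is a separate job from the prefix and suffix rules described here.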

Please credit the original source when reposting: https://www.9cbs.com/read-79662.html
