Comments on: Debugger tricks: Find all probable CONTEXT records in a crash dump http://www.nynaeve.net/?p=309 Adventures in Windows debugging and reverse engineering. Tue, 24 Aug 2010 12:05:39 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Dan http://www.nynaeve.net/?p=309&cpage=1#comment-41419 Dan Mon, 27 Jul 2009 14:16:56 +0000 http://www.nynaeve.net/?p=309#comment-41419 You don't have to use the pseudo-register trick to work around the spaces on symbol replacement. You can use the alias interpreter macro to handle it. For example: .foreach (CxrPtr {}){.cxr ${CxrPtr}-8c} The alias interpreter version does not require spaces around it. You don’t have to use the pseudo-register trick to work around the spaces on symbol replacement. You can use the alias interpreter macro to handle it.

For example:

.foreach (CxrPtr {}){.cxr ${CxrPtr}-8c}

The alias interpreter version does not require spaces around it.

]]> By: Genius http://www.nynaeve.net/?p=309&cpage=1#comment-40900 Genius Wed, 22 Jul 2009 09:18:24 +0000 http://www.nynaeve.net/?p=309#comment-40900 hi dear, I need some source code for DDK, some good sample for driver programming, if you can send me some stuff related to this and kernel level programming and how use some important kernel functions it's apperciated. thanks man ... if it's no problem send them to me through E-mail . thanks . hi dear, I need some source code for DDK, some good sample for driver programming, if you can send me some stuff related to this and kernel level programming and how use some important kernel functions it’s apperciated.
thanks man …
if it’s no problem send them to me through E-mail .
thanks .

]]> By: Kjell Gunnar http://www.nynaeve.net/?p=309&cpage=1#comment-35632 Kjell Gunnar Tue, 05 May 2009 08:27:42 +0000 http://www.nynaeve.net/?p=309#comment-35632 Hi Thank you for your post, however maybe it could be improved. I have for years used the “~*e s -d poi(@$teb+8) poi(@$teb+4) 1003f” to real stack "behind" the exception. (posted by Ivan Brugiolo). When I tried your method on a recent dump, it did not find the correct CONTEXT structure because the FS in the correct CONTEXT was 3b instead of 38. after ntdll!DbgUiRemoteBreakin. I don’t understand the difference between ContextFlags 1003f and 10017 can you explain ? Thank you ! My output: 0:010> .foreach ( CxrPtr { s -[w1]d 0 l?ffffffff @gs @fs @es @ds } ) {.echo "=== CxrPtr: ";.echo CxrPtr; dd CxrPtr - 8c l1;.cxr CxrPtr - 8c } === CxrPtr: 0x0229fdb8 0229fd2c 00010017 eax=00000000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005 eip=7c95077b esp=0229fff8 ebp=00000000 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200 ntdll!DbgUiRemoteBreakin: 7c95077b 6a08 push 8 === CxrPtr: 0x03f2fdbc 03f2fd30 00010017 eax=7c0040e2 ebx=016c5388 ecx=7c910970 edx=7c90ee18 esi=00000000 edi=0012f440 eip=7c810856 esp=03f2fffc ebp=7c913e6f iopl=0 nv up ei pl nz na po nc cs=05e0 ss=0010 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200 kernel32!BaseThreadStartThunk: 05e0:7c810856 33ed xor ebp,ebp === CxrPtr: 0x043cfdbc 043cfd30 00010017 eax=791d24e3 ebx=04201eb0 ecx=0000ce91 edx=00000002 esi=00000000 edi=00150178 eip=7c810856 esp=043cfffc ebp=7c91664e iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200 kernel32!BaseThreadStartThunk: 7c810856 33ed xor ebp,ebp ====> Correct fault here ! 0:010> ~*e s -d poi(@$teb+8) poi(@$teb+4) 1003f 0012f87c 0001003f 00000000 00000000 00000000 ?............... 0:010> .cxr 0012f87c eax=616e614d ebx=07dea796 ecx=09647dc8 edx=00000001 esi=09647dc8 edi=06e82408 eip=0b5a145e esp=0012fc08 ebp=0012fc18 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 0b5a145e 8b5804 mov ebx,dword ptr [eax+4] ds:0023:616e6151=???????? See: http://groups.google.com/group/microsoft.public.windbg/tree/browse_frm/thread/e0270232f2560e5e/4938d2d8b2e4edec?hl=en&rnum=1&q=real+stack+%22behind%22+the+exception&_done=%2Fgroup%2Fmicrosoft.public.windbg%2Fbrowse_frm%2Fthread%2Fe0270232f2560e5e%2F4938d2d8b2e4edec%3Fhl%3Den%26tvc%3D1%26q%3Dreal%2Bstack%2B%2522behind%2522%2Bthe%2Bexception%26#doc_08b20827422f3d42 Hi
Thank you for your post, however maybe it could be improved.
I have for years used the “~*e s -d poi(@$teb+8) poi(@$teb+4) 1003f” to real stack “behind” the exception. (posted by Ivan Brugiolo).
When I tried your method on a recent dump, it did not find the correct CONTEXT structure because the FS in the correct CONTEXT was 3b instead of 38. after ntdll!DbgUiRemoteBreakin.
I don’t understand the difference between ContextFlags 1003f and 10017 can you explain ?

Thank you !
My output:

0:010> .foreach ( CxrPtr { s -[w1]d 0 l?ffffffff @gs @fs @es @ds } ) {.echo “=== CxrPtr: “;.echo CxrPtr; dd CxrPtr – 8c l1;.cxr CxrPtr – 8c }
=== CxrPtr:
0×0229fdb8
0229fd2c 00010017
eax=00000000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c95077b esp=0229fff8 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200
ntdll!DbgUiRemoteBreakin:
7c95077b 6a08 push 8
=== CxrPtr:
0×03f2fdbc
03f2fd30 00010017
eax=7c0040e2 ebx=016c5388 ecx=7c910970 edx=7c90ee18 esi=00000000 edi=0012f440
eip=7c810856 esp=03f2fffc ebp=7c913e6f iopl=0 nv up ei pl nz na po nc
cs=05e0 ss=0010 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200
kernel32!BaseThreadStartThunk:
05e0:7c810856 33ed xor ebp,ebp
=== CxrPtr:
0×043cfdbc
043cfd30 00010017
eax=791d24e3 ebx=04201eb0 ecx=0000ce91 edx=00000002 esi=00000000 edi=00150178
eip=7c810856 esp=043cfffc ebp=7c91664e iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200
kernel32!BaseThreadStartThunk:
7c810856 33ed xor ebp,ebp

====> Correct fault here !
0:010> ~*e s -d poi(@$teb+8) poi(@$teb+4) 1003f
0012f87c 0001003f 00000000 00000000 00000000 ?……………
0:010> .cxr 0012f87c
eax=616e614d ebx=07dea796 ecx=09647dc8 edx=00000001 esi=09647dc8 edi=06e82408
eip=0b5a145e esp=0012fc08 ebp=0012fc18 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0b5a145e 8b5804 mov ebx,dword ptr [eax+4] ds:0023:616e6151=????????

See:
http://groups.google.com/group/microsoft.public.windbg/tree/browse_frm/thread/e0270232f2560e5e/4938d2d8b2e4edec?hl=en&rnum=1&q=real+stack+%22behind%22+the+exception&_done=%2Fgroup%2Fmicrosoft.public.windbg%2Fbrowse_frm%2Fthread%2Fe0270232f2560e5e%2F4938d2d8b2e4edec%3Fhl%3Den%26tvc%3D1%26q%3Dreal%2Bstack%2B%2522behind%2522%2Bthe%2Bexception%26#doc_08b20827422f3d42

]]> By: Yuhong Bao http://www.nynaeve.net/?p=309&cpage=1#comment-34880 Yuhong Bao Mon, 13 Apr 2009 05:46:53 +0000 http://www.nynaeve.net/?p=309#comment-34880 I am kind of mixed on the fact that both skape and Skywing are now at MS, just like I was kind of mixed on MS buying Winternals. For example, both skape and Skywing wrote the papers on PatchGuard, and I was not able to find anything about PatchGuard in Windows 7 x64. I am kind of mixed on the fact that both skape and Skywing are now at MS, just like I was kind of mixed on MS buying Winternals. For example, both skape and Skywing wrote the papers on PatchGuard, and I was not able to find anything about PatchGuard in Windows 7 x64.

]]> By: Marc Sherman http://www.nynaeve.net/?p=309&cpage=1#comment-34457 Marc Sherman Tue, 31 Mar 2009 15:47:09 +0000 http://www.nynaeve.net/?p=309#comment-34457 Thanks for this info and congratulations on your new position at MS (http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx) Thanks for this info and congratulations on your new position at MS (http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx)

]]>