windbg

!clrstack -p not giving the values of the parameters for the methods in the call stack

魔方 西西 submitted on 2019-12-12 08:28:00
Question: We are trying to analyze a w3wp memory dump using WinDbg, and we found that the w3wp process is crashing due to a stack overflow. I loaded psscor4.dll and got the call stack by issuing !clrstack. But I also want to know the parameters being passed to the methods. If I issue "!clrstack -p" or "!clrstack -a", we get <no data> for all the parameters and local variables. Any idea why we are getting <no data> instead of the actual values for the parameters and local variables? Answer 1: If you're

C# Anti-Debug method OutputDebugString doesn't work right

北城以北 submitted on 2019-12-12 05:32:17
Question: So recently I've been reading up on anti-debug mechanisms, and a popular method I've come across to check whether the current process is being debugged is OutputDebugString. I've written this piece of code, but it doesn't exactly work as intended; can someone shed some light on why, or on what I'm doing wrong?
private static bool stub_OutputDebugString()
{
    uint ErrCode = 0x12A6;
    Native.SetLastError(ErrCode);
    Native.OutputDebugString("System.Core\n");
    if (Marshal.GetLastWin32Error() == (int)ErrCode)
    {
        /
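The check the post describes, as an added example that is not the poster's code (the Native class below is my own P/Invoke declaration, and the sentinel value and the string passed to OutputDebugString are arbitrary): it plants a sentinel last-error, calls OutputDebugString, and reads the last-error back through Marshal.GetLastWin32Error(). Two points matter in practice. First, Marshal.GetLastWin32Error() only returns a value that a P/Invoke stub declared with SetLastError = true captured right after the native call; without that attribute the value it returns has nothing to do with OutputDebugString. Second, the heuristic itself is only dependable on Windows XP and earlier, where the no-debugger path fails internally and overwrites the last-error; on later Windows versions that path does not reliably change it, so the result is printed next to the documented IsDebuggerPresent API for comparison.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not the original poster's code.
static class Native
{
    // SetLastError = true makes the P/Invoke stub capture the thread's Win32
    // last-error immediately after the native call returns. Without it,
    // Marshal.GetLastWin32Error() does not reflect what OutputDebugString did.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern void OutputDebugStringW(string lpOutputString);

    [DllImport("kernel32.dll")]
    public static extern void SetLastError(uint dwErrCode);

    [DllImport("kernel32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool IsDebuggerPresent();
}

static class AntiDebug
{
    // Arbitrary sentinel (assumption: any value the API would not set itself).
    const uint Sentinel = 0x12A6;

    // Classic heuristic: with a debugger attached, OutputDebugString hands the
    // string to the debugger and leaves the last-error alone, so the sentinel
    // survives. On Windows XP and earlier, with no debugger, the call fails
    // internally and overwrites the last-error. On later Windows versions the
    // no-debugger path does not reliably change it, so this tends to report
    // "debugged" everywhere; treat the result as a signal, not as proof.
    public static bool OutputDebugStringCheck()
    {
        Native.SetLastError(Sentinel);
        Native.OutputDebugStringW("System.Core\n");
        return Marshal.GetLastWin32Error() == (int)Sentinel;
    }

    static void Main()
    {
        // Run once from a plain console and once under WinDbg or Visual Studio
        // and compare the two lines; a disagreement on a modern Windows build
        // is the unreliability described above, not a bug in the P/Invoke.
        Console.WriteLine($"OutputDebugString heuristic: {OutputDebugStringCheck()}");
        Console.WriteLine($"IsDebuggerPresent:           {Native.IsDebuggerPresent()}");
    }
}
```

Because the sentinel is planted through one P/Invoke and read back after another, anything the runtime does between the two calls (marshalling, a GC, a JIT of the stub) can touch the thread's last-error; that is a further reason to prefer IsDebuggerPresent or CheckRemoteDebuggerPresent over this trick in managed code.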

Synthetic kernel debugging for Hyper-V virtual machines not working - how to troubleshoot?

て烟熏妆下的殇ゞ submitted on 2019-12-12 05:18:53
Question: I want to kernel-debug my Hyper-V VMs. I can do it via the COM port to pipe method (Ref), but that gives me a throughput of 60-80 KBytes/sec, which is too slow for e.g. taking dump files. So I'm trying to set up synthetic kernel debugging for Hyper-V virtual machines, but the kernel debugger never connects. Troubleshooting and details: I verified that the worker process vmwp.exe listens on UDP:55555 by running netstat -nao | findstr /C:"55555". I tried to connect from another machine, and confirmed

Symbol path for WinDbg

馋奶兔 submitted on 2019-12-12 05:18:46
Question: My PC underwent an automatic restart, and when I checked Event Viewer I found the bug check error. I found the location of the .dmp file that was created. I then downloaded WinDbg and understand that the first thing I have to do is set the symbol path, then open the crash dump and select the .dmp file. I found a list of the paths to use at https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-symbol-and-source-paths-in-windbg, but whenever I open the crash dump and click the file, it gives

Interpreting Section object in kernel dump

試著忘記壹切 submitted on 2019-12-12 04:35:26
Question: I'm trying to track down issues with a 3rd-party application. The path currently being investigated is to look into a Section object that gets created in each process: rpsPdf10.mutex. If the name of the object is any indication of its intended usage, I'm not sure why they chose a Section object and use it as a mutex, but that's likely largely irrelevant. Using LiveKd I've issued the following commands trying to get detailed info on the Section object 0: kd> !process 0 0 3thParty.exe ...

Microsoft debug symbols don't work

只谈情不闲聊 submitted on 2019-12-12 04:23:36
Question: I'm trying to analyze a memory dump, but I'm stuck on the debug symbols of a Microsoft DLL (sechost.dll). What I do:
1) !sym noisy
2) .symfix
3) .sympath
My .sympath is:
Symbol search path is: srv*
Expanded Symbol search path is: cache*;SRV*http://msdl.microsoft.com/download/symbols
4) !analyze -v
After that I saw symbols loading, but for some symbols I get
......
SYMSRV: The operation timed out
SYMSRV: http://msdl.microsoft.com/download/symbols/sechost.pdb/C4FD72A96E384F62A5F796624D37EAB42

“Failed to request ThreadStore” - WinDbg debugging live process

风流意气都作罢 submitted on 2019-12-12 04:09:00
Question: I am debugging the live process (not a dump) of PresentationHost.exe. It used to work fine, but suddenly, a few days ago, I started getting the above error message. !Threads, !pe, virtually all SOS commands don't work. All I remember is that I installed Visual Studio 2010 and .NET Framework 4.0 before I started getting that error. Is it related? UPDATE: I myself cannot reproduce the problem I was having. Probably I was debugging a 32-bit process with a 64-bit debugger, or a .NET 4 process with the .NET 2.0 SOS, or vice

Limitations of Local Kernel Mode Debugging in WinDbg?

南楼画角 submitted on 2019-12-12 03:10:35
Question: Are there some limitations to the Local Kernel Mode Debugging option in WinDbg? I am running Win XP SP3 inside a VM using VMware Workstation. The host operating system is Windows 7 SP1. I want to perform kernel debugging using WinDbg inside the VM. However, a few commands are not working. For instance:
lkd> !process -0 0
PROCESS 82cd38b0 SessionId: 0 Cid: 0cd4 Peb: 7ffd6000 ParentCid: 0638
DirBase: 0e740300 ObjectTable: e2474a10 HandleCount: 43.
Image: notepad.exe
lkd> .process /i 82cd38b0
^

Debugging .NET using SOS

杀马特。学长 韩版系。学妹 submitted on 2019-12-12 01:34:19
Question: I have created a dump using clrdump. When I go to view it using SOS, I load up SOS and then run !dso, but the error I get is: PDB symbol for mscorwks.dll not loaded. However, in the module window it says that the symbol is loaded. I have obtained the up-to-date symbols from the MS store? Anybody have any ideas? Thanks, Darren. Answer 1: You don't really need symbols for mscorwks.dll for !dso to work correctly, but here's some advice on how to get the symbols. The first thing you need to do is to verify that

getting visual studio ultimate “Debug Managed Memory” output from windbg

孤街醉人 submitted on 2019-12-11 23:16:47
Question: Is it possible to obtain summary information for managed objects on the heap in WinDbg that's similar to the summary presented by Visual Studio Ultimate's 'Debug Managed Memory' option? I can obtain some of the information, but it's on a case-by-case basis and is quite tedious. Is there a macro or set of commands that can produce similar output using WinDbg? Visual Studio seems to have a neat little routine where it collects all the roots and shows a summary of the root object classes and