windbg

WinDbg callstack hexadecimal offset [duplicate]

旧城冷巷雨未停 submitted on 2020-02-07 10:13:12
Question This question already has answers here: How to understand the call stack of Visual Studio? (3 answers) Closed 3 years ago. What does the hexadecimal value (with the +) behind the function name stand for?
00 012ff668 7795aa24 ntdll_778f0000!LdrInitShimEngineDynamic+0x726
01 012ff8a0 77956e84 ntdll_778f0000!WinSqmSetDWORD64+0x14e4
02 012ff8f4 77956cd0 ntdll_778f0000!LdrInitializeThunk+0x1c4
03 012ff8fc 00000000 ntdll_778f0000!LdrInitializeThunk+0x10
Answer 1: These numbers indicate offset from
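
An added example (not part of the question or its answer) that shows what the +0xNNN means in practice. The offset is the number of bytes between the resolved start address of the named symbol and the code address of that frame. The code address of frame N is the RetAddr column of frame N-1 (frame 0 sits at EIP, which `k` does not print), so start = RetAddr[N-1] - offset[N]; on the question's own stack this resolves both LdrInitializeThunk frames to the same start address, a cheap consistency check. A very large offset from an export whose name has nothing to do with loader initialisation (WinSqmSetDWORD64+0x14e4) is the usual sign that only export symbols were available for ntdll, so the name is merely the nearest preceding export, not the real function. The frame lines are copied from the question; the 0x1000 threshold is an arbitrary heuristic of this example, not a WinDbg rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One frame of 32-bit WinDbg `k` output, e.g.
#   01 012ff8a0 77956e84 ntdll_778f0000!WinSqmSetDWORD64+0x14e4
# columns: frame number, ChildEBP, RetAddr, module!symbol+offset
FRAME_RE = re.compile(
    r"^\s*(?P<num>[0-9a-f]{2})\s+(?P<child_ebp>[0-9a-f]{8,16})\s+"
    r"(?P<ret>[0-9a-f]{8,16})\s+(?P<mod>[^!\s]+)!(?P<sym>[^+\s]+)"
    r"(?:\+0x(?P<off>[0-9a-f]+))?\s*$",
    re.IGNORECASE,
)
# WinDbg may suffix a module name with its load address (ntdll_778f0000).
MOD_BASE_RE = re.compile(r"^(.*)_([0-9a-f]{8,16})$", re.IGNORECASE)

# Offsets at or above this are treated as "probably not the real function"
# (heuristic threshold chosen for this example).
SUSPICIOUS_OFFSET = 0x1000


@dataclass
class Frame:
    num: int
    child_ebp: int
    ret_addr: int          # return address into the caller (frame num+1)
    module: str
    symbol: str
    offset: int            # bytes past the resolved start of `symbol`
    base: Optional[int]    # module load address when WinDbg printed it


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    module, base = m.group("mod"), None
    bm = MOD_BASE_RE.match(module)
    if bm:
        module, base = bm.group(1), int(bm.group(2), 16)
    return Frame(
        num=int(m.group("num"), 16),
        child_ebp=int(m.group("child_ebp"), 16),
        ret_addr=int(m.group("ret"), 16),
        module=module,
        symbol=m.group("sym"),
        offset=int(m.group("off") or "0", 16),
        base=base,
    )


def parse_stack(text: str) -> List[Frame]:
    return [f for f in map(parse_frame, text.splitlines()) if f is not None]


def frame_address(frames: List[Frame], i: int) -> Optional[int]:
    """Code address that `k` symbolised for frame i: the RetAddr of frame i-1.
    Frame 0 is at EIP, which `k` does not print, so None is returned for it."""
    return None if i == 0 else frames[i - 1].ret_addr


def symbol_start(frames: List[Frame], i: int) -> Optional[int]:
    """Address the debugger resolved frames[i].symbol to (address - offset)."""
    addr = frame_address(frames, i)
    return None if addr is None else addr - frames[i].offset


def symbol_rva(frames: List[Frame], i: int) -> Optional[int]:
    """Relative virtual address of the symbol inside its module, usable to look
    it up in the PE export table or a PDB of the same build."""
    start, base = symbol_start(frames, i), frames[i].base
    return None if start is None or base is None else start - base


def suspicious_frames(frames: List[Frame]) -> List[int]:
    """Frame numbers whose symbol+offset is probably an export-only fallback name."""
    return [f.num for f in frames if f.offset >= SUSPICIOUS_OFFSET]


# Frames copied verbatim from the question above.
SAMPLE_STACK = """\
00 012ff668 7795aa24 ntdll_778f0000!LdrInitShimEngineDynamic+0x726
01 012ff8a0 77956e84 ntdll_778f0000!WinSqmSetDWORD64+0x14e4
02 012ff8f4 77956cd0 ntdll_778f0000!LdrInitializeThunk+0x1c4
03 012ff8fc 00000000 ntdll_778f0000!LdrInitializeThunk+0x10
"""

if __name__ == "__main__":
    frames = parse_stack(SAMPLE_STACK)
    for i, f in enumerate(frames):
        start = symbol_start(frames, i)
        where = "at EIP, not printed by k" if start is None else f"symbol start {start:#x}"
        print(f"{f.num:02x} {f.module}!{f.symbol}+{f.offset:#x}: {where}")
    print("frames whose name is probably an export fallback:", suspicious_frames(frames))
```

Frames 02 and 03 both resolve LdrInitializeThunk to 0x77956cc0 (RVA 0x66cc0 from the 0x778f0000 base), which is what a correct symbol+offset pair should do; frame 01 is flagged, and the right fix for it is loading the matching ntdll PDB (`.symfix; .reload`), not trusting the name.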

windbg cannot download debugging symbols

回眸只為那壹抹淺笑 submitted on 2020-02-05 00:57:05
The Microsoft symbol server has not been reachable by ping for a long time. With a global proxy enabled the symbols can be downloaded, but I do not want to keep a global proxy on all the time. Later I found an alternative: set a system environment variable so that the symbol-download traffic goes through the proxy server: _NT_SYMBOL_PROXY. After configuring the proxy and downloading symbols again, a download progress message appears! Source: CSDN Author: FFE4 Link: https://blog.csdn.net/cssxn/article/details/104173175

Unable to debug the kernel driver using Serial cable

那年仲夏 提交于 2020-01-25 12:55:07
Question I am new to driver stuff. I have tried to debug the kernel driver using a serial COM port without success. Could someone show me the proper direction on how to fix the problem? I am seeing the following messages on the kd console.
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 127
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 127
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 127
At this time, I pressed Ctrl+D in the kd console and I am seeing
READ: Timeout.
READ: Wait

Setting up a kernel debugging environment with Windbg and VMware

泄露秘密 submitted on 2020-01-24 09:58:38
Symptom: after restoring a system image inside the virtual machine, the guest blue-screens. Debugging shows bugcheck 0x7B (INACCESSIBLE_BOOT_DEVICE): the virtual disk was attached as SCSI, which keeps the guest from booting; switch it to IDE.
Principle: VMware exposes a virtual COM port to the guest OS and creates a named pipe on the host OS. One end of the pipe is connected to the guest's COM port, the other end to Windbg, so all data exchanged between the host (Windbg) and the guest OS is forwarded through this pipe.
Steps:
1. Install Windbg.
2. Create a shortcut to Windbg and append the following to its "Target" field: -b -k com:pipe,port=\\.\pipe\com_1,resets=0
3. Right-click This PC > Properties > Advanced system settings > Environment Variables, and create a new variable _NT_SYMBOL_PATH with the value: SRV*d:\mysymbol*http://msdl.microsoft.com/download/symbols
4. Add a serial port to the VM (shut down the guest OS first), configured to output to the named pipe \\.\pipe\com_1.
5. In the guest OS's boot.ini (mount the virtual disk and locate the file) add the following entry: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Debug" /fastdetect /debugport=com1
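
An added example, not code from this post or from the _NT_SYMBOL_PROXY post above, that does steps 2 to 4 and the proxy setting from a script instead of the VMware UI and the Environment Variables dialog, and checks for the SCSI-disk condition behind the 0x7B symptom. The .vmx keys (serial0.present, serial0.fileType, serial0.fileName, serial0.pipe.endPoint, serial0.tryNoRxLoss) are what VMware writes for a serial port that outputs to a named pipe with this end as the server and the other end an application; they are reproduced from memory and should be compared against a .vmx that was configured through the UI once. The disk key layout (scsi0:0.fileName, ide0:0.fileName) and the host:port format of _NT_SYMBOL_PROXY are assumptions as well. The symbol path uses https, which the Microsoft symbol server supports and which avoids fetching PDBs over plaintext. For a Vista-or-later guest the boot.ini entry of step 5 no longer exists; the equivalent is `bcdedit /debug on` followed by `bcdedit /dbgsettings serial debugport:1 baudrate:115200` run inside the guest.

```python
import re
from typing import Dict, List, Optional

PIPE = r"\\.\pipe\com_1"
MS_SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


# Assumed .vmx keys for "Serial Port -> Use named pipe, this end is the server,
# the other end is an application, yield CPU on poll" (verify against a VM that
# was configured through the VMware UI once).
def serial_pipe_settings(pipe: str = PIPE, index: int = 0) -> Dict[str, str]:
    p = f"serial{index}"
    return {
        f"{p}.present": "TRUE",
        f"{p}.fileType": "pipe",
        f"{p}.fileName": pipe,
        f"{p}.pipe.endPoint": "server",   # WinDbg on the host connects as the client
        f"{p}.tryNoRxLoss": "TRUE",       # "Yield CPU on poll"
    }


VMX_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')
DISK_RE = re.compile(r"^(scsi|ide|sata|nvme)\d+:\d+\.fileName$", re.IGNORECASE)


def parse_vmx(text: str) -> Dict[str, str]:
    """key -> value for every `key = "value"` line; other lines are ignored."""
    return {m.group(1): m.group(2) for m in map(VMX_LINE.match, text.splitlines()) if m}


def disk_controllers(vmx: Dict[str, str]) -> List[str]:
    """Controller types that have a .vmdk attached (assumed key layout such as
    scsi0:0.fileName). The post's bugcheck 0x7B came from a guest whose only
    disk sat on scsi, so ["scsi"] here is the thing to fix before debugging."""
    found = set()
    for key, value in vmx.items():
        m = DISK_RE.match(key)
        if m and value.lower().endswith(".vmdk"):
            found.add(m.group(1).lower())
    return sorted(found)


def upsert_vmx(text: str, settings: Dict[str, str]) -> str:
    """Apply settings to .vmx text: replace keys that exist in place, append the
    rest, leave every unrelated line untouched; running it twice changes nothing."""
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        key = m.group(1) if m else None
        if key in settings:
            out.append(f'{key} = "{settings[key]}"')
            seen.add(key)
        else:
            out.append(line)
    out.extend(f'{k} = "{v}"' for k, v in settings.items() if k not in seen)
    return "\n".join(out) + "\n"


def symbol_env(cache_dir: str, proxy: Optional[str] = None,
               server: str = MS_SYMBOL_SERVER) -> Dict[str, str]:
    """Environment variables WinDbg reads for symbol download: _NT_SYMBOL_PATH
    (local cache first, then the server) and, when given, _NT_SYMBOL_PROXY so
    that only symbol traffic goes through the proxy (host:port format assumed)."""
    env = {"_NT_SYMBOL_PATH": f"SRV*{cache_dir}*{server}"}
    if proxy:
        env["_NT_SYMBOL_PROXY"] = proxy
    return env


def windbg_kernel_args(pipe: str = PIPE) -> str:
    """Arguments to append to the WinDbg shortcut target (the post's step 2)."""
    return f"-b -k com:pipe,port={pipe},resets=0"


# Constructed stand-in for a real .vmx (not a file from the post).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "WinXP-debug"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "WinXP.vmdk"
serial0.present = "FALSE"
"""

if __name__ == "__main__":
    print("disk controllers:", disk_controllers(parse_vmx(SAMPLE_VMX)))
    print(upsert_vmx(SAMPLE_VMX, serial_pipe_settings()))
    for k, v in symbol_env(r"d:\mysymbol", proxy="127.0.0.1:8080").items():
        print(f"set {k}={v}")
    print("windbg", windbg_kernel_args())
```

To apply it to a real VM, read the .vmx with the guest powered off, pass the text through upsert_vmx, and write it back; VMware re-reads the file on the next power-on. Setting the two environment variables with `setx` (or in the Environment Variables dialog as the post describes) keeps the proxy scoped to symbol downloads, which is the point of the _NT_SYMBOL_PROXY post.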

In Windbg, how do I determine if a ManualResetEvent is signaled or not?

荒凉一梦 submitted on 2020-01-23 08:26:32
Question I took a memory dump of a process using .dump /ma c:\mydump.dmp I would like to figure out if a specific ManualResetEvent handle is set or waiting. I've tried
0:181> !handle 2db0 f
Handle 0000000000002db0
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003: Delete,ReadControl,WriteDac,WriteOwner,Synch QueryState,ModifyState
  HandleCount   2
  PointerCount  524289
  Name          <none>
  Object specific information
I have discovered that someone got more information using the same command somewhere on the

windbg - automatically continue when child process created and .childdbg 1 enabled

主宰稳场 submitted on 2020-01-23 08:12:05
Question I'm using a startup script for windbg, and would like to debug child processes (.childdbg 1). However, once I enable it, I find that windbg automatically breaks when the child process is created. I'm not sure why this is occurring, but here's the script I'm using:
sxe -c ".echo ********** CLR 1st Chance Exception **********;!pe -nested;.echo ----------- CLRStack ----------;!clrstack;g" clr
sxe -c ".echo Child Process Created;g" cpr
sxe -c ".echo Child Process Exited;g" epr
.load psscor2.dll

Is there a way in windbg to create a break point that will fire when a certain parameter is passed on the stack?

空扰寡人 submitted on 2020-01-23 03:00:07
Question I'm trying to track down who is making an allocation of a certain size, and I tried using the user mode stack trace db (gflags +ust), but due to FPO I can't see the entire stack. So instead I wanted to set a breakpoint on RtlAllocateHeap when it makes the allocation size I'm looking for. The only problem is I can't seem to find out a way to get this to work. I initially tried using @esi since it looked like the third parameter was being passed using this register, but it doesn't appear that's

Analyzing output of !threadpool and !threads in windbg

丶灬走出姿态 submitted on 2020-01-22 09:08:46
Question I have generated dumps on four servers and am analyzing the output of !threadpool and !threads. I noticed the roughly consistent following output:
0:024> !threadpool
CPU utilization 0%
Worker Thread: Total: 2 Running: 0 Idle: 2 MaxLimit: 200 MinLimit: 2
Work Request in Queue: 0
Number of Timers: 27
Completion Port Thread:Total: 2 Free: 0 MaxFree: 4 CurrentLimit: 2 MaxLimit: 200 MinLimit: 2
!threads -special
ThreadCount: 32 UnstartedThread: 0 BackgroundThread: 19 PendingThread: 0 DeadThread:
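
An added example, not from the post: when the same counters come from four servers, the useful thing is to parse them and apply the same checks to each dump rather than read them by eye. The parser below handles the `!threadpool` counter lines and the `ThreadCount:` line of `!threads -special` as they are printed by sos/psscor (the Worker Thread and Completion Port Thread lines reuse the same counter names, so each is kept in its own sub-dict). The diagnostic rules are this example's own reading of the counters: workers at MaxLimit with requests queued and nobody idle is thread-pool starvation, the classic self-inflicted denial of service in an ASP.NET process. The healthy sample is the post's output re-lined; the starved sample is constructed.

```python
import re
from typing import Any, Dict

PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")
CPU_RE = re.compile(r"CPU utilization:?\s*(\d+)%", re.IGNORECASE)
PROMPT_RE = re.compile(r"^\d+:\d+>")          # "0:024> !threadpool" echo lines


def _pairs(s: str) -> Dict[str, int]:
    """'Total: 2 Running: 0 ...' -> {'Total': 2, 'Running': 0, ...}"""
    return {k.strip(): int(v) for k, v in PAIR_RE.findall(s)}


def parse_threadpool(text: str) -> Dict[str, Any]:
    """Parse `!threadpool` output (plus the ThreadCount line of `!threads -special`).
    Worker and completion-port counters live under 'worker' and 'iocp'; the
    remaining 'Name: number' pairs are stored at top level under their own names."""
    info: Dict[str, Any] = {"worker": {}, "iocp": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        m = CPU_RE.match(line)
        if m:
            info["cpu_utilization"] = int(m.group(1))
        elif line.startswith("Worker Thread:"):
            info["worker"] = _pairs(line[len("Worker Thread:"):])
        elif line.startswith("Completion Port Thread:"):
            info["iocp"] = _pairs(line[len("Completion Port Thread:"):])
        else:
            info.update(_pairs(line))   # Work Request in Queue, Number of Timers, ThreadCount, ...
    return info


def diagnose(info: Dict[str, Any]) -> Dict[str, bool]:
    """Rules of this example, applied to the parsed counters."""
    w, c = info["worker"], info["iocp"]
    queued = info.get("Work Request in Queue", 0)
    return {
        # every worker the CLR is willing to create is running
        "worker_saturated": w.get("Running", 0) >= w.get("MaxLimit", 1),
        # work is waiting and no worker is idle: starvation, requests time out
        "worker_starved": queued > 0 and w.get("Idle", 1) == 0,
        # no free I/O completion thread right now (look at them with ~*e !clrstack)
        "iocp_no_free": c.get("Free", 1) == 0,
        # completion-port pool can no longer grow either
        "iocp_at_max": c.get("Free", 1) == 0 and c.get("Total", 0) >= c.get("MaxLimit", 1),
    }


# The post's output, one counter line each as WinDbg prints it.
SAMPLE_HEALTHY = """\
0:024> !threadpool
CPU utilization 0%
Worker Thread: Total: 2 Running: 0 Idle: 2 MaxLimit: 200 MinLimit: 2
Work Request in Queue: 0
Number of Timers: 27
Completion Port Thread:Total: 2 Free: 0 MaxFree: 4 CurrentLimit: 2 MaxLimit: 200 MinLimit: 2
0:024> !threads -special
ThreadCount: 32 UnstartedThread: 0 BackgroundThread: 19 PendingThread: 0
"""

# Constructed counters for a starved pool (not from the post).
SAMPLE_STARVED = """\
CPU utilization 12%
Worker Thread: Total: 200 Running: 200 Idle: 0 MaxLimit: 200 MinLimit: 2
Work Request in Queue: 57
Number of Timers: 3
Completion Port Thread:Total: 4 Free: 3 MaxFree: 4 CurrentLimit: 4 MaxLimit: 200 MinLimit: 2
"""

if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_HEALTHY), ("starved", SAMPLE_STARVED)):
        info = parse_threadpool(text)
        print(name, info["worker"], diagnose(info))
```

On the post's numbers nothing fires except "no free completion-port thread", which with Total 2 far below MaxLimit 200 only says the two I/O threads are in use, not that the pool is the bottleneck; the worker counters (Idle 2, nothing queued) say the pool is not where these servers are spending their time.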