Monday, September 24, 2012

Description of the default C and C++ libraries that a program will link with when built by using Visual C++

http://support.microsoft.com/kb/154753

Manually Verifying the stack

// SAVE_EBP records the caller's saved frame pointer (the dword at [ebp]) on entry;
// COPY_EBP re-reads it just before return and CHECK_EBP traps if it changed.
// A changed saved EBP means something overran the local frame into the saved
// registers, which is exactly the damage a stack buffer overflow leaves behind.
// MSVC inline asm, 32-bit x86 only; the function must keep a conventional EBP frame.
// The statics are not reentrant or thread-safe, so the check is a debugging aid only.
#define SAVE_EBP   static unsigned int dwValue1 = 0, dwValue2 = 0; __asm mov eax, [ebp] __asm mov dwValue1, eax
#define COPY_EBP   __asm mov eax, [ebp] __asm mov dwValue2, eax
#define CHECK_EBP  if (dwValue1 != dwValue2) { int i = 0; i = 1 / i; }   /* forced divide-by-zero trap; __debugbreak() would also do */

e.g.

void function()
{
    SAVE_EBP
    .
    .
    .
    .

    COPY_EBP
    CHECK_EBP
}

Inspecting CString, wstring, and static char buffer

    char *pString = new char[20];
    ::strcpy_s(pString, 20 * sizeof(char), "Test string");
    CString *pStr = new CString("Hello World");
    std::wstring stdString = L"STD String";
    CDialogEx::OnOK();   // <= breakpoint here; the WinDbg output below is taken at this point

0:000> dv /V /i /t

prv local  001af284 @ebp-0x3c class ATL::CStringT > > * pStr = 0x0097b830
prv local  001af290 @ebp-0x30 char * pString = 0x0097b7e0 "Test string"
prv local  001af25c @ebp-0x64 class std::basic_string,std::allocator > stdString = class std::basic_string,std::allocator >
0:000> dt -a11 0x0097b7e0 char
[0] @ 0097b7e0
---------------------------------------------
84 'T'

[1] @ 0097b7e1
---------------------------------------------
101 'e'
[2] @ 0097b7e2
---------------------------------------------
115 's'
[3] @ 0097b7e3
---------------------------------------------
116 't'
[4] @ 0097b7e4
---------------------------------------------
32 ' '
[5] @ 0097b7e5
---------------------------------------------
115 's'
[6] @ 0097b7e6
---------------------------------------------
116 't'
[7] @ 0097b7e7
---------------------------------------------
114 'r'
[8] @ 0097b7e8
---------------------------------------------
105 'i'
[9] @ 0097b7e9
---------------------------------------------
110 'n'
[10] @ 0097b7ea
---------------------------------------------
103 'g'
0:000> da 0x0097b7e0
0097b7e0  "Test string"
0:000> !stl -n (std::basic_string,std::allocator >) 001af25c
[du 0x97b920]
0097b920  "STD String"
0:000> dpu 001af25c L2
001af25c  0097b8d8 ".."
001af260  0097b920 "STD String"
0:000> !stl stdString
[du 0x97b920]
0097b920  "STD String"
0:000> !SDbgExt.stlwstring 001af25c
wstring size=10 reserved=15 buf=0097b920 "STD String"
0:000> dt 0x0097b830 CString
mfc_test_del!CString
   +0x000 m_pszData        : 0x0097b880  "Hello World"

Inspecting CObList using Windbg

void Cmfc_test_delDlg::OnBnClickedOk()
{
    CObList *pList = new CObList();
    pList->AddTail(new CAge(10));
    pList->AddTail(new CAge(20));
    pList->AddTail(new CAge(30));
    pList->AddTail(new CAge(40));
    pList->AddTail(new CAge(50));
    pList->AddTail(new CAge(60));
    // TODO: Add your control notification handler code here
    CDialogEx::OnOK();
}
0:000> *Breakpoint is at CDialogEx::OnOK() in Cmfc_test_delDlg::OnBnClickedOk()
0:000> bl
 0 e 00335010 [c:\vs\mfc_test_del\mfc_test_del\mfc_test_deldlg.cpp @ 158]    0001 (0001)  0:**** mfc_test_del!Cmfc_test_delDlg::OnBnClickedOk
0:000> *Let's look at the local variables
0:000> dv /V /i /t
prv local  00a8ef58 @ebp-0x14 class Cmfc_test_delDlg * this = 0x00a8f864
prv local  00a8ef4c @ebp-0x20 class CObList * pList = 0x01e58cc8
0:000> *Display the type for CObList
0:000> dt 0x01e58cc8 CObList
mfc_test_del!CObList
   +0x000 __VFN_table : 0x007f7f6c
   =007f7fb4 CObject::classCObject : CRuntimeClass
   =008b0c28 CObList::classCObList : CRuntimeClass
   +0x004 m_pNodeHead      : 0x01e5b5dc CObList::CNode  <= pointer to the first node of the linked list
   +0x008 m_pNodeTail      : 0x01e5b618 CObList::CNode  <= pointer to the last node of the linked list
   +0x00c m_nCount         : 0n6                         <= number of elements in the linked list
   +0x010 m_pNodeFree      : 0x01e5b624 CObList::CNode
   +0x014 m_pBlocks        : 0x01e5b5d8 CPlex
   +0x018 m_nBlockSize     : 0n10                        <= memory reserved for 10 elements (nodes are allocated in blocks of this size)
0:000> *Find the head of the list
0:000> ?poi(0x01e58cc8+0x004 )
Evaluate expression: 31831516 = 01e5b5dc
0:000> *Display the list
0:000> dt CObList::CNode -l 0x01e5b5dc pNext
mfc_test_del!CObList::CNode
pNext at 0x1e5b5dc
---------------------------------------------
   +0x000 pNext            : 0x01e5b5e8 CObList::CNode
   +0x004 pPrev            : (null)
   +0x008 data             : 0x01e58d20 CObject
pNext at 0x1e5b5e8
---------------------------------------------
   +0x000 pNext            : 0x01e5b5f4 CObList::CNode
   +0x004 pPrev            : 0x01e5b5dc CObList::CNode
   +0x008 data             : 0x01e5b690 CObject
pNext at 0x1e5b5f4
---------------------------------------------
   +0x000 pNext            : 0x01e5b600 CObList::CNode
   +0x004 pPrev            : 0x01e5b5e8 CObList::CNode
   +0x008 data             : 0x01e5b6d8 CObject
pNext at 0x1e5b600
---------------------------------------------
   +0x000 pNext            : 0x01e5b60c CObList::CNode
   +0x004 pPrev            : 0x01e5b5f4 CObList::CNode
   +0x008 data             : 0x01e5b720 CObject
pNext at 0x1e5b60c
---------------------------------------------
   +0x000 pNext            : 0x01e5b618 CObList::CNode
   +0x004 pPrev            : 0x01e5b600 CObList::CNode
   +0x008 data             : 0x01e5b768 CObject
pNext at 0x1e5b618
---------------------------------------------
   +0x000 pNext            : (null)
   +0x004 pPrev            : 0x01e5b60c CObList::CNode
   +0x008 data             : 0x01e5b7b0 CObject
0:000> *Display the list from back
0:000> dt CObList::CNode -l 0x1e5b618 pPrev
mfc_test_del!CObList::CNode
pPrev at 0x1e5b618
---------------------------------------------
   +0x000 pNext            : (null)
   +0x004 pPrev            : 0x01e5b60c CObList::CNode
   +0x008 data             : 0x01e5b7b0 CObject
pPrev at 0x1e5b60c
---------------------------------------------
   +0x000 pNext            : 0x01e5b618 CObList::CNode
   +0x004 pPrev            : 0x01e5b600 CObList::CNode
   +0x008 data             : 0x01e5b768 CObject
pPrev at 0x1e5b600
---------------------------------------------
   +0x000 pNext            : 0x01e5b60c CObList::CNode
   +0x004 pPrev            : 0x01e5b5f4 CObList::CNode
   +0x008 data             : 0x01e5b720 CObject
pPrev at 0x1e5b5f4
---------------------------------------------
   +0x000 pNext            : 0x01e5b600 CObList::CNode
   +0x004 pPrev            : 0x01e5b5e8 CObList::CNode
   +0x008 data             : 0x01e5b6d8 CObject
pPrev at 0x1e5b5e8
---------------------------------------------
   +0x000 pNext            : 0x01e5b5f4 CObList::CNode
   +0x004 pPrev            : 0x01e5b5dc CObList::CNode
   +0x008 data             : 0x01e5b690 CObject
pPrev at 0x1e5b5dc
---------------------------------------------
   +0x000 pNext            : 0x01e5b5e8 CObList::CNode
   +0x004 pPrev            : (null)
   +0x008 data             : 0x01e58d20 CObject
0:000> *Check the data field
0:000> dt 0x01e58d20 CAge
mfc_test_del!CAge
   +0x000 __VFN_table : 0x007f0c58
   =007f7fb4 CObject::classCObject : CRuntimeClass
   +0x004 m_years          : 0n10
0:000> *Same thing can be done using !list too.
0:000> !list -t CObList::CNode.pNext -x "dt" -a "CObList::CNode" -e 01e5b5dc

dt 0x1e5b5dc CObList::CNode
mfc_test_del!CObList::CNode
   +0x000 pNext            : 0x01e5b5e8 CObList::CNode
   +0x004 pPrev            : (null)
   +0x008 data             : 0x01e58d20 CObject
dt 0x1e5b5e8 CObList::CNode
mfc_test_del!CObList::CNode
   +0x000 pNext            : 0x01e5b5f4 CObList::CNode
   +0x004 pPrev            : 0x01e5b5dc CObList::CNode
   +0x008 data             : 0x01e5b690 CObject
dt 0x1e5b5f4 CObList::CNode
mfc_test_del!CObList::CNode
   +0x000 pNext            : 0x01e5b600 CObList::CNode
   +0x004 pPrev            : 0x01e5b5e8 CObList::CNode
   +0x008 data             : 0x01e5b6d8 CObject
dt 0x1e5b600 CObList::CNode
mfc_test_del!CObList::CNode
   +0x000 pNext            : 0x01e5b60c CObList::CNode
   +0x004 pPrev            : 0x01e5b5f4 CObList::CNode
   +0x008 data             : 0x01e5b720 CObject
dt 0x1e5b60c CObList::CNode
mfc_test_del!CObList::CNode
   +0x000 pNext            : 0x01e5b618 CObList::CNode
   +0x004 pPrev            : 0x01e5b600 CObList::CNode
   +0x008 data             : 0x01e5b768 CObject
dt 0x1e5b618 CObList::CNode
mfc_test_del!CObList::CNode
   +0x000 pNext            : (null)
   +0x004 pPrev            : 0x01e5b60c CObList::CNode
   +0x008 data             : 0x01e5b7b0 CObject
0:000> !list -t CObList::CNode.pNext -x "dt" -a "CObList::CNode data" -e 01e5b5dc
dt 0x1e5b5dc CObList::CNode data
mfc_test_del!CObList::CNode
   +0x008 data : 0x01e58d20 CObject
dt 0x1e5b5e8 CObList::CNode data
mfc_test_del!CObList::CNode
   +0x008 data : 0x01e5b690 CObject
dt 0x1e5b5f4 CObList::CNode data
mfc_test_del!CObList::CNode
   +0x008 data : 0x01e5b6d8 CObject
dt 0x1e5b600 CObList::CNode data
mfc_test_del!CObList::CNode
   +0x008 data : 0x01e5b720 CObject
dt 0x1e5b60c CObList::CNode data
mfc_test_del!CObList::CNode
   +0x008 data : 0x01e5b768 CObject
dt 0x1e5b618 CObList::CNode data
mfc_test_del!CObList::CNode
   +0x008 data : 0x01e5b7b0 CObject
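The forward walk above, with the consistency checks a debugger session leaves to the reader, as an added example in plain C++ (not the post's code and not MFC): it mirrors the CNode layout shown by dt, rebuilds the six-node list from OnBnClickedOk and returns -1 when a back-link, the tail pointer or m_nCount disagrees with the chain. ListHeader, walkAndSum, buildSampleList and scenarioSum are assumed names.

```cpp
// Same layout as the "dt CObList::CNode" output above (pNext +0, pPrev +4,
// data +8 on x86); CAge keeps only its m_years field.
struct CAge { int m_years; };
struct CNode { CNode *pNext; CNode *pPrev; CAge *data; };

// Stand-in for the three CObList header fields the post inspects.
struct ListHeader { CNode *m_pNodeHead; CNode *m_pNodeTail; int m_nCount; };

// Walks pNext from the head as "dt -l ... pNext" does, plus the checks the
// debugger output leaves to the reader: each pPrev must point at the node we
// arrived from, the walk must end at m_pNodeTail and the count must equal
// m_nCount. Returns the sum of m_years, or -1 on the first inconsistency.
int walkAndSum(const ListHeader &list) {
    const CNode *prev = nullptr;
    int seen = 0, sum = 0;
    for (const CNode *node = list.m_pNodeHead; node != nullptr; node = node->pNext) {
        if (node->pPrev != prev) return -1;      // broken back-link
        if (++seen > list.m_nCount) return -1;   // longer than m_nCount, or a cycle
        sum += node->data->m_years;
        prev = node;
    }
    return (seen == list.m_nCount && prev == list.m_pNodeTail) ? sum : -1;
}

// Links the six CAge nodes from the post (10, 20, ..., 60) into caller-provided
// storage the way CObList::AddTail does.
ListHeader buildSampleList(CNode (&nodes)[6], CAge (&ages)[6]) {
    ListHeader list{nullptr, nullptr, 0};
    for (int i = 0; i < 6; ++i) {
        ages[i].m_years = 10 * (i + 1);
        nodes[i] = CNode{nullptr, list.m_pNodeTail, &ages[i]};
        if (list.m_pNodeTail) list.m_pNodeTail->pNext = &nodes[i];
        else list.m_pNodeHead = &nodes[i];
        list.m_pNodeTail = &nodes[i];
        ++list.m_nCount;
    }
    return list;
}

// Scenarios for the checks: 0 = intact list, 1 = stale pPrev (what a botched
// unlink leaves behind), 2 = m_nCount out of step with the chain, 3 = a cycle.
int scenarioSum(int corruption) {
    CNode nodes[6]; CAge ages[6];
    ListHeader list = buildSampleList(nodes, ages);
    if (corruption == 1) nodes[3].pPrev = &nodes[1];
    if (corruption == 2) list.m_nCount = 5;
    if (corruption == 3) nodes[5].pNext = &nodes[2];
    return walkAndSum(list);
}
```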

Tuesday, September 11, 2012

Windows: Transition from User to Kernel


1. Find the notepad process object
kd> !process 0 0 notepad.exe
PROCESS 859c29b8  SessionId: 1  Cid: 0914    Peb: 7ffd4000  ParentCid: 0600
    DirBase: 3ec4c420  ObjectTable: 921e3470  HandleCount:  57.
    Image: notepad.exe

2. Switch to notepad process context
kd> .process /i 859c29b8
You need to continue execution (press 'g' ) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
826b9394 cc              int     3

3. Disassemble the NtCreateFile
kd> uf ntdll!ntCreateFile
ntdll!NtCreateFile:
77234a10 b842000000      mov     eax,42h
77234a15 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
77234a1a ff12            call    dword ptr [edx]
77234a1c c22c00          ret     2Ch

4. Find the content at 7ffe0300
kd> dd 7ffe0300 L1
7ffe0300  772364f0

5. Disassemble the code at 7ffe0300
kd> uf 772364f0
ntdll!KiFastSystemCall:
772364f0 8bd4            mov     edx,esp
772364f2 0f34            sysenter
772364f4 c3              ret

6. Find the address of KiServiceTable
kd> x nt!KiServiceTable
826bd6f0 nt!KiServiceTable =

7. Now display the function in System Service Table
kd> dps 0x826bd6f0+0x4*0x42 L1
826bd7f8  82898e82 nt!NtCreateFile
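The arithmetic behind steps 3 to 7, as an added example (not part of the original post): the functions pull the service number out of the `mov eax,42h` line of the stub, the stub target out of the `dd` line, the table base out of the `x` line, and compute the KiServiceTable slot that step 7 dumps. The disassembly constant is the post's own output; the function names are assumptions.

```cpp
#include <cstdint>
#include <regex>
#include <sstream>
#include <string>

// WinDbg "uf ntdll!NtCreateFile" output from step 3, embedded as the input.
static const char *kStubDisasm =
    "ntdll!NtCreateFile:\n"
    "77234a10 b842000000      mov     eax,42h\n"
    "77234a15 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)\n"
    "77234a1a ff12            call    dword ptr [edx]\n"
    "77234a1c c22c00          ret     2Ch\n";

// Service number the stub loads into EAX before the syscall, or -1 if no
// "mov eax,<imm>" line is present. WinDbg prints immediates as hex with a
// trailing 'h' (42h), so only that spelling is accepted.
long serviceIndexFromStub(const std::string &disasm) {
    static const std::regex kMovEax(R"(mov\s+eax,([0-9a-fA-F]+)h\b)");
    std::smatch m;
    if (!std::regex_search(disasm, m, kMovEax)) return -1;
    return std::stol(m[1].str(), nullptr, 16);
}

// Second column of a "dd <addr> L1" line such as "7ffe0300  772364f0" (step 4):
// the address the stub calls through, here ntdll!KiFastSystemCall.
uint32_t valueFromDd(const std::string &ddLine) {
    std::istringstream in(ddLine);
    std::string addr, value;
    in >> addr >> value;
    return static_cast<uint32_t>(std::stoul(value, nullptr, 16));
}

// Leading address of an "x nt!KiServiceTable" result line (step 6).
uint32_t addressFromX(const std::string &xLine) {
    return static_cast<uint32_t>(std::stoul(xLine, nullptr, 16));
}

// On 32-bit Windows KiServiceTable is an array of 4-byte function pointers,
// so service N is dispatched through base + 4*N: the "0x4*0x42" of step 7.
uint32_t ssdtSlotAddress(uint32_t tableBase, long index) {
    return tableBase + 4u * static_cast<uint32_t>(index);
}
```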

Monday, September 3, 2012

Capturing Dump Using Windbg

Copy this script and save it as a .reg file. Dump files will be saved in the c:\dump folder.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"UserDebuggerHotKey"=dword:00000000
"Debugger"="\"c:\\Program Files\\Debugging Tools for Windows (x86)\\windbg.exe\" -p %ld -e %ld -g -Q -c \".dump /mfhtpu /u c:\\dump.dmp;q\""

Wednesday, June 13, 2012

!htrace: The difference between the two snapshots is too large

Click on Debug > Break (or just press CTRL+Break).
Type "!htrace -diff" without the quotation marks and then press Enter.
Note: By default, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 keep a history of 4000 handle open and close operations.
With !htrace you can keep a much larger history by doing the following:
Type "!htrace -enable 0x20000" without the quotation marks and then press Enter.
In this example, we are increasing the handle history to 128000 (decimal, 0x20000 hexadecimal).

Link:- http://blogs.technet.com/b/yongrhee/archive/2011/12/19/how-to-troubleshoot-a-handle-leak.aspx

Tuesday, June 12, 2012

MSIL tutorials


The following are some useful links to MSIL tutorials.

Monday, June 4, 2012

Windows 7 No Longer Supports Full Memory Dumps??

A new registry value has been added that will override this behavior and always cause the crash dump file to be generated. By setting the \HKLM\System\CCS\Control\CrashControl\AlwaysKeepMemoryDump DWORD value to 1 you will guarantee that you will always have a crash dump file after crashing the system.

For details, go through this:- http://www.osronline.com/article.cfm?article=545

Thursday, May 24, 2012

Debugging Focus Bugs

  1. Jeffrey Richter wrote an article in 1997 which contains a tool for finding the focus among other things: http://www.microsoft.com/msj/0397/Win32/Win320397.aspx
  2. We can use SPY++ and analyze messages
  3. We can do Remote Debugging and Multi-Monitor.
  4. The Inspect tool, part of the Windows SDK download, can be useful here. It's designed to test out the two Accessibility-related APIs - MSAA and UI Automation - and one of the things that both those APIs do is allow accessibility and test tools to track the focus.
    The simplest way to use it for tracking focus is to put it into MSAA mode, check the options to follow only focus changes (i.e. turn off following the mouse pointer), then turn on the yellow highlight rectangle. Now as focus changes, you can see the rectangle move. As a bonus, if focus goes to something that's hidden or offscreen, you won't see a rectangle, but the name and Win32 class of the control will be displayed in the window.
    Note that Inspect shows a superset of focus events: you get not just HWND focus changes, but also notifications when focus moves within certain controls, such as between items in a list box. Automated test and accessibility tools need these, but for your purposes you should be OK to just ignore them; it's extra information, but shouldn't get in the way too much.
  5. Win32 Activation and Focus :- http://blogs.msdn.com/b/jfoscoding/archive/2006/08/02/686141.aspx