
Thread: First time using WinDbg, having some issues

  1. #1
    TheUsualSuspect
    Guest


    First of all, hello everyone!

    While I'm rather familiar with debugging and reverse engineering in ring3, I finally made the leap into the ring0 world for a private project and so far it seems it is as fascinating as I imagined it to be. It took me quite some time to get my setup running (WinDbg, VirtualKD, VirtualBox) but eventually it worked. Now my first problem is with WinDbg.

    I use VirtualKD to do remote kernel debugging and am interested in the inner workings of win32k.sys. But when I fire up WinDbg, something weird happens:

    Code:
    kd> x win32k!NtUserInvalidateRect
    bf8153d5 win32k!NtUserInvalidateRect = <no type information>
    kd> u win32k!NtUserInvalidateRect
    win32k!NtUserInvalidateRect:
    bf8153d5 ??              ???
                                    ^ Memory access error in 'u win32k!NtUserInvalidateRect'
    kd> dd win32k!NtUserInvalidateRect
    bf8153d5  ???????? ???????? ???????? ????????
    bf8153e5  ???????? ???????? ???????? ????????
    bf8153f5  ???????? ???????? ???????? ????????
    bf815405  ???????? ???????? ???????? ????????
    bf815415  ???????? ???????? ???????? ????????
    bf815425  ???????? ???????? ???????? ????????
    bf815435  ???????? ???????? ???????? ????????
    bf815445  ???????? ???????? ???????? ????????
    I have no clue what this means. From what I know, kernel pages can be paged out and thus might be inaccessible. I tried to use the .pagein command, but it just works on virtual memory addresses.

    What's even weirder is that when I do the same thing on the box itself with LiveKd, I can look at the memory, but obviously can't set breakpoints and trace the code flow.

    As I said I'm pretty much a beginner when it comes to kernel debugging and I have no idea what this could be. Any concept I'm missing?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker
    Hi

    You need to be in a usermode context first to be able to see win32k memory space. See here for an explanation:

    http://www.woodmann.com/forum/showthread.php?6047-Can-t-see-WIN32K-with-SoftIce

    What isn't mentioned (explicitly) is the effect of the additional SSDT (System Service Descriptor Table) Shadow Table, which is part of win32k and kicks in only for GUI threads. I think that's probably the underlying issue here.

    Choose any non-system process from your guest system and set to that process context. You should be able to see win32k.sys then (I just confirmed that works with Windbg/Vmware)


    Code:
    kd> !process 0 0 winlogon.exe
    PROCESS 81408da0  SessionId: 0  Cid: 024c    Peb: 7ffdf000  ParentCid: 01f4
        DirBase: 06ba3000  ObjectTable: e14dba88  HandleCount: 418.
        Image: winlogon.exe
    
    kd> .process 81408da0
    Implicit process is now 81408da0
    Btw, how do you like VirtualKD? I've been wanting to set that up since it's supposed to speed up remote debugging immensely. I don't actually remote debug much mind you since I'm still a Softice dinosaur for now, but I know I should get with the times...

    Cheers,
    Kayaker
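The procedure Kayaker describes, written out as an added example (not code from either post). It assumes a 32-bit XP-era guest debugged over VirtualKD, that explorer.exe is running in the guest, and it reuses the process address 81408da0 from the post above purely as a placeholder; substitute whatever `!process` prints on your own target. The `.process` form used above is enough for reading win32k memory; the `/i` (invasive) form is the extra step needed before breakpoints and tracing will actually land in that context.

```windbg
$$ Added example: making win32k.sys visible and breakable from a kd session.
$$ All commands are standard WinDbg kd commands. 81408da0 is a placeholder
$$ process address taken from the post above; use the one !process gives you.

$$ 1. Reproduce the symptom. With no process context (e.g. broken in at the
$$    System/idle process), session space, where win32k lives, is not mapped,
$$    so u/dd on win32k addresses show ???.
u win32k!NtUserInvalidateRect

$$ 2. Find a GUI process, i.e. one that has win32k mapped (explorer.exe or
$$    winlogon.exe both qualify). Note the PROCESS address it prints.
!process 0 0 explorer.exe

$$ 3. Read-only access: set the implicit process. /p switches the page
$$    directory to that process, /r reloads its user-mode symbols.
.process /p /r 81408da0
u win32k!NtUserInvalidateRect
dd win32k!NtUserInvalidateRect

$$ 4. Breakpoints and tracing: an implicit process is not enough. Use invasive
$$    mode and resume; the target breaks the next time that process is
$$    scheduled, and from then on the debugger really is in its context.
.process /i 81408da0
g
bp win32k!NtUserInvalidateRect
g

$$ 5. On targets with several sessions (Terminal Services, fast user
$$    switching), each session has its own copy of session space; check which
$$    session the chosen process belongs to before trusting the addresses.
!session
```

If step 3 still shows ???, the process you picked has not loaded win32k (a pure console process, or a service without a GUI thread); pick another one from `!process 0 0`.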

  3. #3
    TheUsualSuspect
    Guest


    Thanks, that did the trick. I definitely need to read up on a lot of concepts to understand kernel mode, but it is fascinating. Regarding VirtualKD: I think I like it. I can't really compare it to anything; regular named pipe debugging wouldn't work, but it supposedly is way faster. It seems fast, but breaking a running OS sometimes takes up to 5 seconds on my (very) strong rig. I don't know how long this would be otherwise, for example. For now, it works and that's what counts.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
