Introduction

1. Types of Windows debuggers

2. User mode debuggers

3. Kernel mode debuggers

3.1 WDEB386 Debugger

3.2 Debugger I386KD

3.3 Win DBG Debugger

3.4 SoftICE Debugger

4. General question debugging

5. Automatic start applications in the debugger

5.1 Interrupt shortcut keys

Conclusion

Literature

Introduction

Learning how software tools work is the most difficult part of the debugging process. Only by understanding the capabilities and limitations of tools can you get more out of them and spend less time debugging. In general, debuggers are extremely useful, but can lead to rather subtle problems that lead the programmer to a dead end. This chapter shows what a debugger is and how various debuggers work on Win32 (32-bit) operating systems operating systems ah Windows from Microsoft).

At the same time, we will focus on those special properties of debuggers in general, which are enabled when some kind of debugger is running under their control. software process. It also explains how you can enhance certain features of 32-bit Windows operating systems to make debugging easier. Two proprietary debuggers will be presented, the source code for which can be found on the accompanying CD. The first (MinDBG) has sufficient capabilities to be called a debugger. The second (WDBG) is an example debugger Microsoft Windows, which does almost everything that the real one does system debugger, including symbol table manipulation, breakpoint handling, disassembler code generation, and coordination with the graphical user interface (GUI). When discussing WDBG, we'll show how breakpoints work and discuss what the various symbol files are.

Before moving on to the main material of this chapter, let's define two standard terms that will be used frequently in this book: main (or base) debugger (debugger) and subordinate debugger (debuggee). In simple terms, a master debugger is a process that can debug-control another process, and a slave debugger is a process that runs underneath the master debugger. On some operating systems, the main debugger is called the parent process, and the slave debugger is called the child process.

Debugger (debugger, English debugger from bug) - computer program, designed to find errors in other programs, operating system kernels, SQL queries and other types of code. The debugger allows you to trace, monitor, set or change variable values ​​as code runs, set and remove breakpoints or stopping conditions, and more.

Most developers are more familiar with user-mode debuggers. Not surprisingly, this mode's debuggers are designed for debugging user-mode applications. A prime example of a user-mode debugger is the Microsoft Visual C++ debugger. Kernel mode debuggers, as their name suggests, are debuggers that allow you to debug the operating system kernel. They are used primarily by those who write (and debug, of course) device drivers.

2. User mode debuggers

User-mode debuggers are designed to debug any application that runs in user mode, including any GUI programs, as well as such unusual applications as Windows 2000 services. In general, debuggers of this type support GUI user (GUI1). Main sign such debuggers - they use the Win32 debug application programming interface (debug API). Because the operating system marks a slave debugger as "running in special mode," you can use the IsDebuggerPresent API function to find out whether your process is running under a debugger.

When supplying the Win32 debugging API, there is an implied convention: once a process is running under the debugging API (and thus makes it a slave process), the main debugger cannot detach from that process. This symbiotic relationship means that if the master debugger exits, the slave debugger exits as well. The master debugger is limited to debugging only the slave debugger and any processes it spawns (if the master debugger supports child processes).

GUI - Graphical User Interface. - Per.

For interpreted languages ​​and run-time systems that use the virtual machine, the full debug environment is provided by the virtual machines themselves, and they do not use the Win32 debugging API. Some examples of these types of environments are the Java virtual machines (JVMs) from Microsoft or Sun, the scripting environment for Web applications from Microsoft, and the p-code interpreter in Microsoft Visual Basic.

debugger kernel operating system

We'll get to debugging in Visual Basic in Chapter 7, but be aware that the Visual Basic p-code interface is not documented. We won't delve into Java and scripting debugging interfaces; those topics are beyond the scope of this book. For more information on debugging and profiling the Microsoft JVM, see Debugging and Profiling Java Applications on MSDN. The set of such interfaces is very rich and varied and allows you to completely control the operation of the JVM. For information about writing a script debugger, see the MSDN topic "Active Script Debugging API Objects." Like the JVM, script debugger objects provide a rich interface for script access and documentation.

A surprising number of programs use the Win32 debugging API. These include: the Visual C++ debugger, which is covered in detail in Chapters 5 and 6; the Windows debugger (WinDBG), which is discussed in the next section (on the kernel-mode debugger); BoundsChecker program from Compuware NuMega; Platform SDK HeapWalker program; Platform SDK Depends program; Borland Delphi and C++ Builder debuggers, as well as the NT Symbolic Debugger (NTSD). I'm sure there are many more.

3. Kernel mode debuggers

Kernel mode debuggers sit between the CPU and the operating system. This means that when you stop the kernel mode debugger, the operating system also stops completely. It's easy to see that bringing the operating system to a hard stop is useful when you're working on timers and timing issues. However, with the exception of one debugger, which will be discussed below (in the "SoftlCE Debugger" section of this chapter), you cannot debug user-mode code using kernel-mode debuggers.

There are not many kernel mode debuggers. Here are some of them: Windows 80386 Debugger (WDEB386), Kernel Debugger (1386KD), WinDBG and SoftlCE. Each of these debuggers is briefly described in the following sections.

3.1 WDEB386 Debugger

WDEB386 is a Windows 98 kernel mode debugger distributed as part of the Platform SDK. This debugger is only useful for developers writing Windows 98 virtual device drivers (VxD). Like most kernel mode debuggers for Windows operating systems, the WDEB386 debugger requires two machines and a null modem cable to operate. Two machines are needed because the part of the debugger that runs on the target machine has limited access to its hardware, so it sends its output to and receives commands from the other machine.

The WDEB386 debugger has an interesting history. It started out as an internal background tool for Microsoft during the Windows 3.0 era. It was difficult to use and did not have enough support for debugging source code and other nice properties that the Visual C++ and Visual Basic debuggers spoiled us with.

"Dot" (DOT) commands are the most important feature of the WDEB386. Through interrupt INT 41, the WDEB386 can be expanded to add commands. This extensibility allows VxD driver authors to create custom debugging commands that give them easy access to information in their virtual devices. The debug version of Windows 98 supports many DOT commands that allow you to observe the exact state of the operating system at any point in the debugging process.

3.2 Debugger I386KD

Windows 2000 differs from Windows 98 in that the actual working part of the kernel mode debugger is the NTOSKRNL part. EXE - file of the main operating kernel Windows systems 2000. This debugger is available in both free (release) and tested (debug) operating system configurations. To enable kernel mode debugging, set the bootloader option /DEBUG to BOOT. INI and, additionally, the bootloader option /DEBUGPORT, if you need to set the kernel mode debugger communication port to a value other than the default (COM1). I386KD runs on its own machine and communicates with Windows machine 2000 via a null modem cable.

Kernel mode debugger NTOSKRNL. The EXE does only enough to control the CPU so that the operating system can be debugged. Most of the debugging work - symbol processing, extended breakpoints and disassembly - is done on the 1386KD side. One Windows time The NT 4 Device Driver Kit (DDK) documented the protocol used in the null modem cable. However, Microsoft no longer documents it.

The power of the 1386KD is obvious when you look at all the commands it offers to access internal Windows state 2000. Knowledge of how device drivers work in Windows 2000 will help the programmer monitor the output of many commands. Despite all its power, i386KD is almost never used because it is a console application, which is very tedious to use for baseline debugging.

3.3 Win DBG Debugger

WinDBG is a debugger that comes as part of the Platform SDK. You can also download it from #"897008.files/image001.gif">

Figure 1. Output of the GFLAGS program. EXE

Listing 4-1. Example of Windows 2000 heap destruction

void main (void)

HANDLE hHeap = HeapCreate (0, 128, 0);

// Allocate memory for a block of 10 bytes.

LPVOID pMem = HeapAlloc(hHeap, 0.10);

// Write 12 bytes into a 10-byte block (heap overflow).

memset (pMem, OxAC,

// Allocate a new block of 20 bytes.

LPVOID pMem2 = HeapAlloc(hHeap, 0, 20);

// Write 1 byte to the second block.

char * pUnder = (char *) ((DWORD) pMem2 - 1);

// Free the first block. This appeal to HeapFree will be

// trigger a breakpoint in the debug heap code

// operating system.

HeapFree(hHeap, 0, pMem);

// Free the second block. Note that this call will not

// issue error messages

HeapFree(hHeap, 0, pMem2);

// Free the dummy block. Note that this call will not

// issue error messages

If you check the same boxes as in Fig. 4.1 and repeat the execution of HEAPER. EXE, you will get the following, more verbose output:

PAGEHEAP: process 0x490 created debug heap 00430000

(flags 0xl, 50, 25, 0, 0): process 0x490 created debug heap 00CF0000

(flags Oxl, 50, 25, 0, - 0): process 0x490 created debug heap 01600000

(flags Oxl, 50, 25, 0, 0): Tail fill corruption detected:at 0x01606FF0size 0x0000000Asize 0x00000010at Ox01606FFA: Attempt to reference block which is not allocated

The contents of the listing are explained by the names of the flags set by the Global Flags panel.

Discussing the GFLAGS program. EXE, I want to point out one very useful option - Show Loader Snaps. If you check this box and run the application, you will see what is called a snapshot of the application, which shows where Windows 2000 loads the DLL files and how it begins organizing the import. If you need to see exactly what the Windows 2000 boot loader is doing when loading an application (especially if it has a problem), turning on this option can be a very useful step. For more information on bootloader snapshots, see Matt Pietrek's "Under the Hood" column in the September 1999 issue of Microsoft Systems Journal.

5. Automatically launch applications in the debugger

The most difficult types of applications to debug are those that are launched by another process. This category is attacked Windows services 2000 and out-of-process COM servers (COM out-of-process servers). To force a debugger to attach to a process, in many cases you can use the DebugBreak API function. In two cases, however, this function will not work. First, it sometimes doesn't work with Windows 2000 services. If you need to debug the startup of a service, calling DebugBreak will attach the debugger, but by the time the debugger starts, the service may have timed out and Windows 2000 will stop it. Secondly, DebugBreak will not work when you need to debug an out-of-process COM server. If you call DebugBreak, the COM error handler will catch the breakpoint exception and terminate the COM server. Fortunately, Windows 2000 allows you to specify that the application should start in the debugger. This property allows you to start debugging right from the first instruction. However, before you enable this property for a Windows 2000 service, make sure that the service is configured to communicate with the worker Windows table 2000.

The Run with Debugger property can be enabled in two ways. The easiest one is to run the GFLAGS utility. EXE and select the radio button ImageFile Options(see Fig. 4.1). After entering in the editable field I mageFileName program binary file name check box Debugger in Group Image DebuggerOptions) and enter the full path to the debugger in the editable field next to this checkbox.

A more difficult method: you need to manually set the necessary parameters in the appropriate registry sections (using the RegEdit editor). Under_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NTXCurrent Version\Image Tile Execution Options

create a subkey whose name is the same as the file name of your application. For example, if the application name is FOO. EXE, then the registry subkey name is also FOO. EXE. In this subkey, create a new string parameter named Debugger. In the Edit String Parameter dialog box, type the full (including directory path) file name of the debugger you selected. If you specified GFLAGS. EXE and set some global options, you will notice the string value GiobaiFiag in your application key.

Now when you start your application, the debugger is automatically loaded and launched. Options command line for a debugger can also be specified in the Debugger string parameter (following the debugger program name). For example, in order to use the WinDBG debugger and automatically initiate debugging as soon as WinDBG starts, you need to enter the value d: \platform sdk\bin\windbg in the dialog box for changing the Debugger string parameter. exe-g.

5.1 Interrupt shortcut keys

Sometimes you need to quickly jump into the debugger. If you are debugging console applications, then keystrokes +or +will throw a special exception (named DBG_CONTROL_C). This exception will take you straight to the debugger and allow you to start debugging.

A useful feature of both Windows 2000 and Windows NT 4 is the ability to switch to the debugger at any time, also in GUI applications. When running under the debugger, pressing the key results (by default) in calling the DebugBreak function. The interesting aspect of handling this key is that even if you use it as an accelerator or otherwise handle keyboard messages for this key, it will still connect you to the debugger.

On Windows NT 4 shortcut key interrupts assigned by default, but in Windows 2000 you can determine which key to use for these purposes. Why in the registry section

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebug

Set the userDebuggerHotKey parameter to the key code (VK_*). For example, to use the key To connect to the debugger, you should set the UserDebuggerHotKey value to 0x91. The changes take effect after the computer is restarted.

Conclusion

We looked at the basic features of debugging, its types and types, the general issue of debugging, as well as errors and how to detect them.

Existing debuggers play an important role in software development when searching for logical errors, providing a wide range of tools, including source code support, application execution tracing, dynamic memory modification, etc. etc.

Literature

1.. aspx?.aspx?id=553022>

2. https://ru. wikipedia.org/wiki/%D0%9E%D1%82%D0%BB%D0%B0%D0%B4%D1%87%D0%B8%D0%BA

http://bourabai. kz/alg/debug4. htm

4. Kostyukhin K. - DEBUGING REAL TIME SYSTEMS. Review

How to start the kernel debugger?

Master's answer:

There is one very important component in the software development process - debugging. Towards application programs it is carried out by means that work in user mode and often built into the IDE. In order to be able to debug, for example, drivers, you need to run the kernel debugger.

Need to start the processor command cmd. Open the Start menu on the taskbar. In the window that appears, click on the “Run…” item. The “Run Program” window will appear. In the text box, enter cmd, then click OK.

Now create backup copy boot.ini file. First find out the installation path of the current copies of Windows, using the command: echo %SystemRoot%

Next, go to the disk with the installed operating system by entering the device letters, followed by a colon. Using the cd command, go to the root directory. Now, using the attrib command, remove the "hidden", "read-only" and "system" attributes from the boot.ini file. Use the copy command to create a backup copy, and then set the attributes in place.

To display the current list of boot options, use the bootcfg /query command. Look through the list and determine the element on the basis of which new settings will be created with the ability to debug in kernel mode. The boot entry ID should be remembered.

Use the bootcfg/copy command to create a boot entry. To specify the identifier of the record that you will copy, use the /id parameter. Using the /d option, specify the name of the entry that will be displayed. Now you need to go back to the list of boot options using the bootcfg /query command, and look at the ID of the added entry.

Now you need to enable options for launching the kernel debugger in the previously created boot entry. If you will be debugging on the target machine, you just need to add the /debug option.

If you want to perform remote debugging by connecting the target computer via a com port to the host machine, then use the /port and /baud options to specify the port number and baud rate.

If you will be performing remote debugging via a FireWire cable (IEEE 1394 interface), then use the /dbg1394 option to enable the corresponding mode and the /ch option to specify the channel number.

To ensure that the changes have been made, check your boot files using the bootcfg command with the /query parameter. After executing the exit command, close the shell window.

If necessary, change the operating system boot settings. Open the Control Panel through the Start menu, and in it open the System item. In the “System Properties” window that opens, select the “Advanced” tab. In this tab, select the section called “Boot and Recovery” and click on the “Options” button. In the “Boot and Recovery” window that appears, you need to activate the “Display list of operating systems” option. Close both dialog boxes"OK" button.

Restart your computer. Select boot with debugger. Log in and start working on the target machine or start debugging remotely. Use tools such as WinDbg and KD.

chPF OELPFPTSCHE KHLBBOYS RP TBVPFE U PFMBDLPK SDTB U BCHBTYKOSHNY DBNRBNY RBNSFY. lBL RTBCHYMP, CHBN OHTSOP VKDEF ЪBDBFSH PDOP YЪ KHUFTPKUFCH RPDLBYULY, RETEYUYUMEOOSCHI CH ZHBKME /etc/fstab . uvtpu pvtbpch RBNSFY O KHUFTPKUFCHB, OE SCHMSAEYEUS KHUFTPKUFCHBNY RPDLBYULY, OBRTYNET, MEOFSHCH, CH DBOOSCHK NPNEOF OE RPDDETSYCHBAFUS.

Note: yURPMSHHKFE LPNBODH dumpon (8) DMS KHLBBOYS SDTH NEUFB, ZDE OHTsOP UPITBOSFSH BCHBTYKOSHCHE DBNRSCH. rPUME OBUFTPKLY RP LPNBODE swapon (8) TBDEMB RPDLBYULY DPMTSOB VSHFSH CHSHCHBOB RTPZTBNNNB dumpon . pVSHYUOP LFP CHSHRPMOSEPHUS ЪBDBOYEN RETENOOOPK dumpdev CH ZHBKME rc.conf (5). еUMY ЪБДБOB ьФБ RATENEOOBS, FP RPUME UVPS RTY RETCHPK NOPZPRPMSHЪPCHBFEMSHULPK RETEЪBZTHЪLE VHDEF BCHFPNBFYUEULY ЪBRHEEOOB RTPZTBNNNB savecore (8). pOB UPITBOIF BCHBTYKOSHCHK DBNR SDTB CH LBFBMPZ, ЪBDBOOSCHK CH RETENEOOOPK dumpdir ZHBKMB rc.conf . rP KHNPMYUBOYA LBFBMPZPN DMS BCHBTYKOSCHI DBNRPCH SCHMSEFUS /var/crash .

mYVP CHSC NPTSEFE ЪBDBFSH KHUFTPKUFCHP DMS UVTPUB PVTBB RBNSFY SCHOP YUETE RBTBNEFT dump CH UFTPLE config LPOZHYZHTBGYPOOPZP ZHBKMB CHBYEZP SDTB. fBLPK URPUPV YURPMSHЪPCHBFSH OE TELPNEODHEFUS Y PO DPMTSEO YURPMSHЪPCHBFSHUS, FPMSHLP EUMY CHSCH IPFYFE RPMKHYUBFSH BCHBTYKOSHCH PVTBYSH RBNSFY SDTB, LPFPTPPE BCHBTYKOP ЪBCHETYBEF UCHPA TBVPFH RTY ЪBZTHЪLE.

Note: dBMEE FETNYO gdb PYOBYUBEF PFMBDYUYL gdb , ЪBRHEEOOSCHK CH ``TETSINE PFMBDLY SDTB". RETEIPD CH LFPF TETSYN DPUFYZBEFUS ЪBRHULPN gdb U RBTBNEFTPN -k . h TETSYNE PFMBDLY SDTB gdb YЪNEOSEF UCHPЈ RTYZMBYEOYE ABOUT (kgdb) .

Tip: Eumi Chechi yurpmshhef FreeBSD Cetui 3 ymi tbooaa, Cheshchiki DPMTSOSH Cheshrpmeifsh Huyuye PFMBDPZP SDTB LPNBODPK STRIP, Hufbobchmychbfsh PFMSHYP PFMBDPUOP:

# cp kernel kernel.debug # strip -g kernel

bFPF YBZ OE FBL KhTS Y OEPVIPDYN, OP TELPNEODKHEN. (PhP FreeBSD 4th VPMEE RPJDOYI TEMYBI LFPF YBZ CHSHRPMOSEFUS BCHFPNBFYUEULY CH LPOGE RTPGEUUB RPUFTPEOOYS SDTB make .) lPZDB SDTP HUEYEOP, BCHFPNBFYUEULY YMY RTY RPNPEY LPNBOD CHCHYE, CHCH NPTSEFE KHUFBOPCHYFSH EZP PVSHYUOSCHN PVTBBPN, OVTTBCH make install .

ъBNEFSHFE, YuFP CH UFBTSHCHETUISI FreeBSD (DP 3.1, OE CHLMAYUBS LFPF TEMY), YURPMSHKHEFUS SDTB CH ZHTNBFE a.out, RPFPNH YI FBVMYGSH UYNCHPMPCH DPMTSOSCH TBURPMBZBFSHUS RPUFPSOOP CH RBNSFY. u VPMSHYPK FBVMYGEK UYNCHPMPCH CH OE HUEYOOOPN PFMBDPUOPN SDTE LFP YЪMYYOSS FTBFB. rPUMEDOYE TEMYYSH FreeBSD YURPMSHJHAF SDTB CH ZHTNBFE ELF, ZHE LFP OE SCHMSEFUS RTPVMENPK.

eUMY CHSH FEUFYTHEFE OPCHPE SDTP, ULBTSEN, OBVYTBS YNS OPCHPZP SDTB CH RTYZMBYYEOYY UBZTHYUYLB, OP CHBN OHTSOP ЪBZTHTSBFSH Y TBVPFBFSH U DTHZYN SDTPN, YUFPVSH UOPChB CHETOHFSHUS L OPTNBMSHOPNH ZHOLGYPOYTPCHBOYA, ЪBZTHTSBKFE EZP FPMSHLP CH PDOPRPMSHЪPCHBFEMSHULPN TETSYNE RTY RPNPEY ZHMBZB -s , KHLBSCCHBENPZP RTY ЪBZTHЪLE , B ЪBFEN CHSHRPMOYFE FBLYE YBZY:

# fsck -p # mount -a -t ufs # so your filesystem for /var/crash is writable # savecore -N /kernel.panicked /var/crash # exit # ...to multi-user

bFB RPUMEDPCHBFEMSHOPUFSH KHLBSCCHBEF RTPZTBNNE savecore (8) ABOUT YURPMSHЪPCHBOYE DTHZPZP SDTB DMS YЪCHMEYUEOYS UYNCHPMYUEULYI YNEO. YOBYUE POB VHDEF YURPMSHЪPCHBFSH SDTP, TBVPFBAEEE CH DBOOSHCHK NPNEOF Y, ULPTEE CHUEZP, OYUEZP OE UDEMBEF, RPFPNH YuFP BCBTYKOSHCHK PVTB RBNSFY YYNCHPMSCH SDTB VHDHF PFMYUBFSHUS.

b FERETSH, RPUME UVTPUB BCHBTYKOPZP DBNRB, RETEKDYFE CH LBFBMPZ /sys/compile/WHATEVER Y ЪBRKHUFYFE LPNBODH gdb -k . yЪ RTPZTBNNSH gdb UDEMBKFE CHPF SFP:

Symbol-file kernel.debug exec-file /var/crash/kernel.0 core-file /var/crash/vmcore.0 Y CHBMS - CHCH NPTSEFE PFMBTSYCHBFSH BCHBTYKOSHK DBNR, YURPMSHЪHS YUIPDOSCH FELUFSCH SDTB FPYuOP FBLCE, LBL CHSHCH LFP DEM BEFE AT MAVPC DTHZPK RTPZTBNNPK.

chPF TsKHTOBM LPNBOD UEBOUB TBVPFSH gdb, YMMAUFTYTHAEIK bfh RTPGEDHTH. dMYOOSCH UFTPLY VSHMY TBPTCHBOSH DMS KHMHYUYEOYS YUYFBVEMSHOPUFY Y DMS KHDPVUFCHB UFTPLY VSHCHMY RTPOKHNETPCHBOSHCH. CHUE PUFBMSHOPE SCHMSEFUS FTBUUYTPCHLPK PYYVLY, TEBMSHOP CHPOYLOKHCHYEK PE CHTENS TBVPFSCH OBD DTBKCHETPN LPOUPMY pcvt.

1:Script started on Fri Dec 30 23:15:22 1994 2: # cd /sys/compile/URIAH 3: # gdb -k kernel /var/crash/vmcore.1 4:Reading symbol data from /usr/src/ sys/compile/URIAH/kernel ...done. 5:IdlePTD 1f3000 6:panic: because you said to! 7:current pcb at 1e3f70 8:Reading in symbols for ../../i386/i386/machdep.c...done. 9: (kgdb) where 10:#0 boot (arghowto=256) (../../i386/i386/machdep.c line 767) 11:#1 0xf0115159 in panic () 12:#2 0xf01955bd in diediedie ( ) (../../i386/i386/machdep.c line 698) 13:#3 0xf010185e in db_fncall () 14:#4 0xf0101586 in db_command (-266509132, -266509516, -267381073) 15:#5 0x f0101711 in db_command_loop () 16:#6 0xf01040a0 in db_trap () 17:#7 0xf0192976 in kdb_trap (12, 0, -272630436, -266743723) 18:#8 0xf019d2eb in trap_fatal (...) 19:#9 0xf0 19ce60 in trap_pfault ( ...) 20:#10 0xf019cb2f in trap (...) 21:#11 0xf01932a1 in exception:calltrap () 22:#12 0xf0191503 in cnopen (...) 23:#13 0xf0132c34 in spec_open () 24: #14 0xf012d014 in vn_open () 25:#15 0xf012a183 in open () 26:#16 0xf019d4eb in syscall (...) 27: (kgdb) up 10 28:Reading in symbols for ../../i386/i386 /trap.c...done. 29:#10 0xf019cb2f in trap (frame=(tf_es = -260440048, tf_ds = 16, tf_\ 30:edi = 3072, tf_esi = -266445372, tf_ebp = -272630356, tf_isp = -27\ 31:2630396, t f_ebx = - 266427884, tf_edx = 12, tf_ecx = -266427884, tf\ 32:_eax = 64772224, tf_trapno = 12, tf_err = -272695296, tf_eip = -26\ 33:6672343, tf_cs = -26646936 8, tf_eflags = 66066, tf_esp = 3072, tf_\ 34:ss = -266427884)) (../../i386/i386/trap.c line 283) 35:283 (void) trap_pfault(&frame, FALSE); 36: (kgdb) frame frame->tf_ebp frame->tf_eip 37:Reading in symbols for ../../i386/isa/pcvt/pcvt_drv.c...done. 38:#0 0xf01ae729 in pcopen (dev=3072, flag=3, mode=8192, p=(struct p\ 39:roc *) 0xf07c0c00) (../../i386/isa/pcvt/pcvt_drv.c line 403) 40:403 return ((*linesw.l_open)(dev, tp)); 41: (kgdb) list 42:398 43:399 tp->t_state |= TS_CARR_ON; 44:400 tp->t_cflag |= CLOCAL; /* cannot be a modem (:-) */ 45:401 46:402 #if PCVT_NETBSD || (PCVT_FREEBSD >= 200) 47:403 return ((*linesw.l_open)(dev, tp)); 48:404 #else 49:405 return ((*linesw.l_open)(dev, tp, flag)); 50:406 #endif /* PCVT_NETBSD || (PCVT_FREEBSD >= 200) */ 51:407 ) 52: (kgdb) print tp 53:Reading in symbols for ../../i386/i386/cons.c...done. 54:$1 = (struct tty *) 0x1bae 55: (kgdb) print tp->t_line 56:$2 = 1767990816 57: (kgdb) up 58:#1 0xf0191503 in cnopen (dev=0x00000000, flag=3, mode=8192 , p=(st\ 59:ruct proc *) 0xf07c0c00) (../../i386/i386/cons.c line 126) 60: return ((*cdevsw.d_open)(dev, flag, mode, p) ); 61: (kgdb) up 62:#2 0xf0132c34 in spec_open () 63: (kgdb) up 64:#3 0xf012d014 in vn_open () 65: (kgdb) up 66:#4 0xf012a183 in open () 67: (kgdb) up 68:#5 0xf019d4eb in syscall (frame=(tf_es = 39, tf_ds = 39, tf_edi =\ 69: 2158592, tf_esi = 0, tf_ebp = -272638436, tf_isp = -272629788, tf\ 70:_ebx = 7086 , tf_edx = 1, tf_ecx = 0, tf_eax = 5, tf_trapno = 582, \71:tf_err = 582, tf_eip = 75749, tf_cs = 31, tf_eflags = 582, tf_esp \72:= -272638456, tf_ss = 39)) (. ./../i386/i386/trap.c line 673) 73:673 error = (*callp->sy_call)(p, args, rval); 74: (kgdb) up 75:Initial frame selected; you cannot go up. 76: (kgdb) quit 77: # exit 78:exit 79: 80:Script done on Fri Dec 30 23:18:04 1994

lPNNEOFBTYY L CHSHCHYYERTYCHEDEOOPNH TSHTOBMKH:

UFTPLB 6:

ьФП DBNR, CHSFSHCHK RTY RPNPEY DDB (UNPFTY OITSE), RPPFPNH LPNNEOFBTYK L BCHBTYKOPNH PUFBOPCHH YNEEF YNEOOP CHYD ``because you said to!'' Y FTBUUYTPCHLB UFELB ZMHVPLB; PDOBLP YOBYUBMSHOPK RTYYUYOPK RETEIPDB CH DDB VSHMB BCHBTYKOBS PUFBOPCHLB RTY CHPOYLOPCHEOYA PYYVLY UFTBOIGSC RBNSFY.

UFTPLB 20:

lFP NEUFPOBIPTSDEOOYE ZHKHOLGYY trap() CH FTBUUYTPCHLE UFELB.

UFTPLB 36:

rTYOKHDIFEMSHOPE YURPMSHЪPCHBOIE OPChPK ZTBOYGSCH UFELB; FERTSH LFP OE OHTSOP. rTEDRPMBZBEFUS, YuFP ZTBOYGSCH UFELB KHLBSCCHBAF ABOUT RTBCHYMSHOP TBURPMPTSEOYE, DBCE CH UMHUBE BCHBTYKOPZP PUFBOPCHB. zMSDS ABOUT UFTPLH YUIPDOPZP LPDB 403, NPTsOP ULBBFSH, YuFP CHEUSHNB CHETPSFOP, YuFP MYVP CHYOPCHBF DPUFHR RP KHLBBFEMA ``tp"", MYVP VSHM CHSHCHIPD ЪB ZТBOYGSC NBUUYCHB.

UFTPLB 52:

rPIPTSE, YuFP CHYOPCHBF KHLBBFEMSH, OP ON SCHMSEFUS DPRKHUFYNSCHN BDTEUPN.

UFTPLB 56:

pDOBLP, PYUECHYDOP, YuFP PO KHLBSHCHCHBEF ABOUT NHUPT, FBL YuFP NSCH OBYMY OBYKH PYYVLH! (DMS FEI, LFP OE ЪOBLPN U LFPC YUBUFSHHA LPDB: tp->t_line UMHTSYF DMS ITBOEOYS TETSYNB LBOBMMB LPOUPMSHOPZP KHUFTPKUFCHB, Y LFP DPMTSOP VShchFSH DPUFBFPYuOP NBMEOSHLPE GEMPE YUYUMP. )

To debug the kernel, you need to connect to your computer using null modem cable or modem connection. The computer performing debugging will be called “Host”, and the problem computer will be called “Target”.

Both computers must be running the same version of Windows, and the symbol files for the Target computer must be installed on the Host computer. The symbol files are provided on the Windows installation CD in the Support\Debug directory.

To enable debugging, you must make changes to the BOOT.INI file on the Target computer.

1. Change the attributes of the BOOT.INI file:

attrib c:\boot.ini –r –s

2. Edit this file and into the line Windows startup add the /debug parameter (to tell the system to boot into RAM kernel debugger booting Windows). Additional parameters are /Debugport, which tells the system which COM port must be used (COM2 by default) and /Baudrate - to specify the data transfer rate (the default is 19200 baud, but it is better to use 9600). For example:

multi(0)disk(0)rdisk(0)partition(0)\WINDOWS="Windows NT" /debug /debugport=com2 /baudrate=9600

3. Save the file.

4. Set the previous attributes of the BOOT.INI file:

attrib c:\boot.ini +r +s

IN in this example the Target computer allowed the connection through the COM2 port at 9600 bps.

The Host computer must be configured with the settings required for debugging. In addition, the symbol files must be installed. To install them, go to the \support\debug directory on the installation CD and enter the following command:

expndsym : <целевой диск и каталог>

For example:

expndsym f: d:\symbols

Installation may take some time. Remember that if service packs have been installed on the Target computer, the symbol files for those packages must also be installed on the Host computer. Symbol files for update packages can be downloaded from the Microsoft website.

The next stage is setup environment variables, necessary for debugging, for example, variables indicating the location of symbol files, etc. The following is a description of these variables.

Description of system variables

The definition of these variables can be placed in batch file in order to avoid entering the corresponding commands at each boot:

echo off
set_nt_debug_port=com2
set_nt_debug_baud_rate=9600
set _nt_symbol_path=d:\symbols\i386
set _nt_log_file_open=d:\debug\logs\debug.log

Now you need to copy software debugging the kernel, which is located in the support\debug\ directory<процессор>on the installation CD (support\debug\I386). The easiest way is to copy the entire directory, since it has small size(about 2.5 MB). For the I386 platform, a debugger is used, which is supplied as the I386KD.EXE file. The debugger is launched using the I386KD command. To enter a command, press the key combination and wait for the kd> command prompt to appear.

The term "kernel debugging" means studying internal structure kernel data and/or step-by-step tracing of functions in the kernel. This debugging is a very useful way to explore internal structure Windows because it allows you to view internal system information that is not available through any other means, and gives a clear picture of the progress of code in the kernel.

Before you consider various ways kernel debugging, let's explore the set of files that will be needed to perform any kind of such debugging.

Symbols for kernel debugging

Symbol files contain the names of functions and variables, as well as the design and format of data structures. They are generated by the linker program and are used by debuggers to reference these names and to display them during a debugging session. This information is usually not stored in binary code because it is not needed when the code is executed. This means that without it, the binary code is smaller and runs faster. But this also means that when debugging, you need to ensure that the debugger has access to the symbol files associated with the binary images referenced during the debugging session.

To use any kernel-mode debugging tool to examine the internals of the Windows kernel data structure (list of processes, thread blocks, list of loaded drivers, memory usage information, etc.), you need correct files symbols and, at a minimum, the symbol file for the kernel binary image - Ntoskrnl.exe. Symbol table files must match the version of the binary image from which they were extracted. For example, if installed Windows package Service Pack or some kind of patch that updates the kernel, you need to get the symbol files updated accordingly.

Download and install symbols for various Windows versions It’s not difficult, but it’s not always possible to update symbols for corrections. The easiest way to obtain the required version of symbols for debugging is to contact the Microsoft symbol server specially designed for this purpose, using the special syntax for the symbol path specified in the debugger. For example, the following symbol path causes the debugging tools to download the symbols from an online symbol server and store a local copy in c:\symbols:srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Detailed instructions for using the symbol server can be found in the debugging tools help file or online at http://msdn.microsoft.com/en-us/windows/hardware/gg462988.aspx.