Reading Notebook: 21-September-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
ETW components (p. 207) - A few years ago I made this UML component diagram showing the relation of various providers to OS components and interfaces:

My trace analysis patterns are largely based on ETW traces: http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/
Fragment of process image loading sequence when tracing Microsoft-Windows-Kernel-Process provider:
PID         TID         User Data
0x00000AC8  0x0000086C  "\Device\HarddiskVolume2\Windows\System32\notepad.exe"
0x00000EBC  0x000007E4  "\Device\HarddiskVolume2\Windows\System32\notepad.exe"
0x00000EBC  0x000007E4  "\SystemRoot\System32\ntdll.dll"
0x00000EBC  0x000007E4  "\Windows\System32\kernel32.dll"
[...]
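The capture behind a fragment like the one above, as an added example that is not from the original post: a PowerShell script that records Microsoft-Windows-Kernel-Process image-load events with logman, rebuilds the PID/TID/image sequence from the ETL file, and flags images loaded from outside the usual system directories (the kind of early, unexpected DLL load that indicates injection or side-loading). Note that the first notepad.exe entry in the fragment carries a different PID/TID than the rest: the main image is mapped while still in the context of the creating process, and only then do ntdll.dll and kernel32.dll load in the new process. Assumptions (mine, not the page's): an elevated Windows PowerShell session; the provider's image-load events use keyword 0x40 (WINEVENT_KEYWORD_IMAGE), event ID 5 and EventData fields named ProcessID and ImageName, which should be checked against the manifest on your build with wevtutil gp Microsoft-Windows-Kernel-Process. The sample records at the bottom are constructed from the four lines above plus one made-up load from a user-writable directory.

```powershell
# Added example (not from the page). Assumed: keyword 0x40 = image events,
# event ID 5 = ImageLoad, EventData fields ProcessID / ImageName.

function Start-ImageLoadTrace {
    param([string]$Session = 'ImgLoadDemo',
          [string]$Etl = (Join-Path $env:TEMP 'imgload.etl'))
    # -ets creates and starts the session at once; 0x40 = image keyword, 0xff = all levels.
    logman create trace $Session -p 'Microsoft-Windows-Kernel-Process' 0x40 0xff -o $Etl -ets | Out-Null
}

function Stop-ImageLoadTrace {
    param([string]$Session = 'ImgLoadDemo')
    logman stop $Session -ets | Out-Null
}

# Rebuild the PID / TID / image sequence from the ETL file (-Oldest is required for ETL input).
function Get-ImageLoadSequence {
    param([string]$Etl)
    Get-WinEvent -Path $Etl -Oldest |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and $_.Id -eq 5 } |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                PID   = '0x{0:X8}' -f $_.ProcessId            # context in which the load was logged
                TID   = '0x{0:X8}' -f $_.ThreadId
                Into  = '0x{0:X8}' -f [int]$fields['ProcessID'] # process that receives the image
                Image = $fields['ImageName']
            }
        }
}

# Image paths arrive in several NT forms (\Device\HarddiskVolumeN\..., \SystemRoot\..., \Windows\...);
# normalise them to a \Windows-rooted path before matching.
function ConvertTo-WindowsPath {
    param([string]$NtPath)
    ($NtPath -replace '^\\Device\\HarddiskVolume\d+', '') -replace '^\\SystemRoot', '\Windows'
}

# Anything loaded from outside System32 / SysWOW64 / WinSxS / Program Files deserves a look.
function Find-UnexpectedImageLoads {
    param([object[]]$Loads)
    $expected = '(?i)^\\(Windows\\(System32|SysWOW64|WinSxS)|Program Files( \(x86\))?)\\'
    $Loads | Where-Object { (ConvertTo-WindowsPath $_.Image) -notmatch $expected }
}

# Constructed sample: the trace fragment above plus one made-up load from a user-writable directory.
$sample = @(
    [pscustomobject]@{ PID = '0x00000AC8'; TID = '0x0000086C'; Image = '\Device\HarddiskVolume2\Windows\System32\notepad.exe' }
    [pscustomobject]@{ PID = '0x00000EBC'; TID = '0x000007E4'; Image = '\Device\HarddiskVolume2\Windows\System32\notepad.exe' }
    [pscustomobject]@{ PID = '0x00000EBC'; TID = '0x000007E4'; Image = '\SystemRoot\System32\ntdll.dll' }
    [pscustomobject]@{ PID = '0x00000EBC'; TID = '0x000007E4'; Image = '\Windows\System32\kernel32.dll' }
    [pscustomobject]@{ PID = '0x00000EBC'; TID = '0x000007E4'; Image = '\Device\HarddiskVolume2\Users\Public\version.dll' }
)
Find-UnexpectedImageLoads $sample | Format-Table -AutoSize   # only the version.dll record is reported

# Live capture (elevated session); uncomment to record a real sequence:
# Start-ImageLoadTrace; Start-Process notepad.exe; Start-Sleep -Seconds 2; Stop-ImageLoadTrace
# $etl = Get-ChildItem (Join-Path $env:TEMP 'imgload*.etl') | Sort-Object LastWriteTime | Select-Object -Last 1
# Get-ImageLoadSequence $etl.FullName | Select-Object -First 8 | Format-Table -AutoSize
```

The header PID/TID and the ProcessID field are kept separately on purpose: the first is the context that generated the event, the second the process the image is mapped into, and they differ for the main-image load issued by the parent. The live-capture lines are left commented because logman needs an elevated session; the ETL file name is globbed because logman may append a sequence number to the name given with -o.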
\Windows\Sysnative (p. 213) - a virtual directory seen only by WOW64 processes that reaches the real \Windows\System32, which is otherwise redirected to \Windows\SysWOW64 for 32-bit code
Wow64Disable(Revert)Wow64FsRedirection (p. 213) - From W2K3 SP1. Code example: http://msdn.microsoft.com/en-us/library/aa365743(VS.85).aspx
KEY_WOW64_64KEY / KEY_WOW64_32KEY flags for the RegXXX API (p. 214)
DeviceIoControlFile and IoIs32bitProcess (pp. 214 - 215) - http://msdn.microsoft.com/en-us/library/aa490629.aspx
On WOW64, old 16-bit InstallShield and Microsoft installers are substituted with 32-bit versions on the fly (p. 215)
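The three WOW64 views noted above (Sysnative, the Wow64Disable/RevertWow64FsRedirection pair and the KEY_WOW64_* registry flags) in one script, added here as an example and not taken from the post or the book. It assumes 64-bit Windows and is meant to be run twice: once from 32-bit PowerShell (%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) and once from 64-bit PowerShell. Get-PeMachine and Get-UninstallEntryCount are helper names I made up for the example; the P/Invoke declarations, the RegistryView enumeration (Registry64 and Registry32 map to KEY_WOW64_64KEY and KEY_WOW64_32KEY) and the PE header offsets are the real ones.

```powershell
# Added example (not from the page): what a WOW64 process sees, and how to reach the native views.

Add-Type -Namespace Wow64Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@

# Read IMAGE_FILE_HEADER.Machine so we can tell which binary a path really resolved to.
function Get-PeMachine {
    param([string]$Path)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $br = New-Object IO.BinaryReader($fs)
        $fs.Seek(0x3C, 'Begin') | Out-Null           # IMAGE_DOS_HEADER.e_lfanew
        $peOffset = $br.ReadInt32()
        $fs.Seek($peOffset + 4, 'Begin') | Out-Null  # skip the "PE\0\0" signature
        switch ($br.ReadUInt16()) {
            0x014c  { 'x86' }
            0x8664  { 'x64' }
            default { 'other' }
        }
    } finally { $fs.Dispose() }
}

$isWow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
"Running as a WOW64 process: $isWow64"

$sys32 = Join-Path $env:windir 'System32\notepad.exe'
'System32 path resolves to a {0} binary' -f (Get-PeMachine $sys32)

if ($isWow64) {
    # 1) The Sysnative alias bypasses redirection for path-based access only.
    $native = Join-Path $env:windir 'Sysnative\notepad.exe'
    'Sysnative path resolves to a {0} binary' -f (Get-PeMachine $native)

    # 2) Disabling redirection is per-thread. Keep the window short and always revert:
    #    any DLL loaded in between (including delay-loaded ones) would come from the
    #    wrong System32, which is the failure mode MSDN warns about for this API.
    $old = [IntPtr]::Zero
    if ([Wow64Demo.Native]::Wow64DisableWow64FsRedirection([ref]$old)) {
        try {
            'With redirection off, System32 path resolves to a {0} binary' -f (Get-PeMachine $sys32)
        } finally {
            [void][Wow64Demo.Native]::Wow64RevertWow64FsRedirection($old)
        }
    }
}

# 3) Registry: a 32-bit process opening HKLM\SOFTWARE lands in HKLM\SOFTWARE\WOW6432Node
#    unless it asks for the 64-bit view. RegistryView.Registry64 == KEY_WOW64_64KEY,
#    RegistryView.Registry32 == KEY_WOW64_32KEY. Uninstall entries make the difference visible.
function Get-UninstallEntryCount {
    param([Microsoft.Win32.RegistryView]$View)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $View)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
        if ($key) { $key.SubKeyCount } else { 0 }
    } finally { $hklm.Dispose() }
}

foreach ($view in 'Default', 'Registry32', 'Registry64') {
    '{0,-10} view: {1} uninstall entries' -f $view, (Get-UninstallEntryCount $view)
}
```

From 32-bit PowerShell the first two lines report x86 for the System32 path and x64 for Sysnative and for the redirection-off read; from 64-bit PowerShell the Sysnative branch is skipped and the Default registry view equals Registry64. The practical point for anyone auditing a machine from a 32-bit agent is that the Default views silently hide the 64-bit file system and registry; ask for the view you mean.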
User-mode debugging as a producer-consumer framework (p. 217) - Various debug-related function names to set breakpoints on when studying debugging (_imp_* and duplicates are not shown here):
0:000> x ntdll!Dbg*
00000000`7791af70 ntdll!DbgQueryDebugFilterState = <no type information>
00000000`7791af60 ntdll!DbgSetDebugFilterState = <no type information>
00000000`778c3840 ntdll!DbgPrintEx = <no type information>
00000000`779249a0 ntdll!DbgUiStopDebugging = <no type information>
00000000`778c6060 ntdll!DbgBreakPoint = <no type information>
00000000`77924a60 ntdll!DbgUiConnectToDbg = <no type information>
00000000`779249f0 ntdll!DbgUiWaitStateChange = <no type information>
00000000`77932710 ntdll!DbgUiIssueRemoteBreakin = <no type information>
00000000`77932780 ntdll!DbgUiDebugActiveProcess = <no type information>
00000000`778c6080 ntdll!DbgBreakPointWithStatus = <no type information>
00000000`7791af80 ntdll!DbgPrompt = <no type information>
00000000`778c6070 ntdll!DbgUserBreakPoint = <no type information>
00000000`77924a20 ntdll!DbgUiSetThreadDebugObject = <no type information>
00000000`77924790 ntdll!DbgUiConvertStateChangeStructure = <no type information>
00000000`77892560 ntdll!DbgPrint = <no type information>
00000000`77950000 ntdll!DbgUiRemoteBreakin = <no type information>
00000000`779249c0 ntdll!DbgUiContinue = <no type information>
00000000`7793bf30 ntdll!DbgPrintReturnControlC = <no type information>
00000000`77924a40 ntdll!DbgUiGetThreadDebugObject = <no type information>
00000000`778c6082 ntdll!DbgBreakPointWithStatusEnd = <no type information>
0:000> x ntdll!*Debug*
00000000`779970c0 ntdll!LoaderLockDebug = <no type information>
00000000`778c7810 ntdll!ZwDebugActiveProcess = <no type information>
00000000`779350f0 ntdll!RtlDebugFreeHeap = <no type information>
00000000`7794ff40 ntdll!RtlpSetProcessDebugInformationRemote = <no type information>
00000000`77952960 ntdll!RtlpQueryProcessDebugInformationFromWow64 = <no type information>
00000000`779405b0 ntdll!RtlDebugCreateHeap = <no type information>
00000000`779988a0 ntdll!RtlCriticalSectionDebugSList = <no type information>
00000000`778c8550 ntdll!NtWaitForDebugEvent = <no type information>
00000000`7799b760 ntdll!RtlpDefaultHeapDebuggingOptions = <no type information>
00000000`778c7dd0 ntdll!NtQueryDebugFilterState = <no type information>
00000000`778c60cc ntdll!DebugService2 = <no type information>
00000000`778c81e0 ntdll!NtSetDebugFilterState = <no type information>
00000000`7791b740 ntdll!IsDebugPortPresent = <no type information>
00000000`778c7650 ntdll!ZwCreateDebugObject = <no type information>
00000000`77914020 ntdll!RtlpDebugPageHeapDestroy = <no type information>
00000000`778c8550 ntdll!ZwWaitForDebugEvent = <no type information>
00000000`7791bc80 ntdll!RtlpCommitQueryDebugInfo = <no type information>
00000000`778c7dd0 ntdll!ZwQueryDebugFilterState = <no type information>
00000000`778c81e0 ntdll!ZwSetDebugFilterState = <no type information>
00000000`778c7650 ntdll!NtCreateDebugObject = <no type information>
00000000`7791e190 ntdll!RtlIsAnyDebuggerPresent = <no type information>
00000000`77950050 ntdll!RtlQueryProcessDebugInformation = <no type information>
00000000`77954db0 ntdll!RtlpQueryProcessDebugInformationRemote = <no type information>
00000000`77913a30 ntdll!RtlSetLFHDebuggingInformation = <no type information>
00000000`778c7810 ntdll!NtDebugActiveProcess = <no type information>
00000000`77942b90 ntdll!RtlDebugCompactHeap = <no type information>
00000000`77997c70 ntdll!RtlpDebugPageHeapTable = <no type information>
00000000`77914630 ntdll!RtlDebugPrintTimes = <no type information>
00000000`77941af0 ntdll!RtlDebugDestroyHeap = <no type information>
00000000`7791dab0 ntdll!RtlpSubSegmentDebugInitialize = <no type information>
00000000`77992738 ntdll!RtlpStaticDebugInfoEnd = <no type information>
00000000`77997080 ntdll!RtlpDynamicFunctionTableLockDebug = <no type information>
00000000`7791bc50 ntdll!RtlpDeCommitQueryDebugInfo = <no type information>
00000000`778c8060 ntdll!NtRemoveProcessDebug = <no type information>
00000000`7793c6a0 ntdll!CpupDebugPrintOnAmd64 = <no type information>
00000000`77940c30 ntdll!RtlDebugSetUserFlagsHeap = <no type information>
00000000`778c8060 ntdll!ZwRemoveProcessDebug = <no type information>
00000000`77923b20 ntdll!RtlpChangeQueryDebugBufferTarget = <no type information>
00000000`77954b10 ntdll!RtlDebugCreateTagHeap = <no type information>
00000000`77923b10 ntdll!RtlCommitDebugInfo = <no type information>
00000000`77914030 ntdll!RtlpDebugPageHeapCreate = <no type information>
00000000`7799e9c8 ntdll!AVrfpDebug = <no type information>
00000000`77923720 ntdll!AVrfpIsDebuggerPresent = <no type information>
00000000`77940f70 ntdll!RtlDebugGetUserInfoHeap = <no type information>
00000000`77940ab0 ntdll!RtlDebugSizeHeap = <no type information>
00000000`77997050 ntdll!RtlCriticalSectionLock_DEBUG = <no type information>
00000000`778c7820 ntdll!ZwDebugContinue = <no type information>
00000000`778c8260 ntdll!ZwSetInformationDebugObject = <no type information>
00000000`77898b00 ntdll!RtlpFreeDebugInfo = <no type information>
00000000`778c60ac ntdll!DebugPrompt = <no type information>
00000000`778c8470 ntdll!NtSystemDebugControl = <no type information>
00000000`778c8470 ntdll!ZwSystemDebugControl = <no type information>
00000000`77935420 ntdll!RtlSetProcessDebugInformation = <no type information>
00000000`77941710 ntdll!RtlDebugAllocateHeap = <no type information>
00000000`7794f390 ntdll!RtlSetHeapDebuggingInformation = <no type information>
00000000`77928060 ntdll!RtlDestroyQueryDebugBuffer = <no type information>
00000000`7792d560 ntdll!RtlpGetColdpatchDebugSignature = <no type information>
00000000`778c608c ntdll!DebugPrint = <no type information>
00000000`7791c320 ntdll!LdrpDoDebuggerBreak = <no type information>
00000000`77940960 ntdll!RtlDebugQueryTagHeap = <no type information>
00000000`77923b00 ntdll!RtlDeCommitDebugInfo = <no type information>
00000000`778c8260 ntdll!NtSetInformationDebugObject = <no type information>
00000000`778c7820 ntdll!NtDebugContinue = <no type information>
00000000`77941110 ntdll!RtlDebugReAllocateHeap = <no type information>
00000000`779408d0 ntdll!RtlDebugWalkHeap = <no type information>
00000000`779988c0 ntdll!RtlpStaticDebugInfo = <no type information>
00000000`7791ba70 ntdll!RtlCreateQueryDebugBuffer = <no type information>
00000000`7794eda0 ntdll!RtlpSetHeapDebuggingInformation = <no type information>
00000000`77934fd0 ntdll!RtlDebugZeroHeap = <no type information>
00000000`77992640 ntdll!RtlFailedCriticalDebugAllocations = <no type information>
00000000`77940df0 ntdll!RtlDebugSetUserValueHeap = <no type information>
00000000`779925d0 ntdll!LdrpDebugFlags = <no type information>
0:000> x kernel32!Dbg*
00000000`77791bd0 kernel32!DbgUiStopDebugging = <no type information>
00000000`77791b7c kernel32!DbgBreakPoint = <no type information>
00000000`77791bb8 kernel32!DbgUiConnectToDbg = <no type information>
00000000`77791b88 kernel32!DbgUiWaitStateChange = <no type information>
00000000`77791bdc kernel32!DbgUiIssueRemoteBreakin = <no type information>
00000000`77791bc4 kernel32!DbgUiDebugActiveProcess = <no type information>
00000000`77791ba0 kernel32!DbgUiConvertStateChangeStructure = <no type information>
00000000`7775d970 kernel32!DbgPrint = <no type information>
00000000`77791bac kernel32!DbgUiContinue = <no type information>
00000000`77791be8 kernel32!DbgUiGetThreadDebugObject = <no type information>
00000000`777e5170 kernel32!DbgPrintOut = <no type information>
0:000> x kernel32!*Debug*
00000000`777e41d0 kernel32!DebugActiveProcessStop = <no type information>
00000000`777e4230 kernel32!ContinueDebugEvent = <no type information>
00000000`7780e9b0 kernel32!_imp_NtRemoveProcessDebug = <no type information>
00000000`7780b780 kernel32!WerpLaunchAeDebug = <no type information>
00000000`777a2b20 kernel32!DebugTest = <no type information>
00000000`777b4340 kernel32!BasepIsDebugPortPresent = <no type information>
00000000`777b7540 kernel32!DebugSetProcessKillOnExit = <no type information>
00000000`77791c0c kernel32!NtRemoveProcessDebug = <no type information>
00000000`777ceac0 kernel32!WaitForDebugEvent = <no type information>
00000000`777b7650 kernel32!CheckRemoteDebuggerPresent = <no type information>
00000000`777e9ad0 kernel32!PatchDebug<_IMAGE_NT_HEADERS> = <no type information>
00000000`7775db30 kernel32!OutputDebugStringA = <no type information>
00000000`777a8f40 kernel32!DebugBreak = <no type information>
00000000`777efaf0 kernel32!WerpGetDebugger = <no type information>
00000000`777e98b0 kernel32!PatchDebug<_IMAGE_NT_HEADERS64> = <no type information>
00000000`777b75a0 kernel32!DebugBreakProcess = <no type information>
00000000`77791bf4 kernel32!NtSetInformationDebugObject = <no type information>
00000000`777ea590 kernel32!WerpIsProcessInAeDebugExclusionList = <no type information>
00000000`7775dcd0 kernel32!OutputDebugStringW = <no type information>
00000000`777cea50 kernel32!DebugActiveProcess = <no type information>
00000000`777a61b0 kernel32!BasepIsKernelDebuggerPresent = <no type information>
00000000`77757d20 kernel32!IsDebuggerPresent = <no type information>
0:000> x user32!*Debug*
00000000`776cc560 USER32!_fnHkINLPDEBUGHOOKSTRUCT = <no type information>
00000000`776beff0 USER32!SetDebugErrorLevel = <no type information>
0:000> x user32!Dbg*
00000000`77700a74 USER32!DbgPrint = <no type information>
0:000> x advapi32!Dbg*
000007fe`fecc9d40 ADVAPI32!DbgTrace = <no type information>
000007fe`fece9670 ADVAPI32!DbgPrint = <no type information>
000007fe`fec52c30 ADVAPI32!DbgStartTrace = <no type information>
0:000> x advapi32!*Debug*
000007fe`fed34ba8 ADVAPI32!fDebugInitialised = <no type information>
000007fe`fec88c10 ADVAPI32!InitDebugSupport = <no type information>
000007fe`fecbbd80 ADVAPI32!_DebugMsg = <no type information>
000007fe`fed21484 ADVAPI32!gDebugLevel = <no type information>
000007fe`fed117e0 ADVAPI32!cszPerfDebugTraceLevel = <no type information>
000007fe`fed21488 ADVAPI32!gDebugBreak = <no type information>
000007fe`fece1eb0 ADVAPI32!InitDebug = <no type information>
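Three of the checks behind the kernel32 and ntdll exports listed above, as an added example that is not from the post: kernel32!IsDebuggerPresent reads PEB.BeingDebugged, kernel32!CheckRemoteDebuggerPresent asks ntdll!NtQueryInformationProcess for ProcessDebugPort (the kernel-side debug object reference), and the script reproduces both readings by hand so the difference between a process-writable flag and a kernel-held value is visible. Assumptions (mine): Windows PowerShell on Vista or later; ProcessBasicInformation = 0 and ProcessDebugPort = 7 as information classes of NtQueryInformationProcess; PEB.BeingDebugged at byte offset 2 of the PEB on both x86 and x64; PROCESS_BASIC_INFORMATION is six pointer-sized fields with PebBaseAddress second. Test-DebuggerPresence is a name I made up for the example.

```powershell
# Added example (not from the page): the debugger-presence checks behind
# IsDebuggerPresent / CheckRemoteDebuggerPresent, done by hand via P/Invoke.

Add-Type -Namespace DbgDemo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")]
public static extern bool IsDebuggerPresent();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool isDebuggerPresent);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
    IntPtr info, int infoLength, out int returnLength);
'@

function Test-DebuggerPresence {
    $m = [Runtime.InteropServices.Marshal]
    $h = [DbgDemo.Native]::GetCurrentProcess()        # pseudo-handle, current process only

    # 1) kernel32!IsDebuggerPresent: returns PEB.BeingDebugged of the calling process.
    $apiFlag = [DbgDemo.Native]::IsDebuggerPresent()

    $pbiSize = 6 * [IntPtr]::Size                        # sizeof(PROCESS_BASIC_INFORMATION)
    $buf = $m::AllocHGlobal($pbiSize)
    try {
        # 2) The same byte read directly: ProcessBasicInformation (0) yields PebBaseAddress,
        #    the second pointer-sized field; BeingDebugged is the byte at PEB+2.
        $ret = 0
        $status = [DbgDemo.Native]::NtQueryInformationProcess($h, 0, $buf, $pbiSize, [ref]$ret)
        if ($status -ne 0) { throw ('ProcessBasicInformation failed: 0x{0:X8}' -f $status) }
        $peb = $m::ReadIntPtr($buf, [IntPtr]::Size)
        $pebFlag = $m::ReadByte($peb, 2) -ne 0           # reading our own address space

        # 3) ProcessDebugPort (7): the kernel returns a nonzero value while a debug object
        #    is attached to the process. This is what CheckRemoteDebuggerPresent relies on,
        #    and unlike the PEB byte it cannot be cleared by the debuggee itself.
        $m::WriteIntPtr($buf, 0, [IntPtr]::Zero)
        $status = [DbgDemo.Native]::NtQueryInformationProcess($h, 7, $buf, [IntPtr]::Size, [ref]$ret)
        $portFlag = ($status -eq 0) -and ($m::ReadIntPtr($buf, 0).ToInt64() -ne 0)
    } finally {
        $m::FreeHGlobal($buf)
    }

    # 4) The documented wrapper around check 3.
    $remote = $false
    [void][DbgDemo.Native]::CheckRemoteDebuggerPresent($h, [ref]$remote)

    [pscustomobject]@{
        IsDebuggerPresent          = $apiFlag
        PebBeingDebugged           = $pebFlag
        ProcessDebugPort           = $portFlag
        CheckRemoteDebuggerPresent = $remote
    }
}

Test-DebuggerPresence | Format-List
```

Run it once normally (all four fields False), then attach WinDbg to the powershell.exe process (the DbgUiDebugActiveProcess / NtDebugActiveProcess path in the listing) and run it again: all four flip to True. The split matters when reading anti-debugging code: the PEB byte is in the debuggee's own memory and a debugger can zero it, whereas the debug-port value lives in the kernel and only goes away when the debugger detaches (NtRemoveProcessDebug).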
- Dmitry Vostokov @ SoftwareGeneralist.com -