Reading Notebook: 24-September-09

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Injected debugger thread that generates the int 3 (breakpoint) event (p. 218):

0:001> kL
Child-SP          RetAddr           Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x21

DbgSsReserved[1] as the handle to a debug object (p. 218). It is NULL when I break into notepad.exe, in both the debuggee and the debugger TEBs:

0:001> ~*kL

   0  Id: cf0.aa0 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0016f788 00000000`7753d5be USER32!ZwUserGetMessage+0xa
00000000`0016f790 00000000`ffec6f4a USER32!GetMessageW+0x34
00000000`0016f7c0 00000000`ffecd00b notepad!WinMain+0x176
00000000`0016f840 00000000`7740be3d notepad!IsTextUTF8+0x24f
00000000`0016f900 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0016f930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

#  1  Id: cf0.974 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:001> dt _TEB DbgSsReserved 000007fffffdc000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:001> dq 000007fffffdc000+0x16a0 l2
000007ff`fffdd6a0  00000000`00000000 00000000`00000000

0:001> .dbgdbg
Debugger spawned, connect with
    "-remote npipe:icfenable,pipe=cdb_pipe,server=Computer"

0:003> ~*kL

   0  Id: 268.d70 Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`000fd660 00000000`7740fc13 ntdll!RtlLockHeap+0x1e
00000000`000fd6c0 000007fe`ff77218e kernel32!LocalLock+0x23
00000000`000fd700 000007fe`fe014772 IMM32!InternalImmLockIMC+0x138
00000000`000fd730 000007fe`fe014743 MSCTF!IMCLock::_LockIMC+0x1d
00000000`000fd760 000007fe`fe01a8fb MSCTF!IMCLock::IMCLock+0x33
00000000`000fd790 00000000`7753d53e MSCTF!CIMEUIWindowHandler::ImeUIWndProcWorker+0x2cd
00000000`000fd820 00000000`7753d7c6 USER32!UserCallWinProcCheckWow+0x1ad
00000000`000fd8e0 00000001`3f5a1bf0 USER32!DispatchMessageWorker+0x389
00000000`000fd960 00000001`3f5a1c70 windbg!ProcessNonDlgMessage+0x330
00000000`000fd9b0 00000001`3f5a850d windbg!ProcessPendingMessages+0x70
00000000`000fda20 00000001`3f5b3739 windbg!wmain+0x29d
00000000`000ffae0 00000000`7740be3d windbg!_CxxFrameHandler3+0x291
00000000`000ffb20 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`000ffb50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

   1  Id: 268.a6c Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`032bfa88 00000000`7741c0b0 ntdll!ZwWaitForSingleObject+0xa
00000000`032bfa90 00000000`7293e711 kernel32!WaitForSingleObjectEx+0x9c
00000000`032bfb50 00000001`3f575a4a dbgeng!DebugClient::DispatchCallbacks+0x61
00000000`032bfb90 00000000`7740be3d windbg!EngineLoop+0x37a
00000000`032bfbd0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`032bfc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

   2  Id: 268.bfc Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0699f6c8 00000000`7740f65c ntdll!NtRemoveIoCompletion+0xa
00000000`0699f6d0 000007fe`fe165d0d kernel32!GetQueuedCompletionStatus+0x48
00000000`0699f730 000007fe`fe165b93 RPCRT4!COMMON_ProcessCalls+0x7d
00000000`0699f7c0 000007fe`fe147769 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x133
00000000`0699f870 000007fe`fe147714 RPCRT4!ProcessIOEventsWrapper+0x9
00000000`0699f8a0 000007fe`fe1477a4 RPCRT4!BaseCachedThreadRoutine+0x94
00000000`0699f8e0 00000000`7740be3d RPCRT4!ThreadStartRoutine+0x24
00000000`0699f910 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0699f940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

#  3  Id: 268.f34 Suspend: 1 Teb: 000007ff`fffd9000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`06b6fb68 00000000`776c0038 ntdll!DbgBreakPoint
00000000`06b6fb70 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`06b6fba0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`06b6fbd0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:003> dt _TEB DbgSsReserved 000007ff`fffdb000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffdd000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffd7000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffd9000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

Image loader (pp. 220 - 221). Loader functions (Ldr*) show up in crash dumps when the loader fails because of third-party hooksware or corrupt images, and in memory dumps taken while a deadlock involves module loading. In WOW64 processes the loader also appears in ordinary stack traces:

0:000> kL
Child-SP          RetAddr           Call Site
00000000`0010eb98 00000000`7572ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`0010ec40 00000000`7572a14c wow64!RunCpuSimulation+0xa
00000000`0010ec70 00000000`7762bf9d wow64!Wow64LdrpInitialize+0x4b4
00000000`0010f1d0 00000000`7762bb9c ntdll!LdrpInitializeProcess+0x1568
00000000`0010f490 00000000`776168de ntdll! ?? ::FNODOBFM::`string'+0x20959
00000000`0010f540 00000000`00000000 ntdll!LdrInitializeThunk+0xe

There are some patterns related to DLL load and linkage: http://www.dumpanalysis.org/blog/index.php/2009/02/17/dll-link-patterns/

_LDR_DATA_TABLE_ENTRY field description (p. 223):

0:000> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x010 InMemoryOrderLinks : _LIST_ENTRY
   +0x020 InInitializationOrderLinks : _LIST_ENTRY
   +0x030 DllBase          : Ptr64 Void
   +0x038 EntryPoint       : Ptr64 Void
   +0x040 SizeOfImage      : Uint4B
   +0x048 FullDllName      : _UNICODE_STRING
   +0x058 BaseDllName      : _UNICODE_STRING
   +0x068 Flags            : Uint4B
   +0x06c LoadCount        : Uint2B
   +0x06e TlsIndex         : Uint2B
   +0x070 HashLinks        : _LIST_ENTRY
   +0x070 SectionPointer   : Ptr64 Void
   +0x078 CheckSum         : Uint4B
   +0x080 TimeDateStamp    : Uint4B
   +0x080 LoadedImports    : Ptr64 Void
   +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
   +0x090 PatchInformation : Ptr64 Void
   +0x098 ForwarderLinks   : _LIST_ENTRY
   +0x0a8 ServiceTagLinks  : _LIST_ENTRY
   +0x0b8 StaticLinks      : _LIST_ENTRY

Handy full !list command for listing module linked lists (pp. 224 - 225) - I was thinking about writing it myself while reading the previous page :-) 
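As an added example (not code from the book, the blog or WinDbg), the walk that !list performs over a PEB_LDR_DATA module list, written in Python against a constructed x64 memory image using the _LDR_DATA_TABLE_ENTRY offsets shown above. It generalizes to InMemoryOrderModuleList through the link offset (CONTAINING_RECORD) and adds the cycle and Blink checks one wants when walking a list from a dump that may be corrupt. Memory, walk_modules, build_sample and every address in it are assumptions I constructed for the example.

```python
import struct
# x64 _LDR_DATA_TABLE_ENTRY offsets from the dt output above; PEB_LDR_DATA list heads sit at +0x10/+0x20
LINK_IN_LOAD_ORDER, LINK_IN_MEMORY_ORDER = 0x000, 0x010
OFF_DLLBASE, OFF_SIZEOFIMAGE, OFF_FULLDLLNAME = 0x030, 0x040, 0x048
OFF_BASEDLLNAME, OFF_FLAGS, OFF_LOADCOUNT, ENTRY_SIZE = 0x058, 0x068, 0x06c, 0x0c8

class Memory:
    """Constructed stand-in for one range of dump memory: a flat buffer mapped at a base VA."""
    def __init__(self, base, size): self.base, self.buf = base, bytearray(size)
    def write(self, a, data): self.buf[a - self.base:a - self.base + len(data)] = data
    def read(self, a, n):
        if not (self.base <= a and a + n <= self.base + len(self.buf)): raise ValueError(f"unmapped {a:#x}")
        return bytes(self.buf[a - self.base:a - self.base + n])
    def u16(self, a): return struct.unpack("<H", self.read(a, 2))[0]
    def u32(self, a): return struct.unpack("<I", self.read(a, 4))[0]
    def u64(self, a): return struct.unpack("<Q", self.read(a, 8))[0]
    def unicode_string(self, a):   # _UNICODE_STRING: Length, MaximumLength, 4-byte pad, Buffer
        return self.read(self.u64(a + 8), self.u16(a)).decode("utf-16-le")

def walk_modules(mem, list_head, link_off=LINK_IN_LOAD_ORDER, limit=512):
    """!list-style walk: entry = link - link_off (CONTAINING_RECORD); raises on cycle, bad Blink or > limit."""
    mods, seen, prev, link = [], set(), list_head, mem.u64(list_head)
    while link != list_head:
        if link in seen or len(mods) >= limit or mem.u64(link + 8) != prev:
            raise ValueError(f"corrupt list at link {link:#x}")
        seen.add(link); e = link - link_off
        mods.append({"entry": e, "base": mem.u64(e + OFF_DLLBASE), "size": mem.u32(e + OFF_SIZEOFIMAGE),
                     "flags": mem.u32(e + OFF_FLAGS), "load_count": mem.u16(e + OFF_LOADCOUNT),
                     "name": mem.unicode_string(e + OFF_BASEDLLNAME),
                     "path": mem.unicode_string(e + OFF_FULLDLLNAME)})
        prev, link = link, mem.u64(link)
    return mods

def build_sample():
    """Constructed PEB_LDR_DATA with two entries (notepad.exe, ntdll.dll); every address is made up."""
    mem, ldr, entries = Memory(0x2A0000, 0x3000), 0x2A0000, [0x2A1000, 0x2A1100]
    specs = [(0xFF7E0000, 0x30000, r"C:\Windows\notepad.exe"),
             (0x77600000, 0x1A9000, r"C:\Windows\SYSTEM32\ntdll.dll")]
    for e, (base, size, path) in zip(entries, specs):
        mem.write(e + OFF_DLLBASE, struct.pack("<QQI", base, base + 0x1000, size))  # DllBase, EntryPoint, SizeOfImage
        mem.write(e + OFF_FLAGS, struct.pack("<IH", 0x4000, 0xFFFF))  # Flags, LoadCount (pinned)
        buf, cut = e + 0x1000, 2 * (path.rfind("\\") + 1)   # BaseDllName.Buffer points inside FullDllName.Buffer
        mem.write(buf, path.encode("utf-16-le"))
        mem.write(e + OFF_FULLDLLNAME, struct.pack("<HH4xQ", 2 * len(path), 2 * len(path) + 2, buf))
        mem.write(e + OFF_BASEDLLNAME, struct.pack("<HH4xQ", 2 * len(path) - cut, 2 * len(path) - cut + 2, buf + cut))
    # InLoadOrderModuleList keeps load order; InMemoryOrderModuleList is sorted by address (ntdll first here)
    for head_off, link_off, order in ((0x10, LINK_IN_LOAD_ORDER, entries), (0x20, LINK_IN_MEMORY_ORDER, entries[::-1])):
        ring = [ldr + head_off] + [e + link_off for e in order]   # circular: head -> entry -> entry -> head
        for i, a in enumerate(ring): mem.write(a, struct.pack("<QQ", ring[(i + 1) % len(ring)], ring[i - 1]))
    return mem, ldr
```

Calling walk_modules(mem, ldr + 0x10) on the sample yields notepad.exe then ntdll.dll; walk_modules(mem, ldr + 0x20, LINK_IN_MEMORY_ORDER) yields the reverse, and a Flink patched to point back into the list raises instead of looping.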

Loader entry flags (p. 225)

- Dmitry Vostokov @ SoftwareGeneralist.com -

