Archive for the ‘Reading Notebook’ Category

Reading Notebook: 09-November-09

Monday, November 9th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Service application (SApp) - service control program (SCP) - service control manager (SCM) (p. 282)

HKLM\S\CCS\Ss\<service>\ErrorControl = 3, SERVICE_ERROR_CRITICAL (p. 284) - can be used to force a bugcheck (BSOD) when service startup fails, so that a kernel memory dump is available for postmortem analysis of the failure. Caveat: a failed critical service first makes the SCM reboot into the last known good configuration; the boot is failed (and the crash produced) only when the system is already booting with last known good.

HKLM\S\CCS\Ss\<>\PreshutdownTimeout (p. 286)

HKLM\S\CCS\Ss\<service>\RequiredPrivileges (p. 286) - the SCM removes every privilege not listed here from the service process token (a shared svchost keeps the union of its services' lists), so a missing or over-broad list is worth checking when reviewing a service's attack surface

Service threads (p. 287) - some typical thread stack traces can be seen in this case study, which also shows that the service main thread calls the control handler functions: http://www.dumpanalysis.org/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/

Service accounts (p. 288) - attached WinDbg will not download symbols from MS symbol server unless Run as Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 29-October-09

Thursday, October 29th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

!reg hivelist -> viewlist -> db (pp. 274 - 275)

Registry cell index mapping as directory:table:offset (p. 275)

Registry key handle -> kcb (pp. 276 - 278)

Hive sync every 5 seconds, *.log{1|2} (pp. 278 - 279)

Registry filtering altitudes (p. 280)

Internal registry optimizations (pp. 280 - 281) - good implementation case study if you need to devise your own database. I might borrow some ideas for the next version of PDBFinder.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 28-October-09

Wednesday, October 28th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

TxR -> CLFS + \System32\Config\Txr (pp. 260 - 261)

Precedence of a non-transactional writer (p. 261)

Read-commit vs. predictable-read (p. 261)

Process Monitor internals (p. 262) - rather short section but inspired yet another DebugWare pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/28/debugware-patterns-part-11-2/

Process Monitor troubleshooting techniques (pp. 264 - 265) - a Process Monitor log is a kind of software trace, so the following growing list of patterns may be useful to keep in mind: http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/

Surviving logoff (persistent processes) (pp. 265 - 266)

Service profiles are stored in \ServiceProfiles\{Local|Network}Service\Ntuser.dat (p. 267)

HKLM\S\CCS\C\hivelist shows hive to file name mapping (p. 267)

x64: registry hives kept in paged pool; x86: accessed through mapped views (p. 268)

System and Software hives support values of >1 MB (p. 269)

Bin - block - cell - cell index (pp. 270 - 272)

Disk Probe, dskprobe.exe (pp. 271 - 272)
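As an added example that is not part of the original post (and not code from the book): a small Python parser that puts the bin/block/cell/cell-index structure above, and the directory:table:offset cell index mapping noted in the 29-October entry, into working code. It builds a constructed two-block hive (base block plus one hbin holding a root nk cell and a free cell; the layout and the name "ROOT" are assumptions, not a capture from a real system), verifies the base block signature, checksum and sequence numbers, walks every cell with bounds checks so that a tampered size field cannot send the parser out of its bin, decodes cell indexes into their cell map components and translates a stable cell index into the file offset one would look at in Disk Probe.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

BASE_BLOCK_SIZE = 0x1000   # the "regf" base block is the first 4 KB of the file
HBIN_HEADER_SIZE = 0x20
HCELL_NIL = 0xFFFFFFFF     # "no cell" marker used in nk/vk link fields


def decode_cell_index(cell_index: int) -> Tuple[bool, int, int, int]:
    """Split a cell index as the cell map does (p. 275): bit 31 selects the volatile map,
    bits 30..21 the directory entry, bits 20..12 the table entry (a 4 KB block),
    bits 11..0 the byte offset inside that block."""
    volatile = bool(cell_index & 0x80000000)
    return volatile, (cell_index >> 21) & 0x3FF, (cell_index >> 12) & 0x1FF, cell_index & 0xFFF


def cell_index_to_file_offset(cell_index: int) -> int:
    """On disk a stable cell index is simply its offset past the base block."""
    if cell_index & 0x80000000:
        raise ValueError("volatile cells exist only in memory, never in the hive file")
    return BASE_BLOCK_SIZE + cell_index


def base_block_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian DWORDs; 0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        csum ^= dword
    return 0xFFFFFFFE if csum == 0xFFFFFFFF else (csum or 1)


@dataclass
class Cell:
    cell_index: int      # offset from the start of the hive bins data
    size: int            # includes the 4-byte size field, 8-byte aligned
    allocated: bool      # negative size field == allocated
    data: bytes


def build_sample_hive() -> bytes:
    """Constructed hive (assumption): base block + one 4 KB bin with a root nk cell and a free cell."""
    name = b"ROOT"
    nk = bytearray(0x4C + len(name))
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 0x02, 0x2C)            # HIVE_ENTRY | NO_DELETE | COMP_NAME
    for off in (0x10, 0x1C, 0x20, 0x28, 0x2C, 0x30):  # parent, subkey lists, values, sd, class
        struct.pack_into("<I", nk, off, HCELL_NIL)
    struct.pack_into("<H", nk, 0x48, len(name))
    nk[0x4C:] = name
    cell_size = (4 + len(nk) + 7) & ~7
    root_cell = struct.pack("<i", -cell_size) + bytes(nk).ljust(cell_size - 4, b"\0")

    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, len(hbin))     # bin offset in hive bins data, bin size
    hbin[HBIN_HEADER_SIZE:HBIN_HEADER_SIZE + cell_size] = root_cell
    free_off = HBIN_HEADER_SIZE + cell_size
    struct.pack_into("<i", hbin, free_off, len(hbin) - free_off)   # positive size == free cell

    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 0x04, 1, 1)          # equal sequence numbers: cleanly flushed
    struct.pack_into("<IIII", base, 0x14, 1, 5, 0, 1)  # major, minor, type (primary), format
    struct.pack_into("<III", base, 0x24, HBIN_HEADER_SIZE, len(hbin), 1)  # root cell, bins size, cluster
    base[0x30:0x70] = "SAMPLE".encode("utf-16-le").ljust(64, b"\0")
    struct.pack_into("<I", base, 0x1FC, base_block_checksum(base))
    return bytes(base) + bytes(hbin)


def walk_cells(hive: bytes) -> List[Cell]:
    """Validate the base block, then enumerate every cell bin by bin, refusing headers
    or sizes that a corrupt or tampered hive could carry."""
    sig, seq1, seq2 = struct.unpack_from("<4sII", hive, 0)
    if sig != b"regf":
        raise ValueError("not a registry hive")
    if struct.unpack_from("<I", hive, 0x1FC)[0] != base_block_checksum(hive[:BASE_BLOCK_SIZE]):
        raise ValueError("base block checksum mismatch")
    if seq1 != seq2:
        raise ValueError("sequence numbers differ: hive not cleanly flushed, replay the .LOG first")
    bins_end = BASE_BLOCK_SIZE + struct.unpack_from("<I", hive, 0x28)[0]
    cells: List[Cell] = []
    pos = BASE_BLOCK_SIZE
    while pos < bins_end:
        bsig, boff, bsize = struct.unpack_from("<4sII", hive, pos)
        if bsig != b"hbin" or bsize == 0 or bsize % 0x1000 or boff != pos - BASE_BLOCK_SIZE:
            raise ValueError(f"corrupt hbin header at file offset {pos:#x}")
        cpos = pos + HBIN_HEADER_SIZE
        while cpos < pos + bsize:
            (ssize,) = struct.unpack_from("<i", hive, cpos)
            size = abs(ssize)
            if size == 0 or size % 8 or cpos + size > pos + bsize:
                raise ValueError(f"corrupt cell at file offset {cpos:#x}")
            cells.append(Cell(cpos - BASE_BLOCK_SIZE, size, ssize < 0, hive[cpos + 4:cpos + size]))
            cpos += size
        pos += bsize
    return cells


def root_key_name(hive: bytes) -> str:
    """Follow the base block's root cell index to its nk record and read the key name."""
    root_ci = struct.unpack_from("<I", hive, 0x24)[0]
    cell = {c.cell_index: c for c in walk_cells(hive)}[root_ci]
    if not cell.allocated or cell.data[:2] != b"nk":
        raise ValueError("root cell index does not point at an allocated nk record")
    flags = struct.unpack_from("<H", cell.data, 0x02)[0]
    name_len = struct.unpack_from("<H", cell.data, 0x48)[0]
    raw = cell.data[0x4C:0x4C + name_len]
    return raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")
```

The ValueError paths are the part a forensic parser cannot skip: hives recovered from a compromised host, or fed to a parser by an attacker, routinely carry bin or cell sizes that point outside the file, and the sequence-number check is what tells you the .LOG must be applied before the data is trusted.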

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 22-October-09

Thursday, October 22nd, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

REG_NONE and REG_QWORD (p. 251) - the former should have a purpose as a name switch

REG_LINK (pp. 251 - 252)

HKU\.DEFAULT as a local system profile (p. 253)

\Users location can be changed in HKLM\So\M\WNT\CV\ProfileList\ProfilesDirectory (p. 254)

BCDEdit is for HKLM\BCD, how to enable /DEBUG (pp. 255 - 257) - I also had to add more permissions for Administrators on the Elements key to be able to make modifications. Before editing:

C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}

After editing:

C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {cc03280e-0762-11de-b63a-af7e963a0201}
nx                      OptOut
debug                   Yes

Pdh.dll (p. 260) - Typical stack trace in TS environments:

[...]
winsta!WinStationQueryInformationW+0x2a
perfts!CollectTSObjectData+0x12f
advapi32!QueryExtensibleData+0x617
advapi32!PerfRegQueryValue+0x536
advapi32!LocalBaseRegQueryValue+0x306
advapi32!RegQueryValueExW+0x96
pdh!GetSystemPerfData+0x83
pdh!GetQueryPerfData+0x7f
pdh!PdhiCollectQueryData+0x40
pdh!PdhCollectQueryData+0x42
[...]

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 15-October-09

Thursday, October 15th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

TxF <-> KTM <-> TxR (pp. 240 - 241) - how to use files transactionally (CreateFileTransacted): http://msdn.microsoft.com/en-us/library/aa365008(VS.85).aspx (TxF has since been deprecated by Microsoft, so new code should not depend on it)

hotpatching actually rewrites 7 bytes: the 2-byte mov edi, edi at the function entry plus the 5 bytes of padding the compiler emits between the previous function and this one (p. 243) - impressive combination of a short (rel8) and a near (rel32) jmp: the short jmp written over the prologue lands on a rel32 jmp placed in the padding, and the 2-byte store is the only write that races with running threads
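As an added example (not from the book or the blog), the hotpatch mechanism in Python over a constructed flat 32-bit code blob: the builder writes the jmp rel32 into the padding first and only then the 2-byte short jmp over mov edi, edi, and the second function is the check a hook scanner runs to see where a patched prologue diverts calls. Offsets, the detour stub and the image bytes are assumptions; the only thing taken from the text is the byte layout (8B FF prologue, 5 bytes of int 3 or nop in front of it).

```python
from typing import Optional

MOV_EDI_EDI = b"\x8b\xff"        # 2-byte no-op prologue of a hotpatchable x86 function
SHORT_JMP_BACK_7 = b"\xeb\xf9"   # jmp rel8: next EIP is func+2, plus -7 lands on func-5
PADDING_BYTES = {0xCC, 0x90}     # int 3 / nop fill the 5-byte slot in front of the function


def build_hotpatch(image: bytes, func: int, detour: int) -> bytes:
    """Return a copy of `image` (flat 32-bit code addressed from offset 0) with
    `func` redirected to `detour`. The rel32 jmp goes into the padding first and
    the 2-byte short jmp is written last: a thread entering the function at any
    instant executes either the untouched prologue or the complete detour."""
    if image[func:func + 2] != MOV_EDI_EDI:
        raise ValueError("not hotpatchable: prologue is not mov edi, edi")
    if func < 5 or any(b not in PADDING_BYTES for b in image[func - 5:func]):
        raise ValueError("no 5-byte padding slot in front of the function")
    rel32 = (detour - func) & 0xFFFFFFFF      # jmp rel32 sits at func-5 and is 5 bytes long
    patched = bytearray(image)
    patched[func - 5:func] = b"\xe9" + rel32.to_bytes(4, "little")   # step 1: jmp rel32 in the padding
    patched[func:func + 2] = SHORT_JMP_BACK_7                          # step 2: one aligned 2-byte store
    return bytes(patched)


def hotpatch_target(image: bytes, func: int) -> Optional[int]:
    """Hook-scanner side: a prologue that reads EB F9 has been hotpatched; follow
    it into the padding, decode the rel32 and report where calls now go."""
    if image[func:func + 2] != SHORT_JMP_BACK_7:
        return None                            # still mov edi, edi (or not a hotpatch at all)
    if image[func - 5] != 0xE9:
        raise ValueError("prologue jumps into padding that holds no jmp rel32")
    rel32 = int.from_bytes(image[func - 4:func], "little", signed=True)
    return func + rel32


def build_sample_image() -> bytes:
    """Constructed flat code blob (assumption): int 3 padding at 0x1B..0x1F, a function
    whose prologue is mov edi,edi / push ebp / mov ebp,esp at 0x20, a detour (ret) at 0x100."""
    img = bytearray(b"\x90" * 0x200)
    img[0x1B:0x20] = b"\xcc" * 5
    img[0x20:0x25] = MOV_EDI_EDI + b"\x55\x8b\xec"
    img[0x100] = 0xC3
    return bytes(img)
```

The same two-byte test (EB F9 where 8B FF is expected) is how a memory scanner tells a legitimately hotpatched system DLL from an inline hook placed by hooksware; the scanner then decodes the rel32 to see whether the target lies inside a module you trust.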

KPP (PatchGuard) (pp. 244 - 246)

DKOM, direct kernel object manipulation (p. 245) - looks like subclassing in kernel

Bugcheck 109 - CRITICAL_STRUCTURE_CORRUPTION (p. 245) - used to be not very frequent but increased in frequency since the time of this post: http://www.dumpanalysis.org/blog/index.php/2008/03/12/bug-check-frequencies/

Enhanced process notifications since Vista SP1 (PsSetCreateProcessNotifyRoutineEx) let a driver block process launch (p. 246)

Two driver signing policies (KMCS and PnP) (p. 247)

Protected Media Path (p. 247) - more information is here: http://msdn.microsoft.com/en-us/library/aa376846(VS.85).aspx

Per-page image authentication (p. 247)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 05-October-09

Wednesday, October 7th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

.local file (p. 226) - found this explanation: http://msdn.microsoft.com/en-us/library/aa375142(VS.85).aspx

bound import table, forwarder entries (pp. 226 - 227)

TLS initializers as possible causes of DLL load failures (p. 228)

Hyper-V architectural stack (p. 229) - running processes inside W2K8 Hyper-V host running additional instance of W2K8:

         063c vmwp.exe         13755 (     55020 Kb)
         0750 vmconnect.exe    13445 (     53780 Kb)
         0aa4 mmc.exe          13184 (     52736 Kb)
         0714 vmms.exe         12228 (     48912 Kb)
         011c svchost.exe       7930 (     31720 Kb)
         09c0 explorer.exe      4603 (     18412 Kb)
         0340 svchost.exe       4525 (     18100 Kb)
         0ba4 WmiPrvSE.exe      2485 (      9940 Kb)
         04b0 svchost.exe       2321 (      9284 Kb)
         03e4 svchost.exe       2222 (      8888 Kb)
         0158 SLsvc.exe         2220 (      8880 Kb)
         01ec svchost.exe       1858 (      7432 Kb)
         0238 svchost.exe       1753 (      7012 Kb)
         05a8 spoolsv.exe       1698 (      6792 Kb)
         029c lsass.exe         1630 (      6520 Kb)
         0530 taskeng.exe       1275 (      5100 Kb)
         0768 svchost.exe       1120 (      4480 Kb)
         06cc WmiPrvSE.exe      1018 (      4072 Kb)
         03cc msdtc.exe         1007 (      4028 Kb)
         0384 svchost.exe        979 (      3916 Kb)
         0944 taskeng.exe        953 (      3812 Kb)
         0104 svchost.exe        910 (      3640 Kb)
         02a8 lsm.exe            877 (      3508 Kb)
         0708 svchost.exe        820 (      3280 Kb)
         0290 services.exe       802 (      3208 Kb)
         0348 svchost.exe        696 (      2784 Kb)
         0628 svchost.exe        680 (      2720 Kb)
         0004 System             673 (      2692 Kb)
         0214 csrss.exe          579 (      2316 Kb)
         0240 csrss.exe          531 (      2124 Kb)
         0274 winlogon.exe       520 (      2080 Kb)
         0980 dwm.exe            482 (      1928 Kb)
         0248 wininit.exe        472 (      1888 Kb)
         0634 svchost.exe        347 (      1388 Kb)
         068c svchost.exe        306 (      1224 Kb)
         01d0 smss.exe           117 (       468 Kb)
         0b7c wlrmdr.exe           0 (         0 Kb)

optimization enlightenments (p. 229)

VM Infrastructure driver vid.sys and hypervisor API winhv.sys (p. 232)

Vdev virtual devices (p. 234) - here is the list of loaded modules in the virtualization worker process vmwp.exe:

0: kd> lm1m
odbcint
kernel32
USER32
ntdll
PSAPI
vmwp
dssenh
vmbusvdev
rdp4vs
vmicshutdown
vmicvss
vmickvpexchange
synthnic
vmictimesync
vmicheartbeat
azroles
cryptnet
ODBC32
fastprox
wbemsvc
msxml3
SensApi
wbemprox
vsconfig
framedynos
wbemcomn
vmprox
vmwpctrl
vid_7fefb420000
vmbuspipe
COMCTL32_7fefbb80000
napinsp
winrnr
rasadhlp
WINTRUST
XmlLite
comctl32
NLAapi
wshtcpip
NTMARTA
GPAPI
rsaenh
schannel
mswsock
wship6
kerberos
bcrypt
ncrypt
dhcpcsvc6
dhcpcsvc
tspkg
wevtapi
slc
credssp
IPHLPAPI
CRYPT32
MPR
NTDSAPI
MSASN1
SAMLIB
DNSAPI
cryptdll
NETAPI32
WINNSI
AUTHZ
Secur32
USERENV
GDI32
MSCTF
SETUPAPI
ole32
SHLWAPI
msvcrt
ADVAPI32
CLBCatQ
USP10
RPCRT4
IMM32
LPK
imagehlp
WS2_32
OLEAUT32
COMDLG32
NSI
SHELL32
WLDAP32

0: kd> lmv m vmicheartbeat
start             end                 module name
000007fe`fa540000 000007fe`fa57c000   vmicheartbeat   (deferred)
    Image path: C:\Windows\System32\vmicheartbeat.dll
    Image name: vmicheartbeat.dll
    Timestamp:        Wed Jun 11 15:27:36 2008 (484FE0D8)
    CheckSum:         00033B40
    ImageSize:        0003C000
    File version:     6.0.6001.18016
    Product version:  6.0.6001.18016
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     vmicheartbeat
    OriginalFilename: vmicheartbeat.dll
    ProductVersion:   6.0.6001.18016
    FileVersion:      6.0.6001.18016 (vistasp1_gdr_vm_rtm.080611-0040)
    FileDescription:  Virtual Machine Integration Service Heartbeat Vdev
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

emulated and synthetic (enlightened I/O) devices (pp. 234 - 237):

0: kd> lmv m synthnic
start             end                 module name
000007fe`fa340000 000007fe`fa38a000   synthnic   (deferred)
    Image path: C:\Windows\System32\synthnic.dll
    Image name: synthnic.dll
    Timestamp:        Wed Jun 11 15:27:30 2008 (484FE0D2)
    CheckSum:         0003D7AA
    ImageSize:        0004A000
    File version:     6.0.6001.18016
    Product version:  6.0.6001.18016
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     SynthNic.dll
    OriginalFilename: SynthNic.dll
    ProductVersion:   6.0.6001.18016
    FileVersion:      6.0.6001.18016 (vistasp1_gdr_vm_rtm.080611-0040)
    FileDescription:  Microsoft Synthetic Network Card
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

VSC vs. VSP, VSC driver re-routes requests to VMBus (PnP enum for synthetic devices) (pp. 236 - 237)

Virtualized processors, virtual APIC, dynamic processor addition (pp. 237 - 238)

GVA, guest virtual address space -> GPA, guest physical address space -> SPA, system physical address space (pp. 238 - 239) - need to add this to my debugging dictionary: http://www.dumpanalysis.org/blog/index.php/category/dictionary-of-debugging/

SPT, shadow page tables, for direct GVA -> SPA translation

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 24-September-09

Friday, September 25th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Injected debugging thread to generate int 3 event (p. 218)

0:001> kL
Child-SP          RetAddr           Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x21

DbgSSReserved[1] as the handle to a debug object (p. 218) - It is NULL when I break into notepad.exe in both debuggee and debugger TEBs:

0:001> ~*kL

   0  Id: cf0.aa0 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0016f788 00000000`7753d5be USER32!ZwUserGetMessage+0xa
00000000`0016f790 00000000`ffec6f4a USER32!GetMessageW+0x34
00000000`0016f7c0 00000000`ffecd00b notepad!WinMain+0x176
00000000`0016f840 00000000`7740be3d notepad!IsTextUTF8+0x24f
00000000`0016f900 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0016f930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

#  1  Id: cf0.974 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:001> dt _TEB DbgSsReserved 000007fffffdc000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:001> dq 000007fffffdc000+0x16a0 l2
000007ff`fffdd6a0  00000000`00000000 00000000`00000000

0:001> .dbgdbg
Debugger spawned, connect with
    "-remote npipe:icfenable,pipe=cdb_pipe,server=Computer"

0:003> ~*kL

   0  Id: 268.d70 Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`000fd660 00000000`7740fc13 ntdll!RtlLockHeap+0x1e
00000000`000fd6c0 000007fe`ff77218e kernel32!LocalLock+0x23
00000000`000fd700 000007fe`fe014772 IMM32!InternalImmLockIMC+0x138
00000000`000fd730 000007fe`fe014743 MSCTF!IMCLock::_LockIMC+0x1d
00000000`000fd760 000007fe`fe01a8fb MSCTF!IMCLock::IMCLock+0x33
00000000`000fd790 00000000`7753d53e MSCTF!CIMEUIWindowHandler::ImeUIWndProcWorker+0x2cd
00000000`000fd820 00000000`7753d7c6 USER32!UserCallWinProcCheckWow+0x1ad
00000000`000fd8e0 00000001`3f5a1bf0 USER32!DispatchMessageWorker+0x389
00000000`000fd960 00000001`3f5a1c70 windbg!ProcessNonDlgMessage+0x330
00000000`000fd9b0 00000001`3f5a850d windbg!ProcessPendingMessages+0x70
00000000`000fda20 00000001`3f5b3739 windbg!wmain+0x29d
00000000`000ffae0 00000000`7740be3d windbg!_CxxFrameHandler3+0x291
00000000`000ffb20 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`000ffb50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

   1  Id: 268.a6c Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`032bfa88 00000000`7741c0b0 ntdll!ZwWaitForSingleObject+0xa
00000000`032bfa90 00000000`7293e711 kernel32!WaitForSingleObjectEx+0x9c
00000000`032bfb50 00000001`3f575a4a dbgeng!DebugClient::DispatchCallbacks+0x61
00000000`032bfb90 00000000`7740be3d windbg!EngineLoop+0x37a
00000000`032bfbd0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`032bfc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

   2  Id: 268.bfc Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0699f6c8 00000000`7740f65c ntdll!NtRemoveIoCompletion+0xa
00000000`0699f6d0 000007fe`fe165d0d kernel32!GetQueuedCompletionStatus+0x48
00000000`0699f730 000007fe`fe165b93 RPCRT4!COMMON_ProcessCalls+0x7d
00000000`0699f7c0 000007fe`fe147769 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x133
00000000`0699f870 000007fe`fe147714 RPCRT4!ProcessIOEventsWrapper+0x9
00000000`0699f8a0 000007fe`fe1477a4 RPCRT4!BaseCachedThreadRoutine+0x94
00000000`0699f8e0 00000000`7740be3d RPCRT4!ThreadStartRoutine+0x24
00000000`0699f910 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0699f940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

#  3  Id: 268.f34 Suspend: 1 Teb: 000007ff`fffd9000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`06b6fb68 00000000`776c0038 ntdll!DbgBreakPoint
00000000`06b6fb70 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`06b6fba0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`06b6fbd0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:003> dt _TEB DbgSsReserved 000007ff`fffdb000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffdd000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffd7000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffd9000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

Image loader (pp. 220 - 221) - We can see loader functions (LdrXXX) in crash dumps when loading fails because of third-party hooksware or corrupt images, and in memory dumps taken when a deadlock involves module loading. In WOW64 processes they also appear on stack traces:

0:000> kL
Child-SP          RetAddr           Call Site
00000000`0010eb98 00000000`7572ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`0010ec40 00000000`7572a14c wow64!RunCpuSimulation+0xa
00000000`0010ec70 00000000`7762bf9d wow64!Wow64LdrpInitialize+0x4b4
00000000`0010f1d0 00000000`7762bb9c ntdll!LdrpInitializeProcess+0x1568
00000000`0010f490 00000000`776168de ntdll! ?? ::FNODOBFM::`string'+0x20959
00000000`0010f540 00000000`00000000 ntdll!LdrInitializeThunk+0xe

There are some patterns related to DLL load and linkage: http://www.dumpanalysis.org/blog/index.php/2009/02/17/dll-link-patterns/

_LDR_DATA_TABLE_ENTRY field description (p. 223)

0:000> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x010 InMemoryOrderLinks : _LIST_ENTRY
   +0x020 InInitializationOrderLinks : _LIST_ENTRY
   +0x030 DllBase          : Ptr64 Void
   +0x038 EntryPoint       : Ptr64 Void
   +0x040 SizeOfImage      : Uint4B
   +0x048 FullDllName      : _UNICODE_STRING
   +0x058 BaseDllName      : _UNICODE_STRING
   +0x068 Flags            : Uint4B
   +0x06c LoadCount        : Uint2B
   +0x06e TlsIndex         : Uint2B
   +0x070 HashLinks        : _LIST_ENTRY
   +0x070 SectionPointer   : Ptr64 Void
   +0x078 CheckSum         : Uint4B
   +0x080 TimeDateStamp    : Uint4B
   +0x080 LoadedImports    : Ptr64 Void
   +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
   +0x090 PatchInformation : Ptr64 Void
   +0x098 ForwarderLinks   : _LIST_ENTRY
   +0x0a8 ServiceTagLinks  : _LIST_ENTRY
   +0x0b8 StaticLinks      : _LIST_ENTRY

Handy full !list command for listing module linked lists (pp. 224 - 225) - I was thinking about writing it myself while reading the previous page :-) 

Loader entry flags (p. 225)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 21-September-09

Monday, September 21st, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

ETW components (p. 207) - A few years ago I made this UML component diagram showing the relation of various providers to OS components and interfaces:

My trace analysis patterns are largely based on ETW traces: http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/

Fragment of process image loading sequence when tracing Microsoft-Windows-Kernel-Process provider:

PID          TID         User Data
0x00000AC8  0x0000086C "\Device\HarddiskVolume2\Windows\System32\notepad.exe"
0x00000EBC  0x000007E4 "\Device\HarddiskVolume2\Windows\System32\notepad.exe"
0x00000EBC  0x000007E4 "\SystemRoot\System32\ntdll.dll"
0x00000EBC  0x000007E4 "\Windows\System32\kernel32.dll"
[...]

\Windows\Sysnative (p. 213)

Wow64Disable(Revert)Wow64FsRedirection (p. 213) - From W2K3 SP1. Code example: http://msdn.microsoft.com/en-us/library/aa365743(VS.85).aspx

KEY_WOW64_64(32)KEY flags for RegXXX API (p. 214) 

DeviceIoControlFile and IoIs32bitProcess (pp. 214 - 215) - http://msdn.microsoft.com/en-us/library/aa490629.aspx

On WOW64, old 16-bit InstallShield and Microsoft installers are substituted with 32-bit versions on the fly (p. 215)

User-mode debugging as a producer-consumer framework (p. 217) - Various debug-related function names to set breakpoints on when studying debugging (_imp_* entries and duplicates are not shown here):

0:000> x ntdll!Dbg*
00000000`7791af70 ntdll!DbgQueryDebugFilterState = <no type information>
00000000`7791af60 ntdll!DbgSetDebugFilterState = <no type information>
00000000`778c3840 ntdll!DbgPrintEx = <no type information>
00000000`779249a0 ntdll!DbgUiStopDebugging = <no type information>
00000000`778c6060 ntdll!DbgBreakPoint = <no type information>
00000000`77924a60 ntdll!DbgUiConnectToDbg = <no type information>
00000000`779249f0 ntdll!DbgUiWaitStateChange = <no type information>
00000000`77932710 ntdll!DbgUiIssueRemoteBreakin = <no type information>
00000000`77932780 ntdll!DbgUiDebugActiveProcess = <no type information>
00000000`778c6080 ntdll!DbgBreakPointWithStatus = <no type information>
00000000`7791af80 ntdll!DbgPrompt = <no type information>
00000000`778c6070 ntdll!DbgUserBreakPoint = <no type information>
00000000`77924a20 ntdll!DbgUiSetThreadDebugObject = <no type information>
00000000`77924790 ntdll!DbgUiConvertStateChangeStructure = <no type information>
00000000`77892560 ntdll!DbgPrint = <no type information>
00000000`77950000 ntdll!DbgUiRemoteBreakin = <no type information>
00000000`779249c0 ntdll!DbgUiContinue = <no type information>
00000000`7793bf30 ntdll!DbgPrintReturnControlC = <no type information>
00000000`77924a40 ntdll!DbgUiGetThreadDebugObject = <no type information>
00000000`778c6082 ntdll!DbgBreakPointWithStatusEnd = <no type information>

0:000> x ntdll!*Debug*
00000000`779970c0 ntdll!LoaderLockDebug = <no type information>
00000000`778c7810 ntdll!ZwDebugActiveProcess = <no type information>
00000000`779350f0 ntdll!RtlDebugFreeHeap = <no type information>
00000000`7794ff40 ntdll!RtlpSetProcessDebugInformationRemote = <no type information>
00000000`77952960 ntdll!RtlpQueryProcessDebugInformationFromWow64 = <no type information>
00000000`779405b0 ntdll!RtlDebugCreateHeap = <no type information>
00000000`779988a0 ntdll!RtlCriticalSectionDebugSList = <no type information>
00000000`778c8550 ntdll!NtWaitForDebugEvent = <no type information>
00000000`7799b760 ntdll!RtlpDefaultHeapDebuggingOptions = <no type information>
00000000`778c7dd0 ntdll!NtQueryDebugFilterState = <no type information>
00000000`778c60cc ntdll!DebugService2 = <no type information>
00000000`778c81e0 ntdll!NtSetDebugFilterState = <no type information>
00000000`7791b740 ntdll!IsDebugPortPresent = <no type information>
00000000`778c7650 ntdll!ZwCreateDebugObject = <no type information>
00000000`77914020 ntdll!RtlpDebugPageHeapDestroy = <no type information>
00000000`778c8550 ntdll!ZwWaitForDebugEvent = <no type information>
00000000`7791bc80 ntdll!RtlpCommitQueryDebugInfo = <no type information>
00000000`778c7dd0 ntdll!ZwQueryDebugFilterState = <no type information>
00000000`778c81e0 ntdll!ZwSetDebugFilterState = <no type information>
00000000`778c7650 ntdll!NtCreateDebugObject = <no type information>
00000000`7791e190 ntdll!RtlIsAnyDebuggerPresent = <no type information>
00000000`77950050 ntdll!RtlQueryProcessDebugInformation = <no type information>
00000000`77954db0 ntdll!RtlpQueryProcessDebugInformationRemote = <no type information>
00000000`77913a30 ntdll!RtlSetLFHDebuggingInformation = <no type information>
00000000`778c7810 ntdll!NtDebugActiveProcess = <no type information>
00000000`77942b90 ntdll!RtlDebugCompactHeap = <no type information>
00000000`77997c70 ntdll!RtlpDebugPageHeapTable = <no type information>
00000000`77914630 ntdll!RtlDebugPrintTimes = <no type information>
00000000`77941af0 ntdll!RtlDebugDestroyHeap = <no type information>
00000000`7791dab0 ntdll!RtlpSubSegmentDebugInitialize = <no type information>
00000000`77992738 ntdll!RtlpStaticDebugInfoEnd = <no type information>
00000000`77997080 ntdll!RtlpDynamicFunctionTableLockDebug = <no type information>
00000000`7791bc50 ntdll!RtlpDeCommitQueryDebugInfo = <no type information>
00000000`778c8060 ntdll!NtRemoveProcessDebug = <no type information>
00000000`7793c6a0 ntdll!CpupDebugPrintOnAmd64 = <no type information>
00000000`77940c30 ntdll!RtlDebugSetUserFlagsHeap = <no type information>
00000000`778c8060 ntdll!ZwRemoveProcessDebug = <no type information>
00000000`77923b20 ntdll!RtlpChangeQueryDebugBufferTarget = <no type information>
00000000`77954b10 ntdll!RtlDebugCreateTagHeap = <no type information>
00000000`77923b10 ntdll!RtlCommitDebugInfo = <no type information>
00000000`77914030 ntdll!RtlpDebugPageHeapCreate = <no type information>
00000000`7799e9c8 ntdll!AVrfpDebug = <no type information>
00000000`77923720 ntdll!AVrfpIsDebuggerPresent = <no type information>
00000000`77940f70 ntdll!RtlDebugGetUserInfoHeap = <no type information>
00000000`77940ab0 ntdll!RtlDebugSizeHeap = <no type information>
00000000`77997050 ntdll!RtlCriticalSectionLock_DEBUG = <no type information>
00000000`778c7820 ntdll!ZwDebugContinue = <no type information>
00000000`778c8260 ntdll!ZwSetInformationDebugObject = <no type information>
00000000`77898b00 ntdll!RtlpFreeDebugInfo = <no type information>
00000000`778c60ac ntdll!DebugPrompt = <no type information>
00000000`778c8470 ntdll!NtSystemDebugControl = <no type information>
00000000`778c8470 ntdll!ZwSystemDebugControl = <no type information>
00000000`77935420 ntdll!RtlSetProcessDebugInformation = <no type information>
00000000`77941710 ntdll!RtlDebugAllocateHeap = <no type information>
00000000`7794f390 ntdll!RtlSetHeapDebuggingInformation = <no type information>
00000000`77928060 ntdll!RtlDestroyQueryDebugBuffer = <no type information>
00000000`7792d560 ntdll!RtlpGetColdpatchDebugSignature = <no type information>
00000000`778c608c ntdll!DebugPrint = <no type information>
00000000`7791c320 ntdll!LdrpDoDebuggerBreak = <no type information>
00000000`77940960 ntdll!RtlDebugQueryTagHeap = <no type information>
00000000`77923b00 ntdll!RtlDeCommitDebugInfo = <no type information>
00000000`778c8260 ntdll!NtSetInformationDebugObject = <no type information>
00000000`778c7820 ntdll!NtDebugContinue = <no type information>
00000000`77941110 ntdll!RtlDebugReAllocateHeap = <no type information>
00000000`779408d0 ntdll!RtlDebugWalkHeap = <no type information>
00000000`779988c0 ntdll!RtlpStaticDebugInfo = <no type information>
00000000`7791ba70 ntdll!RtlCreateQueryDebugBuffer = <no type information>
00000000`7794eda0 ntdll!RtlpSetHeapDebuggingInformation = <no type information>
00000000`77934fd0 ntdll!RtlDebugZeroHeap = <no type information>
00000000`77992640 ntdll!RtlFailedCriticalDebugAllocations = <no type information>
00000000`77940df0 ntdll!RtlDebugSetUserValueHeap = <no type information>
00000000`779925d0 ntdll!LdrpDebugFlags = <no type information>

0:000> x kernel32!Dbg*
00000000`77791bd0 kernel32!DbgUiStopDebugging = <no type information>
00000000`77791b7c kernel32!DbgBreakPoint = <no type information>
00000000`77791bb8 kernel32!DbgUiConnectToDbg = <no type information>
00000000`77791b88 kernel32!DbgUiWaitStateChange = <no type information>
00000000`77791bdc kernel32!DbgUiIssueRemoteBreakin = <no type information>
00000000`77791bc4 kernel32!DbgUiDebugActiveProcess = <no type information>
00000000`77791ba0 kernel32!DbgUiConvertStateChangeStructure = <no type information>
00000000`7775d970 kernel32!DbgPrint = <no type information>
00000000`77791bac kernel32!DbgUiContinue = <no type information>
00000000`77791be8 kernel32!DbgUiGetThreadDebugObject = <no type information>
00000000`777e5170 kernel32!DbgPrintOut = <no type information>

0:000> x kernel32!*Debug*
00000000`777e41d0 kernel32!DebugActiveProcessStop = <no type information>
00000000`777e4230 kernel32!ContinueDebugEvent = <no type information>
00000000`7780e9b0 kernel32!_imp_NtRemoveProcessDebug = <no type information>
00000000`7780b780 kernel32!WerpLaunchAeDebug = <no type information>
00000000`777a2b20 kernel32!DebugTest = <no type information>
00000000`777b4340 kernel32!BasepIsDebugPortPresent = <no type information>
00000000`777b7540 kernel32!DebugSetProcessKillOnExit = <no type information>
00000000`77791c0c kernel32!NtRemoveProcessDebug = <no type information>
00000000`777ceac0 kernel32!WaitForDebugEvent = <no type information>
00000000`777b7650 kernel32!CheckRemoteDebuggerPresent = <no type information>
00000000`777e9ad0 kernel32!PatchDebug<_IMAGE_NT_HEADERS> = <no type information>
00000000`7775db30 kernel32!OutputDebugStringA = <no type information>
00000000`777a8f40 kernel32!DebugBreak = <no type information>
00000000`777efaf0 kernel32!WerpGetDebugger = <no type information>
00000000`777e98b0 kernel32!PatchDebug<_IMAGE_NT_HEADERS64> = <no type information>
00000000`777b75a0 kernel32!DebugBreakProcess = <no type information>
00000000`77791bf4 kernel32!NtSetInformationDebugObject = <no type information>
00000000`777ea590 kernel32!WerpIsProcessInAeDebugExclusionList = <no type information>
00000000`7775dcd0 kernel32!OutputDebugStringW = <no type information>
00000000`777cea50 kernel32!DebugActiveProcess = <no type information>
00000000`777a61b0 kernel32!BasepIsKernelDebuggerPresent = <no type information>
00000000`77757d20 kernel32!IsDebuggerPresent = <no type information>

0:000> x user32!*Debug*
00000000`776cc560 USER32!_fnHkINLPDEBUGHOOKSTRUCT = <no type information>
00000000`776beff0 USER32!SetDebugErrorLevel = <no type information>

0:000> x user32!Dbg*
00000000`77700a74 USER32!DbgPrint = <no type information>

0:000> x advapi32!Dbg*
000007fe`fecc9d40 ADVAPI32!DbgTrace = <no type information>
000007fe`fece9670 ADVAPI32!DbgPrint = <no type information>
000007fe`fec52c30 ADVAPI32!DbgStartTrace = <no type information>

0:000> x advapi32!*Debug*
000007fe`fed34ba8 ADVAPI32!fDebugInitialised = <no type information>
000007fe`fec88c10 ADVAPI32!InitDebugSupport = <no type information>
000007fe`fecbbd80 ADVAPI32!_DebugMsg = <no type information>
000007fe`fed21484 ADVAPI32!gDebugLevel = <no type information>
000007fe`fed117e0 ADVAPI32!cszPerfDebugTraceLevel = <no type information>
000007fe`fed21488 ADVAPI32!gDebugBreak = <no type information>
000007fe`fece1eb0 ADVAPI32!InitDebug = <no type information>

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 16-September-09

Wednesday, September 16th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

InitOnceExecuteOnce API, synchronous (p. 197) - new in Vista and W2K8, http://msdn.microsoft.com/en-us/library/ms683493(VS.85).aspx

InitOnceBeginInitialize / InitOnceComplete API, asynchronous (p. 197) - code examples for one-time initialization: http://msdn.microsoft.com/en-us/library/ms686934(VS.85).aspx

Dynamic worker threads (pp. 199 - 200)

ALPC (pp. 202 - 206) - ALPC is used extensively in terminal services environments. Here is sample WinDbg output of the kind to mine for ALPC wait chains in frozen systems and blocked services:

1: kd> !process 0 ff

[...]

THREAD fffffa8006ef7060  Cid 0350.279c  Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa8006ef73f0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
IRP List:
    fffffa8006d21c60: (0006,03a0) Flags: 00060030  Mdl: 00000000
    fffffa8005f876c0: (0006,03a0) Flags: 00060030  Mdl: 00000000
Not impersonating
DeviceMap                 fffff88000007450
Owning Process            fffffa80057844d0       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      10908131       Ticks: 18864 (0:00:04:54.750)
Context Switch Count      12660                 LargeStack
UserTime                  00:00:00.671
KernelTime                00:00:00.578
Win32 Start Address 0x000007fefe51fdec
Stack Init fffffa6006249db0 Current fffffa6006249670
Base fffffa600624a000 Limit fffffa6006243000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`062496b0 fffff800`016a36fa nt!KiSwapContext+0x7f
fffffa60`062497f0 fffff800`0169835b nt!KiSwapThread+0x13a
fffffa60`06249860 fffff800`016cd4e2 nt!KeWaitForSingleObject+0x2cb
fffffa60`062498f0 fffff800`01916d14 nt!AlpcpSignalAndWait+0x92
fffffa60`06249980 fffff800`019137a6 nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`062499e0 fffff800`0190330f nt!AlpcpProcessSynchronousRequest+0x24f
fffffa60`06249b00 fffff800`016a0ef3 nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`06249bb0 00000000`774d756a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`06249c20)
00000000`029decd8 00000000`00000000 0x774d756a

1: kd> !alpc /m fffff880104eecf0

Message @ fffff880104eecf0
  MessageID             : 0x053C (1340)
  CallbackID            : 0xC26264 (12739172)
  SequenceNumber        : 0x0000031F (799)
  Type                  : LPC_REQUEST
  DataLength            : 0x0048 (72)
  TotalLength           : 0x0070 (112)
  Canceled              : No
  Release               : No
  ReplyWaitReply        : No
  Continuation          : Yes
  OwnerPort             : fffffa800a7804d0 [ALPC_CLIENT_COMMUNICATION_PORT]
  WaitingThread         : fffffa8006ef7060
  QueueType             : ALPC_MSGQUEUE_PENDING
  QueuePort             : fffffa80060d4c80 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8004c39040 (svchost.exe)
  ServerThread          : fffffa800aa8c700
  QuotaCharged          : No
  CancelQueuePort       : 0000000000000000
  CancelSequencePort    : 0000000000000000
  CancelSequenceNumber  : 0x00000000 (0)
  ClientContext         : 0000000004e87390
  ServerContext         : 0000000000000000
  PortContext           : 0000000005615340
  CancelPortContext     : 0000000000000000
  SecurityData          : 0000000000000000
  View                  : 0000000000000000

1: kd> !alpc /p fffffa80060d4c80
Port @ fffffa80060d4c80
  Type                      : ALPC_CONNECTION_PORT
  CommunicationInfo         : fffff88007f66ba0
    ConnectionPort          : fffffa80060d4c80
    ClientCommunicationPort : 0000000000000000
    ServerCommunicationPort : 0000000000000000
  OwnerProcess              : fffffa8004c39040 (svchost.exe)
  SequenceNo                : 0x00000000 (0)
  CompletionPort            : fffffa80057d8040
  CompletionList            : 0000000000000000
  MessageZone               : 0000000000000000
  ConnectionPending         : No
  ConnectionRefused         : No
  Disconnected              : No
  Closed                    : No
  FlushOnClose              : Yes
  ReturnExtendedInfo        : No
  Waitable                  : No
  Security                  : Static
  Wow64CompletionList       : No

  Main queue is empty.

  Large message queue is empty.

  Pending queue has 192 message(s)

    fffff88012c7e030 0000201c 0000000000013f88:00000000000154fc 0000000000000000 fffffa8008573a30 LPC_CANCELED
    fffff88009a98cf0 0000221c 0000000000000b04:00000000000109b4 fffffa800b533bb0 fffffa8008ee7bb0 LPC_REQUEST
    fffff880129b9cf0 00001ffc 00000000000067d8:000000000000a85c fffffa800a032060 fffffa800a408060 LPC_REQUEST
    fffff8800ed62cf0 00001ea4 0000000000012c1c:0000000000013238 fffffa800afbcbb0 fffffa800bbf1060 LPC_REQUEST
    fffff88011fa7cf0 000014ec 0000000000000b04:0000000000013a38 fffffa80072c6bb0 fffffa800b4d2700 LPC_REQUEST
    fffff8801001e980 0000159c 000000000000b25c:0000000000003004 fffffa8006ebcbb0 fffffa8009c25060 LPC_REQUEST
    fffff88009a56cf0 00001f94 0000000000012940:0000000000015478 fffffa800a75d700 fffffa800b4b8060 LPC_REQUEST
[...]
    fffff880129aa640 000018f0 000000000000d31c:00000000000147c0 fffffa800ab9bbb0 fffffa8006ffb560 LPC_REQUEST
    fffff88008b29ac0 0000152c 000000000000fa5c:000000000000faa4 0000000000000000 fffffa800abadbb0 LPC_CANCELED
    fffff88009eaa460 000005dc 000000000000e13c:000000000000e3d4 fffffa800921b630 fffffa800a191060 LPC_REQUEST

  Canceled queue is empty.
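The wait chain the dump above exposes (client thread in WrLpcReply -> ALPC message -> connection port -> owning server process and its server thread) can be pulled out of saved WinDbg text mechanically. The Python below is an added example, not from the book or the original post; its sample text is constructed from the output above and trimmed to the lines the parser keys on.

```python
import re
# Constructed sample trimmed from "!process 0 ff" / "!alpc /m" output like the one above.
PROCESS_DUMP = """\
THREAD fffffa8006ef7060  Cid 0350.279c  Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
Owning Process            fffffa80057844d0       Image:         svchost.exe
Wait Start TickCount      10908131       Ticks: 18864 (0:00:04:54.750)
THREAD fffffa8006ef8080  Cid 0350.1234  Teb: 000007fffffa2000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
"""
ALPC_MESSAGE = """\
Message @ fffff880104eecf0
  QueuePortOwnerProcess : fffffa8004c39040 (svchost.exe)
  ServerThread          : fffffa800aa8c700
"""

THREAD_RE = re.compile(r"^THREAD (?P<thread>[0-9a-f]+).*WAIT: \((?P<reason>\w+)\)")
ALPC_RE = re.compile(r"Waiting for reply to ALPC Message (?P<msg>[0-9a-f]+) : queued at port (?P<port>[0-9a-f]+) : owned by process (?P<server>[0-9a-f]+)")
OWNER_RE = re.compile(r"Owning Process\s+(?P<proc>[0-9a-f]+)\s+Image:\s+(?P<image>\S+)")
TICKS_RE = re.compile(r"Ticks: \d+ \((?P<elapsed>[\d:.]+)\)")

def parse_alpc_waiters(dump):
    """One record per thread blocked in WrLpcReply on an ALPC message."""
    waiters = []
    for block in re.split(r"\n(?=THREAD )", dump):  # one chunk per THREAD header
        t, w = THREAD_RE.search(block), ALPC_RE.search(block)
        if not (t and w):
            continue  # not a thread block, or a thread not waiting on an ALPC reply
        o, k = OWNER_RE.search(block), TICKS_RE.search(block)
        waiters.append({"thread": t["thread"], "reason": t["reason"],
                        "image": o["image"] if o else "?", "elapsed": k["elapsed"] if k else "?",
                        "message": w["msg"], "port": w["port"], "server_process": w["server"]})
    return waiters

def parse_alpc_message(text):
    """Server side of the message, from '!alpc /m <message>' output."""
    owner = re.search(r"QueuePortOwnerProcess\s*:\s*([0-9a-f]+)\s*\((\S+)\)", text)
    server = re.search(r"ServerThread\s*:\s*([0-9a-f]+)", text)
    return {"server_process": owner.group(1), "server_image": owner.group(2),
            "server_thread": server.group(1)}

def wait_chain(waiter, message):
    """Render client thread -> message/port -> server process/thread as one line."""
    assert waiter["server_process"] == message["server_process"], "port owner mismatch"
    return (f"{waiter['image']} thread {waiter['thread']} --[{waiter['reason']} "
            f"{waiter['elapsed']}]--> msg {waiter['message']} @ port {waiter['port']} "
            f"--> {message['server_image']} server thread {message['server_thread']}")

for w in parse_alpc_waiters(PROCESS_DUMP):
    print(wait_chain(w, parse_alpc_message(ALPC_MESSAGE)))
```

Run over a whole `!process 0 ff` listing, the per-thread records let you group blocked clients by port and server process, which is where a hung service shows up.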

The .NET Developer’s Guide to Windows Security by M. Brown:

Developing code in a non-privileged way: two logons (p. 35)

whoami command (p. 37) - whoami /all

netsh command (p. 37)

runas /netonly (p. 39)

Nested runas commands (p. 40)

Debugger Users group (p. 41) 

Run - install assumption (p. 46) - Got an idea for a bugtation: “You must assume that your program will be” coded “by one person and” debugged “by another!”

Least privilege for installer design (p. 46)

Software Requirements & Specifications by M. Jackson:

Indicative mood of formalizations (p. 9)

Application domain vs. generic domain and app. domain vs. environment (p. 9)

Structured Analysis of DeMarco / Gane / Sarson - the danger of thinking in terms of a machine when looking at the existing system (p. 10)

Construction of difficulty from simplicity in software development, shorter vs. longer problem description spans (pp. 12 - 14) - lesson: create one structural UML diagram that covers all possible problem spans

Different views on the origin of software development disasters (pp. 14 - 15) - the view of a memory dump analysis engineer: study crash dump analysis patterns (by applying bijectionism) and learn from them. Software artifacts are memory dumps. Software development is memory change.

Software technology as technology of description (p. 17) 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-September-09

Wednesday, September 9th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

InitializeCriticalSectionAndSpinCount (p. 187) - API description: http://msdn.microsoft.com/en-us/library/ms683476(VS.85).aspx

Tricky behaviour of keyed events (p. 188)

0: kd> dt _ETHREAD
nt!_ETHREAD
  +0x000 Tcb : _KTHREAD
  +0x330 CreateTime : _LARGE_INTEGER
  +0x338 ExitTime : _LARGE_INTEGER
  +0x338 KeyedWaitChain : _LIST_ENTRY
  +0x348 ExitStatus : Int4B
  +0x348 OfsChain : Ptr64 Void
  +0x350 PostBlockList : _LIST_ENTRY
  +0x350 ForwardLinkShadow : Ptr64 Void
  +0x358 StartAddress : Ptr64 Void
  +0x360 TerminationPort : Ptr64 _TERMINATION_PORT
  +0x360 ReaperLink : Ptr64 _ETHREAD
  +0x360 KeyedWaitValue : Ptr64 Void
  +0x360 Win32StartParameter : Ptr64 Void
  +0x368 ActiveTimerListLock : Uint8B
  +0x370 ActiveTimerListHead : _LIST_ENTRY
  +0x380 Cid : _CLIENT_ID
  +0x390 KeyedWaitSemaphore : _KSEMAPHORE
  +0x390 AlpcWaitSemaphore : _KSEMAPHORE

Safe and unsafe acquisition of fast and guarded mutexes (p. 189)

Gate primitive as an optimized event (pp. 189 - 190)

Executive resources (pp. 190 - 192) - These objects make analysis of synchronization issues easier because they have an owner thread:

0: kd> dt _ERESOURCE
nt!_ERESOURCE
  +0x000 SystemResourcesList : _LIST_ENTRY
  +0x010 OwnerTable : Ptr64 _OWNER_ENTRY
  +0x018 ActiveCount : Int2B
  +0x01a Flag : Uint2B
  +0x020 SharedWaiters : Ptr64 _KSEMAPHORE
  +0x028 ExclusiveWaiters : Ptr64 _KEVENT
  +0x030 OwnerEntry : _OWNER_ENTRY
  +0x040 ActiveEntries : Uint4B
  +0x044 ContentionCount : Uint4B
  +0x048 NumberOfSharedWaiters : Uint4B
  +0x04c NumberOfExclusiveWaiters : Uint4B
  +0x050 Reserved2 : Ptr64 Void
  +0x058 Address : Ptr64 Void
  +0x058 CreatorBackTraceIndex : Uint8B
  +0x060 SpinLock : Uint8B

0: kd> dt _OWNER_ENTRY
nt!_OWNER_ENTRY
  +0x000 OwnerThread : Uint8B
  +0x008 OwnerCount : Int4B
  +0x008 TableSize : Uint4B

There are some crash dump analysis pattern examples that involve executive resources: Deadlock (executive resources), High Contention (executive resources) and Wait Chain (executive resources).
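Because an ERESOURCE records its owner thread (OwnerEntry / OwnerTable -> OwnerThread) and a ContentionCount, the three patterns above reduce to questions over a waiter-to-owner graph. The Python below is an added example (not from the book or the original post) that works on constructed records, with thread and resource names as labels rather than real dump addresses: a cycle in the graph is the Deadlock pattern, following the graph from one thread is the Wait Chain pattern, and ranking by ContentionCount is the High Contention pattern.

```python
# Constructed records standing in for what you would read off each _ERESOURCE
# (owner threads, exclusive waiters, ContentionCount); names are labels, not addresses.
RESOURCES = [
    {"resource": "R1", "owners": ["T1"], "waiters": ["T2", "T3"], "contention": 412},
    {"resource": "R2", "owners": ["T2"], "waiters": ["T1"], "contention": 37},
    {"resource": "R3", "owners": ["T4", "T5"], "waiters": ["T6"], "contention": 3},  # shared owners
]

def wait_for_graph(resources):
    """Map each waiting thread to the (owner thread, resource) pairs it waits on."""
    graph = {}
    for r in resources:
        for waiter in r["waiters"]:
            graph.setdefault(waiter, []).extend((o, r["resource"]) for o in r["owners"])
    return graph

def find_deadlock(graph):
    """Deadlock pattern: return one cycle of threads (first == last) or None."""
    done, path = set(), []          # done: fully explored threads; path: current DFS path
    def visit(t):
        if t in path:
            return path[path.index(t):] + [t]   # we are waiting on a thread already waiting on us
        if t in done or t not in graph:
            return None                         # explored, or a thread that is not waiting at all
        path.append(t)
        for owner, _res in graph[t]:
            cycle = visit(owner)
            if cycle:
                return cycle
        path.pop()
        done.add(t)
        return None
    return next((c for c in map(visit, list(graph)) if c), None)

def wait_chain(graph, thread):
    """Wait Chain pattern: (waiter, resource, owner) hops until a non-waiting thread or a repeat."""
    steps, seen, cur = [], {thread}, thread
    while graph.get(cur):
        owner, res = graph[cur][0]      # follow the first owner; shared resources have several
        steps.append((cur, res, owner))
        if owner in seen:
            break                       # the chain closes on itself: a deadlock
        seen.add(owner)
        cur = owner
    return steps

def high_contention(resources, threshold):
    """High Contention pattern: resources whose ContentionCount is at or above threshold, busiest first."""
    return [r["resource"] for r in sorted(resources, key=lambda r: -r["contention"])
            if r["contention"] >= threshold]
```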

Pushlocks are built on gates, are pointer-sized and have shared/exclusive modes (p. 192)

Lock convoys (p. 193) - This article explains them using critical section example: http://en.wikipedia.org/wiki/Lock_convoy

Shared vs. exclusive use of user mode critical sections (pp. 194 - 195)

Condition variables (p. 195) - New in Vista and W2K8. MSDN example of usage: http://msdn.microsoft.com/en-us/library/ms682052(VS.85).aspx. So it seems (if I understand it correctly) that Windows implemented the Monitor concept at OS level. I’m not accustomed to thinking in “high-level” monitor terms when designing concurrency on Windows, although it is a natural concept in Java. Even when I was programming in Java in the past I was thinking in Windows primitives.

SRW (Slim Reader Writer) Locks to replace critical sections in user mode (p. 196) - Looks like they are new to Vista and W2K8

SRW + condition variable as ideal combination (p. 196)

- Dmitry Vostokov @ SoftwareGeneralist.com -