
Debugging Tools for Windows

I am almost ready to publish the final tutorial on using SSH tunnels from a TrueCrypt partition on a Windows machine. Of course I chose to go way overboard in my research, and the tutorial is full of some pretty awesome Windows tricks. I will come back to this post soon and post all the other advanced tools I use for debugging Windows; for now, though, you MUST know how to debug the kernel and use these basic debugging tools.

Target Computer and Host Computer
Kernel-mode debugging requires a target computer and a host computer. The target computer is used to run the kernel-mode application. The host computer is used to run the debugger. The following diagram shows the typical Microsoft Windows setup that you can use to perform kernel debugging and diagnose system failures.

[Figure: Typical Windows debugging setup]

This diagram shows the typical setup. However, the current versions of KD and WinDbg (which you installed with this documentation) are flexible. KD and WinDbg can do the following:
  • Debug a target computer that is running Windows.
  • Debug a target computer that is running on an x86-based platform, an Itanium-based platform, or an x64-based platform.
  • Can be started from a host computer that is running Windows.
  • Can be started from a host computer that is on an x86-based platform, an Itanium-based platform, or an x64-based platform.
The target computer and host computer do not have to use the same platform or the same version of Windows. Kernel debugging does not require specific combinations of the free or checked builds. You can debug a free system from a free or checked system, and you can debug a checked system from a free or checked system. However, typically, there is no reason for the host computer to run the slower checked build.

Note: If you are running the debuggers from an Itanium-based host computer, make sure that you are using the correct version of the binaries. For more information about which version of the debugger package to use, see Choosing a 32-bit or 64-bit Debugger Package.
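The two-machine setup just described, written out as an added example (this is not code from the original page or from Microsoft's documentation). It assumes a lab where the target is a VM whose virtual COM1 is exposed to the host as the named pipe \\.\pipe\kd_lab, 115200 baud, and a local downstream symbol store at C:\Symbols; the `check` role is the read-back a defender runs to confirm kernel debugging is off on machines that are not lab targets.

```powershell
# Added example: minimal host/target kernel-debugging setup with KD.
# Assumptions (adjust for your lab): target serial port COM1 at 115200 baud,
# surfaced on the host as the named pipe \\.\pipe\kd_lab; local symbol
# cache C:\Symbols. Run -Role target as Administrator on the machine being
# debugged, -Role host on the machine running KD/WinDbg, -Role check anywhere.

param([ValidateSet('target', 'host', 'check')][string]$Role = 'check')

$PipeName  = '\\.\pipe\kd_lab'                              # assumed pipe name
$SymCache  = 'C:\Symbols'                                   # assumed downstream store
$SymServer = 'https://msdl.microsoft.com/download/symbols'  # Microsoft public symbol server

switch ($Role) {
  'target' {
    # Enable the kernel-debugger transport in the boot configuration.
    # Nothing changes until the target is rebooted; with /debug on the
    # target waits for the host at boot.
    bcdedit /dbgsettings serial debugport:1 baudrate:115200
    bcdedit /debug on
    Write-Host 'Reboot the target to start waiting for the host debugger.'
  }
  'host' {
    # SymSrv reads _NT_SYMBOL_PATH in the form srv*<downstream store>*<upstream server>.
    $env:_NT_SYMBOL_PATH = "srv*$SymCache*$SymServer"
    # Attach KD over the pipe; substitute windbg.exe for the graphical counterpart.
    # resets=0 and reconnect keep the session alive across target reboots.
    kd -k "com:pipe,port=$PipeName,resets=0,reconnect"
  }
  'check' {
    # Read back the current boot entry: the "debug" line is "Yes" when kernel
    # debugging is enabled. Braces are quoted so PowerShell does not treat
    # {current} as a script block.
    $entry = bcdedit /enum '{current}' | Out-String
    if ($entry -match '(?m)^debug\s+Yes') {
      Write-Warning 'Kernel debugging is ENABLED in the current boot entry.'
    } else {
      Write-Host 'Kernel debugging is not enabled in the current boot entry.'
    }
    bcdedit /dbgsettings   # shows the configured transport (serial/1394/...)
  }
}
```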
List of Tools and Documentation
Microsoft Debugging Tools for Windows includes a number of debuggers and other tools. Some of them are described in this documentation, and others are described elsewhere. The following list briefly describes each tool and where its documentation can be found.

Debuggers

Debugging Tools for Windows includes the following debuggers. These are described throughout this documentation, and are referred to by their individual names or collectively as "the debugger":
WinDbg (Windbg.exe)
A user-mode and kernel-mode debugger with a graphical interface.
KD (Kd.exe)
A kernel-mode debugger with a console interface.
CDB (Cdb.exe)
A user-mode debugger with a console interface.
NTSD (Ntsd.exe)
A user-mode debugger with a console interface. CDB and NTSD are virtually identical. In this documentation, whenever a reference is made to "CDB", it applies to both CDB and NTSD. When these two debuggers differ, it is noted. (See CDB and NTSD for details.)

Debugging Tools for Windows - Overview

You can use Debugging Tools for Windows to debug drivers, applications, and services on systems that are running Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows 7. You can also use Debugging Tools for Windows to debug the operating system itself. Versions of the Debugging Tools for Windows package are available for 32-bit x86, native Intel Itanium, and native x64 platforms. The latest release of Debugging Tools for Windows is available as part of the Windows Driver Kit (WDK).

Note: If you have a system with a 64-bit processor and you are debugging an application on it, you must use one of the native 64-bit packages.

Additional Tools and Utilities

Debugging Tools for Windows also includes the following tools and utilities:
Logger (Logger.exe and Logexts.dll)
A tool and an extension DLL that record the function calls and other actions of a program. Logger is described in this documentation; see Logger and LogViewer.
LogViewer (Logviewer.exe)
A tool that displays the logs created by Logger. LogViewer is described in this documentation; see Logger and LogViewer.
ADPlus (Autodump+, Adplus.vbs)
A console-based Microsoft Visual Basic script that can automatically create memory dump files and log files with debug output from one or more processes. ADPlus is described in this documentation; see ADPlus.
DbgRpc (Dbgrpc.exe)
A tool used to display Microsoft Remote Procedure Call (RPC) state information. DbgRpc is described in this documentation; see RPC Debugging and Using the DbgRpc Tool.
KDbgCtrl (Kernel Debugging Control, Kdbgctrl.exe)
A tool that controls and configures the kernel debugging connection. KDbgCtrl is described in this documentation; see Using KDbgCtrl.
SrcSrv (Srcsrv.dll)
A source server that can be used to deliver source files while debugging. SrcSrv is described in this documentation; see SrcSrv.
SymSrv (Symsrv.dll)
A symbol server that the debugger can use to connect to a symbol store. SymSrv is described in this documentation; see SymSrv.
SymStore (Symstore.exe)
A tool used to create a symbol store. SymStore is described in this documentation; see Using SymStore.
SymProxy
A tool used to create a single HTTP symbol server on your network that all your debuggers can point to. This has the benefit of pointing to multiple symbol servers (both internal and external) with a single symbol path, handling all authentication, and increasing performance via symbol caching. SymProxy is described in this documentation; see SymProxy.
AgeStore (Agestore.exe)
A tool that removes old entries in the downstream store of a symbol server or a source server. AgeStore is described in this documentation; see AgeStore.
DBH (Dbh.exe)
A tool that displays information about the contents of a symbol file. DBH is described in this documentation; see DBH.
PDBCopy (Pdbcopy.exe)
A tool that removes private symbol information from a symbol file, and controls which public symbols are included in the file. PDBCopy is described in this documentation; see PDBCopy.
DumpChk (Dump File Checking Utility, Dumpchk.exe)
A tool used to validate a memory dump file. DumpChk is described in this documentation; see DumpChk.
DbgSrv (Dbgsrv.exe)
A process server used for remote debugging. DbgSrv is described in this documentation; see Process Servers (User Mode).
KdSrv (Kdsrv.exe)
A KD connection server used for remote debugging. KDSrv is described in this documentation; see KD Connection Servers (Kernel Mode).
DbEngPrx (Dbengprx.exe)
A repeater (small proxy server) used for remote debugging. DbEngPrx is described in this documentation; see Repeaters.
The Remote tool (Remote.exe)
A remoting tool that can be used to remotely control any console program, including KD, CDB, and NTSD. The Remote tool is described in this documentation; see Remote Tool and Remote Debugging Through Remote.exe.
GFlags (Global Flags Editor, Gflags.exe)
A tool used to control registry keys and other settings. GFlags is described in this documentation; see GFlags.
The Kill tool (Kill.exe)
A tool used to terminate a process. The Kill tool is described in this documentation; see Kill Tool.
The Breakin tool (Breakin.exe)
A tool used to cause a user-mode break to occur in a process. Breakin.exe is not described in this documentation. Use the breakin /? command for help with this tool.
The List tool (File List Utility, List.exe)
List.exe is not described in this documentation. Use the list /? command for help with this tool.
TList (Task List Viewer, Tlist.exe)
A tool used to list all running processes. TList is described in this documentation; see TList.
RTList (Remote Task List Viewer, Rtlist.exe)
A tool used to list running processes via a DbgSrv process server. RTList is not described in this documentation. Use the rtlist /? command for help with this tool.
UMDH (User-Mode Dump Heap utility, Umdh.exe)
A tool used to analyze heap allocations. UMDH is described in this documentation; see UMDH.
USBView (Universal Serial Bus Viewer, Usbview.exe)
A tool used to display the USB devices connected to a computer. USBView is described in this documentation; see USBView.
If you perform a custom install of Debugging Tools for Windows and select the SDK feature and all of its subfeatures, the libraries, headers, and samples used to build debugger extensions will be installed.

Documentation

"Debugging Tools for Windows" (Debugger.chm)
This is the documentation you are currently reading. It is the central documentation for Debugging Tools for Windows.
"Debug Help Library" (Dbghelp.chm)
This documentation describes the DbgHelp API and the ImageHlp API, and also explains how to create your own symbol server. This is installed when you perform a custom install of Debugging Tools for Windows and select the SDK feature and its subfeatures.

Tools Outside the Debugging Tools for Windows Package

The following related tools are not part of the Debugging Tools for Windows package:
Dr. Watson (Drwtsn32.exe)
A tool used for automatically creating dump files and sending error reports to Microsoft Online Crash Analysis (OCA). Dr. Watson is partially described in this documentation; see Dr. Watson. The other features of Dr. Watson are described in the help file associated with drwtsn32.exe.
Build utility (Build.exe)
A compiler and linker used to build debugger extensions and other programs. The Build utility and its documentation can be found in the Windows Driver Kit, and in earlier versions of the Windows DDK.
BinPlace (Binplace.exe)
A tool used to control symbol files for build products. BinPlace and its documentation can be found in the Windows Driver Kit, and in earlier versions of the Windows DDK.
Application Verifier (AppVerif.exe and !avrf)
A tool used to test user-mode applications. This tool consists of two components: the AppVerif.exe utility and the !avrf extension command. All the features of Application Verifier that are debugger-related are described in Application Verifier. The other features of Application Verifier are described in the help file associated with AppVerif.exe.
WinDbg
Microsoft Windows Debugger (WinDbg) is a powerful Windows-based debugging tool. It is capable of both user-mode and kernel-mode debugging. WinDbg provides full source-level debugging for the Windows kernel, kernel-mode drivers, and system services, as well as user-mode applications and drivers. WinDbg uses the Microsoft Visual Studio debug symbol formats for source-level debugging. It can access any symbol or variable from a module that has PDB symbol files, and can access any public function's name that is exposed by modules that were compiled with COFF symbol files (such as Windows .dbg files). WinDbg can view source code, set breakpoints, view variables (including C++ objects), stack traces, and memory. Its Debugger Command window allows the user to issue a wide variety of commands. For kernel-mode debugging, WinDbg requires two machines (the host computer and the target computer). Kernel debugging is only supported on NT-based Windows operating systems. WinDbg also supports various remote debugging options for both user-mode and kernel-mode targets. WinDbg is the graphical-interface counterpart to CDB / NTSD and to KD.
KD
Microsoft Kernel Debugger (KD) is a character-based console program that enables in-depth analysis of kernel-mode activity on all NT-based operating systems. KD can be used to debug kernel-mode programs and drivers, or to monitor the behavior of the operating system itself. KD also supports multiprocessor debugging. Typically, the KD tool will not be run on the computer being debugged. Two machines (the host computer and the target computer) are needed for kernel-mode debugging. Most KD commands cannot be targeted to specific processes or threads, as they can in CDB, NTSD, and WinDbg.

Debugging different target platforms

KD is capable of debugging a target computer which is running on an x86, Itanium, or x64 platform. The debugger will automatically detect the platform on which the target is running. You do not need to specify the target on the KD command line. The older syntax (using the name I386KD or IA64KD) is obsolete.
CDB and NTSD
CDB and NTSD are console applications which can debug user-mode programs. These two debuggers are nearly identical, except in the manner in which they are launched. This documentation will use "CDB" when referring to the capabilities of both CDB and NTSD. Except as noted, all references to CDB in this documentation apply equally to NTSD. There are a few techniques that can only work properly with CDB, or can only work properly with NTSD. These differences are documented in the appropriate sections.

CDB

Microsoft Console Debugger (CDB) is a character-based console program that enables low-level analysis of Windows user-mode memory and constructs. CDB is extremely powerful for debugging a program that is currently running or has recently crashed ("live analysis"), yet simple to set up. It can be used to investigate the behavior of a working application. In the case of a failing application, CDB can be used to obtain a stack trace or to look at the guilty parameters. It works well across a network (using a remote access server), as it is character-based.

With CDB, you can display and execute program code, set breakpoints, and examine and change values in memory. CDB can analyze binary code by "disassembling" it and displaying assembly instructions. It can also analyze source code directly. Because CDB can access memory locations through addresses or global symbols, you can refer to data and instructions by name rather than by address, making it easy to locate and debug specific sections of code. You can also display disassembled machine code. CDB supports debugging multiple threads and processes. It is extensible, and can read and write both paged and non-paged memory.

If the target application is itself a console application, the target will share the console window with CDB. To spawn a separate console window for a target console application, use the -2 command-line option.

NTSD

There is a variation of the CDB debugger named Microsoft NT Symbolic Debugger (NTSD). It is identical to CDB in every way, except that it spawns a new text window when it is started, whereas CDB inherits the Command Prompt window from which it was invoked. Like CDB, NTSD is fully capable of debugging both console applications and graphical Windows programs. (The name "Console Debugger" is used to indicate the fact that CDB is classified as a console application; it does not imply that the target application must be a console application.) Since the start command can also be used to spawn a new console window, the following two constructions will give the same results:

    start cdb parameters
    ntsd parameters

NTSD in the System32 Directory

Whereas CDB is only available as part of the Debugging Tools for Windows package, NTSD is available both in this package and as part of the Windows system itself. It can be found in the system32 directory of Windows. If you are planning on using the NTSD that appears in the system32 directory, there are two important facts you should be aware of: To avoid these issues, it is recommended that you use only the version of NTSD or CDB that was installed as part of the Debugging Tools for Windows package.

Controlling CDB or NTSD from the Kernel Debugger

It is possible to redirect the input and output from CDB or NTSD so that it can be controlled from a kernel debugger (either KD or WinDbg). If this technique is used with CDB, the CDB window will appear but will not be useable for input and output. If this is used with NTSD, no console window will appear at all. Controlling NTSD from the kernel debugger is therefore especially useful, since it results in an extremely light-weight debugger that places almost no burden on the computer containing the target application. This combination can be used to debug system processes, shutdown, and the later stages of boot up. See Controlling the User-Mode Debugger from the Kernel Debugger for details.
