Debugging TV Frame 0x07
0 likes72 views
The document outlines techniques for detecting corruption in executable modules using tools like kd. It discusses the importance of image paths for module analysis and error handling when images are not found. Additionally, it provides commands and options for analyzing dump files and monitoring modules during debugging sessions.
![1: kd> !chkimg -d -v nt
Searching for module with expression: nt
Unable to open image file: C:Program Files (x86)Debugging Tools for Windows
(x86)symntkrpamp.exe4549AE003a1000ntkrpamp.exe
The system cannot find the file specified.
Error for nt: Could not find image file for the module. Make sure binaries are included in the symbol path.
1: kd> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: SRV*c:mss*http://msdl.microsoft.com/download/symbols
1: kd> .exepath+ SRV*c:mss*http://msdl.microsoft.com/download/symbols
Executable image search path is: SRV*c:mss*http://msdl.microsoft.com/download/symbols
Expanded Executable image search path is: srv*c:mss*http://msdl.microsoft.com/download/symbols
1: kd> !chkimg -d -v nt
[...]
Scanning section: .text
Size: 936109
Range to scan: 81801000-818e58ad
81854019 - nt!PsGetCurrentProcess
[ 64:24 ]
Total bytes compared: 936109(100%)
Number of errors: 1
[...]
Checking an Image
© 2012 DumpAnalysis.org + TraceAnalysis.org](https://image.slidesharecdn.com/debuggingtvframe0x07-171020145759/85/Debugging-TV-Frame-0x07-3-320.jpg)
![1: kd> !for_each_module al
Alias Value
------- -------
$CurrentDumpArchiveFile
$CurrentDumpArchivePath
$CurrentDumpFile K:AWMDA-Dumps32-bitKernelMEMORY-CodeOverwrite.DMP
$CurrentDumpPath K:AWMDA-Dumps32-bitKernel
$lowrite C:UsersAdministratorAppDataLocalTempLow
$ntdllnsym
$ntdllsym
$ntdllwsym
$ntnsym nt
$ntsym nt
$ntwsym
$tmpwrite C:UsersADMINI~1AppDataLocalTemp
@#Base 80200000
@#Checksum 0000a38f
@#End 8020a000
@#FileDescription
@#FileVersion
@#Flags 00000004
@#ImageName SystemRootsystem32DRIVERSBATTC.SYS
@#ImageNameSize 00000027
@#LoadedImageName
@#LoadedImageNameSize 00000001
@#MappedImageName
@#MappedImageNameSize 00000001
@#ModuleIndex 00
@#ModuleName BATTC
@#ModuleNameSize 00000006
@#ProductVersion
@#Size 0000a000
@#SymbolFileName BATTC.SYS
@#SymbolFileNameSize 0000000a
@#SymbolType 5
@#TimeDateStamp 4549adb4
[...]
Aliases
© 2012 DumpAnalysis.org + TraceAnalysis.org](https://image.slidesharecdn.com/debuggingtvframe0x07-171020145759/85/Debugging-TV-Frame-0x07-4-320.jpg)
![1: kd> !for_each_module -d -v @#ModuleName
[...]
Searching for module with expression: nt
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:Program Files (x86)Debugging Tools for Windows (x86)symntkrpamp.exe4549AE003a1000ntkrpamp.exe
No range specified
Scanning section: .text
Size: 936109
Range to scan: 81801000-818e58ad
81854019 - nt!PsGetCurrentProcess
[ 64:24 ]
Total bytes compared: 936109(100%)
Number of errors: 1
[...]
Checking All Modules
© 2012 DumpAnalysis.org + TraceAnalysis.org](https://image.slidesharecdn.com/debuggingtvframe0x07-171020145759/85/Debugging-TV-Frame-0x07-5-320.jpg)
Debugging TV Frame 0x07
- 1. Frame 0x07 Presenter: Dmitry Vostokov Sponsors Debugging.TV
- 2. • Detecting corruption in executable modules • Aliases • Image paths • Troubleshoting image path problems • When we need image paths? Topics © 2012 DumpAnalysis.org + TraceAnalysis.org
- 3. 1: kd> !chkimg -d -v nt Searching for module with expression: nt Unable to open image file: C:Program Files (x86)Debugging Tools for Windows (x86)symntkrpamp.exe4549AE003a1000ntkrpamp.exe The system cannot find the file specified. Error for nt: Could not find image file for the module. Make sure binaries are included in the symbol path. 1: kd> .sympath Symbol search path is: srv* Expanded Symbol search path is: SRV*c:mss*http://msdl.microsoft.com/download/symbols 1: kd> .exepath+ SRV*c:mss*http://msdl.microsoft.com/download/symbols Executable image search path is: SRV*c:mss*http://msdl.microsoft.com/download/symbols Expanded Executable image search path is: srv*c:mss*http://msdl.microsoft.com/download/symbols 1: kd> !chkimg -d -v nt [...] Scanning section: .text Size: 936109 Range to scan: 81801000-818e58ad 81854019 - nt!PsGetCurrentProcess [ 64:24 ] Total bytes compared: 936109(100%) Number of errors: 1 [...] Checking an Image © 2012 DumpAnalysis.org + TraceAnalysis.org
- 4. 1: kd> !for_each_module al Alias Value ------- ------- $CurrentDumpArchiveFile $CurrentDumpArchivePath $CurrentDumpFile K:AWMDA-Dumps32-bitKernelMEMORY-CodeOverwrite.DMP $CurrentDumpPath K:AWMDA-Dumps32-bitKernel $lowrite C:UsersAdministratorAppDataLocalTempLow $ntdllnsym $ntdllsym $ntdllwsym $ntnsym nt $ntsym nt $ntwsym $tmpwrite C:UsersADMINI~1AppDataLocalTemp @#Base 80200000 @#Checksum 0000a38f @#End 8020a000 @#FileDescription @#FileVersion @#Flags 00000004 @#ImageName SystemRootsystem32DRIVERSBATTC.SYS @#ImageNameSize 00000027 @#LoadedImageName @#LoadedImageNameSize 00000001 @#MappedImageName @#MappedImageNameSize 00000001 @#ModuleIndex 00 @#ModuleName BATTC @#ModuleNameSize 00000006 @#ProductVersion @#Size 0000a000 @#SymbolFileName BATTC.SYS @#SymbolFileNameSize 0000000a @#SymbolType 5 @#TimeDateStamp 4549adb4 [...] Aliases © 2012 DumpAnalysis.org + TraceAnalysis.org
- 5. 1: kd> !for_each_module -d -v @#ModuleName [...] Searching for module with expression: nt Will apply relocation fixups to file used for comparison Will ignore NOP/LOCK errors Will ignore patched instructions Image specific ignores will be applied Comparison image path: C:Program Files (x86)Debugging Tools for Windows (x86)symntkrpamp.exe4549AE003a1000ntkrpamp.exe No range specified Scanning section: .text Size: 936109 Range to scan: 81801000-818e58ad 81854019 - nt!PsGetCurrentProcess [ 64:24 ] Total bytes compared: 936109(100%) Number of errors: 1 [...] Checking All Modules © 2012 DumpAnalysis.org + TraceAnalysis.org
- 6. .exepath !for_each_module al Commands and Aliases © 2012 DumpAnalysis.org + TraceAnalysis.org !chkimg @#ModuleName .sympath
- 7. !Ad Hardcore Technical Support Training © 2012 DumpAnalysis.org + TraceAnalysis.org Advanced Windows Memory Dump Analysis Accelerated Windows Memory Dump AnalysisApril 11-16, 2012: April 20-23, 2012: Training Schedule Accelerated Software Trace AnalysisApril 27-30, 2012: Accelerated Mac OS X Core Dump AnalysisForthcoming:
- 8. Debugging.TV