Debugging TV Frame 0x06
0 likes98 views
The document focuses on advanced debugging techniques using Windbg, covering topics such as value passing, register reuse, and breakpoint execution commands. It provides detailed examples of command usage for inspecting messages and managing events in Windows applications. Additionally, it includes information on training sessions for memory dump analysis scheduled for January 2012.
![0:000> ub 00000000`ff2d1064
notepad!WinMain+0xf5:
[...]
00000000`ff2d1051 488d4c2440 lea rcx,[rsp+40h]
00000000`ff2d1056 4533c9 xor r9d,r9d
00000000`ff2d1059 4533c0 xor r8d,r8d
00000000`ff2d105c 33d2 xor edx,edx
00000000`ff2d105e ff1524b40000 call qword ptr [notepad!_imp_GetMessageW (...)] * bp 0
0:000> u 00000000`ff2d1064
notepad!WinMain+0x182:
00000000`ff2d1064 413bc4 cmp eax,r12d * bp 1
00000000`ff2d1067 0f84b2060000 je notepad!WinMain+0x18b (00000000`ff2d171f)
[...]
0:000> bl
0 e 00000000`ff2d105e 0001 (0001) 0:**** notepad!WinMain+0x17c "r $t0 = rcx; g"
1 e 00000000`ff2d1064 0001 (0001) 0:**** notepad!WinMain+0x182 ".printf "hwnd: %p message: %p
wParam: %p lParam: %p", poi(@$t0), poi(@$t0+@$ptrsize), poi(@$t0+2*@$ptrsize),
poi(@$t0+3*@$ptrsize); .echo; g"
Event State Management
© 2012 DumpAnalysis.org + TraceAnalysis.org](https://image.slidesharecdn.com/debuggingtvframe0x06-171020145113/85/Debugging-TV-Frame-0x06-5-320.jpg)
Debugging TV Frame 0x06
- 1. Frame 0x06 Presenter: Dmitry Vostokov Sponsors Debugging.TV
- 2. • Value passing and register reuse • Breakpoint execution commands • WinDbg pseudo-registers and scripting • Passing data between breakpoints • Platform independent commands • Logging window messages • Module load events Topics © 2012 DumpAnalysis.org + TraceAnalysis.org
- 3. BOOL WINAPI GetMessage ( __out LPMSG lpMsg, // RCX __in_opt HWND hWnd, // RDX __in UINT wMsgFilterMin, // R8d __in UINT wMsgFilterMax // R9d ); GetMessage © 2012 DumpAnalysis.org + TraceAnalysis.org
- 4. typedef struct tagMSG { HWND hwnd; // 64 UINT message; // 64 WPARAM wParam; // 64 LPARAM lParam; // 64 DWORD time; // 32 POINT pt; // 32, 32 } MSG, *PMSG, *LPMSG; MSG © 2012 DumpAnalysis.org + TraceAnalysis.org
- 5. 0:000> ub 00000000`ff2d1064 notepad!WinMain+0xf5: [...] 00000000`ff2d1051 488d4c2440 lea rcx,[rsp+40h] 00000000`ff2d1056 4533c9 xor r9d,r9d 00000000`ff2d1059 4533c0 xor r8d,r8d 00000000`ff2d105c 33d2 xor edx,edx 00000000`ff2d105e ff1524b40000 call qword ptr [notepad!_imp_GetMessageW (...)] * bp 0 0:000> u 00000000`ff2d1064 notepad!WinMain+0x182: 00000000`ff2d1064 413bc4 cmp eax,r12d * bp 1 00000000`ff2d1067 0f84b2060000 je notepad!WinMain+0x18b (00000000`ff2d171f) [...] 0:000> bl 0 e 00000000`ff2d105e 0001 (0001) 0:**** notepad!WinMain+0x17c "r $t0 = rcx; g" 1 e 00000000`ff2d1064 0001 (0001) 0:**** notepad!WinMain+0x182 ".printf "hwnd: %p message: %p wParam: %p lParam: %p", poi(@$t0), poi(@$t0+@$ptrsize), poi(@$t0+2*@$ptrsize), poi(@$t0+3*@$ptrsize); .echo; g" Event State Management © 2012 DumpAnalysis.org + TraceAnalysis.org
- 6. .logopen kv u ub bp bl g r dp Commands and pseudo-registers © 2012 DumpAnalysis.org + TraceAnalysis.org .printf .echo poi $t0 $ptrsize bc dd .logclose
- 7. !Ad Hardcore Technical Support Training © 2012 DumpAnalysis.org + TraceAnalysis.org Advanced Windows Memory Dump Analysis Accelerated Windows Memory Dump AnalysisJanuary 18-23, 2012: January 13, 2012: Training Schedule Accelerated .NET Memory Dump AnalysisJanuary 26-27, 2012:
- 8. Debugging.TV