SlideShare a Scribd company logo

Swug July 2010 - windows debugging by sainath

Download as PPT, PDF
D
Dennis Chung

The document provides an overview of basic debugging terms and tools like process, thread, registers, exceptions, memory dumps, and AdPlus. It discusses setting up a debugger, understanding assembly code, using important CPU registers and variables, reading memory types, and examining stacks. The document also asks questions to check understanding of debugging concepts.

Technology
1 of 27
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Sainath BT Frontline [email_address] MVP – Active Directory Microsoft Technet Moderator – Win2k8 , Networking Microsoft Technet Magazine – Author Microsoft Speaker – SWUG
Windows Debugging
Basic Terms Process Thread User mode Kernel mode Call stack Register Exception
Basic Terms IRQL Interrupt Free Build Check Build Paging Non paged pool Paged pool
Basic Terms Complete Memory Dump HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl CrashDumpEnabled REG_DWORD 0x0 = None CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64KB)
ASK A QUESTION TO PROCEED 
Debugger Installation Setup Http://www.microsoft.com/ddk/debugging Symbol file public symbols – global variables, FPO private symbols – local symbol, global var
Debugger Setup Problem with Symbol File ERROR: Symbol file could not be found. Defaulted to export symbols for <xxx.exe> Solution Check for the symbol file path Use .reload command
AdPlus Tool User mode debugging tool Produces memory dumps of an application and processes -notify switch notifies user using live messenger You Cannot Debug startup applications Programs generating lot of debug information
AdPlus Tool Adplus Modes Hang Mode Crash Mode First chance exception second chance exception
AdPlus Tool Command Line Switches Adplus –help Adplus –hang Adplus –crash Adplus –pn Adplus –iis
AdPlus Tool Demo 1 Adplus hang dump Adplus crah dump Configuring symbols Dumping process Analyzing dump
Understanding Assembly c pgm void main() { int x =10; int y = 20; x= 30; y = 40 ; Printf(&quot;value of x is %d \n&quot;, x); }
Understanding Assembly Important Note : CPU registers and Variables are different in assembly but serve similar purpose 12 Major CPU registers AX, BX, CX, DX, SI, DI, CS , IP etc.. Declaring variables : X dw 10; Y dw 20 ;
Understanding Assembly Assembly Mov [x], 10 Mov [y], 20 Windbg Mov dword ptr [ saiprj!x (0a003456) ], 10
Assembly Continued Writing data to registers Mov eax, 15 Mov eax, [x] Windbg mov eax, [saipgm!x (a0302934)]
Assembly Continued C program Int b = 10; Int a = 20 ; B = b+a ; Assembly mov eax , b Add [a], eax Windbg Mov eax, [saipgm!b ( a0308923)] Add [saipgm!a (02342343)], eax
Assembly Continued Mov [x], 1 Mov [y], 1 Mov eax, [x] Add [b], eax Inc eax What is the output ???
Registers Registers are small storage units generally 32 or 64bit wide Registers are always accessed using names Wrong data in the registers are source of bug R command to display registers
Registers Deep Dive EAX = contains return values EBX ECX = contains loop counter info EDX EIP = points to next instruction to be executed ESP = Stack pointer , points to top of stack.
Registers Deep Dive EBP = Base pointer / Stack Frame Pointer EBP will be set before function is called
Reading Memory Variable Types Local variables Global variables Strings Unicode Arrays constants.
Reading Memory D DD – display memory 32 bits Dw – display as words ( 16 bits ) DT – display type Example: Eg: dt nt!<function name> dt yourexe!<function name>
Stacks Program 1 function 1 function 2 program 2 calling function 1 (assigns stack ) return ( clears stack ) calling function 2
Stacks Continued Every thread has 2 stacks User Mode 1 MB Kernel Mode 12 KB When ever a function is called you see a return instruction.
Deep Dive Stacks. Dd esp 0012fe6c 004113e0 00000005 0000000a 0127f558 0012fe7c 007dca76 7ffd8000 cccccccc cccccccc 004113e0 = return address 00000005 = argument 1 0000000a = argument 2
Questions Please 

More Related Content

PDF
Make A Shoot ‘Em Up Game with Amethyst Framework
Yodalee
 
PDF
Introduction to nand2 tetris
Yodalee
 
PDF
Gameboy emulator in rust and web assembly
Yodalee
 
PDF
GLX, DRI, and i965
Chia-I Wu
 
PDF
OSTEP Chapter2 Introduction
Shuya Osaki
 
PDF
Linux fundamental - Chap 00 shell
Kenny (netman)
 
PDF
Building Network Functions with eBPF & BCC
Kernel TLV
 
PDF
Java JVM Memory Cheat Sheet
Mark Papis
 
Make A Shoot ‘Em Up Game with Amethyst Framework
Yodalee
 
Introduction to nand2 tetris
Yodalee
 
Gameboy emulator in rust and web assembly
Yodalee
 
GLX, DRI, and i965
Chia-I Wu
 
OSTEP Chapter2 Introduction
Shuya Osaki
 
Linux fundamental - Chap 00 shell
Kenny (netman)
 
Building Network Functions with eBPF & BCC
Kernel TLV
 
Java JVM Memory Cheat Sheet
Mark Papis
 

What's hot (20)

PPTX
Mysql5.1 character set testing
Philip Zhong
 
PDF
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
OdessaJS Conf
 
PPTX
Compare mysql5.1.50 mysql5.5.8
Philip Zhong
 
PPTX
Mysql handle socket
Philip Zhong
 
PDF
37562259 top-consuming-process
skumner
 
PDF
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"
OdessaJS Conf
 
PDF
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
Cyber Security Alliance
 
PPTX
Segmentation Faults, Page Faults, Processes, Threads, and Tasks
David Evans
 
PDF
Preparation for mit ose lab4
Benux Wei
 
ODP
Java 7 new features
Aliaksandr Kazlou
 
PPTX
Making a Process (Virtualizing Memory)
David Evans
 
DOC
100 comment win xp
Nie Andini
 
PDF
ch6-pv2-device-drivers
yushiang fu
 
PDF
Linux fundamental - Chap 05 filter
Kenny (netman)
 
PPTX
System Calls
David Evans
 
PPTX
We Love Performance! How Tic Toc Games Uses ECS in Mobile Puzzle Games
Unity Technologies
 
PDF
Taipei.py 2018 - Control device via ioctl from Python
Hua Chu
 
PDF
A CTF Hackers Toolbox
Stefan
 
PDF
Tracer Evaluation
Qiao Han
 
PPTX
MongoDB 2.8 Replication Internals: Fitting it all together
Scott Hernandez
 
Mysql5.1 character set testing
Philip Zhong
 
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
OdessaJS Conf
 
Compare mysql5.1.50 mysql5.5.8
Philip Zhong
 
Mysql handle socket
Philip Zhong
 
37562259 top-consuming-process
skumner
 
Yurii Shevtsov "V8 + libuv = Node.js. Under the hood"
OdessaJS Conf
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
Cyber Security Alliance
 
Segmentation Faults, Page Faults, Processes, Threads, and Tasks
David Evans
 
Preparation for mit ose lab4
Benux Wei
 
Java 7 new features
Aliaksandr Kazlou
 
Making a Process (Virtualizing Memory)
David Evans
 
100 comment win xp
Nie Andini
 
ch6-pv2-device-drivers
yushiang fu
 
Linux fundamental - Chap 05 filter
Kenny (netman)
 
System Calls
David Evans
 
We Love Performance! How Tic Toc Games Uses ECS in Mobile Puzzle Games
Unity Technologies
 
Taipei.py 2018 - Control device via ioctl from Python
Hua Chu
 
A CTF Hackers Toolbox
Stefan
 
Tracer Evaluation
Qiao Han
 
MongoDB 2.8 Replication Internals: Fitting it all together
Scott Hernandez
 
Ad

Viewers also liked (20)

PDF
I talk3
Takashi Masuda
 
PDF
Culinaria para uma boa saude
barbiebruxadoleste
 
PPSX
Bronk ppshow
guestb8609
 
PPT
Lu isfer
LuisFer2010
 
DOC
Rajeev_CV
rajeevps
 
PPTX
New microsoft office power point presentation
Karl Daniel, M.D.
 
PDF
5 Steps to Secure Google Drive
Datto
 
PPTX
19 Luglio 2013 - Il futuro della TV - Marco Cantamessa - I3P
CSP Scarl
 
PPT
Mentors
Grintex India Ltd
 
PDF
Powerbreathe - Final Presentation
Leo Cheng
 
PDF
Svea piemonte regional_analysis_report
CSP Scarl
 
PDF
Event driven actors - lessons learned
Rick van der Arend
 
PPTX
Marketing On The Internet
Jeremy Schneider
 
PPT
Radisson Hotel Whittier Feb2010 Powerpoints
tstyoung
 
DOC
Xampp
Reno Bastian Syah
 
PPT
Apd 2
Karl Daniel, M.D.
 
PPTX
Uncover opportunities i
Todd Alan Sloane, MSEd - Protean Trainer and Coach
 
PDF
e-Commerce are you there?
Shay Rosen (שי רוזן)
 
PDF
Csp@scuola uav corso1_lez2
CSP Scarl
 
PDF
The Wizards Behind Google Apps: 11 Google Apps Setup Tips for Admins by Admins
Datto
 
I talk3
Takashi Masuda
 
Culinaria para uma boa saude
barbiebruxadoleste
 
Bronk ppshow
guestb8609
 
Lu isfer
LuisFer2010
 
Rajeev_CV
rajeevps
 
New microsoft office power point presentation
Karl Daniel, M.D.
 
5 Steps to Secure Google Drive
Datto
 
19 Luglio 2013 - Il futuro della TV - Marco Cantamessa - I3P
CSP Scarl
 
Mentors
Grintex India Ltd
 
Powerbreathe - Final Presentation
Leo Cheng
 
Svea piemonte regional_analysis_report
CSP Scarl
 
Event driven actors - lessons learned
Rick van der Arend
 
Marketing On The Internet
Jeremy Schneider
 
Radisson Hotel Whittier Feb2010 Powerpoints
tstyoung
 
Xampp
Reno Bastian Syah
 
Apd 2
Karl Daniel, M.D.
 
Uncover opportunities i
Todd Alan Sloane, MSEd - Protean Trainer and Coach
 
e-Commerce are you there?
Shay Rosen (שי רוזן)
 
Csp@scuola uav corso1_lez2
CSP Scarl
 
The Wizards Behind Google Apps: 11 Google Apps Setup Tips for Admins by Admins
Datto
 
Ad

Similar to Swug July 2010 - windows debugging by sainath (20)

PDF
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
PDF
CNIT 126 4: A Crash Course in x86 Disassembly
Sam Bowne
 
PDF
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
PPTX
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Sam Bowne
 
PDF
Debugger Principle Overview & GDB Tricks
dutor
 
PPTX
Driver Debugging Basics
Bala Subra
 
PPTX
amr_systemsdadwdsdasdsadsadsaaddsdw.pptx
ahmadtomizi95
 
PDF
N_Asm Assembly macros (sol)
Selomon birhane
 
PDF
Assembly level language
PDFSHARE
 
PPT
Advanced driver debugging (13005399) copy
Burlacu Sergiu
 
PPTX
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 
PDF
X86 assembly & GDB
Jian-Yu Li
 
PDF
Mp lab manual
Pradeep Kumar
 
PPTX
Coal (1)
talhashahid40
 
PPTX
Introduction to debugging linux applications
commiebstrd
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PPT
Assembler
Manish Pandey
 
PDF
Debug tutorial
Defri N
 
PPTX
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
PPT
Malware Analysis - x86 Disassembly
Natraj G
 
CNIT 127 Ch 1: Before you Begin
Sam Bowne
 
CNIT 126 4: A Crash Course in x86 Disassembly
Sam Bowne
 
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Sam Bowne
 
Debugger Principle Overview & GDB Tricks
dutor
 
Driver Debugging Basics
Bala Subra
 
amr_systemsdadwdsdasdsadsadsaaddsdw.pptx
ahmadtomizi95
 
N_Asm Assembly macros (sol)
Selomon birhane
 
Assembly level language
PDFSHARE
 
Advanced driver debugging (13005399) copy
Burlacu Sergiu
 
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 
X86 assembly & GDB
Jian-Yu Li
 
Mp lab manual
Pradeep Kumar
 
Coal (1)
talhashahid40
 
Introduction to debugging linux applications
commiebstrd
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Assembler
Manish Pandey
 
Debug tutorial
Defri N
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
Malware Analysis - x86 Disassembly
Natraj G
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

Swug July 2010 - windows debugging by sainath

  • 1. Sainath BT Frontline [email_address] MVP – Active Directory Microsoft Technet Moderator – Win2k8 , Networking Microsoft Technet Magazine – Author Microsoft Speaker – SWUG
  • 3. Basic Terms Process Thread User mode Kernel mode Call stack Register Exception
  • 4. Basic Terms IRQL Interrupt Free Build Check Build Paging Non paged pool Paged pool
  • 5. Basic Terms Complete Memory Dump HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl CrashDumpEnabled REG_DWORD 0x0 = None CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64KB)
  • 6. ASK A QUESTION TO PROCEED 
  • 7. Debugger Installation Setup Http://www.microsoft.com/ddk/debugging Symbol file public symbols – global variables, FPO private symbols – local symbol, global var
  • 8. Debugger Setup Problem with Symbol File ERROR: Symbol file could not be found. Defaulted to export symbols for <xxx.exe> Solution Check for the symbol file path Use .reload command
  • 9. AdPlus Tool User mode debugging tool Produces memory dumps of an application and processes -notify switch notifies user using live messenger You Cannot Debug startup applications Programs generating lot of debug information
  • 10. AdPlus Tool Adplus Modes Hang Mode Crash Mode First chance exception second chance exception
  • 11. AdPlus Tool Command Line Switches Adplus –help Adplus –hang Adplus –crash Adplus –pn Adplus –iis
  • 12. AdPlus Tool Demo 1 Adplus hang dump Adplus crah dump Configuring symbols Dumping process Analyzing dump
  • 13. Understanding Assembly c pgm void main() { int x =10; int y = 20; x= 30; y = 40 ; Printf(&quot;value of x is %d \n&quot;, x); }
  • 14. Understanding Assembly Important Note : CPU registers and Variables are different in assembly but serve similar purpose 12 Major CPU registers AX, BX, CX, DX, SI, DI, CS , IP etc.. Declaring variables : X dw 10; Y dw 20 ;
  • 15. Understanding Assembly Assembly Mov [x], 10 Mov [y], 20 Windbg Mov dword ptr [ saiprj!x (0a003456) ], 10
  • 16. Assembly Continued Writing data to registers Mov eax, 15 Mov eax, [x] Windbg mov eax, [saipgm!x (a0302934)]
  • 17. Assembly Continued C program Int b = 10; Int a = 20 ; B = b+a ; Assembly mov eax , b Add [a], eax Windbg Mov eax, [saipgm!b ( a0308923)] Add [saipgm!a (02342343)], eax
  • 18. Assembly Continued Mov [x], 1 Mov [y], 1 Mov eax, [x] Add [b], eax Inc eax What is the output ???
  • 19. Registers Registers are small storage units generally 32 or 64bit wide Registers are always accessed using names Wrong data in the registers are source of bug R command to display registers
  • 20. Registers Deep Dive EAX = contains return values EBX ECX = contains loop counter info EDX EIP = points to next instruction to be executed ESP = Stack pointer , points to top of stack.
  • 21. Registers Deep Dive EBP = Base pointer / Stack Frame Pointer EBP will be set before function is called
  • 22. Reading Memory Variable Types Local variables Global variables Strings Unicode Arrays constants.
  • 23. Reading Memory D DD – display memory 32 bits Dw – display as words ( 16 bits ) DT – display type Example: Eg: dt nt!<function name> dt yourexe!<function name>
  • 24. Stacks Program 1 function 1 function 2 program 2 calling function 1 (assigns stack ) return ( clears stack ) calling function 2
  • 25. Stacks Continued Every thread has 2 stacks User Mode 1 MB Kernel Mode 12 KB When ever a function is called you see a return instruction.
  • 26. Deep Dive Stacks. Dd esp 0012fe6c 004113e0 00000005 0000000a 0127f558 0012fe7c 007dca76 7ffd8000 cccccccc cccccccc 004113e0 = return address 00000005 = argument 1 0000000a = argument 2