[Debugging] How to find length of a CString string in application memory or in a dump

Recently a colleague of mine asked where the length of a CString string is stored in memory. Hmm, so let's dig around. Please note I've declared the following CString object in my code… CString TestCString = _T("Nibu is testing CString"); If you dump the CString type in the debugger we see the following… 0:000> dt TestCStringLocal var @ 0xb4fcd4 […]

Stepping/tracing to next function or branching call

While stepping through disassembly code you might have wondered if there is a way to jump directly to the next branching instruction, the next call, or the next return instruction. The answer is yes, there are some very useful commands for this; the following table of commands is taken from the WinDbg documentation. p (Step) Debug […]

Non-Invasive debugging

Non-Invasive debugging is a useful technique for debugging hung processes. The debugger suspends all threads in the process and has access to all threads, memory and registers of the process. To do non-invasive debugging via windbg/cdb check this link out: http://msdn.microsoft.com/en-in/library/windows/hardware/ff552274(v=vs.85).aspx To do this via the WinDbg UI, press F6 or File->Attach to a Process… While […]

windbg: kf command

kf is a useful command to find out the stack memory taken by a frame. See below… I have three functions which look like this…

#pragma auto_inline(off)
void TestStack2()
{
    printf("hello");
    return;
}
void TestStack1()
{
    TestStack2();
    char bytes[0x190] = {9};
    printf("hello: %s", bytes);
}
void TestStack()
{
    TestStack1();
    […]

How to force symbol loading in WinDbg

Sometimes we have a dump for which the .pdb files do not load even though they are present in the dump folder. The load failure is not always caused by a code change; it can be caused by just a rebuild of the source code. In such cases if you force load the .pdb file […]

How to list out binaries for which symbol loading failed

Use 'lml' to list all dlls whose symbols have been loaded or failed to load; the list also includes dlls for which symbol loading failed. See the sample…

0:000> lml
start             end                 module name
00000000`03d90000 00000000`040e3000   Test1 T    (no symbols)
00000000`77d40000 00000000`77eb3000   kernel32   (private pdb symbols)  c:\sym\kernel32.pdb\F0EC676938D745549823C7204D03B07B2\kernel32.pdb
00000000`77ec0000 00000000`77ffc000   ntdll      (private pdb symbols)  c:\sym\ntdll.pdb\C5666A2C21444EFAA53EB4F1CFBE56D22\ntdll.pdb
00000001`55600000 00000001`55801000   Test2      (export […]

How to search a range of addresses using ‘s’ command in WinDbg

-> Please note that for demo purposes we are using the current thread's stack range as the address range: poi(@$teb+8) poi(@$teb+4) <-

Search for an ASCII string beginning with "Rtl":

s -a poi(@$teb+8) poi(@$teb+4) "Rtl"

//Output
0fd3d906 52 74 6c 47 65 74 50 72-6f 64 75 63 74 49 6e 66 RtlGetProductInf

Search for a Unicode string […]

.loadby sos clr fails! Why?

You have a managed application crash dump and you would like to load sos.dll, to use the powerful commands it provides for managed debugging, but loading sos.dll always fails. The command you are executing to load sos.dll is… 0:015> .loadby sos clr Unable to find module 'clr' On pressing enter you […]

Dump file

This blog entry deals with user mode dumps only. Kernel mode dump files are not dealt with here but should be quite similar. Define dump file: it is a memory snapshot of a process. The dump file saves all information pertaining to the process. This information includes loaded modules/dlls, handles, executing threads and other things. Optionally we can […]

Breakpoints in Windbg

WinDbg rocks. 🙂 Setting breakpoints is very easy in WinDbg. The command to set a breakpoint is 'bp'. So if you want to break whenever a dll is loaded into a process, type in the following command… bp kernel32!LoadLibraryW So to trigger this breakpoint, attach 'notepad.exe' to the debugger and then type in this command. Now let the app run […]