
Help me. About displaying the value of a local variable using windbg


shine
Mar 16, 2009, 10:45:28 AM
Hi all,
I got a problem when I was using windbg.
It cannot display the value of some local variables of a function.
The source code is part of WRK1.2 (Windows Research Kernel).
Example:
PVOID
ObpLookupDirectoryEntry (
    IN POBJECT_DIRECTORY Directory,
    IN PUNICODE_STRING Name,
    IN ULONG Attributes,
    IN BOOLEAN SearchShadow,
    OUT POBP_LOOKUP_CONTEXT LookupContext
    )
{
    ULONG HashIndex;
    ULONG HashValue;
    ULONG WcharLength;
    BOOLEAN CaseInSensitive;
    POBJECT_DIRECTORY_ENTRY *LookupBucket;
    PVOID Object = NULL;
}

windbg can only display the values of HashValue, Object and CaseInSensitive,
not the others, like HashIndex,
when I move the cursor over the variable in the source window.
Using the dt command, I got the same result.
kd> dt HashValue
Local var @ 0xf7893b64 Type unsigned long
8
kd> dt HashIndex
*** ERROR: Module load completed but symbols could not be loaded for xpsp2res.dll
*** ERROR: Module load completed but symbols could not be loaded for browselc.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for HALACPIM.DLL -
Symbol HashIndex not found.

So please help me with this problem, which makes it difficult for me to debug the source
code. Thanks.

Tim Roberts
Mar 17, 2009, 12:29:56 AM
"shine" <geoche...@gmail.com> wrote:
>
> I got a problem when i were using windbg.
> It cannot display the value of some local variables of a function.
> The source code is part of WRK1.2(Windows research kernel)
> Example:
> PVOID
> ObpLookupDirectoryEntry (
> IN POBJECT_DIRECTORY Directory,
> IN PUNICODE_STRING Name,
> IN ULONG Attributes,
> IN BOOLEAN SearchShadow,
> OUT POBP_LOOKUP_CONTEXT LookupContext
> )
> {
> ULONG HashIndex;
> ULONG HashValue;
> ULONG WcharLength;
> BOOLEAN CaseInSensitive;
> POBJECT_DIRECTORY_ENTRY *LookupBucket;
> PVOID Object = NULL;
> }
>
> windbg can just display values of HashValue, Object, CaseInSensitive,
> not others, like HashIndex

You have probably compiled this with optimizations turned on, and the
compiler was able to keep HashIndex in a register. In that case, the value
never EXISTS in memory, so of course the debugger can't see it.

> So help me the problem, which make me difficult to debug the source
> code. Thanks.

No, it doesn't. You can trace through the assembler code and look for the
value in registers, or you can insert debug print statements in the code
itself.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.

shine
Mar 17, 2009, 4:55:17 AM

"Tim Roberts" <ti...@probo.com> wrote in message
news:c59ur4dkojggs4p0h...@4ax.com...
Thank you for the answer, but when I run the kernel with the optimizations
turned off,
I cannot log in to Windows; an access violation (blue screen) happens before
the logon dialog box is shown.

Access violation - code c0000005 (!!! second chance !!!)
nt!ExpOptimizePushLockList+0x4d:
8081ab7d 8b5114 mov edx,dword ptr [ecx+14h]

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

PROCESS_NAME: lsass.exe

FAULTING_IP:
nt!ExpOptimizePushLockList+4d [d:\wrk-v1.2\base\ntos\ex\pushlock.c @ 422]
8081ab7d 8b5114 mov edx,dword ptr [ecx+14h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 8081ab7d (nt!ExpOptimizePushLockList+0x0000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000014

READ_ADDRESS: 00000014

FOLLOWUP_IP:
nt!ExpOptimizePushLockList+4d [d:\wrk-v1.2\base\ntos\ex\pushlock.c @ 422]
8081ab7d 8b5114 mov edx,dword ptr [ecx+14h]

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 8081af0d to 8081ab7d

STACK_TEXT:
f7fb76e4 8081af0d 00000007 00000000 00000000 nt!ExpOptimizePushLockList+0x4d [d:\wrk-v1.2\base\ntos\ex\pushlock.c @ 422]
f7fb775c 80815c3e 00000011 00000000 f7fb7848 nt!ExfAcquirePushLockShared+0x14d [d:\wrk-v1.2\base\ntos\ex\pushlock.c @ 713]
f7fb776c 8090fb21 e100e328 00000698 000004d3 nt!ExAcquirePushLockShared+0x2e [d:\wrk-v1.2\base\ntos\inc\ex.h @ 7351]
f7fb7848 8090ea79 f7fb78d4 00000004 00000004 nt!CmpBuildAndLockKcbArray+0x301 [d:\wrk-v1.2\base\ntos\config\cmparse.c @ 3402]
f7fb78a0 8090c2e1 f7fb78d4 00000004 f7fb7b94 nt!CmpCacheLookup+0x39 [d:\wrk-v1.2\base\ntos\config\cmparse.c @ 2574]
f7fb7a54 8090c505 e1674c08 f7fb7b64 f7fb7b7c nt!CmpBuildHashStackAndLookupCache+0xe1 [d:\wrk-v1.2\base\ntos\config\cmparse.c @ 293]
f7fb7ba4 8099306f e1674c08 81f8f7e0 81df5008 nt!CmpParseKey+0x1a5 [d:\wrk-v1.2\base\ntos\config\cmparse.c @ 495]
f7fb7c34 8098e8e1 00000020 f7fb7c70 00000040 nt!ObpLookupObjectName+0x18f [d:\wrk-v1.2\base\ntos\ob\obdir.c @ 1913]
f7fb7c90 808e2c5a 00eaf3a8 81f8f7e0 f7fb7d01 nt!ObOpenObjectByName+0x131 [d:\wrk-v1.2\base\ntos\ob\obref.c @ 766]
f7fb7d50 808b3dec 00eaf43c 000f003f 00eaf3a8 nt!NtOpenKey+0x2aa [d:\wrk-v1.2\base\ntos\config\ntapi.c @ 2144]
f7fb7d50 7c95ed54 00eaf43c 000f003f 00eaf3a8 nt!KiFastCallEntry+0xfc [D:\wrk-v1.2\base\ntos\ke\i386\trap.asm @ 1369]
00eaf384 7c951764 77f4d991 00eaf43c 000f003f ntdll!KiFastSystemCallRet
00eaf388 77f4d991 00eaf43c 000f003f 00eaf3a8 ntdll!ZwOpenKey+0xc
00eaf3e8 77f4dc4b 00000020 00eaf410 00000000 ADVAPI32!LocalBaseRegOpenKey+0xe4
00eaf41c 770f3ba9 80000002 770f3bb8 00000000 ADVAPI32!RegOpenKeyExW+0x116
00eaf440 770f3b6d 770d0000 00000001 00eaf4c8 setupapi!IsWinPEMode+0x23
00eaf5e4 770f35a3 770d0000 00000001 770d0000 setupapi!GetEmbeddedFlags+0x5a
00eaf868 770f3dc3 00000001 00000000 00000001 setupapi!CommonProcessAttach+0x99
00eaf89c 770d726a 770d0000 00000001 00000000 setupapi!ProcessAttach+0x9c
00eaf8b8 770d161e 770d0000 00000001 00000000 setupapi!DllMain+0x36
00eaf8d8 7c95257a 770d0000 00000001 00000000 setupapi!_DllMainCRTStartup+0x52
00eaf8f8 7c9658fb 770d15d6 770d0000 00000001 ntdll!LdrpCallInitRoutine+0x14
00eafa00 7c965bcb 00000000 00000000 00000000 ntdll!LdrpRunInitializeRoutines+0x367
00eafc94 7c963ee5 00000000 000ea5b8 00eaff5c ntdll!LdrpLoadDll+0x3cd
00eaff10 7c801c90 000ea5b8 00eaff5c 00eaff3c ntdll!LdrLoadDll+0x198
00eaff78 7c827b3f 74223d8c 00000000 00000000 kernel32!LoadLibraryExW+0x1b2
00eaff8c 74223b53 74223d8c 00000000 00000000 kernel32!LoadLibraryW+0x11
00eaffb8 7c826063 00000000 00000000 00000000 LSASRV!EFSRecover+0x16
00eaffec 00000000 74223b3d 00000000 00000000 kernel32!BaseThreadStart+0x34


STACK_COMMAND: kb

FAULTING_SOURCE_CODE:
   418:     FirstWaitBlock = WaitBlock;
   419:
   420:     while (1) {
   421:
>  422:         NextWaitBlock = WaitBlock->Last;
   423:         if (NextWaitBlock != NULL) {
   424:             FirstWaitBlock->Last = NextWaitBlock;
   425:             break;
   426:         }
   427:


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ExpOptimizePushLockList+4d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: wrkx86.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 49be8332

FAILURE_BUCKET_ID: ACCESS_VIOLATION_nt!ExpOptimizePushLockList+4d

BUCKET_ID: ACCESS_VIOLATION_nt!ExpOptimizePushLockList+4d

Followup: MachineOwner
---------

Please help me with this problem. Thanks!
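As an added example (not code from the thread or from the WRK), a small Python triage helper run over a constructed excerpt of the !analyze -v output above: from the faulting instruction `mov edx,dword ptr [ecx+14h]` and the accessed address 00000014 it recovers what the base register held (0x14 - 0x14 = 0), which is exactly the reasoning behind the NULL_CLASS_PTR_DEREFERENCE bucket: WaitBlock was NULL when its Last field at offset 0x14 was read at pushlock.c line 422. The 64 KB "null page" threshold is an assumption of this script, not something WinDbg prints.

```python
import re

# Constructed excerpt of the !analyze -v output quoted in the thread
# (only the fields this script needs, not the full dump).
ANALYZE_OUTPUT = r"""
FAULTING_IP:
nt!ExpOptimizePushLockList+4d [d:\wrk-v1.2\base\ntos\ex\pushlock.c @ 422]
8081ab7d 8b5114 mov edx,dword ptr [ecx+14h]

ExceptionCode: c0000005 (Access violation)
Attempt to read from address 00000014
"""

# 32-bit MASM memory operand: [base], [base+disp] or [base-disp], hex disp ending in 'h'.
_MEM = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?:([+-])([0-9a-f]+)h?)?\]", re.I)
_ACCESS = re.compile(r"Attempt to (read from|write to) address ([0-9a-f]+)", re.I)
_CODE = re.compile(r"ExceptionCode:\s*([0-9a-f]+)", re.I)

# Assumption used for classification: on 32-bit Windows the first 64 KB of an
# address space is never mapped, so a fault there means a NULL-class pointer.
NULL_PAGE_LIMIT = 0x10000

def triage(text):
    """Classify an access violation from !analyze -v text; None if fields are missing."""
    code = _CODE.search(text)
    access = _ACCESS.search(text)
    mem = _MEM.search(text)
    if not (code and access and mem and int(code.group(1), 16) == 0xC0000005):
        return None
    fault_addr = int(access.group(2), 16)
    base, sign, disp = mem.group(1).lower(), mem.group(2), mem.group(3)
    displacement = int(disp, 16) if disp else 0
    if sign == "-":
        displacement = -displacement
    # The instruction touched base+disp, so the base register held fault_addr-disp.
    base_value = (fault_addr - displacement) & 0xFFFFFFFF
    kind = "read" if access.group(1).lower().startswith("read") else "write"
    if base_value < NULL_PAGE_LIMIT:
        verdict = ("NULL pointer dereference: %s was 0x%x, %s of field at offset 0x%x"
                   % (base, base_value, kind, displacement))
    else:
        verdict = "%s through %s=0x%08x (not a NULL-class pointer)" % (kind, base, base_value)
    return {"base": base, "base_value": base_value,
            "displacement": displacement, "kind": kind, "verdict": verdict}

if __name__ == "__main__":
    print(triage(ANALYZE_OUTPUT)["verdict"])
```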

Tim Roberts
Mar 18, 2009, 11:18:38 PM
"shine" <geoche...@gmail.com> wrote:

>
> "Tim Roberts" <ti...@probo.com> wrote:
>>
>> No, it doesn't. You can trace through the assembler code and look for the
>> value in registers, or you can insert debug print statements in the code
>> itself.
>
> Thank you for the answer, but when I run the kernel with the optimizations
> turned off,
> I cannot log in to Windows; an access violation (blue screen) happens before
> the logon dialog box is shown.
> ...

> Please help me with this problem. Thanks!

If you will please pay attention to what I wrote, you'll see I offered you
two suggestions, and neither one of them involved turning optimizations
off.

If you want to learn kernel coding, you will need to learn x86 assembler.
With that ability, it's not that hard to trace through the code and see
which values are in which registers.

Why are you digging into ObpLookupDirectoryEntry? Is there some question
you are trying to answer?

shine
Mar 19, 2009, 11:29:57 AM

> "Tim Roberts" <ti...@probo.com> wrote:

> If you want to learn kernel coding, you will need to learn x86 assembler.
> With that ability, it's not that hard to trace through the code and see
> which values are in which registers.
>

I have learned x86 assembly in both protected mode and real mode.
But I think it saves some time (maybe a little) to work at the C language level
rather than in assembly language.


> Why are you digging into ObpLookupDirectoryEntry? Is there some question
> you are trying to answer?

The question is how the object manager of the Windows kernel organizes its objects
using directory objects,
and I want to print the object tree like the tree in Winobj.exe of the Sysinternals
suite.

I am a beginner in the Windows kernel, in which I am very interested, because
my job is about anti-virus.
And I think many things are different between the Windows world and the Linux world.
When I build the Linux kernel, I can modify all of the compilation options, and
the kernel will still run.
But as soon as I turn optimizations off in the Windows kernel, it cannot run. I am
very troubled by it.
However, thank you for the explanation, it is helpful. I will look at the
assembly statements if necessary.
