Chris Jackson The App Compat Guy Microsoft Corporation WCL401 When Do You Debug?


Chris Jackson
The App Compat Guy
Microsoft Corporation
WCL401
When Do You Debug?
The Debugging Process
Learn and
share
Application Compatibility Issues
Symbols: Privates
ntdll
0xA3419
0x8E21
4
0x9135
0x0000
Symbols: Publics
ntdll
0xA3419
0x8E21
4
0x9135
0x0000
Symbols
Publics: http://msdl.microsoft.com/download/symbols
Download for offline use
Updated with every build
Recommend symbol servers
http://windowssdk.msdn.microsoft.com/enus/library/ms681417.aspx
Symbol Paths
_NT_SYMBOL_PATH
srv*<Path1>*<server1>;srv*<Path2>*<server2>;…
Calling Conventions
Calling Convention    Argument Passing Order     Stack Maintenance Responsibility
__cdecl               Right to left              Caller
__stdcall             Right to left              Callee
__fastcall            ECX, EDX, right to left    Callee
__thiscall            ECX this, Right to left    Callee
__stdcall and the Stack
EBP
ESP
Argument 2
Argument 1
Return Address
EBP
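The stack layout on this slide can be traced with a small model. This is an added example, not code from the presentation: the `Cpu` struct, its helpers and the argument and return-address values are constructed for illustration. It shows why the first argument of a `__stdcall` function is at `esp+4` when a breakpoint hits at function entry, at `ebp+8` once the prologue has run, and why the callee's `ret <nbytes>` leaves the stack where the caller started.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy 32-bit x86 stack (constructed for illustration): esp and ebp are
   byte offsets into mem, and the stack grows toward lower offsets. */
typedef struct { uint32_t mem[32]; uint32_t esp, ebp; } Cpu;

void cpu_init(Cpu *c) { c->esp = c->ebp = sizeof c->mem; }
static void push(Cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop(Cpu *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }
/* Same meaning as the debugger's poi(): the DWORD stored at addr. */
uint32_t poi(const Cpu *c, uint32_t addr) { return c->mem[addr / 4]; }

/* Caller side of a two-argument __stdcall call: right to left, then call. */
void call_stdcall(Cpu *c, uint32_t arg1, uint32_t arg2, uint32_t ret_addr) {
    push(c, arg2);
    push(c, arg1);
    push(c, ret_addr);           /* pushed by the call instruction */
}

/* Callee prologue: push ebp / mov ebp, esp. */
void prologue(Cpu *c) { push(c, c->ebp); c->ebp = c->esp; }

/* Callee epilogue: mov esp, ebp / pop ebp / ret nbytes. */
uint32_t epilogue_ret(Cpu *c, uint32_t nbytes) {
    c->esp = c->ebp;
    c->ebp = pop(c);
    uint32_t ret_addr = pop(c);
    c->esp += nbytes;            /* __stdcall: the callee removes its arguments */
    return ret_addr;
}

int main(void) {
    Cpu c;
    cpu_init(&c);
    call_stdcall(&c, 0x1111, 0x2222, 0x401000);   /* constructed values */
    printf("at entry: [esp]=%x [esp+4]=%x [esp+8]=%x\n", (unsigned)poi(&c, c.esp),
           (unsigned)poi(&c, c.esp + 4), (unsigned)poi(&c, c.esp + 8));
    prologue(&c);
    printf("in frame: [ebp+4]=%x [ebp+8]=%x [ebp+c]=%x\n", (unsigned)poi(&c, c.ebp + 4),
           (unsigned)poi(&c, c.ebp + 8), (unsigned)poi(&c, c.ebp + 12));
    uint32_t ret_addr = epilogue_ret(&c, 8);
    printf("ret 8 -> %x, esp=%u\n", (unsigned)ret_addr, (unsigned)c.esp);
    return 0;
}
```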
Public Windows Symbols
Discovering Arguments using MSDN and the Debugger
Kernel Dump Files
Complete (RAM)
Kernel memory (~1/3 RAM)
Small memory (64k)
User Mode Dump Files
Full
Mini
Memory
Memory information
Handles
Unloaded modules
Thread information
Secondary memory
Process and Thread Environment Blocks
…
Creating dump files
Task Manager
.dump
ADPlus
Crash
Hang
ADPlus Configuration Files
<ADPlus>
  <!-- defining breakpoints -->
  <Breakpoints>
    <NewBP>
      <Address> mscorsvr!RaiseTheException </Address>
      <Type> BU </Type>
      <Actions> VOID </Actions>
      <CustomActions> j (poi(poi(poi(poi(esp+4))+8)+48) = 02000004) '.time;du poi((poi(esp+4)+10))+c;.dump /u /mfh d:\dumps\Insite.dmp;gc';'.time;du poi((poi(esp+4)+10))+c;gc'</CustomActions>
      <ReturnAction> VOID </ReturnAction>
    </NewBP>
  </Breakpoints>
</ADPlus>
ADPlus
Capturing and Analyzing a Crash Dump
Interactive Debugger Commands
k* - callstack
d* - memory
b* - breakpoints
u* - unassembling
~ - threads
lm - loaded modules
lmv m <module> - module info
Color Coding Output
Debuggee level command window text
User-selected command window line text
Right click in title area
Frequently Interesting Registers
Register    Purpose
EAX         Accumulator: Return Values
ECX         Counter: Loop Iterations
EBP         Base Pointer: Relevant Stack
ESP         Stack Pointer: Entire Stack
EIP         Instruction Pointer: Executing Code
ESI         Source Index: String Operations
EDI         Destination Index: String Operations
x86 Instruction Set, In (Very) Brief
Instruction                            Purpose
call <destination>                     Subroutine or method call
ret <nbytes>                           Return from a subroutine or method
jmp/je/jz/jne/jnz/j*… <destination>    Branch
mov <destination>,<source>             Copy data
cmp <destination>,<source>             Compare two values
push <source>                          Add value to the stack
pop <source>                           Remove top value from stack
inc <destination>                      Increment destination
dec <destination>                      Decrement destination
From C to Assembly Code 1/2
; int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) {
    push    ebp
    mov     ebp, esp
    sub     esp, 288                            ; 00000120H
    mov     eax, DWORD PTR ___security_cookie
    xor     eax, ebp
    mov     DWORD PTR __$ArrayPad$[ebp], eax
; OSVERSIONINFO osvi;
; ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
    push    276                                 ; 00000114H
    push    0
    lea     eax, DWORD PTR _osvi$[ebp]
    push    eax
    call    _memset
    add     esp, 12                             ; 0000000cH
; osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    mov     DWORD PTR _osvi$[ebp], 276          ; 00000114H
; GetVersionEx(&osvi);
    lea     ecx, DWORD PTR _osvi$[ebp]
    push    ecx
    call    DWORD PTR __imp__GetVersionExW@4
From C to Assembly Code 2/2
; if (osvi.dwMajorVersion != 5 || osvi.dwMinorVersion != 1) {
    cmp     DWORD PTR _osvi$[ebp+4], 5
    jne     SHORT $LN1@WinMain
    cmp     DWORD PTR _osvi$[ebp+8], 1
    je      SHORT $LN2@WinMain
$LN1@WinMain:
; MessageBox(NULL, L"This application requires Windows XP", L"Unsupported Version", MB_OK | MB_ICONERROR);
    push    16                                  ; 00000010H
    push    OFFSET $SG-5
    push    OFFSET $SG-6
    push    0
    call    DWORD PTR __imp__MessageBoxW@16
; return 1;
    mov     eax, 1
    jmp     SHORT $LN3@WinMain
$LN2@WinMain:
;}
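The C source carried in the listing's comments lets the program continue only when the version is exactly 5.1, so the check rejects every other Windows release. The following is an added example, not code from the presentation: it restates that test as a pure function next to a common field-by-field rewrite that still misjudges 6.0, and a minimum-version comparison. The `OsVer` struct and the function names are assumptions standing in for `OSVERSIONINFO` and the `WinMain` logic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stands in for OSVERSIONINFO.dwMajorVersion / dwMinorVersion. */
typedef struct { unsigned major_ver, minor_ver; } OsVer;

static OsVer ver(unsigned major_ver, unsigned minor_ver) {
    OsVer v = { major_ver, minor_ver };
    return v;
}

/* The test from the listing: continue only when the version is exactly 5.1. */
bool passes_exact(OsVer v) {
    return !(v.major_ver != 5 || v.minor_ver != 1);
}

/* A frequent rewrite that is still wrong: each field is compared on its
   own, so 6.0 is rejected because its minor version is below 1. */
bool passes_fieldwise(OsVer v) {
    return v.major_ver >= 5 && v.minor_ver >= 1;
}

/* Minimum-version test: the minor version matters only on a major tie. */
bool passes_at_least(OsVer v, OsVer min) {
    if (v.major_ver != min.major_ver)
        return v.major_ver > min.major_ver;
    return v.minor_ver >= min.minor_ver;
}

int main(void) {
    /* Constructed inputs: 5.0 = Windows 2000, 5.1 = XP, 6.0 = Vista, 6.1 = Windows 7. */
    OsVer samples[] = { ver(5, 0), ver(5, 1), ver(6, 0), ver(6, 1) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        OsVer v = samples[i];
        printf("%u.%u  exact=%d  fieldwise=%d  at_least_5.1=%d\n",
               v.major_ver, v.minor_ver, passes_exact(v),
               passes_fieldwise(v), passes_at_least(v, ver(5, 1)));
    }
    return 0;
}
```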
Interactive Debugging
Coaxing Secrets from a
Misbehaving Application
Common Breakpoints
“I run the executable and nothing happens” or
“I click the menu item and nothing happens”
bm kernel32!*create*process
bm shell32!shellexecute*
bm ole32!cocreateinstance*
bp kernel32!winexec
Common Breakpoints
“My application is doing something in the registry,
where do I start?”
Write?
bm advapi32!regcreatekey*
bm advapi32!regsetvalue*
Read?
bm advapi32!regenumkey*
bm advapi32!reggetvalue*
bm advapi32!regqueryvalue*
bm advapi32!regquerymultiple
Delete?
bm advapi32!regdelete*
Common Breakpoints
“My app creates a window and it looks funny”
or “My app is supposed to create a window, and
it doesn’t”
bm user32!createwindow*
bm user32!createdialog*param*
bm user32!createmdiwindow*
bp user32!destroywindow
Common Breakpoints
“My app is missing a menu item” or “my app
has a menu item that is inactive”
bm user32!createmenu*
bm user32!createpopupmenu*
bm user32!loadmenu*
bp user32!destroymenu
Common Breakpoints
“I’m having problems with COM/COM+/DCOM”
bm ole32!cocreateinstance*
bm ole32!cogetclassobject*
bm ole32!IClassFactory::CreateInstance*
Common Breakpoints
“I’m having a problem where I can see an exception”
bm ntdll!*RaiseException
bm ntdll!RtlDispatchException
bp ntdll!raise
bp ntdll!RtlIsValidHandler
bp ntdll!InvalidHandlerDetected
bp ntdll!ExecuteHandler2
bp rpcrt4!RpcRaiseException
bp rpcrt4!NdrpRaisePipeException
bp ole32!RtlReportException
Common Breakpoints
“My app has a problem using common dialogs”
bm comdlg32!GetSaveFileName*
bm comdlg32!GetOpenFileName*
Common Breakpoints
“My app starts a service, where do I start?”
bm advapi32!CreateService*
bm advapi32!StartService*
bm advapi32!ControlService*
Common Breakpoints
“My app or one of its dlls appears to have
problems even loading”
bp kernel32!BaseThreadInitThunk
bp ntdll!LdrpRunInitializeRoutines
bp ntdll!LdrpMapDll
bp ntdll!LdrpLoadDll
bp ntdll!LdrpUnloadDll
bm kernel32!LoadLibrary*
Common Breakpoints
“My app is having problems with files or objects”
bm kernel32!CreateFile*
bm kernel32!DeleteFile*
bm kernel32!ReadFile*
bm kernel32!CopyFile*
bm kernel32!WriteFile*
bm kernel32!GetPrivateProfileString
bm kernel32!GetFileAttributes*
bp kernel32!StgCreateDocfile
bm kernel32!GetFileVersionInfo*
bm kernel32!FindFirstFile*
bm kernel32!FindNextFile*
bm kernel32!MoveFile*
Common Breakpoints
“My app is an msi, and I think I need to debug a
custom action”
bp msi!CmsiCustomAction__CustomActionThread
bp msi!CmsiCustomAction__RunScriptAction
bp msi!CmsiEngine__FindAndRunAction
Common Breakpoints
“My app is having networking issues. I have installed
the proxy client, and I am connected.”
bm mpr!*wnetaddconnection*
bm mpr!*GetConnection*
bm ws2_32!*send*
bm ws2_32!*recv*
bm ws2_32!*getsockname*
bm ws2_32!*connect*
bm wininet!*InternetOpen*
bm wininet!*InternetConnect*
bm wininet!*GetProxyInfo*
Common Breakpoints
“My app may be dependent on the old TCP-IP
stack”
bm tcpip!FreeIprBuff
bm tcpip!IPAllocBuff
bm tcpip!IPFreeBuff
bm tcpip!LookupRouteInformation
Common Breakpoints
“My app has an embedded IE window and
might be using URL monikers”
bm urlmon!URLOpenStream*
bm urlmon!URLDownloadToFile*
bm urlmon!IsValidURL*
bm urlmon!CreateURLMoniker*
Common Breakpoints
“I think my app is mishandling critical sections”
bm kernel32!EnterCriticalSection*
bm kernel32!DeleteCriticalSection*
bm kernel32!InitializeCriticalSection*
bm kernel32!LeaveCriticalSection*
Common Breakpoints
“I think my app is reporting a specific Windows
error code”
bm kernel32!GetLastError*
bm kernel32!SetLastError*
bm kernel32!FormatMessage
More Interactive Debugging
Coaxing Secrets from a
Misbehaving Application
Additional Tools
err.exe
depends.exe
pebrowse pro
logman.exe
Sysinternals
ACT
LUA Buglight
http://www.appcompatguy.com
Resources
www.microsoft.com/teched - Sessions On-Demand & Community
www.microsoft.com/learning - Microsoft Certification & Training Resources
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
Related Content
Breakout Sessions (session codes and titles)
WCL302 – Are You Breaking my Stuff Again? The Windows 7 App Compat Story
WCL304 – Fix Your Broken Applications: The Black Art of Shims
WCL401 – Not for the Faint of Heart: Hard Core App Compat Debugging
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.