Introduction to WinDbg. Operating Systems Course Group
Contents
• Features of WinDbg
• User-mode debugging
• Kernel-mode debugging
• Kernel-mode debugging environment
• Starting kernel-mode debugging
• WinDbg windows
• WinDbg commands
Features of WinDbg
• Microsoft Windows Debugger (WinDbg)
• WinDbg is a powerful Windows-based debugging tool. It:
• Has the capability of both user-mode and kernel-mode debugging.
• Provides full source-level debugging for the Windows kernel, kernel-mode drivers, and system services, as well as user-mode applications and drivers.
• Can view source code, set breakpoints, view variables (including C++ objects), stack traces, and memory. Its Debugger Command window allows the user to issue a wide variety of commands.
• Supports various remote debugging options for both user-mode and kernel-mode targets.
• Is the graphical-interface counterpart to CDB / NTSD and to KD.
User-mode debugging
• User-mode debugging
• A debugger session in which the target is running in user mode.
• User mode
• Processes that run in user mode do so within their own virtual address spaces. They are restricted from gaining direct access to many parts of the system, including system hardware, memory that was not allocated for their use, and other portions of the system that might compromise system integrity.
• Categories of user-mode processes:
• System processes
• Server processes
• Environment subsystems
• User applications
Kernel-mode debugging
• Kernel-mode debugging
• A debugger session in which the target is running in kernel mode.
• Kernel mode
• Kernel-mode code has permission to access any part of the system and is not restricted like user-mode code. It can gain access to any part of any other process running in either user mode or kernel mode.
• Kernel-mode components:
• Executive
• Kernel
• Hardware Abstraction Layer (HAL)
• Window and Graphics Subsystem
Kernel-mode debugging environment
• Hardware requirements
• A host computer (runs WinDbg).
• A target computer (runs the kernel-mode program).
• A null-modem cable connecting the two.
Kernel-mode debugging environment
• Our lab environment
• Virtual PC 2007 / Windows Server 2003 SP1
• Windows XP
• Named pipe
Starting kernel-mode debugging
• How to start
• On the host computer, open a Command Prompt window (click Start > Run, type cmd, click OK) and enter the following commands:
• set _NT_SYMBOL_PATH=D:\WRK-v1.2\base\ntos\BUILD\EXE;D:\WRK-v1.2\WS03SP1HALS\x86\halacpim
• path D:\WRK-v1.2\DebugTools
• windbg -k com:pipe,port=\\.\pipe\debug,resets=0,reconnect
Starting kernel-mode debugging
Command explanation: set _NT_SYMBOL_PATH=D:\WRK-v1.2\base\ntos\BUILD\EXE;D:\WRK-v1.2\WS03SP1HALS\x86\halacpim
• Symbol file:
• When we compile a program and link it, the build usually produces .exe and .dll files, and also produces some auxiliary files, which we call symbol files.
• Information contained in symbol files: global variables, local variables, function names and the addresses of their entry points, FPO data, source-line numbers. This information is not used while the program runs, but it is very useful during debugging.
• On Windows XP and later, symbol files have the .pdb extension.
Starting kernel-mode debugging
Command explanation: windbg -k com:pipe,port=\\.\pipe\debug,resets=0,reconnect
-k // kernel-mode debugging
com:pipe // WinDbg connects to the target machine through a named pipe
port=\\.\pipe\debug // location of the named pipe, format: \\VMHost\pipe\PipeName
resets=0 // synchronization setting between host and target
reconnect // lets WinDbg automatically connect to and disconnect from the named pipe
Starting kernel-mode debugging
Start the virtual machine and select the second entry.
Starting kernel-mode debugging
Choose the “DebugBreak” command to pause execution of the target machine.
Command input line: the “kd” prompt stands for Kernel Debug.
WinDbg windows
• Debugging Information Windows
WinDbg commands
• Command types
• Debugger Commands
• Commands
• Meta-Commands // usually prefixed with “.”, e.g. .cls (Clear Screen), .echo (Echo Comment), .help
• Command Tokens // .block .break .catch .continue .do .else .elsif .for .foreach .if .leave .printf .while
• Debugger Extension Commands
• General Extensions
• Kernel-Mode Extensions
• User-Mode Extensions
• Specialized Extensions
• Extension commands start with “!”, e.g. !peb !process !dt
WinDbg commands
• Common commands
• Controlling the target
• Execution halts
• Target executes freely
• Target executes one instruction // If this is a function call, the debugger traces into that call.
WinDbg commands
• Target executes one instruction // If this is a function call, that function is executed as a single step.
• Halts all debugging and terminates the target ……
WinDbg commands
• Other commands
• .cls (Clear Screen) // clears the Debugger Command window display.
• !process // displays information about the specified process, or about all processes, including the EPROCESS block. For example:
• !process 0 0 // shows basic information about the processes currently active on the target; the last argument ranges from 0 to 7 and sets the level of detail
• !process ProcessAddress 0, or !process 0 0 ProcessImageFileName // shows detailed information about the specified process
WinDbg commands
• !thread // displays summary information about a thread on the target system, including the ETHREAD block. For example:
• !thread Address 0 // shows basic information about the currently active thread; the last argument ranges from 0 to 7 and sets the level of detail
• !thread -p Address // shows basic information about the currently active thread together with information about its parent process
• dt // displays information about a local variable, global variable or data type. For example:
• dt eprocess // shows the definition of the process executive object
• dt eprocess ProcessAddress // shows the field values of the specified process's executive object
For more commands, consult the Debugger Reference section of the WinDbg help documentation.
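The `!process 0 0` listing above is often the first thing an analyst captures from a kernel debugging session or a crash dump. The following script is an added example, not part of the course material: it parses that listing into PID / parent-PID / image-name records and flags processes whose parent is no longer in the list, a routine sanity check when reviewing a target's process tree. The sample output is constructed for the example (addresses and Cids are made up, only the PROCESS-block layout follows the real command), and every function name is the example's own.

```python
import re
from typing import Dict, List

# Constructed sample of "!process 0 0" output. The layout mirrors what WinDbg prints
# (PROCESS header, then DirBase/ObjectTable and Image lines); values are invented.
SAMPLE_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 8a3c0020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1000c98  HandleCount: 256.
    Image: System

PROCESS 8a1b0da0  SessionId: none  Cid: 01c4    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0b2b8000  ObjectTable: e1457b48  HandleCount:  19.
    Image: smss.exe

PROCESS 89f9e6a8  SessionId: 0  Cid: 0208    Peb: 7ffdf000  ParentCid: 01c4
    DirBase: 0b8d6000  ObjectTable: e14e3d10  HandleCount: 380.
    Image: csrss.exe

PROCESS 89f0b020  SessionId: 0  Cid: 0340    Peb: 7ffdd000  ParentCid: 0320
    DirBase: 0c1f0000  ObjectTable: e15a2f08  HandleCount:  64.
    Image: notepad.exe
"""

# One PROCESS header line: EPROCESS address, session, Cid (PID) and ParentCid, all hex.
PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<addr>[0-9a-fA-F]+)\s+SessionId:\s*(?P<session>\S+)\s+"
    r"Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*(?P<peb>[0-9a-fA-F]+)\s+"
    r"ParentCid:\s*(?P<ppid>[0-9a-fA-F]+)"
)
IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>.+?)\s*$")


def parse_process_dump(text: str) -> List[Dict[str, object]]:
    """Turn the text of '!process 0 0' into a list of process records."""
    procs: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = {
                "address": m.group("addr").lower(),  # usable as !process <address> <level>
                "session": m.group("session"),
                "pid": int(m.group("cid"), 16),       # Cid is printed in hex
                "ppid": int(m.group("ppid"), 16),
                "image": None,
            }
            procs.append(current)
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            current["image"] = m.group("image")
    return procs


def find_orphans(procs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Processes whose ParentCid is not in the listing. The System process
    (ParentCid 0) is expected and skipped; anything else deserves a closer look."""
    pids = {p["pid"] for p in procs}
    return [p for p in procs if p["ppid"] != 0 and p["ppid"] not in pids]


def detail_command(proc: Dict[str, object], level: int = 7) -> str:
    """Build the follow-up command that shows a process at the requested detail level (0-7)."""
    if not 0 <= level <= 7:
        raise ValueError("detail level must be between 0 and 7")
    return f"!process {proc['address']} {level}"


if __name__ == "__main__":
    processes = parse_process_dump(SAMPLE_DUMP)
    for p in processes:
        print(f"{p['pid']:>6} {p['ppid']:>6}  {p['image']}")
    for p in find_orphans(processes):
        print(f"parent {p['ppid']} of {p['image']} is not in the listing; inspect with: "
              f"{detail_command(p)}")
```

A parent that is missing from the listing is not by itself suspicious (the parent may simply have exited, as happens with installers and logon helpers), but it is the kind of discrepancy worth confirming with `!process <address> 7` before drawing conclusions from the tree.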
Homework
• Become familiar with the WRK debugging environment and learn how to use WinDbg.
References [1] WinDbg, Debugging Help