Thursday, August 30, 2012

Inside Windows Debugging

Finished reading this excellent book. A very good introduction to using windbg/appverifier/xperf. Although the author doesn't know about the .pagein & !pool commands, this book still contains lots of useful debugging tricks:
  • for wow64 debugging
  • for .net debugging (like setting COMPLUS_HeapVerify & COMPLUS_GCStress environment vars)
  • ntdll!g_dwLastErrorToBreakOn 
  • using xperf to capture stack traces (sadly, this only works since Windows 7)
  • and many others!

Tuesday, August 21, 2012

sprintf_s - wtf?

Let's assume that we register a handler with LdrRegisterDllNotification and just dump all (un)loaded modules to a log file. Access to this log is synchronized with a critical section; let's name it LogFileCSection. Today I discovered that this simple scheme can lead to unpredictable deadlocks:
thread 1:

02fbd09c 77c88dd4 ntdll_77c50000!ZwWaitForSingleObject+0x15
02fbd100 77c88cb8 ntdll_77c50000!RtlpWaitOnCriticalSection+0x13e
02fbd128 6c4d6144 ntdll_77c50000!RtlEnterCriticalSection+0x150 ; waits on LogFileCSection
02fbd1e0 6c4baf66 xxx!log_with_time+0x22
02fbd210 77cb76b8 xxx!my_notifier+0x36
02fbd240 77c8c74a ntdll_77c50000!LdrpSendDllNotifications+0x45
02fbd328 77c8c389 ntdll_77c50000!LdrpFindOrMapDll+0x735
02fbd4a8 77c8c4b5 ntdll_77c50000!LdrpLoadDll+0x2b2
02fbd4e0 759a1d2a ntdll_77c50000!LdrLoadDll+0xaa ; LdrpLoaderLock acquired
02fbd518 7741493c KERNELBASE!LoadLibraryExW+0x178
02fbd52c 6b268546 KERNEL32!LoadLibraryW+0x11
02fbd540 6b261404 IEFRAME!GetDloadFunction+0x20
02fbd55c 6b261623 IEFRAME!DwmSetWindowAttribute+0x2f
02fbd580 6b2615bd IEFRAME!CTabThumbnailHandler::_OnCreate+0x45
02fbd59c 6b2d7e17 IEFRAME!CTabThumbnailHandler::v_WndProc+0xa0
02fbd5c0 766c62fa IEFRAME!CImpWndProc::s_WndProc+0x65
02fbd5ec 766c6d3a USER32!InternalCallWinProc+0x23
02fbd664 766c6de8 USER32!UserCallWinProcCheckWow+0x109
02fbd6c0 766ca740 USER32!DispatchClientMessage+0xe0
02fbd700 77c6011a USER32!__fnINLPCREATESTRUCT+0x91
02fbd780 766ca8e8 ntdll_77c50000!KiUserCallbackDispatcher+0x2e
02fbda2c 766caa3c USER32!VerNtUserCreateWindowEx+0x1a9
02fbdae0 766c8a5c USER32!_CreateWindowEx+0x210
02fbdb1c 6b293892 USER32!CreateWindowExW+0x33
02fbdb5c 6b24ad22 IEFRAME!Detour_CreateWindowExW+0x6a
02fbdb9c 6b261adb IEFRAME!SHFusionCreateWindowEx+0x47
02fbdcec 6b2619f6 IEFRAME!CTabThumbnailHandler::_Initialize+0xc6
02fbdcfc 6b261118 IEFRAME!CTabThumbnailHandler::CreateInstance+0x3f
02fbdd2c 6b284a68 IEFRAME!CShellBrowser2::AfterWindowCreated+0x9c
02fbfe40 6b294f7a IEFRAME!CTabWindow::_TabWindowThreadProc+0x23c
02fbfef8 76215c2b IEFRAME!LCIETab_ThreadProc+0x2c1
02fbff08 774133ca iertutil!CIsoScope::RegisterThread+0xab
02fbff14 77c89ed2 KERNEL32!BaseThreadInitThunk+0xe
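The deadlock above, as an added worked example that is not from the original post: a small wait-for graph check in portable C that models what the debugger shows for each thread (locks held, lock waited on) and finds the cycle. Thread 1 is taken from the stack in the post (it holds the loader lock inside LdrLoadDll and waits on LogFileCSection in RtlEnterCriticalSection). Thread 2 is an assumption, not shown on the page: it holds LogFileCSection and waits on the loader lock, for example because a call made while logging triggered a DLL load. The lock constants, struct layout and function names are all hypothetical; the algorithm is the general one (follow waiter-to-owner edges until a thread repeats), so it also handles chains of more than two threads.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed lock/thread model for this example (hypothetical names). */
enum { LOCK_LOADER = 0, LOCK_LOGFILE = 1 };
#define MAX_THREADS 8
#define MAX_HELD 4

struct thread_state {
    int id;                 /* debugger thread number, for printing only */
    int held[MAX_HELD];     /* locks this thread currently owns */
    int held_count;
    int waiting_on;         /* lock this thread blocks on, or -1 if runnable */
};

/* Index of the thread owning `lock`, or -1 if nobody owns it. */
static int owner_of(const struct thread_state *t, int n, int lock)
{
    for (int i = 0; i < n; i++)
        for (int k = 0; k < t[i].held_count; k++)
            if (t[i].held[k] == lock)
                return i;
    return -1;
}

/* Follow waiter -> owner edges starting at thread index `start` (n <= MAX_THREADS).
   Returns the number of threads on a cycle reachable from `start` (0 if none)
   and copies their indices into `cycle`. */
int find_wait_cycle(const struct thread_state *t, int n, int start,
                    int *cycle, int cycle_cap)
{
    bool seen[MAX_THREADS] = { false };
    int path[MAX_THREADS];
    int len = 0;
    int cur = start;

    while (cur >= 0 && !seen[cur]) {
        seen[cur] = true;
        path[len++] = cur;
        if (t[cur].waiting_on < 0)
            return 0;                     /* chain ends in a runnable thread */
        cur = owner_of(t, n, t[cur].waiting_on);
    }
    if (cur < 0)
        return 0;                         /* waits on a free lock: contended, not deadlocked */

    /* `cur` repeated: the cycle is path[p..len) where path[p] == cur */
    int p = 0;
    while (path[p] != cur)
        p++;
    int count = 0;
    for (int i = p; i < len && count < cycle_cap; i++)
        cycle[count++] = path[i];
    return count;
}

/* Thread 1 as in the post's stack: LdrLoadDll holds the loader lock, the
   notification callback calls log_with_time and blocks on LogFileCSection.
   Thread 2 is ASSUMED: it entered LogFileCSection and then hit a DLL load,
   so it waits on the loader lock. */
int deadlock_scenario_cycle_length(void)
{
    struct thread_state t[2] = {
        { .id = 1, .held = { LOCK_LOADER },  .held_count = 1, .waiting_on = LOCK_LOGFILE },
        { .id = 2, .held = { LOCK_LOGFILE }, .held_count = 1, .waiting_on = LOCK_LOADER },
    };
    int cycle[MAX_THREADS];
    int n = find_wait_cycle(t, 2, 0, cycle, MAX_THREADS);
    for (int i = 0; i < n; i++)
        printf("thread %d holds lock %d, waits on lock %d\n",
               t[cycle[i]].id, t[cycle[i]].held[0], t[cycle[i]].waiting_on);
    return n;
}

/* Fixed scheme: the callback never enters LogFileCSection while the loader
   lock is held (it only queues the record), so thread 1 stays runnable and
   the wait-for graph has no cycle even though thread 2 still waits. */
int fixed_scenario_cycle_length(void)
{
    struct thread_state t[2] = {
        { .id = 1, .held = { LOCK_LOADER },  .held_count = 1, .waiting_on = -1 },
        { .id = 2, .held = { LOCK_LOGFILE }, .held_count = 1, .waiting_on = LOCK_LOADER },
    };
    int cycle[MAX_THREADS];
    return find_wait_cycle(t, 2, 1, cycle, MAX_THREADS);
}

int main(void)
{
    printf("deadlock scenario: %d threads in cycle\n", deadlock_scenario_cycle_length());
    printf("fixed scenario:    %d threads in cycle\n", fixed_scenario_cycle_length());
    return 0;
}
```

In WinDbg the same per-thread picture comes from `!cs -l` (or `!locks`) combined with `~*k`. The fix follows from the graph: the notification callback runs from inside LdrpLoadDll, i.e. under the loader lock, so it must not block on any lock that another thread may hold across a DLL load. Let the callback only push a record into an interlocked/lock-free buffer (or use TryEnterCriticalSection and drop the record on contention) and do the formatting and file I/O on a thread that is not holding the loader lock.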

Saturday, August 4, 2012

MsgHookLister

A very cool tool to show Windows hooks, with source code!
It seems that it uses dbghelp.dll to download win32k.pdb and extract the following symbols:
  • ValidateHwnd
  • gpresUser
  • UserGetAtomName - why not NtUserGetAtomName?
  • aatomSysLoaded
  • grpWinStaList
I already described how to get aatomSysLoaded. It seems that the hardest part is how to find grpWinStaList.