1

Topic: WinDbg - how to debug in DLL

Hi all. I had to find the cause of a DLL crash. Known information: the address at which my module was loaded, and a call stack giving the specific address at which the crash happened. Available materials: the PE file (.dll), the .pdb corresponding to it, and ... Note that I have no dump file. On the Internet I came across advice to use a command like this:

WinDbg -z somebin.dll

I looked in the online help and did not quite follow:

-z DumpFile Specifies the name of a crash dump file to debug. If the path and file name contain spaces, this must be surrounded by quotation marks. It is possible to open several dump files at once by including multiple -z options, each followed by a different DumpFile value

Why do they use -z here, if the documentation explicitly says this option is meant for specifying the name of a dump file, rather than a PE file? Well, fine, I tried it and it worked (remarkably, I found no menu item in the GUI for debugging a DLL). WinDbg immediately reported:

ModLoad: 10000000 100f0000 somebin.dll

As I understand it, 10000000 is the address at which WinDbg itself loaded the module passed to it, right? If so, what does the second address mean? Next I looked at the address at which the DLL had been loaded by the host process at the moment of the crash. It turned out to be 0x6F760000. Then I looked at the address at which the crash happened and saw 0x6F7E9521.

0x6F7E9521 - 0x6F760000 = 0x89521

Thus I got the address within my module at which the crash happened, one that is not tied to the address the module was loaded at (am I right?). To get the name of the function at this address I used the following command:

ln 10000000 + 89521

i.e. to 10000000 (at which, as I assume, WinDbg loaded my module) I added the just-calculated 0x89521. I got output in the form of two functions:

main.cpp(379)+0x1c SomeProject!Foo::Bar+0x19 | (10089540) SomeProject!Foo::Baz

As far as I understand, the second of them is the symbol following the one found. The official documentation does not say this, but I found the following here:

'ln' will find the symbol, report its address, and in addition report the address and the name of the symbol that follows the specified one

So now I sit and analyze. The question: am I doing all this correctly? What bothers me is the absence of normal documentation (at least, debugger.chm, which the manuals mention, never turned up on my machine, and in the online docs, as you can see, a lot is simply missing).

2

Re: WinDbg - how to debug in DLL

Forgot to specify:

B> Known information: the address at which my module was loaded, and a call stack giving the specific address at which the crash happened.

The call stack I have contains only function addresses, not their names. Actually, mapping those addresses to names is exactly why I took up WinDbg.

3

Re: WinDbg - how to debug in DLL

Hello, b0r3d0m, you wrote:

B> Well, fine, I tried it and it worked (remarkably, I found no menu item in the GUI for debugging a DLL).

In the GUI: File -> Open Crash Dump (Ctrl-D)

B> ModLoad: 10000000 100f0000 somebin.dll
B> As I understand it, 10000000 is the address at which WinDbg itself loaded the module passed to it, right? If so, what does the second address mean?

The end of the address range at which the DLL is loaded.

B> To get the name of the function at this address I used the following command:
B> ln 10000000 + 89521

I would also try uf 10000000 + 89521

B> As far as I understand, the second of them is the symbol following the one found. The official documentation does not say this, but I found the following here:
B> 'ln' will find the symbol, report its address, and in addition report the address and the name of the symbol that follows the specified one

ln prints the symbol preceding and the symbol following the specified address, hence there are two of them.

B> So now I sit and analyze.
B> The question: am I doing all this correctly? What bothers me is the absence of normal documentation (at least, debugger.chm, which the manuals mention, never turned up on my machine, and in the online docs, as you can see, a lot is simply missing).

Everything is correct. From the information available, apart from the crash location in the code and a readable stack, there is probably nothing more to recover. The chm has always been in the directory with windbg.exe for me; I don't know how it could be missing.

4

Re: WinDbg - how to debug in DLL

B>> Well, fine, I tried it and it worked (remarkably, I found no menu item in the GUI for debugging a DLL).
zou> In the GUI: File -> Open Crash Dump (Ctrl-D)

That's faster, but the question is: why is it called "crash dump"? It isn't a crash dump at all, but a PE file under investigation.

B>> ModLoad: 10000000 100f0000 somebin.dll
B>> As I understand it, 10000000 is the address at which WinDbg itself loaded the module passed to it, right? If so, what does the second address mean?
zou> The end of the address range at which the DLL is loaded.

Clear, thanks.

B>> To get the name of the function at this address I used the following command:
B>> ln 10000000 + 89521
zou> I would also try uf 10000000 + 89521

Well, that too can help in localizing the spot, thanks.

B>> As far as I understand, the second of them is the symbol following the one found. The official documentation does not say this, but I found the following here:
B>> 'ln' will find the symbol, report its address, and in addition report the address and the name of the symbol that follows the specified one
zou> ln prints the symbol preceding and the symbol following the specified address, hence there are two of them.

And is there any practical sense in that?

zou> The chm has always been in the directory with windbg.exe for me; I don't know how it could be missing.

I probably downloaded WinDbg separately from the WDK, and that build indeed had no debugger.chm.

5

Re: WinDbg - how to debug in DLL

Hello, b0r3d0m, you wrote:

B> That's faster, but the question is: why is it called "crash dump"? It isn't a crash dump at all, but a PE file under investigation.

I don't know. In 99% of cases one loads a dump. It is probably hard to phrase briefly in the UI (without raising new questions) that, besides a dump, it is possible to load a dll or exe, that the exe will not be started, and in which cases that is useful. But basically I agree that it could be made more explicit.

zou>> ln prints the symbol preceding and the symbol following the specified address, hence there are two of them.
B> And is there any practical sense in that?

I'm not sure, but probably the general reasoning is that if there is some "approximate" address (possibly the result of an error in pointer calculation in the program), both the symbol before it and the one after it may be of interest at once.

6

Re: WinDbg - how to debug in DLL

Hello, b0r3d0m, you wrote:

B> I had to find the cause of a DLL crash.

For the future, I advise enabling generation of map files at build time. With them, all this dancing with windbg can be skipped: the function in which the crash happened is simply looked up in the map file.

7

Re: WinDbg - how to debug in DLL

B>> That's faster, but the question is: why is it called "crash dump"? It isn't a crash dump at all, but a PE file under investigation.
zou> I don't know. In 99% of cases one loads a dump. It is probably hard to phrase briefly in the UI (without raising new questions) that, besides a dump, it is possible to load a dll or exe, that the exe will not be started

"Open PE"? Well, fine, what's done is done.

8

Re: WinDbg - how to debug in DLL

L> For the future, I advise enabling generation of map files at build time. With them, all this dancing with windbg can be skipped: the function in which the crash happened is simply looked up in the map file.

It doesn't differ that much, really. And the chance of making a mistake is higher: the hexadecimal addresses have to be compared by eye, so the probability of error increases.