WinDbg Debugging Commands (4): User Mode, Dump Files

Source: Internet
Author: User
Generating a dump file with WinDbg: when a program crashes, WinDbg can save the contents of the process's memory to a file for later debugging and analysis. The resulting file is called a dump file. Steps:

1) Open WinDbg and attach it to the crashed process (or start the program under WinDbg and reproduce the crash).

2) Enter the .dump command. Its options select how much the dump contains:

Option 1: .dump /m
Example: .dump /m c:\dumps\MyApp.dmp
Creates a standard minidump (the default). The file is small and easy to transfer, but it contains only system information, the loaded-module (DLL) list, process information, thread information and the thread stacks. Heap contents are not included.

Option 2: .dump /ma
Example: .dump /ma c:\dumps\MyApp.dmp
Creates a minidump with every optional addition: all committed memory, handle data, unloaded-module information and more. The file is large, but when conditions allow (local debugging, a LAN) this is the form to use, because it leaves nothing out.

Option 3: .dump /mfhuwd
Example: .dump /mfhuwd c:\dumps\MyApp.dmp
Creates a minidump that adds full memory data (f), handle data (h), unloaded-module information (u), committed private read/write pages (w) and the images' data segments (d). It carries nearly everything /ma does (only the basic memory-information stream and thread times are missing), so expect a size close to /ma rather than a small file; the option string is mainly useful as a template from which letters can be dropped.

A caveat before emailing a dump anywhere: a /ma dump, or any dump with the f or w letter, contains whatever the process had in memory at the time, including passwords, keys, session tokens and customer data. Treat dump files as sensitive: store them with restricted permissions and transfer them over an authenticated, encrypted channel rather than plain email. The default /m dump avoids most of that exposure, but it is also insufficient for a memory-corruption investigation like the one below, which has to read heap contents.
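Before shipping a dump, it helps to check what it actually contains. The C program below is an added example, not part of the original article or of the AWD sample: it parses the 32-byte minidump header (the MINIDUMP_HEADER layout from dbghelp.h: "MDMP" signature, version, stream count, stream-directory RVA, checksum, timestamp and the 64-bit MINIDUMP_TYPE flags) and reports which .dump /m letters the flags correspond to and whether the file carries process memory beyond the thread stacks. The header it parses is constructed in the program; the version value and stream count are placeholders, and on a real file you would read the first 32 bytes from disk instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MINIDUMP_HEADER (dbghelp.h), little-endian, 32 bytes:
 *   +0  Signature ("MDMP")   +4  Version        +8  NumberOfStreams
 *   +12 StreamDirectoryRva   +16 CheckSum       +20 TimeDateStamp
 *   +24 Flags (64-bit MINIDUMP_TYPE bitmask) */
#define MINIDUMP_SIGNATURE   0x504D444Du
#define MINIDUMP_HEADER_SIZE 32

/* MINIDUMP_TYPE bits (dbghelp.h) and the .dump /m letter that sets each one. */
#define MD_WITH_DATA_SEGS         0x0001u   /* /md */
#define MD_WITH_FULL_MEMORY       0x0002u   /* /mf */
#define MD_WITH_HANDLE_DATA       0x0004u   /* /mh */
#define MD_WITH_UNLOADED_MODULES  0x0020u   /* /mu */
#define MD_WITH_PRIVATE_RW_MEMORY 0x0200u   /* /mw */

struct minidump_info {
    uint32_t number_of_streams;
    uint32_t stream_directory_rva;
    uint64_t flags;
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the buffer is too short or is not a minidump. */
int parse_minidump_header(const uint8_t *buf, size_t len, struct minidump_info *out)
{
    if (len < MINIDUMP_HEADER_SIZE || rd32(buf) != MINIDUMP_SIGNATURE)
        return -1;
    out->number_of_streams    = rd32(buf + 8);
    out->stream_directory_rva = rd32(buf + 12);
    out->flags = (uint64_t)rd32(buf + 24) | (uint64_t)rd32(buf + 28) << 32;
    return 0;
}

/* A dump with full memory or private read/write pages holds heap contents:
 * passwords, keys and tokens that were live in the process. Treat it as
 * sensitive. A default /m dump (flags == 0) carries only the thread stacks. */
int minidump_contains_process_memory(uint64_t flags)
{
    return (flags & (MD_WITH_FULL_MEMORY | MD_WITH_PRIVATE_RW_MEMORY)) != 0;
}

/* Writes the .dump /m letters equivalent to the flag bits handled above. */
void minidump_flags_to_letters(uint64_t flags, char out[8])
{
    size_t n = 0;
    out[n++] = 'm';
    if (flags & MD_WITH_FULL_MEMORY)       out[n++] = 'f';
    if (flags & MD_WITH_HANDLE_DATA)       out[n++] = 'h';
    if (flags & MD_WITH_UNLOADED_MODULES)  out[n++] = 'u';
    if (flags & MD_WITH_PRIVATE_RW_MEMORY) out[n++] = 'w';
    if (flags & MD_WITH_DATA_SEGS)         out[n++] = 'd';
    out[n] = '\0';
}

static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample header (not taken from a real file): version and stream
 * count are placeholders; only the signature and flags matter here. */
void build_sample_header(uint8_t buf[MINIDUMP_HEADER_SIZE], uint64_t flags)
{
    memset(buf, 0, MINIDUMP_HEADER_SIZE);
    wr32(buf + 0,  MINIDUMP_SIGNATURE);
    wr32(buf + 4,  0x0000A793u);            /* MINIDUMP_VERSION in the low word */
    wr32(buf + 8,  5);                      /* placeholder stream count */
    wr32(buf + 12, MINIDUMP_HEADER_SIZE);   /* directory follows the header */
    wr32(buf + 24, (uint32_t)flags);
    wr32(buf + 28, (uint32_t)(flags >> 32));
}

int main(void)
{
    uint8_t buf[MINIDUMP_HEADER_SIZE];
    struct minidump_info info;
    char letters[8];

    build_sample_header(buf, MD_WITH_FULL_MEMORY | MD_WITH_HANDLE_DATA |
                             MD_WITH_UNLOADED_MODULES | MD_WITH_PRIVATE_RW_MEMORY |
                             MD_WITH_DATA_SEGS);
    if (parse_minidump_header(buf, sizeof buf, &info) != 0) {
        puts("not a minidump");
        return 1;
    }
    minidump_flags_to_letters(info.flags, letters);
    printf("flags 0x%llx -> .dump /%s, %u streams, process memory: %s\n",
           (unsigned long long)info.flags, letters, info.number_of_streams,
           minidump_contains_process_memory(info.flags) ? "yes" : "no");
    return 0;
}
```

For the constructed header the program reports .dump /mfhuwd with process memory present; a header whose flags are zero corresponds to the default .dump /m and reports no process memory. Only the five flag bits the article's options touch are decoded; other MINIDUMP_TYPE bits are ignored.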

How can dump files be generated automatically, for example on a user's machine that has no WinDbg installed? Windows XP and Windows Server 2003 ship a system tool for this: Dr. Watson.

Setting it up is simple:

Run, then enter drwtsn32 -i. This registers Dr. Watson as the system's default postmortem debugger, and a confirmation message is displayed.

To be honest, the command is hard to remember; think of Dr. Watson, Sherlock Holmes's companion.

From then on, when a program crashes, a dump is generated automatically. Run drwtsn32 (without -i) to open the Dr. Watson configuration window, which shows where the log and crash dump are written.

The .dmp file is found at the configured path, which by default is:
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

Dr. Watson was removed in Windows Vista. On later versions the same job is done by Windows Error Reporting's LocalDumps registry key (HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps), where DumpType selects a mini or full dump and DumpFolder the destination. Whichever tool writes them, crash dumps of a full-memory type contain the process's secrets, so restrict access to the folder they land in.

The following example is from AWD (Advanced Windows Debugging):

Code:

/*++
Copyright (c) Advanced Windows Debugging (ISBN 0321374460) from Addison-Wesley Professional. All rights reserved.

THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR
PURPOSE.
--*/
#include "stdafx.h"      // Visual Studio precompiled header
#include <windows.h>
#include <stdio.h>
#include <conio.h>

VOID SimulateMemoryCorruption();

class CAppInfo
{
public:
    CAppInfo(LPWSTR wszAppName, LPWSTR wszVersion)
    {
        m_wszAppName = wszAppName;
        m_wszVersion = wszVersion;
    }

    VOID PrintAppInfo()
    {
        wprintf(L"\nFull application Name: %s\n", m_wszAppName);
        wprintf(L"Version: %s\n", m_wszVersion);
    }

private:
    LPWSTR m_wszAppName;   // object offset +0x000
    LPWSTR m_wszVersion;   // object offset +0x004 in a 32-bit build
};

CAppInfo* g_AppInfo;

int __cdecl wmain(int argc, WCHAR* args[])
{
    wint_t iChar = 0;

    g_AppInfo = new CAppInfo(L"Memory Corruption Sample", L"1.0");
    if (!g_AppInfo)
    {
        return 1;
    }

    wprintf(L"Press: \n");
    wprintf(L"    1    To display application information\n");
    wprintf(L"    2    To simulated memory corruption\n");
    wprintf(L"    3    To exit\n\n\n>");

    while ((iChar = _getwche()) != '3')
    {
        switch (iChar)
        {
        case '1':
            g_AppInfo->PrintAppInfo();
            break;
        case '2':
            SimulateMemoryCorruption();
            wprintf(L"\nMemory Corruption completed\n");
            break;
        default:
            wprintf(L"\nInvalid option\n");
        }
        wprintf(L"\n\n> ");
    }

    return 0;
}

// Deliberately overwrites the first strlen("Corrupt") = 7 bytes of the
// CAppInfo object with ASCII text, clobbering both LPWSTR members.
VOID SimulateMemoryCorruption()
{
    char* pszWrite = "Corrupt";
    BYTE* p = (BYTE*) g_AppInfo;
    CopyMemory(p, pszWrite, strlen(pszWrite));
}

Build the Release configuration and run it. Press 1, then 2, then 1 again: the program crashes. Open the resulting dump in WinDbg (or attach to the crashed process) and list the loaded modules:

0:000> lm
start    end        module name
00400000 00406000   test1      (deferred)
62c20000 62c29000   LPK        (deferred)
73fa0000 7400b000   USP10      (deferred)
76300000 7631d000   IMM32      (deferred)
76d70000 76d92000   apphelp    (deferred)
77bd0000 77bd8000   VERSION    (deferred)
77d10000 77da0000   USER32     (deferred)
77da0000 77e49000   ADVAPI32   (deferred)
77e50000 77ee3000   RPCRT4     (deferred)
77ef0000 77f39000   GDI32      (deferred)
77fc0000 77fd1000   Secur32    (deferred)
78520000 785c3000   MSVCR90    (private pdb symbols)  c:\mysymbol\msvcr90.i386.pdb\3add2e755bc041bc9149bfbe7c33387c1\msvcr90.i386.pdb
7c800000 7c91e000   kernel32   (deferred)
7c920000 7c9b6000   ntdll      (pdb symbols)          c:\mysymbol\ntdll.pdb\cefc0863b1f84130a11e0f54180cd21a2\ntdll.pdb

Add the directory holding test1.pdb to the symbol path and force a reload. Afterwards lm shows the private symbols for test1 and the public symbols for the system DLLs resolved (the whitespace warning comes from a trailing space pasted with the path and is harmless here):

0:000> .sympath+ D:\project1\test1\release
Symbol search path is: C:\WINDOWS\symbols;SRV*c:\mysymbol*http://msdl.microsoft.com/download/symbols;D:\project1\test1\release 
WARNING: Whitespace at end of path element
0:000> .reload /f
..............
Loading unloaded module list
.........
0:000> lm
start    end        module name
00400000 00406000   test1      (private pdb symbols)  D:\project1\test1\release\test1.pdb
62c20000 62c29000   LPK        (pdb symbols)          c:\windows\symbols\dll\lpk.pdb
73fa0000 7400b000   USP10      (pdb symbols)          c:\mysymbol\usp10.pdb\d4ba2952809f469bb6d1d3af6b956e6b1\usp10.pdb
76300000 7631d000   IMM32      (pdb symbols)          c:\windows\symbols\dll\imm32.pdb
76d70000 76d92000   apphelp    (pdb symbols)          c:\windows\symbols\dll\apphelp.pdb
77bd0000 77bd8000   VERSION    (pdb symbols)          c:\windows\symbols\dll\version.pdb
77d10000 77da0000   USER32     (pdb symbols)          c:\windows\symbols\dll\user32.pdb
77da0000 77e49000   ADVAPI32   (pdb symbols)          c:\mysymbol\advapi32.pdb\f759d3f1c6614313b07c84bc33f02e4d2\advapi32.pdb
77e50000 77ee3000   RPCRT4     (pdb symbols)          c:\mysymbol\rpcrt4.pdb\1a450c67828242f28a8c70e3b9d5c4772\rpcrt4.pdb
77ef0000 77f39000   GDI32      (pdb symbols)          c:\mysymbol\gdi32.pdb\372c0f0e08fb456eab7b4cb2b53e27952\gdi32.pdb
77fc0000 77fd1000   Secur32    (pdb symbols)          c:\mysymbol\secur32.pdb\7867b3f28b5c41ce847895e3fc013dc52\secur32.pdb
78520000 785c3000   MSVCR90    (private pdb symbols)  c:\mysymbol\msvcr90.i386.pdb\3add2e755bc041bc9149bfbe7c33387c1\msvcr90.i386.pdb
7c800000 7c91e000   kernel32   (pdb symbols)          c:\mysymbol\kernel32.pdb\072ff0eb54d24dfaae9d13885486ee092\kernel32.pdb
7c920000 7c9b6000   ntdll      (pdb symbols)          c:\mysymbol\ntdll.pdb\cefc0863b1f84130a11e0f54180cd21a2\ntdll.pdb

Look at the call stack (kb also shows the first three arguments of each frame):

0:000> kb
ChildEBP RetAddr  Args to Child
0012ff20 78556215 785b73c8 004020f4 00000000 msvcr90!_woutput_l+0x94c [f:\dd\vctools\crt_bld\self_x86\crt\src\output.c @ 1624]
0012ff64 004010ba 004020f4 72726f43 00403380 msvcr90!wprintf+0x73 [f:\dd\vctools\crt_bld\self_x86\crt\src\wprintf.c @ 63]
0012ff7c 00401252 00000001 00392940 00392998 test1!wmain+0xba [d:\project1\test1\test1\test1.cpp @ 58]
0012ffc0 7c817077 00300031 0032002d 7ffdc000 test1!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 583]
0012fff0 00000000 0040139a 00000000 78746341 kernel32!BaseProcessStart+0x23

Line 58 of test1.cpp, as reported in the wmain frame, is the call g_AppInfo->PrintAppInfo(); the release build inlined PrintAppInfo, which is why wprintf appears to be called directly from wmain.

We suspect the two members of g_AppInfo: in the kb output the arguments of the wprintf frame are the format string (004020f4) followed by 72726f43, the value passed for m_wszAppName, and that value does not fall inside any loaded module listed by lm.

Find g_AppInfo and list its members:

0:000> x test1!*g_*
00403374 test1!g_AppInfo = 0x00395b10
004022f0 test1!__load_config_used = struct IMAGE_LOAD_CONFIG_DIRECTORY32_2
00402098 test1!__imp___amsg_exit = <no type information>
004014fa test1!_amsg_exit = <no type information>
0:000> dt CAppInfo 0x00395b10
test1!CAppInfo
   +0x000 m_wszAppName : 0x72726f43  "--- memory read error at address 0x72726f43 ---"
   +0x004 m_wszVersion : 0x00747075  "???"

Note: dt is given the type name CAppInfo so that it knows how to interpret the memory at that address.

Now look at where these two values point:

0:000> !address 0x72726f43
    62c29000 : 62c29000 - 11377000
                    Type     00000000
                    Protect  00000001 PAGE_NOACCESS
                    State    00010000 MEM_FREE
                    Usage    RegionUsageFree
0:000> !address 0x00747075
    005f0000 : 005f0000 - 001be000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD

The first pointer lands in free, inaccessible memory (MEM_FREE, PAGE_NOACCESS), so reading the string it supposedly points to faults; that is the crash. The second lands in a committed private region, but neither value resembles an address inside a loaded module. Dump the object's raw bytes to see what was written there:

0:000> dc 0x00395b10
00395b10  72726f43 00747075 00020201 000801c2  Corrupt.........
00395b20  6c75460a 7061206c 63696c70 6f697461  .Full applicatio
00395b30  614e206e 203a656d 64657465 4320790a  n Name: eted.y C
00395b40  7572726f 6f697470 6153206e 656c706d  orruption Sample
00395b50  0000000a 00000000 00000000 00000000  ................
00395b60  00000000 00000000 00000000 00000000  ................
00395b70  00000000 00000000 00000000 00000000  ................
00395b80  00000000 00000000 00000000 00000000  ................

The object's first bytes are the ASCII string "Corrupt": 43 6f 72 72 ("Corr"), which read as a little-endian DWORD is the bogus pointer 0x72726f43, followed by 75 70 74 ("upt"). The high byte of the second member survived as 00 because strlen("Corrupt") is 7, so only three bytes of m_wszVersion were overwritten. Checking the code confirms it: when 2 is pressed, SimulateMemoryCorruption copies "Corrupt" over the start of the g_AppInfo object, clobbering both pointer members, and the next press of 1 dereferences the garbage.
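To make the pattern concrete, here is an added example in portable C (not from the article or from AWD) that reproduces the 32-bit target's object layout with two 32-bit fields, performs the same seven-byte write, and then decodes the resulting values the way dc's ASCII column does. It also implements the triage check a practitioner applies to any suspicious pointer: if its bytes read as printable ASCII, a string almost certainly overwrote it. The original pointer values are constructed placeholders in the 0x0040xxxx image range; the exact addresses from the crash are not on the page, and the program assumes a little-endian (x86) host.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The CAppInfo object as the dump shows it on the 32-bit target: two
 * pointers at +0x000 and +0x004. uint32_t stands in for LPWSTR so the
 * layout is reproduced on any host. Assumes a little-endian host (x86). */
struct appinfo32 {
    uint32_t m_wszAppName;
    uint32_t m_wszVersion;
};

/* Constructed original pointer values (the real ones are not on the page);
 * what matters is that both lie in the 0x0040xxxx image range, so their
 * top byte is 0x00. */
#define SAMPLE_APPNAME_PTR 0x004020f4u
#define SAMPLE_VERSION_PTR 0x00402124u

/* Same write as SimulateMemoryCorruption: strlen("Corrupt") == 7 bytes,
 * no terminator, landing on the first two members of the object. */
void corrupt_appinfo(struct appinfo32 *obj)
{
    const char *pszWrite = "Corrupt";
    memcpy(obj, pszWrite, strlen(pszWrite));
}

/* Shows a DWORD as the four bytes it occupies in memory, lowest address
 * first, which is how dc's ASCII column reads it: 0x72726f43 -> "Corr". */
void dword_as_text(uint32_t v, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        out[i] = isprint(b) ? (char)b : '.';
    }
    out[4] = '\0';
}

/* Triage heuristic for a suspicious pointer: count printable ASCII bytes
 * from the low end and require everything above them to be zero. 4 means
 * a fully ASCII "pointer" (0x72726f43, "Corr"); 3 means three text bytes
 * under a surviving zero byte (0x00747075, "upt"); 0 means it does not
 * look like a string landed there (0x00395b10, a real heap address). */
int pointer_looks_like_text(uint32_t v)
{
    int printable = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (isprint(b)) {
            if (printable != i) return 0;   /* text above a zero byte: not a string tail */
            printable++;
        } else if (b != 0) {
            return 0;                        /* binary byte: an ordinary address */
        }
    }
    return printable;
}

int main(void)
{
    struct appinfo32 obj = { SAMPLE_APPNAME_PTR, SAMPLE_VERSION_PTR };
    char text[5];

    corrupt_appinfo(&obj);

    dword_as_text(obj.m_wszAppName, text);
    printf("+0x000 m_wszAppName : 0x%08x  \"%s\"  text-like bytes: %d\n",
           obj.m_wszAppName, text, pointer_looks_like_text(obj.m_wszAppName));
    dword_as_text(obj.m_wszVersion, text);
    printf("+0x004 m_wszVersion : 0x%08x  \"%s\"  text-like bytes: %d\n",
           obj.m_wszVersion, text, pointer_looks_like_text(obj.m_wszVersion));
    return 0;
}
```

After the write, the first field holds 0x72726f43 ("Corr") and the second 0x00747075 ("upt" under the original pointer's untouched top byte), exactly the values dt reported in the dump. The heuristic is only a hint: an address such as 0x41414141 is printable by accident, so confirm with dc as the article does.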

Some guiding suggestions and strategies:

1. Use dc to dump the memory at a suspicious pointer. dc shows the memory as DWORDs with an ASCII column; if a readable string shows up there, dump it properly with da (ASCII) or du (Unicode).

2. Use !address to collect information about an address: the type of memory (for example MEM_PRIVATE), its protection (read/write), its state (committed, reserved or free) and its usage (stack, heap, image or free).

3. Use dds to dump memory as DWORDs with symbols; any DWORD that matches a symbol is labelled, which helps tie the memory to a particular type or function.

4. Use dpp to dereference the pointer and dump the pointed-to memory as pointer-sized values, resolving any that match a symbol. If the memory holds a pointer to a C++ object, the object's vtable pointer resolves to the class's vftable symbol, identifying the type. This technique is very useful.

5. Use dpa and dpu to display the memory a pointer points to as ASCII and Unicode strings respectively.

6. If the value is small (a number like 4 rather than an address), it may be a handle instead of a pointer; use !handle to dump the handle's information.
