What is debugging?
Debugging is the process of finding and removing bugs from programs or designs. In another sense, it means using tools to identify the possible causes of system failures or program errors.
Some basic terms
Call Stack
A basic mechanism used to record a program's function calls, including the input parameters and data structures involved.
Exception
An error caused by the execution of a special machine instruction. It can be caused by hardware or software.
I/O Request Packet (IRP)
A data structure that represents an I/O request and controls how the I/O request is executed.
Interrupt
The execution of normal instructions is interrupted, and control is transferred to the interrupt handler.
Interrupt request level (IRQL)
The priority of an interrupt. If an interrupt's priority is higher than the processor's current IRQL, it is processed first. If its priority is lower, it is blocked and the current execution is not affected.
Kernel Mode
The processor access mode for privileged programs and the operating system. In this mode, a process has the right to access any part of the operating system and is not restricted the way a user-mode process is. That is to say, all kernel-mode processes share the same address space.
Nonpaged pool
The part of system memory that cannot be paged out to disk.
Paged pool
In contrast to the nonpaged pool, this is the part of system memory that can be paged out to disk. It refers not only to memory that has already been paged out to disk, but also to any memory that can be.
Paging
The operation in which the Memory Manager transfers memory pages from physical memory to virtual memory on disk. A page fault occurs when a thread cannot find a page.
Process
A process is a container for a set of resources that are used by the threads executing the program. Programs and processes look very similar, but they are fundamentally different: a program is a static sequence of instructions, while a process is a resource container.
Register
Ultra-fast memory used directly by the CPU.
Thread
A thread is an entity used for execution in a process.
User Mode
The processor access mode used by applications. In this mode, processes run on the CPU within their own virtual address spaces. They cannot directly access many parts of the system, including system hardware, memory not allocated to them, and some sensitive areas where access could compromise system integrity. Because processes in this mode are isolated from other user-mode processes, they cannot access these resources.
Attach
The action of connecting a debugger to a running program.
Blue Screen
When a Windows operating system encounters hardware problems, inconsistency in key data, or other serious errors, the operating system automatically halts and an error message is displayed on a blue screen.
The most important piece of information on the blue screen is the message code, also known as the bug check code.
Breakpoint
A point that you specify in the debugger at which program execution stops.
Crash Dump File
When a serious error occurs, you can specify that the operating system writes information to a crash dump file on the hard disk. This file contains information that a debugger can use to analyze the error.
Debug session
The actual process of using a software debugger to analyze a software component that crashes on a computer is called a debug session. A debug session can also be used to analyze a saved dump file.
Disassembly/assembly code
Disassembly and assembly code. A microprocessor can only recognize the set of instructions designed for it. When a program is compiled, the compiler translates it into a series of instructions that the underlying hardware understands. Replacing those binary instructions with human-readable mnemonics yields the assembly code. This process is called disassembly.
Host Machine
The machine that runs the debugging session is called the host machine.
Local debugging
When the debugger and the program being debugged are deployed on one machine, the debugging session is called local debugging.
Remote debugging
The debugger is on the host machine, and the program to be debugged is on the target machine.
Symbol files
Files created at compilation and used by the debugger. They contain the mapping between the source code and all of its identifiers (variables, function names).
Target Application
That is, the debuggee: the program being debugged.
Target machine
See the explanation under Remote debugging above: the machine on which the program to be debugged runs.
Types of Debugger
CDB --- Microsoft Console Debugger
NTSD --- Microsoft NT Symbolic Debugger
KD --- Microsoft Kernel Debugger
WinDbg --- Microsoft Windows Debugger