WinDBG techniques

Intro

This page collects some techniques related to WinDBG.

sxe command to break when a specific driver is loaded (before its DriverEntry runs)

0: kd> sxe ld:mpadsys
2: kd> kn
 # Child-SP          RetAddr           Call Site
00 ffffd480`94ac70e8 fffff803`2214ac75 nt!DebugService2+0x5
01 ffffd480`94ac70f0 fffff803`2214ac07 nt!DbgLoadImageSymbols+0x45
02 ffffd480`94ac7140 fffff803`22649d33 nt!DbgLoadImageSymbolsUnicode+0x2b
03 ffffd480`94ac7180 fffff803`2264967a nt!MiDriverLoadSucceeded+0x187
04 ffffd480`94ac7220 fffff803`226477a3 nt!MmLoadSystemImageEx+0x49e
05 ffffd480`94ac73c0 fffff803`22685c7b nt!IopLoadDriver+0x21b
06 ffffd480`94ac75a0 fffff803`22663dee nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
07 ffffd480`94ac7640 fffff803`22663803 nt!PnpCallDriverQueryServiceHelper+0xda
08 ffffd480`94ac76f0 fffff803`22662ecb nt!PipCallDriverAddDevice+0x3f7
09 ffffd480`94ac78a0 fffff803`226dd181 nt!PipProcessDevNodeTree+0x1af
0a ffffd480`94ac7960 fffff803`221700a8 nt!PiProcessStartSystemDevices+0x59
0b ffffd480`94ac79b0 fffff803`2207311a nt!PnpDeviceActionWorker+0x448
0c ffffd480`94ac7a70 fffff803`221376c5 nt!ExpWorkerThread+0x16a
0d ffffd480`94ac7b10 fffff803`221ce49c nt!PspSystemThreadStartup+0x55
0e ffffd480`94ac7b60 00000000`00000000 nt!KiStartSystemThread+0x1c
2: kd> bp mpadsys!driverentry
2: kd> bl *
     0 e Disable Clear  fffff803`3cbfa000     0001 (0001) mpadsys!DriverEntry

The sx* commands (sxe, sxd, sxn, sxi) control the action that the debugger takes when an exception occurs in the application that is being debugged, or when certain events occur. "sxe ld:module" breaks at the module-load event, which in the session above fires from nt!MmLoadSystemImageEx, i.e. after the image is mapped but before nt!IopLoadDriver calls DriverEntry.

Prevent a driver from loading with WinDBG

1. Set an unresolved breakpoint ("bu") on the driver's DriverEntry; it resolves as soon as the module is mapped.

2. When it is hit, step out ("gu") and overwrite the return status with a failure code such as STATUS_UNSUCCESSFUL (0xC0000001) or another error NTSTATUS before continuing, so nt!IopLoadDriver treats DriverEntry as failed and unloads the image instead of keeping the driver.

2: kd> kn
 # Child-SP          RetAddr           Call Site
00 ffff8686`b78b7390 fffff804`57adba45 mpadsys!GsDriverEntry+0x20 
01 ffff8686`b78b73c0 fffff804`57b19c7b nt!IopLoadDriver+0x4bd
02 ffff8686`b78b75a0 fffff804`57af7dee nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
03 ffff8686`b78b7640 fffff804`57af7803 nt!PnpCallDriverQueryServiceHelper+0xda
04 ffff8686`b78b76f0 fffff804`57af6ecb nt!PipCallDriverAddDevice+0x3f7
05 ffff8686`b78b78a0 fffff804`57b71181 nt!PipProcessDevNodeTree+0x1af
06 ffff8686`b78b7960 fffff804`576040a8 nt!PiProcessStartSystemDevices+0x59
07 ffff8686`b78b79b0 fffff804`5750711a nt!PnpDeviceActionWorker+0x448
08 ffff8686`b78b7a70 fffff804`575cb6c5 nt!ExpWorkerThread+0x16a
09 ffff8686`b78b7b10 fffff804`5766249c nt!PspSystemThreadStartup+0x55
0a ffff8686`b78b7b60 00000000`00000000 nt!KiStartSystemThread+0x1c
2: kd> gu
nt!IopLoadDriver+0x4bd:
fffff804`57adba45 8bf8            mov     edi,eax
2: kd> r $retreg 
$retreg=0000000000000000
2: kd> r @rax=0xc0000001
2: kd> r $retreg64
$retreg64=ffffffffc0000001
2: kd> r $retreg
$retreg=ffffffffc0000001
2: kd> g

3. $retreg is a pseudo-register for the primary return-value register (rax on x64), which is why writing @rax changes it; $retreg64 is its 64-bit form.
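The three steps above as a single WinDbg script, added here as an example that is not part of the original post. It assumes the module name mpadsys from the session above and a script file path of your choosing, and it goes one step beyond the manual session: instead of letting DriverEntry run and patching the result after gu, the breakpoint command returns to the caller immediately, so the driver's initialization code never executes.

```windbg
$$ Added example, not from the original post. Load with: $$< C:\scripts\block-mpadsys.txt (path assumed)
$$ Module name mpadsys is taken from the session above. Substitute the driver under test.

$$ Deferred breakpoint on the entry routine. It resolves when the image is mapped,
$$ before nt!IopLoadDriver transfers control to it.
$$ The quoted command list runs on every hit. On x64 the return address sits at
$$ [rsp] at function entry, so "return" without executing the body:
$$   1. rip  <- return address popped from the stack
$$   2. rsp  <- rsp + 8 (discard the return address)
$$   3. rax  <- STATUS_UNSUCCESSFUL (0xC0000001), the value the manual session wrote after gu
$$   4. g    <- resume, nt!IopLoadDriver sees a failed DriverEntry and unloads the image
bu mpadsys!DriverEntry "r @rip = poi(@rsp); r @rsp = @rsp + 8; r @rax = 0xC0000001; .echo mpadsys!DriverEntry skipped, returning STATUS_UNSUCCESSFUL; g"

$$ Verify the breakpoint is registered (shown as unresolved until the module loads)
bl
```

Because the breakpoint is unresolved it survives reboots of the target for the lifetime of the debugger session, so the same script blocks the driver on every subsequent load attempt until the breakpoint is cleared with bc.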

Debugger commands (dt, ??) that make my life easier

Doron Holan [MSFT]'s blog: Debugger commands (dt, ??) that make my life easier.
