
How to setup kernel debug in Virtual Machine and redirect usermode debug sessions

Reposted from: http://blog.sina.com.cn/s/blog_65e729050100m7on.html

Debug redirection is mentioned in Windows Efficient Troubleshooting (Windows高效排錯), but the book does not describe it in detail. Today I happened to have the chance to configure it from scratch on a virtual machine, so I am recording the full details here as a supplement.
The article itself was written in English. Since the book is in Chinese, I had no choice but to translate my own text into Chinese. Damn, translating my own writing feels really awkward.

How to setup kernel debug in Virtual Machine and redirect usermode debug sessions


1. Run msconfig and enable kernel debugging in the guest OS. Windows Server 2008 is the target system in this walkthrough. Inside the VM, run msconfig, open the Boot tab, click Advanced options, tick Debug and set the debug port to COM1. This writes the same boot configuration that bcdedit /debug on together with bcdedit /dbgsettings serial debugport:1 would write.
2. In the virtual machine's settings on the host, redirect the guest's COM1 to a named pipe on the physical machine (this walkthrough uses \\.\pipe\newtoolpipe).
3. On the host, start kd against that pipe:
kd -k com:pipe,port=\\.\pipe\newtoolpipe,resets=0,reconnect
port names the host-side end of the pipe; resets=0 allows kd to send an unlimited number of reset packets while synchronising with the target (needed for Virtual PC and other hypervisors whose pipe drops excess bytes); reconnect makes kd re-open the pipe after a read/write error, which happens every time the VM is restarted.
4. Restart the virtual machine. kd on the host connects automatically while the guest boots, and kernel debugging can begin.
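The guest-side half of steps 1 to 4 as a script, added here as an example and not taken from the original post: it sets the same BCD values that msconfig's Boot > Advanced options > Debug checkbox writes, reads them back so you can check before rebooting, and turns debugging off again afterwards. The COM1 port comes from the post; the 115200 baud rate is an assumption (msconfig's default) and the function names are mine. Run it as administrator inside the VM; the host side remains the kd command from step 3.

```powershell
# Added example (not from the original post): bcdedit equivalent of the msconfig
# Debug settings from step 1. Run elevated inside the VM.

function Enable-SerialKernelDebug {
    param(
        [int]$ComPort  = 1,       # COM1, which the hypervisor redirects to the named pipe
        [int]$BaudRate = 115200   # assumption: msconfig's default baud rate
    )
    # Transport settings are global to the boot store, not per entry
    bcdedit /dbgsettings serial "debugport:$ComPort" "baudrate:$BaudRate" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /dbgsettings failed; is this prompt elevated?" }
    # Turn the debugger on for the entry that boots by default
    bcdedit /debug '{current}' on | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /debug failed" }
}

function Disable-SerialKernelDebug {
    # While this is on, whatever sits at the other end of the pipe can read and
    # write kernel memory at will, so switch it off when the session is over.
    bcdedit /debug '{current}' off | Out-Null
}

function Get-KernelDebugState {
    # Returns the 'debug' setting of the current boot entry and the transport
    # settings, e.g. Debug = Yes, Transport = 'debugtype Serial; debugport 1; baudrate 115200'
    $debug = 'No'   # bcdedit omits the line entirely when debugging is off
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*debug\s+(\S+)') { $debug = $Matches[1] }
    }
    $transport = (bcdedit /dbgsettings) | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() -replace '\s+', ' ' }
    [pscustomobject]@{
        Debug     = $debug
        Transport = ($transport -join '; ')
    }
}

Enable-SerialKernelDebug
Get-KernelDebugState
# Reboot the VM now; kd on the host attaches during boot.
# When finished: Disable-SerialKernelDebug
```

The setting takes effect at the next boot, which is why step 4 restarts the VM. Get-KernelDebugState is the check to run before that restart: if Debug still reads No, the earlier commands were not run elevated.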

Once the kernel debugger session is up, you can do the following.
1. When the kernel debugger first attaches, the target OS keeps running; it is not suspended. While the target is running the debugger ignores any input and shows no prompt at all.
2. To do any kernel debugging you must break in and stop the OS. In the kd console press Ctrl+C (or Ctrl+Break). If Ctrl+C ends up closing the kd console instead, simply rerun the same kd command to reconnect. Once kd has broken in, the prompt changes to kd> and you can enter kernel debugger commands; the target OS stays halted for as long as you remain at that prompt.
3. To resume execution, enter g. The target OS continues to run and the kd> prompt disappears.
4. To redirect a user-mode debugging session into the kernel debugger, run the user-mode debugger ntsd on the target with the -d switch. Note that ntsd.exe is only shipped in-box up to Windows XP/Server 2003; on Windows Vista/Server 2008 copy it from Debugging Tools for Windows (cdb -d behaves the same way). -d only makes sense with a kernel debugger attached, because the user-mode debugger's input and output are routed to it and there is nowhere else to control the session from. The following demo redirects a user-mode notepad debugging session into the kernel debugger.
5. In the VM, start notepad.exe, then run
ntsd -d -pn notepad.exe
to attach the user-mode debugger and redirect the session into the kernel debugger. As soon as you press Enter, both notepad.exe and the guest OS stop. The kernel debugger session on the host shows the user-mode debugger's output, and the prompt changes to a user-mode one such as 0:001> (the number is the current thread; attaching breaks in on the thread ntsd injects, so it is not necessarily 0). You can now enter user-mode debugger commands, switch threads and so on.
6. When the session is stopped in user mode, there are three ways to change state.
Option 1: g resumes both the user-mode application and the OS.
Option 2: .breakin switches from the user-mode debugger to the kernel debugger (the kd> prompt comes back). To return from the kernel debugger to the user-mode session, enter g.
Option 3: .sleep Milliseconds pauses the user-mode debugger for the given time and hands control to the kernel debugger for that long.
For a detailed explanation of these context switches, see the section "Controlling the User-Mode Debugger from the Kernel Debugger" in the WinDbg help file.
7. Here I enter g to let notepad run again and then close notepad. That raises the process exit debug event and the session breaks into user mode once more. Trying g at this point fails with "No runnable debuggees" because the notepad process is exiting. To let the OS run again you have to end the user-mode session with q.

The steps above show how to set up kernel debugging and redirect a user-mode session into it. The real question, though, is not how to do it but why you would want to debug a user-mode application from the kernel session.
1. Some user-mode applications cannot conveniently be examined with an ordinary user-mode debugger: Windows services, the WinLogon session, and other user-mode processes that start before the desktop/user session exists. Their problems occur before the Windows user interface is available, so there is nowhere to start a normal user-mode debugger from.
Besides redirecting into the kernel debugger, there is another approach for these cases:
How to debug Windows services
http://support.microsoft.com/kb/824344

2. For some core system processes, ordinary user-mode debugging can deadlock. The example is lsass.exe, the user-mode process that performs Windows authentication. Debugging itself depends on authentication: while a user-mode debugger holds lsass.exe suspended, any operation on the debugging side that needs the security subsystem has to wait for lsass.exe to answer, and it never will. In earlier versions of Windows, debug redirection was the only way around this. In current versions an ordinary user-mode debugger usually handles lsass.exe fine; if you do hit the deadlock, another good solution besides redirection is dbgsrv: run a process server on the target and attach from a debugger on a second machine (windbg -premote), so the debugger front end and its symbol lookups run where lsass.exe is not stopped:
Debugging LSASS ... oh what fun, it is to ride..
http://blogs.msdn.com/spatdsg/archive/2005/12/27/507265.aspx

3. If you need to watch kernel-mode and user-mode behaviour at the same time, combining them into one session is the most convenient way.
A few lessons from using this technique:
1. To redirect a process automatically instead of running ntsd each time, use the debugger auto-attach support of the Image File Execution Options key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Create a notepad.exe subkey with a string value named Debugger set to C:\debugger\ntsd.exe -d (the path is wherever you copied ntsd.exe). Every time notepad starts, ntsd starts in its place, attaches, and redirects the session into the kernel debugger. To skip the initial and final break-ins, add -g and -G. Remember that the Debugger value launches whatever it names, with the starting user's privileges, every time the image runs, so remove it when you are finished; a forgotten or planted IFEO Debugger entry is a well-known persistence trick.
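The IFEO setup above as a script, added here as an example and not from the original post: it sets the Debugger value for an image, removes it again, and lists every image that currently has one, so you can confirm your own entry and make sure nothing is left behind afterwards. The registry path and the ntsd.exe -d / -g / -G command line are the ones described above; C:\debugger\ntsd.exe is the post's path and the function names are mine. Run it elevated inside the VM.

```powershell
# Added example (not from the original post): manage and audit the IFEO
# 'Debugger' value used for automatic redirection. Run elevated inside the VM.

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-RedirectedDebugger {
    param(
        [Parameter(Mandatory)][string]$ImageName,      # e.g. notepad.exe (file name only)
        [string]$Ntsd = 'C:\debugger\ntsd.exe',         # path from the post; adjust to your copy
        [switch]$SkipInitialAndFinalBreak               # adds -g -G as described above
    )
    $cmd = "$Ntsd -d"
    if ($SkipInitialAndFinalBreak) { $cmd += ' -g -G' }
    $key = Join-Path $Ifeo $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_SZ 'Debugger': the loader prepends this string to the image's command
    # line, so the image is started under ntsd and the session goes to kd.
    Set-ItemProperty -Path $key -Name Debugger -Value $cmd -Type String
}

function Remove-RedirectedDebugger {
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $Ifeo $ImageName
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

function Get-IfeoDebuggers {
    # Every image that currently has a Debugger value. Use it to confirm your
    # entry, and to check that nothing is left behind once you are done.
    Get-ChildItem $Ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

Set-RedirectedDebugger -ImageName notepad.exe -SkipInitialAndFinalBreak
Get-IfeoDebuggers
# Start notepad in the VM now: ntsd attaches and kd on the host gets the user-mode prompt.
# When finished: Remove-RedirectedDebugger -ImageName notepad.exe
```

Get-IfeoDebuggers is worth running on any machine you are handing back after a debugging session: an entry you forgot looks exactly like one an attacker planted, and both run with the privileges of whoever launches the image.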
2. If working in the kernel session feels awkward for user-mode problems, you can always save a dump with .dump (for example .dump /ma C:\notepad.dmp) and analyse it afterwards in an ordinary user-mode debugger. Because the user-mode debugger is the ntsd running inside the VM, the path is a target-side path, so copy the file out of the guest afterwards.