How to break into WinDbg when ntdll.dll is mapped in a new process

I want to use the following command to break into WinDbg when ntdll.dll is mapped into a new process, before any ntdll process-initialization code has run.

sxe ld ntdll.dll; g

However, this does not work at all:

 ModLoad: 7c900000 7c9b0000   ntdll.dll
 eax=010043af ebx=7ffde000 ecx=020f18f5 edx=00000034 esi=00c2f720 edi=00c2f6f2
 eip=7c810867 esp=0006fffc ebp=00000720 iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000200
 7c810867 ??              ???
 Processing initial command 'sxe ld ntdll.dll ;g'
 0:000> sxe ld ntdll.dll ;g
 (ae8.6f4): Break instruction exception - code 80000003 (first chance)
 eax=00181eb4 ebx=7ffde000 ecx=00000001 edx=00000002 esi=00181f48 edi=00181eb4
 eip=7c901230 esp=0006fb20 ebp=0006fc94 iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
 ntdll!DbgBreakPoint:
 7c901230 cc              int     3

So, how do I break into WinDbg when ntdll.dll is mapped into a new process? Thanks.

[UPDATE]

I followed the steps mentioned by jcopenha exactly, but I don't know why WinDbg gives a weird error (Memory access error) when run on Notepad.exe.

Please give me a hand! Thank you very much!

 0:000> .restart /f
 CommandLine: C:\WINDOWS\NOTEPAD.EXE
 Symbol search path is: D:\Symbols\Symbols;SRV*D:\Symbols\MySymbols*http://msdl.microsoft.com/download/symbols
 Executable search path is:
 ModLoad: 01000000 01014000   notepad.exe
 eax=0100739d ebx=7ffd9000 ecx=020f18f5 edx=0000004e esi=00f7f73a edi=00f7f6f2
 eip=7c810867 esp=0007fffc ebp=0000024c iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000200
 7c810867 ??              ???
 0:000> u 7c810867
 7c810867 ??              ???
          ^ Memory access error in 'u 7c810867'

[UPDATE2] I found the odd instruction shown at 7c810867, but the p command still works.

Is this a bug in WinDBG?


+4
3 answers

If you go to Debug -> Event Filters and change "Create process" to "Enabled", then restart the application, it will break before ntdll.dll appears in the module list. If you then run sxe ld ntdll.dll;g, it will stop at ntdll!RtlUserThreadStart.

 0:000> .restart /f
 CommandLine: C:\Windows\System32\notepad.exe
 Symbol search path is: SRV*d:\symbols*http://msdl.microsoft.com/download/symbols
 Executable search path is:
 ModLoad: 00000000`ffe00000 00000000`ffe35000   notepad.exe
 00000000`7790c500 4883ec48        sub     rsp,48h
 0:000> sxe ld ntdll.dll;g
 ModLoad: 00000000`778e0000 00000000`77a89000   ntdll.dll
 ntdll!RtlUserThreadStart:
 00000000`7790c500 4883ec48        sub     rsp,48h
+5

Regarding loading ntdll, I recommend reading this. You can break into the process before any code runs:

 windbg -xe cpr notepad 

or

 windbg -xe ld:ntdll notepad 

ntdll will already be mapped into the process at this point; you cannot break before that happens.

As for the memory access error, kernel32 is not yet loaded into the process. The initial thread is queued to run at kernel32!BaseProcessStartThunk, but since kernel32 is not yet loaded into the address space, you will not see anything at that address.

The reason the start address of a thread can be in unmapped memory is that, before the thread starts executing, the very first thing that happens is a user-mode APC, which runs in the context of that initial thread and takes care of all process initialization, including loading kernel32. You can see this if you set a similar event, for example:

 sxe ld kernel32 

You will need to load symbols to get the names of the internal functions in the stack trace.

In addition to the first link, you can learn more about process initialization here. Hope this helps.

+2
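The sequence described in the two answers above (break at the create-process event, then at the ntdll load event, then at the kernel32 load event inside the initialization APC) can be scripted end to end with cdb.exe, the console front end of WinDbg. This is an added example, not code from either answer; it assumes cdb.exe from the Debugging Tools for Windows is on PATH, that the Microsoft public symbol server is reachable, and that notepad.exe is the target (change $Cdb and $Target if not).

```powershell
# Added example: drive cdb.exe through the three stops the answers describe.
# Assumptions: cdb.exe is on PATH, symbols are reachable, target is notepad.exe.
$Cdb    = 'cdb.exe'
$Target = "$env:SystemRoot\System32\notepad.exe"

# Commands run in order, starting at the create-process event that -xe cpr enables.
$Commands = @(
    '.symfix',                   # use the Microsoft public symbol server
    '.echo --- stop 1: create-process event, ntdll not yet in the module list ---',
    'lm m ntdll',                # prints nothing here: ntdll is mapped but not yet listed
    'r @$ip',                    # start address points into not-yet-loaded kernel32
    '!address @$ip',             # shows why "u" fails: that page is not mapped yet
    'sxe ld ntdll; g',           # stop 2: ntdll module-load event
    '.echo --- stop 2: ntdll load event ---',
    'lm m ntdll',
    'k',                         # e.g. ntdll!RtlUserThreadStart on x64
    'sxe ld kernel32; g',        # stop 3: kernel32 load, inside the init APC
    '.echo --- stop 3: kernel32 load event, inside the initialization APC ---',
    'k',                         # loader frames (LdrInitializeThunk and below) with symbols
    'q'
) -join '; '

# -xe cpr: break on the create-process event; -c: initial command string.
& $Cdb -xe cpr -c $Commands $Target
```

Each .echo line marks one of the stops, so the output can be read against the answers: at stop 1 the instruction pointer is in unmapped memory, which is exactly the "Memory access error" from the question's second update; at stop 3 the stack walk shows the APC-driven initialization that loads kernel32.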

As far as I remember, ntdll is not mapped in user mode. If it were mapped in user mode, what module would map the module that maps ntdll? ntdll contains a set of stubs for system calls to enter the kernel, and also contains several other things, such as the COFF loader, which is part of process initialization. It is a slightly magic DLL and it cannot be relocated, so it is always located at the same virtual address in every process.

If you want to break before ntdll is mapped, I'm afraid you will have to use a kernel debugger.

May I ask what you are trying to achieve by breaking before ntdll is mapped?

-1