Unwanted WinDbg breakpoints

Greetings,

I have set up WinDbg with a COM1 port to debug a file system driver on a target system. When I start WinDbg from the host system, WinDbg keeps dropping into the following breakpoints. How do I get rid of these annoying breakpoints?
Thanks for your advice in advance,

John W.

Break instruction exception - code 80000003 (first chance)
001b:74c30190 cc int 3
kd> g
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!KiUserExceptionDispatcher+0x4:
001b:7c90e480 8b1c24 mov ebx,dword ptr [esp]
kd> g
Break instruction exception - code 80000003 (first chance)
001b:74c30194 cc int 3
kd> g

What process does !process -1 0 show?

This is generally indicative of software with some sort of anti-debug mechanism built in (various A/V products are notorious for this, especially during the installation process). Great for them and all, but a total PITA if you're just trying to debug your stuff with their stuff running.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


This looks like it might be some sort of anti-RE mechanism.

mm

Hi Scott,

kd> !process -1 0
NT symbols are incorrect, please fix symbols

I followed the instructions in the Kernel Debugging Tutorial to set up the symbols. What does this 'NT symbols are incorrect' mean?

John W.


Twin Peaks Software
Innovation for business continuity
E-mail: xxxxx@TwinPeakSoft.com
Tel: (510) 438-0536

It means that you haven’t set up your symbols correctly, which is the first thing you need to do.

.symopt+ 0x80000000
.sympath srv*c:\sym*http://msdl.microsoft.com/download/symbols
.reload -f -n
lml

In the second line, you may replace 'c:\sym' with the full path of a folder which you would like to use to store your symbols.

If the error message doesn’t go away, please post the results of the ‘lml’ command, along with any other error messages that you might receive.

Good luck,

mm

Hi mm,

Thanks, your instructions work.
The Tutorial doesn't mention '.symopt+ 0x80000000', and that seems to have been the problem in setting up the symbols.

Here is the output of ‘!process -1 0’
kd> !process -1 0
PROCESS 828e7b78 SessionId: 0 Cid: 0920 Peb: 7ffd5000 ParentCid: 073c
DirBase: 1e1bd000 ObjectTable: e31385b8 HandleCount: 454.
Image: Skype.exe

Is Skype the culprit?

John W.


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


"skype anti debugging" brings up lots of articles on the measures Skype goes through to prevent debugging/reverse engineering, so I'd say you have your culprit.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


Hi Scott, mm,

I removed Skype from the target system and WinDbg does not drop into the unwanted breakpoints.
Thanks for your help.

John W.


These breakpoints come from user mode, so you can ignore them using kdbgctrl -du (not supported on XP though, only from Win2003).

–pa

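The exception-based debugger check that Scott's diagnosis and pa's kdbgctrl note both refer to, as an added example that is not code from this thread or from any vendor's product (Skype's actual checks are not shown here): the program deliberately executes a breakpoint trap inside its own handler scope. With no debugger the handler runs and the trap is "expected and handled", which is exactly what WinDbg's first-chance message says; a debugger that swallows the breakpoint exception keeps the handler from running, and that absence is the tell. On MSVC the probe is __debugbreak() (an int 3) under SEH. On POSIX, raise(SIGTRAP) and a sigaction handler stand in for int 3 and SEH; that mapping is an assumption of the example, not a Windows behaviour. The function name breakpoint_swallowed_by_debugger is the example's own.

```c
/*
 * Added example, not code from the thread or from any product it names.
 * Exception-based debugger detection: execute a breakpoint trap inside our
 * own handler scope and see whether the handler actually runs.
 *
 * MSVC:  __debugbreak() emits int 3 (STATUS_BREAKPOINT, 0x80000003) and SEH
 *        catches it.  A user-mode debugger that stops on the first-chance
 *        exception and continues with it marked handled keeps SEH from running.
 * POSIX: raise(SIGTRAP) stands in for int 3 and sigaction() stands in for SEH
 *        (an assumption of this example).  ptrace-based debuggers such as gdb
 *        intercept SIGTRAP and, by default, do not pass it to the program.
 */
#if !defined(_MSC_VER)
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by the handler when the trap reaches the program itself. */
static volatile sig_atomic_t g_trap_handled;

#if defined(_MSC_VER)
#include <windows.h>

/* Returns 1 if the breakpoint exception never reached our handler (a debugger
 * swallowed it), 0 if our handler consumed it (no debugger in the way). */
int breakpoint_swallowed_by_debugger(void)
{
    g_trap_handled = 0;
    __try {
        __debugbreak();              /* int 3 inside our own SEH scope */
    }
    __except (GetExceptionCode() == EXCEPTION_BREAKPOINT
              ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        g_trap_handled = 1;          /* "expected and handled" */
    }
    return g_trap_handled ? 0 : 1;
}

#else

static void on_sigtrap(int sig)
{
    (void)sig;
    g_trap_handled = 1;              /* the trap was delivered to us */
}

/* Same contract as the MSVC version; returns -1 if no handler could be
 * installed, so the probe is inconclusive rather than silently "clean". */
int breakpoint_swallowed_by_debugger(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    g_trap_handled = 0;
    raise(SIGTRAP);                  /* stands in for int 3 */

    sigaction(SIGTRAP, &old, NULL);  /* restore the previous disposition */
    return g_trap_handled ? 0 : 1;
}
#endif

int main(void)
{
    int r = breakpoint_swallowed_by_debugger();
    if (r < 0)
        puts("inconclusive: could not install a trap handler");
    else
        puts(r ? "breakpoint swallowed: a debugger is attached"
               : "breakpoint handled by the program: no debugger");
    return 0;
}
```

Run it plain and it reports no debugger; run it under gdb (default SIGTRAP disposition is stop/nopass) or a user-mode WinDbg that continues with `g` and it reports a debugger. On the target in the original post the picture is different: each such int 3 is reported to the kernel debugger first, which is the "Break instruction exception - code 80000003 (first chance)" break in the trace, and because kd's `g` hands the exception back to the process, ntdll!KiUserExceptionDispatcher runs afterwards and this probe would conclude that no debugger is present. pa's `kdbgctrl -du` stops the kernel debugger from being notified of user-mode exceptions at all, which is why it silences the breaks without changing what the process sees.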