Jump-start your project by learning from devs who
write Windows drivers and file systems every day.
Take an OSR seminar!

OSR is Hiring! Click here to find out more.

Go Back   OSR Online Lists > windbg
link Unwanted windbg break points
Welcome, Guest
You must login to post to this list
  Message 1 of 9  
16 Mar 10 13:51
John Wong
xxxxxx@twinpeaksoft.com
Join Date: 03 Mar 2010
Posts To This List: 4
Unwanted windbg break points
Greetings, I have set up Windbg with a com1 port to debug a file system driver on a Targeted System. When I start the Windbg from the host system, the Windbg keep dropping into the following break points. How do I get rid of these annoying break points? Thanks for your advice in advance, John W. Break instruction exception - code 80000003 (first chance) 001b:74c30190 cc int 3 kd> g Single step exception - code 80000004 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. ntdll!KiUserExceptionDispatcher+0x4: 001b:7c90e480 8b1c24 mov ebx,dword ptr [esp] kd> g Break instruction exception - code 80000003 (first chance) 001b:74c30194 cc int 3 kd> g
  Message 2 of 9  
16 Mar 10 13:57
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 444
List Moderator
Re: Unwanted windbg break points
What process does !process -1 0 show? This is generally indicative of software with some sort of anti-debug mechanism built in (various A/V products are notorious for this, especially during the installation process). Great for them and all, but a total PITA if you're just trying to debug your stuff with their stuff running -scott -- Scott Noone Consulting Associate OSR Open Systems Resources, Inc. http://www.osronline.com <xxxxx@TwinPeakSoft.com> wrote in message news:62181@windbg... > Greetings, > > I have set up Windbg with a com1 port to debug a file system driver on a > Targeted System. When I start the > Windbg from the host system, the Windbg keep dropping > into the following break points. How do I get rid of these > annoying break points? > Thanks for your advice in advance, > > John W. <...excess quoted lines suppressed...>
  Message 3 of 9  
16 Mar 10 14:00
windbg member 19758
xxxxxx@evitechnology.com
Join Date:
Posts To This List: 504
RE: Unwanted windbg break points
This looks like it might be some sort of anti-re mechanism. mm
  Message 4 of 9  
16 Mar 10 14:27
John Wong
xxxxxx@twinpeaksoft.com
Join Date: 03 Mar 2010
Posts To This List: 4
Re:Unwanted windbg break points
Hi scott, kd> !process -1 0 NT symbols are incorrect, please fix symbols I followed the instructions in Kernel Debugging Tutorial to set up the symbols. What does this 'NT symbols are incorrect' mean? John W. > What process does !process -1 0 show? > > This is generally indicative of software with some sort of anti-debug > mechanism built in (various A/V products are notorious for this, > especially > during the installation process). Great for them and all, but a total PITA > if you're just trying to debug your stuff with their stuff running > > -scott <...excess quoted lines suppressed...> John W. Twin Peaks Software Innovation for business continuity E-mail: xxxxx@TwinPeakSoft.com Tel: (510) 438-0536
  Message 5 of 9  
16 Mar 10 14:34
windbg member 19758
xxxxxx@evitechnology.com
Join Date:
Posts To This List: 504
RE: Unwanted windbg break points
It means that you haven't set up your symbols correctly, which is the first thing you need to do. .symopt+ 0x80000000 .sympath srv*c:\sym*http://msdl.microsoft.com/download/symbols .reload -f -n lml In the second line, you may replace 'c:\sym' with the fullpath of a folder which you would like to use to store your symbols. If the error message doesn't go away, please post the results of the 'lml' command, along with any other error messages that you might receive. Good luck, mm
  Message 6 of 9  
16 Mar 10 14:49
John Wong
xxxxxx@twinpeaksoft.com
Join Date: 03 Mar 2010
Posts To This List: 4
RE:Unwanted windbg break points
Hi mm, Thanks, your instructions works. The Tutorial doesn't mention '.symopt+ 0x80000000' and that seems to be the problem in set up the symbols. Here is the output of '!process -1 0' kd> !process -1 0 PROCESS 828e7b78 SessionId: 0 Cid: 0920 Peb: 7ffd5000 ParentCid: 073c DirBase: 1e1bd000 ObjectTable: e31385b8 HandleCount: 454. Image: Skype.exe Is skype the culprit? John W. > It means that you haven't set up your symbols correctly, which is the > first thing you need to do. > > .symopt+ 0x80000000 > .sympath srv*c:\sym*http://msdl.microsoft.com/download/symbols > .reload -f -n > lml > > In the second line, you may replace 'c:\sym' with the fullpath of a folder <...excess quoted lines suppressed...> John W. Twin Peaks Software Innovation for business continuity E-mail: xxxxx@TwinPeakSoft.com Tel: (510) 438-0536
  Message 7 of 9  
16 Mar 10 15:04
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 444
List Moderator
Re: RE:Unwanted windbg break points
"skype anti debugging" brings up lots of articles on the measures Skype goes through to prevent debugging/reverse engineering, so I'd say you have your culprit. -scott -- Scott Noone Consulting Associate OSR Open Systems Resources, Inc. http://www.osronline.com "John Wong" <xxxxx@TwinPeakSoft.com> wrote in message news:62187@windbg... > Hi mm, > > Thanks, your instructions works. > The Tutorial doesn't mention '.symopt+ 0x80000000' and > that seems to be the problem in set up the symbols. > > Here is the output of '!process -1 0' > kd> !process -1 0 > PROCESS 828e7b78 SessionId: 0 Cid: 0920 Peb: 7ffd5000 ParentCid: > 073c <...excess quoted lines suppressed...>
  Message 8 of 9  
16 Mar 10 15:13
John Wong
xxxxxx@twinpeaksoft.com
Join Date: 03 Mar 2010
Posts To This List: 4
Re:RE:Unwanted windbg break points
Hi scott, mm, I removed the skype from the targeted system and windbg does not drop into the unwanted break points. Thanks for your help. John W. > "skype anti debugging" brings up lots of articles on the measures Skype > goes > through to prevent debugging/reverse engineering, so I'd say you have your > culprit. > > -scott > > > -- > Scott Noone <...excess quoted lines suppressed...> John W. Twin Peaks Software Innovation for business continuity E-mail: xxxxx@TwinPeakSoft.com Tel: (510) 438-0536
  Message 9 of 9  
16 Mar 10 18:08
Pavel A
xxxxxx@fastmail.fm
Join Date: 21 Jul 2008
Posts To This List: 124
Re: Unwanted windbg break points
These breakpoints come from usermode, so you can ignore them using kdbgctrl -du ( not supported on XP though, only from win2003 ). --pa <xxxxx@TwinPeakSoft.com> wrote in message news:62181@windbg... > Greetings, > > I have set up Windbg with a com1 port to debug a file system driver on a > Targeted System. When I start the > Windbg from the host system, the Windbg keep dropping > into the following break points. How do I get rid of these > annoying break points? > Thanks for your advice in advance, > > John W. <...excess quoted lines suppressed...>
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the windbg list to be able to post.

All times are GMT -5. The time now is 05:13.

Contact Us - Osr Online Homepage - Top

Copyright ©2012, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license