Symbols not detected

Hi all

I am a noob who is trying to learn how to debug the kernel. I am
trying to learn how to debug the minispy minifilter driver. My setup is through
VMware as the debuggee and my host as the client. I have built the driver in
the virtual machine and have started the service. In my host I have set the
sympath to look in the Microsoft servers and a folder is present on my
system to have also the copies on them whenever a symbol is loaded. When I
set the breakpoint at the DriverEntry I get

Module load completed but symbols could not be loaded for minispy.sys
Breakpoint 0’s offset expression evaluation failed.
Check for invalid symbols or bad syntax.
WaitForEvent failed
nt!wctomb+0x1c5:
80509bbf 5d pop ebp

I am running both server and client Windows XP. I have copied the pdb file
from the server onto the client in the sym search path but no success, or
maybe I need to set a certain folder structure?

Any help is appreciated.

Ahmed

What is the kd output of the following commands?

.sympath
!sym noisy
.reload /f minispy.sys

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ahmed Zaki
Sent: Saturday, October 18, 2008 8:17 PM
To: Kernel Debugging Interest List
Subject: [windbg] Symbols not detected

__________ Information from ESET NOD32 Antivirus, version of virus signature database 3535 (20081018) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

.sympath

Symbol search path is:
SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols

!sym noisy

noisy mode - symbol prompts on

.reload /f minispy.sys

SYMSRV: d:\DebugSymbols\minispy.pdb\4DC4EF7E3962419FB49450F12B64726A1\minispy.pdb not found

SYMSRV: http://msdl.microsoft.com/download/symbols/minispy.pdb/4DC4EF7E3962419FB49450F12B64726A1/minispy.pdb not found

DBGHELP: c:\winddk\6001.18000\src\filesys\minifilter\minispy\filter\objchk_wxp_x86\i386\minispy.pdb - file not found

*** ERROR: Module load completed but symbols could not be loaded for minispy.sys

DBGHELP: minispy - no symbols loaded

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jen-Lung Chiu
Sent: Sunday, October 19, 2008 4:41 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] Symbols not detected

What is the kd output of the following commands?

.sympath

!sym noisy

.reload /f minispy.sys


The easiest way to get symbols working, which is the very first thing you need to do - everything else is a complete waste of time
until you do - is to install the WDK & WinDbg on one machine, which you really should refer to as the ‘host’ in order to be
consistent with windbg terminology. Windbg’s terminology for this stuff is very confusing, but in order for all of us to know that
we are talking about the same thing, you should stick to it.

host - the machine that runs windbg
target - the machine that is being debugged.

and for our purposes:

build - the machine on which the wdk is installed and on which you build the driver

You definitely want to avoid the terms ‘client’ and ‘server,’ because they have specific windbg meanings, and also pretty much
everything that comes out of MSFT is expressed in terms of ‘client’ and ‘server.’ In the windbg context, a ‘client’ is part of a
remote debugging setup. It doesn’t sound like that’s what you mean, but if it is, my bad.

So, given those two definitions:

Does build == host?

If you set things up this way, everything should just ‘work,’ as long as you set .sympath to search the msft symbol server, which you
appear to do.

If not, given that you’re new to this, then you’re making your life more difficult than it needs to be, unless you have some other
reason. It appears that you are building on the target (build == target); you should never do that for kernel development, because
you will lose it all (source, etc.) if you trash the target, which happens in kernel work.

If you still wish to get this to work, the easiest way that I know of to accomplish this is to use ‘symstore’ to add the symbols
to your symbol store (‘d:\debugsymbols’). The command line would look something like this:

symstore add /s d:\debugsymbols /f c:\winddk\6001.18000\src\filesys\minifilter\minispy\filter\objchk_wxp_x86\i386 /r /p

- ‘/s’ specifies the root directory of the symbol store (d:\debugsymbols)

- ‘/f’ is the path of either the file to add to the symbol store or the folder whose contents should be
added. It’s easiest to just add the folder (as above) and let symstore sort out which files need to be added and which don’t.

- ‘/r’ tells symstore to process the directory specified with ‘/f’ recursively to include any appropriate files that are contained
in any subdirectories. In your case, it doesn’t matter (I think), but it doesn’t hurt to specify it (assuming you specified a
directory with ‘/f’), other than possibly increasing the size of the symbol server.

- ‘/p’ specifies the name of your product, which you must provide in place of ‘PRODUCT’ above. I have no idea of what the purpose
of this field is, so just make up something and use it consistently (though I don’t think that this matters either).

Good luck,

mm
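
The lookup recorded in the `!sym noisy` output earlier in the thread, as an added example (not code from the thread or from Microsoft): it expands the `SRV*store*server` symbol path into the indexed locations that were probed and shows that a PDB copied flat into the store root does not satisfy any of them. The function names are hypothetical; the symbol path and log lines are copied from the posted output.

```python
import re
from pathlib import PureWindowsPath

# Copied from the .sympath and "!sym noisy" output posted in this thread.
SYMPATH = r"SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols"
NOISY_LOG = r"""
SYMSRV: d:\DebugSymbols\minispy.pdb\4DC4EF7E3962419FB49450F12B64726A1\minispy.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/minispy.pdb/4DC4EF7E3962419FB49450F12B64726A1/minispy.pdb not found
DBGHELP: c:\winddk\6001.18000\src\filesys\minifilter\minispy\filter\objchk_wxp_x86\i386\minispy.pdb - file not found
"""

def parse_sympath(sympath):
    """Split a symbol path into ("srv", [stores]) and ("dir", [path]) elements."""
    elements = []
    for part in (p.strip() for p in sympath.split(";")):
        if not part:
            continue
        fields = part.split("*")
        head = fields[0].lower()
        if head == "srv":                      # SRV*store1*store2...
            elements.append(("srv", [f for f in fields[1:] if f]))
        elif head == "symsrv":                 # SYMSRV*symsrv.dll*store1*...
            elements.append(("srv", [f for f in fields[2:] if f]))
        else:
            elements.append(("dir", [part]))
    return elements

def pdb_index(log):
    """Return (pdb name, index) from the first SYMSRV probe; index = GUID + age."""
    m = re.search(r"SYMSRV:\s+\S*?[\\/]([^\\/\s]+\.pdb)[\\/]([0-9A-Fa-f]+)[\\/]\1", log)
    if not m:
        raise ValueError("no SYMSRV probe for a .pdb in the log")
    return m.group(1), m.group(2)

def store_locations(sympath, pdb_name, index):
    """Locations searched for this PDB, in order, for each symbol path element."""
    out = []
    for kind, stores in parse_sympath(sympath):
        for store in stores:
            if kind == "dir":                  # plain directory: no index level
                out.append(str(PureWindowsPath(store) / pdb_name))
            elif "://" in store:               # HTTP symbol server
                out.append("/".join([store.rstrip("/"), pdb_name, index, pdb_name]))
            else:                              # local or UNC symbol store
                out.append(str(PureWindowsPath(store) / pdb_name / index / pdb_name))
    return out

def diagnose(sympath, log, files_on_host):
    """Report which expected locations actually hold the PDB on the host."""
    name, index = pdb_index(log)
    wanted = store_locations(sympath, name, index)
    present = {f.lower() for f in files_on_host}
    probed = re.findall(r"^(?:SYMSRV|DBGHELP):\s+(\S+)", log, re.M)
    return {"pdb": name, "index": index, "wanted": wanted, "probed": probed,
            "found": [w for w in wanted if w.lower() in present]}

if __name__ == "__main__":
    flat_copy = {r"d:\DebugSymbols\minispy.pdb"}   # PDB copied into the store root
    print(diagnose(SYMPATH, NOISY_LOG, flat_copy))
```

The third probed path is the build-time location recorded in minispy.sys, which exists only on the machine that built the driver. In Microsoft's symstore documentation the product name is passed with `/t`, and `/p` stores a pointer to the file instead of a copy.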


>I have built the driver in the virtual machine
If you mean that your dev environment is in VM, that is not such a good idea
for a number of reasons.
There is no need to have any of the dev environment on the target, and in
fact windbg expects that all the debug information, like PDBs and source
tree are *not* on the target machine.

Also, you will eventually consume much more disk space than you want or need
on the VM. And you may have other VMs with other OSes that you want to test
with, so your dev environment should be on the host machine.


Thank you very much working fine now … I didn’t know that I had to have
WinDDK on my host …
Cheers

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Sunday, October 19, 2008 1:01 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] Symbols not detected
