I simply want to dump memory and/or disassemble code from win32k.sys. I am kernel debugging with Windbg and VMWare with WinXp and Vista. Under Vista everything works fine, but under XP I have a strange problem:
I delete all local symbols for “win32k.sys / win32k.pdb”. Then
0: kd> !sym noisy
noisy mode - symbol prompts on
0: kd> .reload win32k.sys
0: kd> lm
start end module name
804d7000 80700000 nt (pdb symbols) d:\localsymbols\ntkrnlmp.pdb\C76896EACEB5438798AF82B4E5860F382\ntkrnlmp.pdb
bf800000 bf9c3000 win32k (deferred)
0: kd> u bf800000
SYMSRV: win32k.sys from http://msdl.microsoft.com/download/symbols: 925259 bytes - copied
DBGHELP: d:\localsymbols\win32k.sys\49E875721c3000\win32k.sys - OK
DBGENG: Partial symbol load found image d:\localsymbols\win32k.sys\49E875721c3000\win32k.sys.
SYMSRV: win32k.pdb from http://msdl.microsoft.com/download/symbols: 1172175 bytes - copied
DBGHELP: win32k - public symbols
d:\localsymbols\win32k.pdb\7B63B0820AB6420F929213DA2D175B9E2\win32k.pdb
win32k!CheckPwndFilter (win32k+0x0):
bf800000 ?? ???
^ Memory access error in 'u bf800000'
After that the win32k.sys is marked with a “#” at the “lm” command, which means that the symbols are not matching the binary.
(1) Why can’t the correct symbols be retrieved? (2) Why can’t the memory of win32k.sys simply be dumped (without using symbols)? I have dd’ed the whole win32k range, so this is not a problem of a discarded PE header or similar …
When looking at session space you need to switch to a process from the appropriate session. If you just want to disassemble win32k code, any interactive process will do (e.g. explorer.exe):
!process 0 0 explorer.exe
.process /P
– Pavel Lebedinsky/Windows Kernel Test This posting is provided “AS IS” with no warranties, and confers no rights.
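The full sequence a practitioner would run on the XP target, combining the process switch above with a forced symbol reload, as an added example (not Pavel's own commands); `<EPROCESS>` is a placeholder for the PROCESS address that `!process` prints:

```windbg
$$ Added example: reading win32k.sys (session space on XP) from a process in that session.
$$ <EPROCESS> is a placeholder; substitute the PROCESS address shown by !process.
!process 0 0 explorer.exe
$$ Switch the debugger's virtual address context to that process (/r reloads its user-mode symbols).
.process /p /r <EPROCESS>
$$ Force an immediate load instead of the deferred default, so the image header at bf800000 is read now.
.reload /f win32k.sys
$$ Check: no '#' in front of win32k and no "Cannot read Image header" from !lmi.
lm m win32k
!lmi win32k
$$ Memory and code reads now resolve instead of returning ???.
dd bf800000
u win32k
```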
Tried .reload win32k.sys /f? Without the /f command it will default to deferred load; /f will force the symbols to be loaded immediately.
On Wed, Sep 9, 2009 at 2:04 PM, wrote:
> Hi,
>
> I simply want to dump memory and/or disassemble code from win32k.sys. I am
> kernel debugging with Windbg and VMWare with WinXp and Vista. Under Vista
> everything works fine, but under XP I have a strange problem:
>
> I delete all local symbols for "win32k.sys / win32k.pdb". Then
>
> 0: kd> !sym noisy
> noisy mode - symbol prompts on
> 0: kd> .reload win32k.sys
> 0: kd> lm
> start end module name
> 804d7000 80700000 nt (pdb symbols)
> d:\localsymbols\ntkrnlmp.pdb\C76896EACEB5438798AF82B4E5860F382\ntkrnlmp.pdb
> bf800000 bf9c3000 win32k (deferred)
>
> 0: kd> u bf800000
> SYMSRV: win32k.sys from http://msdl.microsoft.com/download/symbols:
> 925259 bytes - copied
> DBGHELP: d:\localsymbols\win32k.sys\49E875721c3000\win32k.sys - OK
> DBGENG: Partial symbol load found image
> d:\localsymbols\win32k.sys\49E875721c3000\win32k.sys.
> SYMSRV: win32k.pdb from http://msdl.microsoft.com/download/symbols:
> 1172175 bytes - copied
> DBGHELP: win32k - public symbols
> d:\localsymbols\win32k.pdb\7B63B0820AB6420F929213DA2D175B9E2\win32k.pdb
> win32k!CheckPwndFilter (win32k+0x0):
> bf800000 ?? ???
> ^ Memory access error in 'u bf800000'
>
> After that the win32k.sys is marked with a "#" at the "lm" command, which
> means that the symbols are not matching the binary.
>
> 0: kd> !lmi win32k
> Loaded Module Info: [win32k]
> Cannot read Image header @ bf800000
> Load Report: public symbols , not source indexed
> d:\localsymbols\win32k.pdb\7B63B0820AB6420F929213DA2D175B9E2\win32k.pdb
> 0: kd> dd bf800000
> bf800000 ??? ??? ??? ???
> bf800010 ??? ??? ??? ???
>
> What I don't understand:
>
> (1) Why can't the correct symbols be retrieved?
> (2) Why can't the memory of win32k.sys simply be dumped (without using
> symbols)? I have dd'ed the whole win32k range, so this is not a problem of a
> discarded PE header or similar ...
>
> Can someone help me with that problem?
>
> Thanks a lot
> Carsten