Opening WinDbg with the saved workspace (default settings)
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -QY -WF "E:\OllyWindbg.WEW"
(-WF loads the workspace file; -QY suppresses the "Save Workspace?" prompt and saves automatically)


Basic items to check, by dump type

General:
 - Symbol servers (.symfix)
 - Internal database(s) search
 - Google or Microsoft search for suspected components, as this could be a known issue. Sometimes a simple search immediately points to the fix on a vendor's site
 - The tool used to save the dump (to flag false positive, incomplete or inconsistent dumps)
 - OS/SP version (version)
 - Language
 - Debug time
 - System uptime
 - Computer name (dS srv!srvcomputername or !envvar COMPUTERNAME)
 - List of loaded and unloaded modules (lmv or !dlls)
 - Hardware configuration (!sysinfo)
 - .kframes 1000

Application or service:
 - Default analysis (!analyze -v, or !analyze -v -hang for hangs)
 - Critical sections (!cs -s -l -o, !locks) for both crashes and hangs
 - Component timestamps, duplication and paths. DLL Hell? (lmv and !dlls)
 - Do any newer components exist?
 - Process threads (~*kv or !uniqstack) for multiple exceptions and blocking functions
 - Process uptime
 - Your components on the full raw stack of the problem thread
 - Your components on the full raw stack of the main application thread
 - Process size
 - Number of threads
 - Gflags value (!gflag)
 - Time consumed by threads (!runaway)
 - Environment (!peb)
 - Import table (!dh)
 - Hooked functions (!chkimg)
 - Exception handlers (!exchain)
 - Computer name (!envvar COMPUTERNAME)
 - Process heap stats and validation (!heap -s, !heap -s -v)
 - CLR threads? (mscorwks or clr modules on stack traces) Yes: use the .NET checklist below
 - Hidden (unhandled and handled) exceptions on thread raw stacks

System hang:
 - Default analysis (!analyze -v -hang)
 - ERESOURCE contention (!locks)
 - Processes and virtual memory including session space (!vm 4)
 - Important services are present and not hanging (for example, terminal or IMA services in Citrix environments)
 - Pools (!poolused)
 - Waiting threads (!stacks)
 - Critical system queues (!exqueue f)
 - I/O (!irpfind)
 - The list of all thread stack traces (!process 0 3f)
 - LPC/ALPC chain for suspected threads (!lpc message or !alpc /m, after searching for "Waiting for reply to LPC" or "Waiting for reply to ALPC" in !process 0 3f output)
 - Mutants (search for "Mutants - owning thread" in !process 0 3f output)
 - Critical sections for suspected processes (!cs -l -o -s)
 - Sessions, session processes (!session, !sprocess)
 - Processes (size, handle table size) (!process 0 0)
 - Running threads (!running)
 - Ready threads (!ready)
 - DPC queues (!dpcs)
 - The list of APCs (!apc)
 - Internal queued spinlocks (!qlocks)
 - Computer name (dS srv!srvcomputername)
 - File cache, VACB (!filecache)
 - File objects for blocked thread IRPs (!irp -> !fileobj)
 - Network (!ndiskd.miniports and !ndiskd.pktpools)
 - Disk (!scsikd.classext -> !scsikd.classext class_device 2)
 - Modules rdbss, mrxdav, mup, mrxsmb in stack traces


BSOD:
 - Default analysis (!analyze -v)
 - Pool address (!pool)
 - Component timestamps (lmv)
 - Processes and virtual memory (!vm 4)
 - Current threads on other processors
 - Raw stack
 - Bugcheck description (including ln on the exception address for corrupt or truncated dumps)
 - Bugcheck callback data (!bugdump for systems prior to Windows XP SP1)
 - Bugcheck secondary callback data (.enumtag)
 - Computer name (dS srv!srvcomputername)
 - Hardware configuration (!sysinfo)


.NET application or service:
 - CLR module and SOS extension versions (lmv and .chain)
 - Managed exceptions (~*e !pe)
 - Nested managed exceptions (!pe -nested)
 - Managed threads (!Threads -special)
 - Managed stack traces (~*e !CLRStack)
 - Managed execution residue (~*e !DumpStackObjects and !DumpRuntimeTypes)
 - Managed heap (!VerifyHeap, !DumpHeap -stat and !eeheap -gc)
 - GC handles (!GCHandles, !GCHandleLeaks)
 - Finalizer queue (!FinalizeQueue)
 - Sync blocks (!syncblk)
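The General and Application/service checklists above are a fixed sequence of debugger commands, so they can be run unattended against a dump with cdb.exe (the console version of WinDbg) and logged for review. The script below is an added example, not part of the original post or of the checklist's source book. It assumes the Windows 10 SDK debugger folder and a local symbol cache directory C:\symbols; the dump path is a placeholder. cdb's -z (dump file), -y (symbol path), -logo (overwrite log) and -c (initial command string, commands separated by ';') switches are the real ones; the selection of checklist commands and the triage regex are this example's own choices.

```powershell
# Added example: run the General + Application/service checklist against a
# user-mode dump non-interactively with cdb.exe and keep the transcript.
# Assumptions: SDK debugger path below, writable C:\symbols cache, -Hang
# chosen by the analyst for hang dumps. Not from the original post.
param(
    [Parameter(Mandatory)] [string] $DumpFile,
    [string] $Cdb = "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
    [string] $SymCache = "C:\symbols",
    [string] $LogFile = "$DumpFile.checklist.log",
    [switch] $Hang
)

if (-not (Test-Path $DumpFile)) { throw "dump not found: $DumpFile" }

# !analyze -v for crashes, !analyze -v -hang for hang dumps (checklist item 1).
$analyze = if ($Hang) { "!analyze -v -hang" } else { "!analyze -v" }

$commands = @(
    ".symfix $SymCache; .reload",   # symbol servers + local cache
    "version",                      # OS/SP, debugger build, dump details
    ".time",                        # debug time, process uptime, thread time
    "!envvar COMPUTERNAME",         # computer name (user-mode alternative to dS srv!srvcomputername)
    ".kframes 1000",                # deeper stack walks for ~*kv
    "lmv",                          # module timestamps and paths (DLL Hell check)
    "!peb",                         # environment, command line, loaded DLL list
    "!gflag",                       # gflags in effect for the process
    "!runaway 7",                   # user + kernel + elapsed time per thread
    $analyze,
    "!cs -s -l -o",                 # locked critical sections with owner stacks
    "!locks",                       # wait chains / deadlocks
    "!heap -s",                     # heap summary
    "~*kv",                         # every thread stack, for hidden exceptions
    "!uniqstack",                   # collapse duplicate stacks
    "!exchain",                     # SEH chain of the current thread (x86)
    "!chkimg -d ntdll",             # inline hooks in ntdll
    "q"                             # always quit so the run never blocks
)

# -c takes a single string; ';' separates debugger commands.
$script = $commands -join "; "

& $Cdb -z $DumpFile -y "srv*$SymCache*https://msdl.microsoft.com/download/symbols" `
       -logo $LogFile -c $script
if ($LASTEXITCODE -ne 0) { Write-Warning "cdb exited with code $LASTEXITCODE" }

# First-pass triage: the lines a report usually starts from.
Select-String -Path $LogFile -Pattern 'FAILURE_BUCKET_ID|PROCESS_NAME|EXCEPTION_CODE|Critical section|chkimg' |
    ForEach-Object { $_.Line }
```

Run it as `.\checklist.ps1 -DumpFile C:\dumps\app.dmp` (add `-Hang` for a hang dump). Commands that do not apply to a given dump (for example !exchain on x64) simply print an error and the sequence continues, which is why the list ends with q. For a .NET process, add `.loadby sos clr` (or `.loadby sos mscorwks` on CLR 2) and the .NET checklist commands to the array.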



!locks
 - finds wait chains and deadlock conditions among threads (critical sections in user mode, ERESOURCEs in kernel mode).

!analyze -v -hang
 - deadlock / hang investigation

!cs -l -o -s
 - lists all locked critical sections (-l: locked only, -o: owner thread stack, -s: initialization stack trace, where available).

Hidden exception (scan the raw stack for KiUserExceptionDispatcher, then switch to the saved context)
00000000`080dd7b8  00000000`77ef3202 ntdll!KiUserExceptionDispatcher+0x52
00000000`080dd7c0  00000000`0178070a
00000000`080dd7c8  00000000`080dd7c0 ; exception context
.cxr 00000000`080dd7c0
!heap -s [address]   heap memory summary / validity check (add -v to validate)

findstr example (which driver files contain a given string; /S recursive, /m file names only, /l literal match)
C:\Windows\system32>findstr /S /m /l hKFlt *.sys
drivers\KbdMagic.sys
DriverStore\FileRepository\KbdMagic.inf_c8736569\KbdMagic.sys


Check the first faulting memory address with the !pte command

 ex) !pte f7a9a413

ndiskd: !ndiskd.protocols
!stl   Standard Template Library helper (e.g. dump a std::string local)

0:000> dv /i /V
prv local   @ecx @ecx   this = 0x0012fbdc
prv local   0012fbf8 @ebp-0x2c   MyName = class std::basic_string<char,std::char_traits<char>,std::allocator<char> >
0:000> !stl MyName
[da 0x12fbfc]
0012fbfc "COMPANY__NAME"



.loadby sos mscorwks   - when analyzing .NET (CLR 2.0; on CLR 4 the runtime module is clr, so use .loadby sos clr)


32-bit stack view (WOW64 process in a 64-bit dump)
!wow64exts.info   (!wow64exts.sw switches between the 32-bit and 64-bit views)


Heap statistics check
!heap -s
Summary of the heap at address, with the associated allocation stack backtraces where available (-k; requires user-mode stack traces, gflags +ust)
!heap -s -k address


Switch to a specific thread by OS thread ID with ~~[tid]s
ex) ~~[000020d8]s

~Ne executes any command in the context of thread N (here thread 2)
ex) ~2e !teb


.imgscan
- searches memory for MZ/PE signatures to find hidden (unlisted) modules


Breaking at a driver's entry point
- sxe ld:<driver file name>   (breaks when the image is loaded, before DriverEntry runs; set bp <driver>!DriverEntry from there)


Check an IRP's filter-manager context (IRP_CTRL)
 !fltkd.irpctrl fffffa8016f64010

Stack reconstruction from saved register values
 k L=0012f934 0012f934 00469583 ; = BasePtr StackPtr InstructionPtr (EBP ESP EIP)
