How to use WinDbg to analyze a crash dump for a VC++ application?

How to use WinDbg to analyze a dump file?

+32
c++ visual-c++ windbg crash-dumps
Apr 09 '09 at 13:38
4 answers

Here are some general steps to help you:

First, you must change the settings of your compiler so that it creates PDB files, even for release builds. Later versions of the Visual C++ compiler do this by default, but in many versions of Visual C++ you have to do it yourself. Create the program database files, then save an archive of these files along with each build of your application. It is very important that each build of your application has its own set of PDBs. You cannot just reuse the ones you made with build 10, for example, to examine dumps generated by build 15. You will have a ton of PDBs over the life of your project, so be prepared for this.

Then you will need to determine the exact version of your application that generated the dump file. If you create your own MiniDumps (for example, by calling MiniDumpWriteDump()), perhaps the easiest way to do this is simply to make the full version number of your application part of the MiniDump's filename. To do this, you will need a reasonable version numbering scheme. In my shop, we increment the build number on all branches each time the build machine creates a build.

Now that you have received the dump file from the client, you know the exact version of the application that created the dump, and you have found the PDB files for this build.

Now you need to go through the version control history and find the source code for this exact version of the software. The best way to do this is to apply "tags" to your branches every time you build. Set the tag value to the exact version number, and it is easy to find in the history.

You are almost ready to run WinDbg / Visual C++:

  • Get the complete source tree for this version of your application. Put it in a separate place on your hard drive, say c:\app_build_1.0.100 for application version 1.0 build #100.
  • Get the binaries for this exact version of your application and put them somewhere on your hard drive. The easiest way is simply to install this version of the application to get the binary files.
  • Place the PDB files in the same place as the binaries from step 2.

You now have two options for viewing the dump file. You can use Visual Studio or WinDbg. Using Visual Studio is simpler, but WinDbg is much more powerful. In most cases, the functionality in Visual Studio will be sufficient.

To use Visual Studio, all you have to do is open the dump file just like a project. Once it is open, "run" the dump file (F5 by default), and if all the paths are set correctly, it will take you right to the code that crashed, give you a call stack, etc.

To use WinDbg, you need to jump through a couple of hoops:

  • Launch WinDbg.
  • Open the dump file (Ctrl+D by default).
  • Tell WinDbg to get the correct Microsoft symbol files. Type .symfix . This may take a few minutes, as it will pull a ton of things from the Internet.
  • Tell WinDbg where your symbols (PDB files) are. Type .sympath+ c:\pdblocation , replacing the path with wherever you put the PDB files. Make sure you get the plus sign in there, with no whitespace between .sympath and the + sign, otherwise you will overwrite what step 3 set up.
  • Tell WinDbg where the source code is. Type .srcpath c:\app_build_1.0.100 , replacing the path with wherever you put the code you got from source control for this version of the software.
  • Tell WinDbg to analyze the dump file. Type !analyze -v

After a few minutes, if everything is configured correctly, WinDbg will take you to the location of your crash. At this point you have a million possibilities for digging into your application's memory space, the state of critical sections, windows, etc. But this is beyond the scope of this post.

Good luck

+57
Apr 17 '09 at 3:05
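As an added example (not code from the answer above), here is one way to wire up the MiniDumpWriteDump() approach the answer describes so that every dump's filename carries the full version number, and therefore tells you which PDB archive and which source tag to load. The product name MyApp, the 1.0.100 version constants, the filename layout and the chosen minidump flags are assumptions; the minidump call itself is Windows-only, so on other platforms only the version and filename helpers are compiled.

```cpp
// Added example: name each minidump after the exact build that wrote it,
// so the dump alone identifies the PDB set and the source tag (e.g. the
// c:\app_build_1.0.100 tree) needed to analyze it in WinDbg.
// "MyApp", the version numbers and the filename layout are assumptions.
#include <cstdio>
#include <ctime>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
#endif

// Stamped by the build machine; kAppBuild increments on every build.
static const unsigned kAppMajor = 1;
static const unsigned kAppMinor = 0;
static const unsigned kAppBuild = 100;   // hypothetical build number

// "1.0.100": the same string is used for the VCS tag and the PDB archive.
std::string VersionString() {
    char buf[64];
    std::snprintf(buf, sizeof buf, "%u.%u.%u", kAppMajor, kAppMinor, kAppBuild);
    return buf;
}

// Builds "<product>_<version>_<pid>_<UTC timestamp>.dmp".
std::string DumpFileName(const std::string& product, unsigned pid, std::time_t when) {
    std::tm tmv;
#ifdef _WIN32
    gmtime_s(&tmv, &when);
#else
    gmtime_r(&when, &tmv);
#endif
    char stamp[32];
    std::strftime(stamp, sizeof stamp, "%Y%m%dT%H%M%SZ", &tmv);
    return product + "_" + VersionString() + "_" + std::to_string(pid) + "_" + stamp + ".dmp";
}

#ifdef _WIN32
// Top-level exception filter: write the minidump, then let Windows terminate.
static LONG WINAPI WriteDumpOnCrash(EXCEPTION_POINTERS* ep) {
    std::string name = DumpFileName("MyApp", GetCurrentProcessId(), std::time(nullptr));
    HANDLE file = CreateFileA(name.c_str(), GENERIC_WRITE, 0, nullptr,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
    if (file != INVALID_HANDLE_VALUE) {
        MINIDUMP_EXCEPTION_INFORMATION mei;
        mei.ThreadId = GetCurrentThreadId();
        mei.ExceptionPointers = ep;   // records the faulting context in the dump
        mei.ClientPointers = FALSE;
        // Normal dump plus memory reachable from stack pointers; an assumed choice,
        // adjust to what your post-mortem analysis needs.
        MINIDUMP_TYPE type = (MINIDUMP_TYPE)(MiniDumpNormal | MiniDumpWithIndirectlyReferencedMemory);
        MiniDumpWriteDump(GetCurrentProcess(), GetCurrentProcessId(), file,
                          type, &mei, nullptr, nullptr);
        CloseHandle(file);
    }
    return EXCEPTION_EXECUTE_HANDLER;
}
#endif

// Call once at startup; on Windows this installs the crash handler.
void InstallCrashHandler() {
#ifdef _WIN32
    SetUnhandledExceptionFilter(WriteDumpOnCrash);
#endif
}

int main() {
    InstallCrashHandler();
    // Constructed sample input: pid 4242 at 2009-04-09 00:00:00 UTC.
    std::printf("%s\n", DumpFileName("MyApp", 4242, 1239235200).c_str());
    return 0;
}
```

A dump named MyApp_1.0.100_4242_20090409T000000Z.dmp maps straight back to the PDB archive and the source tag for build 1.0.100, so .sympath+ and .srcpath can be set without guessing. Writing the dump from inside the crashing process is the simplest route, but it can fail when the crash has exhausted or corrupted the stack; a separate watchdog process that calls MiniDumpWriteDump on the crashed process is more robust.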

(see Dump sections below)

Key tutorials and demos using WinDbg

Different ways to launch / attach WinDBG

Workspaces

Understanding how workspaces work ...

Cmdtree

"cmdtree" allows you to define a "menu" of debugger commands for easy access to frequently used commands without having to remember their short names.

You don't need to put all the command definitions into the same cmdtree text file... you can keep them in separate files and load several if you want (each then gets its own window).

Startup script

You can use the -c option on the command line to automatically run a WinDBG script when WinDBG starts.

This lets you enable DML (Debugger Markup Language) mode, load particular extensions, set .NET breakpoints, set kernel flags (for example, when kernel debugging you may need to change the DbgPrint mask so that you can see trace information: ed nt!Kd_DEFAULT_Mask 0xffffffff), load cmdtrees, etc.

Sample script:

 $$ Include a directory to search for extensions
 $$ (point to a source controlled or UNC shared directory so that all developers get access)
 .extpath+"c:\svn\DevTools\WinDBG\Extensions"

 $$ When debugging a driver written with the Windows Driver Framework/KMDF
 $$ load this extension that comes from the WinDDK.
 !load C:\WinDDK\7600.16385.1\bin\x86\wdfkd.dll
 !wdftmffile C:\WinDDK\7600.16385.1\tools\tracing\i386\wdf01009.tmf

 $$ load some extensions
 .load msec.dll
 .load byakugan.dll
 .load odbgext.dll
 .load sosex
 .load psscor4

 $$ Make commands that support DML (Debugger Markup Language) use it
 .prefer_dml 1
 .dml_start

 $$ Show NTSTATUS codes in hex by default
 .enable_long_status 1

 $$ Set default extension
 .setdll psscor4

 $$ Show all loaded extensions
 .chain /D

 $$ Load some command trees
 .cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree1.txt
 .cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree2.txt

 $$ Show some help for the extensions
 !wdfkd.help
 !psscor4.help
 .help /D

Command cheat sheets

Extensions

"Extensions" let you expand the range of commands / functions supported inside WinDBG.

Writing your own extension

Using WinDBG to Debug Managed Code

Scripts (C #, PS, Python, WinDBG)

Debuggers / Tools that use the dbgeng.dll API / WinDBG Tools

Different ways to create crash dump files for post-mortem analysis

Dump Analysis Tools

Dump related tools

  • Citrix dumpcheck - checks the consistency of a dump file (appears to be gone; link + link )
  • dumpchk (part of the Debugging Tools) - checks the consistency of a dump file
  • MoonSols Windows Memory Toolkit (formerly windd) - converts various raw memory dump files into .dmp files that WinDBG can open
  • vm2dmp - Microsoft Hyper-V VM state to memory dump converter
  • vmss2core - converts a VMWare snapshot file into a kernel dump file ( download ), ( instructions )

Debugging virtual machine kernels

  • VMKD - Virtual Machine KD Extensions
  • VirtualKD - kernel debugger support for an OS hosted in VMWare / VirtualBox

Video

Blogs

Some blogs (a mixture of native and managed code debugging).

Advanced articles and tutorial material

Alternative debuggers

Other links

  • RCE Collaborative Tool Library
    - huge collection of debugger and system-level tools
  • cr4zyserb
    - huge collection of plugins and other debugging tools
  • How to write a Windows debugger: links (Devon Straw)
    - a large set of links with the detailed information you would need if you wanted to write your own debugger, for example the PDB file format, DMP file formats, PE file structure, how to record stack traces, etc.
  • Tuts4you
    - unpackers, IDA, OllyDBG, Immunity Debugger plugins, etc.
+25
Aug 09 '14 at 21:02

This is a very broad question.

  • The first step is to load the dump file into a WinDbg instance.
  • Then you need to make sure your symbols are set up.
  • Finally, you can run the !analyze -v command to perform basic analysis. You need to have symbol information available for your code to make dump files worthwhile.

The "Memory Dump, Software Trace, Debugging, Malware, Victimware and Intelligence Analysis Portal" website was very informative for me. I also really liked the book Advanced Windows Debugging by Mario Hewardt and Daniel Pravat.

+4
Apr 09 '09 at 16:23

Tess Ferrandez has a great set of basic tutorials and labs to get started with WinDbg. I highly recommend them.

+3
Apr 11 '09 at 4:27