Windows debug and troubleshoot

I. Three ways to debug an application with WinDbg:

  1. Attach to a process that is already running;
  2. Launch a new program from WinDbg;
  3. Analyze the program's dump file in WinDbg;

II. Computer architecture (x86, x64)

III. Virtual memory

  1. Virtual memory is managed through paging;
  2. The minimum page size is 4 KB;

IV. Threads and processes

  1. Process (an instance of an application)
    A container that includes a private virtual address space, executable code and data. Contains at least one unit of execution, a thread.

  2. Thread, a unit of execution within the system
    Includes the contents of a volatile set of registers that represent the state of the processor. Scheduled by the Windows kernel for execution.

  3. A unique identifier is assigned to both
    Allocated from a shared table within system address space.

V. Displaying Threads and Processes

  1. Using the !teb debugger command
    Each thread within a process contains a Thread Environment Block, linked to the process block. Viewable using the !teb debugger command.

  2. Using the !peb debugger command
    Each process contains a single Process Environment Block, viewable using the !peb command.

  3. Using the built-in ~ command
    The ~ command is used to identify threads; ~* represents all the threads within a process.
    The ~s command can be used to switch between threads in the debugger.

VI. Thread Stacks

  1. A storage location used by threads.
    Used to store information such as parameters, local variables and return addresses.
    The amount of storage per thread is configurable by the application developer.

  2. Useful to identify the flow of code in an application
    Understanding the flow of code can assist in troubleshooting why an application crashed or is hung.
    Using the stack pointer register as a base is useful when viewing a stack trace is not successful.

  3. A unique stack is allocated to each thread
    Two stacks are assigned to each application thread: one in user address space, the other in system address space.

VII. Displaying Thread Stacks

  1. Accessible using the k debugger command

  2. Viewing a module's load range
    Select the range, then right-click.

VIII. Why Windows Applications Crash

  1. The result of an unhandled exception
    An event occurs that requires the execution of code outside the normal flow of control.
    Can be initiated by either software or hardware during execution.

  2. Windows uses structured exception handling
    Raising an exception causes the exception dispatcher to search for an exception handler.
    Allows the application to be given control when an exception occurs.

  3. Unhandled exceptions are passed to a system filter
    The kernel filter UnhandledExceptionFilter attempts to report the fault to the system.

IX. Attaching to a Crashed Application

  1. The application is not terminated until the filter returns
    In most cases there's a window in which a debugger can be attached to the process.

  2. Must know the name or the PID of the application

  3. Allows a user to create a dump of the application
    Useful when the system isn't configured by default to save crashes, or the default crash options
    don't contain enough information to diagnose the issue you're attempting to troubleshoot.

lm v m modulename : display information about the module modulename

X. Taking a Dump of an Application

  1. Possible to force dump creation of an application
    Taking a dump is useful as it allows you to restart the application while you perform further analysis.

  2. Using the built-in Windows Task Manager
    Select the Processes tab, right-click on the application and select Create Dump File.
    The resulting dump file is written to the directory defined by the user's TEMP variable.

  3. Using the Debugging Tools for Windows
    After attaching to the process, create a dump using one of the .dump commands.
    Allows for more control over what information is included, e.g. .dump /ma notepad.dmp
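The attach-and-dump procedure from sections IX and X, as an added PowerShell example (not from the original post): it resolves a process name or PID, attaches cdb (the console front end that ships with WinDbg in the Debugging Tools for Windows), records the PEB and every thread's stack, writes a full dump with .dump /ma and detaches. The cdb path and the output directory are assumptions; adjust them for your installation, and use the x86 or x64 debugger that matches the target process.

```powershell
param(
    [Parameter(Mandatory = $true)] [string] $Target,  # process name (e.g. notepad) or PID
    # Assumed install path of the Debugging Tools for Windows; change as needed.
    [string] $CdbPath = "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
    [string] $OutDir  = "C:\dumps"                     # assumed output directory (no spaces)
)

# Section IX: you must know the name or the PID of the application.
if ($Target -match '^\d+$') {
    $proc = Get-Process -Id ([int]$Target) -ErrorAction Stop
} else {
    $procs = @(Get-Process -Name $Target -ErrorAction Stop)
    if ($procs.Count -ne 1) {
        throw "Expected exactly one '$Target' process, found $($procs.Count); pass a PID instead."
    }
    $proc = $procs[0]
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$base     = Join-Path $OutDir "$($proc.ProcessName)-$($proc.Id)-$stamp"
$dumpPath = "$base.dmp"
$logPath  = "$base.log"

# Debugger commands executed once attached, all from the notes above:
#   !peb      - show the Process Environment Block
#   ~*k       - stack trace of every thread in the process
#   .dump /ma - full dump (all memory, handles and thread information)
#   qd        - quit and detach, leaving the process alive (for a crashed
#               process this lets UnhandledExceptionFilter finish afterwards)
$commands = "!peb; ~*k; .dump /ma $dumpPath; qd"

# -p attaches to the PID, -c runs the command string, -logo writes the session to a log.
& $CdbPath -p $proc.Id -c $commands -logo $logPath
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cdb exited with code $LASTEXITCODE; check $logPath"
}

Write-Host "Dump: $dumpPath"
Write-Host "Log:  $logPath"
```

The log holds the !peb and ~*k output, so the thread stacks captured at attach time survive even if the dump is later discarded.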

XI. Further Information

Books:

  1. Windows Internals, Russinovich
  2. Advanced Windows Debugging, Hewardt, Mario
  3. Windows via C/C++, Richter, Jeffrey

Sites:

  1. http://dumpanalysis.org
  2. http://blogs.msdn.com/ntdebugging
posted @ 2023-06-04 23:51 damonml