Question

WinDbg how to get into a .exe to trace, and into a .dll to trace ?

Asked by: deleyd

I can never get WinDbg to get me inside an executable. Need some basic help getting started here. If I can just get inside I can start tracing and go to where I want to see what happens.

I have an executable, and a disassembly of the executable. I run WinDbg, tell WinDbg to run the executable (FILE -> OPEN EXECUTABLE), and start stepping (p & t).

But it doesn't look like I'm in the executable. I try stepping and eventually I come to a point where suddenly the program starts up and runs to completion and I've missed the whole thing.

This time I want to get into wscript.exe

so I start up WinDbg, do FILE -> OPEN EXECUTABLE, navigate to wscript.exe, add my test.vbs script as an argument, and I get the WinDbg Command window, which says 0:000>. I enter 'g' to go, and it runs correctly and runs my brief test script to completion. Got it working this far.

Now repeat, and this time I want to get into wscript.exe so I can start tracing steps, and I'll most likely want to get into a *.dll that it will load, probably wshcon.dll, so my question is:

How can I get into wscript.exe to start tracing?
How can I trace into wshcon.dll, which I think it will load and which I think is where I'm interested?
(I think the prompt 0:000> is telling me I'm not quite in the right thread somehow.)

Asked On: 2009-08-08 at 19:28:30 (ID 24637656)
Topics: Debugging Software for Development, Assembly Programming Language
Participating Experts: 1 | Points: 500 | Comments: 4


Answers

by: roman2 | Posted on 2009-08-08 at 22:13:16 | ID: 25052934

Hello,
You can keep track of loading modules (DLLs), for example:
sxe ld:wshcon.dll
This command breaks execution before that module (wshcon.dll) is loaded.
WinDbg (cdb) has a useful command, "wt", for tracing, but I am not sure I understand what you want.

by: deleyd | Posted on 2009-08-09 at 09:59:38 | ID: 25054830

Let's start with a simpler example. I made a simple "Hello World" program:

#include <stdio.h>   /* declares printf; without it VC++ 6.0 only warns and assumes int printf() */

int main(int argc, char* argv[])
{
   printf("Hello World!\n");
   return 0;
}

I compile this program (Microsoft Visual C++ 6.0) to make hello.exe

I disassemble hello.exe using PE Explorer (a disassembler).
00401010  55          push    ebp
00401011  8BEC        mov     ebp,esp
00401013  83EC40      sub     esp,00000040h
00401016  53          push    ebx
00401017  56          push    esi
00401018  57          push    edi
00401019  8D7DC0      lea     edi,[ebp-40h]
0040101C  B910000000  mov     ecx,00000010h
00401021  B8CCCCCCCC  mov     eax,CCCCCCCCh
00401026  F3AB        rep stosd
00401028  681C204200  push    SSZ0042201C_Hello_World__
0040102D  E82E000000  call    SUB_L00401060
00401032  83C404      add     esp,00000004h
00401035  33C0        xor     eax,eax
00401037  5F          pop     edi
00401038  5E          pop     esi
00401039  5B          pop     ebx
0040103A  83C440      add     esp,00000040h
0040103D  3BEC        cmp     ebp,esp
0040103F  E89C000000  call    SUB_L004010E0
00401044  8BE5        mov     esp,ebp
00401046  5D          pop     ebp
00401047  C3          retn
(the full disassembly listing is 119269 lines long. This is the part I'm interested in.)

I run WinDbg. FILE -> OPEN EXECUTABLE, hello.exe:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Documents and Settings\Owner\My Documents\C++\hello\Debug\hello.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 0042c000   hello.exe
ModLoad: 7c900000 7c9b2000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
(948.1424): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffd8000 ecx=00000000 edx=00000001 esi=00241f48 edi=00241eb4
eip=7c90120e esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> .symfix
0:000> .reload
Reloading current modules
...
0:000> u
ntdll!DbgBreakPoint:
7c90120e cc              int     3
7c90120f c3              ret
7c901210 8bff            mov     edi,edi
ntdll!DbgUserBreakPoint:
7c901212 cc              int     3
7c901213 c3              ret
7c901214 8bff            mov     edi,edi
ntdll!DbgBreakPointWithStatus:
7c901216 8b442404        mov     eax,dword ptr [esp+4]
ntdll!RtlpBreakWithStatusInstruction:
7c90121a cc              int     3
0:000> k
ChildEBP RetAddr
0012fb1c 7c940442 ntdll!DbgBreakPoint
0012fc94 7c9210af ntdll!LdrpInitializeProcess+0xffa
0012fd1c 7c90e457 ntdll!_LdrpInitialize+0x183
00000000 00000000 ntdll!KiUserApcDispatcher+0x7

stack trace doesn't show my program

0:000> ~
.  0  Id: 948.1424 Suspend: 1 Teb: 7ffdf000 Unfrozen

I START STEPPING...
0:000> p
eax=00241eb4 ebx=7ffde000 ecx=00000000 edx=00000001 esi=00241f48 edi=00241eb4
eip=7c90120f esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint+0x1:
7c90120f c3              ret
0:000> p
eax=00241eb4 ebx=7ffde000 ecx=00000000 edx=00000001 esi=00241f48 edi=00241eb4
eip=7c940442 esp=0012fb24 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!LdrpInitializeProcess+0xffa:
7c940442 8b4368          mov     eax,dword ptr [ebx+68h] ds:0023:7ffde068=00000070
0:000> pt
eax=00000000 ebx=00000000 ecx=00005f00 edx=00241ebc esi=7ffde000 edi=7ffdd000
eip=7c9211ff esp=0012fc98 ebp=0012fd1c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpInitializeProcess+0x11d6:
7c9211ff c21400          ret     14h
0:000> p
eax=00000000 ebx=00000000 ecx=00005f00 edx=00241ebc esi=7ffde000 edi=7ffdd000
eip=7c9210af esp=0012fcb0 ebp=0012fd1c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!_LdrpInitialize+0x183:
7c9210af 8bf8            mov     edi,eax
0:000> pt
eax=00000000 ebx=7ffde000 ecx=7c91b02a edx=7c90e514 esi=017df7b2 edi=0012fd30
eip=7c91b02a esp=0012fd20 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!_LdrpInitialize+0x246:
7c91b02a c20c00          ret     0Ch
0:000> p
eax=00000000 ebx=7ffde000 ecx=7c91b02a edx=7c90e514 esi=017df7b2 edi=0012fd30
eip=7c90e457 esp=0012fd30 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiUserApcDispatcher+0x7:
7c90e457 6a01            push    1
0:000> p
eax=00000000 ebx=7ffde000 ecx=7c91b02a edx=7c90e514 esi=017df7b2 edi=0012fd30
eip=7c90e459 esp=0012fd2c ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiUserApcDispatcher+0x9:
7c90e459 57              push    edi
0:000> p
eax=00000000 ebx=7ffde000 ecx=7c91b02a edx=7c90e514 esi=017df7b2 edi=0012fd30
eip=7c90e45a esp=0012fd28 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiUserApcDispatcher+0xa:
7c90e45a e8ffebffff      call    ntdll!NtContinue (7c90d05e)
0:000> p
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0012fe54 ebp=0012ff50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3              ret

My program ran but I never managed to get into my actual program. I want to somehow get to that assembly code I listed above that pushes "Hello World" and makes a call.

by: roman2 | Posted on 2009-08-09 at 20:04:44 | ID: 25056949

Hello,
Debugging without symbols in WinDbg is difficult. You can set the breakpoint "bp kernel32!BaseProcessStart" for the EXE module, and trace into the CRT until a call to something like "wmain" appears. I've attached a debug session about that. Also, the "wt" command is very useful for understanding what's happening inside. In addition, you can simply set a breakpoint on an address in the module (from the disassembly) if its image base address matches the base address.
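Putting the two answers together as one command sequence (this is an added example, not the session roman2 attached): the 0:000> prompt in the question means process 0, thread 0, which is the main thread; the first stop is ntdll's loader breakpoint (the stack trace shows it under LdrpInitializeProcess), which fires before the executable's entry point has run, so stepping from there walks the loader and not hello.exe. Setting breakpoints before the first "g" avoids that. It assumes the layout shown in the question: hello.exe loaded at 00400000, matching the base the PE Explorer listing used, so 00401010 from the listing is a valid address, and an XP-era kernel32 that still has BaseProcessStart (on Vista and later the thread starts in kernel32!BaseThreadInitThunk instead). $exentry is WinDbg's built-in pseudo-register for the entry point of the first executable.

```windbg
$$ Added example, not part of the original answers. Run in the Command window
$$ right after FILE -> OPEN EXECUTABLE, while still at the loader breakpoint.
.symfix
.reload
$$ Confirm the image base; 00400000 here matches the disassembler's listing,
$$ so addresses from that listing can be used as-is.
lm m hello
$$ roman2's breakpoint: the CRT startup code is called from here (XP-era kernel32).
bp kernel32!BaseProcessStart
$$ Entry point of the executable itself (mainCRTStartup for a VC++ 6.0 build).
bp $exentry
$$ main() as found in the PE Explorer listing; only valid because the base matched.
bp 00401010
$$ For the wscript.exe case: stop when wshcon.dll is mapped, before its code runs.
sxe ld:wshcon.dll
$$ Each "g" now stops at the next breakpoint instead of running to completion.
g
$$ ...stopped in kernel32!BaseProcessStart; "k" shows the stack, "g" continues.
g
$$ ...stopped at the entry point; "g" once more reaches main.
g
$$ Compare with the listing: push SSZ0042201C_Hello_World__ / call SUB_L00401060.
u eip L20
$$ Trace main and the functions it calls, one level deep, with an instruction count
$$ per callee. Run it while eip is at the start of main.
wt -l 1
```

For the wscript.exe run, the same sequence applies with wscript.exe opened instead of hello.exe; after "sxe ld:wshcon.dll" stops the debugger, "lm m wshcon" shows the DLL's load address and "x wshcon!*" lists whatever symbols are available for it, which is where a breakpoint inside the DLL can then be set.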

by: deleyd | Posted on 2009-08-10 at 19:05:40 | ID: 31613339

Yes, that's got me going. Thank you. A lot of good info in those working examples.
