12/08/2008

Dumping NT_TIB

When a thread has crashed without leaving any clue at all (e.g. every register holds an invalid value), you might try to get a stack trace by manually pointing esp/ebp at some probable value inside the stack. In that case you first need to know the valid stack range, which can be obtained with the following windbg command. Check out the StackBase and StackLimit fields of the NT_TIB structure: the thread's committed stack lies between StackLimit (lowest address) and StackBase (one past the highest), so any candidate esp/ebp must fall inside that range.

0:005> dt -r ntdll!_NT_TIB poi(fs:18h)
   +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
      +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
         +0x000 Next : 0x01c3ff2c _EXCEPTION_REGISTRATION_RECORD
         +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
      +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
   +0x004 StackBase : 0x01c40000
   +0x008 StackLimit : 0x01c2c000
   +0x00c SubSystemTib : (null)
   +0x010 FiberData : 0x00001e00
   +0x010 Version : 0x1e00
   +0x014 ArbitraryUserPointer : (null)
   +0x018 Self : 0x7ffd9000 _NT_TIB
      +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
         +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
         +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
      +0x004 StackBase : 0x01c40000
      +0x008 StackLimit : 0x01c2c000
      +0x00c SubSystemTib : (null)
      +0x010 FiberData : 0x00001e00
      +0x010 Version : 0x1e00
      +0x014 ArbitraryUserPointer : (null)
      +0x018 Self : 0x7ffd9000 _NT_TIB
         +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
         +0x004 StackBase : 0x01c40000
         +0x008 StackLimit : 0x01c2c000
         +0x00c SubSystemTib : (null)
         +0x010 FiberData : 0x00001e00
         +0x010 Version : 0x1e00
         +0x014 ArbitraryUserPointer : (null)
         +0x018 Self : 0x7ffd9000 _NT_TIB
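As an added example (not part of the original post), the same range check carried out in portable C: the StackBase and StackLimit values are the ones from the dt output above, while the stack snapshot, its three frames and their return addresses are constructed here. The ebp-chain walk is one common heuristic for picking a "probable value" for ebp once the real registers are gone: a candidate only counts if every saved ebp stays inside [StackLimit, StackBase) and moves toward StackBase.

```c
#include <stdint.h>
#include <string.h>
/* Stack bounds from the NT_TIB dump above (x86, stack grows downward): StackLimit
 * is the lowest committed address, StackBase one past the highest. */
#define STACK_BASE  0x01c40000u
#define STACK_LIMIT 0x01c2c000u

/* Constructed stand-in for the committed stack pages, not a real dump. */
static uint8_t stack_mem[STACK_BASE - STACK_LIMIT];
static uint32_t rd(uint32_t va) { uint32_t v; memcpy(&v, stack_mem + (va - STACK_LIMIT), 4); return v; }
static void     wr(uint32_t va, uint32_t v) { memcpy(stack_mem + (va - STACK_LIMIT), &v, 4); }

/* 1 if an aligned dword at va lies entirely inside [StackLimit, StackBase). */
int in_stack(uint32_t va) { return va >= STACK_LIMIT && va <= STACK_BASE - 4 && (va & 3) == 0; }

/* Walk an ebp chain from a candidate ebp ([ebp] = caller's saved ebp, [ebp+4] = return
 * address). Each saved ebp must stay in range and move toward StackBase; zero ends it. */
int walk_frames(uint32_t ebp, uint32_t *ret, int max)
{
    int n = 0;
    while (n < max && in_stack(ebp) && in_stack(ebp + 4)) {
        uint32_t saved = rd(ebp), retaddr = rd(ebp + 4);
        if (retaddr == 0)
            break;                      /* not a frame: no return address */
        ret[n++] = retaddr;
        if (saved == 0 || saved <= ebp)
            break;                      /* outermost frame, or broken link */
        ebp = saved;
    }
    return n;                           /* number of return addresses stored */
}

/* Scan upward from 'from' for the first dword that starts a chain of at least
 * min_frames frames: the "probable value" to point ebp at. Returns 0 if none. */
uint32_t find_candidate_ebp(uint32_t from, int min_frames)
{
    uint32_t ret[32];
    for (uint32_t va = from & ~3u; in_stack(va); va += 4)
        if (walk_frames(va, ret, 32) >= min_frames)
            return va;
    return 0;
}

/* Lay out three hand-made frames in the snapshot (return addresses are made up). */
void build_sample_stack(void)
{
    memset(stack_mem, 0, sizeof stack_mem);
    wr(0x01c3ef00, 0x01c3ef40); wr(0x01c3ef04, 0x00401234);  /* innermost frame */
    wr(0x01c3ef40, 0x01c3ef80); wr(0x01c3ef44, 0x00405678);
    wr(0x01c3ef80, 0);          wr(0x01c3ef84, 0x0040abcd);  /* outermost, saved ebp 0 */
}
```

In a real session the snapshot would be the bytes between StackLimit and StackBase read from the crashed thread, and the candidate returned by find_candidate_ebp is what you would hand to windbg as the ebp for a manual trace.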




12/02/2008

Dumping Kernel Service Table From Windbg

You can use the following commands from windbg to dump the system service table nicely. Of course, you need to be connected to a remote system kernel or have a kernel dump file loaded. The first command dumps the native (ntoskrnl) table: the dispatch table pointer is the first dword of KeServiceDescriptorTable and the entry count sits at offset 8, which is why the length argument is read from there.

Dumping KeServiceDescriptorTable

0:kd> dds poi(nt!KeServiceDescriptorTable) L poi(nt!KeServiceDescriptorTable+8)
808341b0 8092023a nt!NtAcceptConnectPort
808341b4 8096b71e nt!NtAccessCheck
808341b8 8096f9be nt!NtAccessCheckAndAuditAlarm
...
80834640 80994ea4 nt!NtWaitForKeyedEvent
80834644 80944e6c nt!NtQueryPortInformationProcess
80834648 8094546e nt!NtGetCurrentProcessorNumber
8083464c 809390f8 nt!NtWaitForMultipleObjects32



Dumping KeServiceDescriptorTableShadow

The shadow table holds a second descriptor for the win32k (GDI/USER) services; its dispatch table pointer and entry count are at offsets 0x10 and 0x18, so the same dds form applies with those offsets.

0:kd> dds poi(nt!KeServiceDescriptorTableShadow+10) L poi(nt!KeServiceDescriptorTableShadow+18)
bf9a3000 bf92bf8c win32k!NtGdiAbortDoc
bf9a3004 bf941589 win32k!NtGdiAbortPath
bf9a3008 bf818ddf win32k!NtGdiAddFontResourceW
bf9a300c bf936c02 win32k!NtGdiAddRemoteFontToDC
...
bf9a3a50 bf9515d6 win32k!NtGdiBRUSHOBJ_DeleteRbrush
bf9a3a54 bf94ec39 win32k!NtGdiUMPDEngFreeUserMem
bf9a3a58 bf944082 win32k!NtGdiDrawStream
bf9a3a5c bf9459a0 win32k!UMPDDrvQuerySpoolType
bf9a3a60 bf929d4d win32k!NtGdiMakeObjectUnXferable