yrp604 / bdump Goto Github PK

View Code? Open in Web Editor NEW

44.0 44.0 12.0 16 KB

JavaScript 81.04% Python 18.96%

bdump's People

Contributors

Stargazers

Watchers

Forkers

gavz zoniony wumb0 donghyunlee00 richinseattle ch4rli3kop gangaji15519 ch3rn0byl grypwn ganbarutobi jackery001 hugsy

bdump's Issues

Could not recover cs!

Hi, I tried to dump an application under windbg:

File-Open executable
bp CMakeProject1!main
.scriptload bdump.js
press F5 until stop on bp0
!bdump "E:\dump"

And I got the next error:

What I'm doing wrong?

CR8/IRQL Register

The CR8 register ist set to 0xf when WinDBG is in a breakpoint. Consequently, this value is stored to the regs.json file. However, this is not the correct value before the breakpoint was hit

kd> r cr8
cr8=000000000000000f
kd> !irql
Debugger saved IRQL for processor 0x0 -- 0 (LOW_LEVEL)

Error: Unknown exception [at bdump (line 128 col 5)]

Hi. I'm dumping user process using !bdump "C:\temp\dump"
While saving register data, Error: Unknown exception [at bdump (line 128 col 5)] occurs
line 128 is const User = host.currentThread.Registers.User; in __collect_user function.
With some debugging, I figured out host.currentThread occurs the error.(on running var curThread = host.currentThread;, it raises same error)
add) host.currentProcess too

kd> dx -r1 Debugger.State.Scripts.test.Contents.host
Debugger.State.Scripts.test.Contents.host                 : [object Object]
    currentApiVersionSupported : [object Object]
    currentApiVersionInitialized : [object Object]
    diagnostics      : [object Object]
    metadata         : [object Object]
    namespace       
    currentSession   : Remote KD: KdSrv:Server=@{<Local>},Trans=@{NET:Port=55555,Key=1pq9apo3ygxuf.3alfsb0xnsp1g.1j12s4iuq947e.3e7nv6a7o7t7y,Target}
    currentProcess   : Unknown exception
    currentThread    : Unknown exception
    memory           : [object Object]
    typeSystem       : [object Object]

Test Environment

Windows 10, x86/x64 (tested on both arch VM)
- 1 vCPU, 4G RAM, Hyper-V enabled
using 'windbg x86' / 'windbg preview' (tested both)
- used kdnet
dumps x86 user-process

Steps

!process 0 0 testprogram.exe
.process /i [proc]
g
bp testprogram+0x1234
g
.scriptload C:\temp\bdump.js
!bdump "C:\\temp\\dump"

Full logs

kd> !process 0 0 testprogram.exe
PROCESS af60f840  SessionId: 1  Cid: 1554    Peb: 07e37000  ParentCid: 0bb8
    DirBase: bffff880  ObjectTable: a138fbc0  HandleCount: 712.
    Image: testprogram.exe

kd> .process /i af60f840
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
8537cdc4 cc              int     3
kd> .reload
Connected to Windows 10 19041 x86 compatible target at (Thu Nov  4 15:03:21.843 2021 (UTC + 9:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
...............................................
Loading User Symbols
................................................................
................................................................
........
Loading unloaded module list
...........
kd> bp 0x1234+testprogram
kd> g
Breakpoint 0 hit
testprogram+0x1234:
001b:xxxxxxxx 8bff            mov     edi,edi
kd> .scriptload C:\temp\bdump.js
[bdump] Usage: !bdump "C:\\path\\to\\dump"
[bdump] Usage: !bdump_full "C:\\path\\to\\dump"
[bdump] Usage: !bdump_active_kernel "C:\\path\\to\\dump"
[bdump] This will create a dump directory and fill it with a memory and register files
[bdump] NOTE: you must include the quotes and escape the backslashes!
JavaScript script successfully loaded from 'C:\temp\bdump.js'
kd> !bdump "C:\\temp\\dump"
[bdump] creating dir...
[bdump] saving regs...
Error: Unknown exception [at bdump (line 128 col 5)]

Related issue: microsoft/WinDbg-Samples#13

Wrong regs.json

Hi, I run it with my Win10 + Hyper-V (win10) and execute
!bdump "C:\\dump"

But it generate a wrong regs.json file
There are output from windbg

0: kd> r
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000038
rdx=00007ff618179d40 rsi=0000000000000000 rdi=0000005533cffbef
rip=00007ff618171531 rsp=0000005533cffa90 rbp=0000000000000000
 r8=00000000000000f8  r9=fefefefefefefefe r10=0000000000000000
r11=0000005533cffaf7 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CMakeProject1!main+0x71:
0033:00007ff6`18171531 488d542460      lea     rdx,[rsp+60h]

Also I attached the regs.json file
regs.txt

That's because WTF didn't work with it

could not recover cs (different line failure than previous issue)

0:000> !bdump "C:\Users\demo\Desktop\bdump\dump"
!bdump "C:\Users\demo\Desktop\bdump\dump"
[bdump] creating dir...
[bdump] saving regs...
[bdump] could not recover cs!
Error: Unknown exception [at bdump (line 82 col 5)]
0:000> dg cs
dg cs
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags

0033 Unable to get descriptor

I dont see what I'm possibly doing wrong. I am connected over a remote kernel Debugger from my Host Win10 x64 to my Hyper-V VM Win10 x64 machine. I launch the target application on my target VM using the command "ntsd -d MYAPP".
Does it possibly have to do anything with my symbols? (I'm having a hard time to set them up propberly using the documented way from examples given by Microsoft) I'm kinda completly lost right here.

Help much appreciated.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.