Windows: when and how to use WinDbg kernel debugging
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/2085729/
Asked by whunmr
I found WinDbg is very useful during development and debugging, but mostly I use WinDbg in user mode debugging.
What can kernel debugging do in WinDbg? Or when should I use WinDbg's kernel debugging?
Is there a tutorial about kernel debugging in WinDbg?
Thanks in advance.
Accepted answer by Alon
You usually use kernel debugging when you need to debug low-level device drivers interacting directly with the hardware.
It's more complicated to debug in kernel mode; among other things, for a live kernel debug session you have to run the debugger on a different system than the one being debugged. For the majority of developers, user mode is enough to do most of the work.
Advanced Windows Debugging is a very good book about debugging with WinDbg (includes discussions about kernel debugging).
The dump analysis site has many tutorials, including kernel debugging scenarios.
Answered by Ivan Bohannon
The main difference between user mode and kernel mode WINDBG is that you can see EVERY process in kernel mode WINDBG, and all threads. You won't necessarily get to see every stack frame, since they get paged out frequently by the memory manager.
Some common commands I use frequently:
!process 0 0 lists every running process:
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60  Cid: 0002    Peb: 00000000  ParentCid: 0000
    DirBase: 00006e05  ObjectTable: 80a03788  TableSize: 150.
    Image: System
PROCESS 80986f40  Cid: 0012    Peb: 7ffde000  ParentCid: 0002
    DirBase: 000bd605  ObjectTable: 8098fce8  TableSize: 38.
    Image: smss.exe
PROCESS 80958020  Cid: 001a    Peb: 7ffde000  ParentCid: 0012
    DirBase: 0008b205  ObjectTable: 809782a8  TableSize: 150.
    Image: csrss.exe
PROCESS 80955040  Cid: 0020    Peb: 7ffde000  ParentCid: 0012
    DirBase: 00112005  ObjectTable: 80955ce8  TableSize: 54.
    Image: winlogon.exe
PROCESS 8094fce0  Cid: 0026    Peb: 7ffde000  ParentCid: 0020
    DirBase: 00055005  ObjectTable: 80950cc8  TableSize: 222.
    Image: services.exe
PROCESS 8094c020  Cid: 0029    Peb: 7ffde000  ParentCid: 0020
    DirBase: 000c4605  ObjectTable: 80990fe8  TableSize: 110.
    Image: lsass.exe
PROCESS 809258e0  Cid: 0044    Peb: 7ffde000  ParentCid: 0026
    DirBase: 001e5405  ObjectTable: 80925c68  TableSize: 70.
    Image: SPOOLSS.EXE
.process {x} selects the process you want to make active, usually followed by the !threads command to list a process's current threads.
!stacks 0x2 {foo.sys} searches ALL threads for call stacks that contain the specified driver.
!poolused is useful when debugging low kernel memory situations and all you have is a kernel crash dump.
.crash is useful for when you are debugging live via serial cable and you want to make the target machine write a crash dump.
!vm 1 gives a useful display of the memory manager's statistics, example:
*** Virtual Memory Usage ***
Physical Memory: 16270 ( 65080 Kb)
Page File: \??\E:\pagefile.sys
Current: 98304Kb Free Space: 61044Kb
Minimum: 98304Kb Maximum: 196608Kb
Available Pages: 5543 ( 22172 Kb)
ResAvail Pages: 6759 ( 27036 Kb)
Locked IO Pages: 112 ( 448 Kb)
Free System PTEs: 45089 ( 180356 Kb)
Free NP PTEs: 5145 ( 20580 Kb)
Free Special NP: 336 ( 1344 Kb)
Modified Pages: 714 ( 2856 Kb)
NonPagedPool Usage: 877 ( 3508 Kb)
NonPagedPool Max: 6252 ( 25008 Kb)
PagedPool 0 Usage: 729 ( 2916 Kb)
PagedPool 1 Usage: 432 ( 1728 Kb)
PagedPool 2 Usage: 436 ( 1744 Kb)
PagedPool Usage: 1597 ( 6388 Kb)
PagedPool Maximum: 13312 ( 53248 Kb)
Shared Commit: 1097 ( 4388 Kb)
Special Pool: 229 ( 916 Kb)
Shared Process: 1956 ( 7824 Kb)
PagedPool Commit: 1597 ( 6388 Kb)
Driver Commit: 828 ( 3312 Kb)
Committed pages: 21949 ( 87796 Kb)
Commit limit: 36256 ( 145024 Kb)
And don't forget the ALL MIGHTY !locks, absolutely essential for troubleshooting a deadlocked machine:
kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks......
Resource @ 0x80e97620    Shared 4 owning threads
    Threads: ff688da0-01<*> ff687da0-01<*> ff686da0-01<*> ff685da0-01<*>
KD: Scanning for held locks.......................................................
Resource @ 0x80e23f38    Shared 1 owning threads
    Threads: 80ed0023-01<*> *** Actual Thread 80ed0020
KD: Scanning for held locks.
Resource @ 0x80d8b0b0    Shared 1 owning threads
    Threads: 80ed0023-01<*> *** Actual Thread 80ed0020
2263 total locks, 3 locks currently held
Using this command you can track down threads that are stuck waiting for another thread to release an ERESOURCE.
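An added example (not code from the answer above or from WinDbg) showing how the !process 0 0 listing quoted in that answer can be parsed offline into a process table and walked along ParentCid links, which is how you reconstruct a process tree from a kernel dump when checking who spawned what. The sample text is a constructed, abridged copy of the listing above; the function names are this example's own.

```python
import re

# Constructed sample: the "!process 0 0" listing quoted in the answer above, abridged.
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 80a02a60  Cid: 0002    Peb: 00000000  ParentCid: 0000
    Image: System
PROCESS 80986f40  Cid: 0012    Peb: 7ffde000  ParentCid: 0002
    Image: smss.exe
PROCESS 80958020  Cid: 001a    Peb: 7ffde000  ParentCid: 0012
    Image: csrss.exe
PROCESS 80955040  Cid: 0020    Peb: 7ffde000  ParentCid: 0012
    Image: winlogon.exe
PROCESS 8094fce0  Cid: 0026    Peb: 7ffde000  ParentCid: 0020
    Image: services.exe
PROCESS 8094c020  Cid: 0029    Peb: 7ffde000  ParentCid: 0020
    Image: lsass.exe
PROCESS 809258e0  Cid: 0044    Peb: 7ffde000  ParentCid: 0026
    Image: SPOOLSS.EXE
"""

# One header line per process; Cid and ParentCid are hex. The Image: line names the executable.
PROCESS_RE = re.compile(r"^\s*PROCESS\s+([0-9a-f]+)\s+Cid:\s*([0-9a-f]+)\s+"
                        r"Peb:\s*[0-9a-f]+\s+ParentCid:\s*([0-9a-f]+)", re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)", re.I)

def parse_process_dump(text):
    """Return a list of dicts with keys eprocess, cid, parent_cid, image."""
    procs = []
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            procs.append({"eprocess": int(m[1], 16), "cid": int(m[2], 16),
                          "parent_cid": int(m[3], 16), "image": "?"})
        elif procs and (m := IMAGE_RE.match(line)):
            procs[-1]["image"] = m[1]   # Image: belongs to the most recent PROCESS header
    return procs

def ancestry(procs, cid):
    """Image names from the given Cid up to the root, following ParentCid links."""
    by_cid = {p["cid"]: p for p in procs}
    chain, seen = [], set()
    while cid in by_cid and cid not in seen:   # seen-guard: never loop on corrupt data
        seen.add(cid)
        chain.append(by_cid[cid]["image"])
        cid = by_cid[cid]["parent_cid"]
    return chain

def orphans(procs):
    """Processes whose ParentCid is not in the listing (parent has exited, or the root)."""
    cids = {p["cid"] for p in procs}
    return [p["image"] for p in procs if p["parent_cid"] not in cids]
```

Run against a full dump, a process whose parent chain or parent image looks wrong stands out immediately; on this sample only System has no parent in the table.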
Answered by Mike Kale
Probably you'll only want to debug in kernel mode when your code is running in kernel mode, i.e. when you're writing a driver or something else that runs in the kernel. Or possibly if you're trying to learn more about Windows itself at a very low level by exploring around in the kernel and poking and prodding at things.
When looking for tutorials and other reference material, you might look for "kd" references as well, as they are likely to be very similar. (kd is a command line kernel debugging tool.)