Hello everybody,

I know there has been lots of questions about which debugger is best. Everybody has their preference. I use OllyDdg but it doesn't debug vxd's. I know softice supports this but I put it on my wish list last christmas and I'm still waiting:) Is there any other debugger or method I can use? How do other people debug vxd's?


best regards,

czDrillard
Posted on 2002-08-16 02:20:41 by czDrillard
use wdeb386. Very stable and nice user interface :)
Posted on 2002-08-16 03:25:36 by japheth
If the VDD is not very long you can use a disassembler, and study it quietly somewhere, the park, the beach... :)
Posted on 2002-08-16 11:07:46 by slop
Thanks for answers,

japheth: That sounded like what I wanted and I've got wdeb386 in the DDK98. I was just reading the documentation and at the end under 'How to Get Started' is the following quote:
______________________________________________

You need a computer with a serial port, and you'll need to buy or make a null-modem cable. You only need a three-line null modem cable . . .
______________________________________________

Disappointing, this sounds like a job for a mechanic not a programmer:) Is there any more info about this anywhere?

sloppy: this a very small vxd, I'm writing it myself so I've got the source code. Maybe I'm not thinking clearly, but would it help me much to disassemble the exe when I've got the source code? I just got up so it's quite possible my brain is still disengaged:)

best regards,

czDrillard
Posted on 2002-08-16 12:27:07 by czDrillard
Ok, you're right, your brain is tuned I think, my answer was a little sloppy, as always ;)

If you have the code you can:

1) Use a VDD-debug uyility provided by microsoft:
http://msdn.microsoft.com/library/en-us/dbgtools/ hh/dbgtools/dev_name_2of9.asp

2)Send it to me and I?ll use my quiet and relaxing park-debugging (with a dissasembly list) ;)
Posted on 2002-08-16 12:36:36 by slop
Hi sloppy,

Your link is broken, I copied entire link and pasted but still page not found:( I searched MS and wdeb386 seems to be the only tool to use anyway.

I'm new to vxd writing and am working my way through Iczelion's tuts. I got to vxd tut 6 and there should be a message box displayed from within the vxd. This isn't happening and I wanted to check the value of edi. So when I say 'I'm writing it myself' I mean I'm re-writing Iczelion's tutorial:) Thanks anyway for the offer on the listing.

Btw, where do you live that there is quiet parks?

Eventually I want to write a vxd and use RO_SWAPPER_CALL SHR 8 It is my goal to clear contents of swap file.

best regards,

czDrillard
Posted on 2002-08-16 13:29:54 by czDrillard
If you don't have softice, a secondary computer or vmware... and even with softice, a secondary computer
is nice, and vmware can be a timesaver too.
Posted on 2002-08-16 15:35:31 by f0dder
Hi czDrillard,

How about converting the register values you want to find out about to ascii and using VWIN32_SysErrorBox to generate a Ring0 system modal message box to signal you of the ultimate demise of your code? ;) Up to 3 buttons can be defined in a VSEB structure, including 2 ascii buffers (message text and caption) you can use to relay information. Depending on your response you could then direct the code any of 3 ways.

The code below displays the register values of edi and at an arbitrary place in vxd code in a message box which allows user input. To be more useful for full debugging purposes, a complete module which accesses the CONTEXT structure in a self generated Interrupt Service Routine using an appropriate hook, and spits out the values wherever it's placed in code would be even better, but would likely be deemed inappropriate...



VxD_PAGEABLE_DATA_SEG

pszText db 512 dup(?) ; buffer to contain message text
pszCaption db "Caption", 0 ; caption text
StringFmt db "%08X","-","%08X",0 ; format string for VMMCall _Sprintf

;--------------------------------------------------
; This is the vwin32.inc structure needed to display
; the system modal error box
;--------------------------------------------------
vseb_s struct
vseb_resp DD ?
vseb_b3 DW ?
vseb_b2 DW ?
vseb_b1 DW ?
vseb_pszCaption DD ?
vseb_pszText DD ?
vseb_s ends

MBInfo vseb_s <>

VxD_PAGEABLE_DATA_ENDS

;=================================

VxD_PAGEABLE_CODE_SEG

;==================================
; VMMCall _Sprintf, <pOutBuf, pFormat, Param1, Param2, ...>
; Formats a string in a manner analogous to the C procedure,
; Uses EAX, ECX, EDX and Flags. Returns length of string.
;
; VMMCall _Sprintf will output the values of EDI and [EDI]
; into the Message text buffer, defined in the format string
; as "register - dword ptr [register]"
;===================================
;...
push [edi] ; Param2
push edi ; Param1
push offset32 StringFmt
push offset32 pszText
VMMCall _Sprintf
add esp, 0Ch ; basic stack balance
pop eax ; add for extra params pushed

;===================================
; Create a Message box
;===================================

;-------------------------------------------------------------
; Fill vseb_s structure with MessageBox info
; (concatenate or use _Sprintf to create a longer string)
;-------------------------------------------------------------
mov eax, offset32 pszText ; main message box text
mov MBInfo.vseb_pszText, eax

mov eax, offset32 pszCaption ; caption text
mov MBInfo.vseb_pszCaption, eax

; define buttons
mov MBInfo.vseb_b1, 1 ; Button with "OK"
mov MBInfo.vseb_b2, 7 ; Button with "&Ignore
mov MBInfo.vseb_b3, 8 ; Button with "Close"

mov ebx, offset32 MBInfo
; pointer to start of vseb_s structure passed in EBX
VXDCall VWIN32_SysErrorBox

;-------------------------------------------------------------
; Check users response - vseb_resp indicates which button
; the user pressed. May be 1, 2 or 3
;-------------------------------------------------------------
mov eax, MBInfo.vseb_resp
.if eax == 1
...


ret
VxD_PAGEABLE_CODE_ENDS

;==========================================
; If you wanted to access the full CONTEXT structure from an ISR
; within a VxD_LOCKED_CODE_SEG, you could use these functions

;push offset32 ContextStruct
; Address of a CONTEXT structure
;VMMCall Get_Cur_Thread_Handle
;push edi
; Ptcb Ring 0 thread handle
;VXDCall _VWIN32_Get_Thread_Context
;==========================================



Hope this helps.

Cheers,
Kayaker
Posted on 2002-08-16 21:25:55 by Kayaker
:alright: Brilliant Kayaker, brilliant,

I am going to be busy for awhile playing around with your code. Who needs those expensive debuggers? (I will in the future, but not today) I was dragging around the idea of filling the lpOutBuffer of the DeviceIOControl api with data from say the edi register. Your methods cool. Thanks

best regards,

czDrillard
Posted on 2002-08-16 22:04:17 by czDrillard
yup! nice and handy one, Kayaker. but, it happened to me mostly, that the driver trigger a BSOD. i just disappointed why this BSOD doesnt show more infos, like what u said, ie _CONTEXT struct or CLIENT struct. besides its wasting whole screen filling it just with 2-3 line line info. and it worsen when i dont know the base address(coz dynamic loaded) and it halt my pc >(. i wonder how to patch this BSOD so that it shows more comprehensive one. do u know how to do that?

thanks
Posted on 2002-08-18 21:21:52 by dion
Hi

Thank you czDrillard, I hope it works out for you. What's handy is being able to redirect the code and possibly thwarting off a BSOD crash by sending it to a safe exit. I suppose there's also the possibility of using some of the VMM Debugging services in your code in conjunction with a debugger, such as _Debug_Out_Service, _Trace_Out_Service..., though I've never looked into it.

I'm glad you wrote dion, if you're having problems with this. The system modal message box is generated from Ring0, but it should look almost identical to a regular Win32 message box, expect on a white background with bad system font and regular buttons, and your desktop should be visible behind it. If you're getting a BSOD then there's a problem with the implementation of the code. I sense you may be having more basic problems with the vxd, how are you using the code? Understand that if you want the full CONTEXT information displayed, then you have to code that in yourself, the example was just to show the basic procedure on a single register. There are many ways this code could be used, and the strings are how you build them, though I don't know if there is a buffer maximum for the text and caption strings.

You don't need this system modal message box if all you're trying to do is relay information to the user, you can also pass a pointer to a structure back to Win32 with lpOutBuffer and extract any information you want from the vxd. You need to address this BSOD before you can continue. Start with a basic vxd skeleton that works and I think a VxD_PAGEABLE_CODE_SEG something like this should work?



VxD_PAGEABLE_CODE_SEG

BeginProc OnDeviceIoControl
assume esi:ptr DIOCParams
.IF [esi].dwIoControlCode==DIOC_Open
; called on vxd loading by CreateFile
xor eax,eax

.ELSEIF [esi].dwIoControlCode == 1
mov pDIOC,esi
; save pointer to DIOC params struct

; CODE POSTED ABOVE, WITH VARIABLES
; DECLARED IN VxD_PAGEABLE_DATA_SEG
ret

;-----------------END---------------
.ELSE
xor eax,eax
.ENDIF
ret
EndProc OnDeviceIoControl

VxD_PAGEABLE_CODE_ENDS


If you want to pass information from your vxd to your Win32 GUI, you can easily create a structure to hold any and all variables, pointers, strings, flags, etc., and pass a pointer to the structure back via lpOutBuffer of DeviceIoControl.



; In VxD_PAGEABLE_DATA_SEG:
DRIVER_INFO struct
strBuffer1 db 16 dup(?)
strBuffer2 db 512 dup(?)
PID DWORD ?
DRIVER_INFO ends

Pass2ring3 DRIVER_INFO <>

; In VxD_PAGEABLE_CODE_SEG:
; Fill structure variables with whatever...

.ELSEIF [esi].dwIoControlCode == 2
; Can be a separate call

;------------------------------------------
; Pass starting address of DRIVER_INFO
; structure to Win32 via lpvOutBuffer of
; DIOC params structure of DeviceIOControl.
;------------------------------------------

;mov pDIOC,esi ; save pointer to DIOC params struct
mov eax, OFFSET32 Pass2ring3
; start of DRIVER_INFO structure

mov edx, [esi].lpvOutBuffer
mov [edx], eax
; Pass address of our variable structure
.endif

clc
ret


In Win32 you could access the structure in vxd code with
something like

	

invoke DeviceIoControl,hVxD,2,NULL, NULL,\
OFFSET lpOutBuffer, 4, lpBytesReturned,NULL

.IF lpOutBuffer != 0

; strBuffer1
invoke SendDlgItemMessage, hWnd, IDC_EDIT1,\
WM_SETTEXT, 0, lpOutBuffer

; strBuffer2
mov edi, lpOutBuffer
add edi, 16
invoke SendDlgItemMessage, hWnd, IDC_EDIT2, \
WM_SETTEXT, 0, edi

; PID
add edi, 512
mov edi, [edi]
invoke wsprintf, ADDR StringBuff, ADDR StringFmt, edi
invoke SendDlgItemMessage, hWnd, IDC_EDIT3,\
WM_SETTEXT, 0, ADDR StringBuff

.ENDIF


Kayaker
Posted on 2002-08-19 01:48:32 by Kayaker
Chapeau Kayaker!
Posted on 2002-08-19 11:14:56 by slop
hmm... before all, thanks Kayaker. maybe i'm not explain it clearly. firstly, i dont want to use debugger . then, i dont want to code a counterpart in win32 gui just for displaying it . then... the most important info i need is like error msgbox in win32 gui, that display bytes at current EIP, so that i could find those byte pattern and knowing which code gets f*** up. the other one like registers contents is just complementary, if could, then better. i wonder maybe this thing can be done with SEH/PM_Fault hooking or whatever to alter BSOD callback. if it cant, then... never mind. just take some minutes to restart computer several times and take a time to think what have i ate before ;p.

thx
Posted on 2002-08-20 03:12:18 by dion