Question

I have a fresh copy of Windbg (x86) and wrote a simple Hello World program to test out the debugger. There is a problem when loading the executable or attaching the process, the debugger never steps into the process.

Here for example are the addresses:

ModLoad: 013c0000 013c6000   Hello World.exe
ModLoad: 76eb0000 77030000   ntdll.dll
ModLoad: 75ab0000 75bc0000   C:\Windows\syswow64\kernel32.dll
ModLoad: 74d60000 74da7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 70980000 70a6e000   C:\Windows\SysWOW64\MSVCR120.dll

After loading the process, I step through with F11 (Step into) to see every instruction being executed. From what I've noticed, Windbg never shows the instructions for Hello World.exe even though it does execute it.

What could be the problem and how would I go about solving it?

Solution

If you start stepping after Open Executable, you will have a “long way to go”, because it starts inside Windows code. Use the X command to find the main address; the names can vary a bit depending on the tool you use to make the program, but try with the wildcard *main*.

You can set a break in main in your program and enter g (go); from here you can step inside your code. Here is a sample for my SimpleCrash.exe:

0:000> x SimpleCrash!*main*
*** WARNING: Unable to verify checksum for SimpleCrash.exe
011e8020 SimpleCrash!__native_dllmain_reason = 0xffffffff
011e8138 SimpleCrash!mainret = 0n0
011e1a00 SimpleCrash!wmain (int, wchar_t **)
0:000> bp 011e1a00 
0:000> g
Breakpoint 0 hit
eax=00419ed8 ebx=7efde000 ecx=00417f10 edx=00000001 esi=00000000 edi=00000000
eip=011e1a00 esp=0030f9dc ebp=0030fa28 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
SimpleCrash!wmain:
011e1a00 55              push    ebp

Here I’m in my SimpleCrash main function and can observe the stack into Windows code:

0:000> k
ChildEBP RetAddr  
0030f9d8 011e1959 SimpleCrash!wmain 
0030fa28 011e1b4d SimpleCrash!__tmainCRTStartup+0x199 [f:\dd\vctools\crt_bld\s
0030fa30 7548336a SimpleCrash!wmainCRTStartup+0xd [f:\dd\vctools\crt_bld\self_
0030fa3c 77859f72 kernel32!BaseThreadInitThunk+0xe
0030fa7c 77859f45 ntdll!__RtlUserThreadStart+0x70
0030fa94 00000000 ntdll!_RtlUserThreadStart+0x1b
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
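
The same procedure applied to the question's program, as an added example that is not part of the original question or answer. It breaks by symbol rather than by raw address. The module name `Hello_World` and the symbol `main` are assumptions: use the name exactly as `lm` prints it, and `main` resolves only when the program's PDB is loaded.

```windbg
$$ Added example, not from the answer. Hello_World and main are assumed names.

$$ 1. Confirm the module name the debugger assigned and whether symbols loaded.
lm m Hello*

$$ 2. List candidate entry symbols, as the answer does for SimpleCrash.
x Hello_World!*main*

$$ 3. Break by symbol instead of by address. bu is deferred and stored
$$    symbolically, so it still resolves if the image loads at another base.
bu Hello_World!main

$$ 4. Without symbols, break at the entry point of the executable instead.
$$    This lands in the CRT startup code, which later calls main.
bp $exentry

$$ 5. Run to the breakpoint, single-step (t is F11, p is F10), show the stack.
g
t
k
```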