Archive for December, 2011

Reading x32 stack – Learned two new commands!!!

December 25th, 2011

Learned two new commands while working on an issue. I have a Windows 7 x64 OS and was troubleshooting an issue… I took a process dump and tried opening it in WinDbg…

As you can see, the stack is not showing properly… after some searching on the web I found some useful articles… it looks as though the process is x32 but the dump was taken on x64, therefore I can’t read it. Browsing further through the WinDbg help (.hh), I found the two commands below:

0:000> .load wow64exts
0:000> .effmach x86

Merry Christmas!!!

December 25th, 2011

Merry Christmas to visitors!!! Wonderful day, no rain and no snow in Dublin… that’s the time (festival periods) when I miss my Motherland, India…

Debugging for Starters – III

December 13th, 2011

The first two blog posts in this series are:

http://blog.lkctx.com/debugging-for-starters-i

http://blog.lkctx.com/debugging-for-starters-ii/

We already discussed different terminologies, different types of dumps, tools to create dumps and also how to check whether they are good for analysis or not. In the next couple of articles, I will document the steps required to open a dump in WinDbg. I will also try to document the steps required to troubleshoot some common issues related to:

  1. Application\Server crash
  2. Application\Server hangs
  3. CPU spikes, etc.

and I will add more tools as and when required. The main tool that we are going to use is WinDbg.

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

The installation of WinDbg is pretty simple; anyone who has ever installed any software on Windows can do it. However, before opening the dump, you need to configure the symbol server.

Symbols – Put simply, symbols (.pdb files, generated when an application is compiled) convert 01010101 into ‘human readable’ English. More technical definitions exist on the internet, but this is the simplest I can think of. Symbols are provided by the application vendors, who usually have a public-facing symbol server. For example:

SmartCard APIs

December 11th, 2011

SmartCard API call sequence – SCardEstablishContext, SCardConnect, SCardTransmit, etc.

Some days ago, I was working on one very interesting case related to Smartcard behaviour on XenApp. While I can’t disclose all the findings, I would still like to share some of the learnings. It is very important to understand the behaviour of the SmartCard APIs, how they work, etc. (check MSDN). MS has released documentation related to different protocols; one that interests me a lot (as I work mainly on Smart card, Authentication, etc. issues) is related to ‘Remote Desktop Protocol: Smart Card Virtual Channel Extension’.

Ref: http://msdn.microsoft.com/en-us/library/cc242596(v=PROT.10).aspx

This example shows the messages sent to perform a simple query of a card in the TS client machine. It assumes that a channel has already been set up between the TS client and the TS server. In addition, a PC/SC-compatible resource manager is running on the TS client and there exists a smart card reader with a smart card inserted. The following figure represents the program flow.

Memory Dump Analysis Anthology – Wow!

December 1st, 2011

One of the best books on dump analysis; the whole series is worth reading along with Windows Internals. Just got Vol-1 signed by its author, Dmitry Vostokov.

http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+1

http://www.dumpanalysis.org/Forthcoming+Memory+Dump+Analysis+Anthology+Volume+2

http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+3

http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+4

http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+5

Dmitry Vostokov has a very informative blog, http://www.dumpanalysis.org, where he shares his experience and knowledge… bookmark it if you want to learn and would like to go deeper into debugging… He is also the developer of many useful utilities like DumpCheck, TestWER, etc.

Debugging for Starters – II

December 1st, 2011

The first blog in this series is: http://blog.lkctx.com/debugging-for-starters-i/

So we already discussed some terms in the above blog; now let’s see how we can create a dump (as we are going to concentrate more on dump analysis than on live-debugging techniques).

Creating a Dump – There are different ways to create user dumps: automatically and/or manually.

This will help capture a dump in case the application crashes. From Windows Vista onwards, you can use Task Manager to create a dump of any process. This will be helpful if you are troubleshooting issues related to CPU spikes in a process.