28

I can't make source code show in windbg when I pipe ntsd -d on the target through windbg -k, but it works when I debug locally.

I want to debug the very first code execution of Winlogon.exe and LSASS.exe. But to make it easy to reproduce the problem, I made up this setup:

  • I use the CrashMe sample application, with source and symbols pre-built, copied to C:\CrashMe on both the target and host
  • I use Windows Debugging tools for Windows (DTW) version 6.12.0002.633 everywhere.
  • The target is running Windows XP SP3, the host Windows 7 ultimate.
  • Every path and settings is the same on both machine : path to DTW and path to crashme.
  • I always use fully qualified path (like c:\dtw\ntsd.exe).
  • I run a XP in a VM, booted with /noexecute=optin /fastdetect /debug /debugport=com1 /baudrate=115200

I am able to debug locally with this command, launched from C:\CrashMe:

windbg -g -G -srcpath C:\CrashMe -y C:\CrashMe debug\CrashMe.exe

I can launch the Windows XP virtual machine and connect to it with this command:

windbg -n -k com:pipe,port=\\.\pipe\com_1,reconnect -srcpath SRV*;C:\CrashMe -y   
c:\windows\system32;c:\windows\symbols;C:\CrashMe\debug

But I need to debug a remote machine. On the target, I have these choices:

  1. Debug through -server and -remote
  2. Breaking in a running process
  3. Use Image File Execution Options (IFEO).

In each of these options I can see the symbols (x crashme!* works).

I cannot use #1 (-server) or #2 (breakin.exe <pid>), because I want to debug the startup code of an authentication provider, so I need LSASS.exe start under ntsd -d. I can't let it run and attach later on.

My understanding is that I need to use IFEO. Using gflags.exe instead of modifying the registry manually, I set executable options to 

c:\dtw\ntsd -d -G -lines -x -y c:\symcache;c:\windows\system32 -n -srcpath C:\CrashMe\
  • I can breakin the application, but breakpoints I set are never hit.
  • I can .open any file, but I can't use the file to set breakpoint.
  • I can x (examine) any symbol
  • I can not see the source code.

How can I see my DLL source code of a process running under ntsd -d through windbg -k?

Improve this question
9
  • I still haven't found the answer, but it might have something to do with ntsd not being a graphical debugger ?
    – ixe013
    Commented Jan 21, 2012 at 2:11
  • On a related note, on the exact same setup, I can debug a kernel driver with full source code in windbg.
    – ixe013
    Commented Jan 21, 2012 at 2:12
  • If you can debug a driver you already have a connection that can as well be used to debug user mode code (i.e. your application).
    – 0xC0000022L
    Commented Mar 29, 2012 at 1:37
  • 1
    You are right, and I do use it. But I can't get source to show !
    – ixe013
    Commented Mar 29, 2012 at 1:50
  • not even for the driver? In this case you haven't properly configured a.) a source server, b.) the driver was not compiled on the machine running the debugger (and thus paths differ) or c.) your WinDbg is not configured properly (start WinDbg then Ctrl+P to configure the source paths or -srcpath <path> at command line).
    – 0xC0000022L
    Commented Mar 29, 2012 at 1:58

1 Answer 1

Reset to default
2

TL;DR: Use -server <TRANSPORT> -ddefer and connect through a second windbg session that has .lsrcpath set to get what you want.

The rest: Source mode requires access from the system running the debugger to the source files. In the case of debugging user mode code over the kernel mode connection, this becomes tricky. Since the test is executing in the context of ntsd on the target machine, and that machine is broken into the debugger, loading source files generally doesn't work. I believe if you put a full source tree on the target machine or pointed the source path to a share, it might, but I haven't verified that.

What I did verify is that you can use this method to get source files loaded in your host machine.

This works by doing the following:

  1. Start your host kernel debugger
  2. Start ntsd on the target machine with (for example) `ntsd -server tcp:port=50000 -ddefer test.exe`
  3. Start a connection to your debug server (e.g. in WinDbg I use ctrl+r `tcp:port=50000,server=tawnos-target`)
  4. The connection will hang starting. Switch to your kernel debugger (which should be sitting at Input>) and run `.sleep 5000` to allow the connection to complete
  5. At this point, your remote connection should complete. You can now reload symbols as needed and use .lsrcpath to set a srcpath that windbg will use in order to view source code
Improve this answer
2
  • You are rigth, using -server works for regular user mode processes. I mentionned it in my (long) post. But how can I use the -server option to debug lsass or winlogon, which I can't start myself ?
    – ixe013
    Commented Jun 23, 2012 at 1:48
  • If I'm not mistaken, this will work (I can test this Monday). Combine -server with -ddefer, rather than just using ntsd -d. This will allow you to both get the benefits of breaking in to the initial process startup as well as the remote ability to see your source code. I will verify and report back to you if I don't hear more by Monday.
    – Tawnos
    Commented Jun 23, 2012 at 22:47

Not the answer you're looking for? Browse other questions tagged or ask your own question.