Setting up kernel-mode debugging
A kernel-mode debugging environment usually has two computers: a host and a target. The debugger runs on the host, and the code being debugged runs on the target. The host and target are connected by a debug cable. The Windows debuggers support the following cable types for debugging:
- Ethernet
- USB 2.0
- USB 3.0
- 1394
- Serial (also called null modem)
If the target computer is running a version of Windows earlier than Windows 8, you cannot use Ethernet debugging; you must use USB, 1394, or serial. The figure illustrates a host and a target computer connected by a USB, 1394, or serial debug cable.
Establishing a kernel-mode debugging session
Once you have set up the host and target computers and connected them with a debug cable, establish a kernel-mode debugging session by following the instructions in the topic that matches your setup. For example, if you chose to set up the host and target for debugging over Ethernet, see "Setting Up Kernel-Mode Debugging over a Network Cable Manually". Similarly, if you chose to set up the host and target for debugging over USB 2.0, the description of establishing the session is in "Setting Up Kernel-Mode Debugging over a USB 2.0 Cable Manually".
Starting debugging
2. In WinDbg, choose Contents from the Help menu. This opens the debugger documentation (a .chm file). The debugger documentation is also available online.
3. When you establish the kernel-mode debugging session, WinDbg may break into the target computer automatically. If WinDbg does not break in, choose Break from the Debug menu.
4. In the command line near the bottom of the WinDbg window, enter the command that sets the symbol search path.
The symbol search path tells WinDbg where to look for symbol (.pdb) files. The debugger needs symbol files to obtain information about code modules (function names, variable names, and so on). Then enter the command that tells WinDbg to perform its initial search for and loading of symbol files.
5. To view a list of loaded modules, enter the module-list command.
6. To let the target computer run, enter the following command: g
7. To break in again, choose Break from the Debug menu.
8. Enter the command that examines the _FILE_OBJECT type in the nt module.
9. Enter the command that examines some symbols in the nt module.
10. To place a breakpoint on MmCreateProcessAddressSpace, enter this command:
bu nt!MmCreateProcessAddressSpace
Then let the target computer run by entering: g
11. If the target computer does not enter the debugger right away, perform some action on the target (for example, open Notepad). When MmCreateProcessAddressSpace is called, the target computer enters the debugger. To view the stack trace, enter the stack-trace command.
12. On the View menu, choose Disassembly.
13. Clear the breakpoint by entering the following command: bc *
14. To see a list of all processes, enter the following command: !process 0 0
15. Copy the address of one process, then enter the following command: !process Address 2
For example: !process ffffe00000d5290 2
16. Copy the address of one thread, then enter the following command: !thread Address
For example: !thread ffffe00000e6d080
17. To see all device nodes in the Plug and Play device tree, enter the following command: !devnode 0 1
18. To see the device nodes together with their hardware resources, enter the following command: !devnode 0 9
19. To see only the device nodes whose service name is disk, enter the following command: !devnode 0 1 disk
20. In the !devnode 0 1 disk output, copy the address of the node's physical device object (PDO), then enter the following command: !devstack PdoAddress
For example: !devstack 0xffffe00001159610
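Steps 14 through 16 and 17 through 20 both follow the same pattern: run a listing command, copy an address out of its output by hand, and feed it to a second command. The following helper, written for this page and not part of the Windows debugger documentation, parses the text of !process 0 0 and !devnode 0 1 output and generates the !process Address 2 and !devstack PdoAddress follow-up commands, including the same service-name filter that !devnode 0 1 disk applies. The two sample outputs embedded below are constructed for the example (addresses, Cids, instance paths and image names are made up); the line layout follows the real command output, and the assumption is that you paste the debugger's text into the script unchanged.

```python
"""Parse WinDbg `!process 0 0` and `!devnode 0 1` output and build the
follow-up commands that the walkthrough otherwise has you type by hand."""
import re
from typing import Dict, List, Optional

# Constructed sample of `!process 0 0` output (not captured from a real target).
SAMPLE_PROCESS_LIST = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffe00000d52900
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc00000003000  HandleCount: <Data Not Accessible>
    Image: System

PROCESS ffffe00001a6e080
    SessionId: 1  Cid: 0b2c    Peb: 7ff7e3f1d000  ParentCid: 0a10
    DirBase: 1a2b3000  ObjectTable: ffffc00001d3e4c0  HandleCount: 215.
    Image: notepad.exe
"""

# Constructed sample of `!devnode 0 1` output (three nodes, one served by disk.sys).
SAMPLE_DEVNODE_LIST = """\
Dumping IopRootDeviceNode (= 0xffffe000011b1d30)
DevNode 0xffffe000011b1d30 for PDO 0xffffe000011b1c30
  InstancePath is "HTREE\\ROOT\\0"
  State = DeviceNodeStarted (0x308)
  DevNode 0xffffe000011e0a10 for PDO 0xffffe000011e09e0
    InstancePath is "PCI\\VEN_8086&DEV_2922&SUBSYS_00000000&REV_02\\3&11583659&0&FA"
    ServiceName is "storahci"
    State = DeviceNodeStarted (0x308)
    DevNode 0xffffe00001159610 for PDO 0xffffe000011595e0
      InstancePath is "SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000"
      ServiceName is "disk"
      State = DeviceNodeStarted (0x308)
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)")
CID_RE = re.compile(r"Cid:\s*([0-9a-fA-F]+)")          # first "Cid:" on the line, not "ParentCid:"
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
DEVNODE_RE = re.compile(r"DevNode\s+0x([0-9a-fA-F]+)\s+for\s+PDO\s+0x([0-9a-fA-F]+)")
SERVICE_RE = re.compile(r'ServiceName\s+is\s+"([^"]*)"')


def parse_process_list(text: str) -> List[Dict[str, str]]:
    """Return one record per PROCESS block: EPROCESS address, Cid and image name."""
    processes: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            processes.append({"address": m.group(1).lower(), "cid": "", "image": ""})
            continue
        if not processes:
            continue  # header text before the first PROCESS line
        m = CID_RE.search(line)
        if m:
            processes[-1]["cid"] = m.group(1).lower()
        m = IMAGE_RE.match(line)
        if m:
            processes[-1]["image"] = m.group(1)
    return processes


def process_detail_commands(processes: List[Dict[str, str]],
                            image: Optional[str] = None) -> List[str]:
    """Build the `!process <Address> 2` commands, optionally for one image name only."""
    return [f"!process {p['address']} 2" for p in processes
            if image is None or p["image"].lower() == image.lower()]


def parse_devnode_list(text: str) -> List[Dict[str, str]]:
    """Return one record per DevNode line: devnode address, PDO address, service name."""
    nodes: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = DEVNODE_RE.search(line)
        if m:
            nodes.append({"devnode": m.group(1).lower(), "pdo": m.group(2).lower(), "service": ""})
            continue
        m = SERVICE_RE.search(line)
        if m and nodes:
            nodes[-1]["service"] = m.group(1)   # belongs to the most recent DevNode
    return nodes


def devstack_commands(nodes: List[Dict[str, str]],
                      service: Optional[str] = None) -> List[str]:
    """Build `!devstack 0x<PdoAddress>` commands; `service` filters like `!devnode 0 1 <service>`."""
    return [f"!devstack 0x{n['pdo']}" for n in nodes
            if service is None or n["service"].lower() == service.lower()]


if __name__ == "__main__":
    for cmd in process_detail_commands(parse_process_list(SAMPLE_PROCESS_LIST)):
        print(cmd)
    for cmd in devstack_commands(parse_devnode_list(SAMPLE_DEVNODE_LIST), "disk"):
        print(cmd)
```

Run against real output, the script is only as trustworthy as the text you paste in: a PROCESS block with no Image line yields an empty image name, and a DevNode without a ServiceName line is kept with an empty service so it still appears in the unfiltered !devstack list, which is the behaviour you want when looking for nodes that never started.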
21. For information about the disk.sys driver, enter the following command: !drvobj disk 2
22. The !drvobj output shows the addresses of the driver's dispatch routines, for example classpnp!ClassGlobalDispatch. To set a breakpoint on ClassGlobalDispatch and verify that it is set, enter the following commands: bu classpnp!ClassGlobalDispatch and then bl
23. To end the debugging session, enter the following command: qd