Search notes:

Debugging Windows applications

Most Windows debuggers use the debug API that is provided by dbghelp.dll. The most interesting functions of this DLL are
Other functions that allow the debugger to interact with the target process include
A process can determine if it being debugged by calling IsDebuggerPresent().
If a process is being debugged, it can communicate with the debugger with functions like

Exceptions

When an application that is debugged encounters an exception in user mode, the kernel traps the exception and passes it to the (user mode) exception dispatcher.
the debugger. This seems to be the first chance exception.
If the debugger does not handle the exception, the user mode dispatcher checks for one (or more) installed vectored exception handlers (VEHs) and calls them until one handles the exception.
If none of the VEHs handled the exception, the chain of structured exception handlers is traversed until a SEH is found that handles the exception.
If none of the SEHs handles the exception, the exception is raised again

Kernel mode debugging

The two (Microsoft) debuggers that allow kernel mode debugging are kd.exe and windbg.exe.
Two computers, a target and a host, are needed for kernel mode debugging. These are connect by a
The target computer must be booted in debugging mode which can be configured with bcdedit.exe or msconfig.exe.
TODO: is the ability to connect to the debugged computer with a local network related to the kdnic.sys driver?

TODO

PSRVTABLE, KeServiceDescriptorTable (As found in RegMon source REGSYS.C).
DbgShell, a PowerShell front-end for the Windows debugger engine (dbgeng.dll).

CreateRemoteThread to inject a thread into a process

CreateRemoteThread is commonly used to inject a thread into a process that is being debugged in order to issue a break or query heap and other process information.
This technique is however not recommended because extra thread is confusing to the person debugging the application and there are several side effects to using this technique, including
  • Conversion of single thread applications to mutlithreaded ones
  • Changing the timing and memory layout of the process
  • Calling the entry point of each DLL in the process

LdrpDoDebuggerBreak

What's the thing with LdrpDoDebuggerBreak, as often seen when using Debugging tools for Windows: 
… ntdll!LdrpDoDebuggerBreak+0x30
… ntdll!LdrpInitializeProcess+0x1f42
… ntdll!LdrpInitialize+0x15f
… ntdll!LdrpInitialize+0x3b
… ntdll!LdrInitializeThunk+0xe

See also

the x86 instruction int 3, The cl intrinsic function __debugbreak() and the WinAPI function DebugBreak()
dbghelp.dll
The cl options /Z7, /Zi and /ZI.
Debugging Tools for Windows

Links

Debugging Tools for Windows (WinDbg, KD, CDB, NTSD), dbgeng.dll
The Sysinternals tool DebugView.

Index

Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error: 8 attempt to write a readonly database in /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php:78 Stack trace: #0 /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php(78): PDOStatement->execute(Array) #1 /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php(30): insert_webrequest_('/notes/Windows/...', 1745452017, '3.135.212.173', 'Mozilla/5.0 App...', NULL) #2 /home/httpd/vhosts/renenyffenegger.ch/httpsdocs/notes/Windows/development/WinAPI/Debugging/index(137): insert_webrequest() #3 {main} thrown in /home/httpd/vhosts/renenyffenegger.ch/php/web-request-database.php on line 78