Kernel Pool Monitor – the GUI Version

Wednesday, September 14, 2016

The Windows Driver Kit (WDK) comes with a well-known and pretty old tool called PoolMon. PoolMon shows kernel allocations made with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocation carries a ‘tag’ – a four-byte value that should identify the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (unlike the memory of a user mode process, which is reclaimed when the process exits). If a kernel component or driver sees its tag with ever-increasing memory consumption, that would indicate a leak (unless it’s a transient burst of allocations...
no comments
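As an added example (not code from the post and not part of PoolMon), the two things a practitioner trips over when reading PoolMon output, in plain C: the byte order of a tag value, and a growth check across several samples that does not fire on a one-off burst. The snapshot rows are constructed by hand, not captured PoolMon output, and the "MTag" driver is invented.

```c
/* Pool tags the way PoolMon shows them, plus a growth check over several snapshots.
 * ExAllocatePoolWithTag takes the tag as a 32-bit integer; it lands in memory
 * little-endian and PoolMon prints the bytes in memory order. The value built by
 * POOL_TAG('M','T','a','g') therefore shows up as "MTag"; driver sources usually
 * spell the same value as the reversed multi-char literal 'gaTM'. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_TAG(a, b, c, d) ((uint32_t)(uint8_t)(a) | ((uint32_t)(uint8_t)(b) << 8) | \
                              ((uint32_t)(uint8_t)(c) << 16) | ((uint32_t)(uint8_t)(d) << 24))

/* Render a tag as PoolMon displays it (lowest byte first); non-printables become '.'. */
void tag_to_string(uint32_t tag, char out[5]) {
    for (int i = 0; i < 4; i++) {
        uint8_t ch = (uint8_t)(tag >> (8 * i));
        out[i] = (ch >= 0x20 && ch < 0x7f) ? (char)ch : '.';
    }
    out[4] = '\0';
}

/* One PoolMon row. Allocs and Frees are cumulative since boot; Bytes is what is
 * currently outstanding for that tag in that pool type. */
typedef struct { uint32_t tag; int paged; uint64_t allocs, frees, bytes; } pool_row;
typedef struct { const pool_row *rows; int n; } pool_snapshot;

static const pool_row *find_row(const pool_snapshot *s, uint32_t tag, int paged) {
    for (int i = 0; i < s->n; i++)
        if (s->rows[i].tag == tag && s->rows[i].paged == paged) return &s->rows[i];
    return NULL;
}

/* Leak heuristic: report a tag only if its outstanding bytes rise at every step of the
 * series. Comparing just two samples would also flag a transient burst; requiring
 * monotonic growth across all samples filters bursts that are freed again by the next
 * one. Returns the number of candidates and writes up to 'cap' tags into 'out'. */
int find_leak_candidates(const pool_snapshot *snaps, int nsnaps, uint32_t *out, int cap) {
    int n = 0;
    if (nsnaps < 2) return 0;
    const pool_snapshot *last = &snaps[nsnaps - 1];
    for (int i = 0; i < last->n; i++) {
        const pool_row *cur = &last->rows[i];
        uint64_t later = cur->bytes;
        int growing = 1;
        for (int k = nsnaps - 2; k >= 0 && growing; k--) {
            const pool_row *r = find_row(&snaps[k], cur->tag, cur->paged);
            uint64_t earlier = r ? r->bytes : 0;   /* tag absent earlier: nothing was outstanding */
            if (earlier >= later) growing = 0;      /* flat or shrinking step: not a steady leak */
            later = earlier;
        }
        if (growing && n < cap) out[n++] = cur->tag;
    }
    return n;
}

/* Constructed sample series (not real PoolMon output): three samples taken over time.
 * "MTag" grows steadily, "File" spikes once and recovers, "Ntfs" is flat. */
static const pool_row s0[] = {
    { POOL_TAG('M','T','a','g'), 0, 1000, 900, 51200 },
    { POOL_TAG('F','i','l','e'), 1, 5000, 4990, 2048 },
    { POOL_TAG('N','t','f','s'), 0, 700, 690, 4096 } };
static const pool_row s1[] = {
    { POOL_TAG('M','T','a','g'), 0, 2000, 900, 512000 },
    { POOL_TAG('F','i','l','e'), 1, 9000, 8000, 409600 },
    { POOL_TAG('N','t','f','s'), 0, 800, 790, 4096 } };
static const pool_row s2[] = {
    { POOL_TAG('M','T','a','g'), 0, 3000, 900, 1024000 },
    { POOL_TAG('F','i','l','e'), 1, 12000, 11990, 2048 },
    { POOL_TAG('N','t','f','s'), 0, 900, 890, 4096 } };
const pool_snapshot sample_series[3] = { { s0, 3 }, { s1, 3 }, { s2, 3 } };

int main(void) {
    uint32_t hits[8]; char name[5];
    int n = find_leak_candidates(sample_series, 3, hits, 8);
    for (int i = 0; i < n; i++) { tag_to_string(hits[i], name); printf("possible leak: %s\n", name); }
    return 0;
}
```

With only the first two samples the "File" burst is flagged as well; with all three it drops out, which is the caveat the post raises. Match on both tag and pool type, since PoolMon lists Paged and NonPaged rows for the same tag separately.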

PE Explorer (Work in progress)

Saturday, July 16, 2016

The other day I wanted to take a look at a DLL file and see its imports, exports, resources and other interesting information. There are several tools out there that show part of this information, some of which are not free, so I thought: why not create a Portable Executable (PE) viewer myself? If nothing else, at least to gain a better understanding of the PE format. The PE format is called "Portable" because it is not inherently tied to Windows and can represent files on any OS. The format has evolved over the years but still retains its backwards...
no comments
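An added example, not the PE Explorer code the post describes: a bounds-checked walk of the PE headers in C, from the DOS header through the section table, plus the RVA-to-file-offset mapping a viewer needs before it can read imports, exports or resources. The struct layouts follow the published PE format; the 2 KB image it parses is constructed in memory (headers only, no code) so the program runs without a real DLL, and the section names and directory values in it are made up.

```c
/* Bounds-checked PE header walk: DOS header -> "PE\0\0" -> file header ->
 * optional header (PE32 or PE32+) -> section table, plus RVA -> file offset.
 * Struct layouts are written by hand so this builds without windows.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } dos_hdr;            /* 64 bytes */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } file_hdr;  /* 20 bytes */
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                 PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations,
                 NumberOfLinenumbers; uint32_t Characteristics; } sect_hdr;                       /* 40 bytes */
#pragma pack(pop)

typedef struct {
    const uint8_t *buf; size_t len;
    uint16_t magic;      /* 0x10b = PE32, 0x20b = PE32+ */
    uint16_t nsect;
    size_t sect_off;     /* file offset of the section table */
    uint32_t ndirs;      /* NumberOfRvaAndSizes, clamped to what the optional header holds */
    size_t dirs_off;     /* file offset of the first data directory entry (RVA, Size; 8 bytes each) */
} pe_image;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Returns 0 on success, -1 if any header falls outside the buffer. A hostile file can
 * put anything in e_lfanew, SizeOfOptionalHeader or NumberOfSections, so every offset
 * is validated against 'len' before it is dereferenced. */
int pe_parse(const uint8_t *buf, size_t len, pe_image *pe) {
    if (len < sizeof(dos_hdr) || rd16(buf) != 0x5A4D) return -1;                 /* "MZ" */
    uint32_t pe_off = rd32(buf + offsetof(dos_hdr, e_lfanew));
    if (pe_off > len || len - pe_off < 4 + sizeof(file_hdr)) return -1;
    if (rd32(buf + pe_off) != 0x00004550) return -1;                              /* "PE\0\0" */
    const uint8_t *fh = buf + pe_off + 4;
    size_t opt_off = pe_off + 4 + sizeof(file_hdr);
    uint16_t opt_size = rd16(fh + offsetof(file_hdr, SizeOfOptionalHeader));
    if (len - opt_off < opt_size) return -1;
    uint16_t magic = opt_size >= 2 ? rd16(buf + opt_off) : 0;
    size_t cnt_off = magic == 0x20b ? 108 : magic == 0x10b ? 92 : 0;              /* NumberOfRvaAndSizes */
    if (cnt_off == 0 || opt_size < cnt_off + 4) return -1;
    uint32_t ndirs = rd32(buf + opt_off + cnt_off);
    uint32_t room = (uint32_t)((opt_size - cnt_off - 4) / 8);
    uint16_t nsect = rd16(fh + offsetof(file_hdr, NumberOfSections));
    size_t sect_off = opt_off + opt_size;
    if ((len - sect_off) / sizeof(sect_hdr) < nsect) return -1;
    pe->buf = buf; pe->len = len; pe->magic = magic; pe->nsect = nsect;
    pe->sect_off = sect_off; pe->ndirs = ndirs < room ? ndirs : room;
    pe->dirs_off = opt_off + cnt_off + 4;
    return 0;
}

/* Map an RVA to a file offset through the section table. Returns -1 when the RVA lies
 * in no section, in a section's zero-filled tail that has no bytes on disk, or past EOF. */
long pe_rva_to_offset(const pe_image *pe, uint32_t rva) {
    for (uint16_t i = 0; i < pe->nsect; i++) {
        sect_hdr s; memcpy(&s, pe->buf + pe->sect_off + i * sizeof s, sizeof s);
        uint32_t span = s.VirtualSize ? s.VirtualSize : s.SizeOfRawData;
        if (rva < s.VirtualAddress || rva - s.VirtualAddress >= span) continue;
        uint32_t delta = rva - s.VirtualAddress;
        uint64_t off = (uint64_t)s.PointerToRawData + delta;
        if (delta >= s.SizeOfRawData || off >= pe->len) return -1;
        return (long)off;
    }
    return -1;
}

/* Fetch data directory 'idx' (0 = export, 1 = import, 2 = resource, ...). */
int pe_data_dir(const pe_image *pe, uint32_t idx, uint32_t *rva, uint32_t *size) {
    if (idx >= pe->ndirs) return -1;
    *rva = rd32(pe->buf + pe->dirs_off + idx * 8); *size = rd32(pe->buf + pe->dirs_off + idx * 8 + 4);
    return 0;
}

/* Constructed 2 KB PE32+ image for testing: two sections, an export directory inside
 * .rdata, and an import directory that points outside every section, the kind of
 * inconsistency a viewer must reject instead of reading past the end of its buffer. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t total = 0x800, pe_off = 0x80, opt_off = pe_off + 4 + sizeof(file_hdr);   /* 0x98 */
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "MZ", 2);
    uint32_t lfanew = (uint32_t)pe_off; memcpy(buf + offsetof(dos_hdr, e_lfanew), &lfanew, 4);
    memcpy(buf + pe_off, "PE\0\0", 4);
    file_hdr fh = { 0x8664, 2, 0, 0, 0, 240, 0x2022 };   /* x64, 2 sections, 240-byte PE32+ optional header */
    memcpy(buf + pe_off + 4, &fh, sizeof fh);
    uint16_t magic = 0x20b; memcpy(buf + opt_off, &magic, 2);
    uint32_t ndirs = 16;    memcpy(buf + opt_off + 108, &ndirs, 4);
    uint32_t export_dir[2] = { 0x2010, 0x40 }, import_dir[2] = { 0x3000, 0x28 };
    memcpy(buf + opt_off + 112, export_dir, 8);          /* directory 0 */
    memcpy(buf + opt_off + 120, import_dir, 8);          /* directory 1 */
    sect_hdr s[2]; memset(s, 0, sizeof s);
    memcpy(s[0].Name, ".text", 5);  s[0].VirtualSize = 0x200; s[0].VirtualAddress = 0x1000; s[0].SizeOfRawData = 0x200; s[0].PointerToRawData = 0x400;
    memcpy(s[1].Name, ".rdata", 6); s[1].VirtualSize = 0x100; s[1].VirtualAddress = 0x2000; s[1].SizeOfRawData = 0x200; s[1].PointerToRawData = 0x600;
    memcpy(buf + opt_off + 240, s, sizeof s);
    return total;
}

int main(void) {
    uint8_t img[0x800]; pe_image pe;
    build_sample_pe(img, sizeof img);
    if (pe_parse(img, sizeof img, &pe) != 0) { puts("malformed PE"); return 1; }
    printf("magic 0x%x, %u sections\n", (unsigned)pe.magic, (unsigned)pe.nsect);
    for (uint32_t i = 0; i < 2 && i < pe.ndirs; i++) {
        uint32_t rva, size; pe_data_dir(&pe, i, &rva, &size);
        printf("directory %u: rva 0x%x size 0x%x -> file offset %ld\n", (unsigned)i, rva, size, pe_rva_to_offset(&pe, rva));
    }
    return 0;
}
```

A viewer is exactly the kind of tool that gets pointed at untrusted files, which is why every value the file controls is checked against the buffer length before use and why an RVA with no backing bytes yields -1 rather than a pointer. To use it on a real file, read the whole file into memory and hand the bytes to pe_parse; PE32 files work unchanged, since only the offset of NumberOfRvaAndSizes differs (92 instead of 108).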

Code Injection with Image File Execution Options

Saturday, April 9, 2016

A well-known feature of Windows is the Image File Execution Options registry key, located at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Under that key, subkeys named after executable files (e.g. Notepad.exe) can be created and various options set. These options are honored whenever a process whose image name matches the subkey name (from any directory) is about to be created. A convenient tool for setting these options is the Gflags.exe utility, available as part of the Debugging Tools for Windows. One of the useful values is "Debugger", which causes another process (typically a debugger) to be launched when the specified executable is...
3 comments
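An added example, not code from the post: because a Debugger value applies to every launch of the named image from any directory, it is the one IFEO value worth auditing when looking for injected or hijacked processes. The C program below scans a registry export in .reg text form for IFEO subkeys that set Debugger. The export it scans is constructed, the debugger path in it is invented, and GlobalFlag (what Gflags.exe normally writes) is deliberately left alone.

```c
/* Audit helper: find Image File Execution Options subkeys that set "Debugger" in a
 * registry export (.reg text). IFEO keys on the image file name alone, so one Debugger
 * value redirects every launch of that executable from any directory, which is why the
 * value deserves a look during incident response. Plain C, no Windows headers, so it
 * runs on exported data from any machine. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IFEO_PREFIX "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"

typedef struct { char image[64]; char debugger[256]; } ifeo_hit;

/* Registry paths and value names are case-insensitive, so compare that way. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Copy a quoted .reg string value up to its closing quote, undoing the escapes
 * the format uses ("\\" for a backslash, "\"" for a quote). */
static void unescape_value(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src && *src != '"' && *src != '\n' && n + 1 < cap; src++) {
        if (*src == '\\' && src[1]) src++;
        dst[n++] = *src;
    }
    dst[n] = '\0';
}

/* Walk the export line by line, tracking the current key. Returns how many IFEO
 * subkeys carry a Debugger value; the first 'cap' of them are copied into 'hits'. */
int scan_ifeo_debuggers(const char *reg_text, ifeo_hit *hits, int cap) {
    char image[64] = "";        /* leaf name of the current key, if it is an IFEO subkey */
    int found = 0;
    for (const char *line = reg_text; *line; ) {
        const char *eol = strchr(line, '\n');
        if (line[0] == '[') {
            image[0] = '\0';
            if (has_prefix_ci(line + 1, IFEO_PREFIX)) {
                const char *leaf = line + 1 + strlen(IFEO_PREFIX);
                size_t l = 0;
                while (leaf[l] && leaf[l] != ']' && leaf[l] != '\\' && leaf[l] != '\n' && l + 1 < sizeof image) {
                    image[l] = leaf[l]; l++;
                }
                image[l] = '\0';
                if (leaf[l] != ']') image[0] = '\0';   /* deeper subkey (e.g. PerfOptions) or truncated: skip */
            }
        } else if (image[0] && has_prefix_ci(line, "\"Debugger\"=\"")) {
            if (found < cap) {
                strcpy(hits[found].image, image);
                unescape_value(line + 12, hits[found].debugger, sizeof hits[found].debugger);
            }
            found++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return found;
}

/* Constructed sample export (ASCII, not from a real machine); the paths are invented. */
static const char sample_export[] =
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe]\r\n"
    "\"GlobalFlag\"=dword:00000002\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe]\r\n"
    "\"Debugger\"=\"C:\\\\Tools\\\\launcher.exe /inject\"\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Agent]\r\n"
    "\"Debugger\"=\"not an IFEO entry\"\r\n";

const char *ifeo_sample_export(void) { return sample_export; }

int main(void) {
    ifeo_hit hits[8];
    int n = scan_ifeo_debuggers(sample_export, hits, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("IFEO Debugger set for %s -> %s\n", hits[i].image, hits[i].debugger);
    return 0;
}
```

regedit writes Version 5.00 exports as UTF-16, so convert a real export to an 8-bit encoding before scanning it. The scan only reports Debugger values directly under an image subkey; values under deeper subkeys such as PerfOptions are ignored, and a Debugger value anywhere outside the IFEO tree is not an IFEO entry and is skipped.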

RegRenameKey – Hidden registry API

Tuesday, September 29, 2015

While working on a pet project called Registry Explorer (yes, I know there are a bunch of those floating around, most of them pretty old), intended to be yet another RegEdit.exe replacement, I wanted to add the option to rename a registry key (which RegEdit.exe allows as well). However, looking at the registry APIs (both managed and native), there seems to be no function to rename a key. The closest is the ability to copy a key (with its subkeys and values) via RegCopyTree, so that I could copy the original key under the new name and then delete the original...
one comment

Writing a Simple Debugger with DbgEng.Dll

Monday, July 27, 2015

In my post on using CLRMD’s debugger engine wrappers to “debug” a dump file, I showed how we can take advantage of the documented API of DbgEng.Dll – the debugger engine that drives the Microsoft debuggers CDB, NTSD, KD and WinDbg. In this post, we’ll take a step further and create a basic functioning user mode debugger that is able to attach to a process and do “normal” debugging, somewhat similar to CDB/NTSD but with some small colorful bonuses. As you may recall, I took the CLRMD project and made some enhancements to the callback interop types...
no comments

Using CLRMD to replace KD/CDB/NTSD and maybe WinDbg?

Thursday, May 14, 2015

I’ve been using the WinDbg low level debugger for several years now when things get hairy, such as looking inside a .NET process and searching for memory leaks and other nasties, investigating a dump file (sometimes a kernel crash dump created because of the infamous “blue screen of death”), or when faced with a production system where Visual Studio does not (and will not) exist. Anyone who’s ever used WinDbg (or its equivalent console based debuggers – CDB, NTSD and KD) knows the feeling of wanting to get at some information but not being sure how...
one comment

Build 2015 Impressions

Saturday, May 2, 2015

The Build 2015 conference just ended. It was one of the most important Build/PDC conferences since the event’s inception. Most (if not all) sessions are available on Channel 9, and even those who attended Build (myself included) saw only a fraction of the sessions, since there were about 10 of them in each time slot. To get a good overview of the various announcements and links to important downloads, you should head to this post on the Visual Studio blog. What follows are my own impressions and opinions on some of what I experienced at this year’s...
no comments

Tip: Enable Kernel Debug output on Vista and up

Wednesday, December 17, 2014

Those writing device drivers, or anyone interested in seeing the output of a kernel driver’s calls to the KdPrint macro or the DbgPrint function, may find that the messages don’t appear on Windows Vista or newer versions of Windows. Even when using a tool such as DebugView (from Sysinternals), running with administrative privileges and with kernel capture turned on, nothing seems to appear from the expected drivers. The reason is that on Vista and up kernel debug output is conditional: it is filtered by the component ID and level flags that KdPrintEx, DbgPrintEx, etc. accept. A complete explanation can be found in the MS...
2 comments

Debugger Visualizer for Non-Serializable Types

Wednesday, March 19, 2014

A debugger visualizer provides a rich way to “visualize”, in some sense, a .NET object within Visual Studio while debugging. Writing a basic debugger visualizer is simple enough: create a Class Library project with a class that derives from DialogDebuggerVisualizer and override the Show method. Inside the Show method, a call to the IVisualizerObjectProvider.GetObject method (the interface is provided as an argument to Show) retrieves the object in question. The next step is to create the actual “visualizer” and show it with a call to the IDialogVisualizerService.ShowDialog method. To actually advertise the existence of the visualizer, an assembly level attribute...
no comments