Download - Advanced Debugging with WinDbg and SOS
Sasha Goldshtein
CTOSela Group
@goldshtnblog.sashag.net
Advanced Debugging with
WinDbg and SOS
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
AN HOUR FROM NOW,YOU’LL KNOW HOW TO:
Capture crash and hang dumps Pinpoint basic crash causes from
dumps Inspect heap objects and graphs to find
memory leaks Identify deadlocked threads
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
DUMPS 101
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
A DUMP IS A SNAPSHOT OF A RUNNING PROCESS. YOU CAN
SAVE IT, MOVE IT AROUND, AND ANALYZE IT LATER. YOU CAN’T
“DEBUG” IT.
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
TWO TYPES OF DUMPS:
Crash Dump The program crashed
Hang Dump The program didn’t crash
Yet
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
SYSINTERNALS PROCDUMP: TAKE DUMPS EASILY, ANYWHERE, AND
WITH NO PUN INTENDED.
Procdump -ma -e MyApp.exeProcdump -h -x C:\temp\myapp.exeProcdump -c 90 -n 3 -s 5 MyApp.exeProcdump -e 1 1234
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
CRASH ROOT CAUSE FROM A DUMP
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
DRAG AND DROP A DUMP FILE INTO VISUAL STUDIO. CLICK THE
GREEN BUTTON. VOILA, IT WORKS.*
* NITPICKER’S CORNER: YOU NEED SYMBOLS AND SOURCES TO BE LINED UP PROPERLY.
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
“
”
YOU WILL INSTALL VISUAL STUDIO ON MY BOXEN OVER MY DEAD BODY. GOOD DAY.
I SAID “GOOD DAY”.
Joe the IT Admin
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
10
ENTER:
WinDbg Lightweight GUI debugger
Super-scriptable
Super-extensible
Knows nothing about .NET
SOS WinDbg extension for .NET
Ships with .NET Framework
Or on the symbol server*
Knows all about .NET
* As of CLR 4.0, for GDR versions
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
TAKE 2:
Drag and drop a dump file into WinDbg. Hmm. Now what?
!analyze -v !PrintException!CLRStack .load sosex!mk !mdt
.for (r $t0=@ebp; poi(@$t0)!=0; r $t0=poi(@$t0)) { !mln poi(@$t0+4) }
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
MEMORY LEAKS: THE EASY WAY
Not in this talk. Shell out $500 for a decent memory profiler.
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
MEMORY LEAKS: THE HARD WAY
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
WHAT WE NEED:
1. A list of all heap objects
2. A diff of heap objects between dumps
3. Why these heap objects won’t go away
!dumpheap -stat !objsize!gcroot !refs
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
DEADLOCKS
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
WHAT WE NEED:
1. What is thread X waiting for
2. (Suppose it’s sync object Y)
3. Which thread owns sync object Y
!syncblk !mwaits!mlocks !dlk
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
ADDITIONAL REFERENCES
www.devconnections.com
ADVANCED DEBUGGING WITH WINDBG AND SOS
18
THANK YOU!
Sasha Goldshtein@goldshtn
![WinDbg: trivial examining of the stack - Blackstorm Security · April 13, 2017 [WINDBG: TRIVIAL EXAMINING OF THE STACK] 1 WinDbg: trivial examining of the stack revision: 1 author:](https://cdn.vdocument.in/doc/165x107/5c68e4c609d3f290788c3d16/windbg-trivial-examining-of-the-stack-blackstorm-april-13-2017-windbg.jpg)