OpenRCE Forums >> Debuggers >> WinDBG Thread Tracing Information

Topic created on: October 16, 2006 07:37 CDT by ghooti.

Hi,

I am really sorry if this isn't the correct place to ask this, but I'm at my wits' end.

When tracing in WinDbg, is it possible to show which thread you are in at the time? (I know ~ will show it, but if you trace 10000 instructions, can I check without breaking on create thread/etc.?)

If not, does anyone have any other suggestions? I am trying to trace a multithreaded app; all I really need is EIP, thread and command(s) [registers are irrelevant at this moment in time]. And no, I don't know Python; I do, however, know Perl.

Thanks :)

gh.

  anonymouse     October 16, 2006 10:54.19 CDT
Threads mostly don't yield execution to another thread unless you execute them, as far as I've seen.

Yes, using ~ (tilde) will show you the threads that are running at any point in time.

I haven't understood your "after tracing 10000 instructions, can I check". If you are talking about usage of ~, you can use it at any point in time, whether at the start or after tracing 10000 instructions.

Also look at the prompt; it normally shows

0.0000
1.0000
2.002 etc., which will indicate the process and thread that you are currently tracing.

  sa7ori     October 16, 2006 12:27.59 CDT
Hey, for Win2k and early XP you might want to also keep in mind that TEBs are all aligned at about 1000h from the PEB base.
--sa7



  ghooti     October 17, 2006 05:24.34 CDT
> anonymouse:
> I haven't understood your "after tracing 10000 instructions, can I check". If you are talking about usage of ~, you can use it at any point in time, whether at the start or after tracing 10000 instructions.

Hi,

Thanks for the response; I explained that pretty badly. What I mean is this...

Yeah, I was looking for it during tracing, and there is no prompt when tracing, only before and after.

0:000> ~
.  0  Id: 898.59c Suspend: 1 Teb: 7ffde000 Unfrozen
   1  Id: 898.22c Suspend: 1 Teb: 7ffdd000 Unfrozen
   2  Id: 898.62c Suspend: 1 Teb: 7ffdc000 Unfrozen

The mark before the thread entry is the active thread. When I trace, though, that disappears; all I want is for that to appear in the trace:

[thread] 77f8afd9 e8be0e0200       call    ntdll!RtlInitUnicodeString (77fabe9c)
[thread] 77fabe9c 57               push    edi
[thread] 77fabe9d 8b7c240c         mov     edi,[esp+0xc]     ss:0023:0006f7c8=00000000
[thread] 77fabea1 8b542408         mov     edx,[esp+0x8]     ss:0023:0006f7c4=7ffdf1dc

This kind of happens if I only trace one command at a time, but not if I type "t 20". I am sure that I must be missing something..?

  anonymouse     October 17, 2006 13:46.47 CDT
> ghooti:
> [thread] 77f8afd9 e8be0e0200       call    ntdll!RtlInitUnicodeString (77fabe9c)
> [thread] 77fabe9c 57               push    edi
> [thread] 77fabe9d 8b7c240c         mov     edi,[esp+0xc]     ss:0023:0006f7c8=00000000
> [thread] 77fabea1 8b542408         mov     edx,[esp+0x8]     ss:0023:0006f7c4=7ffdf1dc


Oh, you want WinDbg to print the TID it is currently tracing when you do t "count".

Well, I don't know, and maybe some garish unusable command line does exist to make it print that index; I'll post back if I encounter anything like that.

But I can provide you one WinDbg-ish command line.

No one in the right frame of mind can either understand or probably attempt to put together these garish command lines with the help of that cryptic help file, unless he has all the time in the world to do this kind of bs in WinDbg. It's a plain pita with WinDbg :(

I never tried to use the t count syntax. I was mostly interested in stopping when some thread has finished its thingamajig and another thread starts to do its voodoo, when I was poking around.

And I have this cryptic command line that would trace through the entire thread and stop when it has finished its execution and yields control to the next thread. Actually I am still not sure if this makes any sense at all; this was saved somewhere on my hard disk.

If you can decipher it and it suits your need then I am more than pleased. Don't ask for clarifications; I wouldn't know jack about why it may not work in your system :)

The command line was something like this:

0:002> p; r eip ;? $tid ;z(@$tid == 7e8)

I'll explain a little bit. The z is an "execute while the expression is true" format; p = step over; r eip = display the eip register; ? $tid is the evaluation of the thread index that's currently executing; and z will keep on doing this till it's true.

Here is the output which was lying on my hard disk.

The application which I tried this on was a CodeProject multithreaded tutorial by John Koppelin, a port of some article and code from DDJ.

0:002> p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c90101c
Evaluate expression: 2024 = 000007e8
redo [6] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c90101f
Evaluate expression: 2024 = 000007e8
redo [7] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c901022
Evaluate expression: 2024 = 000007e8
redo [8] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c901029
Evaluate expression: 2024 = 000007e8
redo [9] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c90102b
Evaluate expression: 2024 = 000007e8
redo [10] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c927357
Evaluate expression: 2024 = 000007e8
redo [11] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918db3
Evaluate expression: 2024 = 000007e8
redo [12] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918db9
Evaluate expression: 2024 = 000007e8
redo [13] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dbf
Evaluate expression: 2024 = 000007e8
redo [14] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dc2
Evaluate expression: 2024 = 000007e8
redo [15] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dc5
Evaluate expression: 2024 = 000007e8
redo [16] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dc8
Evaluate expression: 2024 = 000007e8
redo [17] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dce
Evaluate expression: 2024 = 000007e8
redo [18] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dd0
Evaluate expression: 2024 = 000007e8
redo [19] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dd6
Evaluate expression: 2024 = 000007e8
redo [20] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dd9
Evaluate expression: 2024 = 000007e8
redo [21] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dde
Evaluate expression: 2024 = 000007e8
redo [22] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918de2
Evaluate expression: 2024 = 000007e8
redo [23] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918de7
Evaluate expression: 2024 = 000007e8
redo [24] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dec
Evaluate expression: 2028 = 000007ec
0:003> p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c901230
Evaluate expression: 1928 = 00000788
0:004> p; r eip ;? $tid ;z(@$tid == 788)
eip=7c901231
Evaluate expression: 1928 = 00000788
redo [1] p; r eip ;? $tid ;z(@$tid == 788)
eip=7c9507a8
Evaluate expression: 1928 = 00000788
redo [2] p; r eip ;? $tid ;z(@$tid == 788)
eip=7c9507bb
Evaluate expression: 1928 = 00000788
redo [3] p; r eip ;? $tid ;z(@$tid == 788)
eip=7c9507bf
Evaluate expression: 1928 = 00000788
redo [4] p; r eip ;? $tid ;z(@$tid == 788)
(cf0.7e8): Break instruction exception - code 80000003 (first chance)
eip=7c901230
Evaluate expression: 2024 = 000007e8
0:002> p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c901231
Evaluate expression: 2024 = 000007e8
redo [1] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918def
Evaluate expression: 2028 = 000007ec
0:003> p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c918df5
Evaluate expression: 2028 = 000007ec
redo [1] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c918dfa
Evaluate expression: 2028 = 000007ec
redo [2] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c90eac7
Evaluate expression: 2028 = 000007ec
redo [3] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c90eac9
Evaluate expression: 2028 = 000007ec
redo [4] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c9507a8
Evaluate expression: 2024 = 000007e8
0:002> p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c9507bb
Evaluate expression: 2024 = 000007e8
redo [1] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c9507bf
Evaluate expression: 2024 = 000007e8
redo [2] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c9507c1
Evaluate expression: 2024 = 000007e8
redo [3] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c90eaca
Evaluate expression: 2028 = 000007ec
0:003> p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c9507c1
Evaluate expression: 1928 = 00000788
0:004> p; r eip ;? $tid ;z(@$tid == 788)
(cf0.7ec): Break instruction exception - code 80000003 (first chance)
eip=7c901230
Evaluate expression: 2028 = 000007ec
0:003> p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c901231
Evaluate expression: 2028 = 000007ec
redo [1] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c9507a8
Evaluate expression: 2028 = 000007ec
redo [2] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c9507bb
Evaluate expression: 2028 = 000007ec
redo [3] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c9507bf
Evaluate expression: 2028 = 000007ec
redo [4] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c9507c1
Evaluate expression: 2028 = 000007ec
redo [5] p; r eip ;? $tid ;z(@$tid == 7ec)
WARNING: Step/trace thread exited
eip=7c90eb94
Evaluate expression: 2028 = 000007ec
redo [6] p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c901230
Evaluate expression: 1192 = 000004a8
0:005> p; r eip ;? $tid ;z(@$tid == 4a8)
eip=7c901231
Evaluate expression: 1192 = 000004a8
redo [1] p; r eip ;? $tid ;z(@$tid == 4a8)
eip=7c9507a8
Evaluate expression: 1192 = 000004a8
redo [2] p; r eip ;? $tid ;z(@$tid == 4a8)
eip=7c9507bb
Evaluate expression: 1192 = 000004a8
redo [3] p; r eip ;? $tid ;z(@$tid == 4a8)
eip=7c9507bf
Evaluate expression: 1192 = 000004a8
redo [4] p; r eip ;? $tid ;z(@$tid == 4a8)
eip=7c9507c1
Evaluate expression: 1192 = 000004a8
redo [5] p; r eip ;? $tid ;z(@$tid == 4a8)
WARNING: Step/trace thread exited
eip=7c90eb94
Evaluate expression: 1192 = 000004a8
redo [6] p; r eip ;? $tid ;z(@$tid == 4a8)
eip=7c901230
Evaluate expression: 536 = 00000218
0:011> p; r eip ;? $tid ;z(@$tid == 218)
eip=7c901231
Evaluate expression: 536 = 00000218
redo [1] p; r eip ;? $tid ;z(@$tid == 218)
eip=7c9507a8
Evaluate expression: 536 = 00000218
redo [2] p; r eip ;? $tid ;z(@$tid == 218)
eip=7c9507bb
Evaluate expression: 536 = 00000218
redo [3] p; r eip ;? $tid ;z(@$tid == 218)
eip=7c9507bf
Evaluate expression: 536 = 00000218
redo [4] p; r eip ;? $tid ;z(@$tid == 218)
eip=7c9507c1
Evaluate expression: 536 = 00000218
redo [5] p; r eip ;? $tid ;z(@$tid == 218)
eip=7c901230
Evaluate expression: 1888 = 00000760
0:012> p; r eip ;? $tid ;z(@$tid == 760)
eip=7c901231
Evaluate expression: 1888 = 00000760
redo [1] p; r eip ;? $tid ;z(@$tid == 760)
eip=7c9507a8
Evaluate expression: 1888 = 00000760
redo [2] p; r eip ;? $tid ;z(@$tid == 760)
eip=7c9507bb
Evaluate expression: 1888 = 00000760
redo [3] p; r eip ;? $tid ;z(@$tid == 760)
eip=7c9507bf
Evaluate expression: 1888 = 00000760
redo [4] p; r eip ;? $tid ;z(@$tid == 760)
eip=7c9507c1
Evaluate expression: 1888 = 00000760
redo [5] p; r eip ;? $tid ;z(@$tid == 760)
WARNING: Step/trace thread exited
eip=7c90eb94
Evaluate expression: 1888 = 00000760
redo [6] p; r eip ;? $tid ;z(@$tid == 760)
eip=7c901230
Evaluate expression: 1264 = 000004f0
0:015> p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c901231
Evaluate expression: 1264 = 000004f0
redo [1] p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c9507a8
Evaluate expression: 1264 = 000004f0
redo [2] p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c9507bb
Evaluate expression: 1264 = 000004f0
redo [3] p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c9507bf
Evaluate expression: 1264 = 000004f0
redo [4] p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c9507c1
Evaluate expression: 1264 = 000004f0
redo [5] p; r eip ;? $tid ;z(@$tid == 4f0)
WARNING: Step/trace thread exited
eip=7c90eb94
Evaluate expression: 1264 = 000004f0
redo [6] p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c901230
Evaluate expression: 1276 = 000004fc
0:013> ~
   0  Id: cf0.eb8 Suspend: 1 Teb: 7ffdf000 Unfrozen
   6  Id: cf0.98 Suspend: 1 Teb: 7ffd4000 Unfrozen
   7  Id: cf0.48c Suspend: 1 Teb: 7ffab000 Unfrozen
   8  Id: cf0.1f8 Suspend: 1 Teb: 7ffaa000 Unfrozen
   9  Id: cf0.478 Suspend: 1 Teb: 7ffa8000 Unfrozen
  10  Id: cf0.21c Suspend: 1 Teb: 7ffa4000 Unfrozen
. 13  Id: cf0.4fc Suspend: 1 Teb: 7ffd8000 Unfrozen
  14  Id: cf0.10c Suspend: 1 Teb: 7ffae000 Unfrozen
  16  Id: cf0.484 Suspend: 1 Teb: 7ffaf000 Unfrozen
  17  Id: cf0.6d0 Suspend: 1 Teb: 7ffad000 Unfrozen
  18  Id: cf0.f94 Suspend: 1 Teb: 7ffa6000 Unfrozen
  19  Id: cf0.684 Suspend: 1 Teb: 7ffa2000 Unfrozen
  20  Id: cf0.3b4 Suspend: 1 Teb: 7ffa0000 Unfrozen
  21  Id: cf0.204 Suspend: 1 Teb: 7ff9e000 Unfrozen
  22  Id: cf0.a8 Suspend: 1 Teb: 7ffa9000 Unfrozen
  23  Id: cf0.4f8 Suspend: 1 Teb: 7ffac000 Unfrozen
  24  Id: cf0.434 Suspend: 1 Teb: 7ffa7000 Unfrozen
  25  Id: cf0.43c Suspend: 1 Teb: 7ffa5000 Unfrozen
  26  Id: cf0.7f4 Suspend: 1 Teb: 7ffa3000 Unfrozen
  27  Id: cf0.4c4 Suspend: 1 Teb: 7ffa1000 Unfrozen
  28  Id: cf0.3c0 Suspend: 1 Teb: 7ff9f000 Unfrozen
  29  Id: cf0.7c Suspend: 1 Teb: 7ff9d000 Unfrozen
  30  Id: cf0.81c Suspend: 1 Teb: 7ff9c000 Unfrozen
  31  Id: cf0.f04 Suspend: 1 Teb: 7ff9a000 Unfrozen
  32  Id: cf0.2b8 Suspend: 1 Teb: 7ff98000 Unfrozen
  33  Id: cf0.748 Suspend: 1 Teb: 7ff96000 Unfrozen
  34  Id: cf0.834 Suspend: 1 Teb: 7ff93000 Unfrozen
  35  Id: cf0.368 Suspend: 1 Teb: 7ff99000 Unfrozen
  36  Id: cf0.804 Suspend: 1 Teb: 7ff9b000 Unfrozen
0:013> p; r eip ;? $tid ;z(@$tid == 4f0)
eip=7c901231
Evaluate expression: 1276 = 000004fc
0:013> p; r eip ;? $tid ;z(@$tid == 4fc)
eip=7c9507a8
Evaluate expression: 1276 = 000004fc
redo [1] p; r eip ;? $tid ;z(@$tid == 4fc)
eip=7c9507bb
Evaluate expression: 1276 = 000004fc
redo [2] p; r eip ;? $tid ;z(@$tid == 4fc)
eip=7c9507bf
Evaluate expression: 1276 = 000004fc
redo [3] p; r eip ;? $tid ;z(@$tid == 4fc)
eip=7c9507c1
Evaluate expression: 1276 = 000004fc
redo [4] p; r eip ;? $tid ;z(@$tid == 4fc)
WARNING: Step/trace thread exited
eip=7c90eb94
Evaluate expression: 1276 = 000004fc
redo [5] p; r eip ;? $tid ;z(@$tid == 4fc)
eip=7c901230
Evaluate expression: 152 = 00000098
0:006> ~



As you can see, there are lots of threads running, and you can also see the prompt getting changed and the redo numbers restarting from 1 again on new expressions.
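To turn a log like the one above into the per-step thread annotation ghooti asked for, the following Python script (an added example, not code from anyone in this thread) pairs each "eip=" line with the "? $tid" value printed right after it and reports where the executing thread changes; the embedded log is a shortened excerpt of the session above.

```python
import re

# Shortened excerpt of the WinDbg session posted above (sample input for
# this example): after each "p" step, "r eip" prints eip, then "? $tid".
SAMPLE_LOG = """\
0:002> p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c90101c
Evaluate expression: 2024 = 000007e8
redo [6] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c90101f
Evaluate expression: 2024 = 000007e8
redo [7] p; r eip ;? $tid ;z(@$tid == 7e8)
eip=7c918dec
Evaluate expression: 2028 = 000007ec
0:003> p; r eip ;? $tid ;z(@$tid == 7ec)
eip=7c901230
Evaluate expression: 1928 = 00000788
0:004> p; r eip ;? $tid ;z(@$tid == 788)
WARNING: Step/trace thread exited
eip=7c90eb94
Evaluate expression: 1928 = 00000788
"""

EIP_RE = re.compile(r"^eip=([0-9a-f]{8})$")
TID_RE = re.compile(r"^Evaluate expression: \d+ = ([0-9a-f]{8})$")

def parse_trace(log):
    """Pair each 'eip=' line with the '? $tid' result that follows it.
    Returns a list of (tid, eip) tuples, one per executed step."""
    steps, pending_eip = [], None
    for line in log.splitlines():
        m = EIP_RE.match(line)
        if m:
            pending_eip = int(m.group(1), 16)
            continue
        m = TID_RE.match(line)
        if m and pending_eip is not None:
            steps.append((int(m.group(1), 16), pending_eip))
            pending_eip = None
    return steps

def thread_switches(steps):
    """Step indices where the thread differs from the previous step, i.e.
    the points where the z() loop stops and the prompt changes in the log."""
    return [i for i in range(1, len(steps)) if steps[i][0] != steps[i - 1][0]]

def format_trace(steps):
    """Render '[tid] eip' lines, the annotation the original question wants."""
    return ["[%x] %08x" % (tid, eip) for tid, eip in steps]
```

Running parse_trace over a full saved session and printing format_trace gives one "[tid] eip" line per step, with thread_switches marking where control moved to another thread.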
