Early debugging is a wide topic. On a Windows PC it might mean any of the following, from latest to earliest:
- Application startup
- Service startup
- CSRSS (Client/Server Runtime Subsystem)
- Windows Setup and OS Loader
- MBR (Master boot record)
- BIOS POST (Power-on self-test)
Application startup
As we demonstrated with the user-mode debug event loop, when an application is launched from a debugger the first debug event it receives is CREATE_PROCESS_DEBUG_EVENT. The process creation event is the earliest point a user-mode debugger can reach: the process and its initial thread exist, and the main image and ntdll are mapped, but the loader has not run yet, so nothing has populated the PEB's module list and no user-mode code in the new process has executed a single instruction.
By default, Windows debuggers break at the loader's initial breakpoint, ntdll!LdrpDoDebuggerBreak, which fires only after the loader has mapped the statically linked DLLs. We can alter this behavior and make cdb stop at the process creation event itself (and at every module load) with the -xe option, the command-line form of sxe:
cdb.exe -xe cpr -xe ld notepad.exe
CommandLine: notepad.exe
ModLoad: 01000000 01014000   notepad.exe
0:000> lm
start    end        module name
01000000 01014000   notepad    (deferred)
0:000> !teb
TEB at 7ffdf000
error InitTypeRead( TEB )...
As you can see, the !teb extension fails because we are too early: the debugger's module list contains only notepad.exe (the loader has not run, so there is no module list in the PEB to read), and without ntdll's symbols the debugger has no _TEB type to format the structure with. There are always workarounds, though, as we discussed in Undocumented WinDBG: scan memory for image headers with .imgscan, then tell the debugger where ntdll is with .reload so it can load the symbols itself:
0:000> .imgscan; * Where is Mark Zbikowski?
MZ at 01000000, prot 00000002, type 01000000 - size 14000
  Name: notepad.exe
MZ at 7c900000, prot 00000002, type 01000000 - size b2000
  Name: ntdll.dll
0:000> .reload /s /f ntdll.dll=7c900000
0:000> lm
start    end        module name
01000000 01014000   notepad    (deferred)
7c900000 7c9b2000   ntdll      (pdb symbols)
0:000> !teb
TEB at 7ffdf000
    ExceptionList:        ffffffff
    StackBase:            00080000
    StackLimit:           0006f000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             000007d4 . 000005b4
    RpcHandle:            00000000
    Tls Storage:          00000000
    PEB Address:          7ffd8000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0
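To make clear what .imgscan has to do for us at that point, here is an added example in Python; it is not from the original page or from Debugging Tools for Windows. It walks a constructed memory dump page by page, validates MZ/PE headers, and reports each image's base, SizeOfImage and the module name taken from its export directory. The dump layout, the base addresses, the sizes and the two images are all constructed for the example; the real command queries the live process's address space rather than a byte string.

```python
"""Added example (not from the original page or from Debugging Tools for
Windows): a minimal stand-in for WinDbg's .imgscan over a constructed dump.

At CREATE_PROCESS_DEBUG_EVENT the loader has not run, so the debugger cannot
look ntdll up by name. It can still walk memory page by page looking for
MZ/PE headers; the name it reports has to come from the image itself, here
the export directory's Name field. Bases, sizes and names are constructed.
"""
import struct

PAGE_SIZE = 0x1000


def read_cstr(data: bytes, off: int, limit: int = 256) -> str:
    """Read a NUL-terminated ASCII string starting at data[off]."""
    end = data.find(b"\x00", off, off + limit)
    return data[off:end if end >= 0 else off + limit].decode("ascii", "replace")


def parse_image(data: bytes, off: int):
    """Validate a mapped PE image whose DOS header sits at data[off].
    Returns (SizeOfImage, export name) or None if this is not an image."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # "MZ" shows up in plain text too; insist the PE header is in the first page.
    if e_lfanew >= PAGE_SIZE or off + e_lfanew + 24 > len(data):
        return None
    nt = off + e_lfanew
    if data[nt:nt + 4] != b"PE\x00\x00":
        return None
    size_of_opt = struct.unpack_from("<H", data, nt + 20)[0]  # SizeOfOptionalHeader
    opt = nt + 24                                             # IMAGE_OPTIONAL_HEADER
    if size_of_opt < 0x60 or opt + size_of_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dir_off = 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dir_off = 112
    else:
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset in both
    name = ""
    if size_of_opt >= dir_off + 8:
        export_rva, export_size = struct.unpack_from("<II", data, opt + dir_off)
        # The image is mapped, so an RVA is simply an offset from the base.
        if export_size >= 40 and off + export_rva + 40 <= len(data):
            name_rva = struct.unpack_from("<I", data, off + export_rva + 12)[0]  # Name
            if off + name_rva < len(data):
                name = read_cstr(data, off + name_rva)
    return size_of_image, name


def imgscan(dump: bytes, base: int):
    """Return [(address, SizeOfImage, name)] for every image whose headers start
    on a page boundary in the dump; the dump begins at virtual address `base`."""
    hits = []
    for off in range(0, len(dump), PAGE_SIZE):
        parsed = parse_image(dump, off)
        if parsed:
            hits.append((base + off, parsed[0], parsed[1]))
    return hits


def build_image(name: bytes, size_of_image: int, pe32plus: bool = False) -> bytes:
    """Construct one page of a mapped PE image: DOS header, PE signature, file
    header, optional header and an export directory that names the module."""
    export_rva, name_rva = 0x200, 0x230
    magic, dir_off, machine = (0x20B, 112, 0x8664) if pe32plus else (0x10B, 96, 0x14C)
    opt_size = dir_off + 16 * 8                            # 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<II", opt, dir_off, export_rva, 40)  # export directory RVA, size
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    page = bytearray(PAGE_SIZE)
    page[0:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, 0x40)               # e_lfanew
    nt = b"PE\x00\x00" + file_hdr + bytes(opt)
    page[0x40:0x40 + len(nt)] = nt
    struct.pack_into("<I", page, export_rva + 12, name_rva)  # IMAGE_EXPORT_DIRECTORY.Name
    page[name_rva:name_rva + len(name) + 1] = name + b"\x00"
    return bytes(page)


DUMP_BASE = 0x7C900000  # constructed; mirrors the ntdll base seen in the session


def build_dump() -> bytes:
    """Four constructed pages: ntdll.dll, a decoy page that merely contains the
    text "MZ", an empty page, and a PE32+ image."""
    decoy = b"MZ is Mark Zbikowski, not a module".ljust(PAGE_SIZE, b"\x00")
    return b"".join([
        build_image(b"ntdll.dll", 0xB2000),
        decoy,
        bytes(PAGE_SIZE),
        build_image(b"example.dll", 0x10000, pe32plus=True),
    ])


if __name__ == "__main__":
    for addr, size, name in imgscan(build_dump(), DUMP_BASE):
        print(f"MZ at {addr:08x} - size {size:x}")
        print(f"  Name: {name}")
```

The real command walks the live process's address space region by region and prints a few more fields, but the principle is the same: the base it reports is exactly what `.reload /f ntdll.dll=<base>` then needs to load symbols for a module the loader has not registered yet. The decoy page is there because "MZ" is not rare in memory; a scanner that trusts the two-byte signature alone produces false hits, which is why e_lfanew and the PE signature are checked before anything is reported.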
Service startup
Most of what applies to application debugging applies to services as well, since both are user-mode processes. The differences are that several services can share a single hosting process (e.g. svchost.exe), so the code you care about is one DLL among many in that process, and that a service is started on demand by the Service Control Manager, normally in a different session from the interactive user, so the debugger is usually attached after the service starts (or set up so the service is launched under a debugger) rather than the service being started from the debugger's command line.
An excellent article about service debugging can be found at:
Windows Setup, OS Loader, CSRSS and WinLogon
The documentation shipped with Debugging Tools for Windows gives a brief introduction to each of these.
MSDN also describes these debugging tasks under Specialized Debugging Techniques.
POST and MBR
Most of this is real-mode code dealing with the low-level hardware (although the boot code that the MBR hands off to will eventually switch the CPU to protected mode). Not many people still work with the old memory models (TINY, SMALL, COMPACT, MEDIUM, LARGE and HUGE) and the A20 line (do you remember Tim Paterson and his DEBUG program?).
The MBR is relatively small (a single 512-byte sector, most of it code), and can simply be debugged in a software emulator.
I have never worked on POST, but I think people would use software emulators in combination with an ICE (in-circuit emulator).
WinDBG has limited support for real-mode debugging.
(to be continued...)