Debugging managed code.. from a newb for managed code debugging

Article
11/09/2009

Debugging managed code in WinDbg has never been my idea of fun. I wasn’t forcibly exposed to it enough I guess.

For example, if you look at https://blogs.msdn.com/spatdsg/archive/2009/02/23/there-and-back-again-the-life-of-a-bug-and-fix.aspx there is like a 5 step process for setting a breakpoint, instead of !bpmd. Well, the other day I dug deep into debugging some code to which I had no src or symbols, so I learned a bit – at least what I needed to in order to solve the issue :) – so this post is a bit of a bookmark or reminder for me, and maybe it will help someone else one day as well.

Load the magical debugger extensions..

Not sure which ones I need so I load a bunch..

C:\debuggers\clr10\sos.dll

C:\debuggers\sosex.dll

-- from https://www.stevestechspot.com/SOSEXV2NowAvailable.aspx

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sos.dll

Keepers:

!ip2md = instruction pointer to method descriptor

!savemodule = save binary from the debug

LOAD failures - see https://blogs.msdn.com/b/dougste/archive/2009/02/18/failed-to-load-data-access-dll-0x80004005-or-what-is-mscordacwks-dll.aspx

 0:024> !Threads
Failed to find runtime DLL (clr.dll), 0x80004005

 0:000> .loadby sos mscorwks
0:000> .cordll -ve -u -l
Automatically loaded SOS Extension
WARNING: Unable to register for CLR module notifications
CLRDLL: Loaded DLL c:\windows\microsoft.net\framework64\v2.0.50727\mscordacwks.dll
CLR DLL status: Loaded DLL c:\windows\microsoft.net\framework64\v2.0.50727\mscordacwks.dll
0:000> .load c:\windows\microsoft.net\framework64\v2.0.50727\sos.dll

 NOTE: or use .loadby sos clr

 0:000> !Threads
ThreadCount: 41
UnstartedThread: 0
BackgroundThread: 33
PendingThread: 0
DeadThread: 8
Hosted Runtime: no

 0:000> !Threads
ThreadCount: 41
UnstartedThread: 0
BackgroundThread: 33
PendingThread: 0
DeadThread: 8
Hosted Runtime: no
                                              PreEmptive                                                Lock
       ID OSID        ThreadOBJ     State   GC     GC Alloc Context                  Domain           Count APT Exception
XXXX    1 5394 00000000015ca840      8220 Enabled  0000000170194730:0000000170196388 00000000015bf510     0 Ukn
XXXX    2 5eac 00000000015f44b0      b220 Enabled  000000013fee6880:000000013fee87e0 00000000015bf510     0 MTA (Finalizer)
   0    3 8298 0000000001629480    80a220 Enabled  0000000000000000:0000000000000000 00000000015bf510     0 MTA (Threadpool Completion Port)
XXXX    4 549c 0000000001629f30      1220 Enabled  0000000000000000:0000000000000000 00000000015bf510     0 Ukn

 Find func or module references:

 !Name2EE *!foo

 dump module

 !DumpModule -mt 000007ff001768f8

Wishlist:

· Doesn't seem like I can do fancy breakpoints like:

o 0:026> bp 76df1bbb "?1;.echo THIS IS THE RET"

· Wish there was an easy "gu" command for managed code

· I am sure there were more I wished for but can’t recall now….

A few nice things:

Get the exception

0:011> !PrintException

Exception object: 0147f600

Exception type: System.DirectoryServices.DirectoryServicesCOMException

Message: There is no such object on the server.

InnerException: <none>

StackTrace (generated):

<none>

StackTraceString: <none>

HResult: 80072030

Dump an array:

0:011> !DumpArray 01473aa8

Name: System.Object[]

MethodTable: 7912254c

EEClass: 79122ac0

Size: 1072(0x430) bytes

Array: Rank 1, Number of elements 264, Type CLASS

Element Methodtable: 790f8a7c

[0] 0146f64c

[1] 0146f684

[2] 0146f6ac

[3] 0146f6e0

[4] 0146f714

[5] 0146f748

[6] 0146f790

[7] 0146f7c8

[8] 0146f814

[9] 0146f840

[10] 0146f870

[11] 0146f8ac

[12] 0146f8d0

[13] 0146f8f4

[14] 0146f91c

[15] 0146f950

[16] 0146f990

0:011> ! mdt 0146f64c

0146f64c (System.String: "accountNameHistory")

0:011> !mdt 01472644

01472644 (System.String: "securityIdentifier")

In order to get the raw IL:

IL reference

https://www.ecma-international.org/publications/standards/Ecma-335.htm

0:026> !name2ee FooBar.DirectoryServices.dll FooBar.DirectoryServices.Server.getDomain

Module: 01d93da4 (FooBar.DirectoryServices.dll)

Token: 0x06000412

MethodDesc: 0ec510b0

Name: FooBar.DirectoryServices.Server.getDomain()

JITTED Code Address: 02594a00

0:026> !dumpil 0ec510b0

ilAddr = 0e835350

IL_0000: ldarg.0

IL_0001: ldfld FooBar.DirectoryServices.Server::initial

IL_0006: callvirt FooBar.DirectoryServices.LDAPInitialContext::get_Domain

IL_000b: ret

Get the method table from the class

0:026> !name2ee FooBar.DirectoryServices.dll FooBar.DirectoryServices.LDAPInitialContext

Module: 01d93da4 (FooBar.DirectoryServices.dll)

Token: 0x0200004d

MethodTable: 01d99d54

EEClass: 0ec21610

Name: FooBar.DirectoryServices.LDAPInitialContext

0:026> !dumpmt -md 01d99d54

EEClass: 0ec21610

Module: 01d93da4

Name: FooBar.DirectoryServices.LDAPInitialContext

mdToken: 0200004d (C:\WINDOWS\assembly\GAC_MSIL\FooBar.DirectoryServices\2.0.105.0__8cd3e6ab09a4c7bf\FooBar.DirectoryServices.dll)

BaseSize: 0x48

ComponentSize: 0x0

Number of IFaces in IFaceMap: 1

Slots in VTable: 45

--------------------------------------

MethodDesc Table

Entry MethodDesc JIT Name

7934cdcc 79137ab8 PreJIT System.Object.ToString()

7934bba0 79137ac0 PreJIT System.Object.Equals(System.Object)

7934bb90 79137ad8 PreJIT System.Object.GetHashCode()

793424c0 79137ae0 PreJIT System.Object.Finalize()

0ec1df50 01d99c60 JIT FooBar.DirectoryServices.LDAPInitialContext.get_Path()

01d999f5 01d99928 JIT FooBar.DirectoryServices.Context.getPathEx()

01d999fd 01d99938 NONE FooBar.DirectoryServices.Context.Contains(FooBar.DirectoryServices.Context)

01d99a01 01d99940 NONE FooBar.DirectoryServices.Context.IsParentOf(FooBar.DirectoryServices.Context)

01d99a05 01d99948 NONE FooBar.DirectoryServices.Context.GetRelativeDisplayName(FooBar.DirectoryServices.Context)

<snip>

Set a managed breakpoint?

0:027> !bpmd FooBar.WebDir.dll FooBar.WebDir.SecurityLevel.Evaluate

How do I set a breakpoint on the return address for a function? ( thanks Khalil ! )

Q: For example - I want to set a break on the return of the highlighted function..

A: Do a !u (managed command for unassemble) on the red highlighted. Set a bp, as you normally would, on the instruction after the call of interest.

0012ebd0 671663ae System.DirectoryServices.DirectoryEntry.Bind(Boolean)

0012ec28 67166245 System.DirectoryServices.DirectoryEntry.Bind()

0012ec38 67165870 System.DirectoryServices.DirectoryEntry.get_AdsObject()

0012ec48 67168ede System.DirectoryServices.DirectorySearcher.FindAll(Boolean)

0012ec64 67168d9b System.DirectoryServices.DirectorySearcher.FindOne()

0012ec9c 044e101d FooBar.DirectoryServices.ActiveDirectoryInitialContext.IsExchangeMixed()

0012ecb8 044e099e FooBar.DirectoryServices.ActiveDirectoryInitialContext.detectServerType()

0012ece0 0498f222 FooBar.DirectoryServices.ActiveDirectoryInitialContext.Connect(System.DirectoryServices.DirectoryEntry)

0012ecfc 0498e34c FooBar.DirectoryServices.ContextManager.Connect(FooBar.DirectoryServices.Credentials, System.String, Boolean)

0012ed14 0498d669 FooBar.DirectoryServices.Server.connect(FooBar.DirectoryServices.Credentials, System.String, System.String, System.String, Boolean, Boolean)

0012ed58 0498d506 FooBar.DirectoryServices.Server.connect(FooBar.DirectoryServices.Credentials, System.String, System.String, System.String)

0012ed68 044e419b FooBar.SystemConfiguration.GetAdminListDistinguishedName(System.String, System.String, System.String, System.Windows.Forms.Form)

0012ed88 044e4104 FooBar.ServerForm.cmdSelectHelpdeskDL_Click(System.Object, System.EventArgs)

Dump the object:

0:011> !mdt 014224ec

014224ec (System.DirectoryServices.PropertyValueCollection)

list:0142250c (System.Collections.ArrayList)

entry:013ffffc (System.DirectoryServices.DirectoryEntry)

propertyName:013fe734 (System.String: "DnsHostName")

updateType:0x3 (System.DirectoryServices.PropertyValueCollection+UpdateType)

changeList:014225c0 (System.Collections.ArrayList+SyncArrayList)

allowMultipleChange:true (System.Boolean)

needNewBehavior:true (System.Boolean)

Get the CLR Stack:

0:000> !CLRStack -a

OS Thread Id: 0x3b4 (0)

ESP EIP

ESP/REG Object Name

0012eca8 76f19255 [ComPlusMethodFrameGeneric: 0012eca8] System.DirectoryServices.Interop.UnsafeNativeMethods+IAds.GetEx(System.String, System.Object ByRef)

ESP/REG Object Name

0012ecbc 6716d109 System.DirectoryServices.PropertyValueCollection.PopulateList()

PARAMETERS:

this = 0x01736e38

LOCALS:

<CLR reg> = 0x0012ea30

ESP/REG Object Name

0012ecd0 6716cbc5 System.DirectoryServices.PropertyValueCollection..ctor(System.DirectoryServices.DirectoryEntry, System.String)

PARAMETERS:

this = 0x01736e38

entry = 0x017360f8

propertyName = <no data>

LOCALS:

ESP/REG Object Name

0012ecdc 013ab5f4 System.String defaultNamingContext

0012ece4 013ab5f4 System.String defaultNamingContext

0012ece8 6716bea4 System.DirectoryServices.PropertyCollection.get_Item(System.String)

PARAMETERS:

this = 0x01736ce8

propertyName = <no data>

LOCALS:

<CLR reg> = 0x01736dfc

ESP/REG Object Name

0012ecfc 0498e2a0 FooBar.DirectoryServices.ContextManager.Connect(FooBar.DirectoryServices.Credentials, System.String, Boolean)

PARAMETERS:

credentials = 0x01736044

serverName = 0x016fa234

newConn = 0x00000001

LOCALS:

<CLR reg> = 0x017360f8

Finding the call they made..

04a8eba8 8bf8 mov edi,eax

04a8ebaa 8b5624 mov edx,dword ptr [esi+24h] --- some offset member

04a8ebad 8bcf mov ecx,edi --- move some object instance in place

04a8ebaf ff150053df03 call dword ptr ds:[3DF5300h] --- call some method of that class instance

0:011> r

eax=014229e8 ebx=013ffffc ecx=03df5294 edx=01421b18 esi=01421bfc edi=014229e8

eip=04a8ebad esp=03ddf34c ebp=013ffffc iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

04a8ebad 8bcf mov ecx,edi

0:011> p

eax=014229e8 ebx=013ffffc ecx=014229e8 edx=01421b18 esi=01421bfc edi=014229e8

eip=04a8ebaf esp=03ddf34c ebp=013ffffc iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

04a8ebaf ff150053df03 call dword ptr ds:[3DF5300h] ds:0023:03df5300=03df5329

0:011> !dumpmt -md 03df5294

EEClass: 03cbacb4

Module: 00909394

Name: FooBar.DirectoryServices.Exchange.Site

mdToken: 0200009e (C:\WINDOWS\assembly\GAC_MSIL\FooBar.DirectoryServices\2.0.105.0__8cd3e6ab09a4c7bf\FooBar.DirectoryServices.dll)

BaseSize: 0x54

ComponentSize: 0x0

Number of IFaces in IFaceMap: 2

Slots in VTable: 20

--------------------------------------

MethodDesc Table

Entry MethodDesc JIT Name

7934cdcc 79137ab8 PreJIT System.Object.ToString()

...

03df5331 03df5268 NONE FooBar.DirectoryServices.Exchange.Site.IsGroupContainer()

03df5329 03df5258 NONE FooBar.DirectoryServices.Exchange.Site..ctor(System.String)

03df532d 03df5260 NONE FooBar.DirectoryServices.Exchange.Site..ctor(System.String, System.String)

03df5335 03df5270 NONE FooBar.DirectoryServices.Exchange.Site.isMixed()

Assembly walk back..

Here is a small portion of code we can walk through the managed stuff in

04a8ebad 8bcf mov ecx,edi

04a8ebaf ff150053df03 call dword ptr ds:[3DF5300h] -- call method as noted above. ( maybe gets some info? )

04a8ebb5 8d5638 lea edx,[esi+38h]

04a8ebb8 e8625b3e75 call mscorwks!JIT_Writeable_Thunks_Buf+0x11f (79e7471f) (mscorwks!JIT_Writeable_Thunks_Buf)

04a8ebbd 8b4e38 mov ecx,dword ptr [esi+38h]

04a8ebc0 3909 cmp dword ptr [ecx],ecx

04a8ebc2 ff150853df03 call dword ptr ds:[3DF5308h]

04a8ebc8 88464c mov byte ptr [esi+4Ch],al

04a8ebcb b94477df03 mov ecx,3DF7744h

04a8ebd0 e84734e6fb call 008f201c (JitHelp: CORINFO_HELP_NEWSFAST)

Moving the data back into the object instance

04a8ebb5 8d5638 lea edx,[esi+38h]

04a8ebb8 e8625b3e75 call mscorwks!JIT_Writeable_Thunks_Buf+0x11f (79e7471f) (mscorwks!JIT_Writeable_Thunks_Buf)

0:011> r

eax=014229e8 ebx=013ffffc ecx=01422ffc edx=0000508a esi=01421bfc edi=014229e8

eip=04a8ebb5 esp=03ddf34c ebp=013ffffc iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202

04a8ebb5 8d5638 lea edx,[esi+38h]

0:011> !do 01421bfc

Name: FooBar.DirectoryServices.ActiveDirectoryInitialContext

MethodTable: 03df6194

EEClass: 03cbb41c

Size: 88(0x58) bytes

GC Generation: 0

(C:\WINDOWS\assembly\GAC_MSIL\FooBar.DirectoryServices\2.0.105.0__8cd3e6ab09a4c7bf\FooBar.DirectoryServices.dll)

Fields:

MT Field Offset Type VT Attr Value Name

034c94cc 40001a4 4 ...es.InitialContext 0 instance 00000000 initialContext

790f9244 40001a5 8 System.String 0 instance 01254d68 distinguishedName

03df7240 40001a6 c ...veDs.IADsPathname 0 instance 01422100 adsPathName

790f9244 40001a7 10 System.String 0 instance 01422110 protocolPrefix

790fd8b4 40001a8 14 ...ections.Hashtable 0 instance 01422038 objectClassSchemas

034caad4 40001c1 18 ...vices.Credentials 0 instance 013db8f4 connectionCredentials

790f9244 40001c2 1c System.String 0 instance 012f9f74 serverName

790f9244 40001c3 20 System.String 0 instance 01422538 dnsHostName

790f9244 40001c4 24 System.String 0 instance 01421b18 defaultNamingContext

790f9244 40001c5 28 System.String 0 instance 01422680 configNamingContext

790f9244 40001c6 2c System.String 0 instance 014227d0 schemaNamingContext

03df7744 40001c7 30 ...veDirectoryDomain 0 instance 00000000 domain

03df7844 40001c8 34 ...ory.GlobalCatalog 0 instance 00000000 global

03df5294 40001c9 38 ...ces.Exchange.Site 0 instance 00000000 site

03df4a80 40001ca 3c ...ces.DirectoryItem 0 instance 00000000 config

790ffe7c 40001cb 40 System.Type 0 instance 00000000 providerType

034c30c0 40001c0 2a0 log4net.ILog 0 static 013fe5e4 debugLog

790f9244 40001cc 2a4 System.String 0 static 013fe330 TopContainerFormatter

79103c00 400025b 4c System.Boolean 1 instance 0 ntMixed

79103c00 400025c 4d System.Boolean 1 instance 0 mixed

79103c00 400025d 4e System.Boolean 1 instance 0 hasExchange

79103c00 400025e 4f System.Boolean 1 instance 0 hasExchange2003

79103c00 400025f 50 System.Boolean 1 instance 0 gcPresent

790f9244 4000260 44 System.String 0 instance 0142293c rootDomainNamingContext

790fd8b4 4000261 48 ...ections.Hashtable 0 instance 01421f70 detailedSchemaInfo

034c30c0 400025a 330 log4net.ILog 0 static 01421ef0 debugLog

04a8ebb8 e8625b3e75 call mscorwks!JIT_Writeable_Thunks_Buf+0x11f (79e7471f) (mscorwks!JIT_Writeable_Thunks_Buf)

-- > after this the FooBar.DirectoryServices.ActiveDirectoryInitialContext site is filled in