Debug user mode application with kernel debugger
Apr 9, 2012 00:00 · 129 words · 1 minute read
Sometimes my colleagues ask me how to debug a user-mode application when a kernel debugger (WinDbg attached as kd) is already connected to the system.
Very easy: find the process, switch the debugger into its context, reload the user-mode symbols.
First find the EPROCESS address of the target. If several processes share the image name, !process lists all of them; pick the right one by its Cid (process id) or ParentCid:
1: kd> !process 0 0 myproc.exe
PROCESS 867deb80 SessionId: 0 Cid: 0cac Peb: 7f9bb000 ParentCid: 0208
DirBase: bd23b540 ObjectTable: a1532c80 HandleCount: <Data Not Accessible>
Image: myproc.exe
Then switch the debugger into that process. /i makes the switch invasive (the process is debugged as if a user-mode debugger were attached to it), /r reloads the user-mode symbols once the context is set, and /p makes kd translate the process's page-table entries to physical addresses so its user memory is read reliably:
1: kd> .process /i /r /p 867deb80
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
The switch does not happen immediately; resume the target and wait for the next break-in, after which the current context is myproc.exe:
1: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
81acdae0 cc int 3
Now load the user-mode symbols and check that the process's modules are visible (lmu lists only user-mode modules):
1: kd> .reload /user
Loading User Symbols
..........................
1: kd> lmu
start end module name
00350000 0037c000 myproc (deferred)
...
After that you can set breakpoints in the process as usual, e.g. bp myproc!MyFunc ;) Note that .process /i needs a live target that can resume; on a crash dump there is nothing to continue, so use .process /r /p <address> there and skip the g step.
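As an added example that is not part of the original post: a small Python helper that parses a `!process 0 0 <image>` listing into records, picks one instance by Cid when several processes share the image name, and emits the .process / g / .reload /user / lmu sequence from the session above. The sample listing it runs on is constructed: the first entry mirrors the post, the second process and its addresses are made up.

```python
"""Added example (not from the original post): parse `!process 0 0 <image>`
output from kd and build the command sequence for switching into a
user-mode process context. The sample listing below is constructed; the
first entry mirrors the post, the second is made up."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header line of each entry, e.g.
#   PROCESS 867deb80  SessionId: 0  Cid: 0cac    Peb: 7f9bb000  ParentCid: 0208
# Addresses may be 32-bit (867deb80) or 64-bit, possibly with a backtick.
PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-fA-F`]+)\s+SessionId:\s*(?P<session>\S+)"
    r"\s+Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*(?P<peb>[0-9a-fA-F`]+)"
    r"\s+ParentCid:\s*(?P<parent>[0-9a-fA-F]+)"
)
IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>\S+)")

# Constructed sample: two instances of myproc.exe, the second spawned by the first.
SAMPLE_KD_OUTPUT = """\
PROCESS 867deb80  SessionId: 0  Cid: 0cac    Peb: 7f9bb000  ParentCid: 0208
    DirBase: bd23b540  ObjectTable: a1532c80  HandleCount: <Data Not Accessible>
    Image: myproc.exe

PROCESS 86a11d40  SessionId: 1  Cid: 0e10    Peb: 7ffd8000  ParentCid: 0cac
    DirBase: bd23b780  ObjectTable: a1600a40  HandleCount:  48.
    Image: myproc.exe
"""


@dataclass
class KdProcess:
    eprocess: str      # EPROCESS address as printed by kd
    session: str
    cid: int           # process id
    peb: str
    parent_cid: int
    image: str


def parse_process_list(text: str) -> List[KdProcess]:
    """Turn a `!process 0 0` listing into KdProcess records.

    A record is complete once its `Image:` line is seen; a PROCESS header
    without a following Image line is ignored."""
    procs: List[KdProcess] = []
    pending: Optional[dict] = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            pending = m.groupdict()
            continue
        m = IMAGE_RE.match(line)
        if m and pending is not None:
            procs.append(KdProcess(
                eprocess=pending["eprocess"],
                session=pending["session"],
                cid=int(pending["cid"], 16),
                peb=pending["peb"],
                parent_cid=int(pending["parent"], 16),
                image=m.group("image"),
            ))
            pending = None
    return procs


def select_process(procs: List[KdProcess], image: str,
                   cid: Optional[int] = None) -> KdProcess:
    """Pick one process by image name, disambiguating by Cid when there are
    several instances (as `!process 0 0 <image>` lists all of them)."""
    matches = [p for p in procs if p.image.lower() == image.lower()]
    if cid is not None:
        matches = [p for p in matches if p.cid == cid]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} processes match {image!r} (cid={cid}); "
                         "pass the Cid of the instance you want")
    return matches[0]


def switch_commands(proc: KdProcess) -> List[str]:
    """kd commands from the post for entering `proc`'s user-mode context.
    .process /i is invasive and only takes effect after the target resumes
    and breaks in again, hence the `g` before reloading user symbols."""
    return [
        f".process /i /r /p {proc.eprocess}",
        "g",
        ".reload /user",
        "lmu",
    ]


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_KD_OUTPUT)
    target = select_process(procs, "myproc.exe", cid=0x0cac)
    print("\n".join(switch_commands(target)))
```

Paste the printed lines into kd one at a time; the `g` must be allowed to break back in before `.reload /user` is issued, otherwise the symbols are loaded for the wrong process context.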