Debug user mode application with kernel debugger

Apr 9, 2012 · Tags: WinDbg, Windows, Developer

Sometimes my colleagues ask me how to debug a user-mode application when a kernel debugger (WinDbg) is attached to the system.

Very easy!

1: kd> !process 0 0 myproc.exe
PROCESS 867deb80  SessionId: 0  Cid: 0cac    Peb: 7f9bb000  ParentCid: 0208
    DirBase: bd23b540  ObjectTable: a1532c80  HandleCount: <Data Not Accessible>
    Image: myproc.exe

1: kd> .process /i /r /p 867deb80
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

1: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
81acdae0 cc              int     3

1: kd> .reload /user
Loading User Symbols
..........................

1: kd> lmu
start    end        module name
00350000 0037c000   myproc    (deferred)   
...

After that you can set breakpoints in the user-mode module as usual (e.g. bp myproc!MyFunc ;)
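The same sequence as a WinDbg script, added here as an example and not part of the original post. It takes the EPROCESS address (from `!process 0 0 <image>`) and the breakpoint symbol as arguments, which `$$>a<` substitutes into `${$arg1}` and `${$arg2}`, and it assumes WinDbg runs the commands queued after `g` once the target breaks in again.

```windbg
$$ user-break.wds  (constructed example; not from the original post)
$$ Run from kd with the EPROCESS address and the target symbol as arguments:
$$   $$>a< user-break.wds 867deb80 myproc!MyFunc
$$ Assumes user-mode symbols are reachable via the configured symbol path.

$$ Switch the implicit process context: /i makes it the current process on
$$ the next break, /r reloads registers, /p switches page tables.
.process /i /r /p ${$arg1}

$$ Let the target run until it breaks back in; from then on the debugger
$$ is in the process context and the remaining commands are executed.
g

$$ User-mode modules of that process can now be resolved.
.reload /user

$$ Confirm the module is listed before placing a breakpoint on it.
lmu

$$ Breakpoint on the user-mode function; it only fires in this process
$$ because the address belongs to this process's address space.
bp ${$arg2}

$$ Continue; execution stops when the function is hit.
g
```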