Debugging failed file handles in Windows Console application


I have a console application that uses PuTTY as a DLL and I need to debug the PuTTY library in question.

On UNIX, I would do strace <command>.

strace ls ggg

Would print something like:

stat("ggg", 0x166b0d0)                  = -1 ENOENT (No such file or directory)

because I have no file or directory named ggg in my current directory. I need this for a Windows console application.

I have searched online and downloaded the Windows SDK with debugging tools. I tried several programs; cdb seems to be the one I need.

Doing cdb -o "!htrace -enable" <command> appears to be what I need, but I think I am missing something, because it does not provide any hint as to why the command is failing, nor any failed file open attempts. (If <command> loads a file it "should" succeed; however, <command> wants a "sessions" name, not a file path, and it then looks up a file or reg key with that session name):

CommandLine: <command>
Symbol search path is: srv*
Executable search path is:
ModLoad: 00400000 004a7000   image00400000
ModLoad: 77d00000 77e8d000   ntdll.dll
ModLoad: 77aa0000 77b70000   C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 748e0000 74ab7000   C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 779d0000 77a36000   C:\WINDOWS\SysWOW64\WS2_32.dll
ModLoad: 77b70000 77c2e000   C:\WINDOWS\SysWOW64\RPCRT4.dll
ModLoad: 74720000 74740000   C:\WINDOWS\SysWOW64\SspiCli.dll
ModLoad: 74710000 7471a000   C:\WINDOWS\SysWOW64\CRYPTBASE.dll
ModLoad: 74f00000 74f57000   C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
ModLoad: 75d10000 75d53000   C:\WINDOWS\SysWOW64\sechost.dll
ModLoad: 757c0000 75838000   C:\WINDOWS\SysWOW64\ADVAPI32.dll
ModLoad: 776b0000 7776d000   C:\WINDOWS\SysWOW64\msvcrt.dll
(2f550.32120): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000010 ecx=44ce0000 edx=00000000 esi=00249000 edi=77d06964
eip=77dadbcf esp=00cafa0c ebp=00cafa38 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrInitShimEngineDynamic+0x6af:
77dadbcf cc              int     3
0:000> cdb: Reading initial command '!htrace -enable'
Handle tracing enabled.
Handle tracing information snapshot successfully taken.
0:000>

Basically, I am trying to find out where pscp.exe (PuTTY scp) loads the session from on Windows. In this case, answering that question will not help; I want to know how I can track handles. From my understanding, cdb enables htrace after the program has completed, or I need to type something for the command to start (unsure). I even tried to create a new process with the options from within the debugger; I still get only DLLs loaded, nothing else.

I tried logger.exe <command> and logger.exe -o <command>, as Stack Overflow says it is the closest to strace; it lists the DLLs, just like cdb, nothing more. In windbg, I get to see 8 file handles; however, there is no information on file paths ...

Sorry, I am a Linux guy, so spoiled: strace does the trick with no options.

I have read:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-handle
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-a-user-mode-process-using-cdb
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-create--create-process- (to try and launch <command> once the debugger was loaded)
... and a few more ...

user2531336

Posted 2018-02-06T22:05:29.940

Reputation: 183


The easier approach (as its likely either loading from file or registry) would be to use the appropriate sysinternals tool. You're currently on the hardcore debugging route which is probably a bit much for what you're actually trying to do.

– Seth – 2018-02-07T07:11:17.990

handle seems to be the one closest to what I am looking for, but it expects a process to remain ... here, the process exits after about 1 second ... even while true;do handle -p <command>;done, where command is part of the name, sometimes prints a few file references, but nothing interesting (I had to enable the highest debug level to slow the program down) ... I found the reg key in question (it was NOT PuTTY's) by searching the reg ... still looking for <debugger> [<options>] <command>, i.e. a Windows program that runs another and prints out all file/reg activities of the child, à la strace. – user2531336 – 2018-02-07T09:23:34.000

Process Monitor from that suite of tools would show you live data (and a record) of which files are touched by programs. You could filter it down to just one executable. It's not a console application though. Sorry, I haven't really touched the regular debugging tools for Windows. – Seth – 2018-02-07T09:39:07.170

I'm seeing a suggested edit in regards to my answer from you. It doesn't really make sense to add it to the answer as an edit though. After all, I wouldn't know what your thoughts are. As it actually has some more input, maybe consider posting it as an independent answer (referencing mine) or as (multiple) comments. One of these options would probably be a good fit. – Seth – 2018-02-07T12:11:27.407

Answers


You're currently using actual debug tools that can be quite hard to understand but ultimately provide a lot of detail. Given your purpose in doing this, it might be an option to use a simpler tool to get the information you need.

For Windows there are quite a few tools available, known as the "Sysinternals suite", that could help you out without requiring you to understand all the debug output you get with the actual debug tools.

In particular, the tool handle should be able to help you figure out what is using a currently open file, while Process Monitor would show you a live feed of a lot of the actions currently running programs do, mainly focused on registry and file operations.

To figure out where a program is getting information from you could try to use process monitor and set it up to only show you the actions of a particular program. The tool itself has filtering options for various types of actions as well as for properties of those actions.

Seth

Posted 2018-02-06T22:05:29.940

Reputation: 7 657
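To get the strace-like "run this command and show me its file and registry activity, failures included" workflow the question asks for, Process Monitor can be driven from the command line instead of the GUI. The following PowerShell wrapper is an added example and not code from the thread or from Sysinternals; it assumes procmon.exe is on PATH, that the session is elevated (capturing to a backing file needs it), and that the CSV export uses Process Monitor's default columns (Process Name, Operation, Path, Result). The script name and its parameters are hypothetical.

```powershell
# trace-files.ps1 (hypothetical name): run a command under Process Monitor and
# print its file/registry operations, strace-style, including the failures.
# Assumes procmon.exe (Sysinternals) is on PATH and the shell is elevated.
param(
    [Parameter(Mandatory = $true)][string]$Command,   # e.g. pscp.exe
    [string[]]$Arguments = @(),                       # arguments for the target
    [switch]$FailuresOnly,                            # only non-SUCCESS results
    [string]$WorkDir = $env:TEMP                      # where trace files go
)

$pml = Join-Path $WorkDir 'trace.pml'
$csv = Join-Path $WorkDir 'trace.csv'
Remove-Item $pml, $csv -ErrorAction SilentlyContinue

# 1. Start capturing to a backing file, minimized, without the EULA dialog.
Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds 3   # let the capture driver come up before the target runs

# 2. Run the target to completion while the capture is active.
#    Start-Process rejects an empty -ArgumentList, so only pass it when needed.
$startArgs = @{ FilePath = $Command; PassThru = $true; Wait = $true; NoNewWindow = $true }
if ($Arguments.Count -gt 0) { $startArgs.ArgumentList = $Arguments }
$target = Start-Process @startArgs
$exeName = [IO.Path]::GetFileName($Command)   # Process Monitor's "Process Name" column

# 3. Stop the capture, then convert the PML log to CSV (format is chosen by extension).
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Process procmon.exe -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 4. Print the file and registry operations of the traced process only.
#    With -FailuresOnly this is the analogue of spotting ENOENT in strace output:
#    a NAME NOT FOUND on a path or key shows where the program looked and missed.
$ops = '^(CreateFile|RegOpenKey|RegQueryValue|RegCreateKey)$'
Import-Csv $csv |
    Where-Object { $_.'Process Name' -eq $exeName -and $_.Operation -match $ops } |
    Where-Object { -not $FailuresOnly -or $_.Result -ne 'SUCCESS' } |
    ForEach-Object { '{0,-14} {1,-16} {2}' -f $_.Operation, $_.Result, $_.Path }

"exit code: $($target.ExitCode)"
```

Usage for the case in the question would be `.\trace-files.ps1 -Command pscp.exe -Arguments @('-load', 'mysession') -FailuresOnly`, which lists every file and registry key the process tried to open and did not find. Note that Process Monitor filters by process name rather than by the launched process tree, so a helper process spawned by the target under a different name needs its own pass, and that for quick interactive checks the GUI's Process Name filter plus a Result filter of "NAME NOT FOUND" gives the same view without any scripting.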