My blog used to have ugly display of source code, and I've always been a bit jealous of sites with pretty syntax highlighting for their source code. Well jealous no longer, I've now started using SyntaxHighlighter in my blog. You can find howto directions here. Here' a small sample:
C Sharp:
Python:
If there is demand I'll go through some of the old posts and re-highlight them.
Thursday, December 31, 2009
Tuesday, December 29, 2009
Using wireshark to trace localhost traffic on windows.
(If you don’t care why this works and just need a recipe, switch to this post)
Capturing network packets on localhost doesn't work on windows. The reason is windows doesn't send loopback traffic far enough down the networking stack for wireshark to see it. To make sniffing work on localhost you can route your ip traffic to your default gateway. I'll walk you through this, and along the way you'll see:
- netcat - telnet on steroids (nc.exe)
- tshark - command line network sniffer from the wireshark package.
- powershell jobs - background jobs from the shell!
Step 1 - launch the server as a background job (Woohoo powershell)
PS C:\Users\igord> $server = start-job { \bin_drop\nc -L -p 8082 } Step 2 - Make client connection:
PS C:\Users\igord> \bin_drop\nc.exe 127.0.0.1 8082
Hello
You can see me
Step 3: See if we can see anything in tshark on port 8082.
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
Step 4: Point netcat at our ip address that's external:
PS C:\Users\igord> ipconfig
Windows IP Configuration
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : hsd1.state.comcast.net
Link-local IPv6 Address . . . . . : fe80::49a:2ea6:7757:db5%14
IPv4 Address. . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1PS
C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello can you see me in tshark?
(Still nothing in netcat)
Step 5: Add a route for our local address to the router:
PS C:\Users\igord> route add 192.168.1.100 192.168.1.1
OK!
Step 6: Run netcat again - and check tshark:
PS C:\Users\igord> \bin_drop\nc.exe 192.168.1.100 8082
Hello Do you see me
Now we get our packets in tshark!
C:\Program Files (x86)\Wireshark>tshark -i 4 -R "tcp.port == 8082"
Capturing on Microsoft
107.838518 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.840456 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [SYN] Seq=0 Win=8192 Len=0 MSS=1460
107.841013 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.841988 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
107.842291 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
107.844181 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 449#1] 60080 > us-cli [ACK] Seq=1 Ack=1 Win=64240 Len=0
110.528557 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.530030 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.530139 192.168.1.100 -> 192.168.1.100 TCP [TCP Out-Of-Order] 60080 > us-cli [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=20
110.730222 192.168.1.100 -> 192.168.1.100 TCP us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
110.731258 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
110.731797 192.168.1.100 -> 192.168.1.100 TCP [TCP Dup ACK 480#1] us-cli > 60080 [ACK] Seq=1 Ack=21 Win=64240 Len=0
116.982412 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
116.984259 192.168.1.1 -> 192.168.1.100 ICMP Redirect (Redirect for host)
116.984390 192.168.1.100 -> 192.168.1.100 TCP 60080 > us-cli [RST, ACK] Seq=21 Ack=1 Win=0 Len=0
For bonus points, why do you see 2 of each packet?
Step 7: Cleanup
PS C:\Users\igord> route delete 192.168.1.100 OK!
Sunday, December 27, 2009
That's fast
Geeks born before the 80's had wet dreams about getting a T1 line. A T1 was 1.5 Mbps ~ 0.19 MB/s. Here's a picture of a large download on my home wireless network which connects to the world via cable:
Gotta love technology. How long before 1 MB/s is slow?
Gotta love technology. How long before 1 MB/s is slow?
Friday, December 25, 2009
Why twitter can be awesome
If you were born before the 80's (heck maybe before the 90's) you have some idea what twitter is but can't understand what it is for. Well, I've been thinking about twitter and I have a few ideas.
A tweet (a message on twitter) is a short (140 char max) thought you broadcast to the world. Now the 'magic' of twitter is this: people can decide to listen to your message, only if they want to. If you think a tweet is stupid, it is because it isn't written for you, instead of complaining about the tweet, you ignore it '.' This should sounds familiar, it is how broadcast works in ethernet networks, and even how conversations work on public transit.
Since tweets are public, and arguably represent what people are thinking/doing, you can do something you could never do before: see what the world is thinking. From that starting point, you can join a conversation, or simply learn something interesting.
That said, as I'm looking at twitter, and I'm not finding any conversations I'm interested in joining, or even overhearing. Oh well I'll keep my eye on it.
A tweet (a message on twitter) is a short (140 char max) thought you broadcast to the world. Now the 'magic' of twitter is this: people can decide to listen to your message, only if they want to. If you think a tweet is stupid, it is because it isn't written for you, instead of complaining about the tweet, you ignore it '.' This should sounds familiar, it is how broadcast works in ethernet networks, and even how conversations work on public transit.
Since tweets are public, and arguably represent what people are thinking/doing, you can do something you could never do before: see what the world is thinking. From that starting point, you can join a conversation, or simply learn something interesting.
That said, as I'm looking at twitter, and I'm not finding any conversations I'm interested in joining, or even overhearing. Oh well I'll keep my eye on it.
Thursday, December 17, 2009
Pretty Printing XML on Windows.
It happens to the best of us, we get some ugly XML string with no formatting, and we need to view it, ideally in a formatted fashion. XMLLint is the answer. Ugly XML is the input, nicely formatted XML is the output. Finding a version of XMLLint for windows was a challenge till I found this project: http://code.google.com/p/xmllint. Unfortunately this xmllint requires an xml filename as input, and I wanted a version that takes xml on stdin, and produces pretty xml on stdout(*). Luckily this project had source code available and the pretty printing is trivial, here's the full code listing for 'my version' of XMLLint:
Example Usage(+):
NOTES:
(*) StdIn -> Filter -> StdOut is a common trick for VI folks. the syntax is: :%!
(+) Any guesses why I needed a screen shot for example usage?
Example Usage(+):
NOTES:
(*) StdIn -> Filter -> StdOut is a common trick for VI folks. the syntax is: :%!
(+) Any guesses why I needed a screen shot for example usage?
Tuesday, November 17, 2009
Using Vim and Ctags to edit Powershell
To use vim with a new language you need a few things firstly: indent, syntax and file type plugins. These can be found here .
Next, you need ctags support (this is how vim implements 'goto function'). Ctags doesn't natively support powershell yet, but luckily ctags supports adding languages dynamically. From the command line you can add powershell support to ctags via:
Alternatively you can pass this information into your ctags configuration file. Note that on the command line regexps are in quotes.
Happy PS1Viming.
Next, you need ctags support (this is how vim implements 'goto function'). Ctags doesn't natively support powershell yet, but luckily ctags supports adding languages dynamically. From the command line you can add powershell support to ctags via:
c:\> ctags.exe --langdef=powershell --langmap=powershell:.ps1 --regex-powershell="/^function[\t ]*([a-zA-Z0-9_]+)/\1/d,definition/" --regex-powershell="/^filter[\t ]*([a-zA-Z0-9_]+)/\1/d,definition/" *
Alternatively you can pass this information into your ctags configuration file. Note that on the command line regexps are in quotes.
C:\> type %USERPROFILE%\ctags.cnf
--langdef=powershell
--langmap=powershell:.ps1
--langmap=powershell:.psm1
--regex-powershell=/^function[\t ]*([a-zA-Z0-9_-]+)/\1/d,definition/
--regex-powershell=/^filter[\t ]*([a-zA-Z0-9_-]+)/\1/d,definition/
Happy PS1Viming.
Saturday, November 14, 2009
The Performance of Everyday Things
I've spent much time fixing code optimizations that added no business value (with often matching performance value). Please do not try to make your code faster unless you need to. The way I handle performance issues on my projects:
To be explicit: I'm comfortable using slower patterns if they are clear and simple. As soon as I've hit my acceptable performance bar - I'm done.
With that out of the way, let me discuss a performance riddle I hit this week. I was wandering through some powershell code that processed slews of objects (over 200K of 'em):
I'm a real fan of succinct code so I replaced the code with the following and it was much faster:
I prefer the succinct version of the code, but why is this one liner so much faster? The answer lies in the type of $interestingObjects:
$interestingObjects is an array, so when we add an item, we could end up doing an expensive operation - for example:
BTW - in .NET List is implemented via an ArrayList. ArrayList is an Array with the helpful property that Add is mostly O(1):
- Define acceptable performance.
- Write my code as simply as possible.
- Measure performance: against definition, if performance > acceptable - goto DONE.
- /*Performance not acceptable*/ Profile; Fix as simply as possible; goto Measure.
- DONE
To be explicit: I'm comfortable using slower patterns if they are clear and simple. As soon as I've hit my acceptable performance bar - I'm done.
With that out of the way, let me discuss a performance riddle I hit this week. I was wandering through some powershell code that processed slews of objects (over 200K of 'em):
$interestingObjects = @()
foreach ($object in $inputObjects)
{
if ($object.IsInteresting)
{
$interestingObjects += $objects
}
}
$interestingObjects
I'm a real fan of succinct code so I replaced the code with the following and it was much faster:
$inputObjects| where {$_.IsInteresting}I prefer the succinct version of the code, but why is this one liner so much faster? The answer lies in the type of $interestingObjects:
PS C:\Users\igord> $interestingObjects.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True Object[] System.Array
$interestingObjects is an array, so when we add an item, we could end up doing an expensive operation - for example:
$Array + $item :=
$newArray = new Object[$array.Length+1]
$array.CopyTo(newArray,0) # O(N) copy - nasty for large datasets.
$newArray[$array.Length] = item
return $newArray
BTW - in .NET List
- If Count already equals Capacity, the capacity of the list is doubled by automatically reallocating the internal array and copying the existing elements to the new array before the new element is added.
- If Count is less than Capacity, this method is an O(1) operation. If the capacity needs to be increased to accommodate the new element, this method becomes an O(n) operation, where n is Count.
Friday, October 23, 2009
Do your certificate management in Powershell
I do a lot of security work, and that means lots of time poking at certificates. Tooling for certificates was never something I was happy with until I stumbled upon powershell. Let me give you a demo:
PS C:\> cd cert:Does the output of $cert.ToString() look familiar? It's actually the ToString() on X509Certificate2. This means as well as having a great certificate store browser, you also get to access the CLR certificate classes interactively - Yeehaw!
PS cert:\> cd .\LocalMachine\My
PS cert:\LocalMachine\My> dir
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
4EE3FDE4FFF422935CAA0CA2783EF2CA601D6DE5 CN=NonSecretGlobalEncryptKey
272BDAC53C26CC5A8067FE6076D2F74797F69AF7 CN=igordm1, OU=Workstations, OU=Machines, DC=redmond, DC=corp, DC=microsof...
PS cert:\LocalMachine\My> cd\
PS cert:> cd .\CurrentUser\Root
PS cert:\CurrentUser\Root> dir | where {$_.Subject -like "*Veri*"}
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root
Thumbprint Subject
---------- -------
18F7C1FCC3090203FD5BAA2F861A754976C8DD25 OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stampin...
85371CA6E550143DCE2803471BDE3A09E8F8770F OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized us...
742C3192E607E424EB4549542BE1BBC53E6174E2 OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
4F65566336DB6598581D584A596C87934D5F2AB4 OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2...
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
PS cert:\CurrentUser\Root> $cert = gi 24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
PS cert:\CurrentUser\Root> $cert.ToString()
[Subject]
OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
[Issuer]
OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
[Serial Number]
03C78F37DB9228DF3CBB1AAD82FA6710
[Not Before]
4/8/1996 5:00:00 PM
[Not After]
1/7/2004 3:59:59 PM
[Thumbprint]
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
PS cert:\CurrentUser\Root>
Wednesday, October 21, 2009
Need another monitor? Try a USB Video Card.
In 2014, I retired the below USB video card. I've replaced with the Plugable USB 3.0 to DisplayPort 4K UHD
, which runs fine at 2560x1600. ----
I use 3 monitors at work and it is awesome. My laptop only drives two monitors so for the 3rd monitor I picked up a USB video card, the EVGA 100-US-UV16A1 . This thing works (*). The device installs drivers automatically and works like a charm on Windows 7. It only supports upto 1600x1200. Also, I don't play games so I can't tell you how well that works, but for reading email and viewing OneNote I can't tell this is a USB video card.
(*) If you're not impressed this thing works, you should be. A back of the envelope bandwidth analysis:
Required Bandwidth:
= 1600pixels x 1200pixels x 24 bits per pixel x 30 frames/second
= 1.38 Gbps
Actual USB 2.0 bandwidth:
= 480Mbps
Saturday, October 17, 2009
Using TShark
Today I realized this blog lost its google analytics (GA) tracking. Ooops, I accidentally erased the javascript that talks to Google Analytics in my blog template. I fixed the template on my blog, and wanted to verify my browser was sending data to GA. It takes the GA UI a while to show you data is coming in, so I decided to use tshark to see if my tracker code is working.
Tshark is the command line version of Wireshark, an Ethernet level packet sniffer. Lets see what HTTP GETs occur when I connect to one of my posts:
What is that __utm.gif we GET in frame 3? How strange that it includes my screen resolution. A quick bing search finds this is indeed the connection to GA. So, my tracking code is good, and you should go learn how to use tshark.
Tshark is the command line version of Wireshark, an Ethernet level packet sniffer. Lets see what HTTP GETs occur when I connect to one of my posts:
C:\Program Files\Wireshark>tshark.exe | findstr GET
Capturing on Microsoft
1) 67.936320 192.168.1.100 -> 64.233.169.191 HTTP GET /2009/07/finding-clr-exceptions-with-visual.html HTTP/1.1
2) 68.211983 192.168.1.100 -> 64.233.169.191 HTTP GET /dyn-css/authorization.css?targetBlogID=7821316&zx=defa99ec-5585-4463-a42d-a32bf4868482 HTTP/1.1
3) 68.393167 192.168.1.100 -> 64.233.169.139 HTTP GET /__utm.gif?utmwv=4.5.8&utmn=1895005015&utmhn=ig2600.blogspot.com&utmcs=UTF-8&utmsr=1600x1200&utmsc=32-bit&ut
mul=en-us&utmje=1&utmfl=10.0%20r32&utmdt=Igor%27s%20Computer%20Blog%3A%20Finding%20CLR%20exceptions%20without%20visual%20studio&utmhid=396081822&utmr=0&utmp=%2F
2009%2F07%2Ffinding-clr-exceptions-with-visual.html&utmac=UA-6806517-1&utmcc=__utma%3D91978370.809539203.1241314101.1255744665.1255763228.10%3B%2B__utmz%3D91978
370.1255744665.9.3.utmcsr%3Dblogger.com%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D%2Fhtml%3B HTTP/1.1
4) 68.393325 192.168.1.100 -> 64.233.169.191 HTTP GET /navbar.g?targetBlogID=7821316&blogName=Igor%27s+Computer+Blog&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=
BLUE&layoutType=LAYOUTS&searchRoot=http%3A%2F%2Fig2600.blogspot.com%2Fsearch&blogLocale=en_US&homepageUrl=http%3A%2F%2Fig2600.blogspot.com%2F&targetPostID=61412
67244510925043 HTTP/1.1
5) 68.517559 192.168.1.100 -> 64.233.169.191 HTTP GET /2009/07/finding-clr-exceptions-with-visual.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseTyp
e=js&postID=6141267244510925043 HTTP/1.1
6) 68.601057 192.168.1.100 -> 64.233.169.118 HTTP GET /gadgets/ifr?url=http%3A%2F%2Fwww.google.com%2Ffriendconnect%2Fgadgets%2Fmembers.xml&container=peoplesense&p
arent=http%3A%2F%2Fig2600.blogspot.com%2F&mid=0&view=profile&libs=opensocial-0.8%3Askins%3Adynamic-height%3Agoogle.blog&v=0.463.3〈=en&country=US&communityId
=02722510552710003866&caller=http%3A%2F%2Fig2600.blogspot.com%2F2009%2F07%2Ffinding-clr-exceptions-with-visual.html HTTP/1.1
7) 68.807944 192.168.1.100 -> 64.233.169.118 HTTP GET /gadgets/deps.js HTTP/1.1
What is that __utm.gif we GET in frame 3? How strange that it includes my screen resolution. A quick bing search finds this is indeed the connection to GA. So, my tracking code is good, and you should go learn how to use tshark.
Wednesday, September 30, 2009
Query the windows event logs via the command line
Today someone told me "You can find if bibblebob happened by looking in the event viewer". I automate things so I went hunting for a CLI tool to accomplish this task. wevtutil is its name-o.
The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then pass that query to wevtutil.
Here's an example of finding all the times DHCP started:
Good Hunting!
The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then pass that query to wevtutil.
Here's an example of finding all the times DHCP started:
C:\Windows\System32>wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=50036)]]" |more
Event[0]:
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 2009-09-22T17:42:54.667
Event ID: 50036
Task: Service State Event
Level: Information
Opcode: ServiceStart
Keyword: N/A
User: S-1-5-19
User Name: NT AUTHORITY\LOCAL SERVICE
Computer: igordm1.redmond.corp.microsoft.com
Description:
DHCPv4 client service is started
Event[1]:
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 2009-09-17T20:46:36.179
Event ID: 50036
Task: Service State Event
Level: Information
Opcode: ServiceStart
Keyword: N/A
User: S-1-5-19
User Name: NT AUTHORITY\LOCAL SERVICE
Computer: igordm1.redmond.corp.microsoft.com
Description:
DHCPv4 client service is started
Good Hunting!
Friday, September 25, 2009
Use cdb to see what files your application is opening.
In this post I'll show you how to use CDB to intercept CreateFile and see what files your application is opening. For this problem, Process Monitor is often a better tool, but the techniques I demonstrate work for any API you should learn them.
This won't take much time, so if you've never done this before I recommend you follow along.
First Load CDB against cmd:
Next find something like CreateFile to breakpoint:
Set the breakpoint on Kernel32!CreateFileW (You can figure that out by looking on MSDN)
Lets open a file and make sure our function is called!
Our breakpoint is hit. Lets figure out the filename being opened. To do this, we lookup the parameter list of CreateFile on MSDN. Filename is the first parameter. Next we look up the calling convention. On AMD64, the first paramater lives in rcx. Lets dump rcx as a unicode string:
Awesome - it worked. Lets make our breakpoint automatically print, and continue execution so it's non-intrusive.
Notice the debugger spew intersperesed with cmd output. Anytime we open a file we'll see it in the spew! Use this approach to debug all sorts of I wonder what's going on problems.
This won't take much time, so if you've never done this before I recommend you follow along.
First Load CDB against cmd:
C:\Program Files\Debugging Tools for Windows (x64)>cdb.exe cmd.exe
Microsoft (R) Windows Debugger Version 6.12.0000.526 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: cmd.exe
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00000000`49fc0000 00000000`4a018000 cmd.exe
ModLoad: 00000000`77c10000 00000000`77db8000 ntdll.dll
ModLoad: 00000000`779f0000 00000000`77b0e000 C:\Windows\system32\kernel32.dll
ModLoad: 000007fe`fde90000 000007fe`fdef9000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 000007fe`febd0000 000007fe`fec6f000 C:\Windows\system32\msvcrt.dll
ModLoad: 000007fe`fc850000 000007fe`fc858000 C:\Windows\system32\WINBRAND.dll
ModLoad: 00000000`77b10000 00000000`77c0b000 C:\Windows\system32\USER32.dll
ModLoad: 000007fe`fee70000 000007fe`feed7000 C:\Windows\system32\GDI32.dll
ModLoad: 000007fe`febc0000 000007fe`febce000 C:\Windows\system32\LPK.dll
ModLoad: 000007fe`fe2b0000 000007fe`fe37a000 C:\Windows\system32\USP10.dll
(1268.1dfc): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!CsrSetPriorityClass+0x40:
00000000`77cbb790 cc int 3
0:000> g
ModLoad: 000007fe`fe640000 000007fe`fe66e000 C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`fe530000 000007fe`fe639000 C:\Windows\system32\MSCTF.dll
Microsoft Windows [Version 6.1.7110]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files\Debugging Tools for Windows (x64)>
(1268.1c1c): Control-C exception - code 40010005 (first chance)
First chance exceptions are reported before any exception handling.
Next find something like CreateFile to breakpoint:
0:001> x *!*CreateFile*
00000000`779fd6a0 kernel32!CreateFileMappingA ()
00000000`779ffb30 kernel32!CreateFileMappingW ()
00000000`77a02740 kernel32!CreateFileW ()
00000000`77a124b0 kernel32!CreateFileA ()
00000000`77a3b980 kernel32!CreateFileMappingNumaW ()
00000000`77a54d50 kernel32!CreateFileMappingNumaA ()
00000000`77a63740 kernel32!LZCreateFileW ()
00000000`77a66450 kernel32!CreateFileTransactedW ()
00000000`77a665f0 kernel32!CreateFileTransactedA ()
00000000`77c5ea20 ntdll!NtCreateFile ()
00000000`77c5ea20 ntdll!ZwCreateFile ()
000007fe`fde94990 KERNELBASE!CreateFileW ()
000007fe`fde96270 KERNELBASE!CreateFileMappingNumaW ()
000007fe`fdea3120 KERNELBASE!CreateFileMappingW ()
000007fe`fdec9cc0 KERNELBASE!CreateFileA ()
Set the breakpoint on Kernel32!CreateFileW (You can figure that out by looking on MSDN)
0:001> bm kernel32!CreateFileW
breakpoint 1 redefined
1: 00000000`77a02740 @!"kernel32!CreateFileW"
Lets open a file and make sure our function is called!
0:002> g
C:\Program Files\Debugging Tools for Windows (x64)>type c:\foo.txt
Breakpoint 1 hit
kernel32!CreateFileW:
00000000`77a02740 48895c2408 mov qword ptr [rsp+8],rbx ss:00000000`0024e180=000000000031df00
0:000>
Our breakpoint is hit. Lets figure out the filename being opened. To do this, we lookup the parameter list of CreateFile on MSDN. Filename is the first parameter. Next we look up the calling convention. On AMD64, the first paramater lives in rcx. Lets dump rcx as a unicode string:
0:000> du rcx
00000000`0031a310 "c:\foo.txt"
0:000>
Awesome - it worked. Lets make our breakpoint automatically print, and continue execution so it's non-intrusive.
0:000> bm kernel32!CreateFileW "du @rcx;g"
breakpoint 1 redefined
1: 00000000`77a02740 @!"kernel32!CreateFileW"
0:000> g
C:\Program Files\Debugging Tools for Windows (x64)>type c:\fo2.txt
00000000`0031a310 "c:\fo2.txt"
The system cannot find the file specified.
C:\Program Files\Debugging Tools for Windows (x64)>type c:\IgorOpenedThisFile.txt
00000000`0031b9e0 "c:\IgorOpenedThisFile.txt"
The system cannot find the file specified.
C:\Program Files\Debugging Tools for Windows (x64)>
Notice the debugger spew intersperesed with cmd output. Anytime we open a file we'll see it in the spew! Use this approach to debug all sorts of I wonder what's going on problems.
Tuesday, September 8, 2009
Copying files across parallel directory structures.
It happens to all of us, you've made a change in branch2, now you need to copy it to branch1. Here's a trick I use to accomplish this task:
How'd that work? Use echo to find out what happened:
For more information run help set.
C:\src\branch1\mydir\mydir2\mydir3\mydir4>xcopy %cd:branch1=branch2%\foo*
Overwrite C:\src\branch1\mydir\mydir2\mydir3\mydir4\foo.txt (Yes/No/All)? y
C:\src\branch2\mydir\mydir2\mydir3\mydir4\foo.txt
1 File(s) copied
How'd that work? Use echo to find out what happened:
C:\src\branch1\mydir\mydir2\mydir3\mydir4>echo %cd:branch1=branch2%
C:\src\branch2\mydir\mydir2\mydir3\mydir4
For more information run help set.
Thursday, July 30, 2009
Finding CLR exceptions without visual studio
(If you want to understand what exception code 0xe0434352 is, read this post)
Often exceptions are thrown and caught and you don't see them. You probably know how to debug this in Visual Studio, so let me show you how to do it in cdb.
Sample Code:
Often exceptions are thrown and caught and you don't see them. You probably know how to debug this in Visual Studio, so let me show you how to do it in cdb.
Sample Code:
class ProgramOutput of the application:
{
static void Main(string[] args)
{
foreach (var x in Enumerable.Range(0,2000))
{
Thread.Sleep(TimeSpan.FromSeconds(1));
Console.WriteLine("Hello World");
ThrowAndCatchException();
}
}
private static void ThrowAndCatchException()
{
try
{
throw new NotImplementedException();
}
catch(Exception)
{
}
}
}
Hello WorldNothing about an exception, but you're sure it's happening behind the covers -- fire up cdb:
Hello World
Hello World
C:\Program Files\Debugging Tools for Windows (x64)>cdb -pn consoleapplication3.exeContinue debugging:
<SNIP>
ModLoad: 000007fe`f7e90000 000007fe`f7eb4000 C:\Windows\Microsoft.NET\Framework64\v4.0.20506\culture.dll
(ff8.17a8): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
ntdll!DbgBreakPoint:
00000000`77b7d7b0 cc int 3
0:004> gExceptions - lots of them:
(ff8.16dc): CLR exception - code e0434352 (first chance)Break on CLR exceptions:
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.16dc): CLR exception - code e0434352 (first chance)
(ff8.1860): Break instruction exception - code 80000003 (first chance)
0:004> sxe clrLoad sos ( in .Net 2/3 use use !loadby sos mscorwks):
0:004> g
(ff8.16dc): CLR exception - code e0434352 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
KERNELBASE!RaiseException+0x3d:
000007fe`fdb8bb5d 4881c4c8000000 add rsp,0C8h
0:000> !loadby sos clrView Stack:
0:000> !CLRStackView Exception:
PDB symbol for clr.dll not loaded
OS Thread Id: 0x16dc (0)
Child SP IP Call Site
000000000096e6a8 000007fefdb8bb5d [HelperMethodFrame: 000000000096e6a8]
000000000096e7c0 000007ff00170360 ConsoleApplication3.Program.ThrowAndCatchException()
000000000096e810 000007ff001701fb ConsoleApplication3.Program.Main(System.String[])
000000000096ec90 000007feef474ca4 [GCFrame: 000000000096ec90]
0:000> !PrintExceptionPretty neat - eh?
Exception object: 0000000002c88c18
Exception type: System.NotImplementedException
Message: The method or operation is not implemented.
InnerException: <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004001
0:000>
Saturday, July 18, 2009
Why write programs that don't modify variables?
Slews of bugs happen because variable have values you aren't expecting. To minimize this class of bugs I use a technique a lot of people find surprising. I try to only assign and never modify variables. In C++, I make almost all my variables const.
C++ people are now saying -- Um if all your values are const how do you write a for loop?
In C++ I can't help myself, I'm stuck with a variable modification eg:
for (size_t x=0;x<6;x++) printf("%d",x) In python the for loop naturally iterates over a sequence so you don't need to modify a value: for x in range(6): print xIn C#, you can use either the C++ syntax or a more python syntax via foreach:
for (int x=0;x<6;x++) Console.WriteLine(x);or
foreach (var x in Enumerable.Range(0,6)) Console.WriteLine(x)
I use the foreach syntax which people initially find confusing. But its value starts to shine when using non zero starting values. Assume I need to generate 113 numbers starting at 27. Which statement do you find expresses it better.
for (int x=27;x<=139;x++) Console.WriteLine(x)
or
foreach (var x in Enumerable.Range(27,113)) Console.WriteLine(x)
Saturday, July 4, 2009
How to attach to an already running debugger target using cdb.
For the last year when I wanted to attach to a process using cdb, I'd attach by PID. This meant i'd need to the following dance:
If there are multiple instances of your process, you'll still need to use tlist
to find the PID you're interested in.
C:\Program Files\Debugging Tools for Windows (x64)>tlist |findstr firefoxIt turns out you can just do:
9128 cmd.exe findstr firefox
276 firefox.exe Restore Session - Vimperator
C:\Program Files\Debugging Tools for Windows (x64)>cdb -p 276
C:\Program Files\Debugging Tools for Windows (x64)>cdb -pn firefox.exe
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
If there are multiple instances of your process, you'll still need to use tlist
to find the PID you're interested in.
Subscribe to:
Posts (Atom)