Windows Server debugging: view User Mode Stack in WDM Kernel Mode Driver Breakpoint
Asked by: Tiago Castro, 2014-12-03T20:10:15

I'm debugging a WDM Kernel driver IOCTL using Visual Studio Kernel Mode Debugger via pipe Serial connection to a Hyper-V VM running Windows Server 2012 R2. Once I hit a breakpoint inside the Driver IOControl is it possible to view the user mode call stack?

At the moment I can only see the kernel stack, e.g.:

    SIoctl!SioctlDeviceControl+0x14b [d:\workspace\ioctl\c++\sys\sioctl.c @ 320]    C/C++/ASM
    nt!IovCallDriver+0x3cd  C/C++/ASM
    nt!IopXxxControlFile+0x8d2  C/C++/ASM
    nt!NtDeviceIoControlFile+0x56   C/C++/ASM
    nt!KiSystemServiceCopyEnd+0x13  C/C++/ASM
    ntdll!NtDeviceIoControlFile+0xa C/C++/ASM
    KERNELBASE!DeviceIoControl+0x73 C/C++/ASM
    KERNEL32!DeviceIoControl+0x80   C/C++/ASM
    0x9c402408  C/C++/ASM
>   0x0000005e`2f5af9c8 C/C++/ASM

Copyright Notice: Content Author: "Tiago Castro", reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article: https://stackoverflow.com/questions/27271462/windows-server-debugging-view-user-mode-stack-in-wdm-kernel-mode-driver-breakpo

Answers
Remus Rusanu, answered 2014-12-03T12:26:15

Yes, you need to switch to the desired process first and then you have access to its stack(s). See .process:

> The .process command instructs the kernel debugger to use a specific user-mode process as the process context. This usage has several effects, but the most important is that the debugger has access to the virtual address space of this process. The debugger uses the page tables for this process to interpret all user-mode memory addresses, so you can read and write to this memory.
>
> Note: If you are performing live debugging, you should use the /i or the /p parameter. Without one of these parameters, you cannot correctly display user-mode or session memory.
>
> The /i parameter activates the target process. When you use this option, you must execute the target once for this command to take effect. If you execute again, the process context is lost.
>
> The /p parameter enables the forcedecodeuser setting. (You do not have to use /p if the forcedecodeuser option is already active.) The process context and the forcedecodeuser state remain only until the target executes again.

I am aware you asked about Visual Studio and I answered about WinDbg. I think you should use a tool appropriate for the job. WinDbg is infinitely more flexible and more powerful when it comes to debugging. I think in VS you would use the Process context, but I would recommend, again, use WinDbg.
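
As an added example (not part of the question or of Remus Rusanu's answer), this is what the .process workflow described above looks like in a WinDbg kernel session against the driver from the question. The driver and function names (SIoctl!SioctlDeviceControl, sioctl.c) come from the question's stack; the process address ffffe000`12345678, the image name ioctlapp.exe, the Cid/Peb values and every output line are constructed, and the two application frames (ioctlapp!SendIoctl, ioctlapp!main) are assumptions standing in for the bare addresses in the question's stack.

```windbg
$$ Added example session (kd = kernel debugger prompt); all output is constructed.

$$ --- Path 1: you are already broken in the driver's IOCTL dispatch routine ---
$$ IRP_MJ_DEVICE_CONTROL reaches a top-level driver on the calling thread, so the
$$ current process is already the user-mode caller. What is missing is user-mode
$$ address decoding and the application's symbols: .process /p /r supplies both.
kd> bp SIoctl!SioctlDeviceControl
kd> g
Breakpoint 0 hit
SIoctl!SioctlDeviceControl:

kd> !process -1 0
PROCESS ffffe000`12345678
    SessionId: 1  Cid: 0a1c    Peb: 7ff6c2e3d000  ParentCid: 0f20
    Image: ioctlapp.exe

kd> .process /p /r ffffe000`12345678
Implicit process is now ffffe000`12345678
Loading User Symbols

kd> k
 # Call Site
00 SIoctl!SioctlDeviceControl [d:\workspace\ioctl\c++\sys\sioctl.c @ 320]
01 nt!IovCallDriver
02 nt!IopXxxControlFile
03 nt!NtDeviceIoControlFile
04 nt!KiSystemServiceCopyEnd
05 ntdll!NtDeviceIoControlFile
06 KERNELBASE!DeviceIoControl
07 KERNEL32!DeviceIoControl
08 ioctlapp!SendIoctl
09 ioctlapp!main
$$ Frames 08-09 were the bare addresses (0x9c402408, 0x0000005e`2f5af9c8) before
$$ user-mode symbols were loaded for the process.

$$ --- Path 2: the target is stopped elsewhere; pick the process with .process /i ---
kd> !process 0 0 ioctlapp.exe
PROCESS ffffe000`12345678
    SessionId: 1  Cid: 0a1c    Peb: 7ff6c2e3d000  ParentCid: 0f20
    Image: ioctlapp.exe

kd> .process /i ffffe000`12345678
You need to continue execution (press 'g' <enter>) for the context to be switched.
When the debugger breaks in again, you will be in the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)

kd> .reload /user
Loading User Symbols
kd> bp SIoctl!SioctlDeviceControl
kd> g
Breakpoint 0 hit
SIoctl!SioctlDeviceControl:
$$ The /p (forcedecodeuser) state was dropped when the target ran, so re-assert it
$$ for the current process before walking the stack. @$proc is the current EPROCESS.
kd> .process /p /r @$proc
kd> k
```

Two things worth checking before concluding that the user-mode frames are unreadable. First, `!process -1 0` tells you whose thread you are on; if it is the application that issued the DeviceIoControl, the question's stack already contains the user-mode frames (ntdll, KERNELBASE, KERNEL32) and the only gap is symbols for the application image, which `.process /p /r` (equivalently `.reload /user` after `.process /p`) fills in. Second, because both the /i activation and the /p state last only until the next `g`, put the `.process /p /r` step after the breakpoint hits, not before, or the stack walk will again show raw addresses.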

