Using Time Travel Debugging with WinDbgX, how to start it even elevated?
Using WinDbg Preview (aka WinDbgX), i.e. the Store app, we get the option to use Time Travel Debugging (TTD) on older Windows 10 point releases. I have used the corresponding feature in GDB on Linux before and only tried the walkthrough once.
Now I am trying to do this on Windows 10 20H2 (latest patches applied), and of course it requires elevation. However, for the life of me I cannot figure out how to start it so that I can use TTD.
I get the following error when I try:
---------------------------
Fatal error
---------------------------
WindowsDebugger.WindowsDebuggerException: Could not load dbghelp.dll from C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2103.1004.0_neutral__8wekyb3d8bbwe\amd64 : System.ComponentModel.Win32Exception (0x80004005): Access is denied
at DbgX.DbgEngModule.LoadLibraryFromDirectory(String directory, String library)
at DbgX.DbgEngModule.LoadDbgEngModule()
at DbgX.EngineThread.ThreadProc()
---------------------------
OK
---------------------------
... which "kind of" makes sense, since C:\Program Files\WindowsApps has a restrictive ACL set. However, I am a member of the local Administrators group, so I would expect it to work.
How can I work around this so that I can use TTD on Windows 10 20H2?
For anyone else running into this, there is a workaround which, however, defeats the whole idea of the app container (but it works). If you use a tool such as psexec to start a command prompt as nt authority\system, you can copy the WinDbgX subdirectory from under C:\Program Files\WindowsApps to another location, adjust its ACL and run it from the new location (elevate like any desktop application, then start DbgX.Shell.exe).
This used to work, but I haven't tried TTD recently:
press Windows key + S
type windbg preview
right-click, Run as administrator
Edit:
You can also try using runas /user:{machine}\Administrator windbgx, as shown below.
You can read details about the reparse points and the ExecutionAlias paths added under %userpath% here.
Sample code that dumps the reparse point using DeviceIoControl().
You can also use fsutil reparsepoint query filename to get this data.
main()
#include <windows.h>
#include <stdio.h>

void hexdump(unsigned char *buff, int size);

int main(int argc, char *argv[])
{
    if (argc == 2)
    {
        // GetFileAttributesA returns INVALID_FILE_ATTRIBUTES (all bits set) on failure,
        // so test for that explicitly before checking the reparse-point bit
        DWORD attrs = GetFileAttributesA(argv[1]);
        if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_REPARSE_POINT))
        {
            // FILE_FLAG_OPEN_REPARSE_POINT opens the reparse point itself instead of
            // following it to its target; GENERIC_READ is enough for FSCTL_GET_REPARSE_POINT
            HANDLE hFile = CreateFileA(argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING,
                                       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OPEN_REPARSE_POINT, NULL);
            if (hFile != INVALID_HANDLE_VALUE)
            {
                printf("opened the reparse point %p\n", hFile);
                // zero-initialised so the dump of the trailing bytes is deterministic;
                // 4 KiB is well below MAXIMUM_REPARSE_DATA_BUFFER_SIZE and enough for an AppExecLink
                unsigned char reparsebuff[0x1000] = {0};
                DWORD bytesreturned = 0;
                BOOL dcret = DeviceIoControl(hFile, FSCTL_GET_REPARSE_POINT, NULL, 0,
                                             reparsebuff, sizeof(reparsebuff), &bytesreturned, NULL);
                if (dcret)
                {
                    // printed in hexadecimal: "172" below means 0x172 = 370 bytes
                    printf("returned %lx bytes\n", bytesreturned);
                    hexdump(reparsebuff, (int)bytesreturned);
                }
                else
                {
                    printf("DeviceIoControl failed, error %lu\n", GetLastError());
                }
                CloseHandle(hFile);
            }
            else
            {
                printf("CreateFile failed, error %lu\n", GetLastError());
            }
        }
        else
        {
            printf("%s is not a reparse point\n", argv[1]);
        }
        return 0;
    }
    printf("usage %s <path to a reparse file like windbgx.exe>", argv[0]);
    return 1;
}
hexdump()
void hexdump(unsigned char *buff, int size)
{
    int j = 0;
    while (j < size)
    {
        // hex column: 16 bytes per row, blank-padded past the end of the buffer
        // instead of reading beyond 'size'
        for (int i = j; i < j + 16; i++)
        {
            if (i < size)
                printf("%02x ", buff[i]);
            else
                printf("   ");
        }
        printf("\t");
        // ASCII column: printable 7-bit characters as-is, everything else as '.'
        for (int i = j; i < j + 16 && i < size; i++)
        {
            if (buff[i] < 32 || buff[i] > 126)
                printf(". ");
            else
                printf("%c ", buff[i]);
        }
        printf("\n");
        j = j + 16;
    }
}
Compiled, linked and executed with VS2017 Community:
:\>cl /Zi /analyze /W4 /EHsc /Od /nologo reparsedumper.cpp /link /release
reparsedumper.cpp
:\>reparsedumper.exe
usage reparsedumper.exe <path to a reparse file like windbgx.exe>
:\>reparsedumper.exe "c:\Users\xxxxx\AppData\Local\Microsoft\WindowsApps\WinDbgX.exe"
opened the reparse point 00000000000000A8
returned 172 bytes
1b 00 00 80 6a 01 00 00 03 00 00 00 4d 00 69 00 . . . . j . . . . . . . M . i .
63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 c . r . o . s . o . f . t . . .
57 00 69 00 6e 00 44 00 62 00 67 00 5f 00 38 00 W . i . n . D . b . g . _ . 8 .
77 00 65 00 6b 00 79 00 62 00 33 00 64 00 38 00 w . e . k . y . b . 3 . d . 8 .
62 00 62 00 77 00 65 00 00 00 4d 00 69 00 63 00 b . b . w . e . . . M . i . c .
72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00 r . o . s . o . f . t . . . W .
69 00 6e 00 44 00 62 00 67 00 5f 00 38 00 77 00 i . n . D . b . g . _ . 8 . w .
65 00 6b 00 79 00 62 00 33 00 64 00 38 00 62 00 e . k . y . b . 3 . d . 8 . b .
62 00 77 00 65 00 21 00 4d 00 69 00 63 00 72 00 b . w . e . ! . M . i . c . r .
6f 00 73 00 6f 00 66 00 74 00 2e 00 57 00 69 00 o . s . o . f . t . . . W . i .
6e 00 44 00 62 00 67 00 00 00 43 00 3a 00 5c 00 n . D . b . g . . . C . : . \ .
50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 P . r . o . g . r . a . m . .
46 00 69 00 6c 00 65 00 73 00 5c 00 57 00 69 00 F . i . l . e . s . \ . W . i .
6e 00 64 00 6f 00 77 00 73 00 41 00 70 00 70 00 n . d . o . w . s . A . p . p .
73 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 s . \ . M . i . c . r . o . s .
6f 00 66 00 74 00 2e 00 57 00 69 00 6e 00 44 00 o . f . t . . . W . i . n . D .
62 00 67 00 5f 00 31 00 2e 00 32 00 30 00 30 00 b . g . _ . 1 . . . 2 . 0 . 0 .
37 00 2e 00 36 00 30 00 30 00 31 00 2e 00 30 00 7 . . . 6 . 0 . 0 . 1 . . . 0 .
5f 00 6e 00 65 00 75 00 74 00 72 00 61 00 6c 00 _ . n . e . u . t . r . a . l .
5f 00 5f 00 38 00 77 00 65 00 6b 00 79 00 62 00 _ . _ . 8 . w . e . k . y . b .
33 00 64 00 38 00 62 00 62 00 77 00 65 00 5c 00 3 . d . 8 . b . b . w . e . \ .
44 00 62 00 67 00 58 00 2e 00 53 00 68 00 65 00 D . b . g . X . . . S . h . e .
6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 30 00 l . l . . . e . x . e . . . 0 .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . . . . . . . . . . . . . . . .
:\>
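The dump above is an AppExecLink reparse buffer (tag 0x8000001B, the "1b 00 00 80" at offset 0): an 8-byte generic REPARSE_DATA_BUFFER header (ReparseTag, ReparseDataLength, Reserved), a 4-byte version (3 here), then a list of null-terminated UTF-16LE strings. Reading the dump, the strings are the package family name, an identity of the form PackageFamilyName!AppId, the target executable inside C:\Program Files\WindowsApps, and a final "0". The following is an added example, not code from the answer above: it decodes that layout from the 0x172 = 370 bytes shown in the dump (transcribed inline, so it runs on any platform without Win32), validates the length field against the buffer before trusting it, and rejects wrong tags and unterminated strings. The field names and the meaning of the fourth string are assumptions inferred from the dump; the same raw bytes come from DeviceIoControl(FSCTL_GET_REPARSE_POINT) as in the program above, or from fsutil reparsepoint query.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reparse tag for Store-app execution aliases (the "1b 00 00 80" in the dump). */
#define IO_REPARSE_TAG_APPEXECLINK 0x8000001BUL
#define APPEXECLINK_MAX_STRINGS 4
#define APPEXECLINK_MAX_STRLEN 260

/* Decoded view of an AppExecLink buffer. String order as observed in the dump (assumption):
 * [0] package family name, [1] PackageFamilyName!AppId, [2] target executable path,
 * [3] flags string (the dump only ever shows "0"). */
typedef struct {
    uint32_t tag;
    uint16_t data_length;   /* ReparseDataLength: bytes following the 8-byte generic header */
    uint32_t version;
    unsigned nstrings;
    char strings[APPEXECLINK_MAX_STRINGS][APPEXECLINK_MAX_STRLEN];
} appexeclink_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a raw FSCTL_GET_REPARSE_POINT output buffer of 'len' bytes.
 * Returns 0 on success, -1 too short, -2 not an AppExecLink tag,
 * -3 length field claims more than the buffer holds, -4 string without terminator. */
int parse_appexeclink(const uint8_t *buf, size_t len, appexeclink_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 12) return -1;
    out->tag = rd32(buf);
    out->data_length = rd16(buf + 4);          /* buf+6..7 is Reserved */
    if (out->tag != IO_REPARSE_TAG_APPEXECLINK) return -2;
    size_t end = 8 + (size_t)out->data_length;  /* never trust the length field blindly */
    if (end > len) return -3;
    out->version = rd32(buf + 8);
    size_t pos = 12;
    while (pos + 1 < end && out->nstrings < APPEXECLINK_MAX_STRINGS) {
        char *dst = out->strings[out->nstrings];
        size_t n = 0;
        int terminated = 0;
        while (pos + 1 < end) {
            uint16_t cu = rd16(buf + pos);      /* one UTF-16LE code unit */
            pos += 2;
            if (cu == 0) { terminated = 1; break; }
            /* the strings in an alias are plain ASCII; anything wider is shown as '?' */
            if (n + 1 < APPEXECLINK_MAX_STRLEN) dst[n++] = cu < 0x80 ? (char)cu : '?';
        }
        dst[n] = '\0';
        if (!terminated) return -4;
        out->nstrings++;
    }
    return 0;
}

/* The 370 bytes from the WinDbgX.exe dump above, transcribed verbatim (the zero padding
 * that the 0x1000-byte buffer added after offset 0x172 is omitted). */
static const uint8_t sample_reparse[] = {
    0x1b,0x00,0x00,0x80,0x6a,0x01,0x00,0x00,0x03,0x00,0x00,0x00,0x4d,0x00,0x69,0x00,
    0x63,0x00,0x72,0x00,0x6f,0x00,0x73,0x00,0x6f,0x00,0x66,0x00,0x74,0x00,0x2e,0x00,
    0x57,0x00,0x69,0x00,0x6e,0x00,0x44,0x00,0x62,0x00,0x67,0x00,0x5f,0x00,0x38,0x00,
    0x77,0x00,0x65,0x00,0x6b,0x00,0x79,0x00,0x62,0x00,0x33,0x00,0x64,0x00,0x38,0x00,
    0x62,0x00,0x62,0x00,0x77,0x00,0x65,0x00,0x00,0x00,0x4d,0x00,0x69,0x00,0x63,0x00,
    0x72,0x00,0x6f,0x00,0x73,0x00,0x6f,0x00,0x66,0x00,0x74,0x00,0x2e,0x00,0x57,0x00,
    0x69,0x00,0x6e,0x00,0x44,0x00,0x62,0x00,0x67,0x00,0x5f,0x00,0x38,0x00,0x77,0x00,
    0x65,0x00,0x6b,0x00,0x79,0x00,0x62,0x00,0x33,0x00,0x64,0x00,0x38,0x00,0x62,0x00,
    0x62,0x00,0x77,0x00,0x65,0x00,0x21,0x00,0x4d,0x00,0x69,0x00,0x63,0x00,0x72,0x00,
    0x6f,0x00,0x73,0x00,0x6f,0x00,0x66,0x00,0x74,0x00,0x2e,0x00,0x57,0x00,0x69,0x00,
    0x6e,0x00,0x44,0x00,0x62,0x00,0x67,0x00,0x00,0x00,0x43,0x00,0x3a,0x00,0x5c,0x00,
    0x50,0x00,0x72,0x00,0x6f,0x00,0x67,0x00,0x72,0x00,0x61,0x00,0x6d,0x00,0x20,0x00,
    0x46,0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x73,0x00,0x5c,0x00,0x57,0x00,0x69,0x00,
    0x6e,0x00,0x64,0x00,0x6f,0x00,0x77,0x00,0x73,0x00,0x41,0x00,0x70,0x00,0x70,0x00,
    0x73,0x00,0x5c,0x00,0x4d,0x00,0x69,0x00,0x63,0x00,0x72,0x00,0x6f,0x00,0x73,0x00,
    0x6f,0x00,0x66,0x00,0x74,0x00,0x2e,0x00,0x57,0x00,0x69,0x00,0x6e,0x00,0x44,0x00,
    0x62,0x00,0x67,0x00,0x5f,0x00,0x31,0x00,0x2e,0x00,0x32,0x00,0x30,0x00,0x30,0x00,
    0x37,0x00,0x2e,0x00,0x36,0x00,0x30,0x00,0x30,0x00,0x31,0x00,0x2e,0x00,0x30,0x00,
    0x5f,0x00,0x6e,0x00,0x65,0x00,0x75,0x00,0x74,0x00,0x72,0x00,0x61,0x00,0x6c,0x00,
    0x5f,0x00,0x5f,0x00,0x38,0x00,0x77,0x00,0x65,0x00,0x6b,0x00,0x79,0x00,0x62,0x00,
    0x33,0x00,0x64,0x00,0x38,0x00,0x62,0x00,0x62,0x00,0x77,0x00,0x65,0x00,0x5c,0x00,
    0x44,0x00,0x62,0x00,0x67,0x00,0x58,0x00,0x2e,0x00,0x53,0x00,0x68,0x00,0x65,0x00,
    0x6c,0x00,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00,0x00,0x30,0x00,
    0x00,0x00
};

int main(void)
{
    appexeclink_t r;
    int rc = parse_appexeclink(sample_reparse, sizeof sample_reparse, &r);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    printf("tag 0x%08x, data length 0x%x, version %u\n",
           (unsigned)r.tag, (unsigned)r.data_length, (unsigned)r.version);
    for (unsigned i = 0; i < r.nstrings; i++)
        printf("string[%u] = %s\n", i, r.strings[i]);
    return 0;
}
```

Note that the target path embedded in the alias is the versioned package directory under C:\Program Files\WindowsApps, which is exactly the location the elevated process could not load dbghelp.dll from; the alias itself carries no ACL and changes nothing about who may read that directory.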