Tags: windows, windbg, debug-symbols, wdk

Cannot run extension commands in WinDBG


(Sorry for the analogous question I posted; I've modified it.) I'm trying to debug an executable PE file on Windows XP to see how the PDE and PTE work in a real system. I've learned that WinDbg has some commands to see the details. It seems that !pte would be able to show the corresponding PDE and PTE of a virtual address. But I come across

    0:000> !pte
    No export pte found

I did some Google searching and found that it is an extension command, but I don't see any description of how to enable these extensions. It seems that everybody is using it directly except me.

I wonder what I have missed but couldn't figure it out. Could anyone please give me some advice?

Thanks.


Solution

  • Since you are using XP, Local Kernel Debugging support is available without having to edit the boot configuration and rebooting.

    If you are on an operating system higher than XP, you need to edit the boot configuration of the OS with the /debug on switch and reboot for local kernel debugging support:

    bcdedit /debug on and reboot; only then will windbg -kl work on an OS greater than XP.

    If you don't want to edit your boot configuration, download LiveKd
    from Sysinternals and use it instead for local kernel debugging.

    Open WinDbg with this command line:

    windbg -kl
    

    This will open WinDbg with the prompt lkd> instead of the 0:000> prompt.

    Now you can use the !pte command.

    Substitute explorer.exe with the name of the running binary which you want to examine (be aware this is not user mode; you are looking at the kernel-mode part of your binary).
    In the example below I am using LiveKd on a Windows 7 x86 32-bit physical machine.

    C:\>livekd    
    LiveKd v5.40 - Execute kd/windbg on a live system
    Sysinternals - www.sysinternals.com
    Copyright (C) 2000-2015 Mark Russinovich and Ken Johnson
    
    Launching C:\Program Files\Windows Kits\8.1\Debuggers\x86\kd.exe:
    
    Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    kd> !process 0 0 explorer.exe
    
    PROCESS 864b2638  SessionId: 1  Cid: 05f8    Peb: 7ffde000  ParentCid: 05e4
        DirBase: 7e28c2c0  ObjectTable: 964ccad8  HandleCount: 1062.
        Image: explorer.exe
    
    kd> .process /p /r 864b2638
    Implicit process is now 864b2638
    Loading User Symbols
    
    kd> !pte explorer
                        VA 00400000
    PDE at C0600010            PTE at C0002000
    contains 000000000FFB2867  contains 80000000103F7025
    pfn ffb2      ---DA--UWEV  pfn 103f7     ----A--UR-V
    
    kd> $$ page table entry contains 103f7025
    kd> dc c0002000 l1
    c0002000  103f7025                             %p?.
    kd> $$ the top 5 bytes are page frame nos lets see if the physical page contains MZ
    kd> !dc 103f7000 l1
    #103f7000 00905a4d MZ.......L`...ac
    kd>
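To make the !pte output above easier to read, here is an added example (not part of the answer, and not WinDbg's own code) that recomputes the PDE/PTE addresses, the page frame number and the flag string from the session's numbers. It assumes the x86 PAE self-map bases 0xC0000000 (PTEs) and 0xC0600000 (PDEs) seen in the session, and that the flag letters are ordered as WinDbg prints them (C G L D A N T U/K W/R E/- V); the writable flag is taken from hardware bit 1.

```python
# Added example: decode x86 PAE page-table entries as shown by !pte.
PTE_BASE = 0xC0000000  # assumed PTE self-map base (matches "PTE at C0002000")
PDE_BASE = 0xC0600000  # assumed PDE base under the same self-map ("PDE at C0600010")


def pae_table_addresses(va):
    """Virtual addresses of the 8-byte PDE and PTE that map `va` under PAE."""
    pde = PDE_BASE + ((va >> 21) & 0x7FF) * 8     # one PDE per 2 MiB
    pte = PTE_BASE + ((va >> 12) & 0xFFFFF) * 8   # one PTE per 4 KiB
    return pde, pte


def decode_pae_entry(entry):
    """Split a 64-bit PAE PDE/PTE into (pfn, flags) the way !pte displays them."""
    bit = lambda n: (entry >> n) & 1
    pfn = (entry >> 12) & ((1 << 40) - 1)         # bits 12..51: page frame number
    flags = (
        ("C" if bit(9) else "-")      # copy-on-write (Windows software bit)
        + ("G" if bit(8) else "-")    # global
        + ("L" if bit(7) else "-")    # large page (meaningful in a PDE)
        + ("D" if bit(6) else "-")    # dirty
        + ("A" if bit(5) else "-")    # accessed
        + ("N" if bit(4) else "-")    # cache disabled
        + ("T" if bit(3) else "-")    # write-through
        + ("U" if bit(2) else "K")    # user / kernel
        + ("W" if bit(1) else "R")    # writable / read-only (hardware write bit)
        + ("-" if bit(63) else "E")   # NX set means not executable
        + ("V" if bit(0) else "-")    # valid
    )
    return pfn, flags


def physical_address(pte, va):
    """Physical address backing `va`, given its valid PTE (what !dc was given)."""
    pfn, _ = decode_pae_entry(pte)
    return (pfn << 12) | (va & 0xFFF)


if __name__ == "__main__":
    # Values copied from the LiveKd session in the answer.
    va, pde_val, pte_val = 0x00400000, 0x000000000FFB2867, 0x80000000103F7025
    pde_at, pte_at = pae_table_addresses(va)
    print(f"VA {va:08X}: PDE at {pde_at:08X}  PTE at {pte_at:08X}")
    for name, val in (("PDE", pde_val), ("PTE", pte_val)):
        pfn, flags = decode_pae_entry(val)
        print(f"{name} contains {val:016X}  pfn {pfn:x}  {flags}")
    print(f"physical address of VA {va:08X}: {physical_address(pte_val, va):08X}")
```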