
Comments (6)

JsHuang commented on June 5, 2024

Add details

Microsoft Windows [Version 10.0.19042.1165]
(c) Microsoft Corporation. All rights reserved.

C:\Users\OS>BugId.cmd -v %WinDir%\system32\rundll32.exe -- advapi32 CloseThreadWaitChainSession
┌─ Warning ────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ You are running Python 2.7.15, which is outdated.
│ Please update Python to the latest version!
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
* Command line: C:\Windows\system32\rundll32.exe advapi32 CloseThreadWaitChainSession
log>helper thread started (Thread: Thread #2648 [cdb.exe stdin/out thread] <bound method cCdbWrapper.fCdbStdInOutHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>())
log>helper thread started (Thread: Thread #2040 [cdb.exe stderr thread] <bound method cCdbWrapper.fCdbStdErrHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>())
log>helper thread started (Thread: Thread #7284 [cleanup thread] <bound method cCdbWrapper.fCleanupHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>())
log>Starting application (Binary path: C:\Windows\system32\rundll32.exe, Arguments: advapi32 CloseThreadWaitChainSession)
log>Started process (Command line: C:\Windows\system32\rundll32.exe advapi32 CloseThreadWaitChainSession, Process id: 4512/0x11A0, Binary name: rundll32.exe)
+ Sub process 4512/0x11A0 (rundll32.exe): Started; command line = C:\Windows\system32\rundll32.exe advapi32 CloseThreadWaitChainSession.
log>helper thread started (Thread: Thread #5376 [Application stderr thread for process 4512/0x11A0] <bound method cCdbWrapper.fApplicationStdOutOrErrHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>(<mWindowsAPI.cConsoleProcess.cConsoleProcess object at 0x0000000006C8FEF0>, <mWindowsAPI.cPipe.cPipe object at 0x0000000006C8FAC8>))
log>helper thread started (Thread: Thread #7268 [Application stdout thread for process 4512/0x11A0] <bound method cCdbWrapper.fApplicationStdOutOrErrHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>(<mWindowsAPI.cConsoleProcess.cConsoleProcess object at 0x0000000006C8FEF0>, <mWindowsAPI.cPipe.cPipe object at 0x0000000006C8FCF8>))
stdout>
stdout>Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
stdout>Copyright (c) Microsoft Corporation. All rights reserved.
stdout>
stdout>CommandLine: C:\Windows\system32\cmd.exe /K "ECHO OFF"
stdout>
stdout>************* Path validation summary **************
stdout>Response                         Time (ms)     Location
stdout>Deferred                                       cache*
stdout>Deferred                                       srv*http://msdl.microsoft.com/download/symbols
stdout>Deferred                                       cache*C:\mysymbols
stdout>Deferred                                       srv*https://msdl.microsoft.com/download/symbols
stdout>Symbol search path is: cache*;srv*http://msdl.microsoft.com/download/symbols;cache*C:\mysymbols;srv*https://msdl.microsoft.com/download/symbols
stdout>Executable search path is:
stdout>ModLoad: 00007ff7`49370000 00007ff7`493d7000   cmd.exe
stdout>ModLoad: 00007fff`2eb70000 00007fff`2ed65000   ntdll.dll
stdout>ModLoad: 00007fff`2d8b0000 00007fff`2d96d000   C:\Windows\System32\KERNEL32.DLL
stdout>ModLoad: 00007fff`2c7f0000 00007fff`2cab9000   C:\Windows\System32\KERNELBASE.dll
stdout>ModLoad: 00007fff`2d4e0000 00007fff`2d57e000   C:\Windows\System32\msvcrt.dll
stdout>ModLoad: 00007fff`2d0f0000 00007fff`2d445000   C:\Windows\System32\combase.dll
stdout>ModLoad: 00007fff`2c3d0000 00007fff`2c4d0000   C:\Windows\System32\ucrtbase.dll
stdout>ModLoad: 00007fff`2e6b0000 00007fff`2e7da000   C:\Windows\System32\RPCRT4.dll
stdout>(1c20.1fc0): Break instruction exception - code 80000003 (first chance)
stdout>ntdll!LdrpDoDebuggerBreak+0x30:
stdout>00007fff`2ec40770 cc              int     3
stdout>0:000>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .prompt_allow -dis -ea -reg -src -sym; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Display only the prompt
stdout><☺[☻{
stdout>Allow the following information to be displayed at the prompt:
stdout>(Other settings can affect whether the information is actually displayed)
stdout>  None
stdout>Do not allow the following information to be displayed at the prompt:
stdout>   sym - Symbol for current instruction
stdout>   dis - Disassembly of current instruction
stdout>    ea - Effective address for current instruction
stdout>   reg - Register state
stdout>   src - Source info for current instruction
stdout>}☻]☺>
stdout>0:000>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .pcmd -s ".printf \"\\r\\n\";"; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Output a CRLF after running the application
stdout><☺[☻{
stdout>Set prompt command
stdout>Per-prompt command is '.printf "\r\n";'
stdout>}☻]☺>
stdout>0:000>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .lastevent; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Get information about last event
stdout><☺[☻{
stdout>Last event: 1c20.1fc0: Break instruction exception - code 80000003 (first chance)
stdout>  debugger time: Tue Mar  8 10:41:42.705 2022 (UTC + 8:00)
stdout>}☻]☺>
stdout>0:000>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ sxd *; sxi ibp; sxi ld; sxi ud; sxi 0x80000007; sxd 0xC0000420; sxe cpr; sxe epr; sxe aph; sxe 0xC0000005; sxe 0x80000003; sxe 0xC000008C; sxe 0x80000002; sxe 0xC0000602; sxe 0x80000001; sxe 0xC000001D; sxe 0xC0000006; sxe 0xC0000096; sxe 0xC0000409; sxe 0xC00000FD; sxe 0x4000001F; sxe out; sxe 0x80070008; sxe 0x8007000E; sxe 0x8007046A; sxe 0x80073623; sxe 0xC0000017; sxe 0xE0000008; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Setup exception handling
stdout><☺[☻{
stdout>}☻]☺>
stdout>0:000>
log>Utility process created (Process id: 7200/0x1C20)
log>Attaching to process (Process: 4512/0x11A0)
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .attach 0x11A0; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Attach to process 4512
stdout><☺[☻{
stdout>Attach will occur on next execution
stdout>}☻]☺>
stdout>0:000>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .time; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Get debugger time
stdout><☺[☻{
stdout>Debug session time: Tue Mar  8 10:41:42.798 2022 (UTC + 8:00)
stdout>System Uptime: 0 days 0:28:48.560
stdout>Process Uptime: 0 days 0:00:00.123
stdout>  Kernel time: 0 days 0:00:00.015
stdout>  User time: 0 days 0:00:00.000
stdout>}☻]☺>
stdout>0:000>
<stdin<gh;
log>helper thread started (Thread: Thread #6256 [cdb.exe interrupt on timeout thread] <bound method cCdbWrapper.fCdbInterruptOnTimeoutHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>())
stdout>*** wait with pending attach
log>StdOut output (Line: *** wait with pending attach)
stdout>
stdout>************* Path validation summary **************
log>StdOut output (Line: ************* Path validation summary **************)
stdout>Response                         Time (ms)     Location
log>StdOut output (Line: Response                         Time (ms)     Location)
stdout>Deferred                                       cache*
log>StdOut output (Line: Deferred                                       cache*)
stdout>Deferred                                       srv*http://msdl.microsoft.com/download/symbols
log>StdOut output (Line: Deferred                                       srv*http://msdl.microsoft.com/download/symbols)
stdout>Deferred                                       cache*C:\mysymbols
log>StdOut output (Line: Deferred                                       cache*C:\mysymbols)
stdout>Deferred                                       srv*https://msdl.microsoft.com/download/symbols
log>StdOut output (Line: Deferred                                       srv*https://msdl.microsoft.com/download/symbols)
stdout>Symbol search path is: cache*;srv*http://msdl.microsoft.com/download/symbols;cache*C:\mysymbols;srv*https://msdl.microsoft.com/download/symbols
log>StdOut output (Line: Symbol search path is: cache*;srv*http://msdl.microsoft.com/download/symbols;cache*C:\mysymbols;srv*https://msdl.microsoft.com/download/symbols)
stdout>Executable search path is:
log>StdOut output (Line: Executable search path is: )
stdout>
stdout>1:003>
log>helper thread terminated (Thread: Thread #6256 [cdb.exe interrupt on timeout thread] <bound method cCdbWrapper.fCdbInterruptOnTimeoutHelperThread of <cBugId.cCdbWrapper.cCdbWrapper object at 0x0000000006B63CF8>>())
<stdin<
stdout>1:003>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .lastevent; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Get information about last event
stdout><☺[☻{
stdout>Last event: 11a0.17f8: Create process 1:11a0
stdout>  debugger time: Tue Mar  8 10:41:42.830 2022 (UTC + 8:00)
stdout>}☻]☺>
stdout>1:003>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ |~[0x11A0]s; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Select process
stdout><☺[☻{
stdout>
stdout>}☻]☺>
stdout>1:003>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ r @$tid; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Get current thread id
stdout><☺[☻{
stdout>$tid=00000000000017f8
stdout>}☻]☺>
stdout>1:003>
log>Process attached (Command line: C:\Windows\system32\rundll32.exe advapi32 CloseThreadWaitChainSession, Is main process: yes, Process id: 4512/0x11A0, Binary name: rundll32.exe)
+ Main process 4512/0x11A0 (rundll32.exe): Attached; command line = C:\Windows\system32\rundll32.exe advapi32 CloseThreadWaitChainSession.
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ .childdbg 1; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Debug child processes
stdout><☺[☻{
stdout>Processes created by the current process will be debugged
stdout>}☻]☺>
stdout>1:003>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ ~*m }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Resume threads for process 4512/0x11A0
stdout><☺[☻{
stdout>}☻]☺>
stdout>1:003>
<stdin<.printf "%c%c%c%c%c\r\n", 0x3C, 0x1, 0x5B, 0x2, 0x7B; .block{ lmov a 0x7FF7C8290000; }; .printf "%c%c%c%c%c\r\n", 0x7D, 0x2, 0x5D, 0x1, 0x3E; $$ Get module information
stdout><☺[☻{
stdout>start             end                 module name
stdout>00007ff7`c8290000 00007ff7`c82a7000   rundll32   (deferred)
stdout>    Image path: rundll32.exe
stdout>    Image name: rundll32.exe
stdout>    Image was built with /Brepro flag.
stdout>    Timestamp:        FB4A9A6B (This is a reproducible build file hash, not a timestamp)
stdout>    CheckSum:         00018F8D
stdout>    ImageSize:        00017000
stdout>    File version:     10.0.19041.746
stdout>    Product version:  10.0.19041.746
stdout>    File flags:       0 (Mask 3F)
stdout>    File OS:          40004 NT Win32
stdout>    File type:        1.0 App
stdout>    File date:        00000000.00000000
stdout>    Translations:     0409.04b0
stdout>    Information from resource tables:
stdout>        CompanyName:      Microsoft Corporation
stdout>        ProductName:      Microsoft® Windows® Operating System
stdout>        InternalName:     rundll
stdout>        OriginalFilename: RUNDLL32.EXE
stdout>        ProductVersion:   10.0.19041.746
stdout>        FileVersion:      10.0.19041.746 (WinBuild.160101.0800)
stdout>        FileDescription:  Windows host process (Rundll32        LegalCopyright:   © Microsoft Corporation. All rights reserved.


SkyLined commented on June 5, 2024

Hi, thanks for the bug report!

It looks like the Microsoft Windows debugger (cdb.exe) is either stuck trying to output information about a DLL, or it is failing to properly output the "I'm done" string after outputting the information (which is }☻]☺>, as can be seen in the output). In either case, BugId is waiting indefinitely for cdb.exe to output }☻]☺> before it can continue.

Can you please check that you have the latest version of Debugging Tools for Windows installed? A newer version may not have this issue, which would resolve the problem.

Ideally, I'd remove the dependency on cdb.exe, so I won't have to deal with its buggy code that I cannot fix. This means implementing code to collect information about loaded modules directly. This will require calling Windows APIs to gather the info, or reading remote memory and parsing the PE headers.

Unfortunately, implementing a proper fix for this is going to take a while, as I do not have enough time to get it done quickly.
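
The hang discussed in this comment comes from waiting for the end marker without a deadline. The following reader for the marker-framed cdb.exe output fails with the partial output instead of blocking; it is an added illustration, not BugId's own code, and the queue interface and the names `read_framed_block`, `IncompleteOutput` and `feed` are assumptions.

```python
import queue

# Marker characters taken from the .printf commands in the log above:
# 0x3C 0x01 0x5B 0x02 0x7B (start) and 0x7D 0x02 0x5D 0x01 0x3E (end).
# The console renders 0x01 and 0x02 as the two smiley glyphs.
START_MARKER = "<\x01[\x02{"
END_MARKER = "}\x02]\x01>"


class IncompleteOutput(Exception):
    """The end marker never arrived; .partial holds what was received."""

    def __init__(self, reason, partial):
        super().__init__(f"{reason} after {len(partial)} line(s)")
        self.reason = reason
        self.partial = partial


def read_framed_block(lines, idle_timeout_s):
    """Return the lines between the markers, or raise IncompleteOutput.

    `lines` is a queue.Queue fed by a reader thread: one str per output
    line, None at end of stream (hypothetical interface for this sketch).
    `idle_timeout_s` bounds the wait for each next line.
    """
    block, inside = [], False
    while True:
        try:
            line = lines.get(timeout=idle_timeout_s)
        except queue.Empty:
            raise IncompleteOutput("timeout", block) from None
        if line is None:
            raise IncompleteOutput("end of stream", block)
        line = line.rstrip("\r\n")
        if not inside:
            inside = line == START_MARKER  # skip prompts before the block
        elif line == END_MARKER:
            return block
        else:
            block.append(line)


def feed(sample):
    """Load constructed sample lines into a queue for read_framed_block."""
    q = queue.Queue()
    for item in sample:
        q.put(item)
    return q
```

The partial lines carried by the exception show where the output stopped, which is the information needed to report which command the debugger stalled on.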


JsHuang commented on June 5, 2024

> Can you please check that you have the latest version of Debugging Tools for Windows installed? A newer version may not have this issue, which would resolve the problem.

The version of Debugging Tools for Windows I used was 10.0.22000.194, which is the latest I guess (downloaded just a few days ago).

SkyLined commented on June 5, 2024

That is frustrating. I cannot reproduce the issue on my machine unfortunately. I have the same version of cdb.exe as you.

SkyLined commented on June 5, 2024

Over the past months I have updated the code to get most of the module information directly and no longer through cdb.exe. Can you still reproduce this issue with the latest release?

SkyLined commented on June 5, 2024

As far as I can tell, I have removed all dependency on lmov: it is no longer used, so this issue should no longer reproduce.
