
Problem with KD (Kernel debugger) from WinDBG pack.


Neitsa
September 24th, 2004, 06:34
Hello,

I have a problem with KD displaying the whole structure of the TEB. In fact, each time I try to display this struct, KD tells me that it can't find the symbols file... (Note that the _PEB struct works well.)

I've tried many commands but none seems to work. The "!teb" command works well, but "dt _TEB" doesn't work. (I've also tried "dt -v -r ntdll!_TEB" or "dt nt!_TEB".)

Sounds strange since I can display the _NT_TIB struct but not the entire _TEB.

My OS is Win2K with SP4. I've also tried to force the load of ntsdexts.dll, which has the instructions to display the structure. I've set my symbols path to the symbols package, I've even tried to set my symbols path to the MS web server, and I've even downloaded the whole symbols for my OS; it won't work....

So what am I doing wrong? Do you have any clue?

Thank you very much.

Regards, Neitsa.

Kayaker
September 24th, 2004, 16:56
Hi Neitsa,

Are you sure the TEB structure is fully recognized on Win2K? I thought that's what was determined in the thread you started, on why !teb doesn't recognize all the fields, and the circus of chaos and confusion it caused...

On XP as Bilbo showed, dt _TEB works fine, but on Win2K I only found

0: kd> .load kdex2x86
0: kd> !strct teb
Structure is not in database.

http://woodmann.net/forum/showthread.php?t=6258&highlight=teb


I was under the possibly mistaken assumption that the 'dt' command was for XP only; do you get valid results on 2K SP4? I get the same error as is discussed in the Anticrack thread on the same topic, about having invalid pdb symbol files even with Windbg connected to the MS symbol server.

Cheers,
Kayaker

Neitsa
September 24th, 2004, 19:05
Hello,

Thank you very much for your answer, Kayaker.

This afternoon I disassembled "ntsdexts.dll" in the win2kfree directory. This DLL holds the !TEB struct. What I've seen is that the DLL doesn't have the whole struct.... (I also disassembled kdex2x86.dll, and there are no TEB fields there.)

So you're right, Kayaker, the whole _TEB struct isn't in win2k! (damn, it's a shame!!!)

Quote:

I was under the possibly mistaken assumption that the 'dt' command was for XP only, you get valid results on 2Ksp4?


"dt _PEB" works well on 2k, but as explained before, not for the TEB...

So definitely, the whole TEB is missing for 2k (note that _NT_TIB is there). I wonder why MS doesn't put this struct in KD for Win2k?!

Since I can have access to a Win XP, I think I'll dump the TEB on XP for a program that I've coded, do the same thing on win2k, and just compare the results... It will be long and maybe impossible to recover the meaning of all fields if there are too many differences, but I think it's worth the try...

Thanks for your reply Kayaker.

Regards, Neitsa.
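For the comparison Neitsa plans above (a TEB dump taken on XP against one taken on Win2K), here is an added example that is not from the thread: it parses two 'dd'-style dumps, assumed to be 32-bit, reports which DWORDs differ, and labels the offsets that belong to the _NT_TIB header, which both systems do expose. The two dumps are constructed sample data, not real captures.

```python
# Added example: diff two 32-bit TEB dumps DWORD by DWORD and name the
# _NT_TIB header fields so the known part can be told apart from the rest.

# Offsets of the 32-bit _NT_TIB header at the start of the TEB.
NT_TIB_FIELDS = {
    0x00: "ExceptionList",
    0x04: "StackBase",
    0x08: "StackLimit",
    0x0C: "SubSystemTib",
    0x10: "FiberData/Version",
    0x14: "ArbitraryUserPointer",
    0x18: "Self",
}

# Constructed sample dumps in 'dd' layout: address, then four DWORDs per line.
DUMP_2K = """
7ffde000  0012ff78 00130000 0012c000 00000000
7ffde010  00001e00 00000000 7ffde000 00000000
"""
DUMP_XP = """
7ffde000  0012ff78 00130000 0012d000 00000000
7ffde010  00001e00 00000000 7ffde000 7ffdf000
"""

def parse_dump(text):
    """Turn 'dd'-style lines into a flat list of DWORD values (skips the address)."""
    words = []
    for line in text.strip().splitlines():
        parts = line.split()
        words.extend(int(w, 16) for w in parts[1:])
    return words

def diff_teb(dump_a, dump_b):
    """Return [(offset, field_name, value_a, value_b)] for every DWORD that differs.
    Offsets outside the _NT_TIB header are labelled 'unknown' because the
    remaining TEB layout is what has to be worked out by comparison."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    diffs = []
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            off = i * 4
            diffs.append((off, NT_TIB_FIELDS.get(off, "unknown"), a[i], b[i]))
    return diffs

if __name__ == "__main__":
    for off, name, va, vb in diff_teb(DUMP_2K, DUMP_XP):
        print(f"+0x{off:03x} {name:<22} 2k={va:08x} xp={vb:08x}")
```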