
TRW2000 for Windows 9x

TRW2000 is an advanced system-level debugger which runs under Windows 9x. What does "system-level" mean? It means that TRW2000 sits between the Operating System and your computer's hardware. Because of this, TRW2000 can debug and trace any code that is running under Windows (DOS .COM programs, DOS .EXEs, DOS protected mode programs, old 16-bit "NE" executables, new 32-bit "PE" executables, and even executables that run at Ring 0: the Windows kernel, device drivers, VxDs, etc.), including other system-level debuggers!!!

TRW is constantly being improved and updated, so please visit our website http://www.knlsoft.com to get the latest version of TRW, as well as updated information.
Author:
Liutaotao, P.R.China

Zhunanhao, P.R.China
I am very thankful to the people who helped me, yaodong, zoutao, Herz buren... Especially, I thank my friend Zhangyl; he taught me a lot of background knowledge about GDI and Display, so the graphics driver could be made. And I very much miss the days playing the Quake2 game with Zhangyl and lee and adrain...


If you're having any problems using TRW2000, please report them to us. When you report a problem, please include:

  • The TRW2000 version
  • What you were doing when the problem occurred (if you ran a command in the debug window, tell us which command caused the problem)
  • The details of the problem
  • Your display adapter type, your Windows version, etc...

What's New
1999.12.25 First release version (1.00)
2000.01.19 Version 1.05


Usage

  1. When you download TRW2000, it comes packaged as a .ZIP file. Create a directory (ex. "\Program Files\TRW2000") and unzip the files in the package to that directory. For convenience, you might want to make a shortcut to TRW2000.EXE on either the START menu, the Quick Launch Bar (Win98), or on your desktop. You then simply run TRW2000.EXE. There is no additional installation required and there is no need to restart your computer when you want to use TRW2000.
  2. If your mouse is an Intellimouse, please be sure to put the line "INTELLIMOUSE=ON" in your TRW2000.INI file (found in the same directory as TRW2000.EXE).
  3. If you find your mouse isn't working or works erratically, you could try putting the line "WINMOUSE=ON" in TRW2000.INI, but this is not recommended because it may cause TRW2000 to become unstable.
  4. If you want to use the internal graphics driver (which causes TRW2000's output to appear as a window on your desktop), add the line "GRAPHICS=ON" to your TRW2000.INI file. Without that line, or with "GRAPHICS=OFF" instead, TRW2000 will open on its own screen. (Note: The default TRW2000.INI file has GRAPHICS set to ON.)
  5. Put the line "HOTKEY=XXXX" (where XXXX = a scan code) in the INI file to change the default Ring-0 hotkey (Ctrl-M) to a different key (ex. HOTKEY=2004 changes the hotkey to Ctrl-D).
  6. Put the line "R3HOTKEY=XXXX" (where XXXX = a scan code) in the INI file to change the default Ring-3 hotkey (Ctrl-N) to a different key (ex. R3HOTKEY=250B changes the hotkey to Ctrl-K).

Introduction

  • TRW2000 is more powerful than SoftICE!
  • Designed based on an open-system... future versions will have support for plug-ins.
  • Dynamically loadable, dynamically unloadable! Run it when you need it. No need to reboot!
  • Automatically displays all 32-bit and 16-bit export function names.
  • Supports all video adaptors.
  • Write out files instantly!
  • New commands: PDLL32, PNEWSEC, TRNEWTCB, TRNEWDOS, PMODULE, SUSPEND

Some Tests

Test 1: Debug a DOS Protected Mode App Using Conditional Commands

  1. Run TRW2000.
  2. Open a DOS window under Win9x.
  3. Select 'trnewdos' from TRW2000's menu.
  4. Run PMODE.EXE at the DOS command prompt.
  5. Switch back to TRW2000, and you will find you are at the beginning of the DOS program.
  6. Now you have 2 choices:

      Do the following in TRW2000:

    1. g 342
    2. t
    3. g 342
    4. Press <F8> a few times and you'll see the program enter 16-bit protected mode!
    5. g 4dd
    6. Press <F8> a few more times, and now you'll see the program enter 32-bit protected mode!

      Or, use TRW2000's powerful conditional commands:

    1. g if cs<100 ;this will run to PM16!
    2. g if cs!=cs ;this will try to run to PM32
    3. g if cs!=cs ;do this again, and we are in PM32

Test 2: The "pmodule" command.

  1. Run the program NOTEPAD.EXE
  2. From the menu, select "Help" and then "About Notepad"
  3. When the "About" dialog displays, run TRW2000.
  4. Press the Ring-3 hotkey (Ctrl-N) to activate TRW2000.
  5. We now have 2 choices:

      Using the "hwnd" list:

    1. From the hwnd list (use the command "hwnd"), find the window handle marked '(Dialog)'.
    2. Set a message breakpoint on the window to catch when it is destroyed ("bpmsg <the_hwnd> wm_destroy")
    3. Type the command "bl" to see our breakpoint list.
    4. Type "g" to continue execution.
    5. In NOTEPAD, press "OK". This will re-activate TRW2000 at the point where the dialog received the WM_DESTROY message.
    6. Press F12 ("pret") several times, and we will finally find the point where this dialog box was called:

      shell32.dll:   call [DialogBoxParamA]
      notepad.exe:   call [ShellAboutA]

      Or, using the powerful "pmodule" command:

    1. Give TRW the "pmodule" command and it will skip ahead until we're back in the notepad.exe module, right after the

      notepad.exe:   call [ShellAboutA]


Test 3: The Ring 3 hotkey (Ctrl-N) and the command "SUSPEND"

  1. Run TRW2000.
  2. Run NOTEPAD.EXE.
  3. Press the Ring 3 hotkey (Ctrl-N) to activate TRW2000.
  4. Give TRW2000 the command "PMODULE" (run until finding a RET to module code).
  5. When TRW returns, we break in NOTEPAD.EXE's address context!
  6. Give TRW the command 'SUSPEND' and we'll return back to Windows, where you'll find that NOTEPAD is suspended!!!
  7. Now, you can do anything in Windows you need to do (read .doc files, run another program, etc...) except something that would cause NOTEPAD.EXE to close.
  8. Press Ctrl-N again, and you'll return to debugging NOTEPAD, right where you left off.

Test4: Catch a new thread

  1. Select 'trnewtcb' in TRW2000's menu.
  2. Now, you can run any 32-bit or 16-bit app and TRW2000 will catch the new thread at the first opcode.

Test 5: Finding out how a program operates.

Let's say I'm writing a new program. When I right click on my program's icon in the system tray, I want it to show a popup menu (like TRW2000 does), but I'm not sure how to do it.

So I run TRW2000, right click on a user icon in system tray, and when its popup menu displays, I hit Ctrl-N to activate TRW. I then give TRW the command "pmodule" (which tells TRW to step through the program until it encounters a RET to module code). Then, I use the TRW command "X" to return to Windows from TRW. Next, I just click anywhere to make the user popup menu close. TRW2000 pops back up and tells me that it just returned from the system call "TrackPopupMenu".


Hotkeys

1. Ctrl-M

This is TRW2000's Ring-0 hotkey. It will break Win95 immediately, wherever it is currently executing code. More often than not, it will drop you into the middle of kernel routines.
Note: This is the same as Soft-ICE's hotkey Ctrl-D.

2. Ctrl-N

This is TRW2000's Ring-3 hotkey.

Most of the time, we needn't break at Ring-0 because we're not interested in stopping code execution in the middle of a routine (i.e. the Windows kernel) running at Ring-0. <Ctrl-N> will break the foreground task (usually the active window) in Ring-3. This is most often the point that we really need.

If Ctrl-N is pressed while you're in a Win95 DOS window, TRW will break the current running DOS or DPMI program.

If Ctrl-N is pressed in full-screen DOS, nothing will happen.
If you press Ctrl-N and nothing happens, try pressing any key or moving the mouse to see if anything happens.

See also:

Command HotKey


The Code Window

In the code window,

  • Press <F9> to set a breakpoint at the current opcode. This is the same as

BPX cs:eip

  • Press <F7> to run to the current opcode. This is the same as

GOX cs:eip


Commands

Command list (the reference below describes most of them in detail):

.  ?  A  ADD  ADDR  ADDW  BC  BD  BE  BL  BP  BPE  BPINT3  BPIO  BPM  BPMSG  BPMX  BPX
CLEARDR  CMT  CODE  D  E  EC  EXP  EXP16  EXP32  FKEY  FILE  FONT  G  GDT  H  HEAP  HBOOT
HELP  HotKey  HWND  IDT  LDT  LINES  MakePE  MOD16  MOD32  NAME  P  PAGE  PageIn  PDLL32
PEDump  PHYS  PMODULE  PNEWSEC  PRET  PROC  R  RS  S  SRC  SRCLINES  SS  Suspend  SYM
T  TABLE  task  thread  TRNEWDOS  TRNEWTCB  TRTCB  U  VCALL  VER  VM  VXD  VXDSYM
W  WC  WD  WMSG  WR  WS  X

? This is the expression evaluation command. Try your expression in decimal first. If that fails, try it in hex.
 ? 123+34
 ? 4d2h+9
 ? esi/4
A [address]
 Assemble code
ADDW [pos] L|R|T|B REG|DATA|DASM
 Add a reg/data/disassembler window in the current CPU window.
 Position is of the form Left|Right|Top|Bottom
 ex:
 ADDW 2 L DATA
 ADDW 2 2 T REG
 ADDW R DASM
BPINT3 address
 Set a break point by inserting an int 3 into user code.
BPIO port
 Set a debug register breakpoint on port I/O.
 See also: BreakPoint Overview
BMSG hwnd [msg]
BPMSG hwnd [msg]
 Set a breakpoint on a window message.
 See also: WMSG, BreakPoint Overview
 Ex:
 BMSG 12c wm_destroy
BPM address R
BPM address W
BPM address X
 Sets a hardware breakpoint with DRx.
 See also: BreakPoint Overview
BPMX address
 Sets an executive breakpoint with DRx.
 This is the same as 'BPM address X'
BP [[seg:]address]
BPX [[seg:]address]
 Set a breakpoint on execute.
 TRW will try a debug register first. If that fails, it will insert an int3 (0xCC) into the user code.
 See also: BreakPoint Overview, BPMX, BPINT3
D [address]
D range >filename
 Perform a memory dump to the data window, or save a memory dump to file.
 d 401000
 d cs:402000
 d 401000,402000 >myfile
 d 401000 L 100 >myfile
E [address [pattern]]
 Edit memory
 E ds:edi 'nothing',0
EXP !
Exp module-name!
Exp partial_export_name
 Display all matching exported API calls.
 Searches all of the exported API function names in all referenced modules.
 EXP !
 Exp kernel32!
 Exp *
 Exp Get*
 Exp *window*
FILE [source-filename]
 Select/Display source file
FKEY [function-key strings]
 Display/Set Function keys
 ex:
 FKEY
 FKEY f10 "d 2;U 3;"
G
 Run.
 G address ;run to address, same as 'gox address'
 G if conditions ;run with conditions
H [command]
HELP [command]
 Display help for all commands, or the referenced command in detail.
HOTKEY
 Display the current hot keys, and let you press a new key to display its code.
 See also: Hot Keys
HWND [HWND]
 Display window handle information.
PageIn <address>
 Load a not-present page into memory.
 PageIn cs:401000
LINES [25 | 43 | 50 | 60]
 Set/Display screen lines
 ex: lines 43
 See also:
 Ini file
MOD16 [hmod|mod_name]
 Display 16bit module list,
 or display detail info for specified module.
 Usage:
 MOD16
 MOD16 1cf
 MOD16 KERNEL
 MOD16 . ;for current module
MOD32 [hmod|mod_name]
 Display 32bit module list,
 or display detail info for specified module.
 Usage:
 MOD32
 MOD32 1cf
 MOD32 KERNEL32
 MOD32 . ;for current module
MAKEPE
 Make a copy of a PE program 'newpe.exe' from memory.
 Always 'del newpe.exe' before 'MAKEPE', or TRW2000 will append to it!
 The current EIP will be the new entrypoint.
 The file is created in the current directory.
 The file's import table is already rebuilt.
PDLL32
 Run until 32bit DLL entrypoint.
 Usage:
 PDLL32 mydll32.dll
PEDUMP
 Dump the PE image memory directly to the file 'DUMP1.EXE'.
 You can use G_Rom's MakePE to rebuild a valid PE.
BP if condition
 Set a breakpoint on a condition
 bp if (eax>=3456787)
 bp if (dx<543)
 bp if (ch==23)
 go if (ah!=34)
PNEWSEC
 Go until entering a new section in PE image
PMODULE
 'pret' until CS:EIP is in the module.
PRET
 Run until RET,RETF,IRET.
 shortcut key: F12
RS
 View User Screen. (F4).
S
 Search in memory
 S 0 L -1 'window'
 S 100,200 'bug12',34
SRC
 Toggle the source mode; it can be Source|Mixed|Code.
SUSPEND
 Suspend the current thread, and leave TRW2000. Press a hotkey to come back.
SYM
 List all debug symbols
TABLE [table name]
 Select/Display a symbol table
TASK
 Display a task list
THREAD
 Display available thread information
 Usage:
 THREAD [TCB]
 THREAD . ;for current thread
TRNEWDOS
 Catch next DOS program.
TRNEWTCB
 Catch next new thread at the first opcode.
 Supports 32-bit and 16-bit apps.
 Note: Do not run a Windows app from a DOS command prompt, or TRW2000 will catch START.EXE.
TRTCB <thread_handle>
 Trace an existing thread
U [address]
U range >filename
 Disassemble in Code Window, or save disassembly output to a file.
 u 401000
 u cs:402000
 u 401000,402000 >myfile
 u 401000 L 100 >myfile
VCALL
 Usage:
 Vcall *             ;display all VxD calls
 Vcall num           ;if num<10000h, display all calls of VxD id num
                     ;if num>10000h, display the VxD call
 Vcall partial-name
 Ex:
 Vcall 0d
 Vcall 100001
 Vcall *sys*
W range filename
 Write memory to file
 w ds:401000,402000 myfile
 w 401000 L 100 c:\myfile.bin
WC [codewindow_lines]
 Set the length, in lines, of the code window. No parameter will turn it on/off.
 ex:
 wc 25
 wc
WD [datawindow_lines]
 Set the length, in lines, of the data window. No parameter will turn it on/off.
 ex:
 wd 25
 wd
WMSG - Display windows messages
 usage:
 WMSG [partial-name] [WMSG-number]
 Ex:
 WMSG 12
 WMSG wm_destroy

BreakPoint Overview

For almost all breakpoints, the setting command takes the format:

BP?? <parameters> [IF (conditions)] [DO "statement"]

and the first two characters 'BP' can be replaced with 'GO':

GO?? <parameters> [IF (conditions)] [DO "statement"]

to set a single instance breakpoint. TRW2000 will set the breakpoint, go, and clear it after the break.

conditions:

Conditions must be enclosed in (). The comparison operator in a condition can be one of

>,<,==,>=,<=,!=

Do statement:

The <statement> can be any valid TRW2000 command. It must be enclosed in quotation marks.

Ex:

BPX cs:401000 if (eax>200) do "d eax"
GOX 401000 if (cs!=28) do "d ss:esp"
G if (eip<1000)
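As an added example, not code from TRW2000 itself, the following Python parser implements the BP?? / GO?? grammar described above, including the overview's rules that conditions must be enclosed in () and the DO statement in quotation marks; the function and field names are my own.

```python
import re

# Grammar from the BreakPoint Overview above:
#   BP?? <parameters> [IF (conditions)] [DO "statement"]
# A GO?? prefix makes the breakpoint one-shot; plain G takes the same IF clause.
CONDITION_OPS = (">=", "<=", "==", "!=", ">", "<")    # two-character operators first
_DO_RE = re.compile(r'\s+do\s+"([^"]*)"\s*$', re.IGNORECASE)
_IF_RE = re.compile(r'\s*\bif\s*\(([^()]*)\)\s*$', re.IGNORECASE)

def parse_condition(cond):
    """Split 'eax>200' into ('eax', '>', '200'); anything else is rejected."""
    for op in CONDITION_OPS:
        lhs, sep, rhs = cond.partition(op)
        if sep and lhs.strip() and rhs.strip():
            return (lhs.strip(), op, rhs.strip())
    raise ValueError("condition must be <expr> OP <expr> with OP in %s" % (CONDITION_OPS,))

def parse_breakpoint(cmdline):
    """Parse one breakpoint command into its command, parameters, IF and DO parts."""
    text = cmdline.strip()
    stmt = None
    m = _DO_RE.search(text)            # the DO clause is always last, so peel it off first
    if m:
        stmt, text = m.group(1), text[:m.start()]
    cond = None
    m = _IF_RE.search(text)
    if m:
        cond, text = parse_condition(m.group(1)), text[:m.start()]
    # If IF or DO is still in the text, the parentheses or quotation marks were missing.
    if re.search(r"\bif\b", text, re.IGNORECASE):
        raise ValueError("conditions must be enclosed in ()")
    if re.search(r"\bdo\b", text, re.IGNORECASE):
        raise ValueError("the DO statement must be enclosed in quotation marks")
    parts = text.split(None, 1)
    if not parts:
        raise ValueError("empty command")
    command = parts[0].upper()
    return {"command": command,
            "one_shot": command.startswith("GO"),   # set, run, clear after the break
            "params": parts[1].strip() if len(parts) > 1 else "",
            "condition": cond,
            "do": stmt}

def is_valid_breakpoint(cmdline):
    """True when the line follows the overview's syntax, False otherwise."""
    try:
        parse_breakpoint(cmdline)
        return True
    except ValueError:
        return False
```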


Ini File

Put the file trw2000.ini in the same directory as TRW2000.EXE.

This is a sample:

; TRW2000 Initialize file

; Please modify it to suit your habits.

;PLUGS=C:\MY_PLUGS\HELLO.SYS

F1=^HELP ; Command length CAN'T be longer than 15 characters !
 ; This command length is 5 characters .
F3=^SRC
F4=^RS
F5=^X
F6=^EC
F7=^HERE
F8=^T
F9=^BPX
F10=^P
F12=^PRET

;HOTKEY=320D ;Ctrl+M
;R3HOTKEY=310E ;Ctrl-N

GRAPHICS=ON
;INTELLIMOUSE=OFF
WINMOUSE=ON

LINES=50 ;in dec
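As an added example (not part of TRW2000 or this help file), the following Python parses a TRW2000.INI of the form shown above and checks the limits this file states: the 15-character F-key command limit, the LINES values, the WINMOUSE caveat from the Usage section, and the HOTKEY/R3HOTKEY values from Usage steps 5 and 6. The scan-code table and the byte layout of the hotkey value (scan code in the high byte, control character in the low byte) are my inferences from the page's four examples, not something the help file states.

```python
# Set-1 keyboard scan codes for the letter rows (an assumption: the page never lists them).
SCAN_CODE = {ch: base + i for base, row in ((0x10, "QWERTYUIOP"), (0x1E, "ASDFGHJKL"),
                                            (0x2C, "ZXCVBNM")) for i, ch in enumerate(row)}
VALID_LINES = (25, 43, 50, 60)   # the values the LINES command accepts
MAX_FKEY_LEN = 15                # from the comment on the F1= line of the sample INI
SAMPLE_INI = """; constructed: a cut-down copy of the page's sample TRW2000.INI
F1=^HELP ; Command length CAN'T be longer than 15 characters !
;HOTKEY=320D ;Ctrl+M
WINMOUSE=ON
LINES=50 ;in dec
"""

def hotkey_value(letter):
    """Ctrl-<letter> -> the XXXX for HOTKEY=/R3HOTKEY=. Byte layout inferred from the
    page's examples (2004 = Ctrl-D, 320D = Ctrl-M): scan code, then the control char."""
    letter = letter.upper()
    return "%02X%02X" % (SCAN_CODE[letter], ord(letter) - 0x40)

def hotkey_name(value):
    """Reverse of hotkey_value; rejects values whose two bytes name different keys."""
    code = int(value, 16)
    letter = chr((code & 0xFF) + 0x40)
    if SCAN_CODE.get(letter) != code >> 8:
        raise ValueError("scan code and control character disagree in " + value)
    return "Ctrl-" + letter

def parse_trw_ini(text):
    """KEY=VALUE per line; ';' starts a comment, whole-line or trailing; keys uppercased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().upper()] = value.strip()
    return settings

def check_trw_ini(settings):
    """Problems to flag before loading TRW2000; the limits come from this help file."""
    problems = []
    for key, value in settings.items():
        if key[:1] == "F" and key[1:].isdigit() and len(value) > MAX_FKEY_LEN:
            problems.append("%s: command longer than %d characters" % (key, MAX_FKEY_LEN))
        elif key in ("HOTKEY", "R3HOTKEY"):
            try:
                hotkey_name(value)
            except ValueError as exc:
                problems.append("%s: %s" % (key, exc))
        elif key == "LINES" and (not value.isdigit() or int(value) not in VALID_LINES):
            problems.append("LINES must be one of %s, in decimal" % (VALID_LINES,))
    if settings.get("WINMOUSE", "").upper() == "ON":
        problems.append("WINMOUSE=ON is not recommended: it may make TRW2000 unstable")
    return problems
```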

Debug Symbols

TRW2000 will automatically load any *.SYM file that it finds in its directory. You can also load a new .SYM file with the 'LOAD' button on the TRW main window. If the .SYM file contains line number information, TRW2000 will try to load the source files. Use Microsoft MAPSYM 6.0 to make .SYM files.

TRW2000 supports COFF debug information in PE files.

See also:

commands TABLE,FILE,SRC,SYM


MailList

Mail to trw2000-subscribe@egroups.com to join our maillist.


Register

Please visit http://www.knlsoft.com to see how to register.

