Native Debugging
Short Description
Windows 2003 SP1 adds support for debugging POSIX applications, … So far so good, but perhaps the nastiest hack is present in the code for DLL loading. …
Website: www.alex-ionescu.com | Filesize: 275kb
Content
Native Debugging
Now it’s time to look at the native side of things, and how the wrapper layer inside ntdll.dll communicates with the kernel. The advantage of having the DbgUi layer is that it gives a cleaner separation between Win32 and the NT kernel, which has always been part of the NT design. NTDLL and NTOSKRNL are built together, so it is normal for them to have intricate knowledge of each other: they share the same structures, they must agree on the same system call IDs, and so on. In a perfect world, the NT kernel should not have to know anything about Win32.
Additionally, it helps anyone who wants to add debugging capabilities to a native application, or to write a fully-featured native-mode debugger. Without DbgUi, one would have to call the Nt*DebugObject APIs manually and, in some cases, do extensive pre- and post-processing around them. DbgUi reduces all this work to a single call and provides a clean interface for it. If the kernel changes internally, the DbgUi interface will probably stay the same; only its implementation would be modified.
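As an added illustration of the calls the paragraph above describes (this is not code from the article or from its author), the following C program attaches to a process by PID and runs a wait/continue loop using only the DbgUi exports of ntdll.dll, without touching the Nt*DebugObject calls directly. The DbgUi prototypes, the DBG_STATE enumeration and the DBGUI_WAIT_STATE_CHANGE layout are assumed from the public native-API definitions, since the SDK headers do not carry them; the function names decide_continue and simulate_event are this example's own, and the non-Windows type shims exist only so that the event-dispatch rule can be compiled and checked without a live Windows target.

```c
/* Minimal native-mode debugger loop on ntdll's DbgUi layer (added example, not
 * code from the article). The DbgUi prototypes and DBGUI_WAIT_STATE_CHANGE are
 * not in the SDK headers, so they are declared here from the public native-API
 * layout and resolved from ntdll at run time. Windows-only except for the
 * event-dispatch helper, which is portable so it can be tested on any host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>            /* NTSTATUS, CLIENT_ID */
#else                            /* type shims so the dispatch logic builds elsewhere */
#define NTAPI
typedef long NTSTATUS; typedef void *HANDLE; typedef uint32_t ULONG; typedef uintptr_t ULONG_PTR;
typedef struct { HANDLE UniqueProcess, UniqueThread; } CLIENT_ID, *PCLIENT_ID;
typedef struct { int64_t QuadPart; } LARGE_INTEGER, *PLARGE_INTEGER;
typedef struct _EXCEPTION_RECORD { ULONG ExceptionCode, ExceptionFlags; struct _EXCEPTION_RECORD *ExceptionRecord;
    void *ExceptionAddress; ULONG NumberParameters; ULONG_PTR ExceptionInformation[15]; } EXCEPTION_RECORD;
#define DBG_CONTINUE              ((NTSTATUS)0x00010002L)
#define DBG_EXCEPTION_NOT_HANDLED ((NTSTATUS)0x80010001L)
#define STATUS_BREAKPOINT         ((NTSTATUS)0x80000003L)
#define STATUS_SINGLE_STEP        ((NTSTATUS)0x80000004L)
#endif

/* The kernel's debug event as delivered by NtWaitForDebugEvent; DbgUiWaitStateChange
   passes it through unchanged (kernel32 later converts it to a Win32 DEBUG_EVENT). */
typedef enum { DbgIdle, DbgReplyPending, DbgCreateThreadStateChange, DbgCreateProcessStateChange,
    DbgExitThreadStateChange, DbgExitProcessStateChange, DbgExceptionStateChange,
    DbgBreakpointStateChange, DbgSingleStepStateChange, DbgLoadDllStateChange,
    DbgUnloadDllStateChange } DBG_STATE;
typedef struct { EXCEPTION_RECORD ExceptionRecord; ULONG FirstChance; } DBGKM_EXCEPTION;
typedef struct { ULONG SubSystemKey; void *StartAddress; } DBGKM_CREATE_THREAD;
typedef struct { HANDLE FileHandle; void *BaseOfImage; ULONG DebugInfoFileOffset, DebugInfoSize;
    DBGKM_CREATE_THREAD InitialThread; } DBGKM_CREATE_PROCESS;
typedef struct { HANDLE HandleToThread; DBGKM_CREATE_THREAD NewThread; } DBGUI_CREATE_THREAD;
typedef struct { HANDLE HandleToProcess, HandleToThread; DBGKM_CREATE_PROCESS NewProcess; } DBGUI_CREATE_PROCESS;
typedef struct { NTSTATUS ExitStatus; } DBGKM_EXIT_THREAD, DBGKM_EXIT_PROCESS;
typedef struct { HANDLE FileHandle; void *BaseOfDll; ULONG DebugInfoFileOffset, DebugInfoSize;
    void *NamePointer; } DBGKM_LOAD_DLL;
typedef struct { void *BaseAddress; } DBGKM_UNLOAD_DLL;
typedef struct {
    DBG_STATE NewState;
    CLIENT_ID AppClientId;
    union { DBGKM_EXCEPTION Exception; DBGUI_CREATE_THREAD CreateThread; DBGUI_CREATE_PROCESS CreateProcessInfo;
            DBGKM_EXIT_THREAD ExitThread; DBGKM_EXIT_PROCESS ExitProcess; DBGKM_LOAD_DLL LoadDll;
            DBGKM_UNLOAD_DLL UnloadDll; } StateInfo;
} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE;

/* Decide how to resume after an event, the way a minimal debugger would: breakpoint
   and single-step traps are ours (DBG_CONTINUE); any other exception is handed back
   to the debuggee (DBG_EXCEPTION_NOT_HANDLED) so its own handlers get the first try.
   Sets *done once the debuggee has exited. (Example helper, not a DbgUi export.) */
NTSTATUS decide_continue(const DBGUI_WAIT_STATE_CHANGE *sc, int *done)
{
    if (done) *done = (sc->NewState == DbgExitProcessStateChange);
    if (sc->NewState != DbgExceptionStateChange)
        return DBG_CONTINUE;     /* create/exit/load/unload/breakpoint/step need no veto */
    ULONG code = sc->StateInfo.Exception.ExceptionRecord.ExceptionCode;
    if (code == (ULONG)STATUS_BREAKPOINT || code == (ULONG)STATUS_SINGLE_STEP)
        return DBG_CONTINUE;     /* defensive: the kernel normally reports these as their own states */
    return DBG_EXCEPTION_NOT_HANDLED;
}

/* Builds a constructed (not captured) state change and runs it through
   decide_continue; used to check the dispatch rule off-target. */
NTSTATUS simulate_event(DBG_STATE state, ULONG exception_code, int *done)
{
    DBGUI_WAIT_STATE_CHANGE sc;
    memset(&sc, 0, sizeof sc);
    sc.NewState = state;
    sc.StateInfo.Exception.ExceptionRecord.ExceptionCode = exception_code;
    sc.StateInfo.Exception.FirstChance = 1;
    return decide_continue(&sc, done);
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *pfnConnect)(void);
typedef NTSTATUS (NTAPI *pfnProc)(HANDLE);                       /* DebugActiveProcess / StopDebugging */
typedef NTSTATUS (NTAPI *pfnWait)(PDBGUI_WAIT_STATE_CHANGE, PLARGE_INTEGER);
typedef NTSTATUS (NTAPI *pfnContinue)(PCLIENT_ID, NTSTATUS);

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    HMODULE nt = GetModuleHandleW(L"ntdll.dll");
    pfnConnect  ConnectToDbg = (pfnConnect) GetProcAddress(nt, "DbgUiConnectToDbg");
    pfnProc     Attach       = (pfnProc)    GetProcAddress(nt, "DbgUiDebugActiveProcess");
    pfnWait     WaitEvent    = (pfnWait)    GetProcAddress(nt, "DbgUiWaitStateChange");
    pfnContinue Continue     = (pfnContinue)GetProcAddress(nt, "DbgUiContinue");
    pfnProc     Detach       = (pfnProc)    GetProcAddress(nt, "DbgUiStopDebugging");
    if (!ConnectToDbg || !Attach || !WaitEvent || !Continue || !Detach) return 1;
    HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)strtoul(argv[1], NULL, 10));
    if (!proc) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
    /* 1. Create this thread's debug object (wraps NtCreateDebugObject; the handle is kept
          in the TEB, which is why the later DbgUi calls take no debug-object parameter). */
    if (ConnectToDbg() < 0) return 1;
    /* 2. Attach it to the target (wraps NtDebugActiveProcess). */
    if (Attach(proc) < 0) { fprintf(stderr, "attach failed\n"); return 1; }
    /* 3. Wait / decide / continue (NtWaitForDebugEvent + NtDebugContinue underneath). */
    for (;;) {
        DBGUI_WAIT_STATE_CHANGE sc; int done;
        if (WaitEvent(&sc, NULL) < 0) break;
        NTSTATUS cont = decide_continue(&sc, &done);
        printf("state=%d tid=%p continue=0x%08lx\n", (int)sc.NewState, sc.AppClientId.UniqueThread, (unsigned long)cont);
        Continue(&sc.AppClientId, cont);
        if (done) break;
    }
    Detach(proc);                /* wraps NtRemoveProcessDebug */
    CloseHandle(proc);
    return 0;
}
#endif
```

Run it as dbgui_loop.exe <pid> against a process the caller may open with PROCESS_ALL_ACCESS; each event prints the NT state code and the thread it came from, and the program detaches when the target exits. Because DbgUiConnectToDbg keeps the debug object handle in the calling thread's TEB, the wait and continue calls must be made from that same thread; a debugger that services events from a worker thread has to call DbgUiSetThreadDebugObject there first.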
We start our exploration with the function responsible for creating and associating a Debug Object with the current Process. Unlike…