I am trying to debug an executable that does not work properly (it does not get a segmentation fault, it just doesn't do what it should do) using WinDbg. I would like to see a call stack with all the functions that are called while running the executable. Is this possible in WinDbg or any other debugger?
- what is *all the functions that are called*? – RbMm Nov 03 '20 at 17:07
- all the functions that the program goes through – IGP Nov 03 '20 at 17:15
- what is function on binary level? in exe only? windbg does not do this. and even if some tool does, what does this give you? if you know some function which you think has a problem, set a bp here – RbMm Nov 03 '20 at 17:18
- It is an executable (.exe) that calls a function in a library, and this function calls other functions in the library (exported functions). I want to know if windbg can find out what functions are then called by the called function in the executable. – IGP Nov 03 '20 at 17:31
- no. and this is useless info anyway. there exist thousands of functions, and so what? how many times was every function called, with which parameters? in which order? return values, etc. – RbMm Nov 03 '20 at 18:38
- You can take a look at `wt` to start tracing your calls. Note that you'll only get function names when symbols can be resolved, otherwise you'll just get addresses. You can look at `tc` to dump a specific number of calls. It's not an entirely useless exercise. I have used it in the past to [trace a parameter passed to msg.exe](https://stackoverflow.com/a/40461255/52598) – Lieven Keersmaekers Nov 03 '20 at 19:00
- Set a breakpoint on the return address and use wt, or watch and trace; it can give you a very detailed call flow summary – blabb Nov 04 '20 at 06:39
- Even if RbMm may be right in the end, I guess there is a time when every developer wants to do this - and I think it's legitimate. Use `wt` as Lieven says. But - maybe do yourself a favor and try it with a simple app like calc.exe first. If you start doing this right from the initial breakpoint, you'll note it takes ~20 minutes to start up, instead of milliseconds – Thomas Weller Nov 05 '20 at 08:13
1 Answer
Yes, as I commented, use `wt` (watch and trace).

Read the docs.

It can be configured in several ways, like:

- only first level calls
- up to nth level calls only
- only in specific modules
- only in main module, etc.

Below is a simple trace of a function in ntdll that crosses the um-km boundary:
```
0:000> u . l1
ntdll!LdrpInitializeProcess+0x11bf:
76ff6113 e870fffdff call ntdll!NtQueryInformationProcess (76fd6088)
0:000> bp .+5 //set a bp on return address
0:000> bl
0 e 76ff6118 0001 (0001) 0:**** ntdll!LdrpInitializeProcess+0x11c4
0:000> wt
2 0 [ 0] ntdll!NtQueryInformationProcess
27 0 [ 0] aswhook
1 0 [ 1] aswhook
28 1 [ 0] aswhook
1 0 [ 1] 0x6efc0480
1 0 [ 1] 0x6efc0485
2 0 [ 1] ntdll!NtQueryInformationProcess
2 0 [ 2] ntdll!KiFastSystemCall
1 0 [ 1] ntdll!NtQueryInformationProcess
46 8 [ 0] aswhook
3 0 [ 1] aswhook
Breakpoint 0 hit
eax=00000000 ebx=7ffdf000 ecx=e8cb8789 edx=ffffffff esi=ffffffff edi=00000000
eip=76ff6118 esp=0018f59c ebp=0018f6f4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0x11c4:
76ff6118 85c0 test eax,eax
0:000>
```

blabb
- The only WT I can find are (1) Windows Terminal and (2) a library. Where is it? – Doug Royer Apr 13 '22 at 21:39
- wt is a command in windbg / cdb, the official Windows debugger by Microsoft. The link in the answer is still correct; click it to read the documents, as answered – blabb Apr 14 '22 at 00:47
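
Added example, not part of the original thread or written by the answer's author: a Python script that reads a saved `wt` log in the row format shown in the answer and reduces it to caller/callee pairs, which is the "what does the called function call" view the question asks for. The function name `call_flow` and the way depth changes are interpreted are assumptions of this example.

```python
import re
from collections import Counter

# wt row: instructions, child instructions, [depth], symbol or raw address
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+\[\s*(\d+)\]\s+(\S.*?)\s*$")

# Trace rows copied from the answer above (whitespace as it appears there).
TRACE = """\
2 0 [ 0] ntdll!NtQueryInformationProcess
27 0 [ 0] aswhook
1 0 [ 1] aswhook
28 1 [ 0] aswhook
1 0 [ 1] 0x6efc0480
1 0 [ 1] 0x6efc0485
2 0 [ 1] ntdll!NtQueryInformationProcess
2 0 [ 2] ntdll!KiFastSystemCall
1 0 [ 1] ntdll!NtQueryInformationProcess
46 8 [ 0] aswhook
3 0 [ 1] aswhook
Breakpoint 0 hit
"""

def call_flow(text):
    """Return (calls, transfers): Counters keyed by (from_symbol, to_symbol).

    Assumed reading: a row one level deeper than the previous row is a call;
    a new symbol at the same depth is a transfer without a call (jump, hook
    trampoline, or unsymbolized code that wt reports per address).
    """
    calls, transfers = Counter(), Counter()
    frames, prev = {}, None   # depth -> symbol, depth of previous row
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:             # "Breakpoint 0 hit", register dumps, prompts
            continue
        depth, sym = int(m.group(3)), m.group(4)
        if prev is not None and depth == prev + 1:
            calls[(frames[prev], sym)] += 1
        elif depth == prev and frames[depth] != sym:
            transfers[(frames[depth], sym)] += 1
        frames[depth], prev = sym, depth
    return calls, transfers

if __name__ == "__main__":
    for kind, edges in zip(("call", "transfer"), call_flow(TRACE)):
        for (src, dst), n in edges.items():
            print(f"{kind:8} {src} -> {dst}  x{n}")
```

On the trace from the answer, the transfer list shows `ntdll!NtQueryInformationProcess` handing control to `aswhook` at depth 0 before the real system call stub runs at depth 1.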