Let us take a moment to reflect on the organization of the display. A tree view on the left-hand side of the screen has been populated with several nodes -- this is the Index. From the Index you can quickly navigate to any module or memory item in the debuggee (the icons hint at which type each node is). Right now you see nodes for both modules and memory; remember setting the "View modules only in index?" option? That option controls what you initially see here. If you wish, you can now expand any of the nodes and explore what was at first hidden inside the tree view.
When you first opened the main menu after starting the debugger, you might have noticed that most of the menu items were disabled, except those under the File menu. Now the situation is quite different! The File menu has many items disabled; the items under File generally control how you start a debugging session -- the notable exception is the Open UDS item, which will be discussed later. Skipping the Edit menu for the moment, take a look at the selection under View. The list of commands is quite large but can be lumped under one category: controlling the Index. Besides changing the behavior and appearance of the Index or searching it, you can use the commands here to open additional windows in the main display area. To enable and use some of the commands you may first need to select a module node in the Index. A few of the commands, e.g. Disassemble At or Dump At, open a new window at an address in the debuggee that you specify. We will look at the Debug menu items later; the Help item merely presents an About dialog box (no moans, please, at this point about missing online help).
The next area to focus on is the main window display, which now contains four (4) child windows -- yes, PEBrowse Interactive uses a classic MDI interface, which should have been hinted at by the presence of the Window item in the main menu. The main reason for this design choice is that it allows one to open a virtually unlimited number of windows, to size individual windows as needed (the settings are preserved for the next session), and to fill your screen's "real estate" with as much information in the smallest space possible. The Fab Four default child windows are:
- a debug log display containing debug messages such as module loading notifications, output from OutputDebugString calls, breakpoint visit counts, etc.;
- a registers display containing, well, the contents of the general purpose registers (and optionally the debug, floating-point, and segment registers) for the active thread;
- a stack frame display with return addresses and the current EIP for the active thread;
- and a disassembly display showing instructions starting (and potentially reachable) from the current EIP.
What is meant here by the phrase "potentially reachable"? If you left the "Disable analyze mode?" item unchecked in the Disassembly tab sheet of the configuration dialog box, you are requesting what might be termed a recursive traversal from the current EIP: the disassembler follows jumps to their targets but does not descend into called routines. This explains why the display sometimes appears to be "somewhere in the middle" of the NTDLL routine LdrInitializeThunk, with x86 instructions available both above and below the selected item and "gaps" between some instructions. If, on the other hand, the "Disable analyze mode?" box was checked, you will see a linear sweep, i.e. sequential disassembly from the breakpoint address for a configurable number of instructions. This option can be useful on occasion, especially when the recursive traversal consumes large amounts of time and/or memory. More windows might be displayed at the start depending on options you may have set under the "Auto-Open" group in the Environment tab sheet of the configuration dialog box.
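As an added illustration (not PEBrowse code), a toy decoder for a few x86 opcodes contrasts the two modes just described: the recursive traversal follows jumps but never enters called routines, which is why instructions can appear above EIP and gaps open up, while the linear sweep simply decodes a fixed number of consecutive instructions. The byte stream, base address and EIP are constructed for the demonstration.

```python
# Added example, not PEBrowse code: the two disassembly modes described above,
# run over a constructed x86 byte stream. Only a few opcodes are decoded;
# any other byte ends the current path.

def decode(code, base, addr):
    # Returns (mnemonic, length, branch_target, is_call), or None if unknown.
    off = addr - base
    if not 0 <= off < len(code):
        return None
    op = code[off]
    if op in (0x90, 0xC3):
        return ("nop" if op == 0x90 else "ret", 1, None, False)
    if op == 0xB8:                                  # mov eax, imm32
        return ("mov eax, imm32", 5, None, False)
    if op == 0xEB or 0x70 <= op <= 0x7F:            # jmp rel8 / jcc rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return ("jmp short" if op == 0xEB else "jcc short", 2, addr + 2 + rel, False)
    if op == 0xE8:                                  # call rel32
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return ("call", 5, addr + 5 + rel, True)
    return None

def recursive_traversal(code, base, eip):
    # Analyze mode: follow fall-through and jump targets, never descend into calls.
    seen, work = {}, [eip]
    while work:
        addr = work.pop()
        while addr not in seen and (ins := decode(code, base, addr)):
            mnem, length, target, is_call = ins
            seen[addr] = mnem
            if target is not None and not is_call:
                work.append(target)
            if mnem in ("ret", "jmp short"):        # no fall-through past these
                break
            addr += length
    return seen

def linear_sweep(code, base, eip, count):
    # Analysis disabled: decode `count` consecutive instructions from eip.
    out, addr = {}, eip
    while len(out) < count and (ins := decode(code, base, addr)):
        out[addr] = ins[0]
        addr += ins[1]
    return out

# Constructed image at 0x1000: mov, jmp over six padding nops, call, jz back to
# 0x1000, ret, one padding nop, then the callee (mov, ret). EIP sits at the call.
CODE = bytes.fromhex("B801000000" "EB06" "909090909090" "E804000000"
                     "74EC" "C3" "90" "B802000000" "C3")
BASE, EIP = 0x1000, 0x100D
```

Running `recursive_traversal(CODE, BASE, EIP)` lists the two instructions above EIP at 0x1000 and 0x1005, skips the padding gap at 0x1007, and never shows the callee at 0x1016; `linear_sweep(CODE, BASE, EIP, 4)` instead walks straight into the padding byte at 0x1015.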
I have not forgotten the Edit command from the main menu. This item is context-sensitive and changes depending on which child window currently has focus. With the disassembly window activated, try pressing Edit. You should see a rather impressive list of choices, most of which we will not be visiting during this tutorial. Now switch to, for instance, the registers window -- the list has shrunk quite a bit! Almost all of the commands are more quickly reached by pressing the right mouse button. In fact, the popup menus *may* change depending on where you have positioned the mouse cursor. Try this with the disassembly window active: press the right mouse button while the cursor is over the local variables list box at the top, and then again when it is over the disassembly listing.