PEBrowse Professional/PEBrowse Interactive FAQ Sheet

An effort will be made to keep the contents of this document as accurate and up-to-date as possible. If this is not good enough for you, see FAQ #1.

Russell Osterlund - 11/29/2003

FAQ #1: Why is there no help file or FAQ sheet?

Documentation is too much work and under-appreciated. This file is an attempt to address this question. It explains how to perform tasks with the programs and points out some of the tricks that are possible. It does not explain or describe the contents of a Portable Executable file or how to work with a debugger. There are many good references out there that provide reasonable answers to these questions. If this answer is not good enough for you and working with my utilities is confusing, then maybe you should go elsewhere.

FAQ #2: Why are there so many updates and version changes?

I use my own tools for my work. While using them, I think of or discover new ideas for features and try to add them to the programs. I also try to fix bugs as soon as they are uncovered. I make every effort to maintain backward compatibility (except with major version changes). If you do not like to use tools that "constantly change", then try to restrain your impulse to have "the latest and greatest" and wait longer between downloads. On the other hand, if you like to be "at the cutting edge", then join me for the ride!

FAQ #3: Is the source code available? Why is the source code not "open source"?

The total line count of my source code is well over one hundred thousand lines. These tools and others that you find on my website share a tremendous amount of code. If I give away the source, then I might as well give away over six years of hard work. Now, this is not to say that if someone were to offer me a sufficiently large pile of money, I would never give away the fruits of my labors. But the tools are free -- if this is not good enough for you, then "shop" elsewhere.
FAQ #4: My specific question has not been answered in this document. Where can I find further information?

You can always email me your questions. If they are sufficiently intelligent, I will respond (and maybe add the question to this FAQ file).

FAQ #5: I do not like the settings that are the default installation values. Where do I change them?

Look under the main menu option "Tools/Configure...". You will find that there are a large number of options available to you for customizing the tools according to your personal preferences. Some of these changes take effect immediately; others will only show up the next time you use the program. Also, each window has its own set of settings that can be changed by accessing the main menu option "Edit". Altering values here, though, does not "persist" for the next time you open a window or use the tool. I encourage you to experiment.

FAQ #6: I have loaded a file or started a debugging session. Now what do I do?

Read FAQ #1 and #4. You will notice that the index (the treeview on the left-hand side of the display) displays a number of branches; some of these branches or nodes contain sub-branches. Display options will vary according to the nature of the selected node. Look under the main menu item "View". (Also, the bitmaps on the tool bar will become enabled or disabled as you select different nodes.) By clicking the right button of your mouse, you will also display a context-sensitive menu of options. Again, I encourage you to experiment.

FAQ #7: I am not sure where to look for a certain command. How are the menu options organized?

In general, the View menu option will contain commands that act on the treeview/index. Some of these actions will force the index to be recreated or redrawn. If you are displaying a particular type of window, e.g., a disassembly window, then look for an option under the Edit item -- the choices will change depending upon which window has focus.
There may also be a context-sensitive menu available by clicking the right button of your mouse. Most of the useful commands can also be accessed here. The choices may also change depending upon which control has focus. For example, the disassembly window contains two (or three) sub-windows -- one displays the disassembly listing, the second, local variables. (The third window displays a "stack" of addresses as you drill down into the code by opening up new subroutines.) I have attempted to make the placement of commands as intuitive as I can, but then "beauty is in the eye of the beholder" and you may find my choices confusing. Send an email and try to convince me.

FAQ #8: Why don't I see symbols in the display? How do I display as much information as I can for a particular executable?

The tools have been designed to degrade as gracefully as possible. If you do not have access to symbol files (generally, files with an extension of PDB or DBG), then you will see only general symbols, i.e., those that can be discovered because they are publicly exported. If you do have the symbol files (and have a connection to the Internet), look under "Tools/Configure" and find the "Debug Symbols" tabsheet for PEBrowse Professional or the "Environment" tabsheet for PEBrowse Interactive. Select the "Default" radio-button in the "Debug Symbols Location" group to enable symbol server support; the other options allow you to customize the placement of your debug symbols. If you have source code, then that will be displayed as well.

FAQ #9: What are session files? Why do the remarks/comments that I have added to a disassembly disappear?

PEBrowse Professional will create session files (with the extension PBS); PEBrowse Interactive will save files with the extension PBI. Session files allow information to persist between separate program launches.
Your open windows will be remembered; comments that you have added to a disassembly will be saved (this feature is available only with PEBrowse Professional); breakpoints will be applied the next time you debug the same executable. In short, I make a reasonable effort to allow you to stop work and then pick it up at a later time at the same point where you left it.

FAQ #10: Why are there two utilities, PEBrowse Professional and PEBrowse Interactive?

PEBrowse Interactive is a debugger -- this is the source of the "Interactive" moniker. PEBrowse Professional is a static executable analyzer. For example, you can examine device drivers and/or system files with it. This means that you do not need to "debug" a program in order to learn more about it. You can use the static analyzer to "scope out" the territory before attempting to progress further with the debugger and your explorations. Note: the debugger is a user-mode debugger, i.e., it does not support kernel-mode debugging.

FAQ #11: What do I need to do in order to use PEBrowse Interactive to debug my ASP.NET page(s)?

There are 4 tasks you need to perform in order to start debugging ASP.NET pages with PEBrowse Interactive and 4 additional tasks when you wish to stop debugging.

In order to start debugging:

1) Add the Microsoft.NET directory to your path, e.g.,
   PATH=%PATH%;%SystemRoot%\Microsoft.NET\v1.1.4322;%SystemRoot%\Microsoft.NET\v1.1.3705
   This will require you to reboot your system if it is not already present. (InetInfo.exe needs to pick up the updated path information.)

2) Change the IIS Admin service to interact with the desktop. You can find this under Administrative Tools/Services. Restart IIS if this change is required.

3) Edit the file MACHINE.CONFIG, found in the directory %SystemRoot%\Microsoft.NET\Framework\(Framework Version)\CONFIG. I make a backup copy so I can switch back to the original.
   Search in the file for the "processModel" entry and change:
   userName="machine"
   to
   userName="SYSTEM"
   Restart IIS and the ASP worker process if this change is needed.

4) Add under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options a new entry for aspnet_wp.exe. Add a string-value item named "Debugger" and change its value to PEBrowse Interactive's full path name, e.g.,
   "C:\Program Files\SmidgeonSoft\PEBrowsePro\PEBrowseDbg.exe"

Launch your webpage and you should see PEBrowse Interactive starting up and debugging the ASP worker process.

Note: If you see a "ghost" present on your screen, this means that PEBrowse Interactive is not communicating with the correct desktop. Review the previous instructions and reapply them.

In order to stop debugging:

1) Rename or delete the Image File Execution Options key for aspnet_wp.exe.

2) Inside PEBrowse Interactive, select Debug/Break Into, and then Debug/Terminate Process.

And, if you are finished with your debugging efforts:

3) Restore MACHINE.CONFIG to its original values (if you do not, then your ASP.NET pages will be operating at an elevated privilege level, thereby exposing them to possible exploits).

4) Restart IIS.

FAQ #12: A dialog box is displayed with the text "Unable to load driver (xxxxxxxx). Some functions will be unavailable" or ".NET Profiling is disabled. .NET symbols and breakpoints will be unavailable." What does this mean?

If you see either one of these two displays, this means that PEBrowse Interactive has been started with the driver loading disabled and/or the .NET profiler loading disabled. In order to enable these items (and avoid the dialog box(es)), locate the menu item "Tools/Configure" and navigate to the checkboxes "Enable driver?" and "Enable .NET profiler?". Adding a checkmark to these questions will re-enable these items. If the driver is disabled, then you will not be able to attach to running processes, nor will you be able to display process information. Otherwise, the debugger will behave normally. If the .NET profiler is disabled, you will not be able to set breakpoints on .NET methods, nor will you see .NET symbols when you step into managed code. Note that when the .NET profiler is enabled, this will force a re-jit of all .NET methods loaded by your executable and slow down the overall performance of your program.
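The setup in FAQ #11 makes three system-wide changes (an Image File Execution Options "Debugger" value for aspnet_wp.exe, a processModel userName of SYSTEM in MACHINE.CONFIG, and an IIS Admin service that interacts with the desktop), and step 3 of the stop procedure warns that leaving MACHINE.CONFIG altered keeps your pages running at an elevated privilege level. The following PowerShell script is an added example, not part of the FAQ or of SmidgeonSoft's tools: it reports which of those three changes are currently in effect, so you can confirm them before debugging and confirm they have been reverted afterwards. The registry path, value name, file location and setting names are the ones the FAQ gives; the framework version directory (v1.1.4322, taken from the FAQ's PATH example) and the use of Get-CimInstance (Windows PowerShell 3 or later) are assumptions.

```powershell
# Added example (not from the PEBrowse FAQ): audit the system-wide changes that
# FAQ #11 makes for ASP.NET debugging and report any that are still in effect.
# Assumption: the framework version directory; adjust -FrameworkVersion as needed.
param(
    [string]$FrameworkVersion = 'v1.1.4322'
)

$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aspnet_wp.exe'
$machineConfig = Join-Path $env:SystemRoot "Microsoft.NET\Framework\$FrameworkVersion\CONFIG\machine.config"

$findings = @()

# 1) IFEO "Debugger" value. Whatever program is named here is launched in place
#    of aspnet_wp.exe, so it should exist only while you are deliberately debugging.
if (Test-Path $ifeoKey) {
    $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += "IFEO Debugger for aspnet_wp.exe is set to: $debugger"
    }
}

# 2) machine.config processModel userName. "SYSTEM" runs the worker process with
#    elevated privilege; the FAQ says to restore the original value when finished.
if (Test-Path $machineConfig) {
    [xml]$cfg = Get-Content -Path $machineConfig
    $pm = $cfg.configuration.'system.web'.processModel
    if ($pm -and $pm.userName -eq 'SYSTEM') {
        $findings += "processModel userName in $machineConfig is SYSTEM"
    }
} else {
    $findings += "machine.config not found at $machineConfig (check -FrameworkVersion)"
}

# 3) IIS Admin service (service name IISADMIN) allowed to interact with the desktop.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='IISADMIN'"
if ($svc -and $svc.DesktopInteract) {
    $findings += "IIS Admin service is allowed to interact with the desktop"
}

if ($findings.Count -eq 0) {
    Write-Output "No FAQ #11 debugging changes are currently in effect."
} else {
    Write-Output "FAQ #11 debugging changes still in effect:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell prompt after completing the stop procedure; an empty report means the debugger hook and the SYSTEM worker identity are both gone. The script only reads the registry, the configuration file and the service properties, so it is safe to run at any time, including before you start debugging to confirm the setup is complete.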