 

How to break into WinDBG when ntdll.dll is mapped into the new process

I want to use the following command to break into WinDBG when ntdll.dll is mapped into the new process, and before any of ntdll's process initialization runs.

sxe ld ntdll.dll ;g

However, the trick doesn't work at all:

ModLoad: 7c900000 7c9b0000   ntdll.dll
eax=010043af ebx=7ffde000 ecx=020f18f5 edx=00000034 esi=00c2f720 edi=00c2f6f2
eip=7c810867 esp=0006fffc ebp=00000720 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000200
7c810867  ??              ???
Processing initial command 'sxe ld ntdll.dll ;g'
0:000> sxe ld ntdll.dll ;g
(ae8.6f4): Break instruction exception - code 80000003 (first chance)
eax=00181eb4 ebx=7ffde000 ecx=00000001 edx=00000002 esi=00181f48 edi=00181eb4
eip=7c901230 esp=0006fb20 ebp=0006fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc              int     3

So, how do I break into WinDbg when ntdll.dll is mapped into the new process? Thanks.

[UPDATE]

I followed the steps mentioned by jcopenha exactly, but I don't know why WinDbg gives a strange error (Memory access error) when Notepad.exe is running.

Please give me a hand! Thanks a lot!

0:000> .restart /f
CommandLine: C:\WINDOWS\NOTEPAD.EXE
Symbol search path is: D:\Symbols\Symbols;SRV*D:\Symbols\MySymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 01000000 01014000   notepad.exe
eax=0100739d ebx=7ffd9000 ecx=020f18f5 edx=0000004e esi=00f7f73a edi=00f7f6f2
eip=7c810867 esp=0007fffc ebp=0000024c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000200
7c810867 ??              ???
0:000> u 7c810867
7c810867 ??              ???
            ^ Memory access error in 'u 7c810867'

[UPDATE2] I found an odd instruction displayed at 7c810867, but the p command still works.

Is it a bug in WinDBG?


Matt Elson asked Aug 27 '12 14:08


2 Answers

If you go to Debug->Event Filters and change "Create process" to "enabled", then restart the application, it will start before ntdll.dll shows up in the module list. If you then do sxe ld ntdll.dll;g, it will stop in ntdll!RtlUserThreadStart.

0:000> .restart /f
CommandLine: C:\Windows\System32\notepad.exe
Symbol search path is: SRV*d:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00000000`ffe00000 00000000`ffe35000   notepad.exe
00000000`7790c500 4883ec48        sub     rsp,48h
0:000> sxe ld ntdll.dll;g
ModLoad: 00000000`778e0000 00000000`77a89000   ntdll.dll
ntdll!RtlUserThreadStart:
00000000`7790c500 4883ec48        sub     rsp,48h
jcopenha answered Oct 14 '22 02:10


Regarding the loading of ntdll, I recommend reading this. You can break into the process before any code runs with:

windbg -xe cpr notepad

Or

windbg -xe ld:ntdll notepad

ntdll will still be mapped into the process at this point -- you can't break in before this happens.

As for the memory access error, kernel32 is not loaded into the process yet. The initial thread is queued to run at kernel32!BaseProcessStartThunk, but since kernel32 isn't loaded into the address space yet, you aren't going to see anything at that address.

The reason the thread's start address can lie in unmapped memory is that, before the thread begins its execution, the very first thing that happens is a user APC running in the context of that initial thread; it takes care of all the process initialization, including loading kernel32. You can see this event occur if you set a similar event, like:

sxe ld kernel32

You will need to load symbols to get the internal functions names in the stack trace.

In addition to the first link, you can read more about process initialization here. Hope this helps.

user1354557 answered Oct 14 '22 01:10
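Putting the two answers together, the following is an added example session, not code from either answerer, that starts the target with the create-process event enabled from the command line (the equivalent of Debug->Event Filters, "Create process" = Enabled), stops when ntdll.dll is mapped, and then stops again at the loader APC that runs in the initial thread before kernel32 exists in the address space. The notepad path is an assumption; ntdll!LdrInitializeThunk is the exported routine that the initial-thread APC enters, and resolving it needs ntdll symbols (or at least its export table) to be available.

```text
REM Command line: break on the create-process event, before ntdll is listed
REM (path to notepad.exe is an assumption for this example)
windbg -xe cpr C:\Windows\System32\notepad.exe

0:000> * Break when ntdll.dll is mapped; no user-mode code has run yet
0:000> sxe ld:ntdll
0:000> g

0:000> * kernel32 is not in the address space at this point, so the thread's
0:000> * start address (kernel32!BaseProcessStartThunk) cannot be disassembled
0:000> lm m kernel32

0:000> * The first user-mode code to execute is the loader APC in the initial
0:000> * thread; stop there to see process initialization begin
0:000> bp ntdll!LdrInitializeThunk
0:000> g
0:000> k

0:000> * Confirm the load order: kernel32 is mapped by the loader from inside
0:000> * that APC, after ntdll and before the thread reaches its start address
0:000> sxe ld:kernel32
0:000> g
0:000> lm m kernel32
```

Use `sxe ld:ntdll` inside the session only after the create-process break has been taken; if the debugger's first stop is already at ntdll!DbgBreakPoint, the ntdll load event has passed and the filter will not fire until a restart.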