Thursday, September 13, 2007

Lotus Notes 7 Functions Gallery (Part 1)

For the first part of this article, I want to perform brief explanation about some functions that is being used in Lotus Notes version 7.0 which is :

BootstrapCstrncmp
BootstrapMatchesKeyword
BootstrapCstrlen
BootstrapCmovmem
BootstrapCstrncpy
BootstrapCstrncat


The above functions is called at WinMain function in NLNOTES.EXE, and belongs to the BootStrap Group.
That's all folks and see you later :)

Wednesday, July 4, 2007

Visual Studio 2003 Debugging Problem

One clear sunny day, when I was tried to debug on to the remote computer using MS Visual Studio 2003, I came across this message :




The error message says, verify that you are an administrator or a member of the 'Debugger Users' group on the machine you are trying to debug.

Clearly, as member of administrator it is not an option, because of the server nature and also restricted priviledge given to the Application Developer Group, or also it violates the priviledge efficiency, to give the priviledge as required, not more than that, in this case, the priviledge to do the debugging of the application.

So, I followed the instruction to add my domain id to the Debugger Users Group on that remote computer, fire up the debugging windows, and still no success, the error is still as above.
After doing an indepth check using WinDBG and appropriate symbol files from Microsoft, I came to know that the problem resides in the routine sdm2!CDebugManager::GetMachine that is giving the 0x80040021 error code, which is ridiculous, because I ALREADY add my domain id to the member of "Debugger Users".

OK, now in the routine sdm2!CDebugManager::GetMachine gives error message 0x80040021, but exactly when it is happened ? The problem came up upon calling the routine :

518a84b8 e8393b0000 call sdm2!ATL::CComBSTR::operator+=+0x1e (518abff6)

Which in return calls :

518ac066 ff1538118951 call dword ptr [sdm2!_imp__CoCreateInstanceEx (51891138)]
518ac06c 689cc08a51 push 0x518ac09c
518ac071 8bf8 mov edi,eax


Which gives eax=0x80070005, and this means "Access Denied", and DEVENV.EXE then doing the additional checking and returns 0x80040021 with misleading above.

But, at exactly what sdm2!_imp__CoCreateInstanceEx that causes the "Access Denied" ?

518ac056 8d45f4 lea eax,[ebp-0xc]
518ac059 50 push eax ;;pResults
518ac05a 6a01 push 0x1 ;;cmq
518ac05c 8d45e4 lea eax,[ebp-0x1c]
518ac05f 50 push eax ;;pServerInfo
518ac060 6a14 push 0x14 ;;dwClsCtx
518ac062 56 push esi ;;punkOuter
518ac063 ff750c push dword ptr [ebp+0xc] ;;refClassID
518ac066 ff1538118951 call dword ptr [sdm2!_imp__CoCreateInstanceEx (51891138)]
518ac063 ff750c push dword ptr [ebp+0xc]{sdm2!CLSID_MsMachineDebugManager (5189742c)}
ss:0023:0012f270=5189742c
0023:5189742c fd 5f b2 73-01 f5-7b 43-8b 11-7f 0d e3 83 96 4f -> Reference Class ID
73B25FFD-F501-437B-118B-7F0DE383964F -> MDM.EXE (Machine Debug Manager)
0:000> d ds:eax
0023:0012f248 00 00 00 00 08 5a cb 06-2c f2 12 00 00 00 00 00 .....Z..,.......
0023:0012f258 78 ef 89 51 00 00 00 00-00 00 00 00 90 f2 12 00 x..Q............
0023:0012f268 bd 84 8a 51 08 5a cb 06-2c 74 89 51 78 ef 89 51 ...Q.Z..,t.Qx..Q
0023:0012f278 8c f2 12 00 01 00 00 00-74 f5 12 00 00 00 00 00 ........t.......
0023:0012f288 a8 7f 83 01 00 00 00 00-ac f2 12 00 9d 7b 89 51 .............{.Q
00000000 -> dwReserved1
06CB5A08 -> Machine Name
0012F22C -> pAuthInfo
Authentication Info Structure :
0023:0012f22c 0a 00 00 00 - 00 00 00 00 - 00 00 00 00 - 02 00 00 00
0023:0012f23c 03 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00 00 00 0A -> RPC_C_AUTHN_WINNT (Authentication Service to Use)
00 00 00 00 -> RPC_C_AUTHZ_NONE (Authorization Service to Use)
00 00 00 00 -> Server Principal Name (Must be NULL) if using RPC_C_AUTHN_WINNT
00 00 00 02 -> RPC_C_AUTHN_LEVEL_CONNECT (Authenticates the credentials of the client only when the client establishes a relationship with the server)
00 00 00 03 -> Impersonation Level (must be RPC_C_IMP_LEVEL_IMPERSONATE)
00 00 00 00 -> Client Identity (If NULL, the actual identity of the client is used)

This happens when the client tries to create the RPC to the server using COM Interface. So, using the WinDBG, what happens at the server is :

7c822583 cc int 3
0:014> bm /a rpcss!RemoteInterfaceOnlySecCallback
breakpoint 1 redefined
1: 76d6595d @!"rpcss!RemoteInterfaceOnlySecCallback"
0:014> g
ModLoad: 76c90000 76cb7000 C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76cf0000 76d0a000 C:\WINDOWS\system32\iphlpapi.dll
Breakpoint 1 hit
eax=0063fd70 ebx=0009b4a8 ecx=0009b5a4 edx=00000002 esi=0009b5a4 edi=0063fd80
eip=76d6595d esp=0063fd4c ebp=0063fda0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
rpcss!RemoteInterfaceOnlySecCallback:
76d6595d 8bff mov edi,edi
0:009> bp 76d35026
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
0:009> bp 76d35050
0:009> g
Breakpoint 0 hit
eax=0063fce8 ebx=0008f870 ecx=000004f4 edx=7c82ed54 esi=000edd18 edi=00000000
eip=76d35026 esp=0063fcb8 ebp=0063fcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
rpcss!CheckForAccess+0x1f:
76d35026 50 push eax
0:009> d ds:eax
0023:0063fce8 30 3d 08 00 01 16 d3 76-48 fd 63 00 66 5a d6 76 0=.....vH.c.fZ.v
0023:0063fcf8 f4 04 00 00 e8 f7 08 00-04 00 00 00 a8 b4 09 00 ................
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> g
Breakpoint 2 hit
eax=00000001 ebx=0008f870 ecx=0063fcd8 edx=0063fce8 esi=00000001 edi=00000000
eip=76d35050 esp=0063fcbc ebp=0063fcf0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
rpcss!CheckForAccess+0x49:
76d35050 85c0 test eax,eax
0:009> d ds:0063fce8
0023:0063fce8 fc f7 08 00 01 00 00 00-48 fd 63 00 66 5a d6 76 ........H.c.fZ.v
0023:0063fcf8 f4 04 00 00 e8 f7 08 00-04 00 00 00 a8 b4 09 00 ................
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> !acl 0008f7fc
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x48
ACL is: ->AceCount : 0x3
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x14
ACL is: ->Ace[0]: ->Mask : 0x00000007
ACL is: ->Ace[0]: ->SID: S-1-5-7
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x18
ACL is: ->Ace[1]: ->Mask : 0x00000007
ACL is: ->Ace[1]: ->SID: S-1-5-32-562
ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[2]: ->AceFlags: 0x0
ACL is: ->Ace[2]: ->AceSize: 0x14
ACL is: ->Ace[2]: ->Mask : 0x00000007
ACL is: ->Ace[2]: ->SID: S-1-1-0
0:009> !acl 0008f7fc 1
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x48
ACL is: ->AceCount : 0x3
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x14
ACL is: ->Ace[0]: ->Mask : 0x00000007
ACL is: ->Ace[0]: ->SID: S-1-5-7 (Well Known Group: NT AUTHORITY\ANONYMOUS LOGON)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x18
ACL is: ->Ace[1]: ->Mask : 0x00000007
ACL is: ->Ace[1]: ->SID: S-1-5-32-562 (Alias: BUILTIN\Distributed COM Users)
ACL is: ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[2]: ->AceFlags: 0x0
ACL is: ->Ace[2]: ->AceSize: 0x14
ACL is: ->Ace[2]: ->Mask : 0x00000007
ACL is: ->Ace[2]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)
0:009> g
Breakpoint 0 hit
eax=0063fce8 ebx=0008f7d0 ecx=000004f4 edx=7c82ed54 esi=0063fd80 edi=00000000
eip=76d35026 esp=0063fcb8 ebp=0063fcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
rpcss!CheckForAccess+0x1f:
76d35026 50 push eax
0:009> d ds:eax
0023:0063fce8 30 3d 08 00 01 16 d3 76-48 fd 63 00 fa 5a d6 76 0=.....vH.c..Z.v
0023:0063fcf8 f4 04 00 00 60 f7 08 00-10 00 00 00 a8 b4 09 00 ....`...........
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> g
Breakpoint 2 hit
eax=00000001 ebx=0008f7d0 ecx=0063fcd8 edx=0063fce8 esi=00000001 edi=00000000
eip=76d35050 esp=0063fcbc ebp=0063fcf0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
rpcss!CheckForAccess+0x49:
76d35050 85c0 test eax,eax
0:009> d ds:0063fce8
0023:0063fce8 74 f7 08 00 01 00 00 00-48 fd 63 00 fa 5a d6 76 t.......H.c..Z.v
0023:0063fcf8 f4 04 00 00 60 f7 08 00-10 00 00 00 a8 b4 09 00 ....`...........
0023:0063fd08 80 fd 63 00 a4 b5 09 00-01 00 00 00 05 00 00 00 ..c.............
0023:0063fd18 70 fd 63 00 01 00 00 00-e8 84 0b 00 a0 01 00 00 p.c.............
0023:0063fd28 00 00 00 00 c0 00 00 00-00 00 00 46 b8 4a 9f 4d ...........F.J.M
0023:0063fd38 1c 7d cf 11 86 1e 00 20-af 6e 7c 57 32 fd 00 00 .}..... .nW2...
0023:0063fd48 a0 fd 63 00 3b 17 c7 77-70 fd 63 00 18 dd 0e 00 ..c.;..wp.c.....
0023:0063fd58 18 dd 0e 00 b0 83 0c 00-00 00 00 00 88 fd 63 00 ..............c.
0:009> !acl 0008f774 1
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x34
ACL is: ->AceCount : 0x2
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x18
ACL is: ->Ace[0]: ->Mask : 0x0000001f
ACL is: ->Ace[0]: ->SID: S-1-5-32-562 (Alias: BUILTIN\Distributed COM Users)
ACL is: ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[1]: ->AceFlags: 0x0
ACL is: ->Ace[1]: ->AceSize: 0x14
ACL is: ->Ace[1]: ->Mask : 0x0000000b
ACL is: ->Ace[1]: ->SID: S-1-1-0 (Well Known Group: localhost\Everyone)


Conclusion, at least in this case :

Error message from DEVENV.EXE is misleading, and it is not conform to the fact on operational side. That COM service is handled by RPCSS.EXE on server side, and RPCSS.EXE checks to BUILTIN\Distributed COM Users, NOT BUILTIN\Debugger Users.

The relevant information about DCOM Security and its relationshipb with CoCreateInstanceEx is here :

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/1917834c-5216-4ef3-a0c2-d8ca63cef53d.asp

Summary of important command in WinDBG as below :

x (examine symbol)
kv (view callstack)
uf (dissasemble function)
!dh (Display Header, it is used to get information of executable property of certaion module in action)
!acl (Display Access Control List of Given Access Control List Pointer)

Saturday, June 30, 2007

Which W3WP.EXE to Debug ?

Here is the scenario. Some Web Service program runs in IIS 6.0 having cryptic error, and you have to figured it out using MS Visual Studio 2003 debugger. As you may all already know, to debug some Web Application Process in remote computer, you have to debug process that is resides in W3WP.EXE.

Well, after you fire out the Debug Process screen, to your dismay, you found more than one W3WP.EXE with different Process ID. The question is, which W3WP.EXE to be the debugger attached to ?



You can find it using command line utility called IISApp :



The AppPoolId refers to the Application Pool where your web application resides. Usually it resides in DefaultAppPool. To verify that your application is indeed resides in certain Application Pool, you can use IIS Manager 6.0 snap in :



In the above example, the gear below the "DefaultAppPool" is all of the web application that resides in that particular Application Pool.

After determining which application pool that your web application resides, you can write down the PID shown by IISApp, and perform the right choose, and hence, your debugger will break to your desired location.

Whereas about precisely how you do the debugging, you can consult another posting in this blog. Wish you a happy web service debugging :) !

How to Do Web Service Debug in Remote Computer (Visual Studio 2003) ?

This works on MS Visual Studio 2003, and assuming that the remote server is running the IIS 6.0.

First, find W3WP.EXE process that is associated with that Web Service, if there are many W3WP.EXE in the process list, you can find it using the IISAPP command line. If you don't know how to to it, you can find it in another article in my blog :)

Please note that the "SPS" in this screen refers to the Remote Computer name. You have to be member of Debugger Users in that remote computer, if successful, the process on the Remote Computer will be displayed as shown :



What if instead an error message is show up ? Well, no problem, that is already solved in yet another article in this blog :)

Next, set the Project that contanis the Web Service as default, then using the Break to the Web Service Method that will be debug. You have to type the method completely (i.e. start from outermost parent, such as Aaaa.Bbbb.MethodName and case sensitively. Sorry, I can't show you exact function name in this screen because of the proprietary nature of this application. You can inquire more about this using comment that is is provided in this blog.



Run application (using your favorite web browser) that use that Web Service Method, and you're done :)





Friday, June 29, 2007

Which Service that is Hosted by SVCHOST.EXE ?

If you view the tasklist using MS Windows 2003, you would seeing typical screen like this :












To show which service that is hosted by SVCHOST.EXE, you can use the /svc in the tasklist command line as shown in this picture :