Break when ntdll.dll is mapped
When you debug a Win32 application, by default the debugger will stop after ntdll finishes initializing the application. (Initialization includes not not limited to loading the static dependencies of the applications and running the DllMain of those dlls.)
Usually this does not matter. But if you want to debug the process initialization, you will need something better.
You can use the following trick to break into debugger when ntdll.dll is mapped into the new process, and before any of ntdll's process initialization runs.
cdb -xe ld:ntdll <your-application>
If you can't remember the exact syntax, the following will also work:
cdb <your-application>
sxe ld ntdll.dll
.restart
You can even break before ntdll.dll is mapped.
cdb -xe cpr <your-application>
Comments
- Anonymous
November 30, 2005
Yes but can you explain what exactly the above command and commandline switches are and do.
What is -xe dl
sxe or the rest. - Anonymous
December 01, 2005
The comment has been removed