How to resolve CoCreateInstance in windbg while debugging an windows process

Question

Getting following error while trying to setup a breakpoint as below in Windbg.

0:032> bp ole32!CoCreateInstance
Couldn't resolve error at 'ole32!CoCreateInstance'

Looking at dumpbin exports for ole32.dll I see following: Any idea how I can resolve CoCreateInstance symbol and set a breakpoint successfully.

CoCreateInstance (forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance)
CoCreateInstanceEx (forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstanceEx)

Thanks

Answer 1

try setting the breakpoint at combase!CoCreateInstance. Also, have you set up the debugger to use symbol files?

Answer 2

Thanks, Got it. Any documentation on these API symbols, like the dll where the symbols available.

Answer 3

@RLWA32

@MaybeCompletelyW

Using script from following to do logging the API calls through windbg. https://learn.microsoft.com/en-us/archive/blogs/debuggingtoolbox/windbg-script-tracing-api-calls

I see following in windbg when I execute this script:

0:000> $$><C:\logs\script.txt
Windows API Logging Extensions v4.02, new process 0x296C: notepad.exe
Logging enabled
logc needs rewritting
Debugger Disabled
Text file Enabled
Verbose log Disabled
Break on depth: 0

However I don't see any logfile generated. Can somebody help what I am missing here?

Following is my WinDbg/WIndows version:

Seems logger.exe does not work too, I tried for notepad.exe and filled in the options in enable dialog, however seems the target process exits. Here is screenshot for logger

Answer 4

Probably a matter of versions
Windows Version 20H2 (Build 19042.630)
Debugger/Logger.exe from
Windows Driver Kit Windows 10.0.19041.1

I am getting *.lgx file from Logger.exe:

Fumbling around with Windbg:10.0.19041.1 AMD64 :

(2888.2790): Break instruction exception - code 80000003 (first chance)  
ntdll!DbgBreakPoint:  
00007ffd`3eeef890 cc              int     3  
0:007> !logexts.logi  
Windows API Logging Extensions v4.02, new process 0x2888: notepad.exe  
LogExts hijacking current thread @ PC=0x00007FFD3EEEF890 with:  
    InjectDll  @ 0x000002273A200000  
    Data       @ 0x000002273A7E0000  
0:007> !logexts.logc e *  
logc needs rewritting  
0:007> !logexts.logo e v  
  Debugger            Disabled  
  Text file           Disabled  
  Verbose log         Enabled  
0:007> !logexts.logb p  
Break on depth: 0  
0:007> !logexts.loge  
Logging enabled  
0:007> g  
ModLoad: 00007ffd`00be0000 00007ffd`00c2d000   C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\logexts.dll  
0x2888 Logexts Process Attach  
logexts.dll initializing for C:\Windows\notepad.exe  
[Logger]: WARNING - Could not hook module inside ntdll.dll, no base IAT!?   
[Logger]: WARNING - Could not hook module inside win32u.dll, no base IAT!?   
Logexts Initialization Complete  
LogExts!logi succeeded, logging is now enabled, do logd/loge, then logir  
(2888.2790): Break instruction exception - code 80000003 (first chance)  
00000227`3a200046 cc              int     3  
0:007> !logexts.loge  
Logging enabled  
0:007> !logexts.logir  
Thread state restored, was at 000002273A200046 now back to 00007FFD3EEEF890  
0:007> g  
ModLoad: 00007ffd`3d650000 00007ffd`3d72a000   C:\WINDOWS\System32\comdlg32.dll  
ModLoad: 00007ffd`3d760000 00007ffd`3d88a000   C:\WINDOWS\System32\ole32.dll  
ModLoad: 00007ffc`de140000 00007ffc`de2ee000   C:\WINDOWS\System32\DUI70.dll  

Maybe you can try to set Manifest file:

Manifest="C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\LogManifest.lgm"  

in
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Logexts.ini

No luck with e.g. Logger 3.01

Answer 5

I copied manifest file to following directory and that worked for me Debuggers\x64\