How to use Visual Studio debugger with CIS [v5]

The following bug report became useful as a FAQ, thanks to Wxman’s excellent posts.

The topic is presented below without editing, as debugger users will surely be more than able to extract what they need from it!

Best wishes, and many thanks to Wxman.

Mouse


The bug/issue

  1. What you did: Debugging the code below in VS2010
  2. What actually happened or you actually saw: The application hangs, and if tracing in VS (F10), VS hangs also
  3. What you expected to happen or see: Normal execution
  4. How you tried to fix it & what happened: Nothing changed
  5. If it’s an application compatibility problem have you tried the application fixes?: Yes
  6. Details (exact version) of any application involved with download link: MS Visual Studio 2010 ver. 10.0.30319.1
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Just make a project and copy/paste the code below. Then execute it.
  8. Any other information (eg your guess regarding the cause, with reasons): No.

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: Nothing special
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List: No
  3. A CIS config report or file: No
  4. Crash or freeze dump file: No

Your set-up

  1. CIS version, AV database version & configuration used: CIS 5.0.163652.1142
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
    b) if so, have you tried reinstalling (if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have you tried a preset config (if not please do)?:
  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. ) No
  5. Defense+ and Sandbox OR Firewall security level: D+ Safe Mode, FW Custom Policy, SB Enabled
  6. OS version, service pack, no of bits, UAC setting, & account type: Win.7.32.7600 all updates installed, UAC disabled, admin
  7. Other security and utility software installed: None, windows fw is disabled
  8. Virtual machine used (Please do NOT use Virtual box): None

    Dim MyWebClient As WebClient = New WebClient()
    Dim ur As New Uri("http://my.testserver.com/")

    With MyWebClient
        With .Headers ' <-- IT HANGS IN THIS LINE!!!!
            .Add("Connection", "keep - alive")
            .Add("Keep-Alive", "115")
            .Add("Accept", "text/html,image/jpg")
            .Add("Accept-Charset", "ISO-8859-1,utf-8;")
            .Add("Accept-Encoding", "gzip,deflate")
        End With

        AddHandler .DownloadDataCompleted, AddressOf DownloadDataCallback
        .DownloadDataAsync(ur)
    End With

I have no problems debugging in VS2008 w/CIS v5.0.163652.1135 using proactive security (paranoid mode), SB enabled (unrecognized = untrusted).

I have the following Defense+ rules - all rules use custom policy by default (except the last one) - ask all (click allow + ‘remember this’ as alerts manifest themselves - then modify pathnames with wildcards to make rules universal x-project as appropriate):

%VS_install_dir%\Common\IDE\devenv.exe (%VS_install_Dir% = path to VS install folder)

run executable: %doc_folder%\VS2008\Projects**\bin\Debug*
%windir%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Interprocess Memory Access:
%windir%\explorer.exe

Windows/WinEvent Hooks:
%VS_install_dir%\Common\IDE\msenv.dll

Process’ Termination:
%doc_folder%\VS2008\Projects**\bin\Debug*

Protected COM Interfaces:

Allowed:
LocalSecurityAuthority.Debug
%doc_folder%\VS2008\Projects**\bin\Debug*.vshost.exe
%ProgramFiles%\Internet Explorer\IEXPLORER.EXE
%windir%\explorer.exe

Blocked:
%appdir%\boincmgr.exe
LocalSecurityAuthority.Shutdown

(Dunno why the debugger asks for access to these. The first won’t be relevant unless you have BOINC installed. The latter, dunno either; debugger doesn’t need shutdown privilege)

Protected Registry Keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup

HKUS[user specific sub-key]\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

Protected Files/Folders:
\Device\Afd\Endpoint
%doc_folder%\VS2008\Projects**\bin\Debug*
%doc_folder%\VS2008\Projects**\obj\Debug*

File group: %doc_folder%\VS2008\Projects**\bin\Debug*.vshost.exe

Protected COM Interfaces
LocalSecurityAuthority.Debug
%path_to_VS%\Common7\IDE\devenv.exe

File group - predefined installer\updater privilege (prevents CIS from phoning home/sandboxing every time app is executed during development): %doc_folder%\VS2008\Projects**\bin\Debug*.exe

project specific path: %doc_folder%\VS2008\Projects[projName][projName]\bin\Debug[projName].vshost.exe

Protected Files\Folders
specified per to any arbitrary application access requirements

Keeping Defense+ rules organized in some rational fashion will facilitate maintenance (delete the last ruleset defined above as appropriate, e.g., development of project is complete).

NOTE: I’m making reference to environmental vars as placeholders for posting purposes only. Substitute absolute paths as appropriate on your system.

I was able to debug it without problem with Visual Studio 2010 (10.0.30319.1),
but the program has to add a sub to be able to run it; see screenshot.

[attachment deleted by admin]

Hi Wizard

Have you tried these fixes and do they work?

If so I’m inclined to do a FAQ (basically copy the above plus some intro text with credits to you) on them rather than regard this as a bug, as debugging is a specialist task.

Arguably a good security package should require special setting to allow debug level privs. Else it would create vulnerabilities.

What do you guys think? You are the experts!

Best wishes

Mouse

In the code snippet supplied by Wizard, Webclient is undefined w/out importing System.Net. Moreover, they’re not valid in namespace “”; they must be part of some class. Furthermore, the statements can’t appear outside of a method body. That notwithstanding, DownloadDataCallback ultimately becomes unreferenced. Kinemitor’s solution addresses all those problems. I fingered all that was implied, and that the method is declared in an instantiated shared class, or standard module. How else could implicit reference to the method be made (especially given the addressof parameter), i.e., without a dot prefix?

What’s odd is that Wizard intimated that the module executes fine ‘standalone’; that in the original thread where he originally mentioned the problem. He stated that when he disabled both FW & D+ the problem remained with respect to debugging.

What I posted was configuring CIS D+ so as to allow the VS IDE and debugger to function x-project. My perception was that he was utilizing the debug mode of the VS IDE for a project solution.

However, this link: cannot-step-into-net-framework-source-with-vs2008-sp1 suggests the issue is a horse of an entirely different color. That issue pertains to utilizing the debugger to step through an image and requires loading the proper symbol set for that.

Here’s another link pertaining to that: Configuring Visual Studio to Debug .NET Framework Source Code

I don’t know if it is relevant, but every application I made in Visual Basic, even if it doesn’t have any code, tries to create a file which is blocked by Comodo:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
What is the risk for these files?

Just goes to show you: you learn something new every day. I never knew anything about that (nor did I ever see an alert from CIS concerning that). In fact, I don’t even have a ‘config’ folder in that .NET framework.

In any case, research suggests I don’t think you want to block that.

security.config.cch files, and variations of them (security.config.cch.new, security.config.cch.[random numbers] etc.) are security resolution cache files.

These files are essentially a cache of the CAS (Code Access Security) demands of your application’s code. They allow the in-built security system of the CLR to resolve the security demands of your code slightly quicker.

You can safely delete these files, and this will result in your application’s initial performance next time around to be slightly slower, however, the CLR security sub-system will eventually re-generate these files.

There was a known issue that could arise from this process, “FIX: Error message when you try to run a Web application that was built by using the .NET Framework 2.0: ‘Overwhelming changes have occurred’”; however, this applies to .NET Framework 2.0 and may or may not still apply with .NET Framework 3.5 SP1 (which you’re using with VS2008 SP1).

It’s perfectly normal for there to be many reads/writes to these files, however, if the reads/writes seem excessive and to the point where you’re experiencing lock-ups I would look into either reviewing your code (assuming you have many calls to demand specific security actions or equivalent), or examining the configuration of your Runtime Security Policy as set within the .NET Framework Configuration Tool (Mscorcfg.msc).

SOURCE: what-does-the-file-security-config-cch-do-with-the-clr

Hi guys

This is technically beyond me, so can someone make a judgement on whether there is a problem here that cannot be resolved by settings changes.

Also, would anyone be kind enough to bring this material together into a draft FAQ post? If you can do this and post it here, I will top and tail it, make sure you are credited, and move it to the faqs.

Many thanks in anticipation

Mouse

PM sent

Thanks wxm1 for writing this great article

adi

Yes thanks WXMan for a very thorough job on behalf of all debugger users!

Best thing is to move complete topic to create a FAQ in D+ help I think.

Doing this now

Mouse

I’ll be watching this space to see what other useful information shows up (for real, like, man.).

In any case, it’s unclear if Wizard’s original issue arose in release mode or in debugging mode. Inquiring minds need to know, you know? Given that it’s been established that Wizard’s code snippet - as Wizard provided - can not be stand-alone, ChrisF’s post (why-does-f10-step-over-in-visual-studio-not-work) seems particularly salient:

“Without knowing more about your application it’s difficult to say, but usually this sort of thing happens when the process starts a thread or otherwise goes into code where there isn’t any debug information.”

It’s worth noting - can-i-debug-a-compiled-assembly - there are potentially three issues at play:

Wizard needs to disable default IDE debugging settings - Tools → Options → Debugging → general section → “Enable Just My Code” - and then load the PDB (symbol set) for the compiled assembly he’s debugging.

OR attach to the assembly process already running using Debug → “Attach to Process” in the VS IDE. As long as you have a copy of the running source code (along with the associated .pdb) in Visual Studio, you can debug normally.

Wizard made reference to using IDE hotkey - F10 - step over. Per R. Bemrose comment at the first link cited:

“F10 is Step Over. This means that any methods called by your current method will not be shown in the debugger. If these throw an uncaught exception or somehow end execution, debugging will just end…”

ALL of that notwithstanding, nevertheless, and what not, I originally indicated that I block LocalSecurityAuthority.Shutdown in the ‘Protected COM Interfaces’ access right for %VS_install_dir%\Common\IDE\devenv.exe (where %VS_install_Dir% = path to VS install folder)

FWIW: Given that I’ve seen apps ask for DNS access rights - the log shows RPC to be intimated as the target - and the app makes no attempt whatsoever to access the internet (based on lack of any firewall alert), makes me lean towards the idea that shutdown should not unilaterally be blocked; doing so will probably break some arcane VS IDE functionality that will be virtually impossible to debug if shutdown privilege is blocked; I believe that this is CIS’ mechanism to address ‘God’ access-rights / privileges; leave it alone and grant such privilege on case-by-case basis.

OBTW: the proper format to the Ancient Egyptian Get-CIS-to-work-with-Arcane-Visual-Studio-Functionality Dance:

Wabbee-wabbee, wabbee-wabbee
head-thrust
foot-stomp
head-thrust
foot-stomp
wabbee-wabbee, wabbee-wabbee

Just, you know, throwin’ that out there (got burned by that once). It’s all too easy for the inexperienced to be going off on very similar (although vastly different effect) rituals, e.g., Ancient Egyptian Laser-Printer-repair OR Ancient Phoenician Snowfall-to-Grimace-Proportions dance-rituals.
