How can I create objects based on dump memory in the WinDbg extension?

I am working on a large application and often use WinDbg to diagnose problems based on a DMP file from a client. I wrote some small extensions for WinDbg, which turned out to be very useful for extracting bits of information from DMP files. In my extension code, I find myself dereferencing C++ class objects in the same way, time and time again, manually. For instance:

ULONG64 Address;         // address of the symbol itself
ULONG64 addressOfPtr;    // pointer value stored at the symbol
ULONG64 addressOfObj;    // address of the object that pointer refers to
ULONG   cb;              // bytes actually read

Address = GetExpression("somemodule!somesymbol");
ReadMemory(Address, &addressOfPtr, sizeof(addressOfPtr), &cb);

// get the actual address (dereference the pointer read above)
ReadMemory(addressOfPtr, &addressOfObj, sizeof(addressOfObj), &cb);

ULONG offset;
ULONG addressOfField;    // holds the field's value once read

// locate the field inside the type, then read it out of the object
GetFieldOffset("somemodule!somesymbolclass", "somefield", &offset);
ReadMemory(addressOfObj + offset, &addressOfField, sizeof(addressOfField), &cb);

This works well, but as I write more extensions with more functionality (and access to more complex objects in our application's DMP files), I really want a better solution. Of course, I have access to the source of our own application, so I think there should be a way to copy the object out of the DMP file and use that memory to create the actual object in the debugger extension, on which I can then call functions (by linking in the DLL from our application). This would save me having to pull things out of the DMP manually.

? , , ReadMemory DMP. , , , . , - ... , ++ - - vtable, ? :

SomeClass* thisClass = SomeClass::New();
ReadMemory(addressOfObj, &(*thisClass), sizeof(*thisClass), &cb);

FOLLOWUP: , POSSIBLY ExtRemoteTyped EngExtCpp - , ? - ? , .

FOLLOWUP 2: .
1) ExtRemoteTyped, , ReadMemory/GetFieldOffset. , ALOT, , DMP. , - . 2) ReadMemory , , DMP. , , sizeof (* thisClass), , , vtables .

+5
4

, . , ( vtables), .

"" , , , ReadMemory() . , , , , . , , , .

+1

dmp . , :

class SomeClassRemote : public SomeClass
{
protected:
    SomeClassRemote (void);
    SomeClassRemote (ULONG inRemoteAddress);

public:
    static SomeClassRemote* New(ULONG inRemoteAddress);
    virtual ~SomeClassRemote (void);

private:
    ULONG m_Address;    // address the object was copied from in the dump
};

:

SomeClassRemote::SomeClassRemote (ULONG inRemoteAddress)
{
    ULONG cb;

    m_Address = inRemoteAddress;

    // copy in all the data to the new object, skipping the virtual function tables
    // (assumes a 32-bit target with the vtable pointer in the first 4 bytes, so the
    // local vtable pointer set up by the constructor is left untouched)
    ReadMemory(inRemoteAddress + 0x4, (PVOID) ((ULONG)&(*this) + 0x4), sizeof(SomeClass) - 4, &cb);
}

SomeClassRemote::SomeClassRemote(void)
{
}

SomeClassRemote::~SomeClassRemote(void)
{
}

SomeClassRemote* SomeClassRemote::New(ULONG inRemoteAddress)
{
    SomeClassRemote* x = new SomeClassRemote(inRemoteAddress);

    return (x);
}

, , dmp. , .

, SEEMS, - templatize... , , -, , vtables, .
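The same idea as the question's manual ReadMemory/GetFieldOffset loop and the SomeClassRemote answer above, written as the templated version that answer hints at. This is an added example, not code from the question, the answers, or WinDbg: the WinDbg ReadMemory call is replaced by a RemoteReader callback of the same shape so the code runs offline against a constructed byte image, SomeClass is a hypothetical stand-in with two int members, and kRemoteBase is a made-up target address.

```cpp
// Added example: construct the object locally (so the vtable pointer is ours),
// then overlay the remote bytes that follow the vtable pointer.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Same shape as WinDbg's ReadMemory(addr, buf, size, &bytesRead): returns bytes read.
using RemoteReader = std::function<size_t(uint64_t addr, void* buf, size_t size)>;

// Hypothetical application class standing in for SomeClass.
class SomeClass {
public:
    SomeClass() : m_count(0), m_flags(0) {}
    SomeClass(int count, int flags) : m_count(count), m_flags(flags) {}
    virtual ~SomeClass() {}
    virtual int Describe() const { return m_count * 10 + m_flags; }
    int Count() const { return m_count; }
    int Flags() const { return m_flags; }
protected:
    int m_count;
    int m_flags;
};

// Build a local T, then overwrite everything after the vtable pointer with the
// remote bytes. Virtual calls dispatch through the extension's own vtable; plain
// data members carry the dump's values. Pointer members still hold
// target-process addresses and must not be dereferenced locally.
template <typename T>
T* MakeRemoteObject(const RemoteReader& read, uint64_t remoteAddress) {
    static_assert(std::is_polymorphic<T>::value,
                  "skipping a vtable pointer only makes sense for polymorphic types");
    // Assumption: the vtable pointer occupies the first sizeof(void*) bytes of T
    // (holds for MSVC, GCC and Clang when T has no polymorphic base classes).
    const size_t vptrSize = sizeof(void*);
    const size_t payload = sizeof(T) - vptrSize;
    T* obj = new T();
    size_t got = read(remoteAddress + vptrSize,
                      reinterpret_cast<unsigned char*>(obj) + vptrSize, payload);
    if (got != payload) {   // page missing from the dump: never return a half-filled object
        delete obj;
        throw std::runtime_error("short read while rehydrating object");
    }
    return obj;
}

// Serve reads from a byte image that pretends to start at `base`, the way a
// minidump region would; out-of-range reads are truncated or refused.
RemoteReader MakeDumpReader(const std::vector<unsigned char>& image, uint64_t base) {
    return [&image, base](uint64_t addr, void* buf, size_t size) -> size_t {
        if (addr < base || addr - base >= image.size()) return 0;
        size_t off = static_cast<size_t>(addr - base);
        size_t n = std::min(size, image.size() - off);
        std::memcpy(buf, image.data() + off, n);
        return n;
    };
}

// Constructed "dump" of one SomeClass(7, 3) as it sat in the crashed process.
std::vector<unsigned char> BuildFakeDump() {
    SomeClass target(7, 3);
    std::vector<unsigned char> image(sizeof(SomeClass));
    std::memcpy(image.data(), static_cast<const void*>(&target), sizeof(SomeClass));
    // In a real DMP the vtable pointer refers to the target's address space;
    // scribble it so any accidental use would be obvious rather than subtle.
    std::memset(image.data(), 0xEE, sizeof(void*));
    return image;
}

const uint64_t kRemoteBase = 0x00401000ULL;   // constructed target address

// Rehydrate and call a virtual method: 7 * 10 + 3 = 73.
int DemoRehydrate() {
    std::vector<unsigned char> image = BuildFakeDump();
    RemoteReader read = MakeDumpReader(image, kRemoteBase);
    SomeClass* obj = MakeRemoteObject<SomeClass>(read, kRemoteBase);
    int result = obj->Describe();   // resolves through the local vtable
    delete obj;
    return result;
}

// A dump that ends one byte short of the object must be rejected, not zero-filled.
bool DemoShortReadRejected() {
    std::vector<unsigned char> image = BuildFakeDump();
    image.resize(sizeof(SomeClass) - 1);
    RemoteReader read = MakeDumpReader(image, kRemoteBase);
    try {
        SomeClass* obj = MakeRemoteObject<SomeClass>(read, kRemoteBase);
        delete obj;
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

int main() {
    return (DemoRehydrate() == 73 && DemoShortReadRejected()) ? 0 : 1;
}
```

Inside a real extension the lambda would simply wrap ReadMemory. Two caveats that the hard-coded `+ 0x4` in the answer's version glosses over: the layout trick only holds when the extension is built for the same bitness as the target (a 64-bit extension rehydrating a 32-bit dump would place every field at the wrong offset), and classes with multiple or virtual inheritance carry vtable pointers at offsets other than zero, so a single skip at the front is not enough for them.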

+1

, , ETW , , . MS , Windows VS.NET.

. ​​ , ETW , . .

0

I came up with something similar, hacking the gdi tag expander for WinDbg. I used an STL container to store data in the client and needed a way to move data from the extension. I ended up implementing the hash_map parts that I needed directly on the extension side using ExtRemoteTyped, which was satisfactory, but it took me a while to figure out :o) Here is the source code.

0
source
