|
|
/*-----------------------------------------------------------------------------
Copyright (c) 2000 Microsoft Corporation
Module: exts.cpp
Sampe file showing couple of extension examples
-----------------------------------------------------------------------------*/#include "tsdbg.h"
bool IsUserDbg(){/*
// Specific types of kernel debuggees.
#define DEBUG_KERNEL_CONNECTION 0
#define DEBUG_KERNEL_LOCAL 1
#define DEBUG_KERNEL_EXDI_DRIVER 2
#define DEBUG_KERNEL_SMALL_DUMP DEBUG_DUMP_SMALL
#define DEBUG_KERNEL_DUMP DEBUG_DUMP_DEFAULT
#define DEBUG_KERNEL_FULL_DUMP DEBUG_DUMP_FULL
// Specific types of Windows user debuggees.
#define DEBUG_USER_WINDOWS_PROCESS 0
#define DEBUG_USER_WINDOWS_PROCESS_SERVER 1
#define DEBUG_USER_WINDOWS_SMALL_DUMP DEBUG_DUMP_SMALL
#define DEBUG_USER_WINDOWS_DUMP DEBUG_DUMP_DEFAULT
*/
/*
#define DEBUG_CLASS_UNINITIALIZED 0
#define DEBUG_CLASS_KERNEL 1
#define DEBUG_CLASS_USER_WINDOWS 2
*/
ULONG Class, Qualifier;
// Figure out if this is KD or NTSD piped to KD.
if (S_OK != g_ExtControl->GetDebuggeeType(&Class, &Qualifier)) { dprintf("*** GetDebuggeeType failed ***\n\n"); } if (Class == DEBUG_CLASS_USER_WINDOWS) return true; else return false;}
/*
Sample extension to demonstrace ececuting debugger command */HRESULT CALLBACK cmdsample(PDEBUG_CLIENT Client, PCSTR args){ CHAR Input[256]; INIT_API();
UNREFERENCED_PARAMETER(args);
//
// Output a 10 frame stack
//
g_ExtControl->OutputStackTrace(DEBUG_OUTCTL_ALL_CLIENTS | // Flags on what to do with output
DEBUG_OUTCTL_OVERRIDE_MASK | DEBUG_OUTCTL_NOT_LOGGED, NULL, 10, // number of frames to display
DEBUG_STACK_FUNCTION_INFO | DEBUG_STACK_COLUMN_NAMES | DEBUG_STACK_ARGUMENTS | DEBUG_STACK_FRAME_ADDRESSES); //
// Engine interface for print
//
g_ExtControl->Output(DEBUG_OUTCTL_ALL_CLIENTS, "\n\nDebugger module list\n"); //
// list all the modules by executing lm command
//
g_ExtControl->Execute(DEBUG_OUTCTL_ALL_CLIENTS | DEBUG_OUTCTL_OVERRIDE_MASK | DEBUG_OUTCTL_NOT_LOGGED, "lm", // Command to be executed
DEBUG_EXECUTE_DEFAULT ); //
// Ask for user input
//
g_ExtControl->Output(DEBUG_OUTCTL_ALL_CLIENTS, "\n\n***User Input sample\n\nEnter Command to run : "); GetInputLine(NULL, &Input[0], sizeof(Input)); g_ExtControl->Execute(DEBUG_OUTCTL_ALL_CLIENTS | DEBUG_OUTCTL_OVERRIDE_MASK | DEBUG_OUTCTL_NOT_LOGGED, Input, // Command to be executed
DEBUG_EXECUTE_DEFAULT ); EXIT_API(); return S_OK;}
/*
Sample extension to read and dump a struct on target This reads the struct _EXCEPTION_RECORD which is defined as: typedef struct _EXCEPTION_RECORD { NTSTATUS ExceptionCode; ULONG ExceptionFlags; struct _EXCEPTION_RECORD *ExceptionRecord; PVOID ExceptionAddress; ULONG NumberParameters; ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; } EXCEPTION_RECORD;*/HRESULT CALLBACK structsample(PDEBUG_CLIENT /*Client*/, PCSTR /*args*/){ /*
ULONG64 Address; INIT_API();
Address = GetExpression(args); DWORD Buffer[4], cb;
// Read and display first 4 dwords at Address
if (ReadMemory(Address, &Buffer, sizeof(Buffer), &cb) && cb == sizeof(Buffer)) { dprintf("%p: %08lx %08lx %08lx %08lx\n\n", Address, Buffer[0], Buffer[1], Buffer[2], Buffer[3]); }
//
// Method 1 to dump a struct
//
dprintf("Method 1:\n"); // Inititalze type read from the Address
if (InitTypeRead(Address, _EXCEPTION_RECORD) != 0) { dprintf("Error in reading _EXCEPTION_RECORD at %p", // Use %p to print pointer values
Address); } else { // read and dump the fields
dprintf("_EXCEPTION_RECORD @ %p\n", Address); dprintf("\tExceptionCode : %lx\n", (ULONG) ReadField(ExceptionCode)); dprintf("\tExceptionAddress : %p\n", ReadField(ExceptionAddress)); dprintf("\tExceptionInformation[1] : %I64lx\n", ReadField(ExceptionInformation[1])); // And so on...
}
//
// Method 2 to read a struct
//
ULONG64 ExceptionInformation_1, ExceptionAddress, ExceptionCode; dprintf("\n\nMethod 2:\n"); // Read and dump the fields by specifying type and address individually
if (GetFieldValue(Address, "_EXCEPTION_RECORD", "ExceptionCode", ExceptionCode)) { dprintf("Error in reading _EXCEPTION_RECORD at %p\n", Address); } else { // Pointers are read as ULONG64 values
GetFieldValue(Address, "_EXCEPTION_RECORD", "ExceptionAddress", ExceptionAddress); GetFieldValue(Address, "_EXCEPTION_RECORD", "ExceptionInformation[1]", ExceptionInformation_1); // And so on..
dprintf("_EXCEPTION_RECORD @ %p\n", Address); dprintf("\tExceptionCode : %lx\n", ExceptionCode); dprintf("\tExceptionAddress : %p\n", ExceptionAddress); dprintf("\tExceptionInformation[1] : %I64lx\n", ExceptionInformation_1); }
ULONG64 Module; ULONG i, TypeId; CHAR Name[MAX_PATH]; //
// To get/list field names
//
g_ExtSymbols->GetSymbolTypeId("_EXCEPTION_RECORD", &TypeId, &Module); dprintf("Fields of _EXCEPTION_RECORD\n"); for (i=0; ;i++) { HRESULT Hr; ULONG Offset=0;
Hr = g_ExtSymbols2->GetFieldName(Module, TypeId, i, Name, MAX_PATH, NULL); if (Hr == S_OK) { g_ExtSymbols->GetFieldOffset(Module, TypeId, Name, &Offset); dprintf("%lx (+%03lx) %s\n", i, Offset, Name); } else if (Hr == E_INVALIDARG) { // All Fields done
break; } else { dprintf("GetFieldName Failed %lx\n", Hr); break; } }
//
// Get name for an enumerate
//
// typedef enum {
// Enum1,
// Enum2,
// Enum3,
// } TEST_ENUM;
//
ULONG ValueOfEnum = 0; g_ExtSymbols->GetSymbolTypeId("TEST_ENUM", &TypeId, &Module); g_ExtSymbols2->GetConstantName(Module, TypeId, ValueOfEnum, Name, MAX_PATH, NULL); dprintf("Testenum %I64lx == %s\n", ExceptionCode, Name); // This prints out, Testenum 0 == Enum1
//
// Read an array
//
// typedef struct FOO_TYPE {
// ULONG Bar;
// ULONG Bar2;
// } FOO_TYPE;
//
// FOO_TYPE sampleArray[20];
ULONG Bar, Bar2; CHAR TypeName[100]; for (i=0; i<20; i++) { sprintf(TypeName, "sampleArray[%lx]", i); if (GetFieldValue(0, TypeName, "Bar", Bar)) break; GetFieldValue(0, TypeName, "Bar2", Bar2); dprintf("%16s - Bar %2ld Bar2 %ld\n", TypeName, Bar, Bar2); }
EXIT_API(); */ return S_OK; }
/*
This gets called (by DebugExtensionNotify whentarget is halted and is accessible*/HRESULT NotifyOnTargetAccessible(PDEBUG_CONTROL /* Control */){/*
dprintf("Extension dll detected a break"); if (Connected) { dprintf(" connected to "); switch (TargetMachine) { case IMAGE_FILE_MACHINE_I386: dprintf("X86"); break; case IMAGE_FILE_MACHINE_AMD64: dprintf("AMD64"); break; case IMAGE_FILE_MACHINE_IA64: dprintf("IA64"); break; default: dprintf("Other"); break; } } dprintf("\n"); //
// show the top frame and execute dv to dump the locals here and return
//
Control->Execute(DEBUG_OUTCTL_ALL_CLIENTS | DEBUG_OUTCTL_OVERRIDE_MASK | DEBUG_OUTCTL_NOT_LOGGED, ".frame", // Command to be executed
DEBUG_EXECUTE_DEFAULT ); Control->Execute(DEBUG_OUTCTL_ALL_CLIENTS | DEBUG_OUTCTL_OVERRIDE_MASK | DEBUG_OUTCTL_NOT_LOGGED, "dv", // Command to be executed
DEBUG_EXECUTE_DEFAULT );*/ return S_OK;}
/*
A built-in help for the extension dll*/HRESULT CALLBACK help(PDEBUG_CLIENT Client, PCSTR args){ INIT_API();
UNREFERENCED_PARAMETER(args);
dprintf("Help for tsdbg.dll\n" " qwinsta - lists winstation data structures\n" " help = Shows this help\n" // " structsample <addr> - This dumps a struct at given address\n"
//" cmdsample - This does stacktrace and lists\n"
); EXIT_API();
return S_OK;}
void PrintBuildNumber(){ ULONG64 Address; Address = GetExpression("poi(nt!ntbuildnumber)");
if (Address & 0xf0000000) { Address &= 0x0fffffff; dprintf("Build Number = %d Free\n", Address); } else if (Address & 0xc0000000) { Address &= 0x0fffffff; dprintf("Build Number = %d Chk\n", Address); } else { dprintf("Error getting Build Number!\n"); }
}
HRESULT CALLBACK qwinsta(PDEBUG_CLIENT Client, PCSTR args){ ULONG64 winstationlisthead, FLink; ULONG64 TermSrvProcPerTermDD = 0;
bool bDebugMode = false;
INIT_API();
dprintf("qwinsta 1.2\n"); if (strstr(args, "debug")) bDebugMode = true;
if (bDebugMode) { dprintf("*** in debug mode *** \n"); }
if (bDebugMode) dprintf("IsUserDebugger = %s\n", (IsUserDbg() ? "true" : "false"));
dprintf("----------------------------------------------------------------------------------------------------\n"); //
// Find Termsrv proccess id.
//
if (!IsUserDbg()) { TermSrvProcPerTermDD = GetExpression("poi(termdd!g_TermServProcessID)"); dprintf("termsrv process = %p \n", TermSrvProcPerTermDD);
if (!TermSrvProcPerTermDD) { dprintf("ERROR:tsdbg failed to retrive the value for termdd!g_TermServProcessID\n"); dprintf("please make sure that the symbols are alright\n"); goto doneError; } ULONG64 ImpliciteProcess; g_ExtSysObjects2->GetImplicitProcessDataOffset(&ImpliciteProcess); dprintf("Implicit Process = %p \n", ImpliciteProcess);
ULONG64 CurrentProcess; g_ExtSysObjects2->GetCurrentProcessDataOffset(&CurrentProcess); dprintf("current Process = %p \n", CurrentProcess);
if (ImpliciteProcess != TermSrvProcPerTermDD) { dprintf("ERROR:tsdbg for this command to work current implicite process must be termsrv.\n"); dprintf("please do .process /p %p and then try again.\n", TermSrvProcPerTermDD); goto doneError; } }
//
// get active console session id.
//
LONG ActiveConsoleId = STATUS_UNSUCCESSFUL; if (GetFieldValue((ULONG64) MM_SHARED_USER_DATA_VA, "termsrv!KUSER_SHARED_DATA", "ActiveConsoleId", ActiveConsoleId)) ActiveConsoleId = STATUS_UNSUCCESSFUL; dprintf("ActiveConsoleId = %d \n", ActiveConsoleId);
//
// winstation list head.
//
winstationlisthead = GetExpression("termsrv!winstationlisthead"); if (!winstationlisthead) { dprintf("ERROR:tsdbg failed to retrive the value for termsrv!winstationlisthead\n"); dprintf("please make sure that the symbols are alright\n"); goto doneError; }
dprintf("winstationlisthead = %p \n", winstationlisthead);
if (GetFieldValue(winstationlisthead, "termsrv!LIST_ENTRY", "Flink", FLink)) { dprintf("failed to get winstationlisthead.flink\n\n"); goto doneError; }
UINT uiWinstations = 0;
//
// print winstation list.
//
dprintf("----------------------------------------------------------------------------------------------------\n"); dprintf("%8s", "Winsta"); dprintf(" "); dprintf("%7s", "LogonId"); dprintf(" "); dprintf("%-10s", "Name"); dprintf(" "); dprintf("%-22s", "State"); dprintf(" "); dprintf("%8s", "Flags"); dprintf(" "); dprintf("%8s", "SFlags"); dprintf(" "); dprintf("%-10s", "Starting"); dprintf(" "); dprintf("%-10s", "Terminating"); dprintf("\n"); while (winstationlisthead != FLink && uiWinstations < 500) { if (CheckControlC()) goto doneError;
uiWinstations++; ULONG ret = 0;
ULONG LogonId, State, Flags, StateFlags; WCHAR WinStationName[33]; UCHAR Starting, Terminating;
// InitTypeRead(FLink, Type)
ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "LogonId", LogonId); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "WinStationName", WinStationName); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "State", State); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "Flags", Flags); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "Starting", Starting); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "LogonId", LogonId); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "Terminating", Terminating); ret += GetFieldValue(FLink, "termsrv!_WINSTATION", "StateFlags", StateFlags);
//
// get string value for the enum _WINSTATIONSTATECLASS.
//
ULONG64 Module; ULONG TypeId; char StateName[MAX_PATH]; g_ExtSymbols->GetSymbolTypeId("_WINSTATIONSTATECLASS", &TypeId, &Module); g_ExtSymbols2->GetConstantName(Module, TypeId, State, StateName, MAX_PATH, NULL);
if (ret) { dprintf("failed to get winstationlisthead.flink\n\n"); goto doneError; }
dprintf("%p", FLink); dprintf(" "); dprintf("%#7x", LogonId); dprintf(" "); dprintf("%-10S", WinStationName); dprintf(" "); dprintf("%1x:%-20s", State, StateName); dprintf(" "); dprintf("%08x", Flags); dprintf(" "); dprintf("%08x", StateFlags); dprintf(" "); dprintf("%-10s", (Starting ? "True" : "False")); dprintf(" "); dprintf("%-10s", (Terminating ? "True" : "False")); dprintf("\n"); //dprintf("%10p %7d %-10S %5d:%-20s %5d %10d %-8s %-11s\n", FLink, LogonId, WinStationName, State, StateName, Flags, StateFlags, (Starting ? "true" : "false"), (Terminating ? "true" : "false"));
if (GetFieldValue(FLink, "termsrv!LIST_ENTRY", "Flink", FLink)) { dprintf("failed to get winstationlisthead.flink\n\n"); goto doneError; }
} dprintf("----------------------------------------------------------------------------------------------------\n"); // dprintf("Total Winstations = %d\n", uiWinstations);
doneError:
EXIT_API(); return S_OK;}
|
