|
|
#include "windows.h"
#include "sxstypes.h"
#define KDEXT_64BIT
#include "wdbgexts.h"
#include "fusiondbgext.h"
#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_RELEASE_ON_DEACTIVATION (0x00000001)
#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NO_DEACTIVATE (0x00000002)
#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_ON_FREE_LIST (0x00000004)
#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_HEAP_ALLOCATED (0x00000008)
BOOL DumpActivationContextStackFrame( PCSTR pcsLineHeader, ULONG64 ulStackFrameAddress, ULONG ulDepth, DWORD dwFlags ) {
ULONG64 ulPreviousPtr = 0; ULONG64 ulActivationContextPointer = 0; ULONG ulFrameFlags = 0;
if (!pcsLineHeader) pcsLineHeader = "";
GetFieldValue(ulStackFrameAddress, "nt!_RTL_ACTIVATION_CONTEXT_STACK_FRAME", "Previous", ulPreviousPtr); GetFieldValue(ulStackFrameAddress, "nt!_RTL_ACTIVATION_CONTEXT_STACK_FRAME", "ActivationContext", ulActivationContextPointer); GetFieldValue(ulStackFrameAddress, "nt!_RTL_ACTIVATION_CONTEXT_STACK_FRAME", "Flags", ulFrameFlags);
dprintf( "%sActivation stack frame @ 0x%p (depth %ld):\n" "%s Previous : 0x%p\n" "%s ActivationContext : 0x%p\n" "%s Flags : 0x%08lx ", pcsLineHeader, ulStackFrameAddress, ulDepth, pcsLineHeader, ulPreviousPtr, pcsLineHeader, ulActivationContextPointer, pcsLineHeader, ulFrameFlags);
if (ulFrameFlags != 0) { dprintf("("); if (ulFrameFlags & RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_RELEASE_ON_DEACTIVATION) dprintf("ReleaseOnDeactivate ");
if (ulFrameFlags & RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NO_DEACTIVATE) dprintf("NoDeactivate ");
if (ulFrameFlags & RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_ON_FREE_LIST) dprintf("OnFreeList");
if (ulFrameFlags & RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_HEAP_ALLOCATED) dprintf("HeapAllocated ");
dprintf(")"); } dprintf ("\n");
return 0;
}
BOOL DumpActCtxStackFullStack( ULONG64 ulFirstStackFramePointer ) { ULONG ulDepth = 0; ULONG64 ulStackFramePtr = ulFirstStackFramePointer;
while (ulStackFramePtr) { DumpActivationContextStackFrame(" ", ulStackFramePtr, ulDepth++, 0xffff); GetFieldValue(ulStackFramePtr, "nt!_RTL_ACTIVATION_CONTEXT_STACK_FRAME", "Previous", ulStackFramePtr); if (CheckControlC() || (ulStackFramePtr == 0)) break; }
return TRUE; }
BOOL DumpActCtxData( PCSTR LineHeader, const ULONG64 ActCtxDataAddressInDebugeeSpace, ULONG ulFlags ) { //
// ACTIVATION_CONTEXT_DATA is a self-referential type, so dumping it is
// easy once it's all in memory.
//
ACTIVATION_CONTEXT_DATA ActData; BYTE *pbActualData = NULL; BOOL fOk = FALSE; ULONG cbRead = 0;
if (!LineHeader) LineHeader = "";
if (!ReadMemory(ActCtxDataAddressInDebugeeSpace, &ActData, sizeof(ActData), &cbRead) || (cbRead != sizeof(ActData))) { dprintf( "%sFailed reading ACTIVATION_CONTEXT_DATA @ %p , or wrong kind of block is there.\n", LineHeader, ActCtxDataAddressInDebugeeSpace); goto Exit; }
//
// Let's create a blob of memory that can hold the whole thing, then
//
pbActualData = new BYTE[ActData.TotalSize]; if (!pbActualData) { dprintf( "%sUnable to allocate %d bytes to store activation context data\n", LineHeader, ActData.TotalSize); goto Exit; }
//
// And re-read from the debugee
//
if (!ReadMemory(ActCtxDataAddressInDebugeeSpace, pbActualData, ActData.TotalSize, &cbRead) || (cbRead != ActData.TotalSize)) { dprintf( "%sUnable to read in %d bytes from %p as an activation context object?\n", LineHeader, ActData.TotalSize, ActCtxDataAddressInDebugeeSpace); goto Exit; }
DbgExtPrintActivationContextData( (ulFlags & DUMPACTCTXDATA_FLAG_FULL) == DUMPACTCTXDATA_FLAG_FULL, (PCACTIVATION_CONTEXT_DATA)pbActualData, L" " );
fOk = TRUE; Exit: if (pbActualData) delete[] pbActualData;
return fOk;
}
BOOL DumpActCtx( const ULONG64 ActCtxAddressInDebugeeSpace, ULONG ulFlags ) { ULONG64 ActCtxAddr = ActCtxAddressInDebugeeSpace; ULONG64 ulSymbolOffset = 0; PRIVATE_ACTIVATION_CONTEXT prvContextFilled = { 0 }; CHAR NotificationSymbol[1024] = { 0 }; BOOL fOk = FALSE; int i = 0;
#define GET_FIELD(a, fn, dst) { GetFieldData((a), "nt!_ACTIVATION_CONTEXT", #fn, sizeof((dst).##fn), (PVOID)&((dst).##fn)); }
GET_FIELD(ActCtxAddr, Flags, prvContextFilled); GET_FIELD(ActCtxAddr, RefCount, prvContextFilled); GET_FIELD(ActCtxAddr, ActivationContextData, prvContextFilled); GET_FIELD(ActCtxAddr, NotificationRoutine, prvContextFilled); GET_FIELD(ActCtxAddr, NotificationContext, prvContextFilled); // GET_FIELD(ActCtxAddr, SentNotifications, prvContextFilled);
// GET_FIELD(ActCtxAddr, DisabledNotifications, prvContextFilled);
// GET_FIELD(ActCtxAddr, StorageMap, prvContextFilled);
// GET_FIELD(ActCtxAddr, InlineStorageMapEntries, prvContextFilled);
#undef GET_FIELD
dprintf( "Activation context structure @ 0x%p\n" " RefCount %d\n" " Flags 0x%08x\n" " ActivationContextData 0x%p\n", ActCtxAddressInDebugeeSpace, (LONG)prvContextFilled.RefCount, (ULONG)prvContextFilled.Flags, (PVOID)prvContextFilled.ActivationContextData);
if (ulFlags & DUMPACTCTX_DATA) { // if (!DumpActCtxData(" ", (ULONG64)prvContextFilled.ActivationContextData, ulFlags))
// goto Exit;
DumpActCtxData(" ", (ULONG64)prvContextFilled.ActivationContextData, ulFlags); }
//
// This icky gunk is to print out a symbol name properly...
//
dprintf(" NotificationRoutine 0x%p ", prvContextFilled.NotificationRoutine); GetSymbol((ULONG64)prvContextFilled.NotificationRoutine, NotificationSymbol, &ulSymbolOffset); if (strlen(NotificationSymbol)) { dprintf("(%s" , NotificationSymbol); if (ulSymbolOffset) dprintf("+0x%p", ulSymbolOffset); dprintf(")"); } dprintf("\n");
dprintf(" NotificationContext 0x%p\n", prvContextFilled.NotificationContext);
dprintf(" SentNotifications ["); for (i = 0; i < NUMBER_OF(prvContextFilled.SentNotifications); i++) { if (i) dprintf(" "); dprintf("%d", prvContextFilled.SentNotifications[i]); } dprintf("]\n");
dprintf(" DisabledNotifications ["); for (i = 0; i < NUMBER_OF(prvContextFilled.DisabledNotifications); i++) { if (i) dprintf(" "); dprintf("%d", prvContextFilled.DisabledNotifications[i]); } dprintf("]\n");
{ ULONG ulFlags, ulCount; ULONG64 ulMapAddress;
GetFieldValue(ActCtxAddressInDebugeeSpace, "_ACTIVATION_CONTEXT", "StorageMap.Flags", ulFlags); GetFieldValue(ActCtxAddressInDebugeeSpace, "_ACTIVATION_CONTEXT", "StorageMap.AssemblyCount", ulCount); GetFieldValue(ActCtxAddressInDebugeeSpace, "_ACTIVATION_CONTEXT", "StorageMap.AssemblyArray", ulMapAddress); dprintf( " StorageMap (Flags = 0x%08lx Count = %d MapArray = %p)\n", ulFlags, ulCount, ulMapAddress); }
fOk = TRUE;
return fOk; }
BOOL GetActiveActivationContextData( PULONG64 pulActiveActCtx ) { ULONG64 ulTebAddress = 0, ulPebAddress = 0; ULONG64 ulTebActiveFrameAddress = 0; //
// The algorithm is like this:
// - Look at Teb.ActivationContextStack.ActiveFrame.ActivationContext. If this is
// nonzero, stop looking.
// - Now look at the process default activation context in Peb.ActivationContextData.
// If this is nonzero, stop looking.
// - Look at the system default act ctx data, in Peb.SystemDefaultActivationContextData
// If this is nonzero, stop looking.
// - Didn't find any active activation context data? Fooey.
//
*pulActiveActCtx = 0;
GetTebAddress(&ulTebAddress); GetPebAddress(0, &ulPebAddress);
if (ulTebAddress != NULL) { // Look at the active stack frame in the teb
GetFieldValue(ulTebAddress, "nt!TEB", "ActivationContextStack.ActiveFrame", ulTebActiveFrameAddress); if (ulTebActiveFrameAddress) { ULONG64 ulActivationContextFrame;
// Get the pointer to the active activation context itself
GetFieldValue( ulTebActiveFrameAddress, "nt!_RTL_ACTIVATION_CONTEXT_STACK_FRAME", "ActivationContext", ulActivationContextFrame); // If that was valid, then ask for the pointer to the activation context data
if (ulActivationContextFrame) { GetFieldValue( ulActivationContextFrame, "nt!ACTIVATION_CONTEXT", "ActivationContextData", *pulActiveActCtx); return TRUE; } // Is this really requesting the process default?
else if (ulActivationContextFrame == NULL) { // Then get it and return
GetFieldValue(ulPebAddress, "nt!PEB", "ActivationContextData", *pulActiveActCtx); return TRUE; } } }
//
// Still nothing, so go look at the process default directly
//
GetFieldValue(ulPebAddress, "nt!PEB", "ActivationContextData", *pulActiveActCtx); if (*pulActiveActCtx) { return TRUE; }
//
// Otherwise...
//
GetFieldValue(ulPebAddress, "nt!PEB", "SystemDefaultActivationContextData", *pulActiveActCtx); return (*pulActiveActCtx ? TRUE : FALSE);
}
|