script is runnig too slow

can some one check this out on a simple msgbox

i was trying to script out the argtochild to windbg command window ala
olllydbg style for an undefined function using a script but it was
taking too much time to deliver its output

so i made a prototype script for MessageBoxA function but this too
takes very long to finish
though the results are fine

in ollydbg you can see stack like this

CPU Stack
Comments
; /RETURN from user32.MessageBoxA to keymod.00401142
; |hOwner = 000C0374, class = SimpleWinClass, text = Our First Window
; |Text = “.foreach slash f (Arg2Child scriptresults temp.txt ){.if (
$t0 == 1 ){ dps @esp l1;r $t0 = $t0+1; }.elsif( $t0 == 2 ){ !hwnd
Arg2Child ;r $t0 = $t0+1; }.elsif( $t0 == 3 ){ da /c 100 Arg2Child;r
$t0 = $t0+1; }.elsif( $t0 == 4 ){ da /c 100 Ar”…
; |Caption = “This Is a Test Message Box For Windbg Script Evaluation”
; \Type = MB_YESNO|MB_ICONASTERISK|MB_DEFBUTTON1|MB_APPLMODAL

the script i used in windbg is like this
.foreach /pS 1 (place {dd /c 8 esp l5}) { .shell -ci “.echo place”
cat - >> scriptresults\temp.txt }
r $t0 = 1;
.foreach /f (Arg2Child “scriptresults\temp.txt”){ .if ( $t0 == 1 ){
dps @esp l1;r $t0 = $t0+1; }.elsif( $t0 == 2 ){ .load
sdbgext.dll;!hwnd Arg2Child ;r $t0 = $t0+1; }.elsif( $t0 == 3 ){ da /c
100 Arg2Child;r $t0 = $t0+1; }.elsif( $t0 == 4 ){ da /c 100
Arg2Child;r $t0 = $t0+1; }.elsif( $t0 == 5 ) {r $t1 = Arg2Child ;.if (
$t1 AND 44) { .echo MB_ICONEXCLAMATION | MB_YESNO} } }
.shell -x del scriptresults\temp.txt

the results are as follows

0:000> bl
0 e 7e4507ea 0001 (0001) 0:**** user32!MessageBoxA
0:000> dd esp l5
0013fdf4 00401142 0019022a 00403058 00403020
0013fe04 00000044
0:000> ln eip
(7e4507ea) user32!MessageBoxA | (7e450838) user32!MessageBoxExW
Exact matches:
user32!MessageBoxA =
0:000> $$>a< scripts\msgbstk.txt
.shell: Process exited
.shell: Process exited
.shell: Process exited
.shell: Process exited
.shell: Process exited
0013fdf4 00401142 image00400000+0x1142
Window 0019022a
Name Our First Window
Class SimpleWinClass
WndProc 00000000
Style WS_OVERLAPPED
ExStyle WS_EX_WINDOWEDGE WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR
HInstance 00400000
ParentWnd 00000000
Id 00000000
UserData 00000000
Unicode FALSE
ThreadId 00000a88
ProcessId 0000095c
00403058 “.foreach slash f (Arg2Child scriptresults temp.txt ){.if (
$t0 == 1 ){ dps @esp l1;r $t0 = $t0+1; }.elsif( $t0 == 2 ){ !hwnd
Arg2Child ;r $t0 = $t0+1; }.elsif( $t0 == 3 ){ da /c 100 Arg2Child;r
$t0 = $t0+1; }.elsif( $t0 == 4 ){ da /c 100 Arg2Child;r $t0”
00403158 " = $t0+1; }.elsif( $t0 == 5 ) {r $t1 = Arg2Child ;.if ( $t1
AND 44) { .echo MB_ICONEXCLAMATION | MB_YESNO} } }"
00403020 “This Is a Test Message Box For Windbg Script Evaluation”
MB_ICONEXCLAMATION | MB_YESNO
0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=64d2c1e8 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0013fea8 ebp=0013ffa4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret
0:000> g
^ No runnable debuggees error in ‘g’

but it is taking too long can some one hint why it is taking too long
if at all and what i can do to reduce its processing time

–
thanks and regards

raj_r

No Takers yet

anyway since script is taking too long i thought let me try writing an extension and see how it goes

i start with wdbgexts style extension

yes i read that dbgeng and engext are more powerful
yes i may try using them later not now

so i took the simpleext sample in windbg sdk and started modifying it

my exts.c contains so much now

#include “simple.h”
#include “malloc.h”

DECLARE_API( symstack ){

ULONG64 instptr,stkptr;
PCHAR Remainder = (PUCHAR) calloc(100,sizeof(PUCHAR));
PULONG64 pDisp = (PULONG64) calloc(100,sizeof(PULONG64));

instptr = GetExpression(“@eip”);
stkptr = GetExpression(“@esp”);
dprintf(“Eip is %I64X And Stack Pointer is %I64X\n”,instptr,stkptr);
GetSymbol(instptr,Remainder,pDisp);
dprintf(“Printing Buffer And Displacement %s \t %I64X \n”,Remainder,*pDisp);
free(Remainder);
free(pDisp);
}

DECLARE_API ( help ) {
dprintf(“usage !symstack\n”);
}

it seems to work
prints the follwing results

0:000> .load symstack.dll ; !symstack ; .unload symstack.dll
Eip is 7E4507F6 And Stack Pointer is 13FDF0
Printing Buffer And Displacement user32!MessageBoxA C
Unloading symstack.dll extension DLL

0:000> ? user32!MessageBoxA + 0xc
Evaluate expression: 2118453238 = 7e4507f6

0:000> ? eip
Evaluate expression: 2118453238 = 7e4507f6

0:000> ? esp
Evaluate expression: 1310192 = 0013fdf0

now my generic questions

1. is malloc / calloc / virtualalloc /virtualallocex / heapalloc/ localalloc /globalalloc and friends usable in extensions

2. if i alloc space how do i know iam allocating enough space ??

3. is there some mechanism like we call functions with 0 long buffer
   check return for required buff length and recall with buffer ??

Basic problem with using wdbg style extension - fewer people to answer
questions about them.

Mm
On Aug 30, 2011 2:19 AM, wrote:
> No Takers yet
>
> anyway since script is taking too long i thought let me try writing an
extension and see how it goes
>
> i start with wdbgexts style extension
>
> yes i read that dbgeng and engext are more powerful
> yes i may try using them later not now
>
> so i took the simpleext sample in windbg sdk and started modifying it
>
> my exts.c contains so much now
>
> #include “simple.h”
> #include “malloc.h”
>
> DECLARE_API( symstack ){
>
> ULONG64 instptr,stkptr;
> PCHAR Remainder = (PUCHAR) calloc(100,sizeof(PUCHAR));
> PULONG64 pDisp = (PULONG64) calloc(100,sizeof(PULONG64));
>
>
> instptr = GetExpression(“@eip”);
> stkptr = GetExpression(“@esp”);
> dprintf(“Eip is %I64X And Stack Pointer is %I64X\n”,instptr,stkptr);
> GetSymbol(instptr,Remainder,pDisp);
> dprintf(“Printing Buffer And Displacement %s \t %I64X
\n”,Remainder,*pDisp);
> free(Remainder);
> free(pDisp);
> }
>
> DECLARE_API ( help ) {
> dprintf(“usage !symstack\n”);
> }
>
>
> it seems to work
> prints the follwing results
>
> 0:000> .load symstack.dll ; !symstack ; .unload symstack.dll
> Eip is 7E4507F6 And Stack Pointer is 13FDF0
> Printing Buffer And Displacement user32!MessageBoxA C
> Unloading symstack.dll extension DLL
>
> 0:000> ? user32!MessageBoxA + 0xc
> Evaluate expression: 2118453238 = 7e4507f6
>
> 0:000> ? eip
> Evaluate expression: 2118453238 = 7e4507f6
>
> 0:000> ? esp
> Evaluate expression: 1310192 = 0013fdf0
>
>
> now my generic questions
>
> 1) is malloc / calloc / virtualalloc /virtualallocex / heapalloc/
localalloc /globalalloc and friends usable in extensions
>
> 2) if i alloc space how do i know iam allocating enough space ??
>
> 3) is there some mechanism like we call functions with 0 long buffer
> check return for required buff length and recall with buffer ??
>
>
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Taking a brief step back, I’d use the modern IDebugClient based extension API here when starting out, preferably with the aid of engextcpp. You’ll save a fair amount of time way in general and the new API is generally more powerful.

Yes, the usual CRT and Win32 APIs are available from a debugger extension.

• S

-----Original Message-----
From: xxxxx@gmail.com
Sent: Monday, August 29, 2011 23:19
To: Kernel Debugging Interest List
Subject: RE:[windbg] script is runnig too slow

No Takers yet

anyway since script is taking too long i thought let me try writing an extension and see how it goes

i start with wdbgexts style extension

yes i read that dbgeng and engext are more powerful
yes i may try using them later not now

so i took the simpleext sample in windbg sdk and started modifying it

my exts.c contains so much now

#include “simple.h”
#include “malloc.h”

DECLARE_API( symstack ){

ULONG64 instptr,stkptr;
PCHAR Remainder = (PUCHAR) calloc(100,sizeof(PUCHAR));
PULONG64 pDisp = (PULONG64) calloc(100,sizeof(PULONG64));

instptr = GetExpression(“@eip”);
stkptr = GetExpression(“@esp”);
dprintf(“Eip is %I64X And Stack Pointer is %I64X\n”,instptr,stkptr);
GetSymbol(instptr,Remainder,pDisp);
dprintf(“Printing Buffer And Displacement %s \t %I64X \n”,Remainder,*pDisp);
free(Remainder);
free(pDisp);
}

DECLARE_API ( help ) {
dprintf(“usage !symstack\n”);
}

it seems to work
prints the follwing results

0:000> .load symstack.dll ; !symstack ; .unload symstack.dll
Eip is 7E4507F6 And Stack Pointer is 13FDF0
Printing Buffer And Displacement user32!MessageBoxA C
Unloading symstack.dll extension DLL

0:000> ? user32!MessageBoxA + 0xc
Evaluate expression: 2118453238 = 7e4507f6

0:000> ? eip
Evaluate expression: 2118453238 = 7e4507f6

0:000> ? esp
Evaluate expression: 1310192 = 0013fdf0

now my generic questions

1. is malloc / calloc / virtualalloc /virtualallocex / heapalloc/ localalloc /globalalloc and friends usable in extensions

2. if i alloc space how do i know iam allocating enough space ??

3. is there some mechanism like we call functions with 0 long buffer
   check return for required buff length and recall with buffer ??

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I remembered reading somewhere that you cant call dbghelp functions
from Extensions

So I Asked if we can use crt and win32 apis
Thanks For Confirming Ken

stepping back and doing IDebug Whatever:: = s_ok looks like lot
better option

the sooner i start should yield better results i think coz wdbgexts
looks like it doesnt even touch the tip of iceberg that dbgeng holds
beneath the surface

anyway i wrote some simple code and tested it and the results appear in a jiffy
only the script is taking forever to complete

ill post below the code and results for the sake of completeness

//#define PRINTCRAP
#include “simple.h”
#include “malloc.h”
#include “stdio.h”
#include “windows.h”

PCHAR SplitFlags(ULONG64 Flags);

DECLARE_API( symstack ){

ULONG64 instptr,stkptr[0x11] = {0};
ULONG64 ptrstkptr[0x11] = {0};
ULONG lpCbReadBytes = {0};

PCHAR Remainder = (PCHAR) calloc(0x100,sizeof(PCHAR));
PCHAR Freebuff;

#ifdef PRINTCRAP
sprintf_s(Remainder,0x95,“This buffer is Allocated for symname\n”);
dprintf(“**************\nBuffer Address is %p and contains
%s**************\n”,Remainder,&Remainder);
#endif

PULONG64 pDisp = (PULONG64) calloc(0x100,sizeof(PULONG64));

#ifdef PRINTCRAP
sprintf_s((PCHAR)pDisp,0x95,“This buffer is Allocated for Displacement\n”);
dprintf(“**************\nBuffer Address is %p and contains
%s**************\n”,pDisp,&pDisp);
#endif

instptr = GetExpression(“@eip”);
GetSymbol(instptr,Remainder,pDisp);

#ifdef PRINTCRAP
dprintf(“**************\nAddress\t%x\tContents\t%s\n”,(ULONG)Remainder,Remainder);
dprintf(“Address\t%x\tContents\t%x\n***************\n”,(ULONG)pDisp,*pDisp);
#endif

dprintf(“Eip Is %08I64X\tPoints At %s+%x\n”,instptr,Remainder,*pDisp);

stkptr[0] = GetExpression(“@esp+(4*0)”);
ptrstkptr[0] = GetExpression(“poi(@esp+(4*0))”);
GetSymbol(ptrstkptr[0],Remainder,pDisp);
dprintf( “esp+00\t%08I64X\t%08I64X\tReturn to
%s+%x\n”,stkptr[0],ptrstkptr[0],Remainder,*pDisp);

stkptr[1] = GetExpression(“@esp+(4*1)”);
ptrstkptr[1] = GetExpression(“poi(@esp+(4*1))”);
GetClassName((HWND)ptrstkptr[1],Remainder,0x40);
dprintf( “esp+04\t%08I64X\t%08I64X\t%s\n”,stkptr[1],ptrstkptr[1],Remainder);

stkptr[2] = GetExpression(“@esp+(4*2)”);
ptrstkptr[2] = GetExpression(“poi(@esp+(4*2))”);
if (ReadMemory(ptrstkptr[2],Remainder,0x40,&lpCbReadBytes)) {
dprintf( “esp+08\t%08I64X\t%08I64X\tText=\t\t%s\n”,stkptr[2],ptrstkptr[2],Remainder);
} else {
dprintf(“ReadMemory @ %08I64X Failed\n”,ptrstkptr[2]);
}

stkptr[3] = GetExpression(“@esp+(4*3)”);
ptrstkptr[3] = GetExpression(“poi(@esp+(4*3))”);
if(ReadMemory(ptrstkptr[3],Remainder,0x40,&lpCbReadBytes)){
dprintf( “esp+0C\t%08I64X\t%08I64X\tCaption=\t%s\n”,stkptr[3],ptrstkptr[3],Remainder);
} else {
dprintf(“ReadMemory @ %08I64X Failed\n”,ptrstkptr[3]);
}

stkptr[4] = GetExpression(“@esp+(4*4)”);
ptrstkptr[4] = GetExpression(“poi(@esp+(4*4))”);
if(ReadMemory(stkptr[4],Remainder,0x40,&lpCbReadBytes)){
Freebuff = SplitFlags(ptrstkptr[4]);
dprintf( “esp+10\t%08I64X\t%08I64X\tFlags=\t%s\n”,stkptr[4],ptrstkptr[4],Freebuff);
} else {
dprintf(“ReadMemory @ %08I64X Failed\n”,ptrstkptr[4]);
}
free(Remainder);
free(pDisp);
free(Freebuff);
}

PCHAR SplitFlags(ULONG64 Flags) {

PCHAR Buff = (PCHAR) calloc(0x100,sizeof(PCHAR));
if (Buff == NULL) {
return NULL;
}

#ifdef PRINTCRAP
dprintf(“SplitFlags called Buffer Alloted =%p\n”,Buff);
sprintf_s(Buff,0x95,“This buffer is Allocated for symname\n”);
dprintf(“Buffer Address is %p and contains %s\n”,Buff,&Buff);
#endif
if (Flags & 0x40) {
strcpy_s(Buff,0x95,“MB_YESNO|”);
if(Flags & 0x4) {
strcat_s(Buff,0x95,“MB_ICONEXCLAMATION”);
}
}
#ifdef PRINTCRAP
dprintf(" returning Buffer Contents %s\n",Buff);
#endif
return Buff;
}

DECLARE_API ( help ) {
dprintf(“usage !symstack\n”);
}

built with Build -czMg on w2k8 serv env

results like

0:000> .load symstack.dll ;!symstack ; .unload symstack.dll
Eip Is 7E4507EA Points At user32!MessageBoxA+0
esp+00 0013FDF4 00401142 Return to image00400000+1142
esp+04 0013FDF8 000A020C SimpleWinClass
esp+08 0013FDFC 00403058 Text= .foreach slash f (Arg2Child
scriptresults temp.txt ){.if ( $t0
esp+0C 0013FE00 00403020 Caption= This Is a Test Message Box For
Windbg Script Evaluation
esp+10 0013FE04 00000044 Flags= MB_YESNO|MB_ICONEXCLAMATION
Unloading symstack.dll extension DLL

On 8/30/11, Skywing wrote:
> Taking a brief step back, I’d use the modern IDebugClient based extension
> API here when starting out, preferably with the aid of engextcpp. You’ll
> save a fair amount of time way in general and the new API is generally more
> powerful.
>
> Yes, the usual CRT and Win32 APIs are available from a debugger extension.
>
> - S
>
> -----Original Message-----
> From: xxxxx@gmail.com
> Sent: Monday, August 29, 2011 23:19
> To: Kernel Debugging Interest List
> Subject: RE:[windbg] script is runnig too slow
>
>
> No Takers yet
>
> anyway since script is taking too long i thought let me try writing an
> extension and see how it goes
>
> i start with wdbgexts style extension
>
> yes i read that dbgeng and engext are more powerful
> yes i may try using them later not now
>
> so i took the simpleext sample in windbg sdk and started modifying it
>
> my exts.c contains so much now
>
> #include “simple.h”
> #include “malloc.h”
>
> DECLARE_API( symstack ){
>
> ULONG64 instptr,stkptr;
> PCHAR Remainder = (PUCHAR)
> calloc(100,sizeof(PUCHAR));
> PULONG64 pDisp = (PULONG64)
> calloc(100,sizeof(PULONG64));
>
>
> instptr = GetExpression(“@eip”);
> stkptr = GetExpression(“@esp”);
> dprintf(“Eip is %I64X And Stack Pointer is %I64X\n”,instptr,stkptr);
> GetSymbol(instptr,Remainder,pDisp);
> dprintf(“Printing Buffer And Displacement %s \t %I64X
> \n”,Remainder,*pDisp);
> free(Remainder);
> free(pDisp);
> }
>
> DECLARE_API ( help ) {
> dprintf(“usage !symstack\n”);
> }
>
>
> it seems to work
> prints the follwing results
>
> 0:000> .load symstack.dll ; !symstack ; .unload symstack.dll
> Eip is 7E4507F6 And Stack Pointer is 13FDF0
> Printing Buffer And Displacement user32!MessageBoxA C
> Unloading symstack.dll extension DLL
>
> 0:000> ? user32!MessageBoxA + 0xc
> Evaluate expression: 2118453238 = 7e4507f6
>
> 0:000> ? eip
> Evaluate expression: 2118453238 = 7e4507f6
>
> 0:000> ? esp
> Evaluate expression: 1310192 = 0013fdf0
>
>
> now my generic questions
>
> 1) is malloc / calloc / virtualalloc /virtualallocex / heapalloc/ localalloc
> /globalalloc and friends usable in extensions
>
> 2) if i alloc space how do i know iam allocating enough space ??
>
> 3) is there some mechanism like we call functions with 0 long buffer
> check return for required buff length and recall with buffer ??
>
>
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

“I remembered reading somewhere that you cant call dbghelp functions from Extensions”

That is not true. I use SymGetTypeInfo and SymSearch in my extension because I couldn’t find an alternative in the COM api.

Just because something appears to work does not make it reliable or recommended (especially when the docs explicitly say not to do that). For example accessing data without proper locking may ‘appear’ to work but you’ll get burned eventually.

Regarding type info navigation, look at IDebugAdvanced::Request(…DEBUG_REQUEST_EXT_TYPED_DATA_ANSI). Or better yet, use engextcpp’s wrappers.

• S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@mcafee.com
Sent: Tuesday, August 30, 2011 2:47 PM
To: Kernel Debugging Interest List
Subject: RE:[windbg] script is runnig too slow

“I remembered reading somewhere that you cant call dbghelp functions from Extensions”

That is not true. I use SymGetTypeInfo and SymSearch in my extension because I couldn’t find an alternative in the COM api.

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

On 8/31/11, xxxxx@mcafee.com wrote:
> “I remembered reading somewhere that you cant call dbghelp functions from
> Extensions”
>
>
> That is not true. I use SymGetTypeInfo and SymSearch in my extension
> because I couldn’t find an alternative in the COM api.

i remembered right what not to do not what can be done

http://msdn.microsoft.com/en-us/library/ff561492(VS.85).aspx

read the Note in that link

it says using either dbghelp or Imagehlp Functions in Extension can
cause "VARIETY" of PROBLEMS**

i am trying to keep all my extension writing shenanigans in one thread
so sorry for awakening this thread

so how does one send a Dml Command

EXT_COMMAND(foo,“”,“”)
{
Dml( “ HELLO BABY”);
}

if i dont escape %s\n it doesnt compile
if i escape windbg growls barks and spits

0:000> .load extcpp.dll ; !symst ; .unload extcpp.dll
HELLO BABYUnloading extcpp.dll extension DLL
0:000> .printf ?M???8

^ Quotes required in '.printf ?M???8 ’
0:000> .printf ?M???8

it doesnt seem to take "
it doent seem to take \0x22

any bright hackdeas

On 8/31/11, raj_r wrote:
> On 8/31/11, xxxxx@mcafee.com
> wrote:
>> “I remembered reading somewhere that you cant call dbghelp functions from
>> Extensions”
>>
>>
>> That is not true. I use SymGetTypeInfo and SymSearch in my extension
>> because I couldn’t find an alternative in the COM api.
>
> i remembered right what not to do not what can be done
>
> http://msdn.microsoft.com/en-us/library/ff561492(VS.85).aspx
>
> read the Note in that link
>
> it says using either dbghelp or Imagehlp Functions in Extension can
> cause "VARIETY" of PROBLEMS**
>

–
thanks and regards

raj_r

EXT_COMMAND(foo,“”,“”)
{
Dml( “HELLO
BABY\n\n\n\n”);
Dml( “ HELLO BABA\n”);
}

and both links in windbg now outputs Hello Baba

but in status bar (lower most below cmd window bar)

i can see .printf /D and .echo Hello baba

output copy pasted

alternate clicks on hello baby and hello baba

0:000> .load extcpp.dll ; !foo ; .unload extcpp.dll
HELLO BABY

HELLO BABA
Unloading extcpp.dll extension DLL
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba
0:000> .echo Hello Baba
Hello Baba

On 9/7/11, raj_r wrote:
> i am trying to keep all my extension writing shenanigans in one thread
> so sorry for awakening this thread
>
> so how does one send a Dml Command
>
> EXT_COMMAND(foo,“”,“”)
> {
> Dml( “
HELLO
> BABY”);
> }
>
> if i dont escape %s\n it doesnt compile
> if i escape windbg growls barks and spits
>
>
> 0:000> .load extcpp.dll ; !symst ; .unload extcpp.dll
> HELLO BABYUnloading extcpp.dll extension DLL
> 0:000> .printf ‹MÀ‹‘8
>
> ^ Quotes required in '.printf ‹MÀ‹‘8 '
> 0:000> .printf ‹MÀ‹‘8
>
> it doesnt seem to take "
> it doent seem to take \0x22
>
> any bright hackdeas
>
>
>
> On 8/31/11, raj_r wrote:
>> On 8/31/11, xxxxx@mcafee.com
>> wrote:
>>> “I remembered reading somewhere that you cant call dbghelp functions
>>> from
>>> Extensions”
>>>
>>>
>>> That is not true. I use SymGetTypeInfo and SymSearch in my extension
>>> because I couldn’t find an alternative in the COM api.
>>
>> i remembered right what not to do not what can be done
>>
>> http://msdn.microsoft.com/en-us/library/ff561492(VS.85).aspx
>>
>> read the Note in that link
>>
>> it says using either dbghelp or Imagehlp Functions in Extension can
>> cause "VARIETY" of PROBLEMS**
>>
>
>
> –
> thanks and regards
>
> raj_r
>

–
thanks and regards

raj_r

Engextcpp’s Dml() takes a printf-like format string (see the debugger documentation for ControlledOutputVaList for details). You’re telling it that you have a char* to expand into the output string with your %s, but you’re not passing one, so instead whatever happened to be on the stack at the time is being used.

• S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Tuesday, September 06, 2011 12:48 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] script is runnig too slow

i am trying to keep all my extension writing shenanigans in one thread so sorry for awakening this thread

so how does one send a Dml Command

EXT_COMMAND(foo,“”,“”)
{
Dml( “ HELLO BABY”); }

if i dont escape %s\n it doesnt compile if i escape windbg growls barks and spits

0:000> .load extcpp.dll ; !symst ; .unload extcpp.dll HELLO BABYUnloading extcpp.dll extension DLL 0:000> .printf ?M???8

^ Quotes required in '.printf ?M???8 ’
0:000> .printf ?M???8

it doesnt seem to take "
it doent seem to take \0x22

any bright hackdeas

On 8/31/11, raj_r wrote:
> On 8/31/11, xxxxx@mcafee.com
> wrote:
>> “I remembered reading somewhere that you cant call dbghelp functions
>> from Extensions”
>>
>>
>> That is not true. I use SymGetTypeInfo and SymSearch in my extension
>> because I couldn’t find an alternative in the COM api.
>
> i remembered right what not to do not what can be done
>
> http://msdn.microsoft.com/en-us/library/ff561492(VS.85).aspx
>
> read the Note in that link
>
> it says using either dbghelp or Imagehlp Functions in Extension can
> cause "VARIETY" of PROBLEMS**
>

–
thanks and regards

raj_r

—
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

sorry Ken it seems %s is not supported thats the error i get if i do
it in windbg command window

from extension i changed to something like below still no cigar

EXT_COMMAND(foo,“making windbg bark and growl”,“”)
{
Dml( “%s\n” , “Some Thing
Like This Ken”);
Dml( “%s\n” , “I cant
get it Dumb Me ”);
}

0:000> .load extcpp.dll ; !foo ; !help foo; .unload extcpp.dll
Some Thing Like This Ken
I cant get it Dumb Me
!foo
making windbg bark and growl
Unloading extcpp.dll extension DLL
0:000> .printf /D
^ Quotes required in '.printf /D ’
0:000> .printf /D
^ Quotes required in '.printf /D ’

On 9/7/11, Skywing wrote:
> Engextcpp’s Dml() takes a printf-like format string (see the debugger
> documentation for ControlledOutputVaList for details). You’re telling it
> that you have a char* to expand into the output string with your %s, but
> you’re not passing one, so instead whatever happened to be on the stack at
> the time is being used.
>
> - S
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
> Sent: Tuesday, September 06, 2011 12:48 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] script is runnig too slow
>
> i am trying to keep all my extension writing shenanigans in one thread so
> sorry for awakening this thread
>
> so how does one send a Dml Command
>
> EXT_COMMAND(foo,“”,“”)
> {
> Dml( “
HELLO
> BABY”); }
>
> if i dont escape %s\n it doesnt compile if i escape windbg growls barks and
> spits
>
>
> 0:000> .load extcpp.dll ; !symst ; .unload extcpp.dll HELLO BABYUnloading
> extcpp.dll extension DLL 0:000> .printf ‹MÀ‹‘8
>
> ^ Quotes required in '.printf ‹MÀ‹‘8 '
> 0:000> .printf ‹MÀ‹‘8
>
> it doesnt seem to take "
> it doent seem to take \0x22
>
> any bright hackdeas
>
>
>
> On 8/31/11, raj_r wrote:
>> On 8/31/11, xxxxx@mcafee.com
>> wrote:
>>> “I remembered reading somewhere that you cant call dbghelp functions
>>> from Extensions”
>>>
>>>
>>> That is not true. I use SymGetTypeInfo and SymSearch in my extension
>>> because I couldn’t find an alternative in the COM api.
>>
>> i remembered right what not to do not what can be done
>>
>> http://msdn.microsoft.com/en-us/library/ff561492(VS.85).aspx
>>
>> read the Note in that link
>>
>> it says using either dbghelp or Imagehlp Functions in Extension can
>> cause "VARIETY" of PROBLEMS**
>>
>
>
> –
> thanks and regards
>
> raj_r
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

> -----Original Message-----

From: xxxxx@lists.osr.com [mailto:bounce-473571-
xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Tuesday, September 06, 2011 4:31 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] script is runnig too slow

sorry Ken it seems %s is not supported thats the error i get if i do
it in windbg command window

from extension i changed to something like below still no cigar

EXT_COMMAND(foo,“making windbg bark and growl”,“”)
{
Dml( “%s\n” , “Some Thing
> Like This Ken”);
Dml( “%s\n” , “I cant
> get it Dumb Me ”);
}

0:000> .load extcpp.dll ; !foo ; !help foo; .unload extcpp.dll
Some Thing Like This Ken
I cant get it Dumb Me
!foo
making windbg bark and growl
Unloading extcpp.dll extension DLL
0:000> .printf /D
^ Quotes required in '.printf /D ’
0:000> .printf /D
^ Quotes required in '.printf /D ’

Haven’t been following this thread, but this post caught my eye, somehow. I just checked the docs for .printf, there is no documented “/D”, just “/oD”. I have no idea if this is an oversight in the docs, or the root of your problem, just thought I’d point it out, FWIW.

Phil

Philip D. Barila

you can see /D mentioned in dml.doc in windbg folder

and you can use it plainly in windbg command window like

below

0:000> .printf /D “"lm"> %C%C%C%C%C%C%C%C%C \n” , ‘P’,‘h’,‘i’,‘l’,‘i’,‘p’,’
',‘D’,‘B’
Philip DB
0:000> lm
start end module name
01000000 01097000 windbg (pdb symbols)
f:\symbols\windbg.pdb\744A702981D440C799B9B945255EA20F1\windbg.pdb
02000000 0239b000 dbgeng (pdb symbols)
f:\symbols\dbgeng.pdb\8E721C041CD54A73AD24619FA799AE2F1\dbgeng.pdb
03000000 03141000 dbghelp (pdb symbols)
f:\symbols\dbghelp.pdb\24F6937D663140A2AFF3210434AFBA901\dbghelp.pdb
64d00000 64d34000 snxhk C (export symbols) C:\Program
Files\Alwil Software\Avast5\snxhk.dll
71b20000 71b32000 MPR (pdb symbols)
f:\symbols\mpr.pdb\A9B542306C364AA2BAF25EFE9F3C2B5A2\mpr.pdb

and if you click the outPut Philip DB you will execute LM

On 9/7/11, Philip D Barila wrote:
>> -----Original Message-----
>> From: xxxxx@lists.osr.com [mailto:bounce-473571-
>> xxxxx@lists.osr.com] On Behalf Of raj_r
>> Sent: Tuesday, September 06, 2011 4:31 PM
>> To: Kernel Debugging Interest List
>> Subject: Re: [windbg] script is runnig too slow
>>
>> sorry Ken it seems %s is not supported thats the error i get if i do
>> it in windbg command window
>>
>> from extension i changed to something like below still no cigar
>>
>> EXT_COMMAND(foo,“making windbg bark and growl”,“”)
>> {
>> Dml( “%s\n” , “Some Thing
>> Like This Ken”);
>> Dml( “%s\n” , “I cant
>> get it Dumb Me ”);
>> }
>>
>>
>> 0:000> .load extcpp.dll ; !foo ; !help foo; .unload extcpp.dll
>> Some Thing Like This Ken
>> I cant get it Dumb Me
>> !foo
>> making windbg bark and growl
>> Unloading extcpp.dll extension DLL
>> 0:000> .printf /D
>> ^ Quotes required in '.printf /D '
>> 0:000> .printf /D
>> ^ Quotes required in '.printf /D '
>
> Haven’t been following this thread, but this post caught my eye, somehow. I
> just checked the docs for .printf, there is no documented “/D”, just “/oD”.
> I have no idea if this is an oversight in the docs, or the root of your
> problem, just thought I’d point it out, FWIW.
>
> Phil
>
> Philip D. Barila
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r