Complex objects in debugger extensions

This is my first rodeo with debugger extensions. I want to write extension
commands for some of our internal objects. These objects are in C++ and are
very complex internally, some of them might even contain other complex
objects.

When I write the command to parse and dump such objects, would I have to
rewrite the object library again or will linking the one I already have to
the debugger DLL work? The answer probably is a compile of the object
library, as the extension works in user land and the library is for kernel?

Also, I see that we use readMemory inside the debugger to grab memory, does
this mean the object internally has to change API calls to actually read
memory and parse?

Al

I’m not clear on why you need to link the object library to the debugger
extension.

Debugger extensions usually use symbols to do their work, so you don’t need
the object library.

What would the object library do for you in the debugger extension?

I think I might be missing something here.

If you’re new to debugger extensions, I recommend using the EngExtCpp
model, btw.

Good luck,

mm

On Mon, May 9, 2016 at 10:23 AM, A P wrote:

> This is my first rodeo with debugger extensions. I want to write extension
> commands for some of our internal objects. These objects are in C++ and are
> very complex internally, some of them might even contain other complex
> objects.
>
> When I write the command to parse and dump such objects, would I have to
> rewrite the object library again or will linking the one I already have to
> the debugger DLL work? The answer probably is a compile of the object
> library, as the extension works in user land and the library is for kernel?
>
> Also, I see that we use readMemory inside the debugger to grab memory,
> does this mean the object internally has to change API calls to actually
> read memory and parse?
>
> Al
> — WINDBG is sponsored by OSR OSR is hiring!! Info at
> http://www.osr.com/careers MONTHLY seminars on crash dump analysis, WDF,
> Windows internals and software drivers! Details at To unsubscribe, visit
> the List Server section of OSR Online at

For C++ objects you might also want to try using Natvis instead of a
debugger extension:

https://www.osr.com/blog/2015/11/06/fun-windbg-natvis-support/

More here:

https://msdn.microsoft.com/en-us/library/jj620914.aspx

-scott
OSR
@OSRDrivers

@scott…my understanding is that NatVis is for Win10 WDK, we are on VS2012 + Win8WDK as of now.

@mm - maybe I didn’t explain properly. Assume a complex object like say a
JSON parser, or an XML serializer. I was thinking that even to parse the
object memory back to retrieve the individual entries, I would need to link
with the actual parser logic inside the kernel mode DLL/lib. Isn’t that
true?

On Mon, May 9, 2016 at 10:51 AM, Scott Noone wrote:

> For C++ objects you might also want to try using Natvis instead of a
> debugger extension:
>
> https://www.osr.com/blog/2015/11/06/fun-windbg-natvis-support/
>
> More here:
>
> https://msdn.microsoft.com/en-us/library/jj620914.aspx
>
> -scott
> OSR
> @OSRDrivers

AP, sorry, I’m still not sure I understand exactly what you’re trying to
do, but have you looked at ExtRemoteTyped in the windbg docs?

I think that’s a start at what you seek.

On Mon, May 9, 2016 at 1:15 PM, A P wrote:

> @scott…my understanding is that NatVis is for Win10 WDK, we are on
> VS2012 + Win8WDK as of now.
>
> @mm - maybe I didn’t explain properly. Assume a complex object like say a
> JSON parser, or an XML serializer. I was thinking that even to parse the
> object memory back to retrieve the individual entries, I would need to link
> with the actual parser logic inside the kernel mode DLL/lib. Isn’t that
> true?

Is there any reason you’re restricted to the Windows 8 WDK for installing WinDbg? The Windows 10 kits version of WinDbg and the NatVis support works down to Windows 7.

A P wrote:

> @mm - maybe I didn’t explain properly. Assume a complex object like say
> a JSON parser, or an XML serializer. I was thinking that even to parse
> the object memory back to retrieve the individual entries, I would need
> to link with the actual parser logic inside the kernel mode
> DLL/lib. Isn’t that true?

Whether it is true or not, it’s impossible. The debugger and the kernel
code are running on two completely different computers. If you need to
deserialize something, you will have to extract the code into a
user-mode library that you can link with your extension.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
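
An added illustration of the point discussed above (not code from any poster in this thread): parse logic pulled into a user-mode library and written against a memory-read callback, so nested pointers are treated as target addresses and corrupt data is bounded. `TargetReader`, `RawNode`, `ParseList`, `FakeTarget` and the sample image are hypothetical names and constructed data; in a real extension the callback would wrap the debugger's own read call.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <string>
#include <vector>

// Reads len bytes at a TARGET address, false on failure. In a real extension
// this would forward to the debugger's memory-read call (assumption).
using TargetReader = std::function<bool(uint64_t, void*, size_t)>;
struct Entry { std::string key; int32_t value; };

struct RawNode {              // hypothetical node layout in target memory
    uint64_t next, key;       // target addresses: next node (0 = end), key bytes
    uint32_t keyLen;
    int32_t value;
};

// Shared parse logic: target addresses are only handed to read(), never
// dereferenced, and hop count and lengths are bounded against corrupt data.
bool ParseList(const TargetReader& read, uint64_t addr, std::vector<Entry>& out,
               size_t maxNodes = 64, uint32_t maxKey = 256) {
    for (RawNode n{}; addr != 0; addr = n.next) {
        if (out.size() >= maxNodes) return false;      // cycle or corrupt list
        if (!read(addr, &n, sizeof n)) return false;   // unreadable target memory
        if (n.keyLen > maxKey) return false;           // implausible length
        std::string key(n.keyLen, '\0');
        if (n.keyLen && !read(n.key, &key[0], n.keyLen)) return false;
        out.push_back({key, n.value});
    }
    return true;
}

struct FakeTarget {           // constructed stand-in: byte image mapped at base
    uint64_t base;
    std::vector<uint8_t> mem;
    bool Read(uint64_t a, void* buf, size_t len) const {
        if (a < base || len > mem.size() || a - base > mem.size() - len) return false;
        std::memcpy(buf, mem.data() + (a - base), len);
        return true;
    }
    void Put(size_t off, const void* src, size_t len) { std::memcpy(&mem[off], src, len); }
};

FakeTarget MakeSample() {     // {"id", 7} at +0x00 -> {"name", 42} at +0x40
    FakeTarget t{0xFFFF800000001000ull, std::vector<uint8_t>(0x80)};
    RawNode a{t.base + 0x40, t.base + 0x20, 2, 7}, b{0, t.base + 0x60, 4, 42};
    t.Put(0x00, &a, sizeof a); t.Put(0x20, "id", 2);
    t.Put(0x40, &b, sizeof b); t.Put(0x60, "name", 4);
    return t;
}
```

To try it, wrap `FakeTarget::Read` in a lambda and pass it as the `TargetReader`; the same `ParseList` can then be driven by a reader that calls into the debugger instead.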

May be off-topic, so sorry for that, but since I see the answer is about
using Natvis I thought I’ll put out a few questions regarding that.

Yes, Natvis works on Windows 7.

Is Natvis usable only as a display, or can it be dumped into an expression?

If I need to use the Size below in some script, how can I use the
Natvis expression? Is it possible? Can the result be stuck into some
pseudo register?

like r?? $xxxx = Debugger…Size ?

0:000> dx Debugger.Sessions[0].Processes.First().Modules[0].Name
Debugger.Sessions[0].Processes.First().Modules[0].Name : calc.exe
Length : 0x8
0:000> dx Debugger.Sessions[0].Processes.First().Modules[0].BaseAddress
Debugger.Sessions[0].Processes.First().Modules[0].BaseAddress : 0xca0000
0:000> dx Debugger.Sessions[0].Processes.First().Modules[0].BaseAddress,x
Debugger.Sessions[0].Processes.First().Modules[0].BaseAddress,x : 0xca0000
0:000> dx Debugger.Sessions[0].Processes.First().Modules[0].Size,d
Debugger.Sessions[0].Processes.First().Modules[0].Size,d : 786432
0:000> dx Debugger.Sessions[0].Processes.First().Modules[0].Size,x
Debugger.Sessions[0].Processes.First().Modules[0].Size,x : 0xc0000
0:000>

Also, the Win10 WinDbg SDK (the one in the enterprise WDK .zip), version
10.xxxx, doesn’t seem to have engextcpp.lib included.

The vcxproj file in the samples directory still points to engextcpp.lib

Windows
dbgeng.lib;engextcpp.lib
and its platform toolset is v110

Any pointers on how to build some old sources with this Windows 10 WinDbg
SDK/WDK/universal CRT? On the command line, not with Visual Studio and
templates.

I kinda built one extension using this command line and by including
engextcpp.cpp inside my source file like #include <engextcpp.cpp>;
it seems to work (I know MS doesn’t support either sources or hacks like
this, but still any pointers would be helpful).

The extension DLL size compared to one built with WDK7 is huge ( <100 kb
versus > 800 kb )

pushd …
cd /d E:\ewdk
@call launchbuildenv.cmd
popd

IF "%INCLUDE%" == "" ( set "INCLUDE=%vcinstalldir%include;%windowssdkdir%Include\10.0.10586.0\ucrt;%windowssdkdir%Include\10.0.10586.0\um;%windowssdkdir%Include\10.0.10586.0\shared;%windowssdkdir%Debuggers\inc;" )
IF "%LIB%" == "" ( set "LIB=%vcinstalldir%\LIB;%WINDOWSSDKDIR%Lib\10.0.10586.0\ucrt\x86;%WINDOWSSDKDIR%Lib\10.0.10586.0\um\x86;%windowssdkdir%Debuggers\lib\x86" )
IF "%LINKLIBS%" == "" ( set "LINKLIBS=user32.lib kernel32.lib dbgeng.lib dbghelp.lib" )

cl /LD /nologo /W4 /Ox /Zi /EHsc fnproto.cpp /link /DEF:fnproto.def /DEBUG /RELEASE %linklibs%

/analyze throws several warnings on sal_annotations in MS include
files; disabling /analyze I still see one warning in an MS include
file.

One example of a SAL defect in xlocinfo.h:

e:\ewdk\program files\microsoft visual studio 14.0\vc\include
xlocinfo.h
143
23
28252
Inconsistent annotation for ‘_Wcsftime’: Param(5) has ‘SAL_pre SAL_notref SAL_null(__maybe) SAL_pre SAL_valid SAL_pre SAL_notref SAL_deref SAL_notref SAL_access(0x1)’ on the prior instance. See e:\ewdk\program files\windows kits\10\include\10.0.10586.0\ucrt\locale.h(163).
_Wcsftime
_Wcsftime
143


Also, the extension command for searching Unicode strings seems to have some bug.

s -su calc 0x100 returns results up to calc+0x200 and all of them are
question marks, unusable results.

The search for disassembly pattern # pattern range seems to be
returning a memory access violation error inconsistently (works
sometimes, doesn’t work several times).

Some pointers from those reading this thread will certainly be helpful.

On 5/10/16, Tim Roberts wrote:
> A P wrote:
>>
>> @mm - maybe I didn’t explain properly. Assume a complex object like say
>> a JSON parser, or an XML serializer. I was thinking that even to parse
>> the object memory back to retrieve the individual entries, I would need
>> to link with the actual parser logic inside the kernel mode
>> DLL/lib. Isn’t that true?
>
> Whether it is true or not, it’s impossible. The debugger and the kernel
> code are running on two completely different computers. If you need to
> deserialize something, you will have to extract the code into a
> user-mode library that you can link with your extension.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.