@ Alex carp
Since you find that useful, I assume you may also have a system where
you can't copy anything onto it and can't compile code on it either.
If that is so, and the systems are newer than Vista (where PowerShell is in the
box), you can use C# code to call the dbgeng functions:
PowerShell uses the .NET Framework csc.exe to compile C# code in
memory when you run Add-Type.
Sample code below (it is a hack, so ignore everything except the
concept and the result);
implementing it properly was not the goal.
$src = @"
using System;
using System.Text;
using System.Runtime.InteropServices;
using System.Reflection;
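// Assembly-level attributes that keep FxCop quiet for the in-memory assembly.
// The original used typographic quotes around the version string, which csc rejects;
// they must be plain ASCII quotes.
[assembly: ComVisible(false)] // to satisfy fxcop
[assembly: CLSCompliant(true)] // to satisfy fxcop
[assembly: AssemblyVersion("1.0.0")] // to satisfy fxcop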
namespace Test
{
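/// <summary>
/// Minimal COM import of dbgeng's IDebugClient. Only the two methods this sample
/// uses are declared; every other member is a placeholder whose sole job is to keep
/// the vtable index of the real methods correct (16 placeholders put OpenDumpFile at
/// slot 16 and 14 more put SetOutputCallbacks at slot 31, counted after IUnknown,
/// matching dbgeng.h). Never call a Dxx placeholder: its managed signature does not
/// describe the native method in that slot.
/// </summary>
[ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown),
Guid("27fe5639-8407-4f47-8364-ee118fb08ac8")]
public interface IDebugClient
{
    // Slots 0-15: not used by this sample.
    int D00(); int D01(); int D02(); int D03(); int D04(); int D05(); int D06(); int D07();
    int D08(); int D09(); int D10(); int D11(); int D12(); int D13(); int D14(); int D15();

    /// <summary>Slot 16. Opens a crash dump as the debuggee.</summary>
    /// <param name="DumpFile">Path of the dump file; marshalled as ANSI.</param>
    /// <returns>Raw HRESULT (PreserveSig) — the caller must check it.</returns>
    [PreserveSig]
    int OpenDumpFile(
        [In, MarshalAs(UnmanagedType.LPStr)] string DumpFile);

    // Slots 17-30: not used by this sample.
    int D17(); int D18(); int D19(); int D20(); int D21(); int D22(); int D23();
    int D24(); int D25(); int D26(); int D27(); int D28(); int D29(); int D30();

    /// <summary>Slot 31. Registers the object that receives all engine output.</summary>
    /// <param name="callbacks">Managed implementation; the runtime wraps it in a CCW, so the
    /// caller must keep a reference alive while it is registered.</param>
    /// <returns>Raw HRESULT (PreserveSig) — the caller must check it.</returns>
    [PreserveSig]
    int SetOutputCallbacks(
        [In] IDebugOutputCallbacks callbacks);
}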
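/// <summary>
/// Minimal COM import of dbgeng's IDebugControl. As with IDebugClient, only the two
/// methods used here are real; the Dxx members are vtable padding (63 placeholders put
/// Execute at slot 63 and 26 more put WaitForEvent at slot 90, counted after IUnknown,
/// matching dbgeng.h). Never call a placeholder.
/// </summary>
[ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown),
Guid("5182e668-105e-416e-ad92-24ef800424ba")]
public interface IDebugControl
{
    // Slots 0-62: not used by this sample.
    int D01(); int D02(); int D03(); int D04(); int D05(); int D06(); int D07();
    int D08(); int D09(); int D10(); int D11(); int D12(); int D13(); int D14();
    int D15(); int D16(); int D17(); int D18(); int D19(); int D20(); int D21();
    int D22(); int D23(); int D24(); int D25(); int D26(); int D27(); int D28();
    int D29(); int D30(); int D31(); int D32(); int D33(); int D34(); int D35();
    int D36(); int D37(); int D38(); int D39(); int D40(); int D41(); int D42();
    int D43(); int D44(); int D45(); int D46(); int D47(); int D48(); int D49();
    int D50(); int D51(); int D52(); int D53(); int D54(); int D55(); int D56();
    int D57(); int D58(); int D59(); int D60(); int D61(); int D62(); int D63();

    /// <summary>Slot 63. Runs a debugger command as if typed at the prompt.</summary>
    /// <param name="outputControl">DEBUG_OUTCTL_* value; 0 is DEBUG_OUTCTL_THIS_CLIENT.</param>
    /// <param name="command">Command text, marshalled as ANSI.</param>
    /// <param name="flags">DEBUG_EXECUTE_* value; 0 is DEBUG_EXECUTE_DEFAULT.</param>
    /// <returns>Raw HRESULT (PreserveSig) — the caller must check it.</returns>
    [PreserveSig]
    int Execute(
        [In] int outputControl,
        [In, MarshalAs(UnmanagedType.LPStr)] string command,
        [In] int flags);

    // Slots 64-89: not used by this sample.
    int D65(); int D66(); int D67(); int D68(); int D69(); int D70(); int D71();
    int D72(); int D73(); int D74(); int D75(); int D76(); int D77(); int D78();
    int D79(); int D80(); int D81(); int D82(); int D83(); int D84(); int D85();
    int D86(); int D87(); int D88(); int D89(); int D90();

    /// <summary>Slot 90. Blocks until the engine reaches its next event; for a dump this
    /// is the initial load, after which commands can be executed.</summary>
    /// <param name="wait">DEBUG_WAIT_* value; 0 is DEBUG_WAIT_DEFAULT.</param>
    /// <param name="timeout">Milliseconds, or System.Threading.Timeout.Infinite.</param>
    /// <returns>Raw HRESULT (PreserveSig) — the caller must check it.</returns>
    [PreserveSig]
    int WaitForEvent(
        [In] int wait,
        [In] int timeout);
}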
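/// <summary>
/// COM import of dbgeng's IDebugOutputCallbacks. This is the one interface the sample
/// implements in managed code (see <c>Text</c>) rather than consumes; the engine calls
/// <see cref="Output"/> for every chunk of text it would otherwise print.
/// </summary>
[ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown),
Guid("4bf58045-d654-4c40-b0af-683090f356dc")]
public interface IDebugOutputCallbacks
{
    /// <summary>Receives one chunk of engine output.</summary>
    /// <param name="mask">DEBUG_OUTPUT_* category flags for this chunk.</param>
    /// <param name="text">The text, marshalled from ANSI.</param>
    /// <returns>HRESULT; implementations return 0 (S_OK).</returns>
    [PreserveSig]
    int Output(
        [In] int mask,
        [In, MarshalAs(UnmanagedType.LPStr)] string text);
}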
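/// <summary>
/// P/Invoke surface for locating dbgeng's DebugCreate export, plus the engine interface
/// references the sample keeps alive for its whole run.
/// </summary>
internal static class NativeMethods
{
    internal static Test.IDebugClient g_Client = null;
    internal static Test.IDebugControl g_Control = null;
    // Must stay referenced while registered with SetOutputCallbacks so the CCW is not collected.
    internal static Test.IDebugOutputCallbacks g_Output = null;

    /// <summary>
    /// kernel32!LoadLibraryA. Returns IntPtr.Zero on failure (SetLastError lets the caller
    /// read Marshal.GetLastWin32Error()). A bare module name is resolved by the loader's
    /// DLL search order, which can include the application and current directories; pass
    /// a full path when the engine copy must be pinned to a known location.
    /// </summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true,
        BestFitMapping = false, ThrowOnUnmappableChar = true)]
    internal static extern IntPtr LoadLibrary(string dllpath);

    /// <summary>kernel32!GetProcAddress. Returns IntPtr.Zero if the export is missing.</summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true,
        BestFitMapping = false, ThrowOnUnmappableChar = true)]
    internal static extern IntPtr GetProcAddress(IntPtr dllbase,
        string functionname);

    /// <summary>
    /// Managed shape of dbgeng!DebugCreate(REFIID, PVOID*). Returns an HRESULT, declared as
    /// int (not uint) so it can be passed straight to Marshal.ThrowExceptionForHR; on
    /// success <paramref name="face"/> holds the requested interface as an RCW.
    /// </summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    internal delegate int DebugCreate(
        ref Guid interfaceId,
        [MarshalAs(UnmanagedType.IUnknown)] out object face);
}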
/// <summary>
/// Output sink handed to dbgeng: every chunk of engine output, whatever its category,
/// is echoed to the process's standard output.
/// </summary>
class Text : Test.IDebugOutputCallbacks
{
    /// <param name="Mask">Output category flags from the engine; not filtered here.</param>
    /// <param name="Text">The chunk of text exactly as the engine produced it.</param>
    /// <returns>0 (S_OK), always.</returns>
    public int Output(int Mask, string Text)
    {
        Console.Out.Write(Text);
        return 0;
    }
}
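/// <summary>
/// Drives the dbgeng.dll already present on the box to open a crash dump, wait for it
/// to load and run <c>.dumpdebug</c>, with all engine output echoed to stdout.
/// </summary>
public class Program
{
    /// <summary>
    /// Original entry point, kept so existing callers still work: processes
    /// "memory.dmp" from the current directory with dbgeng.dll resolved by the loader.
    /// </summary>
    public static void Main()
    {
        Run("memory.dmp", "Dbgeng.dll");
    }

    /// <summary>
    /// Loads the engine from <paramref name="dbgengPath"/>, opens <paramref name="dumpFile"/>
    /// and executes <c>.dumpdebug</c>. Unlike the original, every native return value is
    /// checked, so a missing DLL, missing export or failed engine call surfaces as an
    /// exception instead of silently producing no output.
    /// </summary>
    /// <param name="dumpFile">Path of the crash dump to open. The dump is parsed in-process
    /// by the engine; treat it as untrusted input and prefer running this under a
    /// low-privilege account.</param>
    /// <param name="dbgengPath">Name or full path of dbgeng.dll. A bare name goes through the
    /// loader's DLL search order (application directory, system directories and, depending
    /// on configuration, the current directory), so a planted DLL in one of those could be
    /// loaded; pass the full path of the inbox copy under the system directory to pin it.</param>
    /// <exception cref="ArgumentException">Either argument is null or empty.</exception>
    /// <exception cref="InvalidOperationException">dbgeng.dll could not be loaded or does
    /// not export DebugCreate.</exception>
    /// <exception cref="COMException">An engine call returned a failure HRESULT.</exception>
    public static void Run(string dumpFile, string dbgengPath)
    {
        if (string.IsNullOrEmpty(dumpFile))
        {
            throw new ArgumentException("dump file path is required", "dumpFile");
        }
        if (string.IsNullOrEmpty(dbgengPath))
        {
            throw new ArgumentException("dbgeng.dll name or path is required", "dbgengPath");
        }

        IntPtr moduleHandle = NativeMethods.LoadLibrary(dbgengPath);
        if (moduleHandle == IntPtr.Zero)
        {
            throw new InvalidOperationException("LoadLibrary failed for " + dbgengPath);
        }
        IntPtr hProc = NativeMethods.GetProcAddress(moduleHandle, "DebugCreate");
        if (hProc == IntPtr.Zero)
        {
            throw new InvalidOperationException("DebugCreate is not exported by " + dbgengPath);
        }
        NativeMethods.DebugCreate debugCreate =
            (NativeMethods.DebugCreate)Marshal.GetDelegateForFunctionPointer(
                hProc, typeof(NativeMethods.DebugCreate));

        // IID_IDebugClient; the same GUID as on the IDebugClient import above.
        Guid iid = new Guid("27fe5639-8407-4f47-8364-ee118fb08ac8");
        object iface;
        // The cast tolerates the delegate returning either int or uint for the HRESULT.
        Marshal.ThrowExceptionForHR((int)debugCreate(ref iid, out iface));

        NativeMethods.g_Client = (Test.IDebugClient)iface;
        // Casting the RCW to a second ComImport interface performs the QueryInterface.
        NativeMethods.g_Control = (Test.IDebugControl)iface;
        // Held in a static so the CCW stays alive while the engine holds it.
        NativeMethods.g_Output = new Text();

        Marshal.ThrowExceptionForHR(
            NativeMethods.g_Client.SetOutputCallbacks(NativeMethods.g_Output));
        Marshal.ThrowExceptionForHR(
            NativeMethods.g_Client.OpenDumpFile(dumpFile));
        // 0 = DEBUG_WAIT_DEFAULT; wait for the dump's initial load event.
        Marshal.ThrowExceptionForHR(
            NativeMethods.g_Control.WaitForEvent(0, System.Threading.Timeout.Infinite));
        // 0 = DEBUG_OUTCTL_THIS_CLIENT, 0 = DEBUG_EXECUTE_DEFAULT.
        Marshal.ThrowExceptionForHR(
            NativeMethods.g_Control.Execute(0, ".dumpdebug", 0));
    }
}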
}
"@
# Compile the C# here-string above into an in-memory assembly (Add-Type defaults to C#).
# This only defines the types; the invocation that produced the output below
# (presumably [Test.Program]::Main()) is not shown in this excerpt.
Add-Type -TypeDefinition $src
and the resulting execution using powershell
powershell -f poshwind.ps1 | grep -iE "version|Loading|full"
Microsoft (R) Windows Debugger Version 6.1.7601.17514 X86
Loading Dump File [E:\chashdbg\memory.dmp]
Kernel Complete Dump File: Full address space is available
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
----- 32 bit Kernel Full Dump Analysis
MajorVersion 0000000f
MinorVersion 00000a28
KdSecondaryVersion 00000000
On 8/3/16, Alex Carp wrote:
> Thanks Ladislav and Raj!
>
> Ladislav, I should have been clearer, but I’m trying to build an automated
> system that runs on machines before I even touch the machine at all, so
> no copying of the directory, it must be what’s available on the system. I
> know that’s going to be a very limited subset of the functionality that’s
> available in the latest libraries, but I’m not looking to do much more than
> what dumpchk.exe does.
>
> Raj, thanks for the suggestion and the code sample, that’s exactly what I
> was looking for!
>
> Thanks,
> Alex
>
> On Wed, Aug 3, 2016 at 6:10 AM, raj r wrote:
>
>> a basic dump checker is as below (this is a standalone exe and can use
>> the inbox dbgeng.dll and dbghelp.dll)
>>
>>
>> #include “out.cpp” //copy from remmon sample
>> // Engine interfaces filled in by CreateInterfaces(); never released here
>> // (process exit cleans them up).
>> IDebugClient* g_Client = NULL;
>> IDebugControl* g_Control = NULL;
>> // HRESULT of the most recent engine call; E_FAIL until something has run.
>> HRESULT Status = E_FAIL;
>> // Creates the engine and obtains IDebugClient, then IDebugControl via
>> // QueryInterface. Returns the HRESULT of the last step that ran (S_OK only
>> // when both succeeded); the value is also left in the global Status.
>> HRESULT CreateInterfaces(void)
>> {
>> Status = DebugCreate(__uuidof(IDebugClient), (void**)&g_Client);
>> if(S_OK == Status) {
>> Status =
>> g_Client->QueryInterface(__uuidof(IDebugControl),
>> (void**)&g_Control);
>> }
>> return Status;
>> }
>> // Usage: dengex.exe <dump>. Opens the dump with the in-process dbgeng,
>> // waits for the initial load event and runs .dumpdebug; output goes
>> // through g_OutputCb (declared in out.cpp).
>> // NOTE(review): argv must be `char* argv[]` (or `char**`) — with `char* argv`,
>> // argv[0] and argv[1] are single chars, so the printf and OpenDumpFile calls
>> // are wrong as written.
>> // NOTE(review): the typographic quotes around the string literals are a
>> // mail/web artifact; the compiler needs plain "...".
>> // NOTE(review): the final Status is never reported, so the process exit code
>> // is 0 even when an engine call failed.
>> int __cdecl main (int argc , char* argv)
>> {
>> if(argc != 2) {printf(“usage %s foo.dmp” , argv[0]);exit(0);}
>> Status = CreateInterfaces();
>> if(S_OK == Status) {
>> Status = g_Client->SetOutputCallbacks(&g_OutputCb);
>> }
>> if(S_OK == Status){
>> Status = g_Client->OpenDumpFile(argv[1]);
>> }
>> if(S_OK == Status){
>> // DEBUG_WAIT_DEFAULT, no timeout: block until the dump has loaded.
>> Status = g_Control->WaitForEvent( DEBUG_WAIT_DEFAULT, INFINITE );
>> }
>> if(S_OK == Status){
>> Status =
>>
>> g_Control->Execute(DEBUG_OUTCTL_THIS_CLIENT,“.dumpdebug”,DEBUG_EXECUTE_DEFAULT);
>> }
>> }
>>
>>
>>
>> execution results
>>
>> >dengex.exe >> res.txt
>> >dengex.exe oktest.dmp >> res.txt
>> >dengex.exe MEMORY.DMP >> res.txt
>>
>> >grep Loading -A 1 res.txt
>> Loading Dump File [\oktest.dmp]
>> User Mini Dump File: Only registers, stack and portions of memory are
>> available << user mini
>> –
>> Loading Dump File [\MEMORY.DMP]
>> Kernel Complete Dump File: Full address space is available << kernel
>> full
>>
>> >grep “Debugger Version” res.txt
>> Microsoft (R) Windows Debugger Version 6.1.7601.17514 X86
>>
>> Microsoft (R) Windows Debugger Version 6.1.7601.17514 X86
>>
>> copy “winx\dbgeng.dll” .
>> 1 file(s) copied.
>> >copy “winx\dbghelp.dll” .
>> 1 file(s) copied.
>>
>> >dengex.exe oktest.dmp >> res.txt
>> >dengex.exe MEMORY.DMP >> res.txt
>>
>> >grep “Debugger Version” res.txt
>> Microsoft (R) Windows Debugger Version 6.1.7601.17514 X86 < used the
>> inbox
>> dll
>> Microsoft (R) Windows Debugger Version 6.1.7601.17514 X86
>> Microsoft (R) Windows Debugger Version 10.0.10586.567 X86 <<< using
>> the copied dll
>> Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
>>
>>
>>
>> On 8/3/16, raj r wrote:
>> > the inbox dbgeng.dll tends to be quite old, but you can use it if you
>> > don't depend on methods implemented on the interfaceXX versions where XX is
>> > above some default base
>> >
>> > here is a post where i implemented a standalone dumpchk clone
>> > http://www.osronline.com/showthread.cfm?link=224896
>> > i should be able to locate the project in some pen drive if you want it
>> >
>> > On 8/3/16, Ladislav Zezula wrote:
>> >> Perhaps the fastest way to do this would be just copy
>> >>
>> >> the entire WinDbg directory somewhere and use it.
>> >>
>> >> You don’t have to install it. This is what I have been doing for years
>> >>
>> >> on customer machines.
>> >>
>> >>
>> >>
>> >> If, for some reason, you can’t do that, then yes, you could
>> >>
>> >> use the threesome dbgeng.dll-dbghelp.dll-symsrv.dll,
>> >>
>> >> but you will usually need one of the WinDbg extensions
>> >>
>> >> (as it implements the useful commands that you usually
>> >>
>> >> need for parsing, like „analyze“). You need to make absolutely
>> >>
>> >> sure that all the components match each other – i.e. don’t
>> >>
>> >> try to use newest WinDbg’s extensions with the built-in
>> >>
>> >> dbgeng/dbghelp/symsrv, as the internal structures may
>> >>
>> >> mismatch and you get weird kind of errors.
>> >>
>> >>
>> >>
>> >> L.
>> >>
>> >>
>> >>
>> >> From: xxxxx@lists.osr.com
>> >> [mailto:xxxxx@lists.osr.com] On Behalf Of Alex Carp
>> >> Sent: Wednesday, August 03, 2016 3:39 AM
>> >> To: Kernel Debugging Interest List
>> >> Subject: [windbg] parse kernel minidump
>> >>
>> >>
>> >>
>> >> Hi all,
>> >>
>> >>
>> >>
>> >> I’d like to parse a kernel minidump on the machine where it was
>> >> generated,
>> >> which doesn’t have the Windows Debugging Tools installed. I’ve tried
>> >> to
>> >> use
>> >> dbghelp.dll and MiniDumpReadDumpStream() never works, it seems it’s
>> >> only
>> >> for
>> >> user mode minidumps (there’s some hints about that in the
>> documentation).
>> >> So
>> >> I guess my questions are:
>> >>
>> >> 1. Are user mode minidumps and kernel minidumps different ?
>> >>
>> >> 2. Can I use dbghelp.dll to parse a kernel minidump ?
>> >>
>> >> 3. Can I use the dbgeng.dll that’s already on any windows machine to
>> >> do
>> >> some
>> >> quick parsing of kernel minidumps (using DebugCreate and the right
>> >> interfaces ?).
>> >>
>> >> 4. Any pointers ? Am I missing anything ?
>> >>
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> Alex
>> >>
>> >
>>
>>
>