extension access to UM debuggee

Paul_Attryde Member Posts: 14

From a wdbgexts-type extension, how do I get the name of the user mode process being debugged, and its list of loaded DLLs (modules)? Is there a specific debugger API for this, or do I use regular API calls?
(For context, this extension is only ever used with 32-bit user mode applications, in case that makes it easier)

Comments

  • raj_r Member - All Emails Posts: 983

    The DECLARE_API macro provides you the hCurrentProcess handle, which was the handle returned when windbg opened the debuggee for CreateProcess.

    You can use it in GetProcessId() and QueryFullProcessImageName() to get the debuggee's PID and name, and there is a wdbgexts API GetPebAddress(); use it to retrieve the PEB and get the modules from one of the Ldr->xxxxmodlist lists.

    Find below some code that does what is described above.
     

    #include <windows.h>
    #define KDEXT_64BIT              /* use the 64-bit-clean wdbgexts API (ULONG64 target addresses) */
    #include <wdbgexts.h>

    EXT_API_VERSION Apv = {1, 1, EXT_API_VERSION_NUMBER64, 0};
    WINDBG_EXTENSION_APIS ExtensionApis;
    ULONG SavedMajorVersion;
    ULONG SavedMinorVersion;

    /* Called once at .load: keep the callback table so dprintf/ReadMemory/etc. work. */
    __declspec(dllexport) VOID WinDbgExtensionDllInit(
        PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT Mave, USHORT Mive)
    {
        ExtensionApis = *lpExtensionApis;
        SavedMajorVersion = Mave;
        SavedMinorVersion = Mive;
        return;
    }
    __declspec(dllexport) LPEXT_API_VERSION ExtensionApiVersion(VOID)
    {
        return &Apv;
    }
    __declspec(dllexport) VOID CheckVersion(VOID)
    {
        return;
    }

    /* !exttest: DECLARE_API supplies hCurrentProcess, hCurrentThread, dwCurrentPc,
       dwProcessor and args as local parameters. */
    __declspec(dllexport) DECLARE_API(exttest)
    {
        dprintf("==========================Wdgbexttest Extension=======================\n");
        dprintf("args = %s\ndwProcessor = %x\n", args, dwProcessor);
        dprintf("EIP/RIP = %I64x\n@thread = %p\n@Proc = %p\n", dwCurrentPc, hCurrentThread, hCurrentProcess);

        /* hCurrentProcess is a real process handle only for a live user-mode target;
           with a dump file the Win32 process APIs below have nothing to query. */
        dprintf("pid == %x\n", GetProcessId(hCurrentProcess));
        char exename[MAX_PATH] = {0};
        DWORD nsize = MAX_PATH;
        BOOL res = QueryFullProcessImageNameA(hCurrentProcess, 0, exename, &nsize);
        /* GetLastError() is only meaningful when the call failed. */
        if (res)
            dprintf("res = %x\tnsize = %x\t Debugee = %s\n", res, nsize, exename);
        else
            dprintf("QueryFullProcessImageNameA failed, error=%x\n", GetLastError());

        dprintf("=========================Module List==================================\n");
        ULONG64 ThreadAddr = 0;
        GetCurrentThreadAddr(dwProcessor, &ThreadAddr);
        ULONG64 curPEB = 0;
        if (!GetPebAddress(ThreadAddr, &curPEB) || curPEB == 0)
        {
            dprintf("GetPebAddress failed\n");
            return;
        }
        /* InitTypeRead returns zero on success; ReadField on a structure-typed
           field returns the target address of that field, i.e. the list head. */
        if (InitTypeRead(curPEB, _PEB))
        {
            dprintf("cannot read _PEB at %I64x (symbols?)\n", curPEB);
            return;
        }
        ULONG64 head = ReadField(Ldr->InLoadOrderModuleList);
        LIST_ENTRY64 link;
        if (!ReadListEntry(head, &link))
        {
            dprintf("cannot read list head at %I64x\n", head);
            return;
        }
        /* InLoadOrderLinks is the first field of _LDR_DATA_TABLE_ENTRY, so each link
           address is also the entry address. Walk until Flink returns to the head. */
        for (ULONG64 entry = link.Flink; entry != head; entry = link.Flink)
        {
            InitTypeRead(entry, _LDR_DATA_TABLE_ENTRY);
            /* %mu prints a NUL-terminated UTF-16 string read from target memory */
            dprintf("%mu\n", ReadField(FullDllName.Buffer));
            if (!ReadListEntry(entry, &link))
            {
                dprintf("list walk aborted at %I64x\n", entry);
                break;
            }
        }
    }
    

     
    compiled and executed
     

    :\>dir /b & bldext.bat
    bldext.bat
    exttest.c
    
    :\>cl /Zi /W4 /analyze /Od /nologo /LD exttest.c /link /release /nologo
    exttest.c
       Creating library exttest.lib and object exttest.exp
    
    :\>cdb -c ".load exttest;!exttest Hi Paul;q" calc | awk "/Reading/,/quit/"
    0:000> cdb: Reading initial command '.load exttest;!exttest Hi Paul;q'
    ==========================Wdgbexttest Extension=======================
    args = Hi Paul
    dwProcessor = 1db
    EIP/RIP = 7ffae3342dbc
    @thread = 00000000000001dc
    @Proc = 00000000000001e0
    pid == 2f08
    error=7f        res = 1 nsize = 1c       Debugee = C:\Windows\System32\calc.exe
    =========================Module List==================================
    C:\Windows\SYSTEM32\calc.exe
    C:\Windows\SYSTEM32\ntdll.dll
    C:\Program Files\AVAST Software\Avast\aswhook.dll
    C:\Windows\System32\KERNEL32.DLL
    C:\Windows\System32\KERNELBASE.dll
    C:\Windows\System32\SHELL32.dll
    C:\Windows\System32\msvcrt.dll
    C:\Windows\System32\cfgmgr32.dll
    C:\Windows\System32\ucrtbase.dll
    C:\Windows\System32\shcore.dll
    C:\Windows\System32\RPCRT4.dll
    C:\Windows\System32\combase.dll
    C:\Windows\System32\bcryptPrimitives.dll
    C:\Windows\System32\windows.storage.dll
    C:\Windows\System32\msvcp_win.dll
    C:\Windows\System32\sechost.dll
    C:\Windows\System32\advapi32.dll
    C:\Windows\System32\profapi.dll
    C:\Windows\System32\powrprof.dll
    C:\Windows\System32\shlwapi.dll
    C:\Windows\System32\GDI32.dll
    C:\Windows\System32\gdi32full.dll
    C:\Windows\System32\USER32.dll
    C:\Windows\System32\win32u.dll
    C:\Windows\System32\kernel.appcore.dll
    C:\Windows\System32\cryptsp.dll
    quit:
    
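Added example (editor's addition, not code from the thread or from raj_r's extension): the walk above works because InLoadOrderLinks sits at offset 0 of _LDR_DATA_TABLE_ENTRY and the FullDllName buffer happens to be NUL-terminated. The portable C below generalizes that into a ring walk over any of the three Ldr lists through a ReadMemory-style callback: it subtracts the link offset (CONTAINING_RECORD, needed for InMemoryOrderModuleList), reads FullDllName by UNICODE_STRING.Length, and bounds the walk so a corrupted or unterminated list returns an error instead of hanging the debugger. The "target" is a constructed byte array standing in for debuggee memory, and the x64 field offsets are assumed from the public symbols; a real extension should take them from GetFieldOffset/InitTypeRead rather than hardcoding them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 _LDR_DATA_TABLE_ENTRY offsets as the public symbols show them (assumed here). */
#define OFF_INLOADORDER 0x00   /* LIST_ENTRY InLoadOrderLinks */
#define OFF_INMEMORDER  0x10   /* LIST_ENTRY InMemoryOrderLinks */
#define OFF_FULLDLLNAME 0x48   /* UNICODE_STRING: Length, MaximumLength, Buffer at +8 */
#define MAX_NAME 64
#define NSAMPLE 3

/* ReadMemory-style callback: copy len bytes from target address addr into buf. */
typedef int (*read_fn)(void *ctx, uint64_t addr, void *buf, size_t len);

/* Constructed stand-in for debuggee memory: a flat 4 KiB window at `base`. */
struct target { uint64_t base; uint8_t mem[4096]; };

static int read_target(void *ctx, uint64_t addr, void *buf, size_t len) {
    struct target *t = ctx;
    if (addr < t->base || addr + len > t->base + sizeof t->mem) return 0;
    memcpy(buf, t->mem + (addr - t->base), len);
    return 1;
}
static int rd64(read_fn rd, void *ctx, uint64_t addr, uint64_t *out) {
    uint8_t b[8];
    if (!rd(ctx, addr, b, 8)) return 0;
    *out = 0;
    for (int i = 7; i >= 0; i--) *out = (*out << 8) | b[i];
    return 1;
}
/* Read entry->FullDllName using Length (the buffer need not be NUL-terminated);
   UTF-16 is narrowed to ASCII, anything else becomes '?'. */
static int read_name(read_fn rd, void *ctx, uint64_t entry, char *out, size_t cap) {
    uint8_t us[16]; uint64_t bufp; uint16_t len, i;
    if (!rd(ctx, entry + OFF_FULLDLLNAME, us, sizeof us)) return 0;
    len = (uint16_t)(us[0] | (us[1] << 8));
    if (!rd64(rd, ctx, entry + OFF_FULLDLLNAME + 8, &bufp)) return 0;
    for (i = 0; i < len / 2 && i + 1 < cap; i++) {
        uint8_t wc[2];
        if (!rd(ctx, bufp + 2 * i, wc, 2)) return 0;
        out[i] = wc[1] ? '?' : (char)wc[0];
    }
    out[i] = '\0';
    return 1;
}
/* Walk the LIST_ENTRY ring headed at list_head. link_off is the offset of the link
   inside each entry (CONTAINING_RECORD). Stops when Flink returns to the head;
   returns the entry count, or -1 on unreadable memory or more than max_entries. */
static int walk_ldr_list(read_fn rd, void *ctx, uint64_t list_head, uint64_t link_off,
                         int max_entries, char names[][MAX_NAME]) {
    uint64_t flink; int n = 0;
    if (!rd64(rd, ctx, list_head, &flink)) return -1;
    while (flink != list_head) {
        if (n >= max_entries) return -1;                      /* cycle that skips the head */
        if (!read_name(rd, ctx, flink - link_off, names[n], MAX_NAME)) return -1;
        n++;
        if (!rd64(rd, ctx, flink, &flink)) return -1;         /* next link's Flink */
    }
    return n;
}

/* ---- constructed sample target: three entries on both rings (sample data) ---- */
#define HEAD_LOAD  0x100
#define HEAD_MEM   0x110
#define ENTRY(i)   (0x200 + (uint64_t)(i) * 0x100)
#define NAMEBUF(i) (0x800 + (uint64_t)(i) * 0x80)
static const char *sample_dlls[NSAMPLE] = { "C:\\Windows\\System32\\calc.exe",
    "C:\\Windows\\SYSTEM32\\ntdll.dll", "C:\\Windows\\System32\\KERNEL32.DLL" };

static void wr64(struct target *t, uint64_t addr, uint64_t v) {
    for (int i = 0; i < 8; i++) t->mem[addr - t->base + i] = (uint8_t)(v >> (8 * i));
}
static void wr16(struct target *t, uint64_t addr, uint16_t v) {
    t->mem[addr - t->base] = (uint8_t)v; t->mem[addr - t->base + 1] = (uint8_t)(v >> 8);
}
/* Link entries order[0..NSAMPLE) into a doubly-linked ring through the link at link_off. */
static void link_ring(struct target *t, uint64_t head, uint64_t link_off, const int *order) {
    uint64_t b = t->base;
    for (int k = 0; k < NSAMPLE; k++) {
        uint64_t link = b + ENTRY(order[k]) + link_off;
        wr64(t, link,     k + 1 < NSAMPLE ? b + ENTRY(order[k + 1]) + link_off : head);
        wr64(t, link + 8, k > 0           ? b + ENTRY(order[k - 1]) + link_off : head);
    }
    wr64(t, head,     b + ENTRY(order[0]) + link_off);
    wr64(t, head + 8, b + ENTRY(order[NSAMPLE - 1]) + link_off);
}
static void build_sample_target(struct target *t) {
    const int load_order[NSAMPLE] = { 0, 1, 2 }, mem_order[NSAMPLE] = { 1, 0, 2 };
    memset(t, 0, sizeof *t);
    t->base = 0x10000;
    for (int i = 0; i < NSAMPLE; i++) {              /* UTF-16LE FullDllName per entry */
        uint16_t len = 0;
        for (; sample_dlls[i][len]; len++)
            wr16(t, t->base + NAMEBUF(i) + 2 * len, (uint8_t)sample_dlls[i][len]);
        wr16(t, t->base + ENTRY(i) + OFF_FULLDLLNAME,     (uint16_t)(2 * len));
        wr16(t, t->base + ENTRY(i) + OFF_FULLDLLNAME + 2, (uint16_t)(2 * len + 2));
        wr64(t, t->base + ENTRY(i) + OFF_FULLDLLNAME + 8, t->base + NAMEBUF(i));
    }
    link_ring(t, t->base + HEAD_LOAD, OFF_INLOADORDER, load_order);
    link_ring(t, t->base + HEAD_MEM,  OFF_INMEMORDER,  mem_order);
}

int main(void) {
    struct target t; char names[8][MAX_NAME];
    build_sample_target(&t);
    int n = walk_ldr_list(read_target, &t, t.base + HEAD_LOAD, OFF_INLOADORDER, 8, names);
    printf("InLoadOrderModuleList: %d entries\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", names[i]);
    n = walk_ldr_list(read_target, &t, t.base + HEAD_MEM, OFF_INMEMORDER, 8, names);
    printf("InMemoryOrderModuleList: %d entries\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", names[i]);
    return 0;
}
```

Inside a real extension, read_target would wrap ReadMemory (or ReadPointer for the links) and the two heads would come from ReadField(Ldr->InLoadOrderModuleList) and ReadField(Ldr->InMemoryOrderModuleList); the rest of the walk is unchanged. The max_entries bound matters in practice: a debuggee that has unlinked itself from the Ldr lists or tampered with them is exactly the case where an unbounded walk stalls.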
  • Paul_Attryde Member Posts: 14

    Thanks, that helps a bunch!
