Hi there, I am connected to a kernel and I am writing a debug extension for a driver. I have loaded the symbols for the driver and there’s this global structure x which contains a pointer to an instance of a class y. I can dereference this pointer, typecast the pointer as the instance y and read it fine from the watch window of WinDbg. But I have trouble doing it through the debug extension I am writing: I can read the symbol address for x using IDebugSymbols3::GetOffsetByName and get the pointer value using ReadTypedDataVirtual, but I am unable to access this instance of y since it’s not exactly a . Does anyone know how I can access this variable (instance of y) since it doesn’t actually have a symbol name? Thanks, I am trying to use dbgeng.h
Not sure I follow…Classes should have type information in the PDB (module!ClassName), though I’m not sure if that’s what you’re asking? A concrete example would help.
However, have you looked at the new Javascript interface to the debugger? Much easier than writing a C++ extension.
I would like to typecast a pointer as an instance of a class from within a windbg extension. Is it possible? Because it can be done from the watch window
I think ExtRemoteTyped from extengcpp is what you want.
I suspect Javascript will be way easier though. See host.createTypedObject
I am unable to Visualize your exactly a . sentence
but here is an extension code that uses ExtRemoteTyped
to cast a void * to a type * and print out the structured Data
#include <engextcpp.cpp>
// Extension class for this DLL, derived from the engextcpp base class
// ExtExtension. EXT_CLASS is the engextcpp macro that names the class.
class EXT_CLASS : public ExtExtension
{
public:
// Declares the method that implements the !mydt command; its body is
// supplied by the matching EXT_COMMAND(mydt, ...) definition.
EXT_COMMAND_METHOD(mydt);
};
// Defines the global extension instance that the engextcpp framework expects
// to find exactly once per extension DLL.
EXT_DECLARE_GLOBALS();
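// !mydt [Address]
//
// Treats Address as an ntdll!_PEB*, prints the pointer, then follows the
// ProcessHeap field, re-casts that untyped pointer to ntdll!_HEAP* and dumps
// its Counters member. The argument spec declares one unnamed argument that is
// an expression, optional, and defaults to the @$peb pseudo-register.
//
// Address is supplied by the operator and every value read through it comes
// from the debuggee, so it is not guaranteed to describe a real _PEB. Each
// step of the pointer chain is therefore checked before the next cast.
EXT_COMMAND( mydt, "mydt", "{;e,o,d=@$peb;!mydt;}" )
{
    // @$extin in the cast expression stands for the second constructor argument.
    ExtRemoteTyped Peb("(ntdll!_PEB*)@$extin", GetUnnamedArgU64(0));

    // Prints only the address held by the _PEB pointer.
    Peb.OutSimpleValue();
    Out("\n");

    if (Peb.HasField("ProcessHeap"))
    {
        ExtRemoteTyped ProcessHeap = Peb.Field("ProcessHeap");

        // The symbols give this field no pointee type (PVOID), so it prints as void *.
        ProcessHeap.OutFullValue();

        if (ProcessHeap.m_ValidOffset)
        {
            // Address of the field itself inside the _PEB.
            ULONG64 v_off = ProcessHeap.m_Offset;
            Out("%I64x\n", v_off);
        }

        if (ProcessHeap.m_ValidData)
        {
            // Value stored in the field, i.e. the heap address to re-cast.
            ULONG64 v_data = ProcessHeap.m_Data;
            Out("%I64x\n", v_data);

            if (v_data == 0)
            {
                // A zero pointer means the address was not a usable _PEB (or the
                // heap is not set up); casting it would only fail later on a read.
                Out("ProcessHeap is NULL; nothing to cast to ntdll!_HEAP\n");
            }
            else
            {
                ExtRemoteTyped MyHeap("(ntdll!_HEAP*)@$extin", v_data);

                // Same guard as for ProcessHeap: only touch the field when the
                // loaded type information actually has it.
                if (MyHeap.HasField("Counters"))
                {
                    ExtRemoteTyped MyHeapCounts = MyHeap.Field("Counters");
                    // Prints the whole _HEAP_COUNTERS structure, field by field.
                    MyHeapCounts.OutFullValue();
                }
                else
                {
                    Out("ntdll!_HEAP has no Counters field in the loaded symbols\n");
                }
            }
        }
    }
}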
built using vs2017 community as x86 and win 10 18362 headers and libs
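@echo off
rem Builds mydt.cpp into the debugger extension DLL (cl /LD).
rem setlocal keeps the INCLUDE/LIB additions from leaking into the calling
rem shell, where they would otherwise grow on every run of this script.
setlocal
rem Machine-specific paths to the debugger SDK headers and x86 import libraries;
rem the library architecture has to match the debugger that loads the DLL.
set "INCLUDE=%INCLUDE%;E:\windjs\windbg_18362\inc"
set "LIB=%LIB%;E:\windjs\windbg_18362\lib\x86"
set "LINKLIBS=user32.lib kernel32.lib dbgeng.lib dbghelp.lib"
rem One cl command; the carets continue it so the linker options and libraries
rem are not run as separate commands.
cl /LD /nologo /W4 /Od /Zi /EHsc mydt.cpp /link /nologo ^
 /EXPORT:DebugExtensionInitialize /Export:mydt /Export:help /RELEASE ^
 %linklibs%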
executed results
>bld.bat
mydt.cpp
E:\windbg_18362\inc\engextcpp.cpp(1849): warning C4245: ItoI64 -/+ mismatch
Creating library mydt.lib and object mydt.exp
>cdb -c ".load .\mydt;!mydt;q" cdb
0:000> cdb: Reading initial command '.load .\mydt;!mydt;q'
0x7ffd8000 ->>> Peb
void * 0x00160000 ->>> ProcessHeap
7ffd8018 ->>> Peb + #FieldOffset("_PEB","ProcessHeap")
160000 ->>> ULONG64
struct _HEAP_COUNTERS
+0x000 TotalMemoryReserved : 0x100000
+0x004 TotalMemoryCommitted : 0xa000
+0x008 TotalMemoryLargeUCR : 0xf6000
+0x00c TotalSizeInVirtualBlocks : 0
+0x010 TotalSegments : 1
+0x014 TotalUCRs : 1
+0x018 CommittOps : 5
+0x01c DeCommitOps : 0
+0x020 LockAcquires : 0
+0x024 LockCollisions : 0
+0x028 CommitRate : 5
+0x02c DecommittRate : 0
+0x030 CommitFailures : 0
+0x034 InBlockCommitFailures : 0
+0x038 CompactHeapCalls : 0
+0x03c CompactedUCRs : 0
+0x040 AllocAndFreeOps : 0
+0x044 InBlockDeccommits : 0
+0x048 InBlockDeccomitSize : 0
+0x04c HighWatermarkSize : 0x9f88
+0x050 LastPolledSize : 0x9900
quit: