From a wdbgexts-type extension, how do I get the name of the user-mode process being debugged, and its list of loaded DLLs (modules)? Is there a specific debugger API for this, or do I use regular API calls?
(For context this extension is only ever used with 32bit user mode applications, in case that makes it easier)
The DECLARE_API macro provides you the hCurrentProcess handle,
which is the handle returned when windbg opened the debuggee via CreateProcess.
You can use it with GetProcessId() and QueryFullProcessImageName()
to get the debuggee's PID and name.
There is also a wdbgexts API, GetPebAddress(); use it to retrieve the PEB
and get the modules from one of the Ldr->xxxxModuleList lists.
Find below some code that does what is described above.
#include <windows.h>
#define KDEXT_64BIT
#include <wdbgexts.h>
/* Version record returned by ExtensionApiVersion(); built against the
 * 64-bit extension API (KDEXT_64BIT is defined before wdbgexts.h). */
EXT_API_VERSION Apv = {1, 1, EXT_API_VERSION_NUMBER64, 0};
/* Debugger callback table, copied in WinDbgExtensionDllInit(); the dprintf,
 * InitTypeRead/ReadField and ReadListEntry helpers go through it. */
WINDBG_EXTENSION_APIS ExtensionApis;
/* Debugger version numbers recorded by WinDbgExtensionDllInit(). */
ULONG SavedMajorVersion;
ULONG SavedMinorVersion;
/*
 * Extension entry point called once by the debugger after loading the DLL.
 * Records the callback table and the debugger's major/minor version so the
 * other exported routines and the dprintf/ReadField macros can use them.
 */
__declspec(dllexport) VOID WinDbgExtensionDllInit(
    PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT Mave, USHORT Mive)
{
    SavedMajorVersion = Mave;
    SavedMinorVersion = Mive;
    /* Copy the whole table by value; the debugger owns the original. */
    ExtensionApis = *lpExtensionApis;
}
/*
 * Reports which extension API revision this DLL was built against.
 * Returns a pointer to the file-scope version record Apv.
 */
__declspec(dllexport) LPEXT_API_VERSION ExtensionApiVersion(VOID)
{
    LPEXT_API_VERSION version = &Apv;
    return version;
}
/*
 * Version hook the debugger calls after initialisation. This extension does
 * no version enforcement, so the routine is intentionally a no-op.
 */
__declspec(dllexport) VOID CheckVersion(VOID)
{
}
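/* Upper bound on Ldr list nodes walked. The list lives in debuggee memory and
 * is not trusted: a corrupted or cyclic list must not hang the debugger. */
enum { MAX_MODULE_ENTRIES = 4096 };

/*
 * Print the debuggee's process id and full image path.
 *
 * @param hProcess  the hCurrentProcess handle the debugger passed to DECLARE_API.
 */
static void dump_debuggee_identity(HANDLE hProcess)
{
    dprintf("pid == %x\n", GetProcessId(hProcess));
    char exename[MAX_PATH] = {0};
    DWORD nsize = MAX_PATH;
    BOOL res = QueryFullProcessImageNameA(hProcess, 0, exename, &nsize);
    /* GetLastError() is only meaningful when the call failed; reading it after
     * a successful call reports a stale value left by some earlier API. */
    DWORD err = res ? 0 : GetLastError();
    dprintf("error=%x\tres = %x\tnsize = %x\t Debugee = %s\n", err, res, nsize, exename);
}

/*
 * Walk PEB->Ldr->InLoadOrderModuleList of the debuggee and print each entry's
 * FullDllName. Every pointer comes from debuggee memory via the debugger's
 * read helpers, so each one is checked before it is followed and the walk is
 * capped at MAX_MODULE_ENTRIES.
 *
 * @param processor  the dwProcessor value passed to DECLARE_API.
 */
static void dump_module_list(ULONG processor)
{
    ULONG64 threadAddr = 0;
    GetCurrentThreadAddr(processor, &threadAddr);
    if (threadAddr == 0) {
        dprintf("unable to resolve the current thread address\n");
        return;
    }
    ULONGLONG curPeb = 0;
    GetPebAddress(threadAddr, &curPeb);
    if (curPeb == 0) {
        dprintf("unable to resolve the PEB address\n");
        return;
    }
    InitTypeRead(curPeb, _PEB);
    ULONG64 listHead = ReadField(Ldr->InLoadOrderModuleList);
    if (listHead == 0) {
        dprintf("PEB.Ldr.InLoadOrderModuleList could not be read\n");
        return;
    }

    LIST_ENTRY64 node = {0, 0};
    ULONG64 cursor = listHead;
    ULONG64 last = 0;       /* head's Blink: the final entry in load order */
    ULONG count = 0;
    for (;;) {
        /* Zero before reading: a failed ReadListEntry leaves Flink at 0, which
         * the check below treats as "stop" instead of chasing stale data. */
        node.Flink = 0;
        node.Blink = 0;
        ReadListEntry(cursor, &node);
        if (node.Flink == 0) {
            dprintf("list entry at %I64x is not readable; stopping\n", cursor);
            return;
        }
        if (count == 0) {
            last = node.Blink;
        }
        /* Each node is the InLoadOrderLinks member at the start of an
         * _LDR_DATA_TABLE_ENTRY, so the node address is the entry address. */
        InitTypeRead(node.Flink, _LDR_DATA_TABLE_ENTRY);
        dprintf("%mu\n", ReadField(FullDllName.Buffer));
        if (++count >= MAX_MODULE_ENTRIES) {
            dprintf("stopped after %lu entries; list may be corrupt or cyclic\n", count);
            return;
        }
        cursor = node.Flink;
        if (cursor == last) {
            return;
        }
    }
}

/*
 * !exttest <args>: prints the DECLARE_API arguments, the debuggee's pid and
 * image path, and its module list in load order.
 */
__declspec(dllexport) DECLARE_API(exttest)
{
    dprintf("==========================Wdgbexttest Extension=======================\n");
    dprintf("args = %s\ndwProcessor = %x\n", args, dwProcessor);
    dprintf("EIP/RIP = %I64x\n@thread = %p\n@Proc = %p\n", dwCurrentPc, hCurrentThread, hCurrentProcess);
    dump_debuggee_identity(hCurrentProcess);
    dprintf("=========================Module List==================================\n");
    dump_module_list(dwProcessor);
}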
Compiled and executed:
:\>dir /b & bldext.bat
bldext.bat
exttest.c
:\>cl /Zi /W4 /analyze /Od /nologo /LD exttest.c /link /release /nologo
exttest.c
Creating library exttest.lib and object exttest.exp
:\>cdb -c ".load exttest;!exttest Hi Paul;q" calc | awk "/Reading/,/quit/"
0:000> cdb: Reading initial command '.load exttest;!exttest Hi Paul;q'
==========================Wdgbexttest Extension=======================
args = Hi Paul
dwProcessor = 1db
EIP/RIP = 7ffae3342dbc
@thread = 00000000000001dc
@Proc = 00000000000001e0
pid == 2f08
error=7f res = 1 nsize = 1c Debugee = C:\Windows\System32\calc.exe
=========================Module List==================================
C:\Windows\SYSTEM32\calc.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Program Files\AVAST Software\Avast\aswhook.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\advapi32.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\cryptsp.dll
quit:
Thanks, that helps a bunch!