Extension stepping

I am trying to write an extension function that will run to the next call and then print out information about the next instruction.

I am using IDebugControl::Execute to run “tc”. As noted in the documentation, this call returns before the tracing has actually occurred. Sleeping or calling DispatchCallbacks does not see the “tc” trace occur before my extension returns. How can I allow the trace to happen without returning from the call?

If I add my own DebugEventCallback then I can get notified of the triggered DebuggeeState and EngineState changes, but can’t reach back into the engine from those callbacks.

iirc g_Control->Execute is documented to take an arbitrarily long time
and does not return until all commands have been executed

anyway I use this code sometimes to do tc; see if this is of any
help to you

0:000> .shell type XXXXXXXXX\exec_c.cpp
#include <windows.h>
#include <dbgeng.h>
#include <stdio.h>

PDEBUG_CLIENT g_ExtClient = NULL;
PDEBUG_CONTROL g_ExtControl = NULL;

// Required entry point of every dbgeng extension DLL (exported via the .def file)
HRESULT CALLBACK DebugExtensionInitialize(PULONG Version, PULONG Flags)
{
    *Version = DEBUG_EXTENSION_VERSION(1, 0);
    *Flags = 0;
    return S_OK;
}

// !dmlexec: trace until the next call instruction, then disassemble one line at eip
HRESULT CALLBACK dmlexec(PDEBUG_CLIENT Client, PCSTR args)
{
    UNREFERENCED_PARAMETER(args);
    HRESULT Status;
    if ((Status = Client->QueryInterface(__uuidof(IDebugControl),
                                         (void **)&g_ExtControl)) != S_OK)
    {
        return Status;
    }
    g_ExtClient = Client;
    g_ExtControl->Execute(DEBUG_OUTCTL_THIS_CLIENT, "tc; u @eip l1",
                          DEBUG_EXECUTE_DEFAULT);
    g_ExtControl->Release();   // balance the QueryInterface above
    g_ExtClient = NULL;
    g_ExtControl = NULL;
    return S_OK;
}

the code above traces the execution till the next call, disassembles the
line and prints it out

0:000> !grep -c "version" -e "command line:"
command line: ‘“f:\windbg\612windbg\windbg.exe” calc’ Debugger Process 0xF7C

0:000> .load exec_c

0:000> !grep -c ".chain" -e "exec_c"
exec_c: API 1.0.0, built Wed Jan 22 10:27:48 2014
[path: f:\windbg\612windbg\winext\exec_c.dll]

0:000> u eip l1
ntdll!RtlpFindUnicodeStringInSection+0x238:
7c9160ff e8eff0ffff call ntdll!bsearch (7c9151f3)

0:000> !dmlexec
ntdll!bsearch+0x7e:
7c9154cb ff5518 call dword ptr [ebp+18h]
0:000>
ntdll!RtlFindActivationContextSectionString+0xd9:
7c9155e8 e8fb000000 call ntdll!RtlFindNextActivationContextSection (7c9156e8)
0:000>
ntdll!RtlFindNextActivationContextSection+0x41:
7c91573d e881fbffff call ntdll!RtlpFindNextActivationContextSection (7c9152c3)
0:000>
ntdll!RtlpFindNextActivationContextSection+0x5c:
7c915345 e83e000000 call ntdll!RtlpLocateActivationContextSection (7c915388)
0:000>
ntdll!RtlpLocateActivationContextSection+0x155:
7c915426 e8c8fdffff call ntdll!bsearch (7c9151f3)
0:000>
ntdll!bsearch+0x3f:
7c915236 ff5518 call dword ptr [ebp+18h]
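For comparison, here is an added example (not the poster's exec_c code and not a Microsoft sample) of the same idea written so that it reports what the engine actually did. The command name tracecall is hypothetical. After issuing "tc" it calls IDebugControl::GetExecutionStatus: if the target is back at DEBUG_STATUS_BREAK the trace has already run and the instruction at the new instruction pointer is disassembled with IDebugRegisters::GetInstructionOffset and IDebugControl::Disassemble (architecture-neutral, unlike "u @eip l1"); otherwise it says so instead of printing the stale location, which is the failure mode the original question describes. The three entry points need to be listed in the DLL's .def file, as with any dbgeng extension.

```cpp
#include <windows.h>
#include <dbgeng.h>

// Hypothetical extension command !tracecall (added example, not the
// list poster's exec_c code). DebugExtensionInitialize,
// DebugExtensionUninitialize and tracecall are exported via the .def file.

extern "C" HRESULT CALLBACK
DebugExtensionInitialize(PULONG Version, PULONG Flags)
{
    *Version = DEBUG_EXTENSION_VERSION(1, 0);
    *Flags = 0;
    return S_OK;
}

extern "C" void CALLBACK DebugExtensionUninitialize(void)
{
}

// Disassemble the single instruction at the current instruction pointer.
// GetInstructionOffset works on every target architecture, unlike "u @eip".
static HRESULT PrintCurrentInstruction(IDebugClient *Client, IDebugControl *Control)
{
    IDebugRegisters *Regs = NULL;
    HRESULT hr = Client->QueryInterface(__uuidof(IDebugRegisters), (void **)&Regs);
    if (FAILED(hr))
        return hr;

    ULONG64 Ip = 0;
    hr = Regs->GetInstructionOffset(&Ip);
    Regs->Release();
    if (FAILED(hr))
        return hr;

    char Text[256];
    ULONG TextLen = 0;
    ULONG64 NextIp = 0;
    hr = Control->Disassemble(Ip, DEBUG_DISASM_EFFECTIVE_ADDRESS,
                              Text, sizeof(Text), &TextLen, &NextIp);
    if (FAILED(hr))
        return hr;

    // Disassemble() already terminates the text with a newline.
    return Control->Output(DEBUG_OUTPUT_NORMAL, "%s", Text);
}

extern "C" HRESULT CALLBACK tracecall(PDEBUG_CLIENT Client, PCSTR Args)
{
    UNREFERENCED_PARAMETER(Args);

    IDebugControl *Control = NULL;
    HRESULT hr = Client->QueryInterface(__uuidof(IDebugControl), (void **)&Control);
    if (FAILED(hr))
        return hr;

    // Refuse to trace unless the target is currently broken in.
    ULONG Status = 0;
    hr = Control->GetExecutionStatus(&Status);
    if (FAILED(hr) || Status != DEBUG_STATUS_BREAK)
    {
        Control->Output(DEBUG_OUTPUT_ERROR, "target must be broken in before tracing\n");
        Control->Release();
        return FAILED(hr) ? hr : E_UNEXPECTED;
    }

    hr = Control->Execute(DEBUG_OUTCTL_THIS_CLIENT, "tc", DEBUG_EXECUTE_DEFAULT);
    if (SUCCEEDED(hr))
    {
        // Ask the engine whether the trace has already completed. If the
        // target is still marked as running, the step happens only after
        // this extension returns, so the ip we would print now is stale.
        hr = Control->GetExecutionStatus(&Status);
        if (SUCCEEDED(hr) && Status == DEBUG_STATUS_BREAK)
            hr = PrintCurrentInstruction(Client, Control);
        else if (SUCCEEDED(hr))
            Control->Output(DEBUG_OUTPUT_NORMAL,
                            "tc is pending (status %lu); it runs after the extension returns\n",
                            Status);
    }

    Control->Release();
    return hr;
}
```

Load it with .load and run !tracecall while the target is stopped; the status check after Execute is what tells you which of the two behaviours from the question you are seeing in your engine version, rather than assuming the trace completed.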
