@Mm, were you referring to IDiaFrameData::get_lengthParams?
I just pieced together a hack to check this method, and it seems to get
the number of bytes pushed onto the stack in 32-bit; it is untested in 64-bit.
#include <stdio.h>
#include <windows.h>
#include <dia2.h>
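/*
 * Proof of concept: look up public symbols by name in a PDB through the DIA
 * SDK and print, for each hit, the IDiaFrameData::get_lengthParams value
 * divided by 4.
 *
 * NOTE(review): the listing as posted was damaged by the forum renderer
 * (line continuations shown as "<br>", typographic quotes, "__" and "*"
 * stripped, several lines missing). Tokens are restored below; every line
 * that had to be re-created rather than restored is marked "reconstructed"
 * and should be checked against the author's original.
 *
 * NOTE(review): the PDB named on the command line is parsed in-process by the
 * DIA library; treat symbol files from untrusted sources accordingly (run the
 * tool unprivileged / isolated).
 */

/* Print a usage line and leave main() unless exactly two arguments are given. */
#define USAGE if (argc != 3) { printf( \
    "usage %s %s %s\n", argv[0], "file.pdb", "typename"); return 0; }

/* Print a message; if the HRESULT last stored in `result` is not S_OK,
 * release the DIA interfaces and exit with a non-zero status afterwards.
 * (The posted version called exit(0), which reports success to the caller.) */
#define SHOUT(...) do { printf(__VA_ARGS__); \
    if (result != S_OK) { relees(); exit(1); } } while (0)

/* Run a call, store its HRESULT in `result`, and abort with the source line
 * number on anything other than S_OK (this includes S_FALSE). */
#define QUIET(x) do { result = (x); if (result != S_OK) { \
    SHOUT("%s %d\n", "failed on ", __LINE__); } } while (0)

/* Run a call and print its out-parameters, but only after the call has
 * succeeded: the posted version printed them on failure too, i.e. it could
 * pass never-written values (such as an uninitialised BSTR) to printf. */
#define LOUD(x, ...) do { QUIET(x); printf(__VA_ARGS__); } while (0)

/* Release a COM interface pointer once and clear it so a later call to
 * relees() cannot release it a second time. */
#define RELICE(x) do { if ((x) != NULL) { (x)->Release(); (x) = NULL; } } while (0)

/* Declare VARIANT `y` holding a freshly allocated BSTR copy of `x`.
 * Declares a variable, so it cannot be wrapped in do { } while (0). */
#define MAKEVARIANT(x, y) VARIANT y; VariantInit(&y); y.vt = VT_BSTR; \
    y.bstrVal = SysAllocString(x);
/* Free the BSTR allocated by MAKEVARIANT. */
#define DELVARIANT(y) SysFreeString(y.bstrVal);

#define BUFFERSIZE 0x400

/* Wide-character copies of argv[1] (PDB path) and argv[2] (symbol name). */
wchar_t pdb[BUFFERSIZE] = {0}, type[BUFFERSIZE] = {0};
/* HRESULT of the most recent call made through QUIET/LOUD. */
HRESULT result = E_FAIL;
IDiaDataSource *pSource = NULL;
IDiaSession *pSession = NULL;
IDiaSymbol *pSymbol = NULL;
IDiaEnumSymbols *pEnum = NULL;
IDiaEnumFrameData *pEnumFrameData = NULL;
IDiaFrameData *pFrameData = NULL;
IDiaEnumTables *pEnumTables = NULL;
/* The "*" was missing in the posted listing; the variable is used as a
 * pointer (&pTable is passed to Item, pTable->QueryInterface is called). */
IDiaTable *pTable = NULL;

/* Release every DIA interface held in the globals above.
 * NOTE(review): reconstructed -- only the opening line of this function
 * survived in the post; the body is inferred from RELICE and the globals. */
void relees(void) {
    RELICE(pFrameData);
    RELICE(pEnumFrameData);
    RELICE(pTable);
    RELICE(pEnumTables);
    RELICE(pEnum);
    RELICE(pSymbol);
    RELICE(pSession);
    RELICE(pSource);
}

/* Usage: <exe> file.pdb symbolname
 * Returns 0 on success (or after printing usage), 1 on a bad argument;
 * any failing DIA/COM call exits with status 1 through SHOUT. */
int main(int argc, char *argv[]) {
    /* The posted main() never invoked USAGE, so argv[1]/argv[2] were read
     * even when absent. */
    USAGE

    /* Bound the conversion by the real buffer size and reject input that does
     * not fit instead of continuing with a silently truncated path or name. */
    if (swprintf(pdb, BUFFERSIZE, L"%S", argv[1]) < 0 ||
        swprintf(type, BUFFERSIZE, L"%S", argv[2]) < 0) {
        printf("argument too long or not convertible\n");
        return 1;
    }

    QUIET(CoInitialize(NULL));
    QUIET(CoCreateInstance(__uuidof(DiaSource), NULL,
        CLSCTX_INPROC_SERVER, __uuidof(IDiaDataSource), (void **)&pSource));
    QUIET(pSource->loadDataFromPdb(pdb));
    QUIET(pSource->openSession(&pSession));
    /* Hard-coded load address taken from the post; the "VA" values printed
     * below depend on it. */
    QUIET(pSession->put_loadAddress(0x804d7000));
    QUIET(pSession->get_globalScope(&pSymbol));

    /* Fetch the frame-data table by name and ask it for the frame-data
     * enumerator interface. */
    QUIET(pSession->getEnumTables(&pEnumTables));
    MAKEVARIANT(DiaTable_FrameData, var);
    if (var.bstrVal == NULL) {
        printf("out of memory\n");
        relees();
        return 1;
    }
    QUIET(pEnumTables->Item(var, &pTable));
    DELVARIANT(var);
    QUIET(pTable->QueryInterface(__uuidof(IDiaEnumFrameData),
        (void **)&pEnumFrameData));

    /* NOTE(review): reconstructed -- the tail of this call was lost in the
     * post. &pEnum follows from the use of pEnum below; the compare flag is a
     * guess and must be confirmed against the author's original. */
    QUIET(pSymbol->findChildren(SymTagPublicSymbol, type,
        nsfCaseInsensitive, &pEnum));

    LONG Count = 0;
    QUIET(pEnum->get_Count(&Count));
    for (LONG i = 0; i < Count; i++) {
        IDiaSymbol *pSym = NULL;
        DWORD pt32 = 0;
        DWORD64 pt64 = 0;
        BSTR name = NULL;

        QUIET(pEnum->Item((DWORD)i, &pSym));
        LOUD(pSym->get_name(&name), "%30s:%S\n", "FunctionName", name);
        LOUD(pSym->get_addressOffset(&pt32), "%30s:%lx\n", "Offset", pt32);
        LOUD(pSym->get_length(&pt64), "%30s:%I64x\n", "length", pt64);
        LOUD(pSym->get_virtualAddress(&pt64), "%30s:%I64x\n", "VA", pt64);
        LOUD(pSym->get_relativeVirtualAddress(&pt32), "%30s:%lx\n", "RVA", pt32);

        /* get_lengthParams yields a byte count. Dividing by 4 gives a
         * parameter count only when every parameter occupies one 4-byte stack
         * slot, as in the 32-bit run quoted in the post (0x2C / 4 = 11); the
         * author states this is untested on 64-bit. */
        QUIET(pEnumFrameData->frameByRVA(pt32, &pFrameData));
        LOUD(pFrameData->get_lengthParams(&pt32), "%30s: %lu\n", "args", pt32 / 4);

        /* Per-iteration cleanup; the posted listing shows none, so each match
         * would leak a BSTR and two interface references. */
        SysFreeString(name);
        RELICE(pFrameData);
        RELICE(pSym);
    }

    relees();
    CoUninitialize();
    return 0;
}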
:>diatest32.exe ntkrnlpa.pdb _ntcreatefile
args: 11
Output from the compiled dia2dump sample, for comparison (0x2C = 44 bytes, i.e. 11 four-byte parameters):
:>%d2dum% -fpo 0x972ee ntkrnlpa.pdb | grep -i len.*param
lengthParams: 0x2C
On 1/1/15, raj_r wrote:
> thanks Mm please do post back if you recall the name by luck
> my dates with lady dia in the past had been Cool
> wishing everyone who make osrlists OSRLISTS a very happy new year
> On 12/31/14, Martin O’Brien wrote:
>> There is a dia method for it (don’t recall the name), but it would
>> require
>> private symbols.
>> Mm
>> On Dec 31, 2014 5:19 AM, “raj_r” wrote:
>>> i have an x86 windbg extension that uses cdwParams from FPO_DATA
>>> grep -nHiA 10 FPO_DATA winnt.h | grep -i cdwp
>>> winnt.h-12430- WORD cdwParams; // # bytes in
>>> params/4
>>> is there an equivalent method in x64 ?
>>> using .fnent command for an arbitrary function that has a public pdb
>>> available
>>> i can glean that this function takes n number of arguments in X86 i
>>> need to find the same information on a X64 for the same arbitrary
>>> function
>>> kd -kl -c ".fnent nt!ntCreateFile;q" | Findstr Params
>>> Params: 0n11 (0x2c bytes)
>>> in the output above windbg tells me NtCreateFile Takes 0n11 arguments in
>>> x86
>>> and i can programmatically get the same information from the dbgeng
>>> function
>>> GetFunctionEntryByOffset which returns FPO_DATA for the function in
>>> the buffer for x86
>>> but for x64 it returns an IMAGE_FUNCTION_ENTRY
>>> reading through the UnWindInfo Documentation i cant seem to find a
>>> reference to number of arguments a function may take
>>> all unWindInfo puts into .pdata section in a PE32 seems to be
>>> UWOP_XXXX entries that mainly balances the stack
>>> is there a Dia method that would return me the information if dbgeng
>>> cant return it
>>> are there any less preferable hacks that may work on x version updated
>>> to y level of windows which i can experiment with to get the number of
>>> arguments a function may take in X64 ?
