SHORT:
I’m confused, because what you’ve posted doesn’t make sense in a few areas,
but assuming that you’re writing a wdbgext type extension and have just
screwed up the prototype for ‘GetContext(),’ my guess would be:
- if you’re writing a user mode debugger extension, then the first
parameter is the thread id of the thread which you wish to examine.
- if you’re writing a kernel mode debugger extension, then the first
parameter is the processor number.
As to where you get these numbers from, I have no idea, as I have no idea of
what you are trying to examine. They are in either (kernel or user) case
most definitely not random values.
LONG:
- Where are you getting your information from?
What you’re reporting would appear to indicate that you are trying to write
a Wdbgext based extension (v. DbgEng and EngExtCpp); however that’s not the
prototype for GetContext():
You have:  PWNDBAG_GET_THREAD_CONTEXT_ROUTINE(ULONG Processor, PCONTEXT lpContext, ULONG cbSizeOfContent)
Should be: ULONG GetContext (ULONG Target, PCONTEXT lpContext, ULONG cbSizeOfContext);
I don’t know if you prototyped this yourself, got it somewhere off the web,
or had a copy & paste error, but ‘PWNDBAG_GET_THREAD_CONTEXT_ROUTINE’ is
definitely not part of any of the windbg APIs.
- What version of windbg are you using?
For best results, you really should be using the most recent version
available, which (unfortunately) comes bundled as part of the WDK (Win7 RTM
7.1.0.7600).
- What style of extension are you trying to write?
Your choices are: (a) Wdbgext; (b) DbgEng; or (c) EngExtCpp
(a) is the oldest model, and unless you have a good reason for using it
(like existing code), I’d strongly recommend that you use either (b) or (c).
(b) is the current base api for windbg extensions.
(c) is a C++ wrapper around (b). I prefer it to (b), but it provides the
same capabilities.
- You might want to start off by using one of the samples provided with
the WinDbg SDK as a base for development.
They are located here: /Debuggers/SDK/Samples (or under /SDK/Samples if
you’re using a version that doesn’t come with the WDK).
You might (don’t recall) have to specifically instruct the installer to
install the SDK, so if you don’t see the ‘SDK’ directory, I would try
reinstalling.
In particular:
- If you’re using style (a), you might want to take a look at the
‘simplext’ sample.
- If you’re using style (b), you might want to take a look at the ‘ext’
sample.
- If you’re using style (c), you might want to take a look at the ‘extcpp’
sample.
Good luck,
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, January 02, 2011 9:11 PM
To: Kernel Debugging Interest List
Subject: [windbg] WinDbg GetContext Extension Function
I’m trying to write a Wdbgexts extension for WinDbg and need to get the
value of EIP. It seems the easiest way to do this is to use the GetContext
function, which has a function prototype of ULONG
PWNDBAG_GET_THREAD_CONTEXT_ROUTINE(ULONG Processor, PCONTEXT lpContext,
ULONG cbSizeOfContent). What should I use as its first parameter?
I’ve tried a long list of numbers, and it seems that some seemingly random
numbers give correct results - such as 848, 849, 850, and 851 - but the
numbers 0 - 4 don’t return anything useful. I’ve tried searching Google, but
I can’t seem to find any examples of it being used. Same goes for Google
code and the SDK included with Debugging Tools for Windows.
Thanks.
—
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer