📄 wdbgexts.h
字号:
//
// This is a unique tag to identify the owner of the block.
// If your component only uses one pool tag, use it for this, too.
//
ULONG OwnerTag;
//
// This must be initialized to the size of the data block,
// including this structure.
//
ULONG Size;
} DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64;
//
// This structure is the same size on all systems. The only field
// which must be translated by the debugger is Header.List.
//
//
// DO NOT ADD OR REMOVE FIELDS FROM THE MIDDLE OF THIS STRUCTURE!!!
//
// If you remove a field, replace it with an "unused" placeholder.
// Do not reuse fields until there has been enough time for old debuggers
// and extensions to age out.
//
typedef struct _KDDEBUGGER_DATA64 {
DBGKD_DEBUG_DATA_HEADER64 Header;
//
// Base address of kernel image
//
ULONG64 KernBase;
//
// DbgBreakPointWithStatus is a function which takes an argument
// and hits a breakpoint. This field contains the address of the
// breakpoint instruction. When the debugger sees a breakpoint
// at this address, it may retrieve the argument from the first
// argument register, or on x86 the eax register.
//
ULONG64 BreakpointWithStatus; // address of breakpoint
//
// Address of the saved context record during a bugcheck
//
// N.B. This is an automatic in KeBugcheckEx's frame, and
// is only valid after a bugcheck.
//
ULONG64 SavedContext;
//
// help for walking stacks with user callbacks:
//
//
// The address of the thread structure is provided in the
// WAIT_STATE_CHANGE packet. This is the offset from the base of
// the thread structure to the pointer to the kernel stack frame
// for the currently active usermode callback.
//
USHORT ThCallbackStack; // offset in thread data
//
// these values are offsets into that frame:
//
USHORT NextCallback; // saved pointer to next callback frame
USHORT FramePointer; // saved frame pointer
//
// pad to a quad boundary
//
USHORT PaeEnabled:1;
//
// Address of the kernel callout routine.
//
ULONG64 KiCallUserMode; // kernel routine
//
// Address of the usermode entry point for callbacks.
//
ULONG64 KeUserCallbackDispatcher; // address in ntdll
//
// Addresses of various kernel data structures and lists
// that are of interest to the kernel debugger.
//
ULONG64 PsLoadedModuleList;
ULONG64 PsActiveProcessHead;
ULONG64 PspCidTable;
ULONG64 ExpSystemResourcesList;
ULONG64 ExpPagedPoolDescriptor;
ULONG64 ExpNumberOfPagedPools;
ULONG64 KeTimeIncrement;
ULONG64 KeBugCheckCallbackListHead;
ULONG64 KiBugcheckData;
ULONG64 IopErrorLogListHead;
ULONG64 ObpRootDirectoryObject;
ULONG64 ObpTypeObjectType;
ULONG64 MmSystemCacheStart;
ULONG64 MmSystemCacheEnd;
ULONG64 MmSystemCacheWs;
ULONG64 MmPfnDatabase;
ULONG64 MmSystemPtesStart;
ULONG64 MmSystemPtesEnd;
ULONG64 MmSubsectionBase;
ULONG64 MmNumberOfPagingFiles;
ULONG64 MmLowestPhysicalPage;
ULONG64 MmHighestPhysicalPage;
ULONG64 MmNumberOfPhysicalPages;
ULONG64 MmMaximumNonPagedPoolInBytes;
ULONG64 MmNonPagedSystemStart;
ULONG64 MmNonPagedPoolStart;
ULONG64 MmNonPagedPoolEnd;
ULONG64 MmPagedPoolStart;
ULONG64 MmPagedPoolEnd;
ULONG64 MmPagedPoolInformation;
ULONG64 Unused2;
ULONG64 MmSizeOfPagedPoolInBytes;
ULONG64 MmTotalCommitLimit;
ULONG64 MmTotalCommittedPages;
ULONG64 MmSharedCommit;
ULONG64 MmDriverCommit;
ULONG64 MmProcessCommit;
ULONG64 MmPagedPoolCommit;
ULONG64 MmExtendedCommit;
ULONG64 MmZeroedPageListHead;
ULONG64 MmFreePageListHead;
ULONG64 MmStandbyPageListHead;
ULONG64 MmModifiedPageListHead;
ULONG64 MmModifiedNoWritePageListHead;
ULONG64 MmAvailablePages;
ULONG64 MmResidentAvailablePages;
ULONG64 PoolTrackTable;
ULONG64 NonPagedPoolDescriptor;
ULONG64 MmHighestUserAddress;
ULONG64 MmSystemRangeStart;
ULONG64 MmUserProbeAddress;
ULONG64 KdPrintCircularBuffer;
ULONG64 KdPrintCircularBufferEnd;
ULONG64 KdPrintWritePointer;
ULONG64 KdPrintRolloverCount;
ULONG64 MmLoadedUserImageList;
} KDDEBUGGER_DATA64, *PKDDEBUGGER_DATA64;
#endif
#define DBG_DUMP_NO_INDENT 0x00000001
#define DBG_DUMP_NO_OFFSET 0x00000002
#define DBG_DUMP_VERBOSE 0x00000004
#define DBG_DUMP_CALL_FOR_EACH 0x00000008
#define DBG_DUMP_LIST 0x00000020
#define DBG_DUMP_NO_PRINT 0x00000040
#define DBG_DUMP_GET_SIZE_ONLY 0x00000080
#define DBG_DUMP_RECUR_LEVEL(l) ((l & 0xf) << 8)
#define DBG_DUMP_PRINT_TYPE_NAME 0x00004000
#define DBG_DUMP_ARRAY 0x00008000
#define DBG_DUMP_COMPACT_OUT 0x00200000
// Dump and callback optons for fields
#define DBG_DUMP_FIELD_CALL_BEFORE_PRINT 0x00000001
#define DBG_DUMP_FIELD_NO_CALLBACK_REQ 0x00000002
#define DBG_DUMP_FIELD_RECUR_ON_THIS 0x00000004
#define DBG_DUMP_FIELD_FULL_NAME 0x00000008
#define DBG_DUMP_FIELD_ARRAY 0x00000010
#define DBG_DUMP_FIELD_COPY_FIELD_DATA 0x00000020
#define DBG_DUMP_FIELD_RETURN_ADDRESS 0x00001000
#define DBG_DUMP_FIELD_DEFAULT_STRING 0x00010000
#define DBG_DUMP_FIELD_WCHAR_STRING 0x00020000
#define DBG_DUMP_FIELD_MULTI_STRING 0x00040000
#define DBG_DUMP_FIELD_GUID_STRING 0x00080000
#define DBG_DUMP_FIELD_STRING 0x000F0000
#define DBG_DUMP_FIELD_PRINT_ULONG 0x00400000
typedef
ULONG
(WDBGAPI*PSYM_DUMP_FIELD_CALLBACK)(
struct _FIELD_INFO *pField,
PVOID UserContext
);
typedef struct _FIELD_INFO {
UCHAR fName[256]; // Name of the field
UCHAR printName[80]; // Name to be printed at dump
ULONG size; // Size of the field
ULONG fOptions; // Dump Options for the field
ULONG64 address; // address of the field
PVOID fieldCallBack; // Return info or callBack routine for the field
} FIELD_INFO, *PFIELD_INFO;
typedef struct _SYM_DUMP_PARAM {
ULONG size; // size of this struct
PUCHAR sName; // type name
ULONG Options; // Dump options
ULONG64 addr; // Address to take data for type
PFIELD_INFO listLink; // fName here would be used to do list dump
PVOID Context; // Usercontext passed to CallbackRoutine
PSYM_DUMP_FIELD_CALLBACK CallbackRoutine;
// Routine called back
ULONG nFields; // # elements in Fields
PFIELD_INFO Fields; // Used to return information about field
} SYM_DUMP_PARAM, *PSYM_DUMP_PARAM;
#ifdef __cplusplus
#define CPPMOD extern "C"
#else
#define CPPMOD
#endif
#ifndef NOEXTAPI
#if defined(KDEXT_64BIT)
#define WINDBG_EXTENSION_APIS WINDBG_EXTENSION_APIS64
#define DECLARE_API(s) DECLARE_API64(s)
#elif defined(KDEXT_32BIT)
#define WINDBG_EXTENSION_APIS WINDBG_EXTENSION_APIS32
#define DECLARE_API(s) DECLARE_API32(s)
#else
#define DECLARE_API(s) \
CPPMOD VOID \
s( \
HANDLE hCurrentProcess, \
HANDLE hCurrentThread, \
ULONG dwCurrentPc, \
ULONG dwProcessor, \
PCSTR args \
)
#endif
#define DECLARE_API32(s) \
CPPMOD VOID \
s( \
HANDLE hCurrentProcess, \
HANDLE hCurrentThread, \
ULONG dwCurrentPc, \
ULONG dwProcessor, \
PCSTR args \
)
#define DECLARE_API64(s) \
CPPMOD VOID \
s( \
HANDLE hCurrentProcess, \
HANDLE hCurrentThread, \
ULONG64 dwCurrentPc, \
ULONG dwProcessor, \
PCSTR args \
)
extern WINDBG_EXTENSION_APIS ExtensionApis;
#define dprintf (ExtensionApis.lpOutputRoutine)
#define GetExpression (ExtensionApis.lpGetExpressionRoutine)
#define CheckControlC (ExtensionApis.lpCheckControlCRoutine)
#define GetContext (ExtensionApis.lpGetThreadContextRoutine)
#define SetContext (ExtensionApis.lpSetThreadContextRoutine)
#define Ioctl (ExtensionApis.lpIoctlRoutine)
#define Disasm (ExtensionApis.lpDisasmRoutine)
#define GetSymbol (ExtensionApis.lpGetSymbolRoutine)
#define ReadMemory (ExtensionApis.lpReadProcessMemoryRoutine)
#define WriteMemory (ExtensionApis.lpWriteProcessMemoryRoutine)
#define StackTrace (ExtensionApis.lpStackTraceRoutine)
#define GetKdContext(ppi) \
Ioctl( IG_KD_CONTEXT, (PVOID)ppi, sizeof(*ppi) )
//
// BOOL
// GetDebuggerData(
// ULONG Tag,
// PVOID Buf,
// ULONG Size
// )
//
#define GetDebuggerData(TAG, BUF, SIZE) \
( (((PDBGKD_DEBUG_DATA_HEADER64)(BUF))->OwnerTag = (TAG)), \
(((PDBGKD_DEBUG_DATA_HEADER64)(BUF))->Size = (SIZE)), \
Ioctl( IG_GET_DEBUGGER_DATA, (PVOID)(BUF), (SIZE) ) )
// Check if LocalAlloc is prototyped
//#ifdef _WINBASE_
__inline VOID
ReadPhysical(
ULONG64 address,
PVOID buf,
ULONG size,
PULONG sizer
)
{
PPHYSICAL phy;
phy = (PPHYSICAL)LocalAlloc(LPTR, sizeof(*phy) + size );
ZeroMemory( phy->Buf, size );
phy->Address = address;
phy->BufLen = size;
Ioctl( IG_READ_PHYSICAL, (PVOID)phy, sizeof(*phy) + size );
*sizer = phy->BufLen;
CopyMemory( buf, phy->Buf, *sizer );
LocalFree( phy );
}
__inline VOID
WritePhysical(
ULONG64 address,
PVOID buf,
ULONG size,
PULONG sizew
)
{
PPHYSICAL phy;
phy = (PPHYSICAL)LocalAlloc(LPTR, sizeof(*phy) + size );
ZeroMemory( phy->Buf, size );
phy->Address = address;
phy->BufLen = size;
CopyMemory( phy->Buf, buf, size );
Ioctl( IG_WRITE_PHYSICAL, (PVOID)phy, sizeof(*phy) + size );
*sizew = phy->BufLen;
LocalFree( phy );
}
__inline VOID
ReadMsr(
ULONG MsrReg,
ULONGLONG *MsrValue
)
{
PREAD_WRITE_MSR msr;
msr = (PREAD_WRITE_MSR)LocalAlloc(LPTR, sizeof(*msr));
msr->Msr = MsrReg;
Ioctl( IG_READ_MSR, (PVOID)msr, sizeof(*msr) );
*MsrValue = msr->Value;
LocalFree( msr );
}
__inline VOID
WriteMsr(
ULONG MsrReg,
ULONGLONG MsrValue
)
{
PREAD_WRITE_MSR msr;
msr = (PREAD_WRITE_MSR)LocalAlloc(LPTR, sizeof(*msr));
msr->Msr = MsrReg;
msr->Value = MsrValue;
Ioctl( IG_WRITE_MSR, (PVOID)msr, sizeof(*msr) );
LocalFree( msr );
}
__inline VOID
SetThreadForOperation(
ULONG_PTR * Thread
)
{
Ioctl(IG_SET_THREAD, (PVOID)Thread, sizeof(PULONG));
}
__inline VOID
SetThreadForOperation32(
ULONG Thread
)
{
Ioctl(IG_SET_THREAD, (PVOID)LongToPtr(Thread), sizeof(PULONG));
}
__inline VOID
SetThreadForOperation64(
PULONG64 Thread
)
{
Ioctl(IG_SET_THREAD, (PVOID)Thread, sizeof(PULONG));
}
__inline VOID
ReadControlSpace(
USHORT processor,
ULONG address,
PVOID buf,
ULONG size
)
{
PREADCONTROLSPACE prc;
prc = (PREADCONTROLSPACE)LocalAlloc(LPTR, sizeof(*prc) + size );
ZeroMemory( prc->Buf, size );
prc->Processor = processor;
prc->Address = address;
prc->BufLen = size;
Ioctl( IG_READ_CONTROL_SPACE, (PVOID)prc, sizeof(*prc) + size );
CopyMemory( buf, prc->Buf, size );
LocalFree( prc );
}
__inline VOID
ReadControlSpace32(
USHORT processor,
ULONG address,
PVOID buf,
ULONG size
)
{
PREADCONTROLSPACE32 prc;
prc = (PREADCONTROLSPACE32)LocalAlloc(LPTR, sizeof(*prc) + size );
ZeroMemory( prc->Buf, size );
prc->Processor = processor;
prc->Address = address;
prc->BufLen = size;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -