📄 windbgkd.h
字号:
UIP(MmSystemCacheWs);
UIP(MmPfnDatabase);
UIP(MmSystemPtesStart);
UIP(MmSystemPtesEnd);
UIP(MmSubsectionBase);
UIP(MmNumberOfPagingFiles);
UIP(MmLowestPhysicalPage);
UIP(MmHighestPhysicalPage);
UIP(MmNumberOfPhysicalPages);
UIP(MmMaximumNonPagedPoolInBytes);
UIP(MmNonPagedSystemStart);
UIP(MmNonPagedPoolStart);
UIP(MmNonPagedPoolEnd);
UIP(MmPagedPoolStart);
UIP(MmPagedPoolEnd);
UIP(MmPagedPoolInformation);
CP(MmPageSize);
UIP(MmSizeOfPagedPoolInBytes);
UIP(MmTotalCommitLimit);
UIP(MmTotalCommittedPages);
UIP(MmSharedCommit);
UIP(MmDriverCommit);
UIP(MmProcessCommit);
UIP(MmPagedPoolCommit);
UIP(MmExtendedCommit);
UIP(MmZeroedPageListHead);
UIP(MmFreePageListHead);
UIP(MmStandbyPageListHead);
UIP(MmModifiedPageListHead);
UIP(MmModifiedNoWritePageListHead);
UIP(MmAvailablePages);
UIP(MmResidentAvailablePages);
UIP(PoolTrackTable);
UIP(NonPagedPoolDescriptor);
UIP(MmHighestUserAddress);
UIP(MmSystemRangeStart);
UIP(MmUserProbeAddress);
UIP(KdPrintCircularBuffer);
UIP(KdPrintCircularBufferEnd);
UIP(KdPrintWritePointer);
UIP(KdPrintRolloverCount);
UIP(MmLoadedUserImageList);
#undef UIP
#undef CP
}
__inline
void
DebuggerData64To32(
IN PKDDEBUGGER_DATA64 Dd64,
OUT PKDDEBUGGER_DATA32 Dd32
)
{
#define UIP(f) Dd32->f = (ULONG)Dd64->f
#define CP(f) Dd32->f = Dd64->f
DebuggerDataHeader64To32(&Dd64->Header, &Dd32->Header);
UIP(KernBase);
UIP(BreakpointWithStatus);
UIP(SavedContext);
CP(ThCallbackStack);
CP(NextCallback);
CP(FramePointer);
CP(PaeEnabled);
UIP(KiCallUserMode);
UIP(KeUserCallbackDispatcher);
UIP(PsLoadedModuleList);
UIP(PsActiveProcessHead);
UIP(PspCidTable);
UIP(ExpSystemResourcesList);
UIP(ExpPagedPoolDescriptor);
UIP(ExpNumberOfPagedPools);
UIP(KeTimeIncrement);
UIP(KeBugCheckCallbackListHead);
UIP(KiBugcheckData);
UIP(IopErrorLogListHead);
UIP(ObpRootDirectoryObject);
UIP(ObpTypeObjectType);
UIP(MmSystemCacheStart);
UIP(MmSystemCacheEnd);
UIP(MmSystemCacheWs);
UIP(MmPfnDatabase);
UIP(MmSystemPtesStart);
UIP(MmSystemPtesEnd);
UIP(MmSubsectionBase);
UIP(MmNumberOfPagingFiles);
UIP(MmLowestPhysicalPage);
UIP(MmHighestPhysicalPage);
UIP(MmNumberOfPhysicalPages);
UIP(MmMaximumNonPagedPoolInBytes);
UIP(MmNonPagedSystemStart);
UIP(MmNonPagedPoolStart);
UIP(MmNonPagedPoolEnd);
UIP(MmPagedPoolStart);
UIP(MmPagedPoolEnd);
UIP(MmPagedPoolInformation);
UIP(MmPageSize);
UIP(MmSizeOfPagedPoolInBytes);
UIP(MmTotalCommitLimit);
UIP(MmTotalCommittedPages);
UIP(MmSharedCommit);
UIP(MmDriverCommit);
UIP(MmProcessCommit);
UIP(MmPagedPoolCommit);
UIP(MmExtendedCommit);
UIP(MmZeroedPageListHead);
UIP(MmFreePageListHead);
UIP(MmStandbyPageListHead);
UIP(MmModifiedPageListHead);
UIP(MmModifiedNoWritePageListHead);
UIP(MmAvailablePages);
UIP(MmResidentAvailablePages);
UIP(PoolTrackTable);
UIP(NonPagedPoolDescriptor);
UIP(MmHighestUserAddress);
UIP(MmSystemRangeStart);
UIP(MmUserProbeAddress);
UIP(KdPrintCircularBuffer);
UIP(KdPrintCircularBufferEnd);
UIP(KdPrintWritePointer);
UIP(KdPrintRolloverCount);
UIP(MmLoadedUserImageList);
#undef UIP
#undef CP
}
typedef struct _DBGKD_SEARCH_MEMORY {
union {
ULONG64 SearchAddress;
ULONG64 FoundAddress;
};
ULONG64 SearchLength;
ULONG PatternLength;
} DBGKD_SEARCH_MEMORY, *PDBGKD_SEARCH_MEMORY;
typedef struct _DBGKD_GET_SET_BUS_DATA {
ULONG BusDataType;
ULONG BusNumber;
ULONG SlotNumber;
ULONG Offset;
ULONG Length;
} DBGKD_GET_SET_BUS_DATA, *PDBGKD_GET_SET_BUS_DATA;
#include <pshpack4.h>
typedef struct _DBGKD_MANIPULATE_STATE32 {
ULONG ApiNumber;
USHORT ProcessorLevel;
USHORT Processor;
NTSTATUS ReturnStatus;
union {
DBGKD_READ_MEMORY32 ReadMemory;
DBGKD_WRITE_MEMORY32 WriteMemory;
DBGKD_READ_MEMORY64 ReadMemory64;
DBGKD_WRITE_MEMORY64 WriteMemory64;
DBGKD_GET_CONTEXT GetContext;
DBGKD_SET_CONTEXT SetContext;
DBGKD_WRITE_BREAKPOINT32 WriteBreakPoint;
DBGKD_RESTORE_BREAKPOINT RestoreBreakPoint;
DBGKD_CONTINUE Continue;
DBGKD_CONTINUE2 Continue2;
DBGKD_READ_WRITE_IO32 ReadWriteIo;
DBGKD_READ_WRITE_IO_EXTENDED32 ReadWriteIoExtended;
DBGKD_QUERY_SPECIAL_CALLS QuerySpecialCalls;
DBGKD_SET_SPECIAL_CALL32 SetSpecialCall;
DBGKD_SET_INTERNAL_BREAKPOINT32 SetInternalBreakpoint;
DBGKD_GET_INTERNAL_BREAKPOINT32 GetInternalBreakpoint;
DBGKD_GET_VERSION32 GetVersion32;
DBGKD_BREAKPOINTEX BreakPointEx;
DBGKD_READ_WRITE_MSR ReadWriteMsr;
DBGKD_SEARCH_MEMORY SearchMemory;
} u;
} DBGKD_MANIPULATE_STATE32, *PDBGKD_MANIPULATE_STATE32;
#include <poppack.h>
typedef struct _DBGKD_MANIPULATE_STATE64 {
ULONG ApiNumber;
USHORT ProcessorLevel;
USHORT Processor;
NTSTATUS ReturnStatus;
union {
DBGKD_READ_MEMORY64 ReadMemory;
DBGKD_WRITE_MEMORY64 WriteMemory;
DBGKD_GET_CONTEXT GetContext;
DBGKD_SET_CONTEXT SetContext;
DBGKD_WRITE_BREAKPOINT64 WriteBreakPoint;
DBGKD_RESTORE_BREAKPOINT RestoreBreakPoint;
DBGKD_CONTINUE Continue;
DBGKD_CONTINUE2 Continue2;
DBGKD_READ_WRITE_IO64 ReadWriteIo;
DBGKD_READ_WRITE_IO_EXTENDED64 ReadWriteIoExtended;
DBGKD_QUERY_SPECIAL_CALLS QuerySpecialCalls;
DBGKD_SET_SPECIAL_CALL64 SetSpecialCall;
DBGKD_SET_INTERNAL_BREAKPOINT64 SetInternalBreakpoint;
DBGKD_GET_INTERNAL_BREAKPOINT64 GetInternalBreakpoint;
DBGKD_GET_VERSION64 GetVersion64;
DBGKD_BREAKPOINTEX BreakPointEx;
DBGKD_READ_WRITE_MSR ReadWriteMsr;
DBGKD_SEARCH_MEMORY SearchMemory;
DBGKD_GET_SET_BUS_DATA GetSetBusData;
} u;
} DBGKD_MANIPULATE_STATE64, *PDBGKD_MANIPULATE_STATE64;
__inline
ULONG
DbgkdManipulateState32To64(
IN PDBGKD_MANIPULATE_STATE32 r32,
OUT PDBGKD_MANIPULATE_STATE64 r64,
OUT PULONG AdditionalDataSize
)
{
r64->ApiNumber = r32->ApiNumber;
r64->ProcessorLevel = r32->ProcessorLevel;
r64->Processor = r32->Processor;
r64->ReturnStatus = r32->ReturnStatus;
*AdditionalDataSize = 0;
//
// translate the messages which may be sent by the kernel
//
switch (r64->ApiNumber) {
case DbgKdSetContextApi:
case DbgKdRestoreBreakPointApi:
case DbgKdContinueApi:
case DbgKdContinueApi2:
case DbgKdRebootApi:
case DbgKdClearSpecialCallsApi:
case DbgKdRestoreBreakPointExApi:
case DbgKdCauseBugCheckApi:
case DbgKdSwitchProcessor:
case DbgKdWriteMachineSpecificRegister:
case DbgKdWriteIoSpaceApi:
case DbgKdSetSpecialCallApi:
case DbgKdSetInternalBreakPointApi:
case DbgKdWriteIoSpaceExtendedApi:
break;
case DbgKdReadMachineSpecificRegister:
r64->u.ReadWriteMsr = r32->u.ReadWriteMsr;
break;
//
// GetVersion may need to be handled by the calling code;
// it needs to call DbgkdGetVersion32To64 with the DebuggerDataBlock.
//
case DbgKdGetVersionApi:
break;
case DbgKdGetContextApi:
*AdditionalDataSize = sizeof(CONTEXT);
break;
//case DbgKdQuerySpecialCallsApi:
// r64->u.QuerySpecialCalls = r32->u.QuerySpecialCalls;
// *AdditionalDataSize = r64->u.QuerySpecialCalls.NumberOfSpecialCalls * sizeof(ULONG);
// break;
case DbgKdWriteBreakPointExApi:
r64->u.BreakPointEx = r32->u.BreakPointEx;
*AdditionalDataSize = r64->u.BreakPointEx.BreakPointCount * sizeof(ULONG);
break;
case DbgKdReadVirtualMemoryApi:
case DbgKdReadPhysicalMemoryApi:
case DbgKdReadControlSpaceApi:
DbgkdReadMemory32To64(&r32->u.ReadMemory, &r64->u.ReadMemory);
if (NT_SUCCESS(r32->ReturnStatus)) {
*AdditionalDataSize = r64->u.ReadMemory.ActualBytesRead;
}
break;
case DbgKdWriteVirtualMemoryApi:
case DbgKdWritePhysicalMemoryApi:
case DbgKdWriteControlSpaceApi:
DbgkdWriteMemory32To64(&r32->u.WriteMemory, &r64->u.WriteMemory);
break;
case DbgKdWriteBreakPointApi:
DbgkdWriteBreakpoint32To64(&r32->u.WriteBreakPoint, &r64->u.WriteBreakPoint);
break;
case DbgKdReadIoSpaceApi:
DbgkdReadWriteIo32To64(&r32->u.ReadWriteIo, &r64->u.ReadWriteIo);
break;
case DbgKdReadIoSpaceExtendedApi:
DbgkdReadWriteIoExtended32To64(&r32->u.ReadWriteIoExtended, &r64->u.ReadWriteIoExtended);
break;
case DbgKdGetInternalBreakPointApi:
DbgkdGetInternalBreakpoint32To64(&r32->u.GetInternalBreakpoint, &r64->u.GetInternalBreakpoint);
break;
case DbgKdSearchMemoryApi:
r64->u.SearchMemory = r32->u.SearchMemory;
break;
}
return sizeof(DBGKD_MANIPULATE_STATE64);
}
__inline
ULONG
DbgkdManipulateState64To32(
IN PDBGKD_MANIPULATE_STATE64 r64,
OUT PDBGKD_MANIPULATE_STATE32 r32
)
{
r32->ApiNumber = r64->ApiNumber;
r32->ProcessorLevel = r64->ProcessorLevel;
r32->Processor = r64->Processor;
r32->ReturnStatus = r64->ReturnStatus;
//
// translate the messages sent by the debugger
//
switch (r32->ApiNumber) {
//
// These send nothing in the u part.
case DbgKdGetContextApi:
case DbgKdSetContextApi:
case DbgKdClearSpecialCallsApi:
case DbgKdRebootApi:
case DbgKdCauseBugCheckApi:
case DbgKdSwitchProcessor:
break;
case DbgKdRestoreBreakPointApi:
r32->u.RestoreBreakPoint = r64->u.RestoreBreakPoint;
break;
case DbgKdContinueApi:
r32->u.Continue = r64->u.Continue;
break;
case DbgKdContinueApi2:
r32->u.Continue2 = r64->u.Continue2;
break;
//case DbgKdQuerySpecialCallsApi:
// r32->u.QuerySpecialCalls = r64->u.QuerySpecialCalls;
// break;
case DbgKdRestoreBreakPointExApi:
// NYI
break;
case DbgKdReadMachineSpecificRegister:
case DbgKdWriteMachineSpecificRegister:
r32->u.ReadWriteMsr = r64->u.ReadWriteMsr;
break;
case DbgKdGetVersionApi:
r32->u.GetVersion32.ProtocolVersion = r64->u.GetVersion64.ProtocolVersion;
break;
case DbgKdWriteBreakPointExApi:
r32->u.BreakPointEx = r64->u.BreakPointEx;
break;
case DbgKdWriteVirtualMemoryApi:
DbgkdWriteMemory64To32(&r64->u.WriteMemory, &r32->u.WriteMemory);
break;
//
// 32 bit systems only support 32 bit physical r/w
//
case DbgKdReadControlSpaceApi:
case DbgKdReadVirtualMemoryApi:
case DbgKdReadPhysicalMemoryApi:
DbgkdReadMemory64To32(&r64->u.ReadMemory, &r32->u.ReadMemory);
break;
case DbgKdWritePhysicalMemoryApi:
DbgkdWriteMemory64To32(&r64->u.WriteMemory, &r32->u.WriteMemory);
break;
case DbgKdWriteBreakPointApi:
DbgkdWriteBreakpoint64To32(&r64->u.WriteBreakPoint, &r32->u.WriteBreakPoint);
break;
case DbgKdWriteControlSpaceApi:
DbgkdWriteMemory64To32(&r64->u.WriteMemory, &r32->u.WriteMemory);
break;
case DbgKdReadIoSpaceApi:
case DbgKdWriteIoSpaceApi:
DbgkdReadWriteIo64To32(&r64->u.ReadWriteIo, &r32->u.ReadWriteIo);
break;
case DbgKdSetSpecialCallApi:
DbgkdSetSpecialCall64To32(&r64->u.SetSpecialCall, &r32->u.SetSpecialCall);
break;
case DbgKdSetInternalBreakPointApi:
DbgkdSetInternalBreakpoint64To32(&r64->u.SetInternalBreakpoint, &r32->u.SetInternalBreakpoint);
break;
case DbgKdGetInternalBreakPointApi:
DbgkdGetInternalBreakpoint64To32(&r64->u.GetInternalBreakpoint, &r32->u.GetInternalBreakpoint);
break;
case DbgKdReadIoSpaceExtendedApi:
case DbgKdWriteIoSpaceExtendedApi:
DbgkdReadWriteIoExtended64To32(&r64->u.ReadWriteIoExtended, &r32->u.ReadWriteIoExtended);
break;
case DbgKdSearchMemoryApi:
r32->u.SearchMemory = r64->u.SearchMemory;
break;
}
return sizeof(DBGKD_MANIPULATE_STATE32);
}
//
// This is the format for the trace data passed back from the kernel to
// the debugger to describe multiple calls that have returned since the
// last trip back. The basic format is that there are a bunch of these
// (4 byte) unions stuck together. Each union is of one of two types: a
// 4 byte unsigned long integer, or a three field struct, describing a
// call (where "call" is delimited by returning or exiting the symbol
// scope). If the number of instructions executed is too big to fit
// into a USHORT -1, then the Instructions field has
// TRACE_DATA_INSTRUCTIONS_BIG and the next union is a LongNumber
// containing the real number of instructions executed.
//
// The very first union returned in each callback is a LongNumber
// containing the number of unions returned (including the "size"
// record, so it's always at least 1 even if there's no data to return).
//
// This is all returned to the debugger when one of two things
// happens:
//
// 1) The pc moves out of all defined symbol ranges
// 2) The buffer of trace data entries is filled.
//
// The "trace done" case is hacked around on the debugger side. It
// guarantees that the pc address that indicates a trace exit never
// winds up in a defined symbol range.
//
// The only other complexity in this system is handling the SymbolNumber
// table. This table is kept in parallel by the kernel and the
// debugger. When the PC exits a known symbol range, the Begin and End
// symbol ranges are set by the debugger and are allocated to the next
// symbol slot upon return. "The next symbol slot" means the numerical
// next slot number, unless we've filled all slots, in which case it is
// #0. (ie., allocation is cyclic and not LRU or something). The
// SymbolNumber table is flushed when a SpecialCalls call is made (ie.,
// at the beginning of the WatchTrace).
//
typedef union _DBGKD_TRACE_DATA {
struct {
UCHAR SymbolNumber;
CHAR LevelChange;
USHORT Instructions;
} s;
ULONG LongNumber;
} DBGKD_TRACE_DATA, *PDBGKD_TRACE_DATA;
#define TRACE_DATA_INSTRUCTIONS_BIG 0xffff
#define TRACE_DATA_BUFFER_MAX_SIZE 40
//
// If the packet type is PACKET_TYPE_KD_DEBUG_IO, then
// the format of the packet data is as follows:
//
#define DbgKdPrintStringApi 0x00003230L
#define DbgKdGetStringApi 0x00003231L
//
// For print string, the Null terminated string to print
// immediately follows the message
//
typedef struct _DBGKD_PRINT_STRING {
ULONG LengthOfString;
} DBGKD_PRINT_STRING, *PDBGKD_PRINT_STRING;
//
// For get string, the Null terminated prompt string
// immediately follows the message. The LengthOfStringRead
// field initially contains the maximum number of characters
// to read. Upon reply, this contains the number of bytes actually
// read. The data read immediately follows the message.
//
//
typedef struct _DBGKD_GET_STRING {
ULONG LengthOfPromptString;
ULONG LengthOfStringRead;
} DBGKD_GET_STRING, *PDBGKD_GET_STRING;
typedef struct _DBGKD_DEBUG_IO {
ULONG ApiNumber;
USHORT ProcessorLevel;
USHORT Processor;
union {
DBGKD_PRINT_STRING PrintString;
DBGKD_GET_STRING GetString;
} u;
} DBGKD_DEBUG_IO, *PDBGKD_DEBUG_IO;
#endif // _WINDBGKD_
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -