📄 wdbgexts.h
字号:
ULONG64 MmProcessCommit;
ULONG64 MmPagedPoolCommit;
ULONG64 MmExtendedCommit;
ULONG64 MmZeroedPageListHead;
ULONG64 MmFreePageListHead;
ULONG64 MmStandbyPageListHead;
ULONG64 MmModifiedPageListHead;
ULONG64 MmModifiedNoWritePageListHead;
ULONG64 MmAvailablePages;
ULONG64 MmResidentAvailablePages;
ULONG64 PoolTrackTable;
ULONG64 NonPagedPoolDescriptor;
ULONG64 MmHighestUserAddress;
ULONG64 MmSystemRangeStart;
ULONG64 MmUserProbeAddress;
ULONG64 KdPrintCircularBuffer;
ULONG64 KdPrintCircularBufferEnd;
ULONG64 KdPrintWritePointer;
ULONG64 KdPrintRolloverCount;
ULONG64 MmLoadedUserImageList;
} KDDEBUGGER_DATA64, *PKDDEBUGGER_DATA64;
#endif
/************************************
Type Dump Ioctl
*************************************/
//
// Fields are not indented if this is set
//
#define DBG_DUMP_NO_INDENT 0x00000001
//
// Offsets are not printed if this is set
//
#define DBG_DUMP_NO_OFFSET 0x00000002
//
// Verbose output
//
#define DBG_DUMP_VERBOSE 0x00000004
//
// Callback is done for each of fields
//
#define DBG_DUMP_CALL_FOR_EACH 0x00000008
//
// A list of type is dumped, listLink should have info about next element pointer
//
#define DBG_DUMP_LIST 0x00000020
//
// Nothing is printed if this is set (only callbacks and data copies done)
//
#define DBG_DUMP_NO_PRINT 0x00000040
//
// Ioctl returns the size as usual, but will not do field prints/callbacks if this is set
//
#define DBG_DUMP_GET_SIZE_ONLY 0x00000080
//
// Specifies how much deep into structs we can go
//
#define DBG_DUMP_RECUR_LEVEL(l) ((l & 0xf) << 8)
//
// No newlines are printed after each field
//
#define DBG_DUMP_COMPACT_OUT 0x00002000
//
// An array of type is dumped, number of elements can be specified in listLink->size
//
#define DBG_DUMP_ARRAY 0x00008000
//
// The specified addr value is actually the address of field listLink->fName
//
#define DBG_DUMP_ADDRESS_OF_FIELD 0x00010000
//
// The specified addr value is actually the adress at the end of type
//
#define DBG_DUMP_ADDRESS_AT_END 0x00020000
//
// This could be used to copy only the primitive types like ULONG, PVOID etc.
// - will not work with structures/unions
//
#define DBG_DUMP_COPY_TYPE_DATA 0x00040000
//
// Dump and callback optons for fields - Options used in FIELD_INFO.fOptions
//
//
// Callback is done before printing the field if this is set
//
#define DBG_DUMP_FIELD_CALL_BEFORE_PRINT 0x00000001
//
// No callback is done
//
#define DBG_DUMP_FIELD_NO_CALLBACK_REQ 0x00000002
//
// Subfields of the fields are processesed
//
#define DBG_DUMP_FIELD_RECUR_ON_THIS 0x00000004
//
// fName must match completely for the field to be dumped instead just a prefix
// match by default
//
#define DBG_DUMP_FIELD_FULL_NAME 0x00000008
//
// This causes array elements of an array field to be printed
//
#define DBG_DUMP_FIELD_ARRAY 0x00000010
//
// The data of the field is copied into fieldCallBack
//
#define DBG_DUMP_FIELD_COPY_FIELD_DATA 0x00000020
//
// In callback or when Ioctl returns, the FIELD_INFO.address has the address of field.
// If no address is supplied for the type, it contains total offset of the field.
//
#define DBG_DUMP_FIELD_RETURN_ADDRESS 0x00001000
//
// Return the offset and size in bits instead of bytes is case of Bitfield
//
#define DBG_DUMP_FIELD_SIZE_IN_BITS 0x00002000
//
// If the field is a pointer, it is dumped as a string, ANSI, WCHAR, MULTI or GUID
// depending on following options
//
#define DBG_DUMP_FIELD_DEFAULT_STRING 0x00010000
#define DBG_DUMP_FIELD_WCHAR_STRING 0x00020000
#define DBG_DUMP_FIELD_MULTI_STRING 0x00040000
#define DBG_DUMP_FIELD_GUID_STRING 0x00080000
//
// Error status returned on TYPE DUMP Ioctl failure
//
#define MEMORY_READ_ERROR 0x01
#define SYMBOL_TYPE_INDEX_NOT_FOUND 0x02
#define SYMBOL_TYPE_INFO_NOT_FOUND 0x03
#define FIELDS_DID_NOT_MATCH 0x04
#define NULL_SYM_DUMP_PARAM 0x05
#define NULL_FIELD_NAME 0x06
#define INCORRECT_VERSION_INFO 0x07
#define EXIT_ON_CONTROLC 0x08
#define CANNOT_ALLOCATE_MEMORY 0x09
typedef
ULONG
(WDBGAPI*PSYM_DUMP_FIELD_CALLBACK)(
struct _FIELD_INFO *pField,
PVOID UserContext
);
typedef struct _FIELD_INFO {
PUCHAR fName; // Name of the field
PUCHAR printName; // Name to be printed at dump
ULONG size; // Size of the field
ULONG fOptions; // Dump Options for the field
ULONG64 address; // address of the field
PVOID fieldCallBack; // Return info or callBack routine for the field
} FIELD_INFO, *PFIELD_INFO;
typedef struct _SYM_DUMP_PARAM {
ULONG size; // size of this struct
PUCHAR sName; // type name
ULONG Options; // Dump options
ULONG64 addr; // Address to take data for type
PFIELD_INFO listLink; // fName here would be used to do list dump
PVOID Context; // Usercontext passed to CallbackRoutine
PSYM_DUMP_FIELD_CALLBACK CallbackRoutine;
// Routine called back
ULONG nFields; // # elements in Fields
PFIELD_INFO Fields; // Used to return information about field
} SYM_DUMP_PARAM, *PSYM_DUMP_PARAM;
#ifdef __cplusplus
#define CPPMOD extern "C"
#else
#define CPPMOD
#endif
#ifndef NOEXTAPI
#if defined(KDEXT_64BIT)
#define WINDBG_EXTENSION_APIS WINDBG_EXTENSION_APIS64
#define DECLARE_API(s) DECLARE_API64(s)
#elif defined(KDEXT_32BIT)
#define WINDBG_EXTENSION_APIS WINDBG_EXTENSION_APIS32
#define DECLARE_API(s) DECLARE_API32(s)
#else
#define DECLARE_API(s) \
CPPMOD VOID \
s( \
HANDLE hCurrentProcess, \
HANDLE hCurrentThread, \
ULONG dwCurrentPc, \
ULONG dwProcessor, \
PCSTR args \
)
#endif
#define DECLARE_API32(s) \
CPPMOD VOID \
s( \
HANDLE hCurrentProcess, \
HANDLE hCurrentThread, \
ULONG dwCurrentPc, \
ULONG dwProcessor, \
PCSTR args \
)
#define DECLARE_API64(s) \
CPPMOD VOID \
s( \
HANDLE hCurrentProcess, \
HANDLE hCurrentThread, \
ULONG64 dwCurrentPc, \
ULONG dwProcessor, \
PCSTR args \
)
extern WINDBG_EXTENSION_APIS ExtensionApis;
#define dprintf (ExtensionApis.lpOutputRoutine)
#define GetExpression (ExtensionApis.lpGetExpressionRoutine)
#define CheckControlC (ExtensionApis.lpCheckControlCRoutine)
#define GetContext (ExtensionApis.lpGetThreadContextRoutine)
#define SetContext (ExtensionApis.lpSetThreadContextRoutine)
#define Ioctl (ExtensionApis.lpIoctlRoutine)
#define Disasm (ExtensionApis.lpDisasmRoutine)
#define GetSymbol (ExtensionApis.lpGetSymbolRoutine)
#define ReadMemory (ExtensionApis.lpReadProcessMemoryRoutine)
#define WriteMemory (ExtensionApis.lpWriteProcessMemoryRoutine)
#define StackTrace (ExtensionApis.lpStackTraceRoutine)
#define GetKdContext(ppi) \
Ioctl( IG_KD_CONTEXT, (PVOID)ppi, sizeof(*ppi) )
//
// BOOL
// GetDebuggerData(
// ULONG Tag,
// PVOID Buf,
// ULONG Size
// )
//
#define GetDebuggerData(TAG, BUF, SIZE) \
( (((PDBGKD_DEBUG_DATA_HEADER64)(BUF))->OwnerTag = (TAG)), \
(((PDBGKD_DEBUG_DATA_HEADER64)(BUF))->Size = (SIZE)), \
Ioctl( IG_GET_DEBUGGER_DATA, (PVOID)(BUF), (SIZE) ) )
// Check if LocalAlloc is prototyped
#ifdef _WINBASE_
__inline VOID
ReadPhysical(
ULONG64 address,
PVOID buf,
ULONG size,
PULONG sizer
)
{
PPHYSICAL phy;
phy = (PPHYSICAL)LocalAlloc(LPTR, sizeof(*phy) + size );
ZeroMemory( phy->Buf, size );
phy->Address = address;
phy->BufLen = size;
Ioctl( IG_READ_PHYSICAL, (PVOID)phy, sizeof(*phy) + size );
*sizer = phy->BufLen;
CopyMemory( buf, phy->Buf, *sizer );
LocalFree( phy );
}
__inline VOID
WritePhysical(
ULONG64 address,
PVOID buf,
ULONG size,
PULONG sizew
)
{
PPHYSICAL phy;
phy = (PPHYSICAL)LocalAlloc(LPTR, sizeof(*phy) + size );
ZeroMemory( phy->Buf, size );
phy->Address = address;
phy->BufLen = size;
CopyMemory( phy->Buf, buf, size );
Ioctl( IG_WRITE_PHYSICAL, (PVOID)phy, sizeof(*phy) + size );
*sizew = phy->BufLen;
LocalFree( phy );
}
__inline VOID
ReadMsr(
ULONG MsrReg,
ULONGLONG *MsrValue
)
{
PREAD_WRITE_MSR msr;
msr = (PREAD_WRITE_MSR)LocalAlloc(LPTR, sizeof(*msr));
msr->Msr = MsrReg;
Ioctl( IG_READ_MSR, (PVOID)msr, sizeof(*msr) );
*MsrValue = msr->Value;
LocalFree( msr );
}
__inline VOID
WriteMsr(
ULONG MsrReg,
ULONGLONG MsrValue
)
{
PREAD_WRITE_MSR msr;
msr = (PREAD_WRITE_MSR)LocalAlloc(LPTR, sizeof(*msr));
msr->Msr = MsrReg;
msr->Value = MsrValue;
Ioctl( IG_WRITE_MSR, (PVOID)msr, sizeof(*msr) );
LocalFree( msr );
}
__inline VOID
SetThreadForOperation(
ULONG_PTR * Thread
)
{
Ioctl(IG_SET_THREAD, (PVOID)Thread, sizeof(PULONG));
}
__inline VOID
SetThreadForOperation32(
ULONG Thread
)
{
Ioctl(IG_SET_THREAD, (PVOID)LongToPtr(Thread), sizeof(PULONG));
}
__inline VOID
SetThreadForOperation64(
PULONG64 Thread
)
{
Ioctl(IG_SET_THREAD, (PVOID)Thread, sizeof(PULONG));
}
__inline VOID
ReadControlSpace(
USHORT processor,
ULONG address,
PVOID buf,
ULONG size
)
{
PREADCONTROLSPACE prc;
prc = (PREADCONTROLSPACE)LocalAlloc(LPTR, sizeof(*prc) + size );
ZeroMemory( prc->Buf, size );
prc->Processor = processor;
prc->Address = address;
prc->BufLen = size;
Ioctl( IG_READ_CONTROL_SPACE, (PVOID)prc, sizeof(*prc) + size );
CopyMemory( buf, prc->Buf, size );
LocalFree( prc );
}
__inline VOID
ReadControlSpace32(
USHORT processor,
ULONG address,
PVOID buf,
ULONG size
)
{
PREADCONTROLSPACE32 prc;
prc = (PREADCONTROLSPACE32)LocalAlloc(LPTR, sizeof(*prc) + size );
ZeroMemory( prc->Buf, size );
prc->Processor = processor;
prc->Address = address;
prc->BufLen = size;
Ioctl( IG_READ_CONTROL_SPACE, (PVOID)prc, sizeof(*prc) + size );
CopyMemory( buf, prc->Buf, size );
LocalFree( prc );
}
__inline VOID
ReadControlSpace64(
USHORT processor,
ULONG64 address,
PVOID buf,
ULONG size
)
{
PREADCONTROLSPACE64 prc;
prc = (PREADCONTROLSPACE64)LocalAlloc(LPTR, sizeof(*prc) + size );
ZeroMemory( prc->Buf, size );
prc->Processor = processor;
prc->Address = address;
prc->BufLen = size;
Ioctl( IG_READ_CONTROL_SPACE, (PVOID)prc, sizeof(*prc) + size );
CopyMemory( buf, prc->Buf, size );
LocalFree( prc );
}
#endif // _WINBASE_
__inline VOID
ReadIoSpace(
ULONG address,
PULONG data,
PULONG size
)
{
IOSPACE is;
is.Address = address;
is.Length = *size;
Ioctl( IG_READ_IO_SPACE, (PVOID)&is, sizeof(is) );
memcpy(data, &is.Data, is.Length);
*size = is.Length;
}
__inline VOID
ReadIoSpace32(
ULONG address,
PULONG data,
PULONG size
)
{
IOSPACE32 is;
is.Address = address;
is.Length = *size;
Ioctl( IG_READ_IO_SPACE, (PVOID)&is, sizeof(is) );
memcpy(data, &is.Data, is.Length);
*size = is.Length;
}
__inline VOID
ReadIoSpace64(
ULONG64 address,
PULONG data,
PULONG size
)
{
IOSPACE64 is;
is.Address = address;
is.Length = *size;
Ioctl( IG_READ_IO_SPACE, (PVOID)&is, sizeof(is) );
memcpy(data, &is.Data, is.Length);
*size = is.Length;
}
__inline VOID
WriteIoSpace(
ULONG address,
ULONG data,
PULONG size
)
{
IOSPACE is;
is.Address = (ULONG)address;
is.Length = *size;
is.Data = data;
Ioctl( IG_WRITE_IO_SPACE, (PVOID)&is, sizeof(is) );
*size = is.Length;
}
__inline VOID
WriteIoSpace32(
ULONG address,
ULONG data,
PULONG size
)
{
IOSPACE32 is;
is.Address = address;
is.Length = *size;
is.Data = data;
Ioctl( IG_WRITE_IO_SPACE, (PVOID)&is, sizeof(is) );
*size = is.Length;
}
__inline VOID
WriteIoSpace64(
ULONG64 address,
ULONG data,
PULONG size
)
{
IOSPACE64 is;
is.Address = address;
is.Length = *size;
is.Data = data;
Ioctl( IG_WRITE_IO_SPACE, (PVOID)&is, sizeof(is) );
*size = is.Length;
}
__inline VOID
ReadIoSpaceEx(
ULONG address,
PULONG data,
PULONG size,
ULONG interfacetype,
ULONG busnumber,
ULONG addressspace
)
{
IOSPACE_EX is;
is.Address = (ULONG)address;
is.Length = *size;
is.Data = 0;
is.InterfaceType = interfacetype;
is.BusNumber = busnumber;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -