public void Get_The_Correct_Current_Position()
{
// arrange
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("!positions",
@">Thread ID=0x7590 - Position: 35:0
Thread ID=0x12A0 - Position: 246A:0
Thread ID=0x6CDC - Position: 21D59:0
Thread ID=0x2984 - Position: 21DFE:0
Thread ID=0x3484 - Position: 21ECA:0
Thread ID=0x60B4 - Position: 2414F:0
Thread ID=0x1F54 - Position: 241DE:0
");
var facade = new TimeTravelFacade {
DebugEngineProxy = builder.Build()
};
// act
var position = facade.GetCurrentPosition();
var threadPosition = facade.GetCurrentPosition(0x60b4);
// assert
position.Should().Be(new Position(0x35, 0));
threadPosition.Should().Be(new Position(0x2414f, 0));
}
public void Get_The_Ending_Position()
{
// arrange
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("!tt 100",
@"Setting position to the end of the trace
Setting position: 2D164:0
ModLoad: 00007ffa`4cc00000 00007ffa`4cc95000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffa`4cec0000 00007ffa`4ceea000 C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 00007ffa`4fc30000 00007ffa`4fd97000 C:\WINDOWS\System32\MSCTF.dll
ModLoad: 00007ffa`51a80000 00007ffa`51b1e000 C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffa`4d750000 00007ffa`4d781000 C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 00007ffa`4c1e0000 00007ffa`4c2bc000 C:\WINDOWS\System32\CoreMessaging.dll
ModLoad: 00007ffa`49f70000 00007ffa`4a0a6000 C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 00007ffa`48270000 00007ffa`4855e000 C:\WINDOWS\System32\CoreUIComponents.dll
ModLoad: 00007ffa`33e40000 00007ffa`33ed8000 C:\WINDOWS\System32\TextInputFramework.dll
(9b04.7590): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 2D164:0
ntdll!NtTerminateProcess+0x12:
00007ffa`523603f2 0f05 syscall");
var facade = new TimeTravelFacade {
DebugEngineProxy = builder.Build()
};
// act
var position = facade.GetEndingPosition();
// assert
position.Should().Be(new Position(0x2D164, 0));
}
public void Disassemble_The_Correct_Number_Of_Instructions()
{
// arrange
var builder = new DebugEngineProxyBuilder();
builder.With32Bit(false);
builder.WithExecuteResult("u rip L2", @"KERNEL32!GetTimeFormatWWorker+0xc43:
00007ffa`51315543 6645898632010000 mov word ptr [r14+132h],r8w
00007ffa`5131554b 498d8630010000 lea rax,[r14+130h]
");
var facade = new DisassemblyFacade {
DebugEngineProxy = builder.Build()
};
var expected = new[]
{
new DisassemblyLine(0x00007ffa51315543, ByteArrayBuilder.StringToByteArray("6645898632010000"), "mov",
"word ptr [r14+132h],r8w"),
new DisassemblyLine(0x00007ffa5131554b, ByteArrayBuilder.StringToByteArray("498d8630010000"), "lea",
"rax,[r14+130h]")
};
// act
var lines = facade.GetDisassemblyLines(2);
// assert
lines.Should().Equal(expected);
}
public void Get_The_Current_StackTrace_Correctly()
{
// arrange
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("k", @"Child-SP RetAddr Call Site
00000000`0014d180 00007ffa`513150ed KERNEL32!GetTimeFormatWWorker+0xc43
00000000`0014d1d0 00007ffa`513138e6 KERNEL32!GetTimeFormatWWorker+0x7ed
00000000`0014ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x21");
builder.WithExecuteResult("~~[7590] k", @"Child-SP RetAddr Call Site
00000000`0014d180 00007ffa`513150ed KERNEL32!GetTimeFormatWWorker+0xc43
00000000`0014d1d0 00007ffa`513138e6 KERNEL32!GetTimeFormatWWorker+0x7ed
00000000`0014ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x21");
builder.WithThreadId(0x7590);
var stackFacade = new StackFacade {
DebugEngineProxy = builder.Build()
};
// act
var stackTrace = stackFacade.GetCurrentStackTrace();
var stackTrace2 = stackFacade.GetCurrentStackTrace(0x7590);
// assert
stackTrace.Should().Be(new StackTrace(new[]
{
new StackFrame(0x000000000014d180, 0x00007ffa513150ed, "KERNEL32", "GetTimeFormatWWorker", 0xc43),
new StackFrame(0x000000000014d1d0, 0x00007ffa513138e6, "KERNEL32", "GetTimeFormatWWorker", 0x7ed),
new StackFrame(0x000000000014ff90, 0x0000000000000000, "ntdll", "RtlUserThreadStart", 0x21)
}));
stackTrace2.Should().Be(new StackTrace(new[]
{
new StackFrame(0x000000000014d180, 0x00007ffa513150ed, "KERNEL32", "GetTimeFormatWWorker", 0xc43),
new StackFrame(0x000000000014d1d0, 0x00007ffa513138e6, "KERNEL32", "GetTimeFormatWWorker", 0x7ed),
new StackFrame(0x000000000014ff90, 0x0000000000000000, "ntdll", "RtlUserThreadStart", 0x21)
}));
}
public void Set_Write_Breakpoint_Correctly()
{
// arrange
var facade = new BreakpointFacade();
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("");
facade.DebugEngineProxy = builder.Build();
// act
facade.SetWriteAccessBreakpoint(8, 0x100);
// assert
builder.Mock.Verify(proxy => proxy.Execute("ba w8 100"), Times.Once);
}
public void Clear_Breakpoints()
{
// arrange
var facade = new BreakpointFacade();
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("");
facade.DebugEngineProxy = builder.Build();
// act
facade.ClearBreakpoints();
// assert
builder.Mock.Verify(proxy => proxy.Execute("bc *"), Times.Once);
}
public void Get_The_Current_Frame_Correctly()
{
// arrange
var engBuilder = new DebugEngineProxyBuilder();
engBuilder.WithExecuteResult("!positions", @">Thread ID=0x7590 - Position: 168CC:0
Thread ID=0x12A0 - Position: 211F5:0
Thread ID=0x6CDC - Position: 21D59:0
Thread ID=0x2984 - Position: 21DFE:0
Thread ID=0x3484 - Position: 21ECA:0
Thread ID=0x60B4 - Position: 2414F:0
Thread ID=0x1F54 - Position: 241DE:0
");
engBuilder.With32Bit(false);
engBuilder.WithThreadId(0x7590);
var stackBuilder = new StackFacadeBuilder();
var stackTrace = new StackTrace(new List <StackFrame>());
stackBuilder.WithGetCurrentStackTrace(stackTrace);
var registerSet = new RegisterSet();
var registerBuilder = new RegisterFacadeBuilder();
registerBuilder.WithGetCurrentRegisterSet(Register.All, registerSet);
var disassemblyLine = new DisassemblyLine(0x00007ffa51315595, ByteArrayBuilder.StringToByteArray("4d3bd1"),
"cmp", "r10,r9");
var disBuilder = new DisassemblyFacadeBuilder();
disBuilder.WithGetDisassemblyLines(1, new[] { disassemblyLine });
var facade = new TimeTravelFacade
{
DebugEngineProxy = engBuilder.Build(),
StackFacade = stackBuilder.Build(),
RegisterFacade = registerBuilder.Build(),
DisassemblyFacade = disBuilder.Build()
};
// act
var frame = facade.GetCurrentFrame();
// assert
frame.Position.Should().Be(new Position(0x168CC, 0));
frame.DisassemblyLine.Should().Be(disassemblyLine);
frame.RegisterSet.Should().Be(registerSet);
frame.StackTrace.Should().Be(stackTrace);
frame.ThreadId.Should().Be(0x7590);
}
public void Enforce_Length_Restrictions()
{
// arrange
var facade = new BreakpointFacade();
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("");
facade.DebugEngineProxy = builder.Build();
Action shouldThrow = () => facade.SetReadAccessBreakpoint(10, 0x100);
Action shouldThrow2 = () => facade.SetWriteAccessBreakpoint(10, 0x100);
// act
// assert
shouldThrow.Should().Throw <ArgumentOutOfRangeException>();
shouldThrow2.Should().Throw <ArgumentOutOfRangeException>();
}
public void Throw_If_Time_Travel_Position_Cant_Be_Determined()
{
var facade = new TimeTravelFacade();
var position = new Position(0, 0);
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult(@"Setting position to the beginning of the trace
Setting position: E:0
Breakpoint 0 hit
Time Travel Position E:0
ntdll!NtSetInformationWorkerFactory+0x14:
00007ffc`f0ee3554 c3 ret");
facade.DebugEngineProxy = builder.Build();
Action a = () => facade.SetPosition(position);
a.Should().Throw <ApplicationException>();
}
public void Get_The_Starting_Position()
{
// arrange
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("!tt 0",
@"Setting position to the beginning of the trace
Setting position: 35:0
(9b04.7590): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 35:0
ntdll!NtSetInformationWorkerFactory+0x14:
00007ffa`52363104 c3 ret");
var facade = new TimeTravelFacade {
DebugEngineProxy = builder.Build()
};
// act
var position = facade.GetStartingPosition();
// assert
position.Should().Be(new Position(0x35, 0));
}
public void Identify_32_And_64_Bit_Arch()
{
// Arrange
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult("!peb", @"PEB at 00000000003b9000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
...
ImageBaseAddress: 0000000140000000 _NT_SYMBOL_PATH=SRV*c:\symbols*http://msdl.microsoft.com/download/symbols");
var proxy = builder.Build();
// Act
var indexMethod = new IndexMethod();
indexMethod.DebugEngineProxy = builder.Build();
var is32 = indexMethod.Is32Bit();
// Assert
is32.Should().BeFalse("00000000003b9000 is 16 characters and thus 64bit");
}
public void Set_The_Position_Correctly()
{
// arrange
var facade = new TimeTravelFacade();
var position = new Position(0, 0);
var builder = new DebugEngineProxyBuilder();
builder.WithExecuteResult(@"Setting position to the beginning of the trace
Setting position: E:0
Breakpoint 0 hit
Time Travel Position: E:0
ntdll!NtSetInformationWorkerFactory+0x14:
00007ffc`f0ee3554 c3 ret");
facade.DebugEngineProxy = builder.Build();
// act
var posResult = facade.SetPosition(position);
// assert
builder.Mock.Verify(proxy => proxy.Execute("!tt 0:0"), Times.Once);
posResult.ActualPosition.Should().Be(new Position(0xe, 0));
posResult.BreakpointHit.Should().Be(0);
}
