Example #1
            // Returns the return address of the current frame of `thread`.
            // On x86 the value is read from debuggee memory at [ebp+4]. If that yields 0 (registers are
            // not x86, EBP could not be fetched, or the memory read returned no value), the address
            // reported by GetCurrentFrameInfo is used instead.
            // NOTE(review): [ebp+4] only holds the return address while the current function keeps a
            // conventional EBP frame; with frame-pointer omission, or before the prologue has run, the
            // value read is arbitrary debuggee data. Callers should treat the result as untrusted.
            ulong GetReturnAddress(DkmThread thread)
            {
                // Register id handed to GetRegisterValue for EBP (presumably CodeView CV_REG_EBP; confirm).
                const int ebpRegisterId = 22;

                // GetCurrentFrameInfo should provide the return address, but what it reports is the current
                // instruction address, so the stack slot at [ebp+4] is consulted first.
                var currentRegisters = thread.GetCurrentRegisters(new DkmUnwoundRegister[0]);

                ulong returnAddress = 0;

                if (currentRegisters is DkmX86FrameRegisters x86)
                {
                    var framePointerBytes = new byte[4];
                    var bytesCopied = x86.GetRegisterValue(ebpRegisterId, framePointerBytes);

                    // Only trust the buffer when all four bytes of EBP were delivered.
                    if (bytesCopied == 4)
                    {
                        uint framePointer = BitConverter.ToUInt32(framePointerBytes, 0);
                        var slotValue = DebugHelpers.ReadPointerVariable(thread.Process, framePointer + 4);
                        returnAddress = slotValue.GetValueOrDefault(0);
                    }
                }

                // Fallback: 0 means the frame-pointer route produced nothing usable.
                if (returnAddress == 0)
                {
                    thread.GetCurrentFrameInfo(out returnAddress, out _, out _);
                }

                return returnAddress;
            }
        /// <summary>
        /// Creates an inspection session for <paramref name="process"/> and builds the stack-walk frame
        /// for the current position of <paramref name="thread"/>.
        /// </summary>
        /// <param name="process">Process that owns the session and the instruction address.</param>
        /// <param name="thread">Thread whose current registers are captured.</param>
        /// <param name="data">Breakpoint-hit message; its <c>vframe</c> and <c>frameBase</c> fields are used.</param>
        /// <param name="frame">Receives the frame built from the captured registers.</param>
        /// <returns>A new <see cref="DkmInspectionSession"/> for <paramref name="process"/>.</returns>
        internal static DkmInspectionSession CreateInspectionSession(DkmProcess process, DkmThread thread, SupportBreakpointHitMessage data, out DkmStackWalkFrame frame)
        {
            // Register id under which the virtual-frame value is supplied to GetCurrentRegisters.
            const int CV_ALLREG_VFRAME = 0x00007536;

            // data.vframe comes from the breakpoint message and is passed through unvalidated.
            var vframeBytes = new ReadOnlyCollection<byte>(BitConverter.GetBytes(data.vframe));
            var unwoundRegisters = new[] { DkmUnwoundRegister.Create(CV_ALLREG_VFRAME, vframeBytes) };

            var currentRegisters = thread.GetCurrentRegisters(unwoundRegisters);
            var instructionPointer = currentRegisters.GetInstructionPointer();
            var codeAddress = process.CreateNativeInstructionAddress(instructionPointer);

            frame = DkmStackWalkFrame.Create(
                thread,
                codeAddress,
                data.frameBase,
                0,
                DkmStackWalkFrameFlags.None,
                null,
                currentRegisters,
                null);

            return DkmInspectionSession.Create(process, null);
        }
Example #3
        /// <summary>
        /// Prepares a C++ expression evaluator bound to <paramref name="thread"/>: stores the thread's
        /// process, creates an inspection context on the native runtime, and builds the native frame
        /// used for evaluation.
        /// </summary>
        /// <param name="thread">Thread whose process, registers and instruction pointer are used.</param>
        /// <param name="frameBase">Frame base passed to the stack-walk frame.</param>
        /// <param name="vframe">Virtual-frame value supplied as an unwound register.</param>
        public CppExpressionEvaluator(DkmThread thread, ulong frameBase, ulong vframe) {
            _process = thread.Process;

            // Expressions are evaluated with NoSideEffects and no function-evaluation flags, so the
            // context is set up to inspect the debuggee rather than modify it.
            var evaluationFlags = DkmEvaluationFlags.TreatAsExpression | DkmEvaluationFlags.NoSideEffects;
            var session = DkmInspectionSession.Create(_process, null);
            _cppInspectionContext = DkmInspectionContext.Create(
                session,
                _process.GetNativeRuntimeInstance(),
                thread,
                Timeout,
                evaluationFlags,
                DkmFuncEvalFlags.None,
                10,
                CppLanguage,
                null);

            // Register id under which the virtual-frame value is supplied to GetCurrentRegisters.
            const int CV_ALLREG_VFRAME = 0x00007536;
            var vframeBytes = new ReadOnlyCollection<byte>(BitConverter.GetBytes(vframe));
            var unwoundRegisters = new[] { DkmUnwoundRegister.Create(CV_ALLREG_VFRAME, vframeBytes) };
            var currentRegisters = thread.GetCurrentRegisters(unwoundRegisters);
            var codeAddress = _process.CreateNativeInstructionAddress(currentRegisters.GetInstructionPointer());

            _nativeFrame = DkmStackWalkFrame.Create(
                thread,
                codeAddress,
                frameBase,
                0,
                DkmStackWalkFrameFlags.None,
                null,
                currentRegisters,
                null);
        }
Example #4
        /// <summary>
        /// Binds a C++ expression evaluator to <paramref name="thread"/>. The constructor records the
        /// owning process, creates the inspection context on the process's native runtime, and
        /// captures the native stack frame used for later evaluation.
        /// </summary>
        /// <param name="thread">Thread that provides the process, registers and instruction pointer.</param>
        /// <param name="frameBase">Frame base handed to the stack-walk frame.</param>
        /// <param name="vframe">Virtual-frame value injected as an unwound register.</param>
        public CppExpressionEvaluator(DkmThread thread, ulong frameBase, ulong vframe)
        {
            _process = thread.Process;

            var session = DkmInspectionSession.Create(_process, null);
            var nativeRuntime = _process.GetNativeRuntimeInstance();

            // TreatAsExpression | NoSideEffects together with DkmFuncEvalFlags.None: evaluation is
            // requested in a form that should not change debuggee state.
            _cppInspectionContext = DkmInspectionContext.Create(
                session,
                nativeRuntime,
                thread,
                Timeout,
                DkmEvaluationFlags.TreatAsExpression | DkmEvaluationFlags.NoSideEffects,
                DkmFuncEvalFlags.None,
                10,
                CppLanguage,
                null);

            // Register id under which the virtual-frame value is supplied to GetCurrentRegisters.
            const int CV_ALLREG_VFRAME = 0x00007536;

            var encodedVframe = new ReadOnlyCollection<byte>(BitConverter.GetBytes(vframe));
            var vframeRegister = DkmUnwoundRegister.Create(CV_ALLREG_VFRAME, encodedVframe);
            var threadRegisters = thread.GetCurrentRegisters(new[] { vframeRegister });
            var instructionPointer = threadRegisters.GetInstructionPointer();
            var instructionAddress = _process.CreateNativeInstructionAddress(instructionPointer);

            _nativeFrame = DkmStackWalkFrame.Create(thread, instructionAddress, frameBase, 0, DkmStackWalkFrameFlags.None, null, threadRegisters, null);
        }