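/// <summary>
/// Reads the argument at position <paramref name="index"/> from the debuggee's stack for
/// the given frame.
/// </summary>
/// <param name="frame">Frame whose stack pointer locates the argument area.</param>
/// <param name="index">Zero-based position of the argument within <c>_parameters</c>.</param>
/// <returns>
/// A boxed <see cref="uint"/> for a 4-byte argument, a boxed <see cref="ulong"/> for an
/// 8-byte argument, and the raw <c>byte[]</c> for any other size.
/// </returns>
/// <remarks>
/// The bytes are copied out of the debugged process, so the returned value is controlled
/// by that process. Callers that go on to use it as an address or an identifier should
/// treat it as untrusted input.
/// </remarks>
public override object GetArgumentValue(DkmStackWalkFrame frame, int index)
{
    // The stack pointer is deliberately narrowed to 32 bits before being widened again.
    ulong esp = (uint)frame.Registers.GetStackPointer();

    // Arguments are laid out back to back, each occupying its padded size, so the offset of
    // argument `index` is the sum of the padded sizes of the arguments before it.
    int stackOffset = 0;
    for (int i = 0; i < index; ++i)
    {
        stackOffset += _parameters[i].GetPaddedSize(WordSize);
    }

    // The return address (4 bytes) is at the top of the stack, so offset by 4 to skip it.
    ulong stackAddress = esp + 4 + (ulong)stackOffset;

    int paramSize = _parameters[index].GetSize(WordSize);
    byte[] parameter = new byte[paramSize];

    // NOTE(review): the result of ReadMemory is not inspected here. Confirm that a read with
    // DkmReadMemoryFlags.None fails outright instead of leaving the buffer partly filled.
    frame.Process.ReadMemory(stackAddress, DkmReadMemoryFlags.None, parameter);

    switch (paramSize)
    {
        case 4:
            return BitConverter.ToUInt32(parameter, 0);
        case 8:
            return BitConverter.ToUInt64(parameter, 0);
        default:
            return parameter;
    }
}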
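/// <summary>
/// Fetches one argument of the call represented by <paramref name="frame"/> by reading it
/// from the debuggee's stack.
/// </summary>
/// <param name="frame">Frame that supplies the stack pointer and the process to read.</param>
/// <param name="index">Zero-based index into <c>_parameters</c> of the wanted argument.</param>
/// <returns>
/// The argument as a boxed <see cref="uint"/> (4 bytes) or <see cref="ulong"/> (8 bytes);
/// arguments of any other size are returned as the raw <c>byte[]</c>.
/// </returns>
/// <remarks>
/// Everything returned here originates in the debugged process's memory and is therefore
/// under that process's control; validate it before using it as a pointer or handle.
/// </remarks>
public override object GetArgumentValue(DkmStackWalkFrame frame, int index)
{
    // Only the low 32 bits of the stack pointer are kept.
    ulong stackPointer = (uint)frame.Registers.GetStackPointer();

    // Sum the padded sizes of every argument that precedes the requested one.
    int precedingBytes = 0;
    for (int position = 0; position < index; ++position)
    {
        precedingBytes += _parameters[position].GetPaddedSize(WordSize);
    }

    // The return address (4 bytes) is at the top of the stack, so offset by 4 to skip the
    // return address.
    ulong argumentAddress = stackPointer + 4 + (ulong)precedingBytes;

    int argumentSize = _parameters[index].GetSize(WordSize);
    byte[] raw = new byte[argumentSize];

    // NOTE(review): the outcome of the read is not checked; verify that a short read with
    // DkmReadMemoryFlags.None surfaces as a failure rather than as zero-filled bytes.
    frame.Process.ReadMemory(argumentAddress, DkmReadMemoryFlags.None, raw);

    if (argumentSize == 4)
    {
        return BitConverter.ToUInt32(raw, 0);
    }

    if (argumentSize == 8)
    {
        return BitConverter.ToUInt64(raw, 0);
    }

    return raw;
}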
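/// <summary>
/// Runs when a traced process-creation function returns. If the call succeeded, the child
/// PID is read from the debuggee's PROCESS_INFORMATION output structure and an attach
/// request is sent to the VsPackage.
/// </summary>
/// <param name="frame">Frame of the function that just returned.</param>
/// <param name="frameAnalyzer">Analyzer used to look up the function's arguments by name.</param>
void createProcessTracer_OnFunctionExited(
    DkmStackWalkFrame frame, StackFrameAnalyzer frameAnalyzer)
{
    try
    {
        // Check the return value first; it should be in EAX. CreateProcessAsUser and
        // CreateProcess both return 0 on failure. If the function failed, there is no child
        // to attach to, so nothing is read from the debuggee at all.
        if (0 == frame.VscxGetRegisterValue32(CpuRegister.Eax))
        {
            return;
        }

        ulong processInfoAddr = Convert.ToUInt64(
            frameAnalyzer.GetArgumentValue(frame, "lpProcessInformation"));

        // The process was successfully created. Extract the PID from the PROCESS_INFORMATION
        // output param. An attachment request must happen through the EnvDTE, which can only
        // be accessed from the VsPackage, so a request must be sent via a component message.
        DkmProcess process = frame.Process;
        int size = Marshal.SizeOf(typeof(PROCESS_INFORMATION));
        byte[] buffer = new byte[size];
        process.ReadMemory(processInfoAddr, DkmReadMemoryFlags.None, buffer);
        PROCESS_INFORMATION info =
            MarshalUtility.ByteArrayToStructure<PROCESS_INFORMATION>(buffer);

        // NOTE(review): both the pointer and the structure come from the debugged process's
        // memory, so dwProcessId is whatever that process left there. Confirm that the
        // receiver of AttachToChild validates the PID before attaching.
        DkmCustomMessage attachRequest = DkmCustomMessage.Create(
            process.Connection,
            process,
            PackageServices.VsPackageMessageGuid,
            (int)VsPackageMessage.AttachToChild,
            process.LivePart.Id,
            info.dwProcessId);
        attachRequest.SendToVsService(PackageServices.DkmComponentEventHandler, false);
    }
    catch (Exception exception)
    {
        // Any failure is logged here and not propagated to the caller.
        Logger.LogError(
            exception,
            "An error occured handling the exit breakpoint. HR = 0x{0:X}",
            exception.HResult);
    }
}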
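/// <summary>
/// Exit handler for a traced process-creation call. On success it pulls the new process's
/// PID out of the PROCESS_INFORMATION structure in the debuggee and forwards an attach
/// request to the VsPackage; on failure it does nothing.
/// </summary>
/// <param name="frame">Frame of the call that has just completed.</param>
/// <param name="frameAnalyzer">Resolves named arguments of that call.</param>
void createProcessTracer_OnFunctionExited(
    DkmStackWalkFrame frame, StackFrameAnalyzer frameAnalyzer)
{
    try
    {
        // EAX carries the function's return value. CreateProcessAsUser and CreateProcess
        // both return 0 on failure, in which case there is no child to attach to and the
        // output structure is never read.
        uint returnValue = frame.VscxGetRegisterValue32(CpuRegister.Eax);
        if (returnValue == 0)
        {
            return;
        }

        object rawPointer = frameAnalyzer.GetArgumentValue(frame, "lpProcessInformation");
        ulong processInfoAddr = Convert.ToUInt64(rawPointer);

        // The process was successfully created. Extract the PID from the PROCESS_INFORMATION
        // output param. An attachment request must happen through the EnvDTE, which can only
        // be accessed from the VsPackage, so a request must be sent via a component message.
        DkmProcess process = frame.Process;
        byte[] buffer = new byte[Marshal.SizeOf(typeof(PROCESS_INFORMATION))];
        process.ReadMemory(processInfoAddr, DkmReadMemoryFlags.None, buffer);
        PROCESS_INFORMATION info =
            MarshalUtility.ByteArrayToStructure<PROCESS_INFORMATION>(buffer);

        // NOTE(review): the address and the PID are read from memory the debugged process
        // controls. Verify that the AttachToChild handler checks the PID it is handed.
        DkmCustomMessage attachRequest = DkmCustomMessage.Create(
            process.Connection,
            process,
            PackageServices.VsPackageMessageGuid,
            (int)VsPackageMessage.AttachToChild,
            process.LivePart.Id,
            info.dwProcessId);
        attachRequest.SendToVsService(PackageServices.DkmComponentEventHandler, false);
    }
    catch (Exception exception)
    {
        // Failures are recorded through the logger and swallowed.
        Logger.LogException(
            exception,
            "An error occured handling the exit breakpoint. HR = 0x{0:X}",
            exception.HResult);
    }
}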