示例#1
0
        protected override UnifiedBlockingObject GetCriticalSectionBlockingObject(UnifiedStackFrame frame)
        {
            UnifiedBlockingObject result = null;
            var parameters = GetParameters(frame, ENTER_CRITICAL_SECTION_FUNCTION_PARAM_COUNT);
            var criticalSectionAddress = ConvertToAddress(parameters[0]);

            byte[] buffer = new byte[Marshal.SizeOf(typeof(CRITICAL_SECTION))];
            int read;

            if (!_runtime.ReadMemory(criticalSectionAddress, buffer, buffer.Length, out read) || read != buffer.Length)
                throw new Exception($"Error reading critical section data from address: {criticalSectionAddress}");

            var gch = GCHandle.Alloc(buffer, GCHandleType.Pinned);
            try
            {
                CRITICAL_SECTION section = (CRITICAL_SECTION)Marshal.PtrToStructure(
                    gch.AddrOfPinnedObject(), typeof(CRITICAL_SECTION));
                result = new UnifiedBlockingObject(section, criticalSectionAddress);
            }
            finally
            {
                gch.Free();
            }
            return result;
        }
示例#2
0
        protected override UnifiedBlockingObject GetCriticalSectionBlockingObject(UnifiedStackFrame frame)
        {
            var parameters             = GetParameters(frame, ENTER_CRITICAL_SECTION_FUNCTION_PARAM_COUNT);
            var criticalSectionAddress = ConvertToAddress(parameters[0]);

            var section = ReadStructureFromAddress <CRITICAL_SECTION>(criticalSectionAddress);

            return(new UnifiedBlockingObject(section, criticalSectionAddress));
        }
示例#3
0
 protected override void ExtractWaitForSingleObjectInformation(UnifiedStackFrame frame)
 {
     var parameters = GetParameters(frame, WAIT_FOR_SINGLE_OBJECT_PARAM_COUNT);
     if (parameters.Count > 0)
     {
         var handle = ConvertToAddress(parameters[0]);
         AddSingleWaitInformation(frame, handle);
     }
 }
示例#4
0
        protected override void ExtractWaitForSingleObjectInformation(UnifiedStackFrame frame)
        {
            var parameters = GetParameters(frame, WAIT_FOR_SINGLE_OBJECT_PARAM_COUNT);

            if (parameters.Count > 0)
            {
                var handle = ConvertToAddress(parameters[0]);
                AddSingleWaitInformation(frame, handle);
            }
        }
示例#5
0
 protected override void ExtractWaitForMultipleObjectsInformation(UnifiedStackFrame frame)
 {
     var parameters = GetParameters(frame, WAIT_FOR_MULTIPLE_OBJECTS_PARAM_COUNT);
     if (parameters.Count > 0)
     {
         var numberOfHandles = BitConverter.ToUInt32(parameters[0], 0);
         var addressOfHandlesArray = ConvertToAddress(parameters[1]);
         AddMultipleWaitInformation(frame, numberOfHandles, addressOfHandlesArray);
     }
 }
示例#6
0
        internal override UnifiedBlockingObject GetNtDelayExecutionBlockingObject(UnifiedStackFrame frame)
        {
            var parameters          = GetParameters(frame, NTDELAY_EXECUTION_FUNCTION_PARAM_COUNT);
            var largeIntegerAddress = ConvertToAddress(parameters[1]);

            var largeInt = ReadStructureFromAddress <Int64>(largeIntegerAddress);
            var awaitMs  = (-largeInt) / 10000;

            return(new UnifiedBlockingObject(awaitMs));
        }
示例#7
0
        public bool GetCriticalSectionBlockingObject(UnifiedStackFrame frame, out UnifiedBlockingObject blockingObject)
        {
            blockingObject = null;

            if (frame.Handles != null && IsMatchingMethod(frame, ENTER_CRITICAL_SECTION_FUNCTION_NAME))
            {
                blockingObject = GetCriticalSectionBlockingObject(frame);
            }

            return(blockingObject != null);
        }
示例#8
0
        internal bool GetThreadSleepBlockingObject(UnifiedStackFrame frame, out UnifiedBlockingObject blockingObject)
        {
            blockingObject = null;

            if (IsMatchingMethod(frame, NTDELAY_EXECUTION_FUNCTION_NAME))
            {
                blockingObject = GetNtDelayExecutionBlockingObject(frame);
            }

            return(blockingObject != null);
        }
示例#9
0
        protected override void ExtractWaitForMultipleObjectsInformation(UnifiedStackFrame frame)
        {
            var parameters = GetParameters(frame, WAIT_FOR_MULTIPLE_OBJECTS_PARAM_COUNT);

            if (parameters.Count > 0)
            {
                var numberOfHandles       = BitConverter.ToUInt32(parameters[0], 0);
                var addressOfHandlesArray = ConvertToAddress(parameters[1]);
                AddMultipleWaitInformation(frame, numberOfHandles, addressOfHandlesArray);
            }
        }
示例#10
0
        protected void AddSingleWaitInformation(UnifiedStackFrame frame, ulong handleValue)
        {
            // TODO The process id can't be zero, or this will always fail!
            //      Currently we are running the stack walker only for dump files, which means
            //      we don't have an id to run DuplicateHandle against.
            var typeName   = GetHandleType((IntPtr)handleValue, 0);
            var objectName = GetHandleObjectName((IntPtr)handleValue, 0);

            UnifiedHandle unifiedHandle = new UnifiedHandle(handleValue, typeName, objectName);

            frame.Handles.Add(unifiedHandle);
        }
示例#11
0
        private void FillFaultingThreadAndModuleInformation(CommandExecutionContext context)
        {
            UnifiedStackTrace stackTrace = new UnifiedStackTrace(_dbgEngTarget.DebuggerInterface, context);

            _triageInformation.TotalThreadCount   = (int)stackTrace.NumThreads;
            _triageInformation.ManagedThreadCount = stackTrace.Threads.Count(t => t.IsManagedThread);

            LastEventInformation lastEventInformation = _dbgEngTarget.GetLastEventInformation();

            if (lastEventInformation == null)
            {
                return;
            }

            ThreadInfo faultingThread = stackTrace.Threads.SingleOrDefault(t => t.OSThreadId == lastEventInformation.OSThreadId);

            if (faultingThread == null)
            {
                return;
            }

            _triageInformation.FaultingThreadOSID      = faultingThread.OSThreadId;
            _triageInformation.IsFaultingThreadManaged = faultingThread.IsManagedThread;
            _triageInformation.EventDescription        = lastEventInformation.EventDescription;

            if (lastEventInformation.ExceptionRecord.HasValue)
            {
                _triageInformation.ExceptionCode = lastEventInformation.ExceptionRecord.Value.ExceptionCode;
            }
            if (faultingThread.IsManagedThread && faultingThread.ManagedThread.CurrentException != null)
            {
                _triageInformation.ManagedExceptionType = faultingThread.ManagedThread.CurrentException.Type.Name;
            }

            var frames = stackTrace.GetStackTrace(faultingThread.Index);

            UnifiedStackFrame faultingFrame = frames.FirstOrDefault(f => f.Module != null && !WellKnownMicrosoftModules.Contains(f.Module));

            if (faultingFrame != null)
            {
                _triageInformation.FaultingModule = faultingFrame.Module;
                _triageInformation.FaultingMethod = faultingFrame.Method;
            }

            if (ShowFaultingStack)
            {
                context.WriteLine("Faulting call stack:");
                stackTrace.PrintStackTrace(context, frames);
            }
        }
示例#12
0
        protected void AddMultipleWaitInformation(UnifiedStackFrame frame, uint numberOfHandles, ulong addressOfHandlesArray)
        {
            if (numberOfHandles > MAXIMUM_WAIT_OBJECTS)
            {
                numberOfHandles = MAXIMUM_WAIT_OBJECTS;
            }

            var handles = ReadHandles(addressOfHandlesArray, numberOfHandles);

            foreach (var handleBytes in handles)
            {
                ulong handleValue = ConvertToAddress(handleBytes);
                AddSingleWaitInformation(frame, handleValue);
            }
        }
示例#13
0
        private List <byte[]> GetParameters(UnifiedStackFrame stackFrame, int paramCount)
        {
            List <byte[]> result    = new List <byte[]>();
            var           offset    = stackFrame.FramePointer + 4; // Parameters start at EBP + 4
            int           bytesRead = 0;

            for (int i = 0; i < paramCount; i++)
            {
                byte[] paramBuffer = new byte[IntPtr.Size];
                offset += (uint)IntPtr.Size;
                if (_runtime.ReadMemory(offset, paramBuffer, paramBuffer.Length, out bytesRead))
                {
                    result.Add(paramBuffer);
                }
            }

            return(result);
        }
示例#14
0
        public bool SetFrameParameters(UnifiedStackFrame frame)
        {
            if (IsMatchingMethod(frame, WAIT_FOR_SINGLE_OBJECT_FUNCTION_NAME) ||
                IsMatchingMethod(frame, WAIT_FOR_SINGLE_OBJECT_EX_FUNCTION_NAME))
            {
                ExtractWaitForSingleObjectInformation(frame);
                return(true);
            }

            if (IsMatchingMethod(frame, WAIT_FOR_MULTIPLE_OBJECTS_FUNCTION_NAME) ||
                IsMatchingMethod(frame, WAIT_FOR_MULTIPLE_OBJECTS_EX_FUNCTION_NAME))
            {
                ExtractWaitForMultipleObjectsInformation(frame);
                return(true);
            }

            return(false);
        }
示例#15
0
        private List<byte[]> GetParameters(UnifiedStackFrame stackFrame, int paramCount)
        {
            List<byte[]> result = new List<byte[]>();
            var offset = stackFrame.FramePointer + 4; // Parameters start at EBP + 4
            int bytesRead = 0;

            for (int i = 0; i < paramCount; i++)
            {
                byte[] paramBuffer = new byte[IntPtr.Size];
                offset += (uint)IntPtr.Size;
                if (_runtime.ReadMemory(offset, paramBuffer, paramBuffer.Length, out bytesRead))
                {
                    result.Add(paramBuffer);
                }
            }

            return result;
        }
示例#16
0
 private bool IsMatchingMethod(UnifiedStackFrame frame, string key)
 {
     return frame?.Method == key;
 }
示例#17
0
 protected abstract void ExtractWaitForSingleObjectInformation(UnifiedStackFrame frame);
示例#18
0
 protected abstract void ExtractWaitForMultipleObjectsInformation(UnifiedStackFrame frame);
示例#19
0
 protected abstract UnifiedBlockingObject GetCriticalSectionBlockingObject(UnifiedStackFrame frame);
示例#20
0
 protected abstract void ExtractWaitForSingleObjectInformation(UnifiedStackFrame frame);
示例#21
0
 protected abstract void ExtractWaitForMultipleObjectsInformation(UnifiedStackFrame frame);
示例#22
0
        protected void AddSingleWaitInformation(UnifiedStackFrame frame, ulong handleValue)
        {
            // TODO The process id can't be zero, or this will always fail!
            //      Currently we are running the stack walker only for dump files, which means
            //      we don't have an id to run DuplicateHandle against.
            var typeName = GetHandleType((IntPtr)handleValue, 0);
            var objectName = GetHandleObjectName((IntPtr)handleValue, 0);

            UnifiedHandle unifiedHandle = new UnifiedHandle(handleValue, typeName, objectName);
            frame.Handles.Add(unifiedHandle);
        }
示例#23
0
        protected void AddMultipleWaitInformation(UnifiedStackFrame frame, uint numberOfHandles, ulong addressOfHandlesArray)
        {
            if (numberOfHandles > MAXIMUM_WAIT_OBJECTS)
                numberOfHandles = MAXIMUM_WAIT_OBJECTS;

            var handles = ReadHandles(addressOfHandlesArray, numberOfHandles);
            foreach (var handleBytes in handles)
            {
                ulong handleValue = ConvertToAddress(handleBytes);
                AddSingleWaitInformation(frame, handleValue);
            }
        }
示例#24
0
        public bool SetFrameParameters(UnifiedStackFrame frame)
        {
            if (IsMatchingMethod(frame, WAIT_FOR_SINGLE_OBJECT_FUNCTION_NAME) ||
                IsMatchingMethod(frame, WAIT_FOR_SINGLE_OBJECT_EX_FUNCTION_NAME))
            {
                ExtractWaitForSingleObjectInformation(frame);
                return true;
            }

            if (IsMatchingMethod(frame, WAIT_FOR_MULTIPLE_OBJECTS_FUNCTION_NAME) ||
                IsMatchingMethod(frame, WAIT_FOR_MULTIPLE_OBJECTS_EX_FUNCTION_NAME))
            {
                ExtractWaitForMultipleObjectsInformation(frame);
                return true;
            }

            return false;
        }
示例#25
0
        public bool GetCriticalSectionBlockingObject(UnifiedStackFrame frame, out UnifiedBlockingObject blockingObject)
        {
            bool result = false;

            if (frame.Handles != null && IsMatchingMethod(frame, ENTER_CRITICAL_SECTION_FUNCTION_NAME))
            {
                blockingObject = GetCriticalSectionBlockingObject(frame);
                result = blockingObject != null;
            }
            else
            {
                blockingObject = null;
            }

            return result;
        }
示例#26
0
 internal abstract UnifiedBlockingObject GetNtDelayExecutionBlockingObject(UnifiedStackFrame frame);
示例#27
0
 protected abstract UnifiedBlockingObject GetCriticalSectionBlockingObject(UnifiedStackFrame frame);
示例#28
0
 private bool IsMatchingMethod(UnifiedStackFrame frame, string key)
 {
     return(frame?.Method == key);
 }