WinDbg Extension stepping

Published 2019-08-13 23:57

Question:

I am trying to write an extension function that will run to the next call and then print out information about the next instruction.

I am using IDebugControl::Execute to run tc. As noted in the documentation, this call returns before the tracing has actually occurred. Sleeping or calling DispatchCallbacks does not see the tc trace occur before my extension returns.

How can I allow the trace to happen without returning from the call?

If I add my own DebugEventCallback then I can get notified of the triggered DebuggeeState and EngineState changes, but can't reach back into the engine from those callbacks.

Answer 1:

I think it is not a good idea to issue commands that change the debugger state through IDebugControl::Execute (g, t, etc.).

First you should implement a step command:

control->SetExecutionStatus(DEBUG_STATUS_STEP_OVER);   // ask the engine for one step
control->WaitForEvent(DEBUG_WAIT_DEFAULT, INFINITE);   // block until that step has completed

Then you can make a matcher for the call signature:

ULONG64 ip = 0, end = 0; ULONG size = 0; char disasmStr[256];
registers->GetInstructionOffset(&ip);                                    // IP of the current thread
control->Disassemble(ip, 0, disasmStr, sizeof(disasmStr), &size, &end);  // one instruction at ip
return std::string(disasmStr);   // "<address> <bytes> <mnemonic> <operands>"

Then you can build your own tc:

while (CurrentInstruction().find("call") == std::string::npos) makeOneStep();   // stop once ip is on a call

You can use our Python extension: pykd.codeplex.com

Python code will look like:

from pykd import disasm, step
while disasm().instruction().find('call') < 0:   # instruction() returns the current line as text
    step()
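An added Python example of the "build your own tc" loop above (not code from the answer or from pykd): it compares the mnemonic token rather than searching for the substring "call" (which also matches syscall), caps the number of steps so the loop cannot hang the debugger, and runs against a constructed instruction stream; the pykd wiring named in the docstring is an assumption.

```python
from typing import Callable, Optional, Tuple

# Mnemonics we stop on. A substring test for "call" would also fire on
# "syscall", so the whole mnemonic token is compared instead.
CALL_MNEMONICS = {"call"}

def mnemonic_of(line: str) -> Optional[str]:
    """Mnemonic of a WinDbg-style line '<addr> <bytes> <mnemonic> [operands]', else None."""
    tokens = line.split()
    return tokens[2].lower() if len(tokens) >= 3 else None

def is_call(line: str) -> bool:
    return mnemonic_of(line) in CALL_MNEMONICS

def run_to_call(disasm: Callable[[], str], step: Callable[[], None],
                max_steps: int = 10000) -> Tuple[Optional[str], int]:
    """Single-step until the instruction at the current IP is a call.

    disasm() returns the disassembly of the current instruction and step()
    executes exactly one instruction. With pykd the assumed wiring is
    run_to_call(lambda: pykd.disasm().instruction(), pykd.step).
    Returns (call_line, steps_taken); call_line is None when max_steps ran
    out, so a runaway trace cannot hang the debugger session.
    """
    for steps in range(max_steps):
        line = disasm()
        if is_call(line):
            return line, steps
        step()
    return None, max_steps

class FakeTarget:
    """Constructed stand-in for the debuggee: an instruction list plus an IP index."""
    def __init__(self, trace):
        self.trace, self.ip = list(trace), 0
    def disasm(self) -> str:
        return self.trace[self.ip]
    def step(self) -> None:
        self.ip = min(self.ip + 1, len(self.trace) - 1)  # stay on the last instruction

# Constructed sample trace in WinDbg 'u' layout (addresses and bytes are made up).
SAMPLE_TRACE = [
    "00007ff6`3a8b1000 4883ec28        sub     rsp,28h",
    "00007ff6`3a8b1004 0f05            syscall",
    "00007ff6`3a8b1006 e8a5000000      call    demo!helper (00007ff6`3a8b10b0)",
    "00007ff6`3a8b100b 4883c428        add     rsp,28h",
]
def demo() -> Tuple[Optional[str], int]:
    target = FakeTarget(SAMPLE_TRACE)
    return run_to_call(target.disasm, target.step)
```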