NativeDebugWrappers
Interface to a context. This provides platform agnostic wrapper to a platform specific OS Context.
Used to lock the buffer and get a raw pointer to it.
This is the only way to change the entire context at once.
This is useful for pinvoking to native functions.
context writer object
Expected usage would be (in C# syntax):
IContext c = NativeContextAllocator.Alloc();
using(IContextWriter w = c.OpenForDirectAccess) { // context buffer is now locked
SomeNativeFunctionToGetThreadContext(w.RawBuffer, w.Size);
} // w is disposed, this unlocks the context buffer.
This will return the context specific flags for the given AgnosticContextFlags
the value (found in the enum) of the platform specific flags desired
This will clear the context buffer.
Enable or disable the single-step flag in the context.
true to enable single-stepping, false to disable it
Throws if the architecture doesn't support single-stepping.
Create a new deep copy of this context.
The copies are independent and can be modified without interfering with each other.
copy of this context
Contexts can be large, so copying excessively would be expensive.
INativeContext c1 = ...
INativeContext c2 = c1.Clone();
Assert(c1 != c2); // true, Clone gives different instances
Assert(c1.Equals(c2)); // true
Assert(c2.Equals(c1)); // true
Enumerate registers names (and their types) for late-bound access. Available registers depend on the flags.
an enumeration of (name,type) pairs
An implementation does not need to include all registers on the context.
The returned strings can be used with other by-name functions like
and .
Get a register by name
Name of the registers. Lookup is case insensitive
value of register. Registers can be arbitrary types (uint32, double, long, etc), so this
returns an object. Throws if name is not currently valid
Sets a register by name.
Case-insensitive name of register to set.
value of register to set. Type of value must be convertable to type of the register
Throws if no matching name or if register is not valid for the given Flags.
Get Size in bytes. Size could change depending on the flags.
Get the flags associated with the context.
Flags are platform specific and generally indicate which parts of the context are valid.
Flags will affect which registers are available (EnumerateRegisters), potentially the Size of the context,
and how contexts are compared.
Expanding the active flags means newly included registers have an uninitialized value.
A context could be completely constructed late-bound by setting the Flags and then calling
SetRegisterByName on each regsister
Get or Set the instruction pointer
Get the stack pointer
Is the single step flag enabled?
Get a simple string description of the CPU the context is for. A implementation may also provide a ToString()
override to give more detail (eg, which flags are active)
Get the ImageFileMachine code. This is used for getting an interop callstack for a machine.
Used by TraverseStack
Base class for DumpReader exceptions
Dump is valid, but missing the requested data.
Dump is malformed or corrupted.
Immutable pointer into the dump file. Has associated size for runtime checking.
Returns a DumpPointer to the same memory, but associated with a smaller size.
smaller size to shrink the pointer to.
new DumpPointer
Copy numberBytesToCopy from the DumpPointer into &destinationBuffer[indexDestination].
buffer for memory
size of allocated buffer
index into buffer
number of bytes to copy
Copy raw bytes to buffer
buffer to copy to.
number of bytes to copy. Caller ensures the destinationBuffer
is large enough
Marshal this into a managed structure, and do bounds checks.
Type of managed structure to marshal as
a managed copy of the structure
Read contents of a minidump.
If we have a 32-bit dump, then there's an addressing collision possible.
OS debugging code sign extends 32 bit wide addresses into 64 bit wide addresses.
The CLR does not sign extend, thus you cannot round-trip target addresses exposed by this class.
Currently we read these addresses once and don't hand them back, so it's not an issue.
Translates from an RVA to Dump Pointer.
RVA within the dump
DumpPointer representing RVA.
Translates from an RVA to Dump Pointer.
RVA within the dump
DumpPointer representing RVA.
Translates from an RVA to Dump Pointer.
RVA within the dump
DumpPointer representing RVA.
Gets a MINIDUMP_STRING at the given RVA as an System.String.
RVA of MINIDUMP_STRING
System.String representing contents of MINIDUMP_STRING at the given RVA
Gets a MINIDUMP_STRING at the given DumpPointer as an System.String.
DumpPointer to a MINIDUMP_STRING
System.String representing contents of MINIDUMP_STRING at the given location
in the dump
Read memory from the dump file and return results in newly allocated buffer
target address in dump to read length bytes from
number of bytes to read
newly allocated byte array containing dump memory
All memory requested must be readable or it throws.
Read memory from the dump file and copy into the buffer
target address in dump to read buffer.Length bytets from
destination buffer to copy target memory to.
All memory requested must be readable or it throws.
Read memory from target and copy it to the local buffer pointed to by
destinationBuffer. Throw if any portion of the requested memory is unavailable.
target address in dump file to copy
destinationBufferSizeInBytes bytes from.
pointer to copy the memory to.
size of the destinationBuffer in bytes.
Read memory from target and copy it to the local buffer pointed to by destinationBuffer.
target address in dump file to copy
destinationBufferSizeInBytes bytes from.
pointer to copy the memory to.
size of the destinationBuffer in bytes.
Number of contiguous bytes successfuly copied into the destination buffer.
ToString override.
string description of the DumpReader.
Constructor
filename to open dump file
Dispose method.
Get a DumpPointer for the given stream. That can then be used to further decode the stream.
type of stream to lookup
DumpPointer refering into the stream.
Get the thread for the given thread Id.
thread Id to lookup.
a DumpThread object representing a thread in the dump whose thread id matches
the requested id.
Enumerate all the native threads in the dump
an enumerate of DumpThread objects
Check on whether there's an exception stream in the dump
true iff there is a MINIDUMP_EXCEPTION_STREAM in the dump.
Return the TID from the exception stream.
The TID from the exception stream.
Lookup the first module in the target with a matching.
The name can either be a matching full name, or just shortname
The first DumpModule that has a matching name.
Return the module containing the target address, or null if no match.
address in target
Null if no match. Else a DumpModule such that the target address is in between the range specified
by the DumpModule's .BaseAddress and .Size property
This can be useful for symbol lookups or for using module images to
supplement memory read requests for minidumps.
Enumerate all the modules in the dump.
Version numbers of OS that this dump was taken on.
Operating system that the dump was taken on.
Friendly helper to get full OS version string (including CSDVersion) that the dump was taken on.
This is really just to compensate that public OperatingSystem's ctor doesn't let us
add the service pack string, so we need a special helper for that.
The processor architecture that this dump was taken on.
Remove the OS sign-extension from a target address.
Type of stream within the minidump.
Describes a data stream within the minidump
Size of the stream in bytes.
Offset (in bytes) from the start of the minidump to the data stream.
True iff the data is missing.
Describes a data stream within the minidump
Size of the stream in bytes.
Offset (in bytes) from the start of the minidump to the data stream.
Describes a range of memory in the target.
Starting Target address of the memory range.
Location in minidump containing the memory corresponding to StartOfMemoryRage
Describes a range of memory in the target.
This is used for full-memory minidumps where
all of the raw memory is laid out sequentially at the
end of the dump. There is no need for individual RVAs
as the RVA is the base RVA plus the sum of the preceeding
data blocks.
Starting Target address of the memory range.
Size of memory in bytes.
The struct that holds an EXCEPTION_RECORD
The struct that holds contents of a dump's MINIDUMP_STREAM_TYPE.ExceptionStream
which is a MINIDUMP_EXCEPTION_STREAM.
Describes system information about the system the dump was taken on.
This is returned by the MINIDUMP_STREAM_TYPE.SystemInfoStream stream.
Address that module is loaded within target.
Size of image within memory copied from IMAGE_OPTIONAL_HEADER.SizeOfImage.
Note that this is usually different than the file size.
Checksum, copied from IMAGE_OPTIONAL_HEADER.CheckSum. May be 0 if not optional
header is not available.
TimeStamp in Unix 32-bit time_t format. Copied from IMAGE_FILE_HEADER.TimeDateStamp
RVA within minidump of the string containing the full path of the module.
Gets TimeDateStamp as a DateTime. This is based off a 32-bit value and will overflow in 2038.
This is not the same as the timestamps on the file.
Raw MINIDUMP_THREAD structure imported from DbgHelp.h
Describes the memory location of the thread's raw stack.
List of Threads in the minidump.
Represents a native module in a dump file. This is a flyweight object.
Constructor
owning DumpReader
unmanaged dump structure describing the module
Usually, the full filename of the module. Since the dump may not be captured on the local
machine, be careful of using this filename with the local file system.
In some cases, this could be a short filename, or unavailable.
Base address within the target of where this module is loaded.
Size of this module in bytes as loaded in the target.
UTC Time stamp of module. This is based off a 32-bit value and will overflow in 2038.
This is different than any of the filestamps. Call ToLocalTime() to convert from UTC.
Gets the raw 32 bit time stamp. Use the Timestamp property to get this as a System.DateTime.
Represents a thread from a minidump file. This is a flyweight object.
Constructor for DumpThread
owning DumpReader object
unmanaged structure in dump describing the thread
Safe way to get a thread's context
a native context object representing the thread context
Get the raw thread context as a buffer or bytes. This is dangerous.
pointer to buffer to get the context
size of the buffer in bytes. Must be large enough to hold the
context. For variable-size contexts, caller may need to check context flags afterwards
to determine how large the context really is.
Context may not be available in the dump.
The native OS Thread Id of this thread.
Utility class to provide various random Native debugging operations.
Marshal a structure from the given buffer. Effectively returns ((T*) &buffer[offset]).
type of structure to marshal
array of bytes representing binary buffer to marshal
offset in buffer to marhsal from
marshaled structure
Gets the raw compilation timestamp of a file.
This can be matched with the timestamp of a module in a dump file.
NOTE: This is NOT the same as the file's creation or last-write time.
0 for common failures like file not found or invalid format. Throws on gross
errors. Else returns the module's timestamp for comparison against the minidump
module's stamp.
Determine if this is a valid DOS image.
Thrown when failing to read memory from a target.
Initialize a new exception
address where read failed
size of read attempted
Initializes a new instance of the ReadMemoryFailureException.
Initializes a new instance of the ReadMemoryFailureException with the specified error message.
The message that describes the error.
Initializes a new instance of the ReadMemoryFailureException with the specified error message and inner Exception.
The message that describes the error.
The exception that is the cause of the current exception.
Initializes a new instance of the ReadMemoryFailureException class with serialized data.
The SerializationInfo that holds the serialized object data about the exception being thrown.
The StreamingContext that contains contextual information about the source or destination.
Interface to provide access to target
Read memory from the target process. Either reads all memory or throws.
target address to read memory from
buffer to fill with memory
Throws if can't read all the memory
Platform agnostic flags used to extract platform-specific context flag values
Native debug event Codes that are returned through NativeStop event
Common Exception codes
Users can define their own exception codes, so the code could be any value.
The OS reserves bit 28 and may clear that for its own purposes
Fired when debuggee gets a Control-C.
Flags for
No flags.
Exception can not be continued. Debugging services can still override this to continue the exception, but recommended to warn the user in this case.
Information about an exception
This will default to the correct caller's platform
Address in the debuggee that the exception occured at.
Number of parameters used in ExceptionInformation array.
Based off ExceptionFlags, is the exception Non-continuable?
Information about an exception debug event.
Read the image name from the target.
access to target's memory
String for full path to image. Null if name not available
MSDN says this will never be provided for during Attach scenarios; nor for the first 1 or 2 dlls.
Read the log message from the target.
interface to access debuggee memory
string containing message or null if not available
Matches DEBUG_EVENT layout on 32-bit architecture
Matches DEBUG_EVENT layout on 64-bit architecture
Values to pass to ContinueDebugEvent for ContinueStatus
This is our own "empty" value
Debugger consumes exceptions. Debuggee will never see the exception. Like "gh" in Windbg.
Debugger does not interfere with exception processing, this passes the exception onto the debuggee.
Like "gn" in Windbg.
Serves as the global method for creating a platform-specific context
Generates a new context object for the platform in which Mdbg is running.
Newly allocated platform specific context
Throws if running on an unsupported platform
Determines the platform architecture the OS is running a process in. Wow mode processes
will report INTEL (32bit) otherwise all processes run in the native system architecture
Generates a new context object for the current platform. This does NOT account for Wow mode processes.
This method should be primarily used for dump debugging.
The architecture for which to create the context
Newly allocated platform specific context.
Throws if running on an unsupported platform
Exposes raw contents of the Context in IContext. This locks the buffer. Dispose this object to unlock the buffer
The implementation behind the interface has a variety of ways to ensure the memory is safe to write to.
The buffer may be in the native heap; or it may be to a pinned object in the managed heap
This is primarily intended for writing to the context (by passing the buffer out to a pinvoke),
but can also be a way to read the raw bytes.
The size of the buffer. This should be the same as INativeContext.Size.
A pointer to the raw buffer. The memory is pinned until this object is disposed. Check the context Flags
to know which raw bytes are valid to be read.
The size of the buffer. This should be the same as Context.Size.
A pointer to the raw buffer. The memory is pinned until this object is disposed. Check the context Flags
to know which raw bytes are valid to be read.
Describes the ProcessorArchitecture in a SYSTEM_INFO field.
This can also be reported by a dump file.
A very basic PE reader that can extract a few useful pieces of information