How to get partition / offset resolution information from windbg / dbgeng api?

I am writing an extension for Windbg, and at some point I need to get permissions for memory offset, similar to what !address addr in Windbg will provide. I looked at the available debugger API functions here:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff551059%28v=vs.85%29.aspx

However, I was unable to find such a function that would return the section / permissions information regarding memory offset. Basically, I would like to get the section that contains the address, data section, text section, etc., what permissions does it have, etc.

The closest sounding function I've found is GetOffsetInformation in the IDebugDataSpaces4 interface. However, according to the documentation, it doesn't provide anything from what I'm looking for:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff548055(v=vs.85).aspx

I could always run a command !address and process its output, but I was looking for a cleaner way that I could get this information directly using the API.

Am I missing something? Is there a documented / undocumented way that I could achieve this?

+3


1 answer


QueryVirtual not working?

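#include <engextcpp.hpp>

class EXT_CLASS : public ExtExtension
{
public:
    EXT_COMMAND_METHOD(getoffinfo);
};

EXT_DECLARE_GLOBALS();

// !getoffinfo <address>: print the virtual-memory region that contains
// <address>, using IDebugDataSpaces2::QueryVirtual.
EXT_COMMAND( getoffinfo, "", "{;e,d=0;getoffinfo;simulates !address <address>}" )
{
    ULONG64 Offset  = GetUnnamedArgU64(0);
    if (Offset == 0)
    {
        Out( "usage !getoffinfo <address>\n");
    }
    else
    {
        MEMORY_BASIC_INFORMATION64 meminfo;
        memset(&meminfo,0,sizeof(MEMORY_BASIC_INFORMATION64 ));
        // Do not print a zeroed structure if the query fails.
        HRESULT hr = m_Data2->QueryVirtual(Offset,&meminfo);
        if (FAILED(hr))
        {
            Out("QueryVirtual failed: 0x%08x\n", hr);
            return;
        }
        // The address and size fields are ULONG64 and need %I64x;
        // Type and State are 32-bit and keep %x.
        Out("Allocation Base    :   %I64x\n",meminfo.AllocationBase);
        Out("Base Address       :   %I64x\n",meminfo.BaseAddress);
        // The region ends at BaseAddress + RegionSize, not AllocationBase + RegionSize.
        Out("End Address        :   %I64x\n",meminfo.BaseAddress + meminfo.RegionSize);
        Out("RegionSize         :   %I64x\n",meminfo.RegionSize);
        Out("Type               :   %x\n",meminfo.Type);
        Out("State              :   %x\n",meminfo.State);
    }
}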

      



do the following

0:000> !address windbg
Usage:                  Image
Allocation Base:        01000000
Base Address:           01000000
End Address:            01001000
Region Size:            00001000
Type:                   01000000    MEM_IMAGE
State:                  00001000    MEM_COMMIT
Protect:                00000002    PAGE_READONLY
More info:              lmv m windbg
More info:              !lmi windbg
More info:              ln 0x1000000

0:000> .load getoffinfo
0:000> !getoffinfo
usage !getoffinfo <address>
0:000> !getoffinfo windbg
Allocation Base    :   1000000
Base Address       :   1000000
End Address        :   1001000
RegionSize         :   1000
Type               :   1000000
State              :   1000

      

+3
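An added example, not part of the answer above: the extension prints Type and State as raw hex, while !address also names them and shows Protect. The helpers below decode the Type, State and Protect values of MEMORY_BASIC_INFORMATION64 and flag committed regions that are both writable and executable. The flag values are those documented in winnt.h, redefined here so the block builds without the Windows SDK; the function names are chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Values match the PAGE_* / MEM_* constants in winnt.h (redefined for portability).
struct Flag { uint32_t value; const char* name; };
static const Flag kProtect[] = {
    {0x01, "PAGE_NOACCESS"}, {0x02, "PAGE_READONLY"},
    {0x04, "PAGE_READWRITE"}, {0x08, "PAGE_WRITECOPY"},
    {0x10, "PAGE_EXECUTE"}, {0x20, "PAGE_EXECUTE_READ"},
    {0x40, "PAGE_EXECUTE_READWRITE"}, {0x80, "PAGE_EXECUTE_WRITECOPY"},
    {0x100, "PAGE_GUARD"}, {0x200, "PAGE_NOCACHE"}, {0x400, "PAGE_WRITECOMBINE"}};
static const Flag kState[] = {
    {0x1000, "MEM_COMMIT"}, {0x2000, "MEM_RESERVE"}, {0x10000, "MEM_FREE"}};
static const Flag kType[] = {
    {0x20000, "MEM_PRIVATE"}, {0x40000, "MEM_MAPPED"}, {0x1000000, "MEM_IMAGE"}};

// Join the names of all known bits set in `bits`; unknown bits are kept as hex.
template <std::size_t N>
std::string Decode(uint32_t bits, const Flag (&table)[N]) {
    std::string out;
    for (const Flag& f : table) {
        if ((bits & f.value) == 0) continue;
        if (!out.empty()) out += " | ";
        out += f.name;
        bits &= ~f.value;
    }
    if (bits != 0 || out.empty()) {   // leftover bits, or nothing set at all
        char buf[16];
        std::snprintf(buf, sizeof buf, "0x%x", bits);
        if (!out.empty()) out += " | ";
        out += buf;
    }
    return out;
}
std::string DecodeProtect(uint32_t v) { return Decode(v, kProtect); }
std::string DecodeState(uint32_t v)   { return Decode(v, kState); }
std::string DecodeType(uint32_t v)    { return Decode(v, kType); }

// True for a committed region that is writable and executable at once
// (PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY), worth a second look.
bool IsWritableExecutable(uint32_t state, uint32_t protect) {
    return (state & 0x1000) != 0 && (protect & (0x40 | 0x80)) != 0;
}

int main() {  // values from the !address output shown above
    std::printf("%s %s %s\n", DecodeType(0x1000000).c_str(),
                DecodeState(0x1000).c_str(), DecodeProtect(0x2).c_str());
}
```

Inside the extension, pass meminfo.Type, meminfo.State and meminfo.Protect to these functions and print the result with Out("%s\n", ...).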

