How do I get type information at runtime from a DMP file in a WinDbg extension?

Posted 2024-08-27 21:24:18

This is related to my previous question, regarding pulling objects from a dmp file.

As I mentioned in the previous question, I can successfully pull objects out of the dmp file by creating wrapper 'remote' objects. I have implemented several of these so far, and it seems to be working well. However, I have run into a snag.

In one case, a pointer is stored in a class, say of type 'SomeBaseClass', but that object is actually of the type 'SomeDerivedClass' which derives from 'SomeBaseClass'. For example, it would be something like this:

MyApplication!SomeObject
   +0x000 field1            : Ptr32 SomeBaseClass
   +0x004 field2            : Ptr32 SomeOtherClass
   +0x008 field3            : Ptr32 SomeOtherClass

I need some way to find out what the ACTUAL type of 'field1' is.

To be more specific, using example addresses:

MyApplication!SomeObject
   +0x000 field1            : 0cae2e24 SomeBaseClass
   +0x004 field2            : 0x262c8d3c SomeOtherClass
   +0x008 field3            : 0x262c8d3c SomeOtherClass

0:000> dt SomeBaseClass 0cae2e24 
MyApplication!SomeBaseClass
   +0x000 __VFN_table : 0x02de89e4 
   +0x038 basefield1         : (null) 
   +0x03c basefield2        : 3

0:000> dt SomeDerivedClass 0cae2e24 
MyApplication!SomeDerivedClass
   +0x000 __VFN_table : 0x02de89e4 
   +0x038 basefield1        : (null) 
   +0x03c basefield2        : 3
   +0x040 derivedfield1     : 357
   +0x044 derivedfield2     : timecode_t

When I am in WinDbg, I can do this:

dt 0x02de89e4 

And it will show the type:

0:000> dt 0x02de89e4 
SomeDerivedClass::`vftable'
Symbol  not found.

But how do I get that inside an extension? Can I use SearchMemory() to look for 'SomeDerivedClass::`vftable'? If you follow my other question, I need this type information so I know what type of wrapper remote classes to create. I figure it might end up being some sort of case statement, where I have to match a string to a type? I am ok with that, but I still don't know where I can get that string that represents the type of the object in question (i.e. SomeObject->field1 in the above example).

Comments (1)

以往的大感动 2024-09-03 21:24:18

DOH! It was much simpler than I thought. The virtual function tables are simply other symbols, so I can use GetSymbol() with the address of field1's vftable. Then simply set up a case statement with the few types I expect, and create the right one for the situation.

For example:

// Inside an extension command (wdbgexts): resolve the vftable address read from field1.
char buffer[255];
ULONG64 displacement = 0;
GetSymbol(0x02de89e4, buffer, &displacement);

dprintf("0x%08lx = %s\n", 0x02de89e4, buffer);

In WinDbg when I run the extension this outputs:

0x02de89e4 = MyApplication!SomeDerivedClass::`vftable'

Simple. Just have to parse that buffer and I should be good to go...
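An added example (not the poster's code) that carries the answer through: it turns the string GetSymbol() returns for a vftable address into a bare class name and replaces the case statement with a name-to-factory table. The debugger calls are abstracted behind callbacks (ReadPointer standing in for ReadMemory, SymbolResolver for GetSymbol) so the logic can be exercised outside WinDbg; the RemoteBase/RemoteDerived wrappers, the `{for `Base'}` handling for multiple-inheritance vtables, and the assumption that the vptr is the object's first field (as the `+0x000 __VFN_table` dump above shows) are mine, not from the post.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <string>

// What a symbol lookup (GetSymbol in a wdbgexts extension) yields for an address.
struct SymbolHit { std::string name; uint64_t displacement = 0; };
using ReadPointer    = std::function<bool(uint64_t addr, uint64_t& value)>;   // stands in for ReadMemory
using SymbolResolver = std::function<bool(uint64_t addr, SymbolHit& out)>;    // stands in for GetSymbol

// Extract "SomeDerivedClass" from "MyApplication!SomeDerivedClass::`vftable'", also from
// the MSVC multiple-inheritance form "Class::`vftable'{for `Base'}". Returns "" for a
// non-vftable symbol or a non-zero displacement (pointer is not at the start of a vtable).
std::string ClassFromVftableSymbol(const SymbolHit& hit) {
    static const std::string kTag = "::`vftable'";
    if (hit.displacement != 0) return "";
    std::string s = hit.name;
    size_t bang = s.find('!');
    if (bang != std::string::npos) s = s.substr(bang + 1);   // drop the "Module!" prefix
    size_t tag = s.rfind(kTag);
    if (tag == std::string::npos) return "";
    std::string tail = s.substr(tag + kTag.size());
    if (!tail.empty() && tail.rfind("{for `", 0) != 0) return "";
    return s.substr(0, tag);
}

// Hypothetical stand-ins for the poster's 'remote' wrapper classes.
struct RemoteObject { virtual ~RemoteObject() = default; virtual std::string TypeName() const = 0; uint64_t address = 0; };
struct RemoteBase    : RemoteObject { std::string TypeName() const override { return "SomeBaseClass"; } };
struct RemoteDerived : RemoteObject { std::string TypeName() const override { return "SomeDerivedClass"; } };

// Read the vptr (first pointer-sized field of the object), resolve it to a symbol and pick
// the wrapper from a name->factory table: the "case statement" from the answer.
std::unique_ptr<RemoteObject> WrapObject(uint64_t objAddr, const ReadPointer& readPtr,
                                         const SymbolResolver& resolve) {
    using Factory = std::function<std::unique_ptr<RemoteObject>()>;
    static const std::map<std::string, Factory> kFactories = {
        {"SomeBaseClass",    [] { return std::make_unique<RemoteBase>(); }},
        {"SomeDerivedClass", [] { return std::make_unique<RemoteDerived>(); }},
    };
    uint64_t vptr = 0; SymbolHit hit;
    if (!readPtr(objAddr, vptr) || !resolve(vptr, hit)) return nullptr;
    auto it = kFactories.find(ClassFromVftableSymbol(hit));
    if (it == kFactories.end()) return nullptr;   // unknown dynamic type: let the caller decide
    auto obj = it->second();
    obj->address = objAddr;
    return obj;
}
```

In a real extension the two callbacks would wrap ReadMemory() and GetSymbol(); an unknown class name returns nullptr rather than guessing, so a new derived type shows up as a visible gap instead of a wrong wrapper.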
