Main Page | Class Hierarchy | Class List | File List | Class Members | File Members

dbgk.h File Reference

Go to the source code of this file.

Functions

VOID DbgkCreateThread (PVOID StartAddress)
VOID DbgkExitThread (NTSTATUS ExitStatus)
VOID DbgkExitProcess (NTSTATUS ExitStatus)
VOID DbgkMapViewOfSection (IN HANDLE SectionHandle, IN PVOID BaseAddress, IN ULONG SectionOffset, IN ULONG_PTR ViewSize)
VOID DbgkUnMapViewOfSection (IN PVOID BaseAddress)
BOOLEAN DbgkForwardException (IN PEXCEPTION_RECORD ExceptionRecord, IN BOOLEAN DebugException, IN BOOLEAN SecondChance)

Function Documentation

VOID DbgkCreateThread PVOID  StartAddress  ) 
 

Definition at line 211 of file dbgkproc.c.

References _EPROCESS::CreateProcessReported, DbgkpSectionHandleToFileHandle(), DbgkpSendApiMessage(), _ETHREAD::DeadThread, _EPROCESS::DebugPort, EXCEPTION_EXECUTE_HANDLER, ExFreePool(), FALSE, FileName, IMAGE_ADDRESSING_MODE_32BIT, IMAGE_INFO, _IMAGE_INFO::ImageAddressingMode, _IMAGE_INFO::ImageBase, _IMAGE_INFO::ImageSectionNumber, _IMAGE_INFO::ImageSelector, _IMAGE_INFO::ImageSize, KernelMode, L, MmGetFileNameForSection(), NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, _EPROCESS::Pcb, _IMAGE_INFO::Properties, PsCallImageNotifyRoutines(), PsGetCurrentProcess, PsGetCurrentThread, PsImageNotifyEnabled, PsLockProcess(), PsLockWaitForever, PsNtDllPathName, PsSystemDllBase, PsUnlockProcess(), RtlAnsiStringToUnicodeString(), RtlFreeUnicodeString(), RtlImageNtHeader(), RtlInitUnicodeString(), _EPROCESS::SectionBaseAddress, _EPROCESS::SectionHandle, Status, TRUE, _EPROCESS::UniqueProcessId, _KPROCESS::UserTime, and ZwOpenFile().

Referenced by PspUserThreadStartup(). 

00217                    :
00218 
00219     This function is called when a new thread begins to execute. If the
00220     thread has an associated DebugPort, then a message is sent thru the
00221     port.
00222 
00223     If this thread is the first thread in the process, then this event
00224     is translated into a CreateProcessInfo message.
00225 
00226     If a message is sent, then while the thread is awaiting a reply,
00227     all other threads in the process are suspended.
00228 
00229 Arguments:
00230 
00231     StartAddress - Supplies the start address for the thread that is
00232         starting.
00233 
00234 Return Value:
00235 
00236     None.
00237 
00238 --*/
00239 
00240 {
00241     PVOID Port;
00242     DBGKM_APIMSG m;
00243     PDBGKM_CREATE_THREAD CreateThreadArgs;
00244     PDBGKM_CREATE_PROCESS CreateProcessArgs;
00245     PETHREAD Thread;
00246     PEPROCESS Process;
00247     PDBGKM_LOAD_DLL LoadDllArgs;
00248     NTSTATUS Status;
00249     OBJECT_ATTRIBUTES Obja;
00250     IO_STATUS_BLOCK IoStatusBlock;
00251     PIMAGE_NT_HEADERS NtHeaders;
00252 
00253     PAGED_CODE();
00254 
00255     Process = PsGetCurrentProcess();
00256 
00257     Port = PsGetCurrentThread()->HideFromDebugger ? NULL : Process->DebugPort;
00258 
00259     if ( PsImageNotifyEnabled && !Process->Pcb.UserTime) {
00260         IMAGE_INFO ImageInfo;
00261         PIMAGE_NT_HEADERS NtHeaders;
00262         ANSI_STRING FileName;
00263         UNICODE_STRING UnicodeFileName;
00264         PUNICODE_STRING pUnicodeFileName;
00265 
00266         //
00267         // notification of main .exe
00268         //
00269         ImageInfo.Properties = 0;
00270         ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
00271         ImageInfo.ImageBase = Process->SectionBaseAddress;
00272         ImageInfo.ImageSize = 0;
00273 
00274         try {
00275             NtHeaders = RtlImageNtHeader(Process->SectionBaseAddress);
00276     
00277             if ( NtHeaders ) {
00278                 ImageInfo.ImageSize = NtHeaders->OptionalHeader.SizeOfImage;
00279                 }
00280             }
00281         except(EXCEPTION_EXECUTE_HANDLER) {
00282             ImageInfo.ImageSize = 0;
00283         }
00284         ImageInfo.ImageSelector = 0;
00285         ImageInfo.ImageSectionNumber = 0;
00286 
00287         pUnicodeFileName = NULL;
00288         Status = MmGetFileNameForSection(Process->SectionHandle, (PSTRING)&FileName);
00289         if ( NT_SUCCESS(Status) ) {
00290             Status = RtlAnsiStringToUnicodeString(&UnicodeFileName,&FileName,TRUE);
00291             ExFreePool(FileName.Buffer);
00292             if ( NT_SUCCESS(Status) ) {
00293                 pUnicodeFileName = &UnicodeFileName;
00294                 }
00295             }
00296         PsCallImageNotifyRoutines(
00297                     pUnicodeFileName,
00298                     Process->UniqueProcessId,
00299                     &ImageInfo
00300                     );
00301         if ( pUnicodeFileName ) {
00302             RtlFreeUnicodeString(pUnicodeFileName);
00303             }
00304 
00305         //
00306         // and of ntdll.dll
00307         //
00308         ImageInfo.Properties = 0;
00309         ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
00310         ImageInfo.ImageBase = PsSystemDllBase;
00311         ImageInfo.ImageSize = 0;
00312 
00313         try {
00314             NtHeaders = RtlImageNtHeader(PsSystemDllBase);
00315             if ( NtHeaders ) {
00316                 ImageInfo.ImageSize = NtHeaders->OptionalHeader.SizeOfImage;
00317                 }
00318             }
00319         except(EXCEPTION_EXECUTE_HANDLER) {
00320             ImageInfo.ImageSize = 0;
00321             }
00322 
00323         ImageInfo.ImageSelector = 0;
00324         ImageInfo.ImageSectionNumber = 0;
00325 
00326         RtlInitUnicodeString(&UnicodeFileName,L"\\SystemRoot\\System32\\ntdll.dll");
00327         PsCallImageNotifyRoutines(
00328                     &UnicodeFileName,
00329                     Process->UniqueProcessId,
00330                     &ImageInfo
00331                     );
00332         }
00333 
00334 
00335     if ( !Port ) {
00336 
00337         return;
00338     }
00339 
00340     Thread = PsGetCurrentThread();
00341 
00342     if ( Thread->DeadThread ) {
00343         return;
00344     }
00345 
00346     //
00347     // To determine if this should be turned into a create process,
00348     // all threads in the process are suspended. The process list
00349     // is then examined to see if the curent thread is the only thread
00350     // on the list. If so, this becomes a create process message
00351     //
00352 
00353     PsLockProcess(Process,KernelMode,PsLockWaitForever);
00354 
00355     //
00356     // If we are doing a debug attach, then the create process has
00357     // already occured. If this is the case, then the process has
00358     // accumulated some time, so set reported to true
00359     //
00360 
00361     if ( Process->Pcb.UserTime ) {
00362         Process->CreateProcessReported = TRUE;
00363         }
00364 
00365     if ( Process->CreateProcessReported == FALSE ) {
00366 
00367         //
00368         // This is a create process
00369         //
00370 
00371         Process->CreateProcessReported = TRUE;
00372 
00373         CreateThreadArgs = &m.u.CreateProcessInfo.InitialThread;
00374         CreateThreadArgs->SubSystemKey = 0;
00375 
00376         CreateProcessArgs = &m.u.CreateProcessInfo;
00377         CreateProcessArgs->SubSystemKey = 0;
00378         CreateProcessArgs->FileHandle = DbgkpSectionHandleToFileHandle(
00379                                             Process->SectionHandle
00380                                             );
00381         CreateProcessArgs->BaseOfImage = Process->SectionBaseAddress;
00382         CreateThreadArgs->StartAddress = NULL;
00383         CreateProcessArgs->DebugInfoFileOffset = 0;
00384         CreateProcessArgs->DebugInfoSize = 0;
00385 
00386         try {
00387             NtHeaders = RtlImageNtHeader(Process->SectionBaseAddress);
00388             if ( NtHeaders ) {
00389                 CreateThreadArgs->StartAddress = (PVOID)(
00390                     NtHeaders->OptionalHeader.ImageBase +
00391                     NtHeaders->OptionalHeader.AddressOfEntryPoint);
00392 
00393                 CreateProcessArgs->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
00394                 CreateProcessArgs->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
00395                 }
00396             }
00397         except(EXCEPTION_EXECUTE_HANDLER) {
00398             CreateThreadArgs->StartAddress = NULL;
00399             CreateProcessArgs->DebugInfoFileOffset = 0;
00400             CreateProcessArgs->DebugInfoSize = 0;
00401         }
00402 
00403         DBGKM_FORMAT_API_MSG(m,DbgKmCreateProcessApi,sizeof(*CreateProcessArgs));
00404 
00405         PsUnlockProcess(Process);
00406 
00407         DbgkpSendApiMessage(&m,Port,FALSE);
00408         ZwClose(CreateProcessArgs->FileHandle);
00409 
00410         LoadDllArgs = &m.u.LoadDll;
00411         LoadDllArgs->BaseOfDll = PsSystemDllBase;
00412         LoadDllArgs->DebugInfoFileOffset = 0;
00413         LoadDllArgs->DebugInfoSize = 0;
00414 
00415         try {
00416             NtHeaders = RtlImageNtHeader(PsSystemDllBase);
00417             if ( NtHeaders ) {
00418                 LoadDllArgs->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
00419                 LoadDllArgs->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
00420                 }
00421             }
00422         except(EXCEPTION_EXECUTE_HANDLER) {
00423             LoadDllArgs->DebugInfoFileOffset = 0;
00424             LoadDllArgs->DebugInfoSize = 0;
00425         }
00426 
00427         //
00428         // Send load dll section for NT dll !
00429         //
00430 
00431         InitializeObjectAttributes(
00432             &Obja,
00433             &PsNtDllPathName,
00434             OBJ_CASE_INSENSITIVE,
00435             NULL,
00436             NULL
00437             );
00438 
00439         Status = ZwOpenFile(
00440                     &LoadDllArgs->FileHandle,
00441                     (ACCESS_MASK)(GENERIC_READ | SYNCHRONIZE),
00442                     &Obja,
00443                     &IoStatusBlock,
00444                     FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
00445                     FILE_SYNCHRONOUS_IO_NONALERT
00446                     );
00447 
00448         if ( NT_SUCCESS(Status) ) {
00449             DBGKM_FORMAT_API_MSG(m,DbgKmLoadDllApi,sizeof(*LoadDllArgs));
00450             DbgkpSendApiMessage(&m,Port,TRUE);
00451         }
00452         ZwClose(LoadDllArgs->FileHandle);
00453 
00454     } else {
00455 
00456         CreateThreadArgs = &m.u.CreateThread;
00457         CreateThreadArgs->SubSystemKey = 0;
00458         CreateThreadArgs->StartAddress = StartAddress;
00459 
00460         DBGKM_FORMAT_API_MSG(m,DbgKmCreateThreadApi,sizeof(*CreateThreadArgs));
00461 
00462         PsUnlockProcess(Process);
00463 
00464         DbgkpSendApiMessage(&m,Port,TRUE);
00465     }
00466 
00467 
00468 }

VOID DbgkExitProcess NTSTATUS  ExitStatus  ) 
 

Definition at line 528 of file dbgkproc.c.

References DbgkpSendApiMessage(), _EPROCESS::DebugPort, FALSE, KeQuerySystemTime(), NULL, PAGED_CODE, PsGetCurrentProcess, and PsGetCurrentThread.

Referenced by PspExitThread(). 

00534                    :
00535 
00536     This function is called when a process terminates. The address
00537     space of the process is still intact, but no threads exist in
00538     the process.
00539 
00540 Arguments:
00541 
00542     ExitStatus - Supplies the ExitStatus of the exiting process.
00543 
00544 Return Value:
00545 
00546     None.
00547 
00548 --*/
00549 
00550 {
00551     PVOID Port;
00552     DBGKM_APIMSG m;
00553     PDBGKM_EXIT_PROCESS args;
00554     PEPROCESS Process;
00555 
00556     PAGED_CODE();
00557 
00558     Process = PsGetCurrentProcess();
00559     Port = PsGetCurrentThread()->HideFromDebugger ? NULL : Process->DebugPort;
00560 
00561     if ( !Port ) {
00562         return;
00563     }
00564 
00565     if ( PsGetCurrentThread()->DeadThread ) {
00566         return;
00567     }
00568 
00569     //
00570     // this ensures that other timed lockers of the process will bail
00571     // since this call is done while holding the process lock, and lock duration
00572     // is controlled by debugger
00573     //
00574     KeQuerySystemTime(&PsGetCurrentProcess()->ExitTime);
00575 
00576     args = &m.u.ExitProcess;
00577     args->ExitStatus = ExitStatus;
00578 
00579     DBGKM_FORMAT_API_MSG(m,DbgKmExitProcessApi,sizeof(*args));
00580 
00581     DbgkpSendApiMessage(&m,Port,FALSE);
00582 
00583 }

VOID DbgkExitThread NTSTATUS  ExitStatus  ) 
 

Definition at line 471 of file dbgkproc.c.

References DbgkpResumeProcess(), DbgkpSendApiMessage(), DbgkpSuspendProcess(), _EPROCESS::DebugPort, FALSE, NULL, PAGED_CODE, PsGetCurrentProcess, PsGetCurrentThread, and TRUE.

Referenced by PspExitThread(). 

00477                    :
00478 
00479     This function is called when a new thread terminates. At this
00480     point, the thread will no longer execute in user-mode. No other
00481     exit processing has occured.
00482 
00483     If a message is sent, then while the thread is awaiting a reply,
00484     all other threads in the process are suspended.
00485 
00486 Arguments:
00487 
00488     ExitStatus - Supplies the ExitStatus of the exiting thread.
00489 
00490 Return Value:
00491 
00492     None.
00493 
00494 --*/
00495 
00496 {
00497     PVOID Port;
00498     DBGKM_APIMSG m;
00499     PDBGKM_EXIT_THREAD args;
00500     PEPROCESS Process;
00501 
00502     PAGED_CODE();
00503 
00504     Process = PsGetCurrentProcess();
00505     Port = PsGetCurrentThread()->HideFromDebugger ? NULL : Process->DebugPort;
00506 
00507     if ( !Port ) {
00508         return;
00509     }
00510 
00511     if ( PsGetCurrentThread()->DeadThread ) {
00512         return;
00513     }
00514 
00515     args = &m.u.ExitThread;
00516     args->ExitStatus = ExitStatus;
00517 
00518     DBGKM_FORMAT_API_MSG(m,DbgKmExitThreadApi,sizeof(*args));
00519 
00520     DbgkpSuspendProcess(TRUE);
00521 
00522     DbgkpSendApiMessage(&m,Port,FALSE);
00523 
00524     DbgkpResumeProcess(TRUE);
00525 }

BOOLEAN DbgkForwardException IN PEXCEPTION_RECORD  ExceptionRecord,
IN BOOLEAN  DebugException,
IN BOOLEAN  SecondChance
 

Definition at line 99 of file dbgkport.c.

References DbgkpSendApiMessage(), _EPROCESS::DebugPort, _EPROCESS::ExceptionPort, FALSE, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, PsGetCurrentProcess, PsGetCurrentThread, and TRUE.

Referenced by KiDispatchException(). 

00107                    :
00108 
00109     This function is called forward an exception to the calling process's
00110     debug or subsystem exception port.
00111 
00112 Arguments:
00113 
00114     ExceptionRecord - Supplies a pointer to an exception record.
00115 
00116     DebugException - Supplies a boolean variable that specifies whether
00117         this exception is to be forwarded to the process's
00118         DebugPort(TRUE), or to its ExceptionPort(FALSE).
00119 
00120 Return Value:
00121 
00122     TRUE - The process has a DebugPort or an ExceptionPort, and the reply
00123         received from the port indicated that the exception was handled.
00124 
00125     FALSE - The process either does not have a DebugPort or
00126         ExceptionPort, or the process has a port, but the reply received
00127         from the port indicated that the exception was not handled.
00128 
00129 --*/
00130 
00131 {
00132     PEPROCESS Process;
00133     PVOID Port;
00134     DBGKM_APIMSG m;
00135     PDBGKM_EXCEPTION args;
00136     NTSTATUS st;
00137 
00138     PAGED_CODE();
00139 
00140     args = &m.u.Exception;
00141 
00142     //
00143     // Initialize the debug LPC message with default infomaation.
00144     //
00145 
00146     DBGKM_FORMAT_API_MSG(m,DbgKmExceptionApi,sizeof(*args));
00147 
00148     //
00149     // Get the address of the destination LPC port.
00150     //
00151 
00152     Process = PsGetCurrentProcess();
00153     if (DebugException) {
00154         Port = PsGetCurrentThread()->HideFromDebugger ? NULL : Process->DebugPort;
00155 
00156     } else {
00157         Port = Process->ExceptionPort;
00158         m.h.u2.ZeroInit = LPC_EXCEPTION;
00159     }
00160 
00161     //
00162     // If the destination LPC port address is NULL, then return FALSE.
00163     //
00164 
00165     if (Port == NULL) {
00166         return FALSE;
00167     }
00168 
00169     //
00170     // Fill in the remainder of the debug LPC message.
00171     //
00172 
00173     args->ExceptionRecord = *ExceptionRecord;
00174     args->FirstChance = !SecondChance;
00175 
00176     //
00177     // Send the debug message to the destination LPC port.
00178     //
00179 
00180     st = DbgkpSendApiMessage(&m,Port,DebugException);
00181 
00182     //
00183     // If the send was not successful, then return a FALSE indicating that
00184     // the port did not handle the exception. Otherwise, if the debug port
00185     // is specified, then look at the return status in the message.
00186     //
00187 
00188     if (!NT_SUCCESS(st) ||
00189         ((DebugException) &&
00190         (m.ReturnedStatus == DBG_EXCEPTION_NOT_HANDLED || !NT_SUCCESS(m.ReturnedStatus)))) {
00191         return FALSE;
00192 
00193     } else {
00194         return TRUE;
00195     }
00196 }
}

VOID DbgkMapViewOfSection IN HANDLE  SectionHandle,
IN PVOID  BaseAddress,
IN ULONG  SectionOffset,
IN ULONG_PTR  ViewSize
 

Definition at line 586 of file dbgkproc.c.

References DbgkpSectionHandleToFileHandle(), DbgkpSendApiMessage(), _EPROCESS::DebugPort, EXCEPTION_EXECUTE_HANDLER, KernelMode, NULL, PAGED_CODE, PsGetCurrentProcess, PsGetCurrentThread, RtlImageNtHeader(), and TRUE.

Referenced by NtMapViewOfSection(). 

00595                    :
00596 
00597     This function is called when the current process successfully
00598     maps a view of an image section. If the process has an associated
00599     debug port, then a load dll message is sent.
00600 
00601 Arguments:
00602 
00603     SectionHandle - Supplies a handle to the section mapped by the
00604         process.
00605 
00606     BaseAddress - Supplies the base address of where the section is
00607         mapped in the current process address space.
00608 
00609     SectionOffset - Supplies the offset in the section where the
00610         processes mapped view begins.
00611 
00612     ViewSize - Supplies the size of the mapped view.
00613 
00614 Return Value:
00615 
00616     None.
00617 
00618 --*/
00619 
00620 {
00621 
00622     PVOID Port;
00623     DBGKM_APIMSG m;
00624     PDBGKM_LOAD_DLL LoadDllArgs;
00625     PEPROCESS Process;
00626     PIMAGE_NT_HEADERS NtHeaders;
00627 
00628     PAGED_CODE();
00629 
00630     Process = PsGetCurrentProcess();
00631 
00632     Port = PsGetCurrentThread()->HideFromDebugger ? NULL : Process->DebugPort;
00633 
00634     if ( !Port || KeGetPreviousMode() == KernelMode ) {
00635         return;
00636     }
00637 
00638     LoadDllArgs = &m.u.LoadDll;
00639     LoadDllArgs->FileHandle = DbgkpSectionHandleToFileHandle(SectionHandle);
00640     LoadDllArgs->BaseOfDll = BaseAddress;
00641     LoadDllArgs->DebugInfoFileOffset = 0;
00642     LoadDllArgs->DebugInfoSize = 0;
00643 
00644     try {
00645         NtHeaders = RtlImageNtHeader(BaseAddress);
00646         if ( NtHeaders ) {
00647             LoadDllArgs->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
00648             LoadDllArgs->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
00649             }
00650         }
00651     except(EXCEPTION_EXECUTE_HANDLER) {
00652         LoadDllArgs->DebugInfoFileOffset = 0;
00653         LoadDllArgs->DebugInfoSize = 0;
00654     }
00655 
00656     DBGKM_FORMAT_API_MSG(m,DbgKmLoadDllApi,sizeof(*LoadDllArgs));
00657 
00658     DbgkpSendApiMessage(&m,Port,TRUE);
00659     ZwClose(LoadDllArgs->FileHandle);
00660 
00661 }

VOID DbgkUnMapViewOfSection IN PVOID  BaseAddress  ) 
 

Definition at line 664 of file dbgkproc.c.

References DbgkpSendApiMessage(), _EPROCESS::DebugPort, KernelMode, NULL, PAGED_CODE, PsGetCurrentProcess, PsGetCurrentThread, and TRUE.

Referenced by MmUnmapViewOfSection(). 

00670                    :
00671 
00672     This function is called when the current process successfully
00673     un maps a view of an image section. If the process has an associated
00674     debug port, then an "unmap view of section" message is sent.
00675 
00676 Arguments:
00677 
00678     BaseAddress - Supplies the base address of the section being
00679         unmapped.
00680 
00681 Return Value:
00682 
00683     None.
00684 
00685 --*/
00686 
00687 {
00688 
00689     PVOID Port;
00690     DBGKM_APIMSG m;
00691     PDBGKM_UNLOAD_DLL UnloadDllArgs;
00692     PEPROCESS Process;
00693 
00694     PAGED_CODE();
00695 
00696     Process = PsGetCurrentProcess();
00697 
00698     Port = PsGetCurrentThread()->HideFromDebugger ? NULL : Process->DebugPort;
00699 
00700     if ( !Port || KeGetPreviousMode() == KernelMode ) {
00701         return;
00702     }
00703 
00704     UnloadDllArgs = &m.u.UnloadDll;
00705     UnloadDllArgs->BaseAddress = BaseAddress;
00706 
00707     DBGKM_FORMAT_API_MSG(m,DbgKmUnloadDllApi,sizeof(*UnloadDllArgs));
00708 
00709     DbgkpSendApiMessage(&m,Port,TRUE);
00710 
00711 }
}

Generated on Sat May 15 19:43:23 2004 for test by doxygen 1.3.7