rodneyviana / netext

WinDbg extension for data mining managed heap. It also includes commands to list http request, wcf services, WIF tokens among others
http://blogs.msdn.microsoft.com/rodneyviana

How to select a variable in !wfrom when multiple variables have the same name #8

Closed freaksterrao closed 4 years ago

freaksterrao commented 5 years ago

So I have a base class that has a private member variable that is an AutoResetEvent, and I have another variable in the child class that is a Guid array that shares the same name as the base variable after obfuscation.

Is there a way to select the child variable in !wfrom? Currently the parent variable is always selected. My current command is (d is the variable name):

```
!wfrom -nofield -nospace -obj 57EDDF3C select d
```

(this returns the parent member to me)

Since this was not working, I saw that the variable is at offset 50. So I tried:

```
!wfrom -nofield -nospace -obj 57EDDF3C select $addr()+50
```

But this gave a random memory address. Is there any way I can fetch the member variable other than manually doing a !wdo or !do on the class address?

rodneyviana commented 5 years ago

freaksterrao,

Please show me, with !wdo, which field(s) you want to display.

Thanks,

Rodney

freaksterrao commented 5 years ago

netext !wdo command: (screenshot)

The same using the SOSEX !mdt command: (screenshot)

As you can see, I want to select d, which is a System.Guid[]. But the d which is a System.Threading.AutoResetEvent is selected, since it's the first to be listed.

rodneyviana commented 5 years ago

Sorry for the delay. In this case, you use the offset (+50) plus the size of the word (4 bytes for 32-bit and 8 for 64-bit). To use your example:

```
!wfrom -nofield -nospace -obj 57EDDF3C+50+4 select $dbgrun("dt KERNELBASE!_GUID poi("+$tohexstring($addr())+")")
{3d705aeb-61b1-4287-ae07-0dc81ff8a7c8}
   +0x000 Data1 : 0x3d705aeb
   +0x004 Data2 : 0x61b1
   +0x006 Data3 : 0x4287
   +0x008 Data4 : [8] "???"
```

Or:

```
!wfrom -nofield -nospace -obj 57EDDF3C+50+4 select $split($dbgrun("dt KERNELBASE!_GUID poi("+$tohexstring($addr())+")"),"\n",0)
{3d705aeb-61b1-4287-ae07-0dc81ff8a7c8}
```

Notice that if it were a GUID instead of an array (GUID[]) you should have used this:

```
0:000> !wfrom -nofield -nospace -obj 57EDDF3C+50+4 select $split($dbgrun("dt KERNELBASE!_GUID "+$tohexstring($addr())),"\n",0)
{3d705aeb-61b1-4287-ae07-0dc81ff8a7c8}
```
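The address arithmetic in the reply above (object address, plus the field offset !wdo lists, plus one pointer-sized word; then poi() to follow the reference; then reading the 16 GUID bytes the way `dt _GUID` does) can be checked outside the debugger. The following is an added Python example, not netext code and not from this thread: it builds a constructed 32-bit memory image in which an object at 57EDDF3C has field d at offset 0x50 referencing a Guid[] whose first element is {3d705aeb-61b1-4287-ae07-0dc81ff8a7c8}. The array address (0x57EDE100), the fake method-table pointers and the array layout used to find the first element (method-table pointer, 32-bit length, then elements) are assumptions for the illustration.

```python
import struct
import uuid

WORD = 4                    # 32-bit target, as in the issue; use 8 for a 64-bit dump
OBJ_ADDR = 0x57EDDF3C       # the -obj address from the issue
FIELD_OFFSET = 0x50         # offset !wdo reported for field d
ARRAY_ADDR = 0x57EDE100     # assumed address of the Guid[] (constructed, not from a dump)
FIRST_GUID = "3d705aeb-61b1-4287-ae07-0dc81ff8a7c8"


class TargetMemory:
    """Flat byte image standing in for the debuggee's address space."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def read(self, addr, n):
        off = addr - self.base
        return bytes(self.buf[off:off + n])

    def poi(self, addr):
        """WinDbg poi(): read one pointer-sized little-endian word at addr."""
        fmt = "<I" if WORD == 4 else "<Q"
        return struct.unpack(fmt, self.read(addr, WORD))[0]


def field_address(obj, offset, word):
    """Address of a field: object address + listed offset + one word, as in the reply."""
    return obj + offset + word


def dt_guid(raw):
    """Split 16 raw bytes the way `dt _GUID` does: Data1/2/3 little-endian, Data4 as raw bytes."""
    d1, d2, d3, d4 = struct.unpack("<IHH8s", raw)
    return {"Data1": d1, "Data2": d2, "Data3": d3, "Data4": d4}


def guid_string(raw):
    """Registry-style {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} text from the in-memory bytes."""
    return "{%s}" % uuid.UUID(bytes_le=raw)


def read_guid_array_element(mem, obj, offset, index):
    """Follow field `d` to the Guid[] and decode element `index`.

    Assumes the CLR array layout: method-table pointer, length, then elements.
    """
    array = mem.poi(field_address(obj, offset, WORD))
    element = array + 2 * WORD + 16 * index
    return guid_string(mem.read(element, 16))


def build_sample_memory():
    """Constructed image: object at OBJ_ADDR whose field d references a Guid[1]."""
    mem = TargetMemory(OBJ_ADDR, 0x200)
    ptr_fmt = "<I" if WORD == 4 else "<Q"
    # object: fake method-table pointer at +0, field d after offset 0x50 + one word
    mem.write(OBJ_ADDR, struct.pack(ptr_fmt, 0x0A0B0C0D))
    mem.write(field_address(OBJ_ADDR, FIELD_OFFSET, WORD), struct.pack(ptr_fmt, ARRAY_ADDR))
    # array: fake method-table pointer, 32-bit length, then the one Guid element
    mem.write(ARRAY_ADDR, struct.pack(ptr_fmt, 0x0E0F1011))
    mem.write(ARRAY_ADDR + WORD, struct.pack("<I", 1))
    mem.write(ARRAY_ADDR + 2 * WORD, uuid.UUID(FIRST_GUID).bytes_le)
    return mem


if __name__ == "__main__":
    m = build_sample_memory()
    addr = field_address(OBJ_ADDR, FIELD_OFFSET, WORD)
    print("field d at %08X -> Guid[] at %08X" % (addr, m.poi(addr)))
    raw = m.read(m.poi(addr) + 2 * WORD, 16)
    for name, value in dt_guid(raw).items():
        print("  %s : %s" % (name, value if isinstance(value, bytes) else hex(value)))
    print(read_guid_array_element(m, OBJ_ADDR, FIELD_OFFSET, 0))
```

The point of `dt_guid` is the mixed byte order: Data1, Data2 and Data3 are little-endian integers while Data4 is stored as-is, which is why `uuid.UUID(bytes_le=...)` (rather than `bytes=`) reproduces the text WinDbg prints.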

rodneyviana commented 4 years ago

Closing for lack of activity. Please reopen if help is still needed.