How can I get type information at runtime from a DMP file in a Windbg extension?

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by pj4533 on Stack Overflow See other posts from Stack Overflow or by pj4533
Published on 2010-04-06T21:22:30Z Indexed on 2010/04/06 23:53 UTC
Read the original article Hit count: 248

Filed under:
|
|
|
|

This is related to my previous question, regarding pulling objects from a dmp file.

As I mentioned in the previous question, I can successfully pull object out of the dmp file by creating wrapper 'remote' objects. I have implemented several of these so far, and it seems to be working well. However I have run into a snag.

In one case, a pointer is stored in a class, say of type 'SomeBaseClass', but that object is actually of the type 'SomeDerivedClass' which derives from 'SomeBaseClass'. For example it would be something like this:

MyApplication!SomeObject
   +0x000 field1            : Ptr32 SomeBaseClass
   +0x004 field2            : Ptr32 SomeOtherClass
   +0x008 field3            : Ptr32 SomeOtherClass

I need someway to find out what the ACTUAL type of 'field1' is.

To be more specific, using example addresses:

MyApplication!SomeObject
   +0x000 field1            : 0cae2e24 SomeBaseClass
   +0x004 field2            : 0x262c8d3c SomeOtherClass
   +0x008 field3            : 0x262c8d3c SomeOtherClass

0:000> dt SomeBaseClass 0cae2e24 
MyApplication!SomeBaseClass
   +0x000 __VFN_table : 0x02de89e4 
   +0x038 basefield1         : (null) 
   +0x03c basefield2        : 3

0:000> dt SomeDerivedClass 0cae2e24 
MyApplication!SomeDerivedClass
   +0x000 __VFN_table : 0x02de89e4 
   +0x038 basefield1        : (null) 
   +0x03c basefield2        : 3
   +0x040 derivedfield1     : 357
   +0x044 derivedfield2     : timecode_t

When I am in WinDbg, I can do this:

dt 0x02de89e4

And it will show the type:

0:000> dt 0x02de89e4 
SomeDerivedClass::`vftable'
Symbol  not found.

But how do get that inside an extension? Can I use SearchMemory() to look for 'SomeDerivedClass::`vftable'? If you follow my other question, I need this type information so I know what type of wrapper remote classes to create. I figure it might end up being some sort of case-statement, where I have to match a string to a type? I am ok with that, but I still don't know where I can get that string that represents the type of the object in question (ie SomeObject->field1 in the above example).

© Stack Overflow or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about WinDbg

Related posts about memory-dump

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle