RE: Getting A .DMP File From ISA

  • From: "David Farinic" <davidf@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Feb 2005 18:37:09 +0100

>.."give me a hint how you"..

Yes sure... 

Sorry for the messy, quick reply, but better than nothing I guess:
 

So first, you can connect only one debugger process to one debuggee app.
Create a new console app and call DebugActiveProcess(FirewallPID).

Then set DebugSetProcessKillOnExit(FALSE), so if you exit your new
app it will not kill the firewall (kinda important). It works like that on
>=w2k3 (wXP).

On <=w2k DebugSetProcessKillOnExit(FALSE) doesn't work, and you will kill the
monitored application by stopping the application which is attached as
debugger.

Then just wait for an event from the debuggee app with WaitForDebugEvent(&de, INFINITE).

Handle events and pass them further with the function

ContinueDebugEvent(de.dwProcessId, de.dwThreadId, ContinueStatus); // example: DBG_EXCEPTION_NOT_HANDLED

Now the system will pass you events like

LOAD_DLL_DEBUG_EVENT, where you can monitor loading and unloading of your
plugin filter DLLs and check their base address etc.

There are more events which you can find in MSDN.

What's interesting for us is

EXCEPTION_DEBUG_EVENT

When this happens the monitored app is paused and you get DEBUG_EVENT &de,

from where you can get this main info:

ExceptionCode: de.u.Exception.ExceptionRecord.ExceptionCode

ThreadID: de.dwThreadId

Address: de.u.Exception.ExceptionRecord.ExceptionAddress

 

.ExceptionAddress is EIP 

So now we have the address and thread where it broke; now let's find out the
context of that thread.

We need to call

GetThreadContext(threadHandle, &dbthreadcntx) to get the context of the crashed
thread.

From DEBUG_EVENT de we don't have the threadHandle however, only the ThreadID.

Therefore you have to maintain a list of threads.

 

So on debug event CREATE_THREAD_DEBUG_EVENT you will add the thread handle
info to a dynamic array of thread handles.

 

Once you call GetThreadContext(threadHandle, &dbthreadcntx)

you have access to the crashing thread context and you can read memory
based on the context to get the stack:

 
printf("Thread ID:0x%.8X Thread Handle:0x%.8X\r\n     EIP:0x%.8X EBP:0x%.8X ESP:0x%.8X\r\n",
       ThreadInfos[i].ThreadId, ThreadInfos[i].hThread, dbthreadcntx.Eip, dbthreadcntx.Ebp, dbthreadcntx.Esp);

...
Toolhelp32ReadProcessMemory(foundPID, (BYTE *)((DWORD)dbthreadcntx.Esp), &dwarr[0], 16*4, &cbRead);

...
printf("Immediate Stack dump:\r\n   %.8X %.8X %.8X %.8X %.8X %.8X %.8X %.8X\r\n", dwarr[0], dwarr[1], dwarr[2]....
}

And based on EBP and the stack you can trace previous stack entries.

 
If any questions, contact me off list please.

 
Regards, David Farinic
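The EBP-based trace that the message ends with, as an added example (not David's code and not from any ISA tool): it walks x86 [saved EBP][return address] frames through a reader callback that stands in for Toolhelp32ReadProcessMemory on the crashed thread's CONTEXT.Ebp. The snapshot bytes, addresses and return values are constructed, so the walk runs offline on any platform.

```c
#include <inttypes.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Memory reader callback: in the real debugger this wraps ReadProcessMemory /
 * Toolhelp32ReadProcessMemory on the debuggee; here it reads a constructed snapshot. */
typedef int (*read_mem_fn)(uint32_t addr, void *out, size_t len, void *ctx);
typedef struct { uint32_t base; const uint8_t *bytes; size_t len; } snapshot_t;

static int snapshot_read(uint32_t addr, void *out, size_t len, void *ctx) {
    const snapshot_t *s = (const snapshot_t *)ctx;
    if (addr < s->base || (size_t)(addr - s->base) + len > s->len) return 0;
    memcpy(out, s->bytes + (addr - s->base), len);
    return 1;
}

/* Walk x86 EBP-chained frames: each frame is [saved EBP][return address] at the
 * address held in EBP. Stops at a null or misaligned EBP, an unreadable address,
 * or a saved EBP that does not move up the stack (cycle or corruption). */
size_t walk_frames(uint32_t ebp, read_mem_fn rd, void *ctx, uint32_t *ret_addrs, size_t max) {
    size_t n = 0;
    while (n < max && ebp != 0 && (ebp & 3) == 0) {
        uint32_t frame[2];
        if (!rd(ebp, frame, sizeof frame, ctx)) break;
        ret_addrs[n++] = frame[1];   /* return address = caller's EIP */
        if (frame[0] <= ebp) break;  /* bogus link, stop */
        ebp = frame[0];              /* saved EBP = caller's frame */
    }
    return n;
}

/* Constructed 64-byte stack snapshot at 0x0012F000 holding three EBP frames. */
static const uint32_t kStackWords[16] = {
    0xDEADBEEF, 0x0012F010, 0x10001234, 0x00000001, /* frame 0 @ 0x0012F004 */
    0x0012F020, 0x10005678, 0x00000002, 0x00000003, /* frame 1 @ 0x0012F010 */
    0x00000000, 0x7C817077, 0, 0, 0, 0, 0, 0        /* frame 2 @ 0x0012F020 */
};

/* Walk from the crashed thread's EBP (constructed value 0x0012F004). */
size_t demo_walk(uint32_t *out, size_t max) {
    snapshot_t snap = { 0x0012F000u, (const uint8_t *)kStackWords, sizeof kStackWords };
    return walk_frames(0x0012F004u, snapshot_read, &snap, out, max);
}

int main(void) {
    uint32_t ret[8];
    size_t n = demo_walk(ret, 8);
    for (size_t i = 0; i < n; i++) printf("frame %zu: return to 0x%08" PRIX32 "\n", i, ret[i]);
    return 0;
}
```

In the live debugger the same walk_frames call takes dbthreadcntx.Ebp and a callback around the process-memory read, and the return addresses can then be matched against the module base addresses collected from LOAD_DLL_DEBUG_EVENT.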
 



