com - 在 windbg 脚本中获取 System.__ComObject 的 RCW 值
问题描述
我正在尝试编写一个 Windbg 脚本,其中我在一个文件中有 1k 个地址。对于每个地址,偏移处0x30
是一个 COM 对象。
我想从 COM 对象中获取所有本机指针。我知道如何手动操作,如下所示。我在脚本中迭代它时遇到了麻烦。
从 a System.__ComObject
,!do <comobject>
给RCW: in text
. 倾倒RCW
使用!DumpRCW
给了我IUnknown pointer
我需要的东西。
Name: System.__ComObject
MethodTable: 00007ffcf2941330
EEClass: 00007ffcf22264b0
RCW: 000001d3634f3460
Size: 32(0x20) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffcf2949de8 40005b2 8 System.Object 0 instance 0000000000000000 __identity
00007ffcf294d1f8 400045c 10 ...ections.Hashtable 0 instance 0000000000000000 m_ObjectToDataMap
0:000> !DumpRCW /d 000001d35a9e0d70
Managed object: 000001d37976a708
Creating thread: 000001d35d552a60
IUnknown pointer: 000001d31e63ce28
COM Context: 000001dffecab0f8
Managed ref count: 1
IUnknown V-table pointer : 00007ffcd3f0edb8 (captured at RCW creation time)
Flags:
COM interface pointers:
IP Context MT Type
000001d31e63ce20 000001dffecab0f8 00007ffc949869c0 NativeClass.ClassX
000001d31e63ce28 000001dffecab0f8 00007ffc949868e0 NativeClass.ClassX
对于脚本,问题是:
如何从使用脚本中获取RCW
价值?ComObject
中的字段System.__ComObject
为空。
我到目前为止的脚本:
0:000> .foreach /f ( obj "d:\windbg\debug1.allmanagedtxs.small.txt") { .printf "%p\n", obj; !do poi(${obj}+0x30) }
000001d378daa6d8
Name: System.__ComObject
MethodTable: 00007ffcf2941330
EEClass: 00007ffcf22264b0
RCW: 000001d3634f3460
Size: 32(0x20) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffcf2949de8 40005b2 8 System.Object 0 instance 0000000000000000 __identity
00007ffcf294d1f8 400045c 10 ...ections.Hashtable 0 instance 0000000000000000 m_ObjectToDataMap
000001d37976a728
Name: System.__ComObject
MethodTable: 00007ffcf2941330
EEClass: 00007ffcf22264b0
RCW: 000001d35a9e0d70
Size: 32(0x20) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffcf2949de8 40005b2 8 System.Object 0 instance 0000000000000000 __identity
00007ffcf294d1f8 400045c 10 ...ections.Hashtable 0 instance 0000000000000000 m_ObjectToDataMap
解决方案
我讨厌解析字符串 :) 但这里又是一个解析字符串的方法,它在实时会话中调整它以从文件中解析
/// <reference path="JSProvider.d.ts" />
function log(x) {
host.diagnostics.debugLog(x + "\n")
}
function exec(cmdstr) {
return host.namespace.Debugger.Utility.Control.ExecuteCommand(cmdstr);
}
function rcw(first) {
var obs = exec("!DumpHeap -short -type System.__ComObject")
for (i of obs) {
var cstr = "!do -nofields " + i
foo = exec(cstr)
for (j of foo) {
if (j.includes("RCW") == true) {
blah = exec("!DumpRCW " + j.substr(j.lastIndexOf(" ") + 1))
for (k of blah) {
if (k.includes("IUnknown pointer") == true) {
log(k)
}
}
}
}
}
}
在实时目标上执行此操作
.load jsprovider
.scriptload foo.js
0:007> dx @$scriptContents.rcw()
IUnknown pointer: 00000227da903bf0
IUnknown pointer: 00000227da73e618
IUnknown pointer: 00000227da73dd10
IUnknown pointer: 00000227f4a765f0
IUnknown pointer: 00000227f4a77888
IUnknown pointer: 00000227f4a74ea0
@$scriptContents.rcw()
实际 clickety 点击通知 3bf0
0:007> !DumpHeap -short -type System.__ComObject
00000227dc23b218
00000227dc23f620
00000227dc23f640
00000227dc25e7d0
00000227dc25faa0
00000227dc25fac0
0:007> !DumpObj /d 00000227dc23b218
Name: System.__ComObject
MethodTable: 00007ffda24adad8
EEClass: 00007ffda2492608
RCW: 00000227da7450e0
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffda2518948 40005b8 8 System.Object 0 instance 0000000000000000 __identity
00007ffda251bb18 4000462 10 ...ections.Hashtable 0 instance 0000000000000000 m_ObjectToDataMap
0:007> !DumpRCW /d 00000227da7450e0
Managed object: 00000227dc23b218
Creating thread: 00000227da6e30b0
IUnknown pointer: 00000227da903bf0
COM Context: 00000227da72c668
Managed ref count: 1
IUnknown V-table pointer : 00007ffdc3252190 (captured at RCW creation time)
Flags:
COM interface pointers:
IP Context MT Type
00000227da903bf0 00000227da72c668 00007ffd4a1b5c88 TestDispatchUtility.DispatchUtility+IDispatchInfo
顺便说一句,使用的二进制文件来自这里
推荐阅读
- vb.net - 从 VB.NET 中的 Oracle Update 语句返回唯一 ID
- javascript - 从 js 数组中删除公共对象并创建新的 js 数组
- spring-boot - findAll() 上的 @NamedEntityGraphs
- import - Shopify 导入 csv 产品
- .net - How to make a specific cell in Janus GridEx to be not editable
- javascript - Vue 道具未定义
- delphi - TPopupMenu 作为子组件,不起作用
- vim - 仅使用 VIM 命令创建 python 注释字符串
- reactjs - react-native-router-flux - 首次加载后未收到任何选项卡更改事件
- c - C子进程没有收到SIGINT信号