Is it possible to 'peek' at the stack enough to deduce, perhaps by mapping an address to the debug .map file or something, what the calling function is programmatically?
I have a function that is called from a ton of different places, and basically if possible I would like to be able to programmatically log out who called the function so that I can trace the progression of parameter values over time, and be able to connect them back to where they may be going wrong. I could add a parameter so that the caller must provide a user string or something, but I'd like to do something less intrusive if it's possible.
GCC has features for this, such as __builtin_return_address (see http://gcc.gnu.org/onlinedocs/gcc/Return-Address.html). They should be used only for debugging or special testing purposes and not as part of production code.
You can generate MiniDump files using windows API and load them later in the debugger and if symbols are available you should be able to debug the crash and investigate values of variables.
Related
If you set a breakpoint in the debugger over a function ptr, you will see the name of the assembly included in the inspector panel. This seems to work for all function objects including lambdas.
You may see something like this;
Func=0x00FF00FF00{UE4Editor-Game.dll!<lambda_4b5336d9060965465490645>::<lambda_invoker_cdecl>}
Question; How would one programmatically obtain a string containing the assembly information given here, using the function pointer Func and functions that are available a Windows development environment?
For the given example I would call something like this;
const char* details = GetFunctionAssemblyString(Func);
The most important part I would like to obtain is this; UE4Editor-Game.dll However the full string might also be interesting...
This is for development tools only, and not-intended to be cross platform, so using windows specific functions is acceptable. I have access to the debug database .pdb.
Cheers
Note that 'assembly' is a term that is limited to .net, it indicates an image file (whether exe or dll or otherwise) that has attached metadata. For native contexts the analogous term is 'module', a module may or may not have symbol names available but is likely not going to have more than that in the usual case. Note that there may possibly be debugging information but that can be removed and the module will continue to work, the same is not the case if the metadata were removed from a .net assembly.
All of that being said, you can use the Debug Help Library to get as much information about a native process as is available. Note that comments in SymInitialize make it sound like it is not feasible for a process to load information about itself. Once you have initialized dbghelp for a particular process you could use SymFromAddr to get the name associated with a particular address and then SymGetModuleInfo64 to get information for the module containing that address.
I use C++ to address the following task:
I'd like to get the list of all API functions, which are used by the particular process. It can be any Windows 7 process - 32 or 64 including system processes.
So far, the only solution I see - is to create a kernel driver to intercept all possible APIs, listen them for some time and check if particular process called them. It won't guarantee me full list of APIs of that process, but at least will give me some of them.
This method looks dangerous and not effective.
If there is any simpler way to deal with that task? If there is a way to get a full list of APIs of the process, not just the ones called during some time?
Thank you.
No, it's not possible, at least in any meaningful or general sense.
I can write a program that (for example) takes interactive input from the user in the form of a string, then uses GetProcAddress to find the address of a function by that name, and invokes that function.
Note that although using interactive input to read function names is fairly unusual, reading them from some external file is quite a bit more common.
Also note that a kernel driver isn't really the correct place to look either. If you want to do this, you want to intercept at the level of the DLLs used by the program.
One possibility is to create a "shadow" DLL for every DLL to which the program links statically. Then if it calls LoadLibrary/GetProcAddress, you can dynamically intercept those calls to determine what functions it's calling in them, and so on.
This still won't get an absolute result, since it could (as outlined above) get data at runtime to find functions in one execution that it doesn't use in another.
If you want an existing tool to do (approximately) that, consider depends.exe. It's been around for quite a while, and works quite well.
I am trying to debug a crash dump and I want to check the value of some variable on the stack. Problem is some methods have been inlined in the release build but I want to dump the variables (dv) of this.
If I go to the stack frame and do a dv command it shows me all variables for that particular function but not those within the inlined call.
I can do a uf (unassmeble function) command to see the assembly code but its a lot of work figuring things out.
It is not generally possible in an optimized build.
The optimizer might decide not to allocate memory to a variable, so studying the assembly code to figure out which register is the variable in is the only way.
Furthermore, if "Omit frame pointers" switch is on, the debugger wouldn't correctly show any variable allocated on stack.
You may try to add code to log variables you're interested in into a file.
You're going to have to figure this out through disassembly, unfortunately. If you're not already comfortable with this then it's as good a time as any to start practicing, it's a valuable skill to have for debugging tough problems.
Also, while it doesn't help you now, the PDB file format generated by Visual Studio 2012 now does a better job of tracking inline functions. Thus, in the future this particular situation should be mitigated in most cases. You can read more about the feature here:
http://dotnet.dzone.com/news/debugging-optimized-code
Currently, I have a C++ exe project, which dynamic load N DLLs.
Those DLLs will perform calling to the functions which is re-inside exe project.
Now, within my exe project, I wish to know the callers are coming from which DLLs.
Is it possible to do so using any available Windows API?
It depends on what your actual goal is. You cannot do it if you're expecting the DLLs to be possibly malicious (that is, if you're expecting them to try to trick you). But if it's just for debugging or logging or something relaitvely harmless like that, you can look at the stack and get the address that the ret instruction will use to return to the caller, enumerate through the loaded DLLs and test which of them that address is inside of.
To get the "return address", you can use the _ReturnAddress intrinsic in Visual C++, and then you can use the GetModuleHandleEx function, passing in GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS to get a handle to the DLL that the address is inside of.
But I must repeat: you cannot base security decisions off the results of this test. It is very easy for malicious code to fake and "trick" your program into thinking it's a "trusted" or "safe" DLL. As I said, if it's just for debugging or logging or something, then go right ahead.
Also, this will obviously only tell you the DLL the immediate caller is inside of. You can't do it if you're 5 levels deep or something....
If you have given the same callback to multiple DLL's, then it is up to them to provide you with information about who's who. Most API callback have a parameter you can pass to the callback. If this is so for your callbacks, you can use this to identify the DLLs.
It probably isn't possible considering that the call stack will come back down to your exe anyway.
EDIT: By the look of your post, is this a hypothetical situation?
Is this helpful? Check the parameter 'GetModuleBaseRoutine'
If you're architecting the exe, and you're not assuming the DLL's are hostile (see Dean's answer), you might be able to achieve the effect by providing each DLL with a different set of pointers for the callback functions, which each in-turn forward to the actual callback functions. You could then associate the calls with the calling DLL, based on which pass-through callback was actually called.
Of course, this assumes you're providing the callback addresses to the DLL's, but presumably this would be the normal design for an application where a DLL called back into the calling exe. It won't work if the DLL is mucking around in your process memory for internal functions, of course, but then you're probably into the hostile situation.
I have the following question and from a systems perspective want to know how to achieve this easily and efficiently.
Given a task 'abc' that has been built with debug information and a global variable "TRACE" that is normally set to 0, I would like to print out to file 'log' the address of each function that is called between the time that TRACE is set to 1 and back again to 0.
I was considering doing this through a front-loading / boot-strapping task that I'd develop which looks at the instructions for a common pattern of jump/frame pointer push, writing down the address and then mapping addresses to function names from the symbolic debug information in abc. There could be better system level ways to do this without a front-loader though, and I'm not sure what is most feasible.
Any implemented techniques out there?
One possibility is to preprocess the source before compiling it. This preprocessing would add code at the beginning of each function that would check the TRACE global and, if set, write to the log. As Mystagogue said, the compiler has preprocessor macros that expand to the name of the function.
You might also look at some profiling tools. Some of them have functionality close to what you're asking for. For example, some will sample the entire callstack periodically, which can tell you a lot about the code flow without actually logging every call.
Looking for a common prologue/epilogue won't work in the presence of frame-pointer omission and tail call optimization. Also, modern optimizers like to split functions into several chunks and merge common tail chunks of different functions.
There is no standard solution.
For Microsoft compiler, check out _penter and _pexit hooks. For GCC, look at -finstrument-functions option and friends.
Also, on x86 Windows you can use a monitor such as WinApiOverride32. It's primarily intended for monitoring DLL and system API calls, but you can generate a description file from your application's map file and monitor internal functions as well.
(Edited: added link to GCC option.)
Make sure you've looked into the __func__ or __FUNCTION__ predefined identifiers. They provide a string literal of the function/method name you are currently executing.