It prints all the file names that were opened by my app. So I came up with the following command, which works on win64: bp kernelbase!CreateFileW "du /c100( k 3 gc" I learned that on x64 the four integer (or pointer) arguments are passed in the RCX, RDX, R8 and R9 registers and not put on the stack. Well, it was the first time I was playing with WinDbg scripting and I'm not an assembler guy, so it was tough :) Then I realized that it's an x64 process, and it has a very different calling convention and a different set of registers. The breakpoint hit, but I got an error: "Memory access error". I ran dotnet.exe with my ASP.NET Core app and attached WinDbg to it. Then k 3 means to show the last 3 frames of the call stack, and gc means to continue execution. Every push of an argument decreases ESP, so we increase it back to get the value of the last passed (but first in the signature) argument - it's the file name (see CreateFile). Why +4? For the WinAPI calling convention (which is actually _stdcall), arguments are passed from right to left. prints) value of the first function argument (for this we use register as it points to the top of the stack). Here we're setting a breakpoint (bp) on the function CreateFileW (the Unicode version of CreateFile) in kernelbase.dll, and when the breakpoint hits, the code in quotes is executed. I'm using this function to preserve the time stamp on downloaded files from within my app. Here it is: bp kernelbase!CreateFileW ".printf \"Opening file: \", dwo(. In the c++.windows.32-bits newsgroup Matthew Wilson wrote: HANDLE hfile = CreateFile(strFile2Touch, GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); Will using CreateFile destroy the original file? So we can understand who is responsible for creating and opening files. One of the examples was about how to set a breakpoint in the native WinAPI function CreateFileW to output the file name and call stack. One day I was watching a terrific video from the DotNext conference where Sasha Goldshtein talked about using WinDbg.
WinDbg: how to set a breakpoint at Win32 CreateFile for a win64 process