2

Im using the following code to load a DLL from the memory onto another running executable. debugging the following module with the common methods wont work as the debugger is unable to locate the appropriate PDB files, not to mention make it aware that the DLL was actually loaded to the process. i managed to set it somehow working with windbg by:

  1. specifying the debugger where the module is located in the memory and its length using .reload [DLLLocationInMemory]=0x10000000,[DllSizeInMemory]a48194
  2. re-arranging the symbols server .sympath SRV*C:\Symbols\MS\*http://msdl.microsoft.com/download/symbols;c:\mySpecialSymbolsDir
  3. running the show

doing so each debugging iteration is quite annoying, i was wondering if something similar could be done using visual studio's debugging window(especially step #1).

igal k
  • 1,883
  • 2
  • 28
  • 57
  • The question is not very clear to me. You have solved it in WinDbg, but since that's too annoying, you're now looking for a solution in VS? Is that right? What about a solution which for WinDbg that gets rid of step 1 and 2? Would that make an answer? – Thomas Weller Apr 21 '15 at 18:55
  • @ThomasWeller, By annoying i mean that executing both steps 1 & 2 each debugging iteration makes the entire debugging process exhausting, i need to find where the 'DLL' is loaded, then to reload the deubgged process again, load all symbols and run it once again, and yes, anything that would simplify the debugging process would help. – igal k Apr 22 '15 at 06:37
  • When you do `.reload Mod=Addr,Size` you **do not** "load all symbols", but rather the symbols for the module you specified, and you **certainly do not** "reload the deubgged process again". Whoever sent you this way should have explained that in WinDbg every command does a thousand things, and the fact that a command's name is [`.reload`](https://msdn.microsoft.com/en-us/library/windows/hardware/ff564805%28v=vs.85%29.aspx) does not actually mean that every invocation of it causes reloading of something. There's even `.reload /u` to **unload** modules. `.reload` is just a name. – conio Apr 22 '15 at 10:26

2 Answers2

1

You can run .imgscan /l to find all modules in memory and de-facto .reload them.

(What this meta-command basically does is search for “MZ” on all page-aligned addresses. For every “MZ” it finds, it tries to interpret the data starting at this address as a DOS_IMAGE_HEADERS struct, takes the e_lfanew field of the struct, goes to where it points and assumes there’s a PE header (NT_IMAGE_HEADER) there. Then it goes to the SizeOfImage field of the IMAGE_OPTIONAL_HEADER part of the PE header. Then it calls .reload ModName=AddressOfFoundMZ,SizeOfImage. I’m not sure whether or not you’ll get a meaningful name for a module loaded the way you load them.)

You symbol path should be a part of a workspace or set in the environment variable _NT_SYMBOL_PATH (or use a command-line parameter for WinDbg as Thomas suggested). This is true regardless of whether you debug a DLL loaded normally or in the way do, and regardless of whether you use Visual Studio or WinDbg.

I very much doubt that's possible in Visual Studio. I know of no such option in the Modules Windows in Visual Studio, and given that Visual Studio by design does not allow loading mismatched symbols I don't see it allowing you to declare "well, you see this memory region - assume that's a DLL there..."; that's exactly what WinDbg is for.

Thomas Weller
  • 55,411
  • 20
  • 125
  • 222
conio
  • 3,681
  • 1
  • 20
  • 34
0

Although your title says "Visual Studio", in your question and in the comments, you mentioned that a WinDbg solution would also help, if the process can be automated. So this is a WinDbg answer.

Symbol path

WinDbg knows the concept of workspaces. You won't get it until you read and exercise Uncovering how Workspaces work with WinDbg [MSDN blogs]. Once you know how they work, set up the base workspace to include your favorite symbol path.

Once you're satisfied with the workspace, create a link for WinDbg to include -Q: suppress the annoying "Save workspace?" question.

As an alternative, you can pass the symbol path using the -y <SymbolPath> command line switch.

Or, if the command is just too long, use the shorter and more comprehensive form

.sympath c:\mySpecialSymbolsDir
.symfix+ C:\Symbols\MS\

Running commands at startup

To run a command at the start of WinDbg, use -c "<command>". This should e.g. be fine for a .reload. If you want to run many commands or complex commands (especially when quotation marks are involved), look into Run script file [MSDN].

Other

Depending on whether you're doing live debugging or crash dump analysis, you might want to use more WinDbg command line options [MSDN].

Things that could be useful in your situation:

-pn <name>: Debug a process by name
-<executable>: Start the executable instead of attaching.   
-z <dump>: Debug a dump file
-srcpath <path>: Path to your sources
Thomas Weller
  • 55,411
  • 20
  • 125
  • 222
  • None of this relates to the basic problem of getting the address and size of the module OP injects into the process. Telling him that he can give the debugger `-c ".reload …"` is pointless as he **still** has to find the address and size. It’s better in no way than entering this command inside the debugger. – conio Apr 23 '15 at 16:03
  • @conio: where did he say that it is a problem finding the base address? He said "I need to find where the 'DLL' is loaded" but he didn't say he doesn't know *how* to do it. In fact he wrote "I managed to set it somehow working", which means he knows the needed commands. All there is left is to run those commands when starting the debug session. – Thomas Weller Apr 23 '15 at 21:26
  • Exactly. he said “I need to find” and not, “I automated the find process and need to enter what I find”. Typing `WinDbg -c “.reload …”` is no shorter than typing `WinDbg` and in the command window `.reload …`. Even assuming the base address is the same, the size might change between builds, so he still needs to find (in an unspecified way, which you answer doesn not help with) and then manually enter - whether when running the process from a textual shell or in the WinDbg command window - the address and size. – conio Apr 24 '15 at 11:09
  • And though it seems pretty obvious to me that “I need to find” is different from “I need to enter what I already have found” you can also read between the lines: Assuming OP doesn’t know about workspaces, `-c`, etc. why oh why is he interested "especially step #1”? It’s not because #1 has more characters to type than #2. **Obviously**. It’s because OP knows how to copy-paste and can do it with step #2, but needs to find the correct address and size every time for #1, and there copy-paste doesn’t help him. – conio Apr 24 '15 at 11:14