This is related to my previous question, regarding pulling objects from a dmp file.
As I mentioned in the previous question, I can successfully pull objects out of the dmp file by creating wrapper 'remote' objects. I have implemented several of these so far, and it seems to be working well. However, I have run into a snag.
In one case, a pointer is stored in a class, say of type 'SomeBaseClass', but that object is actually of the type 'SomeDerivedClass' which derives from 'SomeBaseClass'. For example it would be something like this:
    MyApplication!SomeObject
       +0x000 field1 : Ptr32 SomeBaseClass
       +0x004 field2 : Ptr32 SomeOtherClass
       +0x008 field3 : Ptr32 SomeOtherClass
I need some way to find out what the ACTUAL type of 'field1' is.
To be more specific, using example addresses:
    MyApplication!SomeObject
       +0x000 field1 : 0cae2e24 SomeBaseClass
       +0x004 field2 : 0x262c8d3c SomeOtherClass
       +0x008 field3 : 0x262c8d3c SomeOtherClass

    0:000> dt SomeBaseClass 0cae2e24
    MyApplication!SomeBaseClass
       +0x000 __VFN_table : 0x02de89e4
       +0x038 basefield1 : (null)
       +0x03c basefield2 : 3

    0:000> dt SomeDerivedClass 0cae2e24
    MyApplication!SomeDerivedClass
       +0x000 __VFN_table : 0x02de89e4
       +0x038 basefield1 : (null)
       +0x03c basefield2 : 3
       +0x040 derivedfield1 : 357
       +0x044 derivedfield2 : timecode_t
When I am in WinDbg, I can do this:
    dt 0x02de89e4

And it will show the type:

    0:000> dt 0x02de89e4
    SomeDerivedClass::`vftable'
    Symbol not found.
But how do I get that inside an extension? Can I use SearchMemory() to look for 'SomeDerivedClass::`vftable'? If you follow my other question, I need this type information so I know what type of wrapper remote classes to create. I figure it might end up being some sort of case-statement, where I have to match a string to a type? I am OK with that, but I still don't know where I can get that string that represents the type of the object in question (i.e. SomeObject->field1 in the above example).
DOH! It was much simpler than I thought. The virtual function tables are simply other symbols, so I can use GetSymbol() with the address of field1's vftable. Then simply set up a case statement with the few types I expect, and create the right one for the situation.
For example:
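    char buffer[255];      // receives the symbol name for the address
    ULONG64 displacement;  // receives the offset of the address from that symbol
    // Resolve the vftable address stored at offset 0 of field1's object.
    GetSymbol(0x02de89e4, buffer, &displacement);
    dprintf("0x%08lx = %s\n", 0x02de89e4, buffer);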
In WinDbg when I run the extension this outputs:
    0x02de89e4 = MyApplication!SomeDerivedClass::`vftable'
Simple. Just have to parse that buffer and I should be good to go...
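The parsing step mentioned at the end of the answer, written out as an added example (not part of the original post). `RemoteKind`, `vftable_class_name` and `classify` are hypothetical names, and in a real extension the symbol text and displacement would be the values GetSymbol() filled in rather than string literals.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical wrapper selector; class names are the ones from the post.
enum RemoteKind { kUnknown, kSomeBaseClass, kSomeDerivedClass };

// Returns the class named by a vftable symbol, or "" if `sym` is not one.
// `sym` and `displacement` are what GetSymbol() wrote for the pointer-sized
// value read from offset 0 of the object.
std::string vftable_class_name(const std::string& sym, std::uint64_t displacement) {
    static const std::string marker = "::`vftable'";
    // Non-zero displacement: the value points into a symbol rather than at
    // the start of a vftable, so it cannot be trusted as a type tag.
    if (displacement != 0) return "";
    // The "module!" prefix is optional (dt prints the name without it).
    const std::string::size_type bang = sym.find('!');
    const std::string::size_type start = (bang == std::string::npos) ? 0 : bang + 1;
    const std::string::size_type end = sym.find(marker, start);
    if (end == std::string::npos || end == start) return "";
    // Text after the marker, such as the "{for `Base'}" suffix seen with
    // multiple inheritance, is ignored; the class name precedes the marker.
    return sym.substr(start, end - start);
}

RemoteKind classify(const std::string& sym, std::uint64_t displacement) {
    const std::string name = vftable_class_name(sym, displacement);
    if (name == "SomeDerivedClass") return kSomeDerivedClass;
    if (name == "SomeBaseClass") return kSomeBaseClass;
    return kUnknown;  // unexpected type: fall back instead of guessing
}

int main() {
    // Constructed input: the string the extension printed in the post.
    const std::string sym = "MyApplication!SomeDerivedClass::`vftable'";
    std::printf("%s -> kind %d\n", vftable_class_name(sym, 0).c_str(),
                static_cast<int>(classify(sym, 0)));
    return 0;
}
```

Checking the displacement matters when the dump comes from a crashed or corrupted process: a stale or overwritten pointer can still resolve to a nearby symbol, and treating that as a type would send the extension reading fields at the wrong offsets.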