How to extend the set of APIs visible to the logexts extension of windbg/cdb/ntdb?

开发者 https://www.devze.com 2023-02-04 05:50 Source: web

I trace certutil using the following cdb script (named TraceScript.txt):

!logexts.loge c:\logs
!logexts.logc e *
!logexts.logo d d
!logexts.logo d t
!logexts.logo e v
g
!logexts.logb f
q

and the following batch file (named trace.cmd):

@echo off
set SYMBOL_PATH=srv*c:\users\markk\appdata\local\temp\symbolcache
cdb -y %SYMBOL_PATH% -cf c:\utils\TraceScript.txt %*

All is fine, but I have noticed the following line in the output:

[LogHookComInterface] Interface {7a18edde-7e78-4163-8ded-78e2c9cee924} is unknown -- not logging.

Where the GUID corresponds to the following registry path:

HKEY_CLASSES_ROOT\Interface\{7A18EDDE-7E78-4163-8DED-78E2C9CEE924}

which in turn corresponds to the ICertConfig2 interface. Seems relevant, doesn't it?

Anyway, I am wondering whether it is possible to make this interface visible to the logger, because without it all the logging is useless. How do I know? The logger reports a single invocation of the CoCreateInstance API with the GUID 372FCE38-4324-11D0-8810-00A0C903B83C, which corresponds to the CertConfig class, which I guess implements the ICertConfig2 interface. No other certificate-related APIs appear in the log. So without the ICertConfig2 interface the log is useless.

Any ideas?

P.S.

I will gladly accept ways to trace the ICertConfig2 COM API.


Take a look at the files under (path to windbg)\winext\manifest.

The files there contain the definitions used by the logger extension. com.h contains definitions for interfaces.

uuid.h contains the mapping from GUIDs to interfaces.

You will need to convert the definition of ICertConfig2 to the format used by the tool.
