addresses? Here’s an example of what I’d like to do –
I want to know when ssonsvr.exe has terminated. To do this, I want to
monitor writes to the Type field of the object header of the process object.
I can manually do this with the following WinDbg commands:
First, getting the EPROCESS address of ssonsvr.exe –
kd> !process 0 0 ssonsvr.exe
PROCESS 85d1a020 SessionId: 0 Cid: 094c Peb: 7ffde000 ParentCid: 0910
DirBase: 24240560 ObjectTable: e1047890 HandleCount: 24.
Image: ssonsvr.exe
The number after the string ‘PROCESS’ is the _EPROCESS address that I’m
interested in. Taking that address, I can get the encapsulating object
header. (For demonstration purposes, this is done in steps but normally I’d
just take the object address and subtract 0x18 from it to get the same
result.)
First, get the encapsulating object:
kd> !object 85d1a020
Object: 85d1a020 Type: (867c6e38) Process
ObjectHeader: 85d1a008 (old version)
HandleCount: 1 PointerCount: 8
Embedded in the return string is ObjectHeader: and the following address is
where the object header is located. Using that address, we can gain access to the
kd> dt nt!_OBJECT_HEADER 85d1a008
+0x000 PointerCount : 8
+0x004 HandleCount : 1
+0x004 NextToFree : 0x00000001
+0x008 Type : 0x867c6e38 _OBJECT_TYPE
<snipped for brevity>
When Type changes then the process object is no longer valid, so I want to
set a breakpoint when this address is written to. For convenience, I’ll go
ahead and write some cosmetic space and follow that with a stack dump. This
is done with
kd> ba w4 85d1a008+8 ".echo *** end of ssonsvr ***;.echo*;kb200"
This breakpoint is the real meat of the matter. Is it possible to write a
WinDbg script that would automate the essentials of the above example?
