vbox的更動 57125 路徑 trunk/src/VBox/Debugger

時間撮記:

2015-7-30 上午10:16:39 (9 年 以前)

作者:

vboxsync

訊息:

DBGPlugInWinNt.cpp: With windows 10/AMD64 there is more kernel space that needs searching.

檔案:

• trunk/src/VBox/Debugger/DBGPlugInWinNt.cpp (修改) (6 筆差異)

trunk/src/VBox/Debugger/DBGPlugInWinNt.cpp

@@ -71 +71 @@
 
 /**
- * PsLoadedModuleList entry for 32-bit NT aka LDR_DATA_TABLE_ENTRY.
- * Tested with XP.
- *
- * @todo This is incomplete and just to get rid of warnings.
+ * PsLoadedModuleList entry for 64-bit NT aka LDR_DATA_TABLE_ENTRY.
  */
 typedef struct NTMTE64
@@ -953 +950 @@
      */
     CPUMMODE        enmMode = DBGFR3CpuGetMode(pUVM, 0 /*idCpu*/);
-    uint64_t const  uStart  = enmMode == CPUMMODE_LONG ? UINT64_C(0xfffff80000000000) : UINT32_C(0x80001000);
+    uint64_t const  uStart  = enmMode == CPUMMODE_LONG ? UINT64_C(0xffff080000000000) : UINT32_C(0x80001000);
     uint64_t const  uEnd    = enmMode == CPUMMODE_LONG ? UINT64_C(0xffffffffffff0000) : UINT32_C(0xffff0000);
     DBGFADDRESS     KernelAddr;
@@ -1061 +1058 @@
                     &&  pHdrs->FileHeader.SizeOfOptionalHeader      == sizeof(pHdrs->OptionalHeader)
                     &&  pHdrs->FileHeader.NumberOfSections          >= 10 /* the kernel has lots */
-                    &&  (pHdrs->FileHeader.Characteristics & (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)) == IMAGE_FILE_EXECUTABLE_IMAGE
+                    &&      (pHdrs->FileHeader.Characteristics & (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL))
+                         == IMAGE_FILE_EXECUTABLE_IMAGE
                     &&  pHdrs->OptionalHeader.Magic                 == IMAGE_NT_OPTIONAL_HDR64_MAGIC
                     &&  pHdrs->OptionalHeader.NumberOfRvaAndSizes   == IMAGE_NUMBEROF_DIRECTORY_ENTRIES
@@ -1077 +1075 @@
                     while (RT_SUCCESS(rc))
                     {
-                        /* check the name. */
+                        /* Read the start of the MTE and check some basic members. */
                         DBGFADDRESS MteAddr = HitAddr;
                         rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrSub(&MteAddr, RT_OFFSETOF(NTMTE64, DllBase)),
@@ -1092 +1090 @@
                             )
                         {
+                            /* Try read the base name and compare with known NT kernel names. */
                             rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/, DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v64.BaseDllName.Buffer),
                                                u.wsz, uMte2.v64.BaseDllName.Length);
@@ -1101 +1100 @@
                                )
                             {
+                                /* Read the link entry of the previous entry in the list and check that its
+                                   forward pointer points at the MTE we've found. */
                                 rc = DBGFR3MemRead(pUVM, 0 /*idCpu*/,
                                                    DBGFR3AddrFromFlat(pUVM, &Addr, uMte2.v64.InLoadOrderLinks.Blink),