Is there a way to dump the arguments in va_list in windbg given the format string and the starting address of va_list?
I usually do this by just dumping the content of the stack using command dd esp (for x86) or dq rsp (for x64). Knowing the starting address of va_list makes it a bit easier to locate the place in the stack where vararg block begins, but usually you can either guess it or calculate by knowing the sizes of regular (non-vararg parameters) to the function.
Here is an annotated example for x86. The function beeing called:
printf("%d %o %g %s %c", 101, 201, 301.0, "401-string", '5');
in debugger:
0:000> bp MSVCR100D!printf
0:000> g
Breakpoint 1 hit
eax=00000001 ebx=00000000 ecx=2549afc4 edx=00000000 esi=002ceeb8 edi=002cf040
eip=0ff57ee0 esp=002cee98 ebp=002cf04c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
MSVCR100D!printf:
0ff57ee0 8bff mov edi,edi
0:000> dd /c1 esp
002cee98 01365cee // return address
002cee9c 0137d6e8 // pointer to the format string "%d %o %g %s %c" --> next follows our variable arguments
002ceea0 00000065 // first vararg argument, int 101
002ceea4 000000c9 // second vararg argument, int 201
002ceea8 00000000 // third vararg argument, double 301.0, it occupies two slots in stack
002ceeac 4072d000 // third argument continues
002ceeb0 0137d70c // fourth vararg argument, pointer to string
002ceeb4 00000035 // fifth vararg argument, 8-bit character (still occupies 4 bytes in stack)
002ceeb8 25b87244
002ceebc 002cf254
002ceec0 0041c520
002ceec4 00000000
...
For other functions it will be very similar, because all functions that use variable number of arguments have to be following __cdecl calling convention, so you will find the same type of layout of parameters in the stack.
Related
I need to get the address of the function required by .fnret command in WinDBG.
For example, I want to get the information about return value of apphelp!ApphelpCheckRunApp function.
First, I set a breakpoint on this function:
bp apphelp!ApphelpCheckRunApp
Then I'm continuing the execution, until it breaks on that function.
After breaking, I'm executing .fnret [Address] command.
I already tried to use the 77b345d5 address displayed on the breakpoint:
Breakpoint 0 hit
eax=77b345d5 ebx=7ed320f5 ecx=7ffac000 edx=7c886920 esi=7ffac000 edi=00000018
eip=77b345d5 esp=0378ce90 ebp=0378d108 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000213
appHelp!ApphelpCheckRunApp:
77b345d5 8bff mov edi,edi
but that seems to be not what I need, because I get the following error:
^ Unknown or unsupported return type in '.fnret 77b345d5'
Also I used return address 7c818cdf of this function from call stack (got via kb command):
ChildEBP RetAddr Args to Child
0283ce8c 7c818cdf 00000474 046bb7d0 00000000 appHelp!ApphelpCheckRunApp
but it leads me to the same error.
Which WinDBG command I should use for that and which return address it will display (in case it isn't displayed yet on breakpoint)? Will it then properly work for .fnret or .fnret /s commands? Unfortunately, there are no any examples of using them on MSDN, only the documentation.
Hoping on your help. Thanks in advance.
.fnret is only useful if you have private pdb
it is not useful if you have public pdb because it needs to retrieve the type information
here is a sample usage on a compiled code with private pdb
0:000> x /t /v /f myst!towlower
prv func 00007ff6`74ba5f84 7 <function> myst!towlower (unsigned short)
0:000> x /t /v /f myst!toupper
prv func 00007ff6`74b91b10 2a <function> myst!toupper (int)
0:000> .fnret myst!towlower
myst!towlower (00007ff6`74ba5f84) = unsigned short 1
0:000> .fnret myst!toupper
myst!toupper (00007ff6`74b91b10) = int 0n1
error on a known function which returns a HANDLE using public stripped pdb
0:000> .fnret KERNELBASE!CreateFileA
^ Unknown or unsupported return type in '.fnret KERNELBASE!CreateFileA'
success on a system file with private pdb
it casts the forced return value dumped in #rax as a typed return with value of a function with type information
a system file with prrivate pdb
0:000> .printf "%y\n" , 0x00000001`800bace0 ; an arbitrary function
ole32!ToUnicode (00000001`800bace0)
0:000> .printf "%mu\n" , 00000001`8014c17a ; an arbitrary wide string
guageErrorPointerംА
0:000> r rax = 00000001`8014c17a the $retreg is populated with an address of wide string
0:000> .fnret 0x00000001`800bace0 << fnret casts the $retreg as wide string and prints the resulting widestring
ole32!ToUnicode (00000001`800bace0) = wchar_t * 0x00000001`8014c17a
"guageErrorPointer???"
OK, that command is indeed not helpful at all when using public PDBs.
I found better solution here: How to get return value from a function in windbg?.
It is possible to get the memory address of return value by viewing eax/rax register on x86/x64 appropriately, using r command (since it always is stored there). After breakpoint, I'm just typing r eax on x86 or r rax on x64. Output will be look like this:
eax=[Address]
Then, I'm displaying a value of received memory address via d* (dd, du etc. displaying data types commands), like this:
du [Address]
After looking at the output, it becomes understandable which data is returned, and its data type also (at least in most of cases).
But to understand first, which data type is used, I'm trying the different combinations of display memory commands and display referenced memory commands.
Are there macros that provide the correct printf format specifiers for IV, UV, STRLEN, Size_t and SSize_t? None are listed in perlapi.
C provides macros for the format specifiers for the types provided by stdint.h, such as uint32_t.
#include <inttypes.h>
#include <stdint.h>
uint32_t i = ...;
printf("i = %" PRIu32 "\n", i);
Is there something similar to PRIu32 for IV, UV, STRLEN, Size_t and SSize_t?
The larger problem is that I'm trying to suggest a fix for the following compilation warnings produced when installing Sort::Key on Ubuntu on Windows Subsystem for Linux:
Key.xs: In function ‘_keysort’:
Key.xs:237:12: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘IV {aka long int}’ [-Wformat=]
croak("unsupported sort type %d", type);
^~~~~~~~~~~~~~~~~~~~~~~~~~
Key.xs: In function ‘_multikeysort’:
Key.xs:547:9: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘STRLEN {aka long unsigned int}’ [-Wformat=]
croak("wrong number of results returned "
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Key.xs:547:9: warning: format ‘%d’ expects argument of type ‘int’, but argument 3 has type ‘IV {aka long int}’ [-Wformat=]
For UV, the following macros exist:
UVuf (decimal)
UVof (octal)
UVxf (lc hex)
UVXf (uc hex)
For IV, the following macro exists:
IVdf (decimal)
For NV, the following macros exist:
NVef ("%e-ish")
NVff ("%f-ish")
NVgf ("%g-ish")
For Size_t and STRLEN, use the builtin z length modifier.[1]
%zu (decimal)
%zo (octal)
%zx (lc hex)
%zX (uc hex)
For SSize_t, use the builtin z length modifier.[1]
%zd (decimal)
For example,
IV iv = ...;
STRLEN len = ...;
croak("iv=%" IVdf " len=%zu", iv, len);
While Size_t and SSize_t are configurable, they're never different from size_t and ssize_t in practice, and STRLEN is a typedef for Size_t.
If Size_t is the same as size_t, then %zu is correct.
STRLEN is likely, but not certain, to be the same as size_t.
If SSize_t is the same as ssize_t, then %zd is probably correct (it's complicated).
For other types, if you don't know what predefined type they correspond to, convert to a known type. Knowing the signedness helps. For example:
some_unknown_signed_integer_type n = 42;
some_unknown_unsigned_integer_type x = 128;
printf("n = %jd\n", (intmax_t)n);
printf("x = %ju\n", (uintmax_t)x);
intmax_t and uintmax_t are defined in <stdint.h>.
You can get away with converting to long or unsigned long and using %ld or %lu, for example, if you happen to know that the type is no wider than long or unsigned long.
When disassembling in Radare2, the output is decorated with random annotations of memory peeks, decimal conversions, etc., for example:
...
0000:06ea and al, 0x7f
0000:06ec cmp al, 5 ; 5
0000:06ee jne 0x712
0000:06f0 mov eax, dword [bx + 8] ; [0x8:4]=-1 ; 8
0000:06f4 mov edx, dword [bp + 0x14] ; [0x14:4]=-1 ; 20
...
I find them largely irrelevant: for example, I don't care about the value at 0x14 when that is used as a displacement rather than a fixed address. What command do I use to hide them, either globally or for a particular address?
This is possible since version 3.0. The commands are:
e asm.comments=false
e asm.usercomments=true
The former turns all comments off and the latter overrides this for user-added comments. Currently there's no finer distinction than this: you can't turn off the [0x8:4]=-1 keeping the decimal conversions only, for example.
I found the following code snippet in verilog code for AES.
function [7:0] xtime;
input [7:0] b; xtime={b[6:0],1'b0}^(8'h1b&{8{b[7]}});
endfunction
Please explain what does this do. The more elaborate explanation, the better.
b is a 8 bit input.
b[6:0],1'b0 last 7 bits left shifted, and padded with 0
^ xor
8'h1b 8 bits hex 1b anded with the sign bit.
Explained in one line: If msb is set xor with 0x1b otherwise just *2
A quick search of xtime and AES leads me to this c implementation’s comment:
// xtime is a macro that finds the product of {02} and the argument to
// xtime modulo {1b}
#define xtime(x) ((x<<1) ^ (((x>>7) & 1) * 0x11b))
looks like it maybe is doing about the same.
Lets clean up the code and breakdown some of the assignments:
function [7:0] xtime;
input [7:0] b;
reg [7:0] temp1;
reg [7:0] temp2;
begin
temp1 = {b[6:0],1'b0};
temp2 = ( 8'h1b & {8{b[7]}} );
xtime = temp1 ^ temp2;
end
endfunction
Function called xtime outputs the variable xtime 8 bits wide. Has 8 bit wide input called b.
temp1 left shifts input b, padding LSB (Least Significant Bit) with 0 and throwing away MSB (Most Significant Bit).
temp2 bitwise ANDs 8'h1B (8'b0001_1011) with the MSB of input b.
b[7] selects bit 7 of b.
{8{value}} is the replication operator.
{8{1'b1}} => 8'b1111_1111
{4{2'b10}} => 8'b1010_1010
xtime performs the bitwise XOR of temp1 and temp2.
I need something like struct or class in c++
For example I need a class with an array and two attribute (size and len) and some function like append and remove .
How can I implement this in assembly with macros and procedures?
Tasm supports eg.
struc String // note: without 't' at the end
size dw 100
len dw 10
data db 0 dup(100)
ends String
Gnu assembler also has a .struct directive.
The syntax for MASM is:
String STRUCT
size dw 100
len dw 10
String ENDS
Usage again from the same MASM manual:
ASSUME eax:PTR String
mov ecx, [eax].size,
mov edx, [eax].len
ASSUME eax:nothing
.. or ..
mov ecx, (String PTR [eax]).size // One can 'cast' to struct pointer
One can also access a local variable directly
mov eax, myStruct.len
Here's a sample MASM struct from a HID interface routine that I wrote:
SP_DEVICE_INTERFACE_DATA struct
CbSize DWORD ?
ClassGuid GUID <>
Flags DWORD ?
Reserved ULONG ?
SP_DEVICE_INTERFACE_DATA ends
Structure in 8086 MASM
syntax
struct_name STRUC
var_name type ?
...
struct_name ENDS
Rules
1)It can't be initialized (If initialized results in garbage values)
2)It should be accessed using "direct addressing mode" (If not result in "immediate addressing mode")
program to add two numbers
DATA SEGMENT
FOO STRUC
A DB ?
B DB ?
SUM DW ?
FOO ENDS
DATA ENDS
CODE SEGMENT
ASSUME CS:CODE,DS:DATA
START:MOV AX,DATA
MOV DS,AX
XOR AX,AX
MOV DS:[FOO.A],0FFH
MOV DS:[FOO.B],0FFH
MOV AL,DS:[FOO.A] ;al=ff
ADD AL,DS:[FOO.B] ;al=al+ff
ADC AH,00H ;ah=ah+carry_flag(1/0)+00
MOV DS:[FOO.SUM],AX ;sum=ax
HLT ;stop
CODE ENDS
END START