Udostępnij za pośrednictwem


Determining process architecture with JavaScript and LINQ

It’s been a while since my last post about our JavaScript scripting and extensibility support and we’ve loved seeing what some of you are doing with it. I wanted to do a post on JavaScript and how it could be used in a simple scenario, and I stumbled on this StackOverflow question the other day and wanted to take the opportunity to demonstrate a basic JavaScript extension. This script isn’t perfect, there are some cases where it doesn’t work, it’s just an example of how you can use JavaScript in cases like this. The question is “Is there a Windbg/NTSD command to tell me if a process I have attached to in a live debugging session is a 32-bit one or a 64-bit one?”

That post has a few good answers, mostly around check the state of Wow64, another way not mentioned there would be to do the following:

  1. Run ‘dx @$curprocess.Threads’
  2. Click each thread and look for “GuestState”, if the thread GuestState, click it
  3. If any thread has a GuestState of x86, then you’re debugging a 32-bit process

If this is something you want to do often, none of these suggestions (including mine) are really great, they’re indirectly telling you want you want and take some thought. If this is something you find yourself doing daily, you can write a quick script to expose the information in a more direct manner.

First, let’s setup the basics of our script, this is mostly taken from the MSDN documentation we have we have in JavaScript Debugger Scripting.

 
"use strict";

class __CheckArchitecture
{
    //
    // Add a property called 'ProcessArchitecture' on process.
    //
    get ProcessArchitecture()
    {
        return “Hello World!”;
    }
};

function initializeScript()
{
    //
    // Extends our notion of a process to place architecture information on it.
    //
    return [new host.namedModelParent(__CheckArchitecture, "Debugger.Models.Process")];
}

This is the skeleton logic of “extending” the debugger’s “Process” model with a property of “ProccessArchitecture”. We’ll have a blog post soon going deeper into what we mean about extending objects, but if you watch our Defrag Tools videos linked from my last blog post, we explain the basics. If you load this script with ‘.scriptload’ and then run ‘dx @$curprocess’, you’ll see the new field “ProcessArchitecture” with a value of “Hello World!”. Next step is to replace “Hello World!” with the logic to get the actual architecture.
Since we know that every thread of an x86 process will have “GuestState.Architecture” on it, we can write a LINQ query to check the values of all the threads. If you aren’t familiar with LINQ, check out my blog post here to learn the basics. The query I came up with is:
[code]
@$curprocess.Threads.Any(t=> t.GuestState.Architecture =="x86")

This query will give us true if any of the threads x86. In the earlier script, we can replace line 10 with:

 
var guestStates = this.Threads.Any(t=> t.GuestState.Architecture =="x86");

if(guestStates)
    return "x86";
else
    return "x64";

If you’re targeting a 32-bit process, loading this and running the query from before will now show us that ProcessArchitecture is x86! Unfortunately, if you’re targeting an x64 process the script won’t load. We need to adjust our LINQ query to handle the error case:

 
var guestStates = this.Threads.Any(t=> (!(t.GuestState === undefined) && t.GuestState.Architecture =="x86"));

This now verifies that GuestState is available before trying to access it. I’ll note that this doesn’t work in certain dump cases or if you’re using the 32-bit debugger, but it’s a first step if you find yourself needing to script the debugger depending on target architecture or need this information at a glance. The full final script is pasted at the end of this post.

One of the things some of you have asked about is the pain of loading and debugging scripts. We’re working on improvement in this area soon that will be out in an SDK preview in the near future. Also, don’t forget that with the Creator’s Update SDK officially out, you can see what’s new at Debugging Tools for Windows: New for Windows 10
Leave any feedback or questions in the comments below!
-Andy
@aluhrs13

Final full script:

 
"use strict";

class __CheckArchitecture
{
    //
    // Add a property called 'ProcessArchitecture' on process.
    //
    get ProcessArchitecture()
    {
        var guestStates = this.Threads.Any(t=> (!(t.GuestState === undefined) && t.GuestState.Architecture =="x86"));

        if(guestStates)
            return "x86";
        else
            return "x64";
    }
};

function initializeScript()
{
    //
    // Extends our notion of a process to place architecture information on it.
    //
    return [new host.namedModelParent(__CheckArchitecture, "Debugger.Models.Process")];
}