How to capture Windbg DML commands

Question

Good afternoon,

I'm trying to write a script which can help me analyse the memory dump of an application. Using Windbg, I run the command "~* k", which can give the following results:

Without DML:

    .  0  Id: 8694.5d90 Suspend: 0 Teb: 05916000 Unfrozen
     # ChildEBP RetAddr
    00 00e2f8a8 76260b89 ntdll!NtWaitForSingleObject+0xc

With DML:

    .  0  Id: 8694.5d90 Suspend: 0 Teb: 05916000 Unfrozen
     # ChildEBP RetAddr
    00 00e2f8a8 76260b89 ntdll!NtWaitForSingleObject+0xc

As you can see, the "00" hyperlink contains the dbx command "dx Debugger.Sessions[0].Processes[34452].Threads[23952].Stack.Frames[0].SwitchTo();dv /t /v", and this is exactly what I'm looking for (as mentioned in the tooltip).

I'm using the "PYKD" library (found under this URL), but the PYKD command "DbgCommand()", as described in the "PYKD API reference", seems not to give the possibility to capture the DML-related response.

Is there a way to capture the DML hyperlink, either with or without using the PYKD library?

Thanks in advance
Dominique

Edited by Dominique___ Monday, September 10, 2018 12:32 PM
Monday, September 10, 2018 12:30 PM
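The post is after the command hidden behind each frame-number hyperlink. As an added example (not from the post, and not using PYKD), the script below assumes the DML-annotated text of "~* k" has already been obtained as a string, and shows how to recover both the plain output and the per-frame `cmd` values from WinDbg's `<link cmd="...">` markup; the sample input is constructed from the line in the post plus a hypothetical second thread.

```python
import html
import re
from typing import Dict, List

# Constructed sample of DML-annotated "~* k" output. Hypothetical: built for
# this example from the line shown in the post, using WinDbg's documented
# <link cmd="...">text</link> markup; it was not captured from the post.
SAMPLE_DML = """\
.  0  Id: 8694.5d90 Suspend: 0 Teb: 05916000 Unfrozen
 # ChildEBP RetAddr
<link cmd="dx Debugger.Sessions[0].Processes[34452].Threads[23952].Stack.Frames[0].SwitchTo();dv /t /v">00</link> 00e2f8a8 76260b89 ntdll!NtWaitForSingleObject+0xc
   1  Id: 8694.1234 Suspend: 0 Teb: 05919000 Unfrozen
 # ChildEBP RetAddr
<link cmd="dx Debugger.Sessions[0].Processes[34452].Threads[4660].Stack.Frames[0].SwitchTo();dv /t /v">00</link> 00f2f8a8 76260b89 ntdll!NtWaitForSingleObject+0xc
<link cmd="dx Debugger.Sessions[0].Processes[34452].Threads[4660].Stack.Frames[1].SwitchTo();dv /t /v">01</link> 00f2f8c0 75a1b2c3 KERNELBASE!WaitForSingleObjectEx+0x98
"""

# Thread header: optional "." (current) or "#" (last event) marker, thread
# number, then "Id: <pid>.<tid>" in hex.
THREAD_RE = re.compile(r"^\s*[.#]?\s*(\d+)\s+Id:\s*([0-9a-fA-F]+)\.([0-9a-fA-F]+)")
# A DML link wrapping a frame number; cmd is attribute-escaped (&quot; etc.).
LINK_RE = re.compile(r'<link\s+cmd="([^"]*)">\s*([0-9a-fA-F]+)\s*</link>(.*)$')


def strip_dml(text: str) -> str:
    """Reduce DML to the plain text WinDbg prints when DML is off."""
    return html.unescape(re.sub(r"<[^>]+>", "", text))


def parse_dml_stacks(text: str) -> List[Dict[str, object]]:
    """Return one record per frame link: thread, pid/tid, frame, command."""
    frames: List[Dict[str, object]] = []
    thread = pid = tid = None
    for line in text.splitlines():
        t = THREAD_RE.match(line)
        if t:
            thread, pid, tid = int(t.group(1)), int(t.group(2), 16), int(t.group(3), 16)
            continue
        m = LINK_RE.match(line)
        if m and thread is not None:
            frames.append({
                "thread": thread, "pid": pid, "tid": tid,
                "frame": int(m.group(2), 16),
                "cmd": html.unescape(m.group(1)),   # the hidden hyperlink command
                "text": strip_dml(m.group(3)).strip(),
            })
    return frames


if __name__ == "__main__":
    for f in parse_dml_stacks(SAMPLE_DML):
        print(f"thread {f['thread']} ({f['pid']}.{f['tid']}) frame {f['frame']:02x}: {f['cmd']}")
```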