Repro Steps: (abstract)

1. Gather some objects which have view definitions registered with the alternate formatting engine.
2. Attempt to Format-Blah them, explicitly requesting certain properties ("$stuff | ft Name, DumpPath")

Expected results:
Something sensible. Ideally we can just generate an alt-formatting view definition on the fly and use that.

Actual results:
The already-registered view definition is used, ignoring the request for certain properties.

Concrete example:

$stuff = dir C:\temp\dumps\ -File | ForEach-DbgDumpFile {
   $thing = lm ntdll
   $thing | Format-List | Out-Null
   Write-Output $thing
}

# BUG: We get the default module table view here, not Name and DumpPath
$stuff | ft Name, DumpPath

Workarounds:
To get the desired properties with the alternate formatting engine, use the alternate formatting cmdlets directly (like "$stuff | fat Name, DumpPath").

To use the standard formatting engine, use the module-qualified name of the formatting cmdlets (like "$stuff | Microsoft.PowerShell.Utility\Format-Table Name, DumpPath").

Something is amiss with how PowerShell generates code to access a Span. (DbgShell currently uses Windows PowerShell 5.1 (latest Win10/.NET circa 1/1/2019).)

Repro steps:

ntna
$mem = dd $ip
$mem.GetMemory().Span
$mem.GetMemory().Span[ 0 ]

Expected result:
The last command should give you the first byte in the memory block.

Actual result:

Operation could destabilize the runtime.
At line:4 char:1
+ $mem.GetMemory().Span[ 0 ]
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], VerificationException
    + FullyQualifiedErrorId : System.Security.VerificationException

When searching for more info about this sort of exception, I found reports that indicate it is the kind of thing that can happen when the C# compiler accidentally generates unverifiable IL. In this case, it's not the C# compiler, of course; it's the PowerShell script interpreter/compiler or maybe the Dynamic stuff it uses.

Expanded error info:

AddedByShowError      : True
PSMessageDetails      :
Exception             : System.Security.VerificationException: Operation could destabilize the runtime.
                           at CallSite.Target(Closure , CallSite , Object , Int32 )
                           at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1
                        arg1)
                           at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
                           at
                        System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
                        frame)
TargetObject          :
CategoryInfo          : OperationStopped: (:) [], VerificationException
FullyQualifiedErrorId : System.Security.VerificationException
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 4
PipelineIterationInfo : {}

MyCommand             :
BoundParameters       : {}
UnboundArguments      : {}
ScriptLineNumber      : 4
OffsetInLine          : 1
HistoryId             : -1
ScriptName            :
Line                  : $mem.GetMemory().Span[ 0 ]

PositionMessage       : At line:4 char:1
                        + $mem.GetMemory().Span[ 0 ]
                        + ~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot          :
PSCommandPath         :
InvocationName        :
PipelineLength        : 0
PipelinePosition      : 0
ExpectingInput        : False
CommandOrigin         : Internal
DisplayScriptPosition :

00000000000000000000000000000000000000000000000000000000000000000000000000000000
ExceptionType : System.Security.VerificationException
Message        : Operation could destabilize the runtime.
Data           : {System.Management.Automation.Interpreter.InterpretedFrameInfo}
InnerException :
TargetSite     : System.Object CallSite.Target(System.Runtime.CompilerServices.Closure,
                 System.Runtime.CompilerServices.CallSite, System.Object, Int32)
StackTrace     :    at CallSite.Target(Closure , CallSite , Object , Int32 )
                    at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1)
                    at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
                 frame)
HelpLink       :
Source         : Anonymously Hosted DynamicMethods Assembly
HResult        : -2146233075

When running the latest binary release, on Windows 7 Pro SP1, both x86 and x64 version, I get the following error:

$ ./DbgShell.exe

Unhandled Exception: System.Exception: Could not load dbgeng.dll.
at MS.DbgShell.MainClass._NormalModeMainWrapper(String[] args) in C:\src\DbgShell\DbgShell\MainClass.cs:line 467
at MS.DbgShell.MainClass.Main(String[] args) in C:\src\DbgShell\DbgShell\MainClass.cs:line 130

So I look at the incriminating code:

              string pathToDbgEng = Path.Combine( rootDir, "Debugger", "dbgeng.dll" );

            IntPtr hDbgEng = NativeMethods.LoadLibraryEx( pathToDbgEng,
                                                          IntPtr.Zero,
                                                          LoadLibraryExFlags.LOAD_WITH_ALTERED_SEARCH_PATH );
            if( IntPtr.Zero == hDbgEng )
                throw new Exception( "Could not load dbgeng.dll." );

The file is indeed in the Debugger folder, yet the error persists.
I have tried to replace the file with the one from my WinDbg installation, but to no avail.

Is there something that I could have missed? Thanks.

The approach with DbgShell.exe is clear. But the console UX is somewhat poor. There are other hosts, VSCode + PowerShell, to start with, and some more, e.g. my own Far Manager + PowerShellFar (I am interested in using it specifically). Other hosts provide some powerful tools, UI, etc. For example, Tab completion in DbgShell is better than nothing but drop down Intellisense menus in other hosts are much better. Or, say, other hosts allow debugging of PowerShell scripts designed for debugging of something else. Etc., etc.

In other words, is DbgShell.exe the only option or the normal PowerShell module package possible, too?

The current snapshot of ClrMd code is badly out-of-date. Updating it will be a bit of a pain for two reasons:

1. There were a few small customizations made to the ClrMd code.
2. The current version of ClrMd code was taken from what seems to be a now-defunct branch (ClrObject).

I had figured that the inconsistent handling between addresses with only decimal digits was just an unfortunate cost of PowerShell, until I saw the AddressTransformation... so I poked at it a bit more:

> Read-DbgMemory -Address 0x17409680
17409680  "󸇳."

> 0x17409680 | Read-DbgMemory
Read-DbgMemory : Could not access memory: 90108800
At line:1 char:14
+ 0x17409680 | Read-DbgMemory
+              ~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (15301904384:UInt64) [Read-DbgMemory], DbgMemoryAccessException
    + FullyQualifiedErrorId : MemoryAccessFailure,MS.Dbg.Commands.ReadDbgMemoryCommand

> Read-DbgMemory -Address 17409680
Read-DbgMemory : Could not access memory: 0109a690
At line:1 char:1
+ Read-DbgMemory -Address 17409680
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (17409680:UInt64) [Read-DbgMemory], DbgMemoryAccessException
    + FullyQualifiedErrorId : MemoryAccessFailure,MS.Dbg.Commands.ReadDbgMemoryCommand

Get-DbgSymbol "MyClass::MyFunction" | Read-DbgDisassembly returns the error "Read-DbgDisassembly : Cannot process argument transformation on parameter 'Address'. Could not convert 'MS.Dbg.DbgPublicSymbol' to an address.". So I tried sticking a Select Address in there, but that didn't work either.

%{ $_.Address.ToString("X8") } got the job done but doesn't seem like the intended workflow.

Running git --version directly returns correct result, but if I assign it to a variable then it will be garbled: $x = git --version; $x.

2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.Converters.clr.ps1" because it was not found.
2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.Converters.Cui.ps1" because it was not found.
2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.Converters.dfsr.ps1" because it was not found.
2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.Converters.tlx.ps1" because it was not found.
2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.Converters.utl.ps1" because it was not found.
2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.DebuggeeTypes.cui.psfmt" because it was not found.
2>C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(4406,5): error MSB3030: Could not copy the file "E:\Source\Repos\DbgShell\DbgProvider\Debugger.DebuggeeTypes.dfsr.psfmt" because it was not found.

Should the files be added, or the project updated?

The wide string functions work how I would expect, however the ascii/UTF8 string read functions simply throw exceptions with no partial results if the string is longer than the requested bytes.

The basic underpinnings for this are already in—for instance, the DbgEngContext field representing the process has been updated to be able hold a process ID or a EPROCESS address (ProcessIndexOrAddress). But there is a lot more to be done, like getting the namespace provider wired up.

Recipes:

1. Break on a function only when "foo" is on the callstack or argument is a particular value.
2. ... add more to this list ...

https://github.com/aquynh/capstone: "Capstone is a disassembly framework with the target of becoming the ultimate disasm engine for binary analysis and reversing in the security community."

Attach is more recognizable verb, I guess.

Class MS.Dbg.DbgUModeThreadInfo has a property uint32 Tid {get;}
Cmdlet Get-ClrStack has a parameter [-OsTid]

It would be great to have both names equal. It's better from naming conventions point of view and gives a better chance to use them in pipeline with bind by property name.

I'm searching for... something in a haystack. I don't even know what exactly the something is yet. I've got a memory dump, and a million candidate addresses in a file; I want to read the value for each from the dump and analyze the results.

Get-Content Candidates.log | Read-DbgMemory -LengthInBytes 4 | Out-String -Stream | Out-File Values.txt gets me almost all of the way there - except that the output is crammed full of formatting control characters. An option to print things without formatting, or strip the control strings out, would be very helpful for this.

I've forked DbgShell and started putting together a basic memory search command (which hopefully I will be able to polish into a reasonable pull request before the ADHD decides otherwise for me). I wanted to share some thoughts and get some input.

1. I've forgone DbgEng's search granularity option so that I could implement search alignment independent of the search size, to allow things like searching for pointers to nearby addresses:

> Search-DbgMemory 04244c -SearchValueLengthInBytes 3 -SearchResultAlignment 4 -FromAddress 1 | % { $_.Address - 1 } | Read-DbgMemory -LengthInBytes 16
719b1c40  04244c8b 060441f7 b8000000 00000001
719d8df8  04244c13 042444dd c310c483 fe4356e9
71a1e99c  04244c8b 04c231d9 244c8b00 c221d904

On the one hand, awesome!, you're not going to be doing that in WinDbg... on the other hand, that's not a very straightforward approach and byte granularity means you're search for pointers in a 256 byte region or 64kB region, no in between... any thoughts on a better way to do it?

2. I'm taking the search value as a ulong, which means it caps out at 8 bytes... supporting strings seems easy enough, but I've no idea how to tackle 9+ byte non-string patterns. Are there any existing commands I can crib from?

3. My ultimate goal is to do something like this:

[Heap 007f0000 segment 52800000 (msvcrt!_crtheap)]
52808dec  04244c8b e808508d fff61480 cc0004c2
[<unknown>]
658d0160  04244c8d 04244489 8b4ceca1 24448965
[srvcli; "C:\Windows\System32\srvcli.dll"]
719b1c40  04244c8b 060441f7 b8000000 00000001
719d8df8  04244c13 042444dd c310c483 fe4356e9
71a1e99c  04244c8b 04c231d9 244c8b00 c221d904

Is there a way I can do grouping without accumulating?

A long time ago I started writing some manual MAML (in DbgProvider.dll-Help.xml), but manual MAML is not a lot of fun.

It seems like PlatyPS is the way to go here.

Note that for "about" topics, I don't think PlatyPS will do what I want--it expects .md input in a very particular format, and for "about" topics I'd like to be a little more free-form. But for cmdlet topics, PlatyPS might be just the thing.

It would be great if Get-ClrStack will be able to accept instances of MS.Dbg.DbgThreadContainer as an input so it will be able to use in the pipeline.

PS Dbg:\NetDebugDemos_16124\Threads
> Get-ChildItem | Get-ClrStack

It's possible it's mentioned in one of the about_ help files, but it should be on the main readme.md as well.

I wanted to see the PEB for my process. Since the thread namespace includes a Teb, I figured there'd be a matching Peb in the process namespace, but alas, there is not. (I did eventually figure out that there is a $peb variable, at least)

Save my conscience from the magic string!
DbgPseudoRegisterInfo.GetDbgPsedoRegisterInfo(Debugger, "$peb").Value

Regular dps:

> dps 26ee7c30
26ee7c30  2368c010
26ee7c34  13234900
26ee7c38  5f080100 d2d1!CSRGBToLinearTranslator::s_shaders+400f0
26ee7c3c  26db1aa8
26ee7c40  26ee74a8
26ee7c44  26e80020

Awesome recursive dps:

26ee7c30  2368c010  -> 50afffa8 jscript9!Js::JavascriptLibrary::`vftable'
26ee7c34  13234900  -> 50b35650 jscript9!Js::GlobalObject::`vftable'
26ee7c38  5f080100 d2d1!CSRGBToLinearTranslator::s_shaders+400f0
26ee7c3c  26db1aa8  -> 50afa570 jscript9!ScriptEngine::`vftable'
26ee7c40  26ee74a8  -> 21dd7da0  -> 50afffa8 jscript9!Js::JavascriptLibrary::`vftable'
26ee7c44  26e80020  -> 26a0cda0  -> 50afffa8 jscript9!Js::JavascriptLibrary::`vftable'

Ah! It is so much more clear what I am looking at now! And with colorization it's even better!

> Get-ChildItem C:\dumps -File | Mount-DbgDumpFile
Mount-DbgDumpFile : Cannot find path 'Dbg:\example.dmp' because it does not exist.
At line:1 char:32
+ Get-ChildItem C:\dumps -File | Mount-DbgDumpFile
+                                ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Dbg:\example.dmp:String) [Mount-DbgDumpFile], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,MS.Dbg.Commands.MountDbgDumpFileCommand

This would be to run an analysis script on all of the dump files in a folder.

Also helpful for that would be a way to automatically dismount dump files (or even actually dismount them at all) so you don't get target name conflicts if your script errors out and you have to restart it

It took 5-6 seconds for every launch on my desktop. Would be appreciated if this could be improved.

My object has an int? property that is null when it doesn't apply/can't be calculated. The standard Format-Table doesn't print anything when it's null. The alternate table formatting displays it as "$null" which has the unfortunate effect of making the least important information the most visible, so I have to do a ScriptColumn with a null check to handle it.

DbgEng.dll has a concept of "context": what is the current "system", the current process within that system, the current thread within that process, and the current frame within that thread. (See the DbgEngContext class.) DbgShell exposes this via its namespace. It supports switching between contexts, such as between threads, or between multiple processes in a live debugging scenario.

However, some combinations of context just don't work together. For instance, if you are attached to a dump, and then try to launch a new, live process under the debugger, dbgeng context gets completely discombobulated.

DbgShell needs to add some guard rails so that you don't end up in situations that don't work.

EnumerateLIST_ENTRY has two main troubles:

1. It yields PSObjects, not DbgValues.
2. It throws a NotImplementedException

The NotImplementedException can be resolved easily enough by skipping the dynamic entirely:

        var val = Debugger.GetValueForAddressAndType( curItemAddr, entryType, itemNamePrefix + idx.ToString(), false, false );
        yield return val;

        curListEntry = val.Properties[listEntryMemberPath].Value;
        curListEntry = curListEntry.Flink;

Additionally, the head = head.WrappingPSObject; at the start is a bit inconvenient, since it means one has to pass in the PSObject.BaseObject instead of the PSObject directly, and the is DbgPointerValue & is DbgValueError checks don't work, since the values are always PSObject.

The purpose of this issue is to share some learnings (and some salt about DbgHelp) that I have gained in the past few days furthering my descent into madness my understanding of symbols; whether any of this should be considered an issue that prompts changes to DbgShell or an endorsement of any particular approach I leave to the readers' judgement.
SymbolSearchPerf.cs.txt

1. SymSearch results are a superset of SymEnumSymbols - there is no symbol that SymEnumSymbols will return that SymSearch can not also return.

"But wait!" you say, "I have done searches that get results from SymEnumSymbols but not SymSearch!" And indeed, you are correct. So I shall share the sad tale of a simple, unassuming symbol, known to its friends as mshtml!g_hIsolatedHeap.

> Get-DbgSymbol "mshtml!g_hIsolatedHeap" -UseSymEnum
      0x642b1ba0 g_hIsolatedHeap

As expected. And what about SymSearch?

> Get-DbgSymbol "mshtml!g_hIsolatedHeap" -UseSymSearch

Nothing. Have I lied to you? No! I have not! It is DbgHelp that lies! This symbol's proper name is not mshtml!g_hIsolatedHeap at all, but in truth is mshtml!_g_hIsolatedHeap!

> Get-DbgSymbol "mshtml!_g_hIsolatedHeap" -UseSymSearch
      0x642b1ba0 g_hIsolatedHeap

SymEnumSymbols succceeds where SymSearch does not because DbgHelp secretly inserts search globs to cover for the lies it tells! But at what cost, you ask? "No, I didn-" Yes, you did. But unfortunately, there are so many different ways that DbgHelp is heckin' slow, you can't unambiguously pin it to one single thing† - but one can at least quantify how slow the various ways of calling into it to ask about our friend mshtml!_g_hIsolatedHeap are!

(spoiler alert: Benchmarkdotnet picked microseconds for this table because some of the rows I cut out actually need it)

There are few things you can tell from that table (should the names happen to make sense to you, or should you reference against the attached code). First is that with the default settings DbgHelp does try to match against your original search terms before searching again with the injected star glob. Next you might notice that SymSearch manages to take twice as long (unless you set symopts to search against still-"decorated" streams, a trival concession for our symbol with no decoration to be had). I'm not really sure how it does that. One might also notice that there are undocumented wildcards (that one might want to, you know, escape). In this case, I used #, which seems to mean "match the preceding character 0 or 1 times"‡, but there's also some handling for a [a-z] style syntax.

Now, if one were to examine DbgHelp more closely††, one might notice that the public apis seem to pretty much just be messy wrappers aound DIA functions. And there is an undocumented SymGetDiaSession, what might one get from that? Crashes, unless one also notices the SymFreeDiaString and surmises that DbgHelp's DIA is special and doesn't use SysAllocString to allocate "BSTR" values.

Wow, using .NET COM interop with an exact search string gets us an answer 100 times faster (as long as we don't look at any string properties...). C++/CLI our way around the string issue and we get a whopping 3,000 times faster. Even undecoration & search globs can't get us as slow as the DbgHelp APIs go. But wait! There's more... most of those 112 microsecond were just fetching the DiaSession!

But why stop there? If you profile it, it's painfully obvious that DbgHelp's DIA is hamstrung by some inefficient UTF8 -> UTF16 conversion logic... and the disassembly tarot cards will tell you that the version of DIA in msdia140 somewhat improves on that conversion, in addition to a statically linked towlower... so how would that fare?

Well, shoot. Those numbers are rather remarkably close to DbgHelp's... I profiled them to make sure I wasn't accidentally double testing. I'm starting to suspect there was a reason the DbgHelp DIA used LocalAlloc instead of SysAllocString... _{msdia140 will use LocalAlloc if you use a secret alternate GUID to get your IDiaDataSource but I think I should post this and go to sleep before I get lured into testing that}

( SymbolSearchPerf.cs.txt contains the benchmark code, which should compile & run against the head of my personal DbgShell repository)

† aside from the dynamically linked towlower call in DbgHelp!nextToken

‡ except in mshtml!_#_hIsolatedHeap where it means "get stuck in an infinite loop"

†† Not by diassembling it, of course, that would be against the terms of use!

HI, I need to integrate with c# / Any known package? or this library can be integrated with c#