System Function Argument Viewer
Starting from version 1.5, VisualDDK contains a feature that significantly simplifies debugging assembly-level code. Basically, it allows easily viewing the typed argument values for any function of any module even if the sources are not available. To see how this works, let's try setting a breakpoint inside IoCreateFile() and examining the arguments:
-
Start a debugging session using either "attach" dialog, or a driver project.
-
Press the "break all" button in Visual Studio or "Print Screen" button on the debugged machine to break into debugger.
-
Open "disassembly" window
-
Type "IoCreateFile" in the "address" line.
-
Set a breakpoint somewhere after the "mov ebp,esp" instruction. Your debugging window should look like that:
- Press the "continue" button and wait till the breakpoint hits. If you open the "locals" window, it will be empty, as the symbols for ntoskrnl.exe do not provide any information about locals or function arguments. Let's fix it and let VisualDDK convert the for us.
-
Open the %APPDATA%\VisualDDK folder and create a file called SystemFunctionPrototypes.txt there.
-
Enter the following text in the file and save it:
nt!IoCreateFile: FileHandle = void *, DesiredAccess = int, ObjectAttributes = nt!_OBJECT_ATTRIBUTES *In this example we have specified the first 3 arguments for IoCreateFile(). In real life, you can specify any number of arguments you wish. The general format of the SystemFunctionPrototypes.txt is the following:<funciton name>: <arg1 name> = <arg1 type>, <arg2 name> = <arg2 type>, ...Note that it is recommended to use fully qualified type names (e.g nt!_OBJECT_ATTRIBUTES). If you want to reference a type declared in the currently open driver project, you can use the "@main!TypeName" syntax. - Return back to Visual Studio and do a single step (or resume execution
till the breakpoint hits again). Open the Locals window:
As you can see, the arguments you have typed into SystemFunctionPrototypes.txt are now displayed with correct types. Note that you can also use the "@arg<number>" syntax (e.g. @arg6) in the Watch window to view function arguments. If an argument referenced by the "@arg" keyword was not defined in SystemFunctionPrototypes.txt, or the current function is not defined there, VisualDDK will use type PVOID for it.