- Have access to the internet to use the Microsoft symbol server.
- Access to symbol files using a UNC path.
In both cases it is impossible to set break points using symbolic names in either a live debug session or when using adplus. This is clearly a problem for the adplus configuration script I discussed in VB Script production debugging.
If symbols aren’t available there is another solution by adding break points set using a memory address location. In the previous blog the adplus config file was setting a breakpoint on the function vbscript!CScriptRuntime::RecordErrorContext. To find out the memory address for the breakpoint we need to determine what the offset to vbscript!CScriptRuntime::RecordErrorContext is in vbscript.dll.
First we need to take a dump of the process on the production server and load it into windbg on a machine which does have access to a symbol store. Open the dump and enter the x command to find the address of the function
0:031> x vbscript!CScriptRuntime::RecordErrorContext
734753cf vbscript!CScriptRuntime::RecordErrorContext =
Then we need to find the module address for vbscript.
0:031> lmm vbscript
start end module name
73460000 734c5000 vbscript
Subtract the module start address from the symbol address
0:031> ?734753cf - 73460000
Evaluate expression: 86991 = 000153cf
Now we have our offset we can use it to set a break point either during a live debug or in the adplus config file. The dump I used in the example above was using 5.6.0.8515 of vbscript.dll. The Address element of the adplus configuration file should be modified from
vbscript!CScriptRuntime::RecordErrorContext
to
vbscript + 0x000153cf
No comments:
Post a Comment