0:000> kb
ChildEBP RetAddr Args to Child
00068928 77e7a33e 01c27848 00068948 77e7a36f RPCRT4!LRPC_CCALL::SendReceive+0x22a
00068934 77e7a36f 00068964 76f22e68 00068d40 RPCRT4!I_RpcSendReceive+0x24
00068948 77ef4675 00068990 01c27880 00000000 RPCRT4!NdrSendReceive+0x2b
00068d24 76f235e7 76f22e68 76f22c70 00068d40 RPCRT4!NdrClientCall2+0x222
00068d38 76f2357b 00000000 02372ba4 00000001 DNSAPI!R_ResolverQuery+0x1b
00068d94 71a526c6 02372ba4 00000001 00000000 DNSAPI!DnsQuery_W+0x14f
00068dc8 71a5266f 02372ba4 00000001 00000000 mswsock!HostentBlob_Query+0x29
00068df4 71a51b0a 02372b38 00396600 003965e8 mswsock!Rnr_DoDnsLookup+0x7d
- clipped
There are a few msdn blogs and other pages that say this is done by
dumping the memory around the first param and looking for two dwords
in a row that have the PID and TID as their value. (dpp 01c27848 in
this example) Right now when in user mode I use gpedit to turn on rpc
debug info and use rpcexts.dll. I'd like to not have to do that
though. Any advice would be greatly appreciated.
JR
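An added example, not from any of the posters and not a WinDbg extension: if you save the region around the first parameter (plain `dd` output) to a text file and have a process/thread listing from the same session, the Python below finds the adjacent dword pairs that match a known PID followed by one of that process's TIDs, which filters out the false matches you get when you eyeball the dump. The `dd` text, the thread table and the PID-before-TID order are assumptions constructed for the example.

```python
"""Scan WinDbg `dd` output for adjacent (PID, TID) dword pairs."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of what `dd` around the LRPC_CCALL object might print.
# Every value here is made up; 0x47c / 0xa94 play the role of the server
# process and thread the dumped thread was calling into.
SAMPLE_DD_OUTPUT = """\
0:000> dd 01c27828 L14
01c27828  00000000 01c27848 00000000 00000000
01c27838  77e7a33e 00000003 0000047c 00000a94
01c27848  00000001 0000047c 00000a94 deadbeef
01c27858  00000000 0000047c 00001234 00000000
01c27868  ???????? ???????? ???????? ????????
"""

# Constructed process table, the kind of thing you copy out of `!tlist`,
# `~` on an attached process, or Task Manager: pid -> set of thread ids.
KNOWN_THREADS: Dict[int, Set[int]] = {
    0x47c: {0xa94, 0xb10},
    0x1a8: {0x1f0},
}


def _is_hex8(tok: str) -> bool:
    return len(tok) == 8 and all(c in "0123456789abcdefABCDEF" for c in tok)


def parse_dd(text: str) -> List[Tuple[int, Optional[int]]]:
    """Turn `dd` text into a flat list of (address, dword).

    Prompt lines and anything that is not 'addr  dw dw dw dw' are skipped.
    Unreadable memory, which `dd` prints as ????????, becomes None so the
    address arithmetic stays correct across the gap.
    """
    words: List[Tuple[int, Optional[int]]] = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or not _is_hex8(toks[0]):
            continue
        base = int(toks[0], 16)
        for i, tok in enumerate(toks[1:]):
            if tok == "????????":
                words.append((base + 4 * i, None))
            elif _is_hex8(tok):
                words.append((base + 4 * i, int(tok, 16)))
            else:
                break  # trailing junk on the line, stop here
    return words


def find_pid_tid_pairs(
    words: List[Tuple[int, Optional[int]]], known: Dict[int, Set[int]]
) -> List[Tuple[int, int, int]]:
    """Return (address, pid, tid) for every pair of consecutive dwords where
    the first is a known PID and the second is a TID of that same process.

    Adjacency is over the flat word list, so a pair that straddles a `dd`
    line break is still found. Assumption: PID is stored before TID.
    """
    hits: List[Tuple[int, int, int]] = []
    for (addr, a), (_, b) in zip(words, words[1:]):
        if a is None or b is None:
            continue
        if a in known and b in known[a]:
            hits.append((addr, a, b))
    return hits


if __name__ == "__main__":
    for addr, pid, tid in find_pid_tid_pairs(parse_dd(SAMPLE_DD_OUTPUT), KNOWN_THREADS):
        print(f"{addr:08x}: pid {pid:#x} tid {tid:#x}")
```

Requiring the TID to belong to the matched PID is what makes this usable: in the sample the 0x47c at 01c2785c is followed by 0x1234, which is not one of that process's threads, so it is not reported, while the two genuine pairs are.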
good luck,
Marc
"JR" <justin...@gmail.com> wrote in message
news:44278ee9-e4ec-490e...@f40g2000pri.googlegroups.com...
Thank you for the reply. I have the book you referenced and I have
read chapter 8. They have a kernel mode or complete memory dump for
those examples. It's rather easy when you have a kernel dump and can
use the !lpc command. I am trying to do it with a user mode memory
dump. That chapter also describes how to get the information with
rpcexts.dll commands. I'm looking for that PID/TID data in a structure
that is currently on the stack. Thanks again.
So based on that article I use this breakpoint to dump the PID data:
Bp ole32!CRpcChannelBuffer::SendReceive2 "r @$t0 = poi(poi(edi + 18)+8);? @$t0;g"
This works great. Now when I attach the debugger and set the bp I get
a list of the other PIDs that my exe calls in real time.
Is anyone else doing anything like this? I want to make sure I am
using the right function and that I won't be missing any out-of-process
COM calls.