
I start with WinDbg. In a "kernel debugger" session, I place myself in the context of a service (I chose audiosrv for my learning). I would like to disassemble a function that I easily identify with the "x" command. I use the "u" function with the name of the previously obtained function. But the "u" command reports an error.

1: kd> .process /i /p ffffb00787f23080
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
1: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff807`42225700 cc              int     3
1: kd> !process -1 0
PROCESS ffffb00787f23080
    SessionId: 0  Cid: 0ec4    Peb: 28a2e68000  ParentCid: 02f8
    DirBase: 14351b002  ObjectTable: ffff85843f652800  HandleCount: 302.
    Image: svchost-Copy.exe
1: kd> .reload

1: kd> x AUDIOSRVPOLICYMANAGER!lambda_578
00007ffc`977a3598 AUDIOSRVPOLICYMANAGER!wil::init_once_nothrow<<lambda_578ae89ec9d34aac4820f7673924a253> > (void)
00007ffc`977a445c AUDIOSRVPOLICYMANAGER!<lambda_578ae89ec9d34aac4820f7673924a253>::operator() (void)

1: kd> u 00007ffc977a445c
AUDIOSRVPOLICYMANAGER!<lambda_578ae89ec9d34aac4820f7673924a253>::operator():
00007ffc`977a445c 48894c2408      mov     qword ptr [rsp+8],rcx
00007ffc`977a4461 55              push    rbp
00007ffc`977a4462 53              push    rbx
00007ffc`977a4463 56              push    rsi
00007ffc`977a4464 57              push    rdi
00007ffc`977a4465 4156            push    r14
00007ffc`977a4467 488bec          mov     rbp,rsp
00007ffc`977a446a 4881ec80000000  sub     rsp,80h
1: kd> u AUDIOSRVPOLICYMANAGER!<lambda_578ae89ec9d34aac4820f7673924a253>::operator()
Syntax error at 'AUDIOSRVPOLICYMANAGER!<lambda_578ae89ec9d34aac4820f7673924a253>::operator()'

IDA says: "lambda_578ae89ec9d34aac4820f7673924a253__operator_"

I also tried this:

1: kd> u  AUDIOSRVPOLICYMANAGER!_lambda_578ae89ec9d34aac4820f7673924a253__operator__
Couldn't resolve error at 'AUDIOSRVPOLICYMANAGER!_lambda_578ae89ec9d34aac4820f7673924a253__operator__'

Why does the "u" command fail while the "x" command displays the function name?

PS: I can't make a correct layout. Sorry.

blabb
NoelBlanc
  • I want to mark "accepted" but I can't find the icon to click. Please, point it to me. – NoelBlanc Mar 13 '23 at 08:33
  • The reason you won't see the button is it seems you've posted the question from a different account. See the following for instructions on how to get your two accounts merged: https://reverseengineering.stackexchange.com/help/merging-accounts – PeterJ Mar 13 '23 at 08:53

1 Answer


Use @! before the symbol. See breakpoint syntax.
Enclose the symbol in double quotes.
Do not use the overloaded parameters; use only the bare function name. In the example below I have omitted void() and the space.

0: kd> x audiosrv!<*598*
00007ffd`e3d5dedc audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator() (void)
0: kd> u @!"audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator()"
audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator():
00007ffd`e3d5dedc 48894c2408      mov     qword ptr [rsp+8],rcx
00007ffd`e3d5dee1 53              push    rbx
00007ffd`e3d5dee2 4883ec20        sub     rsp,20h
00007ffd`e3d5dee6 488364243000    and     qword ptr [rsp+30h],0
00007ffd`e3d5deec 488bca          mov     rcx,rdx
00007ffd`e3d5deef 488d542430      lea     rdx,[rsp+30h]
00007ffd`e3d5def4 e8d3f4ffff      call    audiosrv!Microsoft::WRL::WeakRef::As<IInspectable> (00007ffd`e3d5d3cc)
00007ffd`e3d5def9 488b4c2430      mov     rcx,qword ptr [rsp+30h]

A lambda is an ambiguous location. If possible, use the address instead of the long-winded symbol string.

0: kd> ln @!"audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator()"
Browse module
Set bu breakpoint

(00007ffd`e3d5dedc)   audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator()   |  (00007ffd`e3d5df34)   audiosrv!<lambda_da2549763b2484cb2cd636c002fd2274>::operator()
Exact matches:
    audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator() (void)
    audiosrv!<lambda_92c40f897d3a9c7e927f302002ea2ff3>::operator() (void)
    audiosrv!<lambda_b3a8f3052f5fb17079f668791b666c16>::operator() (void)
    audiosrv!<lambda_ce21942885de90a1a6198292e021f395>::operator() (void)
    audiosrv!<lambda_6721409c6d8d6be39a12e154768b61d2>::operator() (void)

Disassembly of the first two symbols will point to the same address.

0: kd> u @!"audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator()" l2
audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator():
00007ffd`e3d5dedc 48894c2408      mov     qword ptr [rsp+8],rcx
00007ffd`e3d5dee1 53              push    rbx
0: kd> u @!"audiosrv!<lambda_92c40f897d3a9c7e927f302002ea2ff3>::operator()" l2
audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator():
00007ffd`e3d5dedc 48894c2408      mov     qword ptr [rsp+8],rcx
00007ffd`e3d5dee1 53              push    rbx
sudhackar
blabb
  • Thank you very much. I missed this information about "u @!" because I lack good documentation on WinDbg... or because I'm not able to understand all the documentation. It doesn't matter. I'm still learning. – NoelBlanc Mar 11 '23 at 16:22
  • Mark it as accepted if you find the answer useful; marking removes the query from the unanswered list and improves the site. – blabb Mar 12 '23 at 03:30
  • I do the merge mechanism but I can't see the "accepted" button. – NoelBlanc Mar 13 '23 at 21:17
  • I can't mark "accepted". Why? How to do that? – NoelBlanc Mar 23 '23 at 11:17
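
The quoting rules from the answer, as an added example that is not part of the original thread: a Python helper that turns `x` output into `u` commands, once by address and once by quoted name with the parameter list dropped, and flags addresses that several lambda names share. The sample lines are constructed from addresses and names shown on this page, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample: `x`-style lines built from addresses and names shown on this page.
SAMPLE_X_OUTPUT = """\
00007ffd`e3d5dedc audiosrv!<lambda_9971db2eae47a9fe5413ed8c1598f1b0>::operator() (void)
00007ffd`e3d5dedc audiosrv!<lambda_92c40f897d3a9c7e927f302002ea2ff3>::operator() (void)
00007ffd`e3d5df34 audiosrv!<lambda_da2549763b2484cb2cd636c002fd2274>::operator() (void)
"""

X_LINE = re.compile(r"^\s*([0-9a-fA-F]+`[0-9a-fA-F]+|[0-9a-fA-F]+)\s+(\S+!.+?)\s*$")
TRAILING_PARAMS = re.compile(r"\s+\([^()]*\)$")


def parse_x_line(line):
    """Return (address, bare_symbol) for one line of `x` output, or None."""
    m = X_LINE.match(line)
    if not m:
        return None
    address, symbol = m.groups()
    # Drop only the parameter list that `x` appends after a space, e.g. " (void)";
    # the "()" that belongs to "operator()" has no space before it and is kept.
    return address, TRAILING_PARAMS.sub("", symbol)


def quoted(symbol):
    """Wrap a symbol as @!"..." so the expression parser takes it as one name."""
    return '@!"%s"' % symbol


def plan_disassembly(x_output):
    """Group symbols by address and build `u` commands for each distinct address."""
    by_addr = OrderedDict()
    for line in x_output.splitlines():
        parsed = parse_x_line(line)
        if parsed:
            by_addr.setdefault(parsed[0], []).append(parsed[1])
    return [
        {
            "by_address": "u " + addr,
            "by_name": "u " + quoted(names[0]),
            "names": names,
            "shared": len(names) > 1,  # several names resolve to this one address
        }
        for addr, names in by_addr.items()
    ]


if __name__ == "__main__":
    for entry in plan_disassembly(SAMPLE_X_OUTPUT):
        print(entry["by_address"], "#", len(entry["names"]), "name(s)")
        print(entry["by_name"])
```

Where `shared` is true, the address form is the unambiguous one, since the debugger labels the disassembly with a single name regardless of which alias was typed.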