Thursday, October 14, 2010

Windbg, Script to Extract All HttpRequest URLs of a memory dump

Case: you get a dump from a live production server (one that has a performance problem affecting real customers), and the first thing you want is a list of all the requests the server was handling at the moment the dump was taken.

Here is a how-to.

# List all requests

0:030> !DumpHeap -type System.Web.HttpRequest  -short
026a0a78
026d6510
026da4dc
0676ea70
0a6dad80
0a6dd820
0a8044d0
0a805efc
0a808d88
0a810c04
0e72b648
0e76e80c
0e76f228
0e7707ec
0e7780bc
0e77ebb0


Here we get the addresses of the HttpRequest objects. Let's pick one of them, e.g. 0e77ebb0, and dump it.
# Dump the HttpRequest object

0:030> !do 0e77ebb0
Name: System.Web.HttpRequest
MethodTable: 6614c58c
EEClass: 65f50b50
Size: 172(0xac) bytes
(C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll)
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
6614e9b8  4001079        4 ...HttpWorkerRequest  0 instance 0e77e3ec _wr
6614ab4c  400107a        8 ...m.Web.HttpContext  0 instance 0e77eaf0 _context
793308ec  400107b        c        System.String  0 instance 0e77e61c _httpMethod
66126cf0  400107c       98         System.Int32  1 instance        2 _httpVerb
793308ec  400107d       10        System.String  0 instance 00000000 _requestType
6614776c  400107e       14 ...m.Web.VirtualPath  0 instance 0e77f92c _path
793308ec  400107f       18        System.String  0 instance 00000000 _rewrittenUrl
793043b8  4001080       a0       System.Boolean  1 instance        0 _computePathInfo
6614776c  4001081       1c ...m.Web.VirtualPath  0 instance 0e77ed34 _filePath
6614776c  4001082       20 ...m.Web.VirtualPath  0 instance 00000000 _currentExecutionFilePath
6614776c  4001083       24 ...m.Web.VirtualPath  0 instance 00000000 _pathInfo
793308ec  4001084       28        System.String  0 instance 0e781028 _queryStringText
793043b8  4001085       a1       System.Boolean  1 instance        0 _queryStringOverriden
7933335c  4001086       2c        System.Byte[]  0 instance 0e780e00 _queryStringBytes
793308ec  4001087       30        System.String  0 instance 0e77e670 _pathTranslated
793308ec  4001088       34        System.String  0 instance 00000000 _contentType
79332b38  4001089       9c         System.Int32  1 instance       -1 _contentLength
793308ec  400108a       38        System.String  0 instance 00000000 _clientTarget
793040bc  400108b       3c      System.Object[]  0 instance 00000000 _acceptTypes
793040bc  400108c       40      System.Object[]  0 instance 00000000 _userLanguages
660fe570  400108d       44 ...owserCapabilities  0 instance 0a7f9178 _browsercaps
7a5ec77c  400108e       48           System.Uri  0 instance 0e7810bc _url
7a5ec77c  400108f       4c           System.Uri  0 instance 00000000 _referrer
66153a28  4001090       50 ...b.HttpInputStream  0 instance 00000000 _inputStream
660fefa4  4001091       54 ...ClientCertificate  0 instance 00000000 _clientCertificate
79328f08  4001092       58 ...l.WindowsIdentity  0 instance 00000000 _logonUserIdentity
660fe224  4001093       5c ...tpValueCollection  0 instance 00000000 _params
660fe224  4001094       60 ...tpValueCollection  0 instance 0e780e10 _queryString
660fe224  4001095       64 ...tpValueCollection  0 instance 00000000 _form
66153264  4001096       68 ...pHeaderCollection  0 instance 00000000 _headers
660fe2f4  4001097       6c ...verVarsCollection  0 instance 00000000 _serverVariables
661519e4  4001098       70 ...pCookieCollection  0 instance 00000000 _cookies
66119620  4001099       74 ...ttpFileCollection  0 instance 00000000 _files
66153618  400109a       78 ...awUploadedContent  0 instance 00000000 _rawContent
793043b8  400109b       a2       System.Boolean  1 instance        0 _readEntityBody
793040bc  400109c       7c      System.Object[]  0 instance 00000000 _multipartContentElements
7933325c  400109d       80 System.Text.Encoding  0 instance 06698c34 _encoding
66113a6c  400109e       84 ...treamFilterSource  0 instance 00000000 _filterSource
7932e5e8  400109f       88     System.IO.Stream  0 instance 00000000 _installedFilter
6610b028  40010a0       a4 ...SimpleBitVector32  1 instance 0e77ec54 _flags
793308ec  40010a3       8c        System.String  0 instance 00000000 _AnonymousId
6614776c  40010a4       90 ...m.Web.VirtualPath  0 instance 0e77ed34 _clientFilePath
6614776c  40010a5       94 ...m.Web.VirtualPath  0 instance 00000000 _clientBaseDir
79330508  40010a1       d8        System.Object  0   shared   static s_browserLock
    >> Domain:Value  000d5050:NotInit  000f8758:0a6c8f30 00157af8:0a6db934 <<
793043b8  40010a2      7e0       System.Boolean  1   shared   static s_browserCapsEvaled
    >> Domain:Value  000d5050:NotInit  000f8758:1 00157af8:1 <<


In this request (0e77ebb0) the _url field (type System.Uri, offset 0x48 in the table above) is not null: its value, 0e7810bc, is the address of the Uri object. The reference is stored at the request's base address plus the field offset, so you can read it straight from memory with dd 0e77ebb0+48 l 1:

0:030> dd 0e77ebb0 +48  l 1
0e77ebf8  0e7810bc

So the Uri address is simply the request's base address plus the field offset. Note that the offset 0x48 is specific to this build of System.Web (2.0.0.0, x86): field layout is not stable across versions, and on x64 every reference field is 8 bytes wide, so always re-read the offset from the !do output of the dump you are actually looking at.

Next, inspect the Uri object at 0e7810bc:

0:030> !do 0e7810bc
Name: System.Uri
MethodTable: 7a5ec77c
EEClass: 7a4554f8
Size: 40(0x28) bytes
(C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll)
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
793308ec  4001b52        c        System.String  0 instance 0e781110 m_String
793308ec  4001b53       10        System.String  0 instance 00000000 m_originalUnicodeString
7a5ec934  4001b54       14     System.UriParser  0 instance 0669fc44 m_Syntax
793308ec  4001b55       18        System.String  0 instance 00000000 m_DnsSafeHost
7aa1303c  4001b56        4        System.UInt64  1 instance 37624152064 m_Flags
7a5ec9fc  4001b57       1c   System.Uri+UriInfo  0 instance 0e78117c m_Info
793043b8  4001b58       20       System.Boolean  1 instance        0 m_iriParsing
793308ec  4001b47      644        System.String  0   shared   static UriSchemeFile
    >> Domain:Value  000d5050:NotInit  000f8758:0e6a1434 00157af8:0e6a1434 <<
793308ec  4001b48      648        System.String  0   shared   static UriSchemeFtp
    >> Domain:Value  000d5050:NotInit  000f8758:0e6a141c 00157af8:0e6a141c <<
793308ec  4001b49      64c        System.String  0   shared   static UriSchemeGopher
    >> Domain:Value  000d5050:NotInit  000f8758:0e6a1450 00157af8:0e6a1450 <<
793308ec  4001b4a      650        System.String  0   shared   static UriSchemeHttp
    >> Domain:Value  000d5050:NotInit  000f8758:0e6a13e4 00157af8:0e6a13e4 <<
793308ec  4001b4b      654        System.String  0   shared   static UriSchemeHttps
    >> Domain:Value  000d5050:NotInit  000f8758:0e6a1400 00157af8:0e6a1400 <<


The URL text lives in the m_String field (offset 0xc), at 0e781110, so dump that object next (its address is the Uri base address + 0xc):

0:030> !do 0e781110
Name: System.String
MethodTable: 793308ec
EEClass: 790ed64c
Size: 106(0x6a) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: http://localhost:88/WebSite/Default.aspx?q=1
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
79332b38  4000096        4         System.Int32  1 instance       45 m_arrayLength
79332b38  4000097        8         System.Int32  1 instance       44 m_stringLength
793315cc  4000098        c          System.Char  1 instance       68 m_firstChar
793308ec  4000099       10        System.String  0   shared   static Empty
    >> Domain:Value  000d5050:0a6901d0 000f8758:0a6901d0 00157af8:0a6901d0 <<
7933151c  400009a       14        System.Char[]  0   shared   static WhitespaceChars
    >> Domain:Value  000d5050:0a690728 000f8758:0e690a0c 00157af8:02697aac <<



Here we get the URL. The whole chain is: take the HttpRequest address, read the pointer at offset 0x48 to get the Uri address B, read the pointer at B+0xc to get the String object, and dump the string.

We can put all of this into one .foreach command. The inner .foreach with /pS 1 skips the first token of each dd output line (the address column), so ${a} is the pointer value, i.e. the Uri address. Two things to keep in mind: !DumpHeap -type is a substring match, so it also picks up any other type whose name contains System.Web.HttpRequest (use -mt 6614c58c, the MethodTable printed by !do, to match only HttpRequest itself), and !DumpHeap walks every object on the managed heap, including requests that have already finished but have not been garbage-collected yet, so not every entry is necessarily still in flight.

0:030> .foreach   (req {!DumpHeap -type System.Web.HttpRequest -short}) { .foreach /pS 1 (a {dd ${req}+48  l 1}) {.echo ${a}; !do poi(${a}+c)} }
026d342c
Name: System.String
MethodTable: 793308ec
EEClass: 790ed64c
Size: 106(0x6a) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: http://localhost:88/WebSite/Default.aspx?q=1
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
79332b38  4000096        4         System.Int32  1 instance       45 m_arrayLength
79332b38  4000097        8         System.Int32  1 instance       44 m_stringLength
793315cc  4000098        c          System.Char  1 instance       68 m_firstChar
793308ec  4000099       10        System.String  0   shared   static Empty
    >> Domain:Value  000d5050:0a6901d0 000f8758:0a6901d0 00157af8:0a6901d0 <<
7933151c  400009a       14        System.Char[]  0   shared   static WhitespaceChars
    >> Domain:Value  000d5050:0a690728 000f8758:0e690a0c 00157af8:02697aac <<
00000000
Invalid parameter poi(00000000+c)
026dc358
Name: System.String
MethodTable: 793308ec
EEClass: 790ed64c
Size: 106(0x6a) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: http://localhost:88/WebSite/Default.aspx?q=3
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
79332b38  4000096        4         System.Int32  1 instance       45 m_arrayLength
79332b38  4000097        8         System.Int32  1 instance       44 m_stringLength
793315cc  4000098        c          System.Char  1 instance       68 m_firstChar
793308ec  4000099       10        System.String  0   shared   static Empty
    >> Domain:Value  000d5050:0a6901d0 000f8758:0a6901d0 00157af8:0a6901d0 <<
7933151c  400009a       14        System.Char[]  0   shared   static WhitespaceChars
    >> Domain:Value  000d5050:0a690728 000f8758:0e690a0c 00157af8:02697aac <<
067705a8
Name: System.String
MethodTable: 793308ec
EEClass: 790ed64c
Size: 98(0x62) bytes


Here we get all the request URLs.
if you get errors like

00000000
Invalid parameter poi(00000000+c)
00000000
Invalid parameter poi(00000000+c)
00000000
Invalid parameter poi(00000000+c)
00000000
Invalid parameter poi(00000000+c)

that means _url is null for that request. HttpRequest.Url is built lazily from the worker request (the _wr field) the first time the application reads Request.Url, so if the application never touched it there is no Uri object to dump. In that case fall back to the raw pieces the request does hold: _path (a VirtualPath at offset 0x14) and _queryStringText (a String at offset 0x28).
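A tightened version of the script, as an added example that is not part of the original post: it matches on the MethodTable instead of the substring type name, prints one line per request (via .printf %mu, which prints a null-terminated Unicode string at an address) instead of the whole !do dump, and handles the null _url case by printing the _path object address and the _queryStringText string instead. All offsets (0x48, 0xc, 0x14, 0x28) and the MethodTable 6614c58c are the x86 .NET 2.0 values shown in the dumps above and must be re-read from !do on any other build; the file name is arbitrary.

```windbg
$$ dump-request-urls.wds  (added example, not from the original post)
$$ Run inside WinDbg with SOS loaded:   $$><c:\scripts\dump-request-urls.wds
$$ ($$>< joins the lines with ';', so the block can span several lines.)
$$
$$ Assumed layout (x86, System.Web 2.0.0.0, taken from the !do output above):
$$   HttpRequest._url              +0x48   (System.Uri)
$$   HttpRequest._path             +0x14   (System.Web.VirtualPath)
$$   HttpRequest._queryStringText  +0x28   (System.String)
$$   Uri.m_String                  +0xc    (System.String)
$$   String.m_firstChar            +0xc    (first UTF-16 char, null-terminated)
$$ 6614c58c is the HttpRequest MethodTable from the same dump; -mt matches
$$ exactly that type, whereas -type would also match e.g. ...HttpRequest* names.
.foreach (req {!DumpHeap -mt 6614c58c -short})
{
    .if (poi(${req}+48) != 0)
    {
        $$ request -> Uri -> m_String -> characters
        .printf "%p  %mu\n", ${req}, poi(poi(${req}+48)+c)+c
    }
    .else
    {
        $$ Request.Url was never read, so no Uri exists yet: show what is there.
        .printf "%p  _url is null; _path (VirtualPath) at %p", ${req}, poi(${req}+14);
        .if (poi(${req}+28) != 0) { .printf "  query: %mu", poi(poi(${req}+28)+c)+c };
        .printf "\n"
    }
}
```

Because the heap walk also returns finished requests that the GC has not collected yet, treat the list as "requests that existed recently", and confirm any suspicious one with !gcroot before concluding it was in flight.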

