OpenDTrace - Windows

The program to be traced

This is the source code for the program to be traced. As always, when experimenting with something new, I try to make the example as short as possibly: only two functions are called: MessageBoxA and ExitProcess.

The program does not need the C library, therefore I link it with /NODEFAULTLIB and have to specify the entry point with /ENTRY.

//
//   cl /nologo /W4 /wd4100 /GS- MessageBox.c /link /nodefaultlib /entry:start /subsystem:Windows user32.lib kernel32.lib
//

#include <windows.h>

int start(void* PEB) {

   char  arg1[100];
   char* arg2 = "The title";


   wsprintfA(arg1,
     "arg1 = %I64d\n"
     "arg2 = %I64d"  , arg1, arg2);

   MessageBoxA(0, arg1, arg2, 0);

   ExitProcess(0);
}

Github repository about-DTrace, path: /Windows/MessageBox/MessageBox.c

The script

The following script catches the call to MessageBox and prints the addresses of the two string parameters (arg1 and arg2).

BEGIN {
  printf("execname = %s\n", execname);
}

pid$target:USER32:MessageBoxA:entry 
 /* /arg2 != 0/ */
{

/* 
   Did not work!

   printf("%s\n", copyinstr(args[1]) );

*/

   printf("arg1 = %d, arg2 = %d\n", arg1, arg2);
}

END {}

Github repository about-DTrace, path: /Windows/MessageBox/trace.d

Unfortunately, I was unable to use copyinstr() to printf the string that was passed to the MessageBox.

Running the script

dtrace -c MessageBox.exe -s trace.d

The script's output shows that it correctly determines the values of the addresses that are passed to MessageBox: