Changes

2,442 bytes added ,  00:53, 23 January 2015
no edit summary
Line 1,038: Line 1,038:  
| u32[2]
 
| u32[2]
 
| Unknown/padding
 
| Unknown/padding
 +
|}
 +
 +
== struct DebugEventInfo ==
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u32
 +
| Event type
 +
|-
 +
| u32
 +
| Thread ID (not used in all events)
 +
|-
 +
| u32[2]
 +
| Unknown/padding
 +
|-
 +
| u32[6]
 +
| Event-specific data (see below)
 +
|}
 +
 +
{| class="wikitable" border="1"
 +
!  Event type
 +
!  Id
 +
|-
 +
| PROCESS
 +
| 0
 +
|-
 +
| CREATE THREAD
 +
| 1
 +
|-
 +
| EXIT THREAD
 +
| 2
 +
|-
 +
| EXIT PROCESS
 +
| 3
 +
|-
 +
| EXCEPTION
 +
| 4
 +
|-
 +
| DLL LOAD
 +
| 5
 +
|-
 +
| DLL UNLOAD
 +
| 6
 +
|-
 +
| SCHEDULE IN
 +
| 7
 +
|-
 +
| SCHEDULE OUT
 +
| 8
 +
|-
 +
| SYSCALL IN
 +
| 9
 +
|-
 +
| SYSCALL OUT
 +
| 10
 +
|-
 +
| OUTPUT STRING
 +
| 11
 +
|-
 +
| MAP
 +
| 12
 +
|}
 +
 +
=== PROCESS event ===
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u64
 +
| Program ID
 +
|-
 +
| char[8]
 +
| Process name
 +
|-
 +
| u32
 +
| Process ID
 +
|-
 +
| u32
 +
| 0 = newly created process, 1 = attached process
 +
|}
 +
 +
=== CREATE THREAD event ===
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u32
 +
| Creator thread ID
 +
|-
 +
| u32
 +
| Base address (?)
 +
|-
 +
| u32
 +
| Entrypoint
 +
|}
 +
 +
=== EXIT THREAD/PROCESS events ===
 +
 +
A single u32 reason field is used.
 +
 +
Thread exit reasons:
 +
{| class="wikitable" border="1"
 +
!  Reason
 +
!  Id
 +
|-
 +
| (None)
 +
| 0
 +
|-
 +
| TERMINATE
 +
| 1
 +
|-
 +
| EXIT PROCESS
 +
| 2
 +
|-
 +
| TERMINATE PROCESS
 +
| 3
 +
|}
 +
 +
Process exit reasons:
 +
{| class="wikitable" border="1"
 +
!  Reason
 +
!  Id
 +
|-
 +
| (None)
 +
| 0
 +
|-
 +
| TERMINATE
 +
| 1
 +
|-
 +
| UNHANDLED EXCEPTION
 +
| 2
 +
|}
 +
 +
=== EXCEPTION event ===
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u32
 +
| Exception type
 +
|-
 +
| u32
 +
| Exception address
 +
|-
 +
| u32
 +
| Argument (type-specific)
 +
|}
 +
 +
Exception types:
 +
{| class="wikitable" border="1"
 +
!  Reason
 +
!  Id
 +
!  Argument
 +
|-
 +
| UNDEFINED INSTRUCTION
 +
| 0
 +
| (None)
 +
|-
 +
| (Unknown)
 +
| 1
 +
| (None)
 +
|-
 +
| (Unknown, mem-related)
 +
| 2
 +
| Address
 +
|-
 +
| (Unknown, mem-related)
 +
| 3
 +
| Address
 +
|-
 +
| ATTACH BREAK
 +
| 4
 +
| (None)
 +
|-
 +
| BREAKPOINT
 +
| 5
 +
| (None)
 +
|-
 +
| USER BREAK
 +
| 6
 +
| User break type
 +
|-
 +
| DEBUGGER BREAK
 +
| 7
 +
| (None)
 +
|-
 +
| UNDEFINED SYSCALL
 +
| 8
 +
| Attempted syscall ID
 +
|}
 +
 +
User break types:
 +
{| class="wikitable" border="1"
 +
!  Reason
 +
!  Id
 +
|-
 +
| PANIC
 +
| 0
 +
|-
 +
| ASSERT
 +
| 1
 +
|-
 +
| USER
 +
| 2
 +
|}
 +
 +
=== SCHEDULER/SYSCALL IN/OUT events ===
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u64
 +
| Clock tick
 +
|-
 +
| u32
 +
| Syscall (only for SYSCALL events)
 +
|}
 +
 +
=== OUTPUT STRING event ===
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u32
 +
| String address
 +
|-
 +
| u32
 +
| String size
 +
|}
 +
 +
=== MAP event ===
 +
 +
{| class="wikitable" border="1"
 +
!  Type
 +
!  Field
 +
|-
 +
| u32
 +
| Mapped address
 +
|-
 +
| u32
 +
| Mapped size
 +
|-
 +
| u32
 +
| MemoryPermission
 +
|-
 +
| u32
 +
| MemoryState
 
|}
 
|}