If you have been reading so far and thinking “What? C# and EnScript? When did this happen?”, check out this one for a little intro. My goal in this post is to show you how to debug your C# code while EnScript is calling it. Yes! You can do that!
Debugging in EnScript
First, let’s have a quick review of debugging your EnScript code inside EnCase. The default operation when in the IDE is to debug: that is what the start button and its assigned F5 shortcut do.
If I have a problem to debug in the EnScript code, I just set a breakpoint by clicking next to the line where I want to stop. You can see my breakpoint on line 7, with the yellow arrow on top of it showing that this line is about to be executed.
Line 8 contains a function that I am bringing in from my C# DLL mentioned on the first line. If I use Step Into over my EnScript code, it will walk down the lines here without digging into the C# code. EnCase doesn’t have the source code; Visual Studio does.
Connecting Visual Studio Debugger
To get to the source code of the C# project, we need to connect EnCase and Visual Studio together. It is fairly simple, but it is not something I realized was possible until one of our developers showed me a couple years ago. I am finally getting to write this to share with all of you.
First thing is that you need to have a project written and
built. Make sure the output type is Class
Library.
Use the build menu to create the DLL file. This file needs
to be placed beside the EnScript source code, so copy it over there.
Put the assembly command in the EnScript code, and make sure
it compiles. This is important to do, because the compile process is what reads
into the DLL file to load all the symbols.
You can confirm the DLL stuff was loaded by viewing the
Class Browser. In there you should find a bunch of things mentioned about
DotNet, but you should also find your project namespace, public classes, and
public functions in there.
Once you have compiled successfully, the symbols are loaded
and ready to go. Go back into Visual Studio and use the Debug menu drop down to find the Attach to Process option.
In the window that pops up, find the EnCase.exe process and click the Attach button.
Visual Studio is now in a paused state waiting for control to come over. To get the debugger in Visual Studio to trip, you have to set a breakpoint on code in C#. Otherwise the code will just execute without stopping.
Hit the start button in EnCase, and wait for your C#
breakpoint.
Tips
#1 File Lock
There is a complexity with the integration of EnCase and the
.NET stuff. The bridge between managed and unmanaged code is not easy. Just ask
anyone who has called into unmanaged/native DLLs from C#.
The only way to release the lock is to exit EnCase entirely. Use the Save
All option and it will be easier to open back up into your EnScript
project.
#2 Project Type
Because of the file lock, I typically start my projects as a Windows or Console Application. I put some basic test code inside the Program class and I add another class module to contain the code I intend to use in EnScript. This allows me to debug as much of the code natively inside Visual Studio as I can before bringing EnScript into the mix. Once I am comfortable with the code, I change the project type over to Class Library and start testing my code with EnScript.
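A minimal layout for the approach in tip #2, as an added example that is not the downloadable code from this post. The namespace, class and method names are hypothetical, and the FILETIME conversion is only a stand-in for whatever you intend to call from EnScript.

```csharp
using System;
using System.Globalization;

namespace EnScriptBridgeDemo   // hypothetical; the namespace is what appears in the Class Browser
{
    // The class intended for EnScript: public class, public method, and no
    // dependency on Program, so it is unchanged by the switch to Class Library.
    public class TimestampTools
    {
        // Converts a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an
        // ISO 8601 UTC string. Out-of-range values return "" so the caller
        // always gets a plain string back.
        public string FileTimeToIso(long fileTime)
        {
            try
            {
                return DateTime.FromFileTimeUtc(fileTime)
                               .ToString("o", CultureInfo.InvariantCulture);
            }
            catch (ArgumentOutOfRangeException)
            {
                return string.Empty;
            }
        }
    }

    // Test harness: only used while the output type is Console Application.
    internal static class Program
    {
        private static void Main()
        {
            var tools = new TimestampTools();
            // Constructed sample values, including both failure edges.
            Check(tools.FileTimeToIso(0), "1601-01-01T00:00:00.0000000Z");
            Check(tools.FileTimeToIso(116444736000000000), "1970-01-01T00:00:00.0000000Z");
            Check(tools.FileTimeToIso(-1), "");
            Check(tools.FileTimeToIso(long.MaxValue), "");
            Console.WriteLine("All checks passed.");
        }

        private static void Check(string actual, string expected)
        {
            if (actual != expected)
                throw new InvalidOperationException($"expected '{expected}', got '{actual}'");
        }
    }
}
```

Set breakpoints inside `FileTimeToIso` and run with F5 in Visual Studio while the project is still a Console Application; the same breakpoints are the ones that trip after you switch to Class Library and attach to EnCase.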
#3 Logging
You can get error messages logged from the .NET code (and other things), and direct them to the console in EnCase or to a file on your drive. You will find these options under the Tools dropdown, in the Options… menu item: go to the Debug tab and click the Show Logging button.
Closing
You can download my EnScript and C# code here to follow along in the screenshots. There is nothing amazing happening in that code, but you are welcome to use it in your forensic projects (with proper credit of course)…
I would love to see you attend the EnScript Programming course, and then we can talk face to face about the possibilities of this bridge.
Hit me up on Twitter or leave a comment below if you have
any questions. Thanks for reading!
James Habben