String comparison in Windbg script

Backend | Unresolved | 3 replies | 515 views
感情败类 · 2021-02-07 11:29

Using Windbg script I want to check the presence of a certain string in an argument of any function.

0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=0         
3 replies
  •  长发绾君心
     2021-02-07 12:12

    What's wrong with escaping ${MSG}?

    In the .if command you used, ${MSG} does not get replaced due to a missing $. Try searching for MSG as the proof:

    0:001> .if ($spat(@"${MSG}","*MSG*") == 0) {.echo NotFound} .else {.echo Found}
    Found
    

    It gets replaced in

    0:001> .if ($spat(${$MSG},"*hello*") == 0) {.echo NotFound} .else {.echo Found}
    Syntax error at '(Cannot find "hello","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
    

    but that is missing the quotation marks before Cannot. It also gets replaced in

    0:001> .if ($spat("${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
    Syntax error at '("Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
    

    but there, the quotation marks are closed by the quotation marks inside the string. Also, the @ symbol does not help:

    0:001> .if ($spat(@"${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
    Syntax error at '(@"Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
    

    So this is one of those cases where IMHO they forgot to consider escape characters in WinDbg. Very frustrating and always a source of errors.

    Solution with PyKD extension

    Luckily there is PyKD and the code to check for the string is

    >>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
    True
    

    reg("esp") gets the value of the ESP register. +8 adds 8 of course. ptrPtr() gets a pointer-sized value from that address. loadWStr() reads from that value until it hits a NUL character. "hello" in performs a find operation. You could also use .find("hello") >= 0 (find returns -1 when the substring is absent).

    Here's how I tried it:

    0:003> .dvalloc 2000
    Allocated 2000 bytes starting at 00470000
    0:003> eu 00470000 "Cannot find \"hello\""
    0:003> du 00470000 
    00470000  "Cannot find "hello""
    0:003> ep 00470000+1008 00470000 
    0:003> r esp=00470000+1000
    0:003> .load E:\debug\Extensions\pykd\x86\pykd.dll
    0:003> !pycmd
    Python 2.7.8 |Anaconda 2.1.0 (32-bit)| (default, Jul  2 2014, 15:13:35) [MSC v.1500 32 bit (Intel)] on win32
    Type "help", "copyright", "credits" or "license" for more information.
    (InteractiveConsole)
    >>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
    True
    >>> exit()
    

    You can put the following code into a .PY file

    from pykd import * 
    print "hello" in loadWStr(ptrPtr(reg("esp")+8))
    

    And then run it without the interactive console like this:

    0:003> !py e:\debug\hello.py
    True
    

    Solution with WinDbg

    In WinDbg, you need to get rid of the quotation marks. One way to do that is .foreach:

    0:001> .foreach (token {.echo $MSG}){.echo ${token}}
    Cannot
    find
    hello
    

    The output does not contain quotation marks any more. Let's assign this output to another alias:

    0:001> as /c NOQ .foreach (token {.echo ${$MSG}}){.echo ${token}}
    

    With this new alias, your command will work:

    0:001> .if ($spat("${NOQ}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
    Found
    
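The PyKD one-liner above checks exactly one argument at a fixed stack offset and will abort the breakpoint command if the pointer is NULL or unreadable. The following script is an added example, not code from the answer or from the PyKD project; it generalizes the same `reg` / `ptrPtr` / `loadWStr` technique to scan the first few stack arguments of the current function for a substring, treats NULL or unmapped pointers as "not found" instead of raising, and can also read ANSI strings via `loadCStr`. It assumes the x86 layout used in the answer ([esp] holds the return address at function entry, so argument N is at [esp+4*N]). When `pykd` is not importable it falls back to a constructed fake memory image that reproduces the answer's `.dvalloc` experiment, so it can be run and tested outside the debugger; the register-name, addresses and helper names are choices made for this example.

```python
from __future__ import print_function
import struct

try:
    import pykd  # only importable inside WinDbg after `.load pykd.dll`
except ImportError:
    pykd = None

PTR_SIZE = 4  # x86 target, matching the esp-based layout in the answer


class PykdMemory(object):
    """Reads the live target through pykd (used when running under !py)."""

    def reg(self, name):
        return pykd.reg(name)

    def ptr(self, addr):
        return pykd.ptrPtr(addr)

    def wstr(self, addr):
        return pykd.loadWStr(addr)

    def cstr(self, addr):
        return pykd.loadCStr(addr)


class FakeMemory(object):
    """Constructed stand-in for offline testing: a flat byte image mapped at
    `base` plus a register dictionary. Reads outside the image raise, the way
    an unreadable address does in the debugger."""

    def __init__(self, base, image, regs):
        self.base, self.image, self.regs = base, bytes(image), regs

    def reg(self, name):
        return self.regs[name]

    def _off(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.image):
            raise ValueError("unreadable address 0x%x" % addr)
        return off

    def ptr(self, addr):
        return struct.unpack_from("<I", self.image, self._off(addr, PTR_SIZE))[0]

    def wstr(self, addr):
        out, cur = [], addr  # read UTF-16LE code units until a NUL unit
        while True:
            unit = struct.unpack_from("<H", self.image, self._off(cur, 2))[0]
            if unit == 0:
                return b"".join(out).decode("utf-16-le")
            out.append(struct.pack("<H", unit))
            cur += 2

    def cstr(self, addr):
        out, cur = [], addr  # read single bytes until a NUL byte
        while True:
            o = self._off(cur, 1)
            ch = self.image[o:o + 1]
            if ch == b"\x00":
                return b"".join(out).decode("latin-1")
            out.append(ch)
            cur += 1


def arg_contains(mem, arg_index, needle, wide=True):
    """True if the string pointed to by stack argument `arg_index` (1-based;
    [esp+4] is argument 1 at function entry) contains `needle`. A NULL or
    unreadable pointer yields False instead of aborting the breakpoint command."""
    slot = mem.reg("esp") + arg_index * PTR_SIZE
    try:
        target = mem.ptr(slot)
        if target == 0:
            return False
        text = mem.wstr(target) if wide else mem.cstr(target)
    except Exception:  # pykd raises on unreadable memory; FakeMemory raises ValueError
        return False
    return needle in text


def args_containing(mem, needle, max_args=4, wide=True):
    """Indices of the first `max_args` stack arguments whose string contains `needle`."""
    return [i for i in range(1, max_args + 1) if arg_contains(mem, i, needle, wide)]


def build_demo_memory():
    """Reproduce the answer's .dvalloc experiment as a constructed image: the wide
    string at 0x00470000, esp at 0x00471000, [esp+8] pointing at the string."""
    base = 0x00470000
    image = bytearray(0x2000)
    text = u'Cannot find "hello"'.encode("utf-16-le") + b"\x00\x00"
    image[0:len(text)] = text
    esp = base + 0x1000
    struct.pack_into("<IIII", image, esp - base,
                     0x00401000,  # [esp]   return address (arbitrary constructed value)
                     0,           # [esp+4] argument 1: NULL pointer
                     base,        # [esp+8] argument 2: pointer to the wide string
                     0xDEADBEEF)  # [esp+c] argument 3: pointer into unmapped memory
    return FakeMemory(base, image, {"esp": esp})


if __name__ == "__main__":
    mem = PykdMemory() if pykd else build_demo_memory()
    print(args_containing(mem, u"hello"))  # offline demo prints [2]
```

Inside WinDbg the script runs the same way as the answer's hello.py (`!py <path>`), so it can be attached to a breakpoint command; because every failure path returns False rather than raising, a hit on a function whose argument is not a string pointer does not stop the debugger. Use `wide=False` for functions that take ANSI strings.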
