Using a WinDbg script, I want to check for the presence of a certain string in an argument of any function.
0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=0
From the comments:
Let's see if I get any WDS based answer.
Hard to believe that you want to go the long tramp. But ok, here it is, the WinDbg built-in solution:
r $t9=1;.foreach /ps fffff (endaddr {s -[1]w 00570000 L1000 0}) {.foreach /ps fffff (findaddr {s -[1]u 00570000 ${endaddr} "hello"}) {r $t9=2} }; .if (@$t9==2) { .echo "Found"} .else {.echo "Not Found"}
What does it do? Well, I leave that as an exercise to you; spoilers below.
r $t9=1;
sets the T9 pseudo register to a defined value so that it is not accidentally equal to the value used for comparison later.
s -[1]w 00570000 L1000 0
does a memory search for a DWORD (w) of value 0, which is equal to a Unicode end of string. [1] limits the output to the address only.
.foreach /ps fffff (endaddr { ... }) {...};
assigns the address to the endaddr variable. /ps fffff skips other findings if there are many.
s -[1]u 00570000 ${endaddr} "hello"
does a memory search, this time for a Unicode string (u), also limiting to address output ([1]).
.foreach /ps fffff (findaddr {...}) {...}
takes the output of the search. The findaddr variable is unused here but might be useful in the final command, depending on what you're trying to achieve.
r $t9=2
changes the T9 pseudo register to a value indicating that the search term was found.
.if (@$t9==2) { ... } .else { ... }
does something based on the T9 pseudo register.
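The answer's script searches a fixed address range. The question asked about a function argument, so the following is an added example (not part of the question or the answer above) that applies the same two-step technique, first locate the terminating zero, then search only up to it, to the buffer that a function's first argument points to, from inside a breakpoint command. It assumes a 32-bit target where the first argument sits at @esp+4 on function entry and is a pointer to a NUL-terminated UTF-16 string; kernel32!CreateFileW is used as a stand-in for whatever function you actually care about, and the L100 bound on the terminator search is a constructed limit.

```windbg
$$ Added example, not from the original question or answer.
$$ Assumption: 32-bit target, first argument at @esp+4 is an LPCWSTR.
$$ Assumption: kernel32!CreateFileW stands in for the function of interest.
$$ The pattern 68 65 6c 6c 6f is the UTF-16 code units of "hello", given as
$$ hex WORDs so that no nested quotes are needed inside the bp command string.
$$ L100 (hex) bounds the search for the string terminator; adjust to taste.
bp kernel32!CreateFileW "r $t9=0; .foreach /ps fffff (endaddr {s -[1]w poi(@esp+4) L100 0}) { .foreach /ps fffff (hit {s -[1]w poi(@esp+4) ${endaddr} 68 65 6c 6c 6f}) { r $t9=1 } }; .if (@$t9==1) { .echo Found hello in first argument; du poi(@esp+4); kb } .else { gc }"
```

When the breakpoint is hit, the outer .foreach finds the first zero WORD after the argument pointer (the string terminator), the inner .foreach searches only the bytes before it, and $t9 records whether a match occurred. On a match the command dumps the string with du and prints the call stack; otherwise gc resumes execution, so calls whose argument does not contain the string are not interrupted. On a 64-bit target the first argument is in rcx, so replace poi(@esp+4) with @rcx.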