Windbg scripting assigning the result of a command

2019-09-21 07:34发布

站内问答 / 前沿技术
666 1 6

Regularly I need to investigate dumpfiles, always in the same way, and I'd like to automate this. I'm using Windbg as a tool, and I'm thinking of using Windbg scripting.

I have done some first attempts with PYKD, but I don't like the overhead that much, so I've opted for the standard Windbg scripting, but this is getting into a nightmare, let me show you what I want to do:

0:001> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`26272685 : ffffffff`fffffffe 00007ff7`06e563f0 00007ff7`00000000 0000005a`1fb6fd70 : user32!NtUserGetMessage+0xa
01 00007ff7`06d87596 : 00000000`00000008 00007ff7`06e5d048 00000000`00007c1c 0000005a`00000004 : user32!GetMessageW+0x25
02 00007ff7`06d87673 : 0000005a`1f2b3710 00007ff7`06e5c7d0 0000005a`1f2ac270 00000000`00000002 : <Application>!CServiceModule::Run+0x8ee [sourcefile.cpp @ 1905] 
03 00007ffc`26875ada : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : <Application>!CServiceModule::ServiceMain+0x63 [sourcefile.cpp @ 1379] 
04 00007ffc`26ef13d2 : 00007ffc`26875aa0 0000005a`1f2ac270 00000000`00000000 00000000`00000000 : sechost!ScSvcctrlThreadA+0x3a
05 00007ffc`270454f4 : 00007ffc`26ef13b0 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x22
06 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
0:001> dx Debugger.Sessions[0].Processes[26520].Threads[14812].Stack.Frames[2].SwitchTo();dv /t /v
// The second command "dx ..." happens by clicking on the DML link of the line, corresponding with the line, containing "CServiceModule::Run".

Now, how to do this in a Windbg script?

  1. Launch the kb command and put the result in a variable. (How to do that? I already tried using as and aS but neither seems to work)

  2. If I can't get the whole kb result in one variable, try to use a .foreach, as in following example:

    .foreach ( token { kb} ) 
{
 .printf "TEST\n"
}

    => even that is not working: kb has about 8 lines of results, while the word TEST is printed 78 times.

  3. Instead of printing the word "TEST", print the variable token and see what it looks like.
    => How to do that? I already tried .printf "%msu \n" , ${token}, or @$token, ... but nothing is working.

  4. Even if I get this working: how can I do string manipulation, decimal/hexadecimal number conversion, ...?

  5. Not to forget: how do I compile such a script? I'm currently trying to run the script in Windbg, which sometimes gives compilation errors, but those are very unreadable (I add a new line, causing a problem, but the complication error (not a typo) does not even mention that newly added line).

You might say: just have a look at the examples, mentioned under this URL, but I can't find one example of a standard Windbg command, being run, and have its result stored in a variable (which is the first thing I need to do).

In case I get my script working, I might turn this post into a general "Windbg scripting FAQ" for the mentioned (and newly added) questions.

Edit after first answer
I realise that I've mistaken with the kb command: the actual command I need to use is ~* k, giving following result:

enter image description here

(Small remark: I've just a screenshot, instead of a text copy, in order to emphasize the DML hyperlinks)

As you can see, there are some DML results, and I would like to "click" on the line, containing CServiceModule::Run. When I do this by hand, there seems to be a translation towards the following command:

dx Debugger.Sessions[0].Processes[26520].Threads[14812].Stack.Frames[2].SwitchTo()

Here 26520 is the HexToDec conversion of 6798,
and 14812 is the HexToDec conversion of 39DC.
(Both to be retrieved from the screenshot's Id: 6798.39dc)

So I "need" the string manipulation and the HexToDec conversion in order to simulate DML clicking. If, however, you know an easier way to do put this "click" action into a script, I'd very very thankful!

1条回答
Lonely孤独者°
2楼-- · 2019-09-21 07:55

for .foreach space is the delimiter this command is not meant for reading lines

if you want to print the token use it as is in a alias interpreter

0:001> kb
 # ChildEBP RetAddr  Args to Child              
00 0147fa44 7706f20f 7642d6f7 00000000 00000000 ntdll!DbgBreakPoint
01 0147fa74 75d1ed6c 00000000 0147fac0 770337eb ntdll!DbgUiRemoteBreakin+0x3c
02 0147fa80 770337eb 00000000 7642d643 00000000 kernel32!BaseThreadInitThunk+0xe
03 0147fac0 770337be 7706f1d3 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
04 0147fad8 00000000 7706f1d3 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:001> r $t0 =0 ;.foreach (token { kb } ) { r $t0 = @$t0+1 ; .printf "\"token\" %2d  ${token}\n" , @$t0 }
"token"  1  #
"token"  2  ChildEBP
"token"  3  RetAddr
"token"  4  Args
"token"  5  to
"token"  6  Child
"token"  7  00
"token"  8  0147fa44
"token"  9  7706f20f
"token" 10  7642d6f7
"token" 11  00000000
"token" 12  00000000
"token" 13  ntdll!DbgBreakPoint
"token" 14  01
"token" 15  0147fa74
"token" 16  75d1ed6c
"token" 17  00000000
"token" 18  0147fac0
"token" 19  770337eb
"token" 20  ntdll!DbgUiRemoteBreakin+0x3c
"token" 21  02
"token" 22  0147fa80
"token" 23  770337eb
"token" 24  00000000
"token" 25  7642d643
"token" 26  00000000
"token" 27  kernel32!BaseThreadInitThunk+0xe
"token" 28  03
"token" 29  0147fac0
"token" 30  770337be
"token" 31  7706f1d3
"token" 32  00000000
"token" 33  00000000
"token" 34  ntdll!__RtlUserThreadStart+0x70
"token" 35  04
"token" 36  0147fad8
"token" 37  00000000
"token" 38  7706f1d3
"token" 39  00000000
"token" 40  00000000
"token" 41  ntdll!_RtlUserThreadStart+0x1b

i do not understand your further queries so iam assuming your intent below

0:001> $$ putting the result of kb into a variable use javascript 
0:001> dx @$foo = Debugger.Utility.Control.ExecuteCommand("kb")
@$foo = Debugger.Utility.Control.ExecuteCommand("kb")                
    [0x0]            :  # ChildEBP RetAddr  Args to Child              
    [0x1]            : 00 0147fa44 7706f20f 7642d6f7 00000000 00000000 ntdll!DbgBreakPoint
    [0x2]            : 01 0147fa74 75d1ed6c 00000000 0147fac0 770337eb ntdll!DbgUiRemoteBreakin+0x3c
    [0x3]            : 02 0147fa80 770337eb 00000000 7642d643 00000000 kernel32!BaseThreadInitThunk+0xe
    [0x4]            : 03 0147fac0 770337be 7706f1d3 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
    [0x5]            : 04 0147fad8 00000000 7706f1d3 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:001> dx -r0 @$foo[1]
@$foo[1]         : 00 0147fa44 7706f20f 7642d6f7 00000000 00000000 ntdll!DbgBreakPoint
0:001> dx -r0 @$foo[2]
@$foo[2]         : 01 0147fa74 75d1ed6c 00000000 0147fac0 770337eb ntdll!DbgUiRemoteBreakin+0x3c

again i don't know what you want to convert to hex or dec
so assumption below
trying to dec a hex from stack as well uppercasing strings

a script like this 

function log(a1,a2) 
{ 
    host.diagnostics.debugLog(a1 +"    " +a2 + "\n"); 
}

function exec (cmdstr)
{
    return host.namespace.Debugger.Utility.Control.ExecuteCommand(cmdstr);    
}


function kbtok()
{
    var temp = exec("kb")
    for ( line of temp ) 
    {
        var token = line.split(" ")
        for (tok of token)
        {
            //log(tok)
            try {
                var num = host.parseInt64(tok,16)
                log(tok , num)                
            }
            catch(err) {
                log(tok.toUpperCase(), " ")
            }

        }
    }
}

using it like

.load jsprovider
.scriptload ---path----
dx @$scriptcontents.kbtok()

sample output for stack in first paragraph 

0:001> dx @$scriptContents.kbtok()

#     
CHILDEBP     
RETADDR     

ARGS     
TO     
CHILD 


00    0
013bfef4    20709108
7706f20f    1996943887
763ed3a7    1983828903
00000000    0
00000000    0
NTDLL!DBGBREAKPOINT     
01    1
013bff24    20709156
75d1ed6c    1976692076
00000000    0
013bff70    20709232
770337eb    1996699627
NTDLL!DBGUIREMOTEBREAKIN+0X3C     
02    2
013bff30    20709168
770337eb    1996699627
00000000    0
763ed3f3    1983828979
00000000    0
KERNEL32!BASETHREADINITTHUNK+0XE     
03    3
013bff70    20709232
770337be    1996699582
7706f1d3    1996943827
00000000    0
00000000    0
NTDLL!__RTLUSERTHREADSTART+0X70     
04    4
013bff88    20709256
00000000    0
7706f1d3    1996943827
00000000    0
00000000    0
NTDLL!_RTLUSERTHREADSTART+0X1B     
@$scriptContents.kbtok()

you do not compile a script scripts are interpreted

for a windbg script use $$>a< ---path to script----
for javascript use .scriptload command

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)