Getting Started with WinDbg Scripts and Extension Tools
I haven't written any articles for a long time. Recently I have been busy writing scripts and extension tools to improve the debuggability of my project. Given how powerful WinDbg is and how little material about it is available, I decided to write a series of articles on developing WinDbg scripts and extension commands. Your support is my greatest motivation, and I hope this series will be useful to you.
So what does a complete WinDbg script look like? Let's start with the following example:
$$ This script lists user processes and their stacks.
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
    .process @$t2
    .reload
    !process @$t2
}
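As an added example (not code from the original article), the following host-side C++ program models what the .for loop above computes: a constructed list of hypothetical FakeEprocess records linked behind a sentinel head, walked with the same two termination conditions and the same CONTAINING_RECORD offset math. It goes one step beyond the script by bounding the number of iterations, so a corrupted list that never returns to the head cannot hang the walk.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct LIST_ENTRY { LIST_ENTRY* Flink; LIST_ENTRY* Blink; };

// Hypothetical stand-in for nt!_EPROCESS; ActiveProcessLinks is deliberately not the first field.
struct FakeEprocess { uint32_t UniqueProcessId; LIST_ENTRY ActiveProcessLinks; };

// Same computation as the debugger's #CONTAINING_RECORD macro.
#define CONTAINING_RECORD(addr, type, field) \
    reinterpret_cast<const type*>(reinterpret_cast<const char*>(addr) - offsetof(type, field))

// Link every record into the circular list behind 'head', which plays nt!PsActiveProcessHead.
void BuildList(LIST_ENTRY& head, std::vector<FakeEprocess>& procs) {
    head.Flink = head.Blink = &head;
    for (auto& p : procs) {
        LIST_ENTRY* e = &p.ActiveProcessLinks;
        e->Blink = head.Blink;  e->Flink = &head;
        head.Blink->Flink = e;  head.Blink = e;
    }
}

// Mirrors: .for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
// maxIter is an extra guard the script lacks: a corrupted list that cycles without
// ever returning to the head would otherwise make the loop run forever.
std::vector<uint32_t> WalkActiveProcessList(const LIST_ENTRY* head, size_t maxIter = 100000) {
    std::vector<uint32_t> pids;                                            // PIDs visited, in list order
    const LIST_ENTRY* t1 = head->Flink;                                    // poi(@$t0)
    while (t1 != nullptr && t1 != head && pids.size() < maxIter) {
        const FakeEprocess* p = CONTAINING_RECORD(t1, FakeEprocess, ActiveProcessLinks);
        pids.push_back(p->UniqueProcessId);                                // stands in for !process @$t2
        t1 = t1->Flink;                                                    // poi(@$t1)
    }
    return pids;
}

// Constructed sample: PIDs 4, 316, 1024 on a well-formed list. With corruptTail the tail's
// Flink is pointed back at the first record instead of the head, so only maxIter stops the walk.
std::vector<uint32_t> RunSample(bool corruptTail, size_t maxIter = 100000) {
    std::vector<FakeEprocess> procs{{4, {}}, {316, {}}, {1024, {}}};
    LIST_ENTRY head;
    BuildList(head, procs);
    if (corruptTail) procs[2].ActiveProcessLinks.Flink = &procs[0].ActiveProcessLinks;
    return WalkActiveProcessList(&head, maxIter);
}
```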
Compared with WinDbg scripts, WinDbg extensions are more complex and usually take more effort to implement the same functionality. The benefit is that extensions expose far more capability: you could even write a debugger on top of the same interfaces. What does a complete WinDbg extension look like? The following extension DLL prints the value of a global string.
Example of a WinDbg extension written in C++:
#include <windows.h>
#include <dbgeng.h>

// Required entry point: the engine calls this when the DLL is loaded with .load.
// Both DebugExtensionInitialize and PrintPTR must be exported (e.g. via a .def file).
extern "C" HRESULT CALLBACK
DebugExtensionInitialize(PULONG Version, PULONG Flags)
{
    *Version = DEBUG_EXTENSION_VERSION(1, 0);
    *Flags = 0;
    return S_OK;
}

// Implements the !PrintPTR command.
extern "C" HRESULT CALLBACK
PrintPTR(PDEBUG_CLIENT pDebugClient, PCSTR args)
{
    UNREFERENCED_PARAMETER(args);
    IDebugSymbols* pDebugSymbols;
    if (SUCCEEDED(pDebugClient->QueryInterface(__uuidof(IDebugSymbols), (void**)&pDebugSymbols)))
    {   // Resolve the symbol to an address in the target
        ULONG64 ulAddress = 0;
        if (SUCCEEDED(pDebugSymbols->GetOffsetByName("TestSTLMap!g_wString", &ulAddress)))
        {
            IDebugDataSpaces* pDebugDataSpaces;
            if (SUCCEEDED(pDebugClient->QueryInterface(__uuidof(IDebugDataSpaces), (void**)&pDebugDataSpaces)))
            {   // Read the pointer value from the target's address space
                ULONG64 ulPtr = 0;
                if (SUCCEEDED(pDebugDataSpaces->ReadPointersVirtual(1, ulAddress, &ulPtr)))
                {
                    PDEBUG_CONTROL pDebugControl;
                    if (SUCCEEDED(pDebugClient->QueryInterface(__uuidof(IDebugControl), (void**)&pDebugControl)))
                    {   // Output the address, the pointer, and the Unicode string it points to (%mu)
                        pDebugControl->Output(DEBUG_OUTPUT_NORMAL, "%p TestSTLMap!g_wString = 0x%p\n", ulAddress, ulPtr);
                        pDebugControl->Output(DEBUG_OUTPUT_NORMAL, "%mu\n", ulPtr);
                        pDebugControl->Release();
                    }
                }
                pDebugDataSpaces->Release();
            }
        }
        // Release the symbols interface regardless of whether the lookup succeeded
        pDebugSymbols->Release();
    }
    return S_OK;
}
Summary
From my research, I found that few people in China are doing related work. There are also a few cool people in the industry outside China who do it rather better, and their tools are enough to amaze you, so start today. If you are interested, keep an eye out for the subsequent articles.