Windbg command scripts (Windbg command syntax rules series)

A command script is a group of related commands that together accomplish a specific task, stored in a script file that is loaded into Windbg and executed there to achieve our goal. You can think of it as a scripting language, somewhat like C or assembler, except that it does not need a compiler to turn it into an executable file; instead its contents are translated into the corresponding actions by an interpreter. For Windbg scripts the interpreter is Windbg itself, which translates the script's contents into actual actions.
Since it can be regarded as a language, it has the elements a language usually contains: data types, variables, expressions, statements, functions and so on. Here we will talk briefly about each of them.


First, data types
Windbg's help does not specifically enumerate data types, but the two commonly encountered in practice are numbers and strings.

  • Numeric
    Numeric values need little explanation: they are integers with the same meaning as in any programming language. Each base is indicated by a prefix:
    Code:

    binary       0y
    octal        0t
    decimal      0n
    hexadecimal  0x
  • String
    Strings are enclosed in a pair of double quotes, for example "hello windbg".

Second, variables
Variables in windbg are rather special: in fact windbg has no concept of a variable at all, which feels very uncomfortable when you first learn it. But with a change of thinking, a variable is just a place to hold a temporary result, and if you want to keep some value then a pseudo-register (refer to the Windbg command syntax rules series) is the better choice. windbg offers 20 pseudo-registers, $t0-$t19, for saving temporary numeric values in commands. They are called pseudo-registers for a reason: like real registers they are operated on with the r command and must be prefixed with @ in C++ expressions, but they are not real registers, only names defined by windbg. These pseudo-registers are very convenient to use:

Code:

0:000> r $t0=0x123
0:000> r $t0
$t0=00000123

0:000> r eax
eax=004c1b89

0:000> r $t0=@eax
0:000> r $t0
$t0=004c1b89

As the example shows, the @ prefix may be omitted after the r command.


Third, aliases
An alias differs somewhat from a variable: a variable takes on a value during execution, whereas an alias is more like a macro; when the command is interpreted, the alias is directly replaced by its content. There are two kinds of alias: fixed-name and user-named (custom).

  • Fixed-name alias
    Fixed-name aliases are similar to pseudo-registers: Windbg provides 10 of them, $u0-$u9. They are still set with the r command, but a dot must be placed in front of the u, like this: $.u0:

    Code:
    0:000> r $.u0 = "123"
    0:000> .echo $u0
    123
    
    As the example shows, once the alias is defined, Windbg replaces it with its content wherever it is used.
  • Custom alias
    Custom (user-named) aliases are more involved, but with them we can think of a string as being stored in an alias. Three commands operate on custom aliases: as, ad and al.
    as defines an alias; its power lies in being able to take a memory address and define the alias from the contents of that memory.

    Code:
    0:000> .dvalloc 10
    Allocated 1000 bytes starting at 00010000
    0:000> ea 00010000 "123456"
    0:000> as /ma ${/v:test} 0x00010000
    0:000> .echo test
    123456
    
    The command above defines an alias for the address 0x00010000; because the /ma option was used, the memory content is parsed as a '\0'-terminated ASCII string. ${} is the alias interpreter, explained later. Besides /ma, as has other powerful options:

    Code:

    /ma address: read the memory at address as a '\0'-terminated ASCII string.
    /mu address: read the memory at address as a Unicode string.
    /msa address: read the memory at address as an ANSI_STRING structure.
    /msu address: read the memory at address as a UNICODE_STRING structure.
    /f file: the alias equals the contents of the specified file.
    /e variable: the alias equals the value of the specified environment variable.

    al lists the aliases already defined, and ad deletes a defined alias. Continuing with the example, enter the following commands:

    Code:
    0:000> al
      Alias            Value  
     -------          -------
     test             123456
    0:000> ad ${/v:test}
    0:000> al
    No aliases
    
    The effect is clearly visible.
    Now let's explain the odd-looking ${} in the example. This is called the alias interpreter: when an alias name is placed inside the braces, Windbg knows that there is an alias there that needs to be translated. In fact the alias can also be used without this notation, but in a complex script that can cause problems (which piece of text is an alias and which is not?), so the best advice is always to use it. The interpreter also has options; the /v: above was one of them:
    ${/v:name}: keep the alias name intact and do not translate it; used when defining and deleting an alias.
    ${/n:name}: if the alias is defined, translate it to its contents; otherwise leave the text untranslated.
    ${/f:name}: if the alias is defined, translate it to its contents; otherwise translate it to an empty string.
    ${/d:name}: translate to 1 if the alias is defined, otherwise to 0; the equivalent of #ifdef.
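The following script is an added example, not code from the original post, showing how the four interpreter options behave for a defined and an undefined alias, and why the translation has to happen inside a new block. The alias names target and nothere, the alias value and the file path are constructed; save the script to a file and run it with $$>< on any stopped target.

```windbg
$$ Added example (not from the original post): ${} interpreter options on a
$$ defined and an undefined alias.  Alias names and value are constructed.
$$ Run from a file, e.g.  $$>< c:\aliasdemo.txt  (path is constructed).
$$ ${/d:target} is evaluated when this block is entered, so it is 0 here
.if (${/d:target} == 0) {
    .echo target is not defined yet, defining it now
    $$ aS (capital S) takes a single token as the value; plain as would
    $$ swallow the rest of the line, which $$>< has joined with semicolons
    aS target kernel32!CreateFileW
}
.block {
    $$ a fresh block is entered after the aS command, so the alias is
    $$ translated here even though it was undefined when the script started
    .echo target now translates to: ${target}
    .echo d option on a defined alias gives: ${/d:target}
    .echo f option on an undefined alias gives an empty string: [${/f:nothere}]
    .echo n option on an undefined alias leaves the text as-is: [${/n:nothere}]
}
$$ /v keeps the name untranslated, so ad removes the alias itself, not its value
ad ${/v:target}
al
```

Running it twice back to back shows the difference between the two states: on the first run ${/d:target} is 0 and the alias is created; the .block echoes kernel32!CreateFileW, 1, [] and [${/n:nothere}]; and the final al reports no aliases because ad removed it again.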

Fourth, expressions
Windbg provides two kinds of expression: assembler (MASM) expressions and C++ expressions (refer to the Windbg command syntax rules series). The operators and operands of the two differ slightly.
The default is assembler expression syntax; ? evaluates an assembler expression and ?? evaluates a C++ expression.
Assembler expressions support the arithmetic operators +, -, *, /, and in addition some conversion-like operators such as poi. For example, when you have stopped at a function whose first parameter is a pointer to a string, how do you print that string? You could run dd esp+4 and then da on the result; with poi a single command does it: dd poi(esp+4).

C++ expressions are much richer: almost any C++ expression can be used, including the -> operator. To have Windbg evaluate an expression as C++, wrap it in @@c++( ).

Fifth, statements
We said that a script should be written with a programming mindset, and programming is hardly possible without flow control statements. Windbg supports the following:
.if
.else
.elif
.for
.while
.break
.continue
.do
.printf: formatted output, familiar from C.
.block: statement block.
$$: comment, which looks a little strange.

.block deserves separate discussion. A statement block is just a group of statements surrounded by {}; the bodies of .if and .else are in fact statement blocks. Aliases (remember them) inside a block are translated when the block is entered; if you redefine an alias after entering the block, the new definition has no effect on the remaining statements of that block (remember, an alias is a textual replacement). So if you need a later statement to see the new definition, put the later statements into their own block, i.e. wrap them in {}; but Windbg cannot recognize a bare {} on its own, hence .block. Remember: if you need an alias to be translated, it must be placed in a statement block.
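The following script is an added example, not code from the original post, that ties the expression section (poi and @@c++) and the flow control statements together: it walks the first four stack slots with .for, keeps its counters in $t pseudo-registers, prints with .printf, uses .if and .break, and then re-reads one slot as a C++ expression. It assumes a 32-bit user-mode target that is stopped, so that esp is valid; the file path is whatever you choose.

```windbg
$$ Added example (not from the original post): walk the first four stack
$$ slots with .for, $t pseudo-registers, poi and .printf, then re-read one
$$ slot as a C++ expression.  Run from a file with $$>< on a 32-bit
$$ user-mode target that is stopped, so that esp is valid.
r $t0 = 0
.for (r $t1 = 0; @$t1 < 4; r $t1 = @$t1 + 1) {
    $$ address of slot number @$t1
    r $t2 = @esp + @$t1 * 4
    .printf "slot %d at %p = %p\n", @$t1, @$t2, poi(@$t2)
    .if (poi(@$t2) == 0) {
        $$ a zero slot ends the walk early, the way a NULL terminator would
        .printf "slot %d is zero, stopping\n", @$t1
        .break
    }
    r $t0 = @$t0 + 1
}
.printf "%d non-zero slots inspected\n", @$t0
$$ slot 1 (the first argument of a just-called function) re-read as a C++
$$ expression: esp cast to an array of unsigned long and indexed
? @@c++(((unsigned long *)@esp)[1])
```

Typical use is to set a breakpoint on a function entry, go, and run the script when the breakpoint hits: slot 0 is then the return address and slots 1 to 3 are the first three arguments, so the last line prints the same value as dd poi(esp+4) would start from.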

Six, functions (built-in)
Here we talk about two built-in functions, $scmp and $sicmp, which compare strings; $scmp is case-sensitive and $sicmp is case-insensitive. They have one shortcoming: their parameters can only be string literals, that is, you can write $scmp("123", "123") but not $scmp(poi(esp+4), "123"). So what use are these two functions then? Do not worry: we can use an alias (this is where aliases are most useful). Continuing the earlier example:

Code:

0:000> as /ma ${/v:test} 00010000
0:000> ? $scmp("${test}","123456")
Evaluate expression: 0 = 00000000
0:000> ? $scmp("${test}","123457")
Evaluate expression: -1 = ffffffff

This way you can compare a string variable.

With the above knowledge you have the basics for writing a windbg script; the rest depends on how much of the "API" you know, and for more detail you need to dig into Windbg's help.

Finally, a complete example: a script that hooks CreateFileW. It is not long, but it contains the essence, ha ha.
Code:

$$ reserve memory at a fixed address and write a tiny stub there:
$$   33 C0      xor eax,eax
$$   C2 1C 00   ret 1Ch   (pops the 7 arguments of CreateFileW)
.dvalloc /b 0x79990000 30
ew 0x79990000 0xc033
ed 0x79990002 0x00001cc2
$$ on each call, read lpFileName (first stack argument) into the alias
$$ "filename" as a Unicode string; the .block makes it translate here
$$ and the ad afterwards removes it again for the next hit
bp kernel32!CreateFileW "
as /mu ${/v:filename} poi(esp+4);
.block{
    .if ($sicmp(\"${filename}\", \"c:\\1.txt\") == 0){
        .echo \"open 1.txt\";
        r eip=0x79990000
    }
}
ad ${/v:filename};
gc;
"

 

Seven, execution

First, a simple script
Code:

.echo "hello windbg"

This command displays the string "hello windbg". Save it to the file c:\1.txt, then in the Windbg command window enter:
$><c:\1.txt and press Enter.

Look at what appears on the screen.

 

Windbg executes the contents of 1.txt as Windbg commands. This is a simple script. From this example it is easy to see the role of $><: it tells Windbg to interpret the script file, and Windbg turns the txt file into a sequence of commands. Once you know this you are already past the entry point of Windbg scripting: we can write many commands into such a file and then load and execute it with $><.

Now for the commands that load and execute a script in Windbg. There are five related commands: $<, $><, $$<, $$>< and $$>a<. Each reads the contents of the specified script file and uses it as debugger command input, as follows:

$<Filename
$><Filename
$$< Filename
$$>< Filename
$$>a< Filename [arg1 arg2 arg3 ... ]

Parameters:

  • Filename
    Specifies the file that contains the debugger command text. The file name must follow Microsoft Windows file naming conventions and may contain spaces.
  • argn
    Specifies any number of string arguments to pass to the script. Before executing the script, the debugger replaces every token of the form ${$argn} in the script file with the corresponding argn. Arguments may not contain quotes or semicolons. Multiple arguments are separated by spaces; an argument that itself contains a space must be enclosed in quotes. All arguments are optional.

Environment:

Modes: user mode, kernel mode

Targets: live, crash dump

Platforms: all

Detailed description:

The $$< and $< tokens execute the commands found in the script file literally, one by one. However, $< lets you specify any file name, including one that contains a semicolon. Because $< allows a semicolon in the file name, $< cannot be chained with other debugger commands using semicolons: the semicolon is treated as part of the file name rather than as a command separator.

The $$>< and $>< tokens execute the commands found in the script file as a block: they open the script file, replace all carriage returns with semicolons, and execute the resulting text as a single command block. As with $<, the $>< variant allows the file name to contain a semicolon, which means $>< cannot be chained with other debugger commands either.

The $$>< and $>< tokens are useful when the script contains debugger command programs (flow control).

Unless the file name contains a semicolon, there is no need to use $< or $><.

The $$>a< token lets the debugger pass arguments to the script. If the file name contains spaces, it must be enclosed in quotes. If too many arguments are supplied, the extra ones are ignored. If too few are supplied, any ${$argn} token in the script whose n is greater than the number of arguments supplied is left in the text as-is and is not replaced. This command can be chained with other commands using a semicolon; the semicolon terminates the argument list.

While the script executes, the commands and their output are displayed in the debugger command window. When the end of the script file is reached, control returns to the debugger.

The following table summarizes how to use these tokens.

Token   File name may contain semicolons   Can be chained with other commands   Condenses commands into a single block   Allows script arguments
$<      yes                                no                                   no                                       no
$><     yes                                no                                   yes                                      no
$$<     no                                 yes                                  no                                       no
$$><    no                                 yes                                  yes                                      no
$$>a<   no                                 yes                                  yes                                      yes

The $<, $><, $$< and $$>< tokens echo the commands contained in the script file and display their output. The $$>a< token does not echo the commands in the script file; it displays only their output. Script files can be nested: if the debugger encounters one of these tokens inside a script, execution moves to the new script file and, when that file is complete, returns to the previous position. A script can also call itself recursively. In WinDbg you can also paste debugger commands into the command window.
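The following script is an added example, not code from the original post, combining the $$>a< argument mechanism with a breakpoint command string like the one in the CreateFileW example above. Instead of diverting the call it only logs each CreateFileW call (file name, requested access, caller) and stops in the debugger once the number of calls given as the first script argument has been reached. The file name c:\logcreate.txt and the count are constructed; it assumes a 32-bit user-mode target with kernel32 symbols loaded.

```windbg
$$ c:\logcreate.txt  (constructed example, not from the original post)
$$ Log CreateFileW calls with file name, desired access and caller, and stop
$$ in the debugger once the count given as the first script argument is
$$ reached.  ${$arg1} is replaced with the argument before the script runs:
$$     $$>a< c:\logcreate.txt 5
$$ Assumes a 32-bit user-mode target with kernel32 symbols loaded.
r $t0 = 0
bp kernel32!CreateFileW "
    r $t0 = @$t0 + 1;
    .printf \"[%d] CreateFileW(%mu) access=%08x caller=%p\\n\", @$t0, poi(@esp+4), poi(@esp+8), poi(@esp);
    .if (@$t0 < ${$arg1}) {
        gc
    } .else {
        .echo limit reached, stopping in the debugger
    }
"
.printf "logging the first %d CreateFileW calls, counter kept in $t0\n", ${$arg1}
```

After loading the script, resume the target with g; every CreateFileW call prints one line and execution continues, and on the fifth call (for the invocation shown) the .else branch runs, no gc is issued, and the debugger stops at the breakpoint with the arguments still on the stack for inspection. If the argument is omitted, the literal ${$arg1} stays in the text and the .if fails to parse, which is the behaviour described for missing arguments above.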

 reference:

https://blog.csdn.net/superliuxing/article/details/19206985


Origin www.cnblogs.com/yilang/p/11413230.html