WinDbg - compare a string argument with a string from memory

I need to compare a string passed as an argument to WinDbg with a string from memory. How can this be done?

For example, the string sits at a particular offset inside a loaded PE, so I can easily read it by executing da /c 100 <addr>. But how do I use .if in a WinDbg script to compare this string with arg1? (I guess $SPAT()

I tried to read the output of the da command into an alias / user-defined register, but I did not succeed.

You can use as /c:

Assign the string to an alias
0:012> as /c Hello .printf "%ma", 06130000
0:012> .echo @"${Hello}"
Hello world

Then you can use $spat() on it:

0:012> ? $spat(@"${Hello}","*ell*")
Evaluate expression: 1 = 00000000`00000001
0:012> ? $spat(@"${Hello}","x*")
Evaluate expression: 0 = 00000000`00000000

To control the pattern from the command line, set another alias using the -c command line switch:

windbg -c "as Pattern *ell*"

// this line is from the command line argument
0:006> as Pattern *ell*

0:006> .dvalloc 1000
Allocated 1000 bytes starting at 04610000
0:006> ea 04610000 "Hello world"
0:006> as /c Hello .printf "%ma", 04610000
0:006> .echo ${Pattern}
*ell*
0:006> .echo ${Hello}
Hello world
0:006> ? $spat(@"${Hello}", @"${Pattern}")
Evaluate expression: 1 = 00000001

A JavaScript script like this can also be used

// print a line to the debugger command window
function log(instr) {
    host.diagnostics.debugLog(instr + "\n");
}
// register foo as a parent model of Debugger.Models.Process so that
// its methods are reachable as @$curprocess.<method>
function initializeScript() {
    return [new host.namedModelParent(foo, "Debugger.Models.Process")];
}
class foo {
    Init(comparand) {
        // read the target's command line (UTF-16) from PEB->ProcessParameters
        var peb         = host.currentProcess.Environment.EnvironmentBlock;
        var cmdlinebuff = peb.ProcessParameters.CommandLine.Buffer;
        var cmdline     = host.memory.readWideString(cmdlinebuff);
        // split at the first space: program name, then everything after it as the argument
        var progname    = cmdline.slice(0, cmdline.indexOf(" "));
        var argname1    = cmdline.slice(cmdline.indexOf(" ") + 1);
        log(progname);
        log(argname1);
        if (comparand == argname1) {
            log("argument matches with comparand");
        } else {
            log("argument does not match with comparand ");
        }
    }
}

and run it like this

C:\>cdb -c ".load jsprovider;.scriptload c:\cmdln.js" calc my_1337_cmdline

0:000> cdb: Reading initial command '.load jsprovider;.scriptload c:\cmdln.js'
JavaScript script successfully loaded from 'c:\cmdln.js'

0:000> dx @$curprocess.Init("my_1337")
calc
my_1337_cmdline
argument does not match with comparand
@$curprocess.Init("my_1337")

0:000> dx @$curprocess.Init("my_1337_cmdline")
calc
my_1337_cmdline
argument matches with comparand
@$curprocess.Init("my_1337_cmdline")
0:000>

If you need to pass an address instead of a literal string, you can do that too

// print a line to the debugger command window
function log(instr) {
    host.diagnostics.debugLog(instr + "\n");
}
// register foo as a parent model of Debugger.Models.Process
function initializeScript() {
    return [new host.namedModelParent(foo, "Debugger.Models.Process")];
}
class foo {
    cmpCmdln(addrtostr) {
        // first argument of the target's command line
        var peb     = host.currentProcess.Environment.EnvironmentBlock;
        var clnbuf  = peb.ProcessParameters.CommandLine.Buffer;
        var cmdln   = host.memory.readWideString(clnbuf);
        var arg1    = cmdln.slice(cmdln.indexOf(" ") + 1);
        // narrow (ANSI) string at the address passed in; use readWideString for UTF-16 data
        var teststr = host.memory.readString(addrtostr);
        // prefix comparison: does the string in memory start with arg1?
        if (teststr.slice(0, arg1.length) === arg1) {
            log("Deal With Success : " + teststr);
        } else {
            log("Deal with failure : " + teststr);
        }
    }
}

load jsprovider, load the script and run it like

0:000> du @@c++((@$peb->ProcessParameters->CommandLine.Buffer))
001d20a4  "calc !This"

0:000> dx @$curprocess.cmpCmdln(0x52004d)
Deal With Success : !This program cannot be run in DOS mode.
$
@$curprocess.cmpCmdln(0x52004d)

0:000> dx @$curprocess.cmpCmdln(0x52005d)
Deal with failure : nnot be run in DOS mode.
$
@$curprocess.cmpCmdln(0x52005d)
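As an added example (not code from either answer above), here is the comparison logic of both approaches factored into plain functions: a $spat-style wildcard matcher (only * and ?, case-insensitive, which is how I understand $spat to behave; the [..], # and + specifiers of the full wildcard syntax are left out) and a command-line splitter that, unlike the indexOf(" ") split used above, copes with a quoted program path, followed by the WinDbg JavaScript-provider glue. The names CmdlineCompare and CompareArg are my own, not anything from the page; the pure helpers also run under node, which is how they can be checked outside the debugger.

```javascript
"use strict";
// Added example, not code from either answer above. The helpers are plain JS so
// they can be exercised under node; the WinDbg glue at the bottom only runs when
// the file is loaded with .scriptload in the JavaScript provider.

// Turn a $spat-style wildcard pattern into a RegExp: "*" matches any run of
// characters, "?" exactly one. Assumption: matching is case-insensitive, as
// $spat's is; the [..], # and + specifiers of the full syntax are not handled.
function spatToRegExp(pattern) {
    var re = "^";
    for (var ch of pattern) {
        if (ch === "*") {
            re += "[\\s\\S]*";
        } else if (ch === "?") {
            re += "[\\s\\S]";
        } else {
            re += ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");   // escape regex metacharacters
        }
    }
    return new RegExp(re + "$", "i");
}

function spat(str, pattern) {
    return spatToRegExp(pattern).test(str);
}

// Split a Win32 command line into program and argument string. Unlike a bare
// indexOf(" ") this honours a quoted program path ("C:\Program Files\x.exe" arg).
function splitCmdline(cmdline) {
    var s = cmdline.replace(/^\s+/, "");
    var program, rest;
    if (s.charAt(0) === '"') {
        var end = s.indexOf('"', 1);
        program = end < 0 ? s.slice(1) : s.slice(1, end);
        rest = end < 0 ? "" : s.slice(end + 1);
    } else {
        var sp = s.search(/\s/);
        program = sp < 0 ? s : s.slice(0, sp);
        rest = sp < 0 ? "" : s.slice(sp);
    }
    return { program: program, args: rest.trim() };
}

// Compare the first argument with a string read from the target's memory.
//   "exact"   whole-string equality (what Init() above does)
//   "prefix"  memory string starts with the argument (what cmpCmdln() does), except
//             that an empty argument counts as no match instead of matching everything
//   "pattern" the argument is a $spat-style wildcard pattern
function compareArg(cmdline, memString, mode) {
    var arg1 = splitCmdline(cmdline).args.split(/\s+/)[0];
    var match;
    if (mode === "exact") {
        match = memString === arg1;
    } else if (mode === "prefix") {
        match = arg1.length > 0 && memString.indexOf(arg1) === 0;
    } else if (mode === "pattern") {
        match = spat(memString, arg1);
    } else {
        throw new Error("unknown mode: " + mode);
    }
    return { arg1: arg1, match: match };
}

// ---- WinDbg JavaScript-provider glue (only meaningful inside the debugger) ----
// After .load jsprovider; .scriptload <this file>:
//   dx @$curprocess.CompareArg(<addr>, "prefix")   // <addr>: address of a narrow string
// CmdlineCompare / CompareArg are names chosen for this example, not from the page.
class CmdlineCompare {
    CompareArg(addrOfString, mode) {
        var peb = host.currentProcess.Environment.EnvironmentBlock;
        var cmdline = host.memory.readWideString(peb.ProcessParameters.CommandLine.Buffer);
        var memString = host.memory.readString(addrOfString);   // readWideString for UTF-16 data
        var r = compareArg(cmdline, memString, mode || "exact");
        host.diagnostics.debugLog("arg1=\"" + r.arg1 + "\" mem=\"" + memString + "\" match=" + r.match + "\n");
        return r.match;
    }
}

function initializeScript() {
    return [new host.namedModelParent(CmdlineCompare, "Debugger.Models.Process")];
}
```

In a classic command script the first answer's check drops straight into the .if the question asks about, e.g. .if ($spat(@"${Hello}", @"${Pattern}")) { .echo match } .else { .echo no match }. Whichever route you take, pick readString or readWideString according to what is actually in memory (narrow vs UTF-16), since a wide string read as narrow stops after its first character.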