Windbg script: Is there a way to have the currently executed command outputted to the log?
I'm using cdb with a script file to process crash inputs for a process (I don't collect dumps). The cdb command line is as follows:
PS> & "C:\Program Files (x86)\Windows Kits\Debuggers\x64\cdb.exe" -g -logo K:\_projects\fuzz\out_test.txt -c "`$`$><K:\_projects\fuzz\crash_info_script.wsc" "K:\_projects\fuzz\bin\simpleTest.exe" -f "K:\_projects\fuzz\corpus\crashes\test_00000000.bin"
The script file passed to cdb (crash_info_script.wsc in the command line above) is simple, because I only need basic information:
!analyze -v; .exr -1; lm; k; lmDvmsimpleTest; qq
The problem is that the commands themselves are not in the output log. For example, in the latter I have (the output of .exr -1 and lm):
ExceptionAddress: 00007ffe75721f3e (simpleTest!foo+0x0000000000290f7e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000001a435a25000
Attempt to read from address 000001a435a25000
start end module name
00007ff6`df020000 00007ff6`df07d000 simpleTest C (export symbols) K:\_projects\fuzz2\bin\simpleTest.exe
00007ffe`75250000 00007ffe`7686a000 foo (export symbols) K:\_projects\fuzz2\bin\foo.dll
00007ffe`ac530000 00007ffe`ac5ce000 uxtheme (deferred)
00007ffe`aeb10000 00007ffe`aeb41000 cryptnet (deferred)
00007ffe`aeb50000 00007ffe`aeb5a000 VERSION (deferred)
00007ffe`b5230000 00007ffe`b5242000 kernel_appcore (deferred)
00007ffe`b6c50000 00007ffe`b6c5c000 cryptbase (deferred)
00007ffe`b6ce0000 00007ffe`b6d0c000 wldp (deferred)
00007ffe`b6f40000 00007ffe`b6f52000 msasn1 (deferred)
00007ffe`b7100000 00007ffe`b7134000 devobj (deferred)
00007ffe`b74a0000 00007ffe`b75ff000 CRYPT32 (deferred)
...
What I want:
> .exr -1
ExceptionAddress: 00007ffe75721f3e (simpleTest!foo+0x0000000000290f7e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000001a435a25000
Attempt to read from address 000001a435a25000
> lm
start end module name
00007ff6`df020000 00007ff6`df07d000 simpleTest C (export symbols) K:\_projects\fuzz2\bin\simpleTest.exe
00007ffe`75250000 00007ffe`7686a000 foo (export symbols) K:\_projects\fuzz2\bin\foo.dll
00007ffe`ac530000 00007ffe`ac5ce000 uxtheme (deferred)
00007ffe`aeb10000 00007ffe`aeb41000 cryptnet (deferred)
00007ffe`aeb50000 00007ffe`aeb5a000 VERSION (deferred)
00007ffe`b5230000 00007ffe`b5242000 kernel_appcore (deferred)
00007ffe`b6c50000 00007ffe`b6c5c000 cryptbase (deferred)
00007ffe`b6ce0000 00007ffe`b6d0c000 wldp (deferred)
00007ffe`b6f40000 00007ffe`b6f52000 msasn1 (deferred)
00007ffe`b7100000 00007ffe`b7134000 devobj (deferred)
00007ffe`b74a0000 00007ffe`b75ff000 CRYPT32 (deferred)
...
I could use .printf after each command, but that is inconvenient, especially when I change the script.
I don't have the fuzzable executable; this is from a dump, so I can't be sure whether the behaviour you see is because of that.
Use -cfr file instead of -c and try:
Directory contents before:
D:\niet>ls -lg
total 153021
-rw-r--r-- 1 197121 156689581 Aug 17 23:49 MEMORY.DMP
-rw-r--r-- 1 197121 22 Sep 17 16:09 foo.wds
D:\niet>file MEMORY.DMP
MEMORY.DMP: MS Windows 64bit crash dump, 4992030524978970960 pages
D:\niet>cat foo.wds
!analyze -v
lm
kb
q
Command used:
D:\niet>cdb -g -logo foo.txt -cfr foo.wds -z MEMORY.DMP
debugger
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Directory contents after:
D:\niet>ls -lg
total 153053
-rw-r--r-- 1 197121 156689581 Aug 17 23:49 MEMORY.DMP
-rw-r--r-- 1 197121 29738 Sep 17 16:19 foo.txt
-rw-r--r-- 1 197121 22 Sep 17 16:09 foo.wds
Looking for the executed commands:
D:\niet>cat foo.txt | grep -i ": kd"
1: kd> !analyze -v
1: kd> lm
1: kd> kb
1: kd> q
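Once the commands are echoed with their prompt, as in the session above, a short post-processing script can pair each command with its output, which is what the crash-triage use case in the question needs. This is an added example, not code from the question or the answer: a Python parser for that prompt-prefixed log format, run over a constructed sample log. It assumes the "0:000>" user-mode prompt form in addition to the "1: kd>" form the answer shows.

```python
import re

# Debugger prompt that precedes an echoed command in a cdb/kd log: "0:000> "
# in a user-mode session (assumed form), "1: kd> " for a kernel dump as in
# the answer's session above.
PROMPT_RE = re.compile(r"^\d+:(?:\d{3}|\s*kd)>\s?(?P<cmd>.*)$")

def split_log(text: str) -> list[tuple[str, list[str]]]:
    """Split a log into (command, output_lines) pairs in execution order.
    Text before the first prompt (banner, symbol loading) is kept under an
    empty command name so nothing is silently dropped."""
    blocks: list[tuple[str, list[str]]] = []
    cmd, out = "", []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            if cmd or out:
                blocks.append((cmd, out))
            cmd, out = m.group("cmd").strip(), []
        else:
            out.append(line.rstrip())
    if cmd or out:
        blocks.append((cmd, out))
    return blocks

def exception_summary(blocks: list[tuple[str, list[str]]]) -> dict[str, str]:
    """Pick ExceptionAddress/ExceptionCode out of the '.exr -1' block."""
    fields: dict[str, str] = {}
    for cmd, out in blocks:
        if not cmd.startswith(".exr"):
            continue
        for line in out:
            key, sep, val = line.partition(":")
            if sep and key.strip() in ("ExceptionAddress", "ExceptionCode"):
                fields[key.strip()] = val.strip()
    return fields

# Constructed sample log, modelled on the .exr -1 / lm output in the question.
SAMPLE_LOG = """\
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
0:000> .exr -1
ExceptionAddress: 00007ffe75721f3e (simpleTest!foo+0x0000000000290f7e)
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 000001a435a25000
0:000> lm
start end module name
00007ff6`df020000 00007ff6`df07d000 simpleTest C (export symbols)
0:000> qq
"""
```

Feeding the real -logo file to split_log gives one block per command, so a later script change needs no .printf markers to keep the output attributable.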