Using Windbg script I want to check the presence of a certain string in an argument of any function.
0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00422fc6 edx=00000000 esi=03d574e8 edi=00000005
eip=76d8fd3f esp=000cf7ac ebp=000cf7c8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
USER32!MessageBoxW:
76d8fd3f 8bff mov edi,edi
0:000> du poi(esp+8)
03d574e8 "Cannot find "hello""
Here the 2nd parameter passed to MessageBoxW is Cannot find "hello".
So I want to check the presence of the string hello inside the 2nd argument.
Based on this MSDN article, I tried the following commands, but it's not working:
0:000> r $t1 = poi(esp+8)
0:000> as /mu $MSG $t1
0:000> .echo ${$MSG}
Cannot find "hello"
0:000> .if ($spat(@"${MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
NotFound
It should return Found, I guess!
Thanks.
In the .if command you used, ${MSG} does not get replaced due to a missing $. Try searching for MSG as the proof:
0:001> .if ($spat(@"${MSG}","*MSG*") == 0) {.echo NotFound} .else {.echo Found}
Found
It gets replaced in
0:001> .if ($spat(${$MSG},"*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(Cannot find "hello","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
but that is missing quotation marks before Cannot. It also gets replaced in
0:001> .if ($spat("${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '("Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
but there, the quotation marks are closed by the quotation marks inside the string. Also, the @ symbol does not help:
0:001> .if ($spat(@"${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(@"Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
So this is one of those cases where IMHO they forgot to consider escape characters in WinDbg. Very frustrating and always a source of errors.
Luckily there is PyKD and the code to check for the string is
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
reg("esp") gets the value of the ESP register. +8 adds 8 of course. ptrPtr() gets a pointer sized value from that address. loadWStr() reads from that value until it hits a NUL character. "hello" in performs a find operation. You could also use .find("hello") >= 0 (find() returns -1 when the substring is absent and 0 when it starts the string).
Here's how I tried it:
0:003> .dvalloc 2000
Allocated 2000 bytes starting at 00470000
0:003> eu 00470000 "Cannot find \"hello\""
0:003> du 00470000
00470000 "Cannot find "hello""
0:003> ep 00470000+1008 00470000
0:003> r esp=00470000+1000
0:003> .load E:\debug\Extensions\pykd\x86\pykd.dll
0:003> !pycmd
Python 2.7.8 |Anaconda 2.1.0 (32-bit)| (default, Jul 2 2014, 15:13:35) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
>>> exit()
You can put the following code into a .PY file
from pykd import *
print "hello" in loadWStr(ptrPtr(reg("esp")+8))
And then run it without the interactive console like this:
0:003> !py e:\debug\hello.py
True
In WinDbg, you need to get rid of the quotation marks. One way to do that is .foreach:
0:001> .foreach (token {.echo $MSG}){.echo ${token}}
Cannot
find
hello
The output does not contain quotation marks any more. Let's assign this output to another alias:
0:001> as /c NOQ .foreach (token {.echo ${$MSG}}){.echo ${token}}
With this new alias, your command will work:
0:001> .if ($spat("${NOQ}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Found
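The PyKD one-liner above works because three small reads compose: fetch the pointer-sized argument from the stack, follow it, and read a NUL-terminated UTF-16 string. The following is an added example (not from the question, the answers, or the pykd project) that reproduces those steps over a constructed memory image, so the mechanics can be run without a debugger. The Memory class is a stand-in for pykd's ptrPtr/loadWStr; the addresses, the caption string and the return address are constructed, only the esp and lpText values are taken from the question. It generalizes the esp+8 case to any 1-based stdcall argument index at function entry on x86.

```python
import struct

# Constructed memory image standing in for the debuggee (added example, not pykd code).
# The stack layout mirrors x86 stdcall at USER32!MessageBoxW entry, as in the question:
#   [esp]    return address
#   [esp+4]  hWnd
#   [esp+8]  lpText   -> pointer to the UTF-16 message text
#   [esp+12] lpCaption
#   [esp+16] uType
STACK_BASE = 0x000cf7ac      # esp value shown in the question
TEXT_ADDR = 0x03d574e8       # lpText value shown in the question
CAPTION_ADDR = 0x03d57600    # constructed
RETURN_ADDR = 0x00401234     # constructed


class Memory:
    """Sparse, byte-addressable memory built from a few constructed regions.
    ptr_ptr and load_wstr mimic pykd's ptrPtr and loadWStr on an x86 target."""

    def __init__(self):
        self.regions = {}  # base address -> bytearray

    def write(self, addr, data):
        self.regions[addr] = bytearray(data)

    def read(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                off = addr - base
                return bytes(buf[off:off + size])
        raise MemoryError("unmapped read at 0x%08x" % addr)

    def ptr_ptr(self, addr):
        # 32-bit little-endian pointer-sized read
        return struct.unpack("<I", self.read(addr, 4))[0]

    def load_wstr(self, addr, max_chars=4096):
        # read UTF-16LE code units until a NUL unit; bounded so an
        # unterminated buffer cannot cause a runaway read
        raw = bytearray()
        for i in range(max_chars):
            unit = self.read(addr + 2 * i, 2)
            if unit == b"\x00\x00":
                return raw.decode("utf-16-le")
            raw += unit
        raise ValueError("no terminator within %d characters" % max_chars)


def build_debuggee():
    """Populate the image with the MessageBoxW frame from the question (constructed)."""
    mem = Memory()
    mem.write(TEXT_ADDR, 'Cannot find "hello"'.encode("utf-16-le") + b"\x00\x00")
    mem.write(CAPTION_ADDR, "Error".encode("utf-16-le") + b"\x00\x00")
    frame = struct.pack("<IIIII", RETURN_ADDR, 0, TEXT_ADDR, CAPTION_ADDR, 0x10)
    mem.write(STACK_BASE, frame)
    return mem


def stack_arg(mem, esp, n):
    """n-th (1-based) stdcall argument at function entry on x86: [esp + 4*n]."""
    return mem.ptr_ptr(esp + 4 * n)


def arg_contains(mem, esp, n, needle):
    """True if the n-th argument, read as a wide string, contains needle.
    Equivalent to pykd's: needle in loadWStr(ptrPtr(reg("esp") + 4*n))"""
    return needle in mem.load_wstr(stack_arg(mem, esp, n))


if __name__ == "__main__":
    mem = build_debuggee()
    print(arg_contains(mem, STACK_BASE, 2, "hello"))  # lpText contains hello
    print(arg_contains(mem, STACK_BASE, 3, "hello"))  # lpCaption does not
```

Inside WinDbg with pykd loaded, the same check is `"hello" in loadWStr(ptrPtr(reg("esp") + 8))`; the substring test works on the decoded Python string, so the embedded quotation marks that break $spat are never an issue.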