Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

String comparison in Windbg script

Using Windbg script I want to check the presence of a certain string in an argument of any function.

0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00422fc6 edx=00000000 esi=03d574e8 edi=00000005
eip=76d8fd3f esp=000cf7ac ebp=000cf7c8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
USER32!MessageBoxW:
76d8fd3f 8bff            mov     edi,edi

0:000> du poi(esp+8)
03d574e8  "Cannot find "hello""

Here the 2nd parameter passed to MessageBoxW is Cannot find "hello".

So I want to check the presence of string hello inside the 2nd argument.

Based on this MSDN article, I tried the following commands, but it's not working:

0:000> r $t1 = poi(esp+8)
0:000> as /mu $MSG $t1
0:000> .echo ${$MSG}
Cannot find "hello"
0:000> .if ($spat(@"${MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
NotFound

It should return Found I guess!

Thanks.

like image 369
Dev.K. Avatar asked Mar 31 '15 15:03

Dev.K.


1 Answers

What's wrong with escaping ${MSG}?

In the .if command you used, ${MSG} does not get replaced due to a missing $. Try searching for MSG as the proof:

0:001> .if ($spat(@"${MSG}","*MSG*") == 0) {.echo NotFound} .else {.echo Found}
Found

It gets replaced in

0:001> .if ($spat(${$MSG},"*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(Cannot find "hello","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

but that is missing has quotation marks before Cannot. It also gets replaced in

0:001> .if ($spat("${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '("Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

but there, the quotation marks are closed by the quotation marks inside the string. Also, the @ symbol does not help:

0:001> .if ($spat(@"${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(@"Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

So this is one of those cases where IMHO they forgot to consider escape characters in WinDbg. Very frustrating and always a source of errors.

Solution with PyKD extension

Luckily there is PyKD and the code to check for the string is

>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True

reg("esp") gets the value of the ESP register. +8 adds 8 of course. ptrPtr() gets a pointer sized value from that address. loadWStr() reads from that value until it hits a NUL character. "hello" in performs a find operation. You could also use .find("hello")>0.

Here's how I tried it:

0:003> .dvalloc 2000
Allocated 2000 bytes starting at 00470000
0:003> eu 00470000 "Cannot find \"hello\""
0:003> du 00470000 
00470000  "Cannot find "hello""
0:003> ep 00470000+1008 00470000 
0:003> r esp=00470000+1000
0:003> .load E:\debug\Extensions\pykd\x86\pykd.dll
0:003> !pycmd
Python 2.7.8 |Anaconda 2.1.0 (32-bit)| (default, Jul  2 2014, 15:13:35) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
>>> exit()

You can put the following code into a .PY file

from pykd import * 
print "hello" in loadWStr(ptrPtr(reg("esp")+8))

And then run it without the interactive console like this:

0:003> !py e:\debug\hello.py
True

Solution with WinDbg

In WinDbg, you need to get rid of the quotation marks. One way to do that is .foreach:

0:001> .foreach (token {.echo $MSG}){.echo ${token}}
Cannot
find
hello

The output does not contain quotation marks any more. Let's assign this output to another alias:

0:001> as /c NOQ .foreach (token {.echo ${$MSG}}){.echo ${token}}

With this new alias, your command will work:

0:001> .if ($spat("${NOQ}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Found
like image 51
Thomas Weller Avatar answered Oct 20 '22 18:10

Thomas Weller