String comparison in a WinDbg script

Dev*_*.K. 13 debugging windbg

Using a WinDbg script, I want to check whether a certain string is present in one of a function's arguments.

0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00422fc6 edx=00000000 esi=03d574e8 edi=00000005
eip=76d8fd3f esp=000cf7ac ebp=000cf7c8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
USER32!MessageBoxW:
76d8fd3f 8bff            mov     edi,edi

0:000> du poi(esp+8)
03d574e8  "Cannot find "hello""

Here the second argument passed to MessageBoxW is Cannot find "hello".

So I want to check whether the string hello is present in the second argument.

Based on this MSDN article, I tried the following commands, but it does not work:

0:000> r $t1 = poi(esp+8)
0:000> as /mu $MSG $t1
0:000> .echo ${$MSG}
Cannot find "hello"
0:000> .if ($spat(@"${MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
NotFound

It should return Found, I guess!

Thanks.

Tho*_*ler 11

What's wrong with escaping ${MSG}?

In the .if command you used, ${MSG} is not substituted because the $ is missing. Try searching for MSG as proof:

0:001> .if ($spat(@"${MSG}","*MSG*") == 0) {.echo NotFound} .else {.echo Found}
Found

It is substituted in

0:001> .if ($spat(${$MSG},"*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(Cannot find "hello","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

but the quotes before Cannot are missing. It is also substituted in

0:001> .if ($spat("${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '("Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

but there the quote is closed by the quote inside the string. The @ sign doesn't help either:

0:001> .if ($spat(@"${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(@"Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

So IMHO this is one of those cases where they forgot to consider escape characters in WinDbg. Very frustrating, and always a source of errors.

Solution with the PyKD extension

Fortunately there is PyKD, and the code to check for the string is

>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True

reg("esp") gets the value of the ESP register. +8 adds 8, of course. ptrPtr() gets a pointer-sized value from that address. loadWStr() reads from that value until it hits a NUL character. "hello" in performs the find operation. You could also use .find("hello")>0.

This is how I tried it:

0:003> .dvalloc 2000
Allocated 2000 bytes starting at 00470000
0:003> eu 00470000 "Cannot find \"hello\""
0:003> du 00470000 
00470000  "Cannot find "hello""
0:003> ep 00470000+1008 00470000 
0:003> r esp=00470000+1000
0:003> .load E:\debug\Extensions\pykd\x86\pykd.dll
0:003> !pycmd
Python 2.7.8 |Anaconda 2.1.0 (32-bit)| (default, Jul  2 2014, 15:13:35) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
>>> exit()

You can put the following code into a .py file

from pykd import * 
print "hello" in loadWStr(ptrPtr(reg("esp")+8))

and then run it without the interactive console:

0:003> !py e:\debug\hello.py
True

Solution with WinDbg

In WinDbg, you need to get rid of the quotes. One way is .foreach:

0:001> .foreach (token {.echo $MSG}){.echo ${token}}
Cannot
find
hello

The output no longer contains the quotes. Let's assign this output to another alias:

0:001> as /c NOQ .foreach (token {.echo ${$MSG}}){.echo ${token}}

With this new alias, your command works:

0:001> .if ($spat("${NOQ}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Found
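As an added example (not pykd's code and not the answer's own), the following Python emulates the ptrPtr/loadWStr read chain from the PyKD section over a constructed 32-bit memory image laid out like the answer's .dvalloc test (string at 0x00470000, esp at 0x00471000, pointer to the string at esp+8), so the argument check can be run offline; the address layout, the dictionary-backed memory and the bounded NUL walk are assumptions.

```python
import struct

# Constructed memory image (hypothetical, mirrors the answer's .dvalloc layout):
# UTF-16LE string at BASE, esp at BASE+0x1000, pointer to the string at esp+8.
BASE = 0x00470000
ESP = BASE + 0x1000
WSTR = 'Cannot find "hello"'
MEMORY = {}                       # addr -> byte value, emulated target memory
for i, b in enumerate(WSTR.encode("utf-16-le") + b"\x00\x00"):
    MEMORY[BASE + i] = b
for i, b in enumerate(struct.pack("<I", BASE)):
    MEMORY[ESP + 8 + i] = b       # MessageBoxW's 2nd stdcall arg lives at esp+8


def read_bytes(addr, n):
    """Read n bytes, failing on an unmapped address like a debugger read would."""
    try:
        return bytes(MEMORY[addr + i] for i in range(n))
    except KeyError:
        raise MemoryError("unmapped address 0x%08x" % addr)


def ptr_ptr(addr):
    """Emulates pykd.ptrPtr(): read a pointer-sized (4-byte, x86) little-endian value."""
    return struct.unpack("<I", read_bytes(addr, 4))[0]


def load_wstr(addr, max_chars=4096):
    """Emulates pykd.loadWStr(): collect UTF-16LE code units until the NUL terminator.
    max_chars bounds the walk so an unterminated string cannot scan memory forever."""
    units = []
    for i in range(max_chars):
        unit = read_bytes(addr + 2 * i, 2)
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def arg_contains(esp, arg_index, needle):
    """Check whether stdcall argument number arg_index (1-based, at esp+4*N on x86)
    points to a wide string containing needle. Plain Python substring search, so the
    embedded quotes that break $spat in WinDbg need no escaping here."""
    return needle in load_wstr(ptr_ptr(esp + 4 * arg_index))


if __name__ == "__main__":
    print(arg_contains(ESP, 2, "hello"))   # True
```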