First steps with WinDbg scripting… (Memento)

Here is a sample WinDbg script for people who don't want to waste time because they can't find any documentation.

Firstly, to declare a variable you must use the "r" command, and the name must be one of the pseudo-registers $t0..$tn (for example, r $t0 = nt!KdDebuggerEnabled).
Secondly, if you use the flag "/D" after ".printf" you can use pseudo-HTML (DML) markup inside the string.
Thirdly, to read the value at an address you use "poi()" on the pseudo-register with the "@" prefix, like poi(@$t0). Note that poi() reads a pointer-sized value; to read a single byte, such as a BOOLEAN flag, use by().
To write a byte or a dword, you should use "eb" or "ed".

And... the most fun part is that you can create clickable links with the following scheme:
.printf /D "<link cmd=\"COMMAND_TO_EXECUTE\">DISPLAY_TEXT</link>\n";

To execute a script, use:
kd> $$>< "FULL_SCRIPT_PATH"
The $$>< form condenses the whole file into a single command block, which is what allows the multi-line .if/.else braces in the script below to work.

References:
http://blogs.msdn.com/debuggingtoolbox/archive/tags/Windbg+Scripts/default.aspx
http://www.dumpanalysis.org/blog/index.php/category/windbg-scripts/


$$
$$ A sample of Windbg script: "KdDebuggerEnabled Control"
$$ Matthieu Suiche 08/2007
$$ http://www.msuiche.net
$$

r $t0 = nt!KdDebuggerEnabled;

$$
$$ by() reads the single BOOLEAN byte. poi() would read a pointer-sized value
$$ and include whatever bytes follow the flag, so the comparison could fail.
$$
.if (by(@$t0) == 1)
{
    .printf "\nThe debugger is enabled...\n";

    $$
    $$ We display the KdDebuggerEnabled byte.
    $$
    .printf /D "      nt!KdDebuggerEnabled <b>";
    db nt!KdDebuggerEnabled nt!KdDebuggerEnabled
    .printf /D "</b>\n";

    $$
    $$ We print a link command!
    $$
    .printf /D "<link cmd=\"eb @$t0 0x00\">Hermione! Show me how your HIDDEN talents are wonderful!</link>\n";

}
.else
{
    .printf /D "\nThe debugger is hidden. \n";

    $$
    $$ We display the KdDebuggerEnabled byte.
    $$
    .printf /D "      nt!KdDebuggerEnabled <b>";
    db nt!KdDebuggerEnabled nt!KdDebuggerEnabled
    .printf /D "</b>\n";

    $$
    $$ We print a link command!
    $$
    .printf /D "<link cmd=\"eb @$t0 0x01\">Oh Hermione please reset the debug flag!</link>\n";
}
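As an added example that is not part of the original post, here is a companion script built from the same pieces (pseudo-registers, by() for byte reads, .if/.else, .printf /D links and eb). It checks both kernel-debugger flags, keeps the original byte in $t1 so a link can restore it, and assumes a kernel-mode target where nt!KdDebuggerEnabled and nt!KdDebuggerNotPresent resolve; run it with $$><.

```windbg
$$
$$ Added example (not from the original post): inspect both kernel-debugger
$$ flags and offer DML links to change or restore nt!KdDebuggerEnabled.
$$ Assumes a kernel-mode target with nt symbols loaded.
$$

r $t0 = nt!KdDebuggerEnabled;
r $t2 = nt!KdDebuggerNotPresent;
$$ by() reads exactly one byte. poi() would read a pointer-sized value and
$$ pick up whatever bytes follow the BOOLEAN in the .data section.
r $t1 = by(@$t0);

.printf /D "<b>nt!KdDebuggerEnabled</b>    at %p = 0x%x\n", @$t0, by(@$t0);
.printf /D "<b>nt!KdDebuggerNotPresent</b> at %p = 0x%x\n", @$t2, by(@$t2);

$$ A visible kernel debugger leaves Enabled=1 and NotPresent=0. Any other
$$ combination means the flags were altered or no debugger is attached.
.if ((by(@$t0) == 1) & (by(@$t2) == 0))
{
    .printf "Flags are consistent: the kernel debugger is enabled and present.\n";
}
.else
{
    .printf "Flags disagree (Enabled=%d, NotPresent=%d): check before trusting the target.\n", by(@$t0), by(@$t2);
}

$$ Each link runs an eb command when clicked. The last one writes back the
$$ byte that was saved in $t1 when this script ran.
.printf /D "<link cmd=\"eb @$t0 0\">Clear</link> | ";
.printf /D "<link cmd=\"eb @$t0 1\">Set</link> | ";
.printf /D "<link cmd=\"eb @$t0 @$t1\">Restore saved value 0x%x</link>\n", @$t1;
```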
