WinDbg - 将字符串参数与内存中的字符串进行比较 [英] WinDbg - compare a string argument with a string from memory

问题描述

我需要将作为参数传递给 WinDbg 的字符串与内存中的字符串进行比较.如何实现?

I need to compare a string, passed as an argument to WinDbg with a string from memory. How can this be achieved?

例如，字符串位于加载的 PE 内的特定偏移量中.因此，我可以通过执行 da/c 100 轻松读取字符串.但是，我如何使用这个字符串，在 WinDbg 脚本中使用 .if 将它与 arg1 进行比较?(和 $SPAT()，我猜)

For example, the string is located in a specific offset within the loaded PE. So, I can easily read the string by executing da /c 100 <addr>. But, how can I use this string, to compare it with arg1, in a WinDbg script, using .if? (and $SPAT(), I guess)

我试图将 da 命令的输出读入别名或用户定义的寄存器，但没有成功.

I was trying to read the output of the da command into an Alias or a User-Defined Register, but I was unsuccessful.

推荐答案

您可以使用 as/c 将字符串分配给别名:

You can assign a string to an alias using as /c:

0:012> as /c Hello .printf "%ma", 06130000
0:012> .echo @"${Hello}"
Hello world

然后您可以在其上使用 $spat() :

You can then use $spat() on it:

0:012> ? $spat(@"${Hello}","*ell*")
Evaluate expression: 1 = 00000000`00000001
0:012> ? $spat(@"${Hello}","x*")
Evaluate expression: 0 = 00000000`00000000

要从命令行控制模式，请使用 -c 命令行开关设置另一个别名:

To control the pattern from the command line, set another alias using the -c command line switch:

windbg -c "as Pattern *ell*"

// this line is from the command line argument
0:006> as Pattern *ell*

0:006> .dvalloc 1000
Allocated 1000 bytes starting at 04610000
0:006> ea 04610000 "Hello world"
0:006> as /c Hello .printf "%ma", 04610000
0:006> .echo ${Pattern}
*ell*
0:006> .echo ${Hello}
Hello world
0:006> ? $spat(@"${Hello}", @"${Pattern}")
Evaluate expression: 1 = 00000001

这篇关于WinDbg - 将字符串参数与内存中的字符串进行比较的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！