String comparison in Windbg script


Problem description

Using Windbg script I want to check the presence of a certain string in an argument of any function.

0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00422fc6 edx=00000000 esi=03d574e8 edi=00000005
eip=76d8fd3f esp=000cf7ac ebp=000cf7c8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
USER32!MessageBoxW:
76d8fd3f 8bff            mov     edi,edi

0:000> du poi(esp+8)
03d574e8  "Cannot find "hello""

The 2nd argument passed to MessageBoxW is "Cannot find "hello"".

So I want to check the presence of string hello inside the 2nd argument.

Based on this MSDN article, I tried the following commands, but it's not working:

0:000> r $t1 = poi(esp+8)
0:000> as /mu $MSG $t1
0:000> .echo ${$MSG}
Cannot find "hello"
0:000> .if ($spat(@"${MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
NotFound

It should return Found, I guess!

Thanks.

Answer

What's wrong with escaping ${MSG}?

In the .if command you used, ${MSG} does not get replaced due to a missing $. Try searching for MSG as the proof:

0:001> .if ($spat(@"${MSG}","*MSG*") == 0) {.echo NotFound} .else {.echo Found}
Found

0:001> .if ($spat(${$MSG},"*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(Cannot find "hello","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

but that is missing has quotation marks before Cannot. It also gets replaced in

0:001> .if ($spat("${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '("Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

but there, the quotation marks are closed by the quotation marks inside the string. Also, the @ symbol does not help:

0:001> .if ($spat(@"${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(@"Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'

So this is one of those cases where IMHO they forgot to consider escape characters in WinDbg. Very frustrating and always a source of errors.

Luckily there is PyKD and the code to check for the string is

>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True

reg("esp") gets the value of the ESP register. +8 adds 8 of course. ptrPtr() gets a pointer sized value from that address. loadWStr() reads from that value until it hits a NUL character. "hello" in performs a find operation. You could also use .find("hello")>0.

Here's how I tried it:

0:003> .dvalloc 2000
Allocated 2000 bytes starting at 00470000
0:003> eu 00470000 "Cannot find \"hello\""
0:003> du 00470000 
00470000  "Cannot find "hello""
0:003> ep 00470000+1008 00470000 
0:003> r esp=00470000+1000
0:003> .load E:\debug\Extensions\pykd\x86\pykd.dll
0:003> !pycmd
Python 2.7.8 |Anaconda 2.1.0 (32-bit)| (default, Jul  2 2014, 15:13:35) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
>>> exit()

You can put the following code into a .PY file

from pykd import * 
print "hello" in loadWStr(ptrPtr(reg("esp")+8))

And then run it without the interactive console like this:

0:003> !py e:\debug\hello.py
True


Solution using WinDbg

In WinDbg, you need to get rid of the quotation marks. One way is .foreach:

0:001> .foreach (token {.echo $MSG}){.echo ${token}}
Cannot
find
hello

The output does not contain quotation marks any more. Let's assign this output to another alias:

0:001> as /c NOQ .foreach (token {.echo ${$MSG}}){.echo ${token}}

With this new alias, your command will work:

0:001> .if ($spat("${NOQ}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Found
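To make explicit what ptrPtr() and loadWStr() do behind the one-liner in the answer, here is an added example (not from the answer, and not pykd itself) that rebuilds the .dvalloc/ep/r esp setup shown above in a constructed byte buffer and performs the same two reads in plain Python. The addresses 00470000, +1000 and +1008, the 32-bit pointer size and the message text are taken from the answer's session; the helper names are assumptions.

```python
import struct

# Constructed memory image mirroring the answer's WinDbg setup (assumption):
# a wide string at 0x00470000, a pointer to it at 0x00470000+0x1008, and ESP
# at 0x00470000+0x1000, so [esp+8] holds the 2nd (lpText) argument.
BASE = 0x00470000
MSG = 'Cannot find "hello"'
REGS = {"esp": BASE + 0x1000}  # r esp=00470000+1000


def build_memory():
    mem = bytearray(0x2000)  # .dvalloc 2000
    text = MSG.encode("utf-16-le") + b"\x00\x00"  # eu 00470000 "Cannot find \"hello\""
    mem[0:len(text)] = text
    struct.pack_into("<I", mem, 0x1008, BASE)  # ep 00470000+1008 00470000
    return mem


def reg(name):
    """Register read, like pykd.reg()."""
    return REGS[name]


def ptr_ptr(mem, addr):
    """Read a 32-bit little-endian pointer (x86 target), like pykd.ptrPtr()."""
    return struct.unpack_from("<I", mem, addr - BASE)[0]


def load_wstr(mem, addr):
    """Read UTF-16LE code units until a NUL terminator, like pykd.loadWStr()."""
    off = end = addr - BASE
    while end + 2 <= len(mem) and mem[end:end + 2] != b"\x00\x00":
        end += 2
    return bytes(mem[off:end]).decode("utf-16-le")


def second_arg_contains(mem, needle):
    s = load_wstr(mem, ptr_ptr(mem, reg("esp") + 8))
    # str.find() returns -1 when absent and 0 for a hit at offset 0, so test >= 0
    return s.find(needle) >= 0


if __name__ == "__main__":
    print(second_arg_contains(build_memory(), "hello"))  # True
```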
