Do $scmp(), $sicmp(), $spat() take expressions?

raj_r Member - All Emails Posts: 981
I was trying to use the function $scmp and was providing it with an
expression and a literal string to compare,
and it simply errs with a syntax error (quoting, single quoting,
escaped quoting, plain raw expression, alias evaluation of the expression:
nothing seems to work).

It just seems to work with two literals like $scmp("what the *" ,"what the *").

If I do $scmp (foo , "What the *")

where foo might be @@C++ (XXX *)@@masm(poi(someglobal)->memberofstruct
then I get a syntax error.

Are expressions supported?

In $spat() it is documented that I can use wildcards for "Pattern", but
I get a syntax error there too.

And the beauty is:
if foo is an alias to some expression and

I do, say, $spat ( "foo" , foo);

the echoed-back output with the error shows me that

the engine has replaced both foos with the expression :) and still
finds some syntax error.

Any pointers? How do I use these functions in a script?


lkd> ?? (char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName
char * 0x85f8e57c
"windbg.exe"


lkd> as foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> al
Alias Value
------- -------
foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

lkd> ? foo
Evaluate expression: -2047285892 = 85f8e57c
lkd> da foo
85f8e57c "windbg.exe"

lkd> ? $scmp(foo,foo)
Syntax error at '(foo,foo)'
lkd> ? $scmp("foo","foo")
Evaluate expression: 0 = 00000000
lkd> ? $scmp("foo","foa")
Evaluate expression: -1 = ffffffff
lkd> ? $scmp("foo","fo")
Evaluate expression: -1 = ffffffff
lkd> ? $scmp("foo",foo)
Syntax error at '("@@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)",foo)'
lkd> ? $spat("foo",foo)
Syntax error at '("@@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)",foo)'
lkd> ? $spat(foo,foo)
Syntax error at '(foo,foo)'

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,198
    Your alias is ultimately resolving to an address but the operators expect
    quoted strings:

    1: kd> as ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

    1: kd> al
    Alias Value
    ------- -------
    foo @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

    1: kd> ? ${foo}
    Evaluate expression: -2065147404 = 84e859f4

    So this would be the same as passing 0x84e859f4 to the string compare
    operation:

    1: kd> ? $scmp(84e859f4,"foa")
    Syntax error at '(84e859f4,"foa")'

    What you want is the alias to become the string pointed to by that address,
    which is where the /ma switch comes in:

    1: kd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    1: kd> al
    Alias Value
    ------- -------
    foo sndvol32.exe

    Now you can pass that to the string operations (adding quotes, which are not
    implied in the alias):

    1: kd> ? $scmp("${foo}","foa")
    Evaluate expression: 1 = 00000001
    1: kd> ? $scmp("${foo}","sndvol32.exe")
    Evaluate expression: 0 = 00000000

    Note that I always enclose my aliases in the expression evaluator operator,
    "${}" so that it's explicit that I'm talking about an alias.

    -scott
    OSR


  • mm Member - All Emails Posts: 1,410
    Ladies & gentlemen, how about that MVP Snoone?



    mm

    ---
    WINDBG is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer
  • Tim_Roberts Member - All Emails Posts: 13,158
    Scott Noone wrote:
    > Your alias is ultimately resolving to an address but the operators expect
    > quoted strings:
    >
    > 1: kd> as /ma ${/v:foo} @@c++((char
    > *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

    How can you type that with a straight face? It makes my head hurt.
    Does using a debugger really have to be as incomprehensible as
    programming in APL?

    Clearly, what the world needs most right now is a Windbg clone with an
    embedded Python interpreter...

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • raj_r Member - All Emails Posts: 981
    Thanks Scott.

    Well, I must have been fooled by the "cannot evaluate" result when I used
    ? foo with /ma:

    lkd> as /ma foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    lkd> al
    Alias Value
    ------- -------
    foo firefox.exe
    lkd> ? foo
    Couldn't resolve error at 'firefox.exe'
    lkd> ? ${foo}
    Couldn't resolve error at 'firefox.exe'
    lkd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    lkd> al
    Alias Value
    ------- -------
    foo firefox.exe
    lkd> ? ${foo}
    Couldn't resolve error at 'firefox.exe'
    lkd> ? foo
    Couldn't resolve error at 'firefox.exe'
    lkd> foo
    Couldn't resolve error at 'irefox.exe'
    lkd> as ${/v:foo} @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    lkd> al
    Alias Value
    ------- -------
    foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    lkd> ? foo
    Evaluate expression: -2047151724 = 85faf194
    lkd> ?? foo
    char * 0x85faf194
    "firefox.exe"
    lkd> as foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    lkd> al
    Alias Value
    ------- -------
    foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    lkd> ?? foo
    char * 0x85faf194
    "firefox.exe"
    lkd> ? foo
    Evaluate expression: -2047151724 = 85faf194


    Since ? foo and ?? foo were returning a result for the plain alias, I tried
    using it in a script and it was returning a syntax error.
  • Scott_Noone_(OSR) Administrator Posts: 3,198
    "Tim Roberts" wrote in message news:[email protected]
    >How can you type that with a straight face?

    Who said I did? I'll have to get a live webcam going in the office :)

    It's not that bad once you get a feel for the operators and the quirkiness
    of the two evaluators. This expression also takes a bit of a leap of faith
    that (*(PsActiveProcessHead+4))-88) actually means something, so you have to
    have some idea about the data structures involved if you're going to have a
    chance.

    >Clearly, what the worlds needs most right now is a Windbg clone with an
    >embedded Python interpreter...

    Someone wrote a Python extension:

    http://pykd.codeplex.com/

    I keep meaning to take the time to learn Python so I can evaluate if this
    actually works. If someone who already knows Python wants to try it and let
    me know their experience I'd like to hear about it.

    -scott


  • raj_r Member - All Emails Posts: 981
    > This expression also takes a bit of a leap of faith that
    > (*(PsActiveProcessHead+4))-88) actually means something

    Hehe, I knew anyone dealing with debuggers day in, day out would figure
    out those constants in a jiffy.

    It is far easier to type in constants than to type text that spans
    multiple lines in the command window.

    Instead of 4 and 88 you would need about two lines of bs to get the same thing.

    If you want an expression that is more OS-friendly you would
    need something like the below:

    lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
    char * 0x85faf194
    "firefox.exe"

    blink = 4
    activeprocesslinks = 88
    ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
  • raj_r Member - All Emails Posts: 981
    And one needs to quote too, even if you make an alias, which is what I was
    actually missing. :)

    It now works and I get a bool result if I use it like below; comments on OS
    and/or structure offset independence and/or robustness are welcome.

    lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    lkd> al
    Alias Value
    ------- -------
    foo firefox.exe
    lkd> ? $scmp(foo,"firefox.exe")
    Syntax error at '(foo,"firefox.exe")'
    lkd> ? $scmp(${foo},"firefox.exe")
    Syntax error at '(firefox.exe,"firefox.exe")' <---------- look at this :)
    lkd> ? $scmp("${foo}","firefox.exe")
    Evaluate expression: 0 = 00000000
  • OSR_Community_User Member Posts: 110,217
    We used to refer to this as "death by insidious quoting". Most
    interpreted languages that allow quoted strings usually suffer from this;
    every Unix shell (and the shells had inconsistent rules for how to handle
    them), and in general the problem is that you need to know how many levels
    of macros the parameter is passed through to know how many quotes to add.
    C finally solved this with the # (and ##) preprocessor operators. It
    mostly works, most of the time.
    joe

  • raj_r Member - All Emails Posts: 981
    so i have this in a script file

    as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
    *)@@masm(nt!PsActiveProcessHead))->Blink) -
    @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe')
    == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"

    run the script

    kd> $<.\scripts\logret.txt

    kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
    *)@@masm(nt!PsActiveProcessHead))->Blink) -
    @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    kd> bu nt!PspCreateProcess ".block { gu;.if (
    $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else
    {.printf '%ma' , ${foo}; } }"
    breakpoint 0 redefined
    kd> al
    Alias Value
    ------- -------
    foo cmd.exe
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess ".block { gu;.if (
    $scmp('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else
    {.printf '%ma' , cmd.exe; } }"

    kd> g
    Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    started';g;} .else {.printf '%ma' , cmd.exe; } '
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    kd> g
    Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    started';g;} .else {.printf '%ma' , cmd.exe; } '
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    kd> g
    Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    started';g;} .else {.printf '%ma' , cmd.exe; } '
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)

    I don't know what syntax I need to give this.

    If I use double quotes over foo like "${foo}" it errs,
    if I escape like \"${foo}\" it errs,
    in single quotes it errs.

    Also it seems expansion doesn't take place, since I am doing something
    stupid with quotes :( or with the placement of .block.

    Any pointers?

    On 10/4/12, [email protected] <[email protected]> wrote:
    > We used to refer to this as "death by insidious quoting". Most
    > interpreted languages that allow quoted strings usually suffer from this;
    > every Unix shell (and the shells had inconsistent rules for how to handle
    > them), and in general the problem is that you need to know how many levels
    > of macros the parameter is passed through to know how many quotes to add.
    > C finally solved this with the # (and ##) preprocessor operators. It
    > mostly works, most of the time.
    > joe
    >
    >> and one needs to quote too even if you make an alias is what i was
    >> actually missing to grasp :)
    >>
    >> it now works and i get a bool result if i use it like below and
    >> comments on os and / or structure offset independentness and /or
    >> robust welcome
    >>
    >> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
    >> *)@@masm(nt!PsActiveProcessHead))->Blink) -
    >> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    >> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    >> lkd> al
    >> Alias Value
    >> ------- -------
    >> foo firefox.exe
    >> lkd> ? $scmp(foo,"firefox.exe")
    >> Syntax error at '(foo,"firefox.exe")'
    >> lkd> ? $scmp(${foo},"firefox.exe")
    >> Syntax error at '(firefox.exe,"firefox.exe")' <---------- look at this
    >> :)
    >> lkd> ? $scmp("${foo}","firefox.exe")
    >> Evaluate expression: 0 = 00000000
    >>
    >>
    >>
    >>
    >> On 10/4/12, raj_r <[email protected]> wrote:
    >>> This expression also takes a bit of a leap of faith that
    >>> (*(PsActiveProcessHead+4))-88) actually means something
    >>>
    >>> hehe i knew anyone dealing with debuggers day in day out would figure
    >>> that constants in a jiffy
    >>>
    >>> it is far more easy to type in constants than typing text that spans
    >>> multiple lines in the command window
    >>>
    >>> instead of 4 and 88 you would need about two lines of bs to get the same
    >>> thing
    >>>
    >>> if you want something that is more os friendly expression you would
    >>> need something like below
    >>>
    >>> lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY
    >>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
    >>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    >>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
    >>> char * 0x85faf194
    >>> "firefox.exe"
    >>>
    >>> blink = 4
    >>> activeprocesslinks = 88
    >>> ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
    >>>
    >>>
    >>>
    >>> On 10/4/12, Scott Noone <[email protected]> wrote:
    >>>> "Tim Roberts" wrote in message news:[email protected]
    >>>>>How can you type that with a straight face?
    >>>>
    >>>> Who said I did? I'll have to get a live webcam going in the office :)
    >>>>
    >>>> It's not that bad once you get a feel for the operators and the quirkiness
    >>>> of the two evaluators. This expression also takes a bit of a leap of faith
    >>>> that (*(PsActiveProcessHead+4))-88) actually means something, so you have
    >>>> to have some idea about the data structures involved if you're going to
    >>>> have a chance.
    >>>>
    >>>>>Clearly, what the worlds needs most right now is a Windbg clone with an
    >>>>>embedded Python interpreter...
    >>>>
    >>>> Someone wrote a Python extension:
    >>>>
    >>>> http://pykd.codeplex.com/
    >>>>
    >>>> I keep meaning to take the time to learn Python so I can evaluate if this
    >>>> actually works. If someone who already knows Python wants to try it and let
    >>>> me know their experience I'd like to hear about it.
    >>>>
    >>>> -scott
    >>>>
    >>>>
    >>>>
    >>>> "Tim Roberts" wrote in message news:[email protected]
    >>>>
    >>>> Scott Noone wrote:
    >>>>> Your alias is ultimately resolving to an address but the operators expect
    >>>>> quoted strings:
    >>>>>
    >>>>> 1: kd> as /ma ${/v:foo} @@c++((char
    >>>>> *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    >>>>
    >>>> How can you type that with a straight face? It makes my head hurt.
    >>>> Does using a debugger really have to be as incomprehensible as
    >>>> programming in APL?
    >>>>
    >>>> Clearly, what the worlds needs most right now is a Windbg clone with an
    >>>> embedded Python interpreter...
    >>>>
    >>>> --
    >>>> Tim Roberts, [email protected]
    >>>> Providenza & Boekelheide, Inc.
  • Pavel_APavel_A Member Posts: 2,691
    On 03-Oct-2012 22:09, Tim Roberts wrote:
    > Clearly, what the worlds needs most right now is a Windbg clone with an
    > embedded Python interpreter...

    Sort of... http://pykd.codeplex.com/

    -- pa
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,198
    "raj_r" wrote in message news:[email protected]
    >hehe i knew anyone dealing with debuggers day in day out would figure
    >that constants in a jiffy
    >
    >it is far more easy to type in constants than typing text that spans
    >multiple lines in the command window

    Absolutely. I use constant values all the time for expressions that I enter;
    no point in being OS independent if you're just doing a one-off command. The
    only time it really matters is if you're writing a script to be used over and
    over, in which case you have the luxury of whitespace and comments.

    -scott
    OSR

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,198
    "raj_r" wrote in message news:[email protected]
    >so i have this in a script file
    ...
    >kd> g
    >Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    >started';g;} .else {.printf '%ma' , cmd.exe; } '

    You still want the double quotes. However, in this case you're doing a
    conditional breakpoint:

    bu address "command"

    So the quotes need to be escaped. Something like:

    ".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc
    started';} .else {.printf \"${foo}\"; g} }"

    (Note that I also changed your printf statement as the alias is not an
    address, it's a string!)

    Which, yes, is spaghetti. The fact that it's a conditional breakpoint means
    that it has special quoting rules AND that it has to all fit on one line,
    which makes it pretty much impossible for a human to parse. The trick that I
    use though is to work on the command in a more natural format and then
    collapse it when I want to try it (this could also be automated through
    scripting, but the manual approach works):

    .block
    {
    gu;
    .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 )
    {
    .echo 'calc started';
    }
    .else
    {
    .printf \"${foo}\";
    g
    }
    }

    I know that you mentioned you tried it with escape quotes and that it didn't
    work, but I suspect there was something else going on (such as the printf).

    Also, I don't think this script does exactly what you're expecting. In the
    case of this script, the value of ${foo} stays constant and does not
    reevaluate for each invocation of the breakpoint. I'll let you deal with
    that one when you get to it though :)

    -scott
    OSR

  • raj_rraj_r Member - All Emails Posts: 981
    > I'll let you deal with that one when you get to it though :)

    You may as well say how now, so that the archive has an informative thread,
    because I found another route and made it more generic.

    If I get stuck on one rock I tend to simply flow away through its
    sides till I eventually reach the ocean.

    Here is how I did what I wanted.


    F:\windbg\scripts>type logcrap.txt

    bu nt!PspCreateProcess "gu; $$>a< .\\scripts\\testscr.txt ${$arg1}"

    F:\windbg\612windbg\scripts>type testscr.txt

    as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    .block { .if ($scmp("${foo}","${$arg1}") == 0) {.echo ${$arg1}.exe started stopping windbg;} .else { .echo ${foo};g }}


    kd> sxe ibp;.reboot
    Shutdown occurred at (Thu Oct 4 23:37:10.125 2012 (UTC +
    5:30))...unloading all symbol tables.
    Waiting to reconnect...
    Connected to Windows XP 2600 x86 compatible target at (Thu Oct 4
    23:37:23.093 2012 (UTC + 5:30)), ptr64 FALSE

    cut version info

    nt!RtlpBreakWithStatusInstruction:
    804e3592 cc int 3

    kd> $$>a< .\scripts\logcrap.txt smss.exe
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a<
    .\\scripts\\testscr.txt smss.exe"

    kd> g

    smss.exe.exe started stopping windbg <-----------------------------
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    kd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS 81291830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1000b50 HandleCount: 35.
    Image: System

    PROCESS ffb5a998 SessionId: none Cid: 0194 Peb: 7ffdd000 ParentCid: 0004
    DirBase: 06c37000 ObjectTable: e17fd5d0 HandleCount: 0.
    Image: smss.exe

    kd> we can now set process-specific bps on smss.exe as the EPROCESS is now
    available but with no active threads yet
    kd> let's break on logonui.exe

    kd> $$>a< .\scripts\logcrap.txt logonui.exe
    breakpoint 0 redefined
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a<
    .\\scripts\\testscr.txt logonui.exe"

    kd> g
    autochk.exe
    csrss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    logonui.exe.exe started stopping windbg
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    kd> let's break on some autorun malware, say calc.exe

    kd> $$>a< .\scripts\logcrap.txt calc.exe
    breakpoint 0 redefined
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a<
    .\\scripts\\testscr.txt calc.exe"

    kd> g
    svchost.exe
    spoolsv.exe
    userinit.exe
    explorer.exe
    ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
    ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
    ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
    vmusrvc.exe
    calc.exe.exe started stopping windbg
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)

    kd> if there is a process creation windbg will let me know in kernel
    mode who wants sxe cpr:process
    kd> btw pavel lebedynsky posted a sequence to break in kernel mode in
    another thread
    kd> might have to check it as it talks about ntuserProcessXXX api and
    resetting of global flags and loading of kernel symbols +ksl flag in
    !gflag






    F:\windbg\scripts>


    On 10/4/12, Scott Noone <[email protected]> wrote:
    > "raj_r" wrote in message news:[email protected]
    >>so i have this in a script file
    > ...
    >>kd> g
    >>Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    >>started';g;} .else {.printf '%ma' , cmd.exe; } '
    >
    > You still want the double quotes. However, in this case you're doing a
    > conditional breakpoint:
    >
    > bu address "command"
    >
    > So the quotes need to be escaped. Something like:
    >
    > ".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc
    > started';} .else {.printf \"${foo}\"; g} }"
    >
    > (Note that I also changed your printf statement as the alias is not an
    > address, it's a string!)
    >
    > Which, yes, is spaghetti. The fact that it's a conditional breakpoint means
    >
    > that is has special quoting rules AND that it has to all fit on one line,
    > which makes it pretty much impossible for a human to parse. The trick that I
    >
    > use though is to work on the command in a more natural format and then
    > collapse it when I want to try it (this could also be automated through
    > scripting, but the manual approach works):
    >
    > .block
    > {
    > gu;
    > .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 )
    > {
    > .echo 'calc started';
    > }
    > .else
    > {
    > .printf \"${foo}\";
    > g
    > }
    > }
    >
    > I know that you mentioned you tried it with escape quotes and that it didn't
    >
    > work, but I suspect there was something else going on (such as the printf).
    >
    > Also, I don't think this script does exactly what you're expecting. In the
    >
    > case of this script, the value of ${foo} stays constant and does not
    > reevaluate for each invocation of the breakpoint. I'll let you deal with
    > that one when you get to it though :)
    >
    > -scott
    >
    >
    >
    > "raj_r" wrote in message news:[email protected]
    >
    > so i have this in a script file
    >
    > as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
    > *)@@masm(nt!PsActiveProcessHead))->Blink) -
    > @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    > @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    > bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe')
    > == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"
    >
    > run the script
    >
    > kd> $<.\scripts\logret.txt
    >
    > kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
    > *)@@masm(nt!PsActiveProcessHead))->Blink) -
    > @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    > @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    > kd> bu nt!PspCreateProcess ".block { gu;.if (
    > $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else
    > {.printf '%ma' , ${foo}; } }"
    > breakpoint 0 redefined
    > kd> al
    > Alias Value
    > ------- -------
    > foo cmd.exe
    > kd> bl
    > 0 e 805802e7 0001 (0001) nt!PspCreateProcess ".block { gu;.if (
    > $scmp('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else
    > {.printf '%ma' , cmd.exe; } }"
    >
    > kd> g
    > Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    > started';g;} .else {.printf '%ma' , cmd.exe; } '
    > nt!NtCreateProcessEx+0x7e:
    > 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    > kd> g
    > Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    > started';g;} .else {.printf '%ma' , cmd.exe; } '
    > nt!NtCreateProcessEx+0x7e:
    > 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    > kd> g
    > Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    > started';g;} .else {.printf '%ma' , cmd.exe; } '
    > nt!NtCreateProcessEx+0x7e:
    > 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    >
    > i dont know what syntax i need to give this to
    >
    > if i use double quotes over foo like "${foo}" it errs
    > if i escape like \"${foo}\" it errs
    > in single quote it errs
    >
    > also it seems expansion doesn't take place since iam doing something
    > stupid with quotes :( or placement of .block
    >
    > any pointers
    >
    > On 10/4/12, [email protected] <[email protected]> wrote:
    >> We used to refer to this as "death by insidious quoting". Most
    >> interpreted languages that allow quoted strings usually suffer from this;
    >> every Unix shell (and the shells had inconsistent rules for how to handle
    >> them), and in general the problem is that you need to know how many
    >> levels
    >> of macros the parameter is passed through to know how many quotes to add.
    >> C finally solved this with the # (and ##) preprocessor operators. It
    >> mostly works, most of the time.
    >> joe
    >>
    >>> and one needs to quote too even if you make an alias is what i was
    >>> actually missing to grasp :)
    >>>
    >>> it now works and i get a bool result if i use it like below and
    >>> comments on os and / or structure offset independentness and /or
    >>> robust welcome
    >>>
    >>> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
    >>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
    >>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    >>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    >>> lkd> al
    >>> Alias Value
    >>> ------- -------
    >>> foo firefox.exe
    >>> lkd> ? $scmp(foo,"firefox.exe")
    >>> Syntax error at '(foo,"firefox.exe")'
    >>> lkd> ? $scmp(${foo},"firefox.exe")
    >>> Syntax error at '(firefox.exe,"firefox.exe")' <---------- look at this
    >>> :)
    >>> lkd> ? $scmp("${foo}","firefox.exe")
    >>> Evaluate expression: 0 = 00000000
    >>>
    >>>
    >>>
    >>>
    >>> On 10/4/12, raj_r <[email protected]> wrote:
    >>>> This expression also takes a bit of a leap of faith that
    >>>> (*(PsActiveProcessHead+4))-88) actually means something
    >>>>
    >>>> hehe i knew anyone dealing with debuggers day in day out would figure
    >>>> that constants in a jiffy
    >>>>
    >>>> it is far more easy to type in constants than typing text that spans
    >>>> multiple lines in the command window
    >>>>
    >>>> instead of 4 and 88 you would need about two lines of bs to get the
    >>>> same
    >>>> thing
    >>>>
    >>>> if you want something that is more os friendly expression you would
    >>>> need something like below
    >>>>
    >>>> lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY
    >>>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
    >>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
    >>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
    >>>> char * 0x85faf194
    >>>> "firefox.exe"
    >>>>
    >>>> blink = 4
    >>>> activeprocesslinks = 88
    >>>> ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
    >>>>
    >>>>
    >>>>
    >>>> On 10/4/12, Scott Noone <[email protected]> wrote:
    >>>>> "Tim Roberts" wrote in message news:[email protected]
    >>>>>>How can you type that with a straight face?
    >>>>>
    >>>>> Who said I did? I'll have to get a live webcam going in the office :)
    >>>>>
    >>>>> It's not that bad once you get a feel for the operators and the
    >>>>> quirkiness
    >>>>> of the two evaluators. This expression also takes a bit of a leap of
    >>>>> faith
    >>>>> that (*(PsActiveProcessHead+4))-88) actually means something, so you
    >>>>> have
    >>>>> to
    >>>>>
    >>>>> have some idea about the data structures involved if you're going to
    >>>>> have
    >>>>> a
    >>>>>
    >>>>> chance.
    >>>>>
    >>>>>>Clearly, what the worlds needs most right now is a Windbg clone with
    >>>>>> an
    >>>>>>embedded Python interpreter...
    >>>>>
    >>>>> Someone wrote a Python extension:
    >>>>>
    >>>>> http://pykd.codeplex.com/
    >>>>>
    >>>>> I keep meaning to take the time to learn Python so I can evaluate if
    >>>>> this
    >>>>> actually works. If someone who already knows Python wants to try it
    >>>>> and
    >>>>> let
    >>>>>
    >>>>> me know their experience I'd like to hear about it.
    >>>>>
    >>>>> -scott
    >>>>>
    >>>>>
    >>>>>
    >>>>> "Tim Roberts" wrote in message news:[email protected]
    >>>>>
    >>>>> Scott Noone wrote:
    >>>>>> Your alias is ultimately resolving to an address but the operators
    >>>>>> expect
    >>>>>> quoted strings:
    >>>>>>
    >>>>>> 1: kd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
    >>>>>
    >>>>> How can you type that with a straight face? It makes my head hurt.
    >>>>> Does using a debugger really have to be as incomprehensible as
    >>>>> programming in APL?
    >>>>>
    >>>>> Clearly, what the world needs most right now is a Windbg clone with
    >>>>> an embedded Python interpreter...
    >>>>>
    >>>>> --
    >>>>> Tim Roberts, [email protected]
    >>>>> Providenza & Boekelheide, Inc.
    >>>>>
    >>>>>
    >>>>> ---
    >>>>> WINDBG is sponsored by OSR
    >>>>>
    >>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
    >>>>> http://www.osr.com/seminars
    >>>>>
    >>>>> To unsubscribe, visit the List Server section of OSR Online at
    >>>>> http://www.osronline.com/page.cfm?name=ListServer
    >>>>>
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,198
    That's pretty much it, the problem with the script before was that it set
    the alias before it set the breakpoint. In order for it to work properly,
    setting the alias had to be part of the conditional breakpoint expression.

    In the end, much easier to put everything into a script and have the
    conditional expression launch the script.

    -scott


    "raj_r" wrote in message news:[email protected]

    > I'll let you deal with that one when you get to it though :)

    You may as well say how now, so that the archive has an informational thread,
    because I found another route and made it more generic.

    If I get stuck on one rock, I tend to simply flow around its sides till I
    eventually reach the ocean.

    Here is how I did what I wanted:


    F:\windbg\scripts>type logcrap.txt

    bu nt!PspCreateProcess "gu; $$>a< .\\scripts\\testscr.txt ${$arg1}"

    F:\windbg\612windbg\scripts>type testscr.txt

    as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    .block { .if ($scmp("${foo}","${$arg1}") == 0) {.echo ${$arg1}.exe started stopping windbg;} .else { .echo ${foo};g }}


    kd> sxe ibp;.reboot
    Shutdown occurred at (Thu Oct 4 23:37:10.125 2012 (UTC +
    5:30))...unloading all symbol tables.
    Waiting to reconnect...
    Connected to Windows XP 2600 x86 compatible target at (Thu Oct 4
    23:37:23.093 2012 (UTC + 5:30)), ptr64 FALSE

    cut version info

    nt!RtlpBreakWithStatusInstruction:
    804e3592 cc int 3

    kd> $$>a< .\scripts\logcrap.txt smss.exe
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a< .\\scripts\\testscr.txt smss.exe"

    kd> g

    smss.exe.exe started stopping windbg <-----------------------------
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    kd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS 81291830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1000b50 HandleCount: 35.
    Image: System

    PROCESS ffb5a998 SessionId: none Cid: 0194 Peb: 7ffdd000 ParentCid: 0004
    DirBase: 06c37000 ObjectTable: e17fd5d0 HandleCount: 0.
    Image: smss.exe

    kd> We can now set process-specific bps on smss.exe, as the EPROCESS is now
    available, but with no active threads yet.
    kd> Let's break on logonui.exe.

    kd> $$>a< .\scripts\logcrap.txt logonui.exe
    breakpoint 0 redefined
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a< .\\scripts\\testscr.txt logonui.exe"

    kd> g
    autochk.exe
    csrss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    logonui.exe.exe started stopping windbg
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    kd> Let's break on some autorun malware, say calc.exe.

    kd> $$>a< .\scripts\logcrap.txt calc.exe
    breakpoint 0 redefined
    kd> bl
    0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a< .\\scripts\\testscr.txt calc.exe"

    kd> g
    svchost.exe
    spoolsv.exe
    userinit.exe
    explorer.exe
    ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
    ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
    ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
    vmusrvc.exe
    calc.exe.exe started stopping windbg
    nt!NtCreateProcessEx+0x7e:
    8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)

    kd> If there is a process creation, windbg will let me know in kernel
    mode; who wants sxe cpr:process?
    kd> BTW, Pavel Lebedynsky posted a sequence to break in kernel mode in
    another thread.
    kd> Might have to check it, as it talks about the ntuserProcessXXX API,
    resetting of global flags, and loading of kernel symbols (+ksl flag in
    !gflag).

    F:\windbg\scripts>


    On 10/4/12, Scott Noone <[email protected]> wrote:
    > "raj_r" wrote in message news:[email protected]
    >>so i have this in a script file
    > ...
    >>kd> g
    >>Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    >>started';g;} .else {.printf '%ma' , cmd.exe; } '
    >
    > You still want the double quotes. However, in this case you're doing a
    > conditional breakpoint:
    >
    > bu address "command"
    >
    > So the quotes need to be escaped. Something like:
    >
    > ".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc started';} .else {.printf \"${foo}\"; g} }"
    >
    > (Note that I also changed your printf statement as the alias is not an
    > address, it's a string!)
    >
    > Which, yes, is spaghetti. The fact that it's a conditional breakpoint
    > means that it has special quoting rules AND that it has to all fit on
    > one line, which makes it pretty much impossible for a human to parse.
    > The trick that I use though is to work on the command in a more natural
    > format and then collapse it when I want to try it (this could also be
    > automated through scripting, but the manual approach works):
    >
    > .block
    > {
    > gu;
    > .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 )
    > {
    > .echo 'calc started';
    > }
    > .else
    > {
    > .printf \"${foo}\";
    > g
    > }
    > }
    >
    > I know that you mentioned you tried it with escape quotes and that it
    > didn't work, but I suspect there was something else going on (such as
    > the printf).
    >
    > Also, I don't think this script does exactly what you're expecting. In
    > the case of this script, the value of ${foo} stays constant and does
    > not reevaluate for each invocation of the breakpoint. I'll let you deal
    > with that one when you get to it though :)
    >
    > -scott
    >
    >
    >
    > "raj_r" wrote in message news:[email protected]
    >
    > so i have this in a script file
    >
    > as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    > bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"
    >
    > run the script
    >
    > kd> $<.\scripts\logret.txt
    >
    > kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    > kd> bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"
    > breakpoint 0 redefined
    > kd> al
    > Alias Value
    > ------- -------
    > foo cmd.exe
    > kd> bl
    > 0 e 805802e7 0001 (0001) nt!PspCreateProcess ".block { gu;.if ( $scmp('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } }"
    >
    > kd> g
    > Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    > started';g;} .else {.printf '%ma' , cmd.exe; } '
    > nt!NtCreateProcessEx+0x7e:
    > 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    > kd> g
    > Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    > started';g;} .else {.printf '%ma' , cmd.exe; } '
    > nt!NtCreateProcessEx+0x7e:
    > 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    > kd> g
    > Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc
    > started';g;} .else {.printf '%ma' , cmd.exe; } '
    > nt!NtCreateProcessEx+0x7e:
    > 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
    >
    > I don't know what syntax I need to give this.
    >
    > If I use double quotes around foo like "${foo}" it errs.
    > If I escape like \"${foo}\" it errs.
    > In single quotes it errs.
    >
    > Also it seems expansion doesn't take place, since I am doing something
    > stupid with quotes :( or with the placement of .block.
    >
    > Any pointers?
    >
    > On 10/4/12, [email protected] <[email protected]> wrote:
    >> We used to refer to this as "death by insidious quoting". Most
    >> interpreted languages that allow quoted strings usually suffer from this;
    >> every Unix shell (and the shells had inconsistent rules for how to handle
    >> them), and in general the problem is that you need to know how many
    >> levels
    >> of macros the parameter is passed through to know how many quotes to add.
    >> C finally solved this with the # (and ##) preprocessor operators. It
    >> mostly works, most of the time.
    >> joe
    >>
    >>> And one needs to quote too, even if you make an alias; that is what I
    >>> was actually failing to grasp :)
    >>>
    >>> It now works and I get a bool result if I use it like below. Comments
    >>> on OS and/or structure-offset independence and/or robustness are
    >>> welcome.
    >>>
    >>> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
    >>> lkd> al
    >>> Alias Value
    >>> ------- -------
    >>> foo firefox.exe
    >>> lkd> ? $scmp(foo,"firefox.exe")
    >>> Syntax error at '(foo,"firefox.exe")'
    >>> lkd> ? $scmp(${foo},"firefox.exe")
    >>> Syntax error at '(firefox.exe,"firefox.exe")' <---------- look at this :)
    >>> lkd> ? $scmp("${foo}","firefox.exe")
    >>> Evaluate expression: 0 = 00000000
    >>>
    >>>
    >>>
    >>>
    >>> On 10/4/12, raj_r <[email protected]> wrote:
    >>>> > This expression also takes a bit of a leap of faith that
    >>>> > (*(PsActiveProcessHead+4))-88) actually means something
    >>>>
    >>>> Hehe, I knew anyone dealing with debuggers day in, day out would
    >>>> figure out those constants in a jiffy.
    >>>>
    >>>> It is far easier to type in constants than text that spans multiple
    >>>> lines in the command window.

    -scott
    OSR
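    The "write it in a natural format, then collapse it" step that Scott describes, which he notes could be automated, can be scripted. The helper below is an added example for this thread, not code from any of the posts above. It collapses a readable multi-line breakpoint body into the single escaped line that bu <address> "..." requires, escaping embedded double quotes as \" the way Scott's one-liner does, and it lists every ${alias} reference in the body so you can see which values will be expanded (and therefore frozen) when the bu command is entered, which is why the alias in this thread had to be set inside the script the breakpoint launches rather than before the bu. Assumptions made here: only the double quote needs escaping inside the bu string, whitespace between tokens is insignificant to the debugger's command parser, and comment lines ($$ and *) must be dropped before joining, since once everything is on one line a * comment would swallow the remainder of the command and a $$ comment everything up to the next semicolon. The sample body is constructed for the example and reuses the thread's foo alias.

```python
"""Collapse a readable, multi-line WinDbg breakpoint command into the single
escaped line that `bu <address> "<command>"` requires.

Added example for this thread, not code from the original posts.
Assumptions: only the double quote needs escaping inside the bu string
(as \\"), whitespace between tokens is insignificant to the debugger,
and comment lines must be dropped before joining because on one line
`*` would comment out the rest of the command and `$$` everything up to
the next semicolon.
"""
import re

# Readable breakpoint body, constructed for this example. The alias `foo`
# is assumed to hold the newest process image name, as in the thread.
NATURAL_COMMAND = """\
$$ Break when calc.exe is created; otherwise print the name and resume.
.block
{
    gu;
    .if ( $scmp("${foo}", "calc.exe") == 0 )
    {
        .echo calc started;
    }
    .else
    {
        .echo ${foo};
        g
    }
}
"""

# ${name} or ${/v:name}; the name is captured in group 2.
ALIAS_REF = re.compile(r"\$\{(/v:)?([^}]+)\}")


def collapse(natural: str) -> str:
    """Join the lines into one command, dropping blank and comment lines."""
    parts = []
    for raw in natural.splitlines():
        line = raw.strip()
        if not line or line.startswith("$$") or line.startswith("*"):
            continue
        parts.append(line)
    return " ".join(parts)


def quote_for_bu(command: str) -> str:
    """Escape embedded double quotes so the body survives the outer "..."."""
    return command.replace('"', '\\"')


def bu_line(address: str, natural: str) -> str:
    """Full `bu` line, ready to paste at the kd> prompt."""
    return 'bu {} "{}"'.format(address, quote_for_bu(collapse(natural)))


def alias_refs(command: str) -> list:
    """User aliases referenced as ${name} in the body.

    These are expanded once, when the bu command itself is entered, so the
    value is frozen into the breakpoint unless a script launched by the
    breakpoint re-sets the alias. ${$arg1} style references are script
    arguments, not user aliases, and are skipped.
    """
    names = []
    for m in ALIAS_REF.finditer(command):
        name = m.group(2)
        if name.startswith("$"):
            continue
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    print(bu_line("nt!PspCreateProcess", NATURAL_COMMAND))
    frozen = alias_refs(NATURAL_COMMAND)
    if frozen:
        print("note: aliases expanded at bu time:", ", ".join(frozen))
```

    Running it prints a one-line bu command for nt!PspCreateProcess and warns that ${foo} will be expanded at bu time; if the name must be re-evaluated on every hit, keep the as /ma in a script the breakpoint runs, as in logcrap.txt and testscr.txt above.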

  • toptenalternativetoptenalternative Member Posts: 1

    But the link you shared to CodePlex is dead now and not working anymore; you can try GitHub or find some more suggestions here.
