Getting instruction size on WinDbg

Hi everyone,

Does anyone know if there is a WinDbg command or extension that would tell us the size of a given instruction? I'm wondering if it is possible to build a script that would move some code, but I'd need to know the size of a given instruction to prevent moving just part of it.

Thanks in advance,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

I don't know of an extension that does instruction-length disassembly.

It's not very elegant (and I'm not sure it will work well), but maybe you can
play with .foreach and the u command:

$$ Estimate the size of the instruction at ${$arg1} (the address passed to
$$ this script) from the text of a one-line "u" disassembly.
$$ .foreach splits the u output on whitespace; when u prints a symbol header
$$ first, token 1 is "symbol+offset:", token 2 the address and token 3 the
$$ opcode bytes as hex digits, so only the 3rd token is inspected.
$$ Each '?' in a $spat pattern matches one hex digit, so a k-byte instruction
$$ needs 2*k '?' characters; the identical "???" patterns below cannot all be
$$ right (they look like a paste artifact or a left-as-exercise placeholder)
$$ and need to be widened per line before this prints a meaningful size.
r @$t0 = 0
.foreach(myVariable {u ${$arg1} L 1})
{
r @$t0 = @$t0 + 1
.if(@$t0==3)
{
.if($spat(“${myVariable}”, “??”)==1){.printf “1”}
.if($spat(“${myVariable}”, “???”)==1){.printf “2”}
.if($spat(“${myVariable}”, “???”)==1){.printf
“3”}
.if($spat(“${myVariable}”, “???”)==1){.printf “4”}
.if($spat(“${myVariable}”, “???”)==1){.printf “5”}
.if($spat(“${myVariable}”, “???”)==1){.printf “6”}
.if($spat(“${myVariable}”, “???”)==1){.printf “7”}
.if($spat(“${myVariable}”, “???”)==1){.printf “8”}
$$ etc…
}
}

Instead of calling .printf you can set a register to use the result in
other scripts.

On Tue, Jul 26, 2016 at 4:13 PM, wrote:

> Hi everyone,
>
> Does anyone know if there is a WinDbg command or extension that would tell
> us the size of a given instruction? I’m wondering if was possible to build
> a script that would move some code, but I’d need to know the size of a
> given instruction to prevent moving just part of it.
>
> Thanks in advance,
> –
> Fernando Roberto da Silva
> DriverEntry Kernel Development
> http://www.driverentry.com.br
>


Javier Vicente Vallejo
http://www.vallejo.cc

Hi Javier,

Regardless of working well, I can see I will learn a lot playing with that script.
Many thanks for your help.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

the code below can disassemble and set a pseudo-register ($t19) to the
size of the current instruction (default is $eip)

usage

0:000> .load dislen
0:000> !dislen
0:000> ? @$t19
Evaluate expression: 1 = 00000001
0:000> u @$ip l1
ntdll!LdrpDoDebuggerBreak+0x2c:
77c404f6 cc int 3
0:000> !dislen 77c404f7
0:000> ? @$t19
Evaluate expression: 3 = 00000003
0:000> u 77c404f7 l1
ntdll!LdrpDoDebuggerBreak+0x2d:
77c404f7 8975fc mov dword ptr [ebp-4],esi

as an example, here is a script to disassemble an arbitrary address using
this extension

$$ script to disassemble at ip and 10 instructions from ip
$$ Requires the dislen extension (.load dislen): each !dislen call publishes
$$ the byte length of the instruction at its argument in $t19.
$$ $t18 accumulates the byte offset of the 10th instruction past @$ip; it is
$$ only meaningful if every !dislen call in the loop succeeded.
r $t18 = 0
r $t19 = 0
.for(r $t0=0; @$t0<10; r $t0=@$t0+1)
{
!dislen (@$ip + @$t18)
r $t18 = @$t18+@$t19
}
$$ Show the instruction at @$ip and the one 10 instructions further on.
u @$ip l1
u @$ip + @$t18 l1
$$ Leave the scratch pseudo-registers clean for the next script.
r $t18 = 0
r $t19 = 0

code for the extension (compiled with the EWDK)

/* compiled and linked with
cl /LD /nologo /W4 /analyze /Ox /Zi /EHsc dislen.cpp /link
/DEF:dislen.def /DEBUG /RELEASE
def file contents
EXPORTS
DebugExtensionInitialize
dislen
help */
#include
#pragma warning( push )
#pragma warning ( disable : ALL_CODE_ANALYSIS_WARNINGS )
#include <engextcpp.cpp>
#pragma warning( pop )
// The extension object. EngExtCpp creates a single instance of EXT_CLASS and
// dispatches the debugger command "!dislen" to the method declared here; the
// method body is supplied separately by the EXT_COMMAND(dislen, ...) block.
class EXT_CLASS : public ExtExtension
{
public:
    // Declares `void dislen(void)` plus the metadata EngExtCpp needs to
    // register the command and parse its arguments.
    EXT_COMMAND_METHOD(dislen);
};
// Defines the single global EXT_CLASS instance and the engine entry points
// (DebugExtensionInitialize and friends) named in the .def EXPORTS above.
EXT_DECLARE_GLOBALS();
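// !dislen [address]
//
// Disassembles the single instruction at `address` (an expression argument;
// the spec below defaults it to @$ip) and publishes its encoded length in
// bytes in the pseudo-register $t19, where scripts can read it back with
// `? @$t19` or accumulate it with `r $t18 = @$t18 + @$t19`.
//
// Throws (aborting the command and any script that invoked it) when the
// engine cannot decode an instruction at `address` or cannot write $t19, so
// that a bogus length is never published.
EXT_COMMAND( dislen, "Disssemble and Set $t19 to sizeof($ip)",
"{;e,d=@$ip;!dislen address;}" )
{
    CHAR Buffer[0x200] = {0};
    ULONG DisassemblySize = 0;   // integer out-parameters start at 0, not NULL
    ULONG64 EndOffset = 0;
    ULONG64 StartOffset = GetUnnamedArgU64(0);

    // Disassemble exactly one instruction. On success EndOffset is the address
    // of the following instruction, so EndOffset - StartOffset is the encoded
    // length. The text in Buffer is not used; it only has to be present and
    // large enough for the call to be accepted.
    HRESULT hr = m_Control->Disassemble( StartOffset, DEBUG_DISASM_EFFECTIVE_ADDRESS,
                                         Buffer, sizeof(Buffer),
                                         &DisassemblySize, &EndOffset);
    // Without this check a failed call leaves EndOffset at 0 and the
    // subtraction below wraps to a huge value that would be written to $t19
    // and then used by callers as an instruction size.
    if (FAILED(hr))
    {
        ThrowRemote(hr, "Unable to disassemble at %I64x", StartOffset);
    }
    if (EndOffset < StartOffset)
    {
        ThrowRemote(E_UNEXPECTED, "Disassemble returned end %I64x before start %I64x",
                    EndOffset, StartOffset);
    }

    ULONG Count = 1;
    DEBUG_VALUE Val = {0};       // zero the whole union; only Type and I64 are set
    Val.Type = DEBUG_VALUE_INT64;
    Val.I64 = EndOffset - StartOffset;

    // Guard the interface pointer rather than dereference a null one on an
    // engine that does not expose IDebugRegisters2 -- TODO confirm whether
    // EngExtCpp already refuses to run commands without it.
    if (m_Registers2 == NULL)
    {
        ThrowRemote(E_NOINTERFACE, "IDebugRegisters2 is not available");
    }
    ULONG Start = 0;
    hr = m_Registers2->GetPseudoIndexByName("$t19", &Start);
    if (FAILED(hr))
    {
        ThrowRemote(hr, "Unable to resolve pseudo-register $t19");
    }
    hr = m_Registers2->SetPseudoValues(DEBUG_REGSRC_DEBUGGEE, Count, NULL, Start, &Val);
    if (FAILED(hr))
    {
        ThrowRemote(hr, "Unable to set pseudo-register $t19");
    }
}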

On 7/26/16, xxxxx@driverentry.com.br wrote:
> Hi Javier,
>
> Regardless of working well, I can see I will learn a lot playing with that
> script.
> Many thanks for your help.
>
> Regards,
> –
> Fernando Roberto da Silva
> DriverEntry Kernel Development
> http://www.driverentry.com.br
>

just some more stuff for archive

we can use the latest natvis to display the length of an arbitrary input,
though at present natvis doesn't seem to offer a way to assign the
results, or any other way to use the results in scripts (I posted a query
asking about assignable uses of natvis expressions, but IIRC no one
replied to that thread)

natvis appears to be quite useful for display purposes

the script below uses both the natvis result and the result from the
extension posted one message above

:\>cat c:\ilen.txt

$$ Run to the instruction of interest and show it with u.
g runasm!main+0x15
u @eip l1
$$ /pS 2 skips the symbol-header and address tokens of the one-line u output
$$ and /ps 100 stops after the next token, so `var` is the opcode-byte hex
$$ string. Its Length is the number of hex digits, so Length/2 is the
$$ instruction size in bytes; natvis shows it but offers no way to assign it.
.foreach /pS 2 /ps 100 (var { u @$ip l1 } ) { dx @$ilen = “var” ; dx
@$ilen.Length /2 }
$$ Cross-check against the dislen extension, which publishes the size in $t19.
.load dislen
!dislen
.echo now we will be executing the !dislen command from dislen
extension and confirm the natvis result
? @$t19
q

:\>cdb -c “$$>a< c:\ilen.txt” e:\test\runasm\runasm.exe | tail -n 8

runasm!main+0x15:
002e12e5 6666660f1f840000000000 nop word ptr [eax+eax]
@$ilen = “6666660f1f840000000000” : 6666660f1f840000000000
Length : 0x16
@$ilen.Length /2 : 0xb
now we will be executing the !dislen command from dislen extension and
confirm the natvis result
Evaluate expression: 11 = 0000000b
quit:

On 7/27/16, raj r wrote:
> the code below can disassemble and set a PseudoRegister ($t19) to the
> size of Current instruction (default is $eip)
>
> usage
>
> 0:000> .load dislen
> 0:000> !dislen
> 0:000> ? @$t19
> Evaluate expression: 1 = 00000001
> 0:000> u @$ip l1
> ntdll!LdrpDoDebuggerBreak+0x2c:
> 77c404f6 cc int 3
> 0:000> !dislen 77c404f7
> 0:000> ? @$t19
> Evaluate expression: 3 = 00000003
> 0:000> u 77c404f7 l1
> ntdll!LdrpDoDebuggerBreak+0x2d:
> 77c404f7 8975fc mov dword ptr [ebp-4],esi
>
>
> as an example hete is script to disassemble arbitrary address using
> this extension
>
> $$ script to disassemble at ip and 10 instructions from ip
> r $t18 = 0
> r $t19 = 0
> .for(r $t0=0; @$t0<10; r $t0=@$t0+1)
> {
> !dislen (@$ip + @$t18)
> r $t18 = @$t18+@$t19
> }
> u @$ip l1
> u @$ip + @$t18 l1
> r $t18 = 0
> r $t19 = 0
>
> code for extension (compiled with ewdk )
>
> /* compiled and linked with
> cl /LD /nologo /W4 /analyze /Ox /Zi /EHsc dislen.cpp /link
> /DEF:dislen.def /DEBUG /RELEASE
> def file contents
> EXPORTS
> DebugExtensionInitialize
> dislen
> help */
> #include
> #pragma warning( push )
> #pragma warning ( disable : ALL_CODE_ANALYSIS_WARNINGS )
> #include <engextcpp.cpp>
> #pragma warning( pop )
> class EXT_CLASS : public ExtExtension
> {
> public:
> EXT_COMMAND_METHOD(dislen);
> };
> EXT_DECLARE_GLOBALS();
> EXT_COMMAND( dislen, “Disssemble and Set $t19 to sizeof($ip)”,
> “{;e,d=@$ip;!dislen address;}” )
> {
> CHAR Buffer[0x200] = {0};
> ULONG DisassemblySize = NULL;
> ULONG64 EndOffset = NULL;
> ULONG64 StartOffset = GetUnnamedArgU64(0);
> m_Control->Disassemble( StartOffset,DEBUG_DISASM_EFFECTIVE_ADDRESS,
> Buffer, sizeof(Buffer),&DisassemblySize, &EndOffset);
> ULONG Count = 1;
> DEBUG_VALUE Val;
> Val.Type = DEBUG_VALUE_INT64;
> Val.I64 = EndOffset-StartOffset;
> ULONG Start = 0;
> m_Registers2->GetPseudoIndexByName(“$t19” , &Start );
> m_Registers2->SetPseudoValues(DEBUG_REGSRC_DEBUGGEE
> ,Count,NULL,Start,&Val);
> }
>
>
>
>
> On 7/26/16, xxxxx@driverentry.com.br
> wrote:
>> Hi Javier,
>>
>> Regardless of working well, I can see I will learn a lot playing with
>> that
>> script.
>> Many thanks for your help.
>>
>> Regards,
>> –
>> Fernando Roberto da Silva
>> DriverEntry Kernel Development
>> http://www.driverentry.com.br
>>