Does $scmp(), $sicmp(), $spat() take expressions?

Your alias is ultimately resolving to an address but the operators expect
quoted strings:

1: kd> as ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

1: kd> al
  Alias            Value
 -------          -------
 foo              @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

1: kd> ? ${foo}
Evaluate expression: -2065147404 = 84e859f4

So, this would be the same as passing 0x84e859f4 to the string compare
operation:

1: kd> ? $scmp(84e859f4,"foa")
Syntax error at '(84e859f4,"foa")'

What you want is the alias to become the string pointed to by that address,
which is where the /ma switch comes in:

1: kd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
1: kd> al
  Alias            Value
 -------          -------
 foo              sndvol32.exe

Now you can pass that to the string operations (adding quotes, which is not
implied in the alias):

1: kd> ? $scmp("${foo}","foa")
Evaluate expression: 1 = 00000001
1: kd> ? $scmp("${foo}","sndvol32.exe")
Evaluate expression: 0 = 00000000

Note that I always enclose my aliases in the expression evaluator operator,
"${}", so that it's explicit that I'm talking about an alias.

-scott
OSR

"raj_r" wrote in message news:xxxxx@windbg...

I was trying to use the function $scmp and was providing it with an
expression and a literal string to compare, and it simply errs with a syntax
error (quoting, single quoting, escaped quoting, plain raw expression, alias
evaluation of the expression: nothing seems to work).

It just seems to work with two literals like $scmp("what the *" ,"what the *")

If I do $scmp (foo , "What the *")

where foo might be @@C++ (XXX *)@@masm(poi(someglobal)->memberofstruct
then I get a syntax error.

Are expressions supported?

In $spat() it is documented that I can use wildcards for "Pattern", but
I get a syntax error there too.

And the beauty is: if foo is an alias to some expression and I do, say,
$spat ( "foo" , foo);

the echoed-back output with the error shows me that the engine has replaced
both the foo with the expression :) and still finds some syntax error.

Any pointers? How to use these functions in a script?

lkd> ?? (char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName
char * 0x85f8e57c
 "windbg.exe"

lkd> as foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> al
  Alias            Value
 -------          -------
 foo              @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

lkd> ? foo
Evaluate expression: -2047285892 = 85f8e57c
lkd> da foo
85f8e57c  "windbg.exe"

lkd> ? $scmp(foo,foo)
Syntax error at '(foo,foo)'
lkd> ? $scmp("foo","foo")
Evaluate expression: 0 = 00000000
lkd> ? $scmp("foo","foa")
Evaluate expression: -1 = ffffffff
lkd> ? $scmp("foo","fo")
Evaluate expression: -1 = ffffffff
lkd> ? $scmp("foo",foo)
Syntax error at '("@@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)",foo)'
lkd> ? $spat("foo",foo)
Syntax error at '("@@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)",foo)'
lkd> ? $spat(foo,foo)
Syntax error at '(foo,foo)'

Ladies & gentlemen, how about that MVP Snoone?

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Wednesday, October 03, 2012 12:32 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] Does $scmp() $sicmp() $spat() take Expressions ?


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Scott Noone wrote:

Your alias is ultimately resolving to an address but the operators expect
quoted strings:

1: kd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)

How can you type that with a straight face? It makes my head hurt.
Does using a debugger really have to be as incomprehensible as
programming in APL?

Clearly, what the world needs most right now is a Windbg clone with an
embedded Python interpreter...


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Scott

Well, I must have been fooled by the "cannot evaluate" result when I used
? foo with /ma:

lkd> as /ma foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> al
  Alias            Value
 -------          -------
 foo              firefox.exe
lkd> ? foo
Couldn't resolve error at 'firefox.exe'
lkd> ? ${foo}
Couldn't resolve error at 'firefox.exe'
lkd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> al
  Alias            Value
 -------          -------
 foo              firefox.exe
lkd> ? ${foo}
Couldn't resolve error at 'firefox.exe'
lkd> ? foo
Couldn't resolve error at 'firefox.exe'
lkd> foo
Couldn't resolve error at 'irefox.exe'
lkd> as ${/v:foo} @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> al
  Alias            Value
 -------          -------
 foo              @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> ? foo
Evaluate expression: -2047151724 = 85faf194
lkd> ?? foo
char * 0x85faf194
 "firefox.exe"
lkd> as foo @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> al
  Alias            Value
 -------          -------
 foo              @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
lkd> ?? foo
char * 0x85faf194
 "firefox.exe"
lkd> ? foo
Evaluate expression: -2047151724 = 85faf194

Since ? foo and ?? foo were returning a result for the plain alias, I tried
using it in a script and it was returning a syntax error.


“Tim Roberts” wrote in message news:xxxxx@windbg…

How can you type that with a straight face?

Who said I did? I'll have to get a live webcam going in the office :)

It’s not that bad once you get a feel for the operators and the quirkiness
of the two evaluators. This expression also takes a bit of a leap of faith
that (*(PsActiveProcessHead+4))-88) actually means something, so you have to
have some idea about the data structures involved if you’re going to have a
chance.

Clearly, what the worlds needs most right now is a Windbg clone with an
embedded Python interpreter…

Someone wrote a Python extension:

http://pykd.codeplex.com/

I keep meaning to take the time to learn Python so I can evaluate if this
actually works. If someone who already knows Python wants to try it and let
me know their experience I’d like to hear about it.

-scott


This expression also takes a bit of a leap of faith that
(*(PsActiveProcessHead+4))-88) actually means something

Hehe, I knew anyone dealing with debuggers day in, day out would figure out
those constants in a jiffy.

It is far easier to type in constants than text that spans multiple lines
in the command window.

Instead of 4 and 88 you would need about two lines of bs to get the same thing.

If you want something that is a more OS-friendly expression you would
need something like below:

lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
char * 0x85faf194
 "firefox.exe"

blink = 4
activeprocesslinks = 88
->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))

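The constants decoded in the post above (Blink = 4, ActiveProcessLinks = 88) and the #FIELD_OFFSET form are the debugger spelling of CONTAINING_RECORD: take the list head's Blink, subtract the offset of the embedded LIST_ENTRY, and you are at the owning record. The C program below is an added example, not code from the thread or from any of its participants. It models the same walk on a constructed toy layout (TOY_PROCESS, its field sizes and the sample process names are made up for the example; the real EPROCESS layout differs) and adds a small $spat-style wildcard matcher, so the offset arithmetic and the string comparisons being typed into the debugger can be read and run outside it. The "88" in the thread is hexadecimal under WinDbg's default radix, which is why the offset is printed in hex here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures the thread's expression
 * walks. Field order and padding are made up for this example; only the
 * technique (CONTAINING_RECORD by hand) is the same as for the real EPROCESS. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _TOY_PROCESS {
    uint8_t    Pcb[0x60];           /* stands in for the embedded KPROCESS */
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* what PsActiveProcessHead threads through */
    uint8_t    Reserved[0x40];
    char       ImageFileName[16];   /* 15 bytes + NUL, as in EPROCESS */
} TOY_PROCESS;

/* The two constants the hand-typed "poi(PsActiveProcessHead+4)-88" hard-codes
 * (both hex on the thread's 32-bit kernel; WinDbg's default radix is 16). */
size_t blink_offset(void) { return offsetof(LIST_ENTRY, Blink); }
size_t links_offset(void) { return offsetof(TOY_PROCESS, ActiveProcessLinks); }

/* Blink - #FIELD_OFFSET(nt!_EPROCESS, ActiveProcessLinks): CONTAINING_RECORD. */
static TOY_PROCESS *process_from_links(LIST_ENTRY *links)
{
    return (TOY_PROCESS *)((char *)links - links_offset());
}

/* Tail insertion, so Head.Blink is the most recently linked process. */
static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* What "as /ma foo <expr>" captures: the NUL-terminated name at the address
 * the expression yields, not the address itself. */
const char *newest_image_name(LIST_ENTRY *head)
{
    if (head->Blink == head)
        return "";                  /* empty list: nothing to dereference */
    return process_from_links(head->Blink)->ImageFileName;
}

/* $spat-style match: '*' matches any run, '?' any one character, and the
 * comparison is case-insensitive, as documented for $spat. $scmp is plain
 * strcmp on the two quoted strings; $sicmp is its case-insensitive form. */
int spat(const char *s, const char *pat)
{
    if (*pat == '\0')
        return *s == '\0';
    if (*pat == '*')
        return spat(s, pat + 1) || (*s != '\0' && spat(s + 1, pat));
    if (*s == '\0')
        return 0;
    if (*pat == '?' || tolower((unsigned char)*pat) == tolower((unsigned char)*s))
        return spat(s + 1, pat + 1);
    return 0;
}

/* Build a three-entry list from constructed sample names and return what the
 * thread's alias would have held after "as /ma". */
const char *demo_newest(void)
{
    static TOY_PROCESS procs[3];
    static LIST_ENTRY head;
    static const char *const names[] = { "System", "csrss.exe", "firefox.exe" };

    head.Flink = head.Blink = &head;
    for (size_t i = 0; i < 3; i++) {
        procs[i].UniqueProcessId = 4 * (i + 1);
        snprintf(procs[i].ImageFileName, sizeof procs[i].ImageFileName, "%s", names[i]);
        insert_tail(&head, &procs[i].ActiveProcessLinks);
    }
    return newest_image_name(&head);
}

int main(void)
{
    const char *name = demo_newest();
    printf("Blink at +%zu, ActiveProcessLinks at +0x%zx\n", blink_offset(), links_offset());
    printf("newest process: %s\n", name);
    printf("$scmp(\"%s\",\"firefox.exe\") == 0: %d\n", name, strcmp(name, "firefox.exe") == 0);
    printf("$spat(\"%s\",\"FIRE*.exe\"): %d\n", name, spat(name, "FIRE*.exe"));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The offsets it prints depend on pointer size, which is exactly why the symbolic #FIELD_OFFSET form in the thread survives a kernel change while "4" and "88" do not. The recursive matcher is fine for 15-character image names but is exponential on patterns with many stars, so it is not the thing to drop into a hot path.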

And one needs to quote too, even if you make an alias, is what I was
actually missing to grasp :)

It now works and I get a bool result if I use it like below; comments on OS
and/or structure-offset independence and/or robustness welcome.

lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
lkd> al
  Alias            Value
 -------          -------
 foo              firefox.exe
lkd> ? $scmp(foo,"firefox.exe")
Syntax error at '(foo,"firefox.exe")'
lkd> ? $scmp(${foo},"firefox.exe")
Syntax error at '(firefox.exe,"firefox.exe")' <---------- look at this :)
lkd> ? $scmp("${foo}","firefox.exe")
Evaluate expression: 0 = 00000000


We used to refer to this as “death by insidious quoting”. Most
interpreted languages that allow quoted strings usually suffer from this;
every Unix shell (and the shells had inconsistent rules for how to handle
them), and in general the problem is that you need to know how many levels
of macros the parameter is passed through to know how many quotes to add.
C finally solved this with the # (and ##) preprocessor operators. It
mostly works, most of the time.
joe


So I have this in a script file:

as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"

Run the script:

kd> $<.\scripts\logret.txt

kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
kd> bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"
breakpoint 0 redefined
kd> al
  Alias            Value
 -------          -------
 foo              cmd.exe
kd> bl
 0 e 805802e7     0001 (0001) nt!PspCreateProcess ".block { gu;.if ( $scmp('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } }"

kd> g
Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff      call    nt!_SEH_epilog (804e2476)
kd> g
Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff      call    nt!_SEH_epilog (804e2476)
kd> g
Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff      call    nt!_SEH_epilog (804e2476)

I don't know what syntax I need to give this.

If I use double quotes around foo like "${foo}" it errs.
If I escape like \"${foo}\" it errs.
In single quotes it errs.

Also it seems expansion doesn't take place, since I am doing something
stupid with quotes :( or with the placement of .block.

Any pointers?


On 03-Oct-2012 22:09, Tim Roberts wrote:

Clearly, what the worlds needs most right now is a Windbg clone with an
embedded Python interpreter…

Sort of… http://pykd.codeplex.com/

– pa

“raj_r” wrote in message news:xxxxx@windbg…

hehe i knew anyone dealing with debuggers day in day out would figure
that constants in a jiffy

it is far more easy to type in constants than typing text that spans
multiple lines in the command window

Absolutely. I use constant values all the time for expressions that I enter;
there is no point in being OS independent if you’re just doing a one-off
command. The only time it really matters is if you’re writing a script to be
used over and over, in which case you have the luxury of whitespace and comments.

-scott

“raj_r” wrote in message news:xxxxx@windbg…

This expression also takes a bit of a leap of faith that
(*(PsActiveProcessHead+4))-88) actually means something

hehe, I knew anyone dealing with debuggers day in, day out would figure
out those constants in a jiffy

it is far easier to type in constants than to type text that spans
multiple lines in the command window

instead of 4 and 88 you would need about two lines of bs to get the same
thing

if you want an expression that is more OS friendly you would need
something like the one below

lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY
*)@@masm(nt!PsActiveProcessHead))->Blink) -
@@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
@@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
char * 0x85faf194
“firefox.exe”

blink = 4
activeprocesslinks = 88
->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
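
As an added illustration of what the FIELD_OFFSET expression above actually computes (editor-supplied Python, not code from the thread or from WinDbg): the arithmetic is CONTAINING_RECORD in disguise. Subtracting the ActiveProcessLinks offset from the head's Blink pointer yields the _EPROCESS base, and adding the ImageFileName offset yields the char array. The script builds a constructed little-endian 32-bit memory image with a fake PsActiveProcessHead and two fake _EPROCESS blocks. The offsets 4 (Blink) and 0x88 (ActiveProcessLinks) are the ones quoted above for the XP x86 target; the ImageFileName offset, all addresses and the process names are made up for the illustration. It also generalises the single Blink lookup into a walk of the whole circular list, the same list that `!process 0 0` later in the thread enumerates.

```python
import struct

# Offsets the thread quotes for its Windows XP x86 target: Blink sits at +4 in
# _LIST_ENTRY and ActiveProcessLinks at 0x88 in _EPROCESS (WinDbg's default
# radix is hex, so the "88" above is 0x88).
OFFSET_BLINK = 4
OFFSET_ACTIVE_PROCESS_LINKS = 0x88
# Assumed for this illustration only; on a real target the thread's
# @@c++(#FIELD_OFFSET(nt!_EPROCESS, ImageFileName)) supplies the right value.
OFFSET_IMAGE_FILE_NAME = 0x174
IMAGE_FILE_NAME_LEN = 16  # _EPROCESS.ImageFileName is a 16-byte char array

# Constructed addresses for the fake memory image (not from a real dump).
BASE = 0x85F00000
HEAD = BASE + 0x10             # stands in for nt!PsActiveProcessHead
EPROC_SYSTEM = BASE + 0x1000   # fake _EPROCESS of "System"
EPROC_FIREFOX = BASE + 0x2000  # fake _EPROCESS of "firefox.exe"


def write_u32(mem: bytearray, addr: int, value: int) -> None:
    struct.pack_into("<I", mem, addr - BASE, value)


def read_u32(mem: bytearray, addr: int) -> int:
    """Equivalent of MASM poi(addr) on a 32-bit target."""
    return struct.unpack_from("<I", mem, addr - BASE)[0]


def build_fake_memory() -> bytearray:
    """Lay out head -> System -> firefox -> head as a circular _LIST_ENTRY list."""
    mem = bytearray(0x3000)
    links_sys = EPROC_SYSTEM + OFFSET_ACTIVE_PROCESS_LINKS
    links_ff = EPROC_FIREFOX + OFFSET_ACTIVE_PROCESS_LINKS
    write_u32(mem, HEAD, links_sys)                     # head.Flink
    write_u32(mem, HEAD + OFFSET_BLINK, links_ff)       # head.Blink (tail entry)
    write_u32(mem, links_sys, links_ff)                 # System.Flink
    write_u32(mem, links_sys + OFFSET_BLINK, HEAD)      # System.Blink
    write_u32(mem, links_ff, HEAD)                      # firefox.Flink
    write_u32(mem, links_ff + OFFSET_BLINK, links_sys)  # firefox.Blink
    for eproc, name in ((EPROC_SYSTEM, b"System"), (EPROC_FIREFOX, b"firefox.exe")):
        off = eproc + OFFSET_IMAGE_FILE_NAME - BASE
        mem[off:off + IMAGE_FILE_NAME_LEN] = name.ljust(IMAGE_FILE_NAME_LEN, b"\0")
    return mem


def containing_record(field_addr: int, field_offset: int) -> int:
    """CONTAINING_RECORD: from the address of a field back to the structure base."""
    return field_addr - field_offset


def image_file_name(mem: bytearray, eprocess: int) -> str:
    """Read _EPROCESS.ImageFileName as a NUL-terminated char array."""
    off = eprocess + OFFSET_IMAGE_FILE_NAME - BASE
    raw = bytes(mem[off:off + IMAGE_FILE_NAME_LEN])
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def tail_process_name(mem: bytearray) -> str:
    """The thread's expression: PsActiveProcessHead->Blink
    - FIELD_OFFSET(ActiveProcessLinks) + FIELD_OFFSET(ImageFileName)."""
    blink = read_u32(mem, HEAD + OFFSET_BLINK)                        # poi(nt!PsActiveProcessHead+4)
    eprocess = containing_record(blink, OFFSET_ACTIVE_PROCESS_LINKS)  # ... - 88
    return image_file_name(mem, eprocess)


def walk_active_processes(mem: bytearray, limit: int = 4096) -> list:
    """Follow Flink from the head until it wraps around, collecting image names.
    The limit guards against a list that never returns to its head."""
    names = []
    entry = read_u32(mem, HEAD)
    while entry != HEAD:
        if len(names) >= limit:
            raise RuntimeError("ActiveProcessLinks list did not return to PsActiveProcessHead")
        names.append(image_file_name(mem, containing_record(entry, OFFSET_ACTIVE_PROCESS_LINKS)))
        entry = read_u32(mem, entry)
    return names


if __name__ == "__main__":
    fake = build_fake_memory()
    print(tail_process_name(fake))       # firefox.exe
    print(walk_active_processes(fake))   # ['System', 'firefox.exe']
```

The constant form `poi(nt!PsActiveProcessHead+4)-88` and the FIELD_OFFSET form give the same _EPROCESS base on this image; the difference is only that the constants silently go wrong on a build where the offsets differ, while the FIELD_OFFSET form asks the symbols.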

On 10/4/12, Scott Noone wrote:
> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>How can you type that with a straight face?
>
> Who said I did? I’ll have to get a live webcam going in the office :)
>
> It’s not that bad once you get a feel for the operators and the quirkiness
> of the two evaluators. This expression also takes a bit of a leap of faith
> that (*(PsActiveProcessHead+4))-88) actually means something, so you have
> to have some idea about the data structures involved if you’re going to have
> a chance.
>
>>Clearly, what the world needs most right now is a Windbg clone with an
>>embedded Python interpreter…
>
> Someone wrote a Python extension:
>
> http://pykd.codeplex.com/
>
> I keep meaning to take the time to learn Python so I can evaluate if this
> actually works. If someone who already knows Python wants to try it and
> let me know their experience I’d like to hear about it.
>
> -scott
>
>
>
> “Tim Roberts” wrote in message news:xxxxx@windbg…
>
> Scott Noone wrote:
>> Your alias is ultimately resolving to an address but the operators expect
>> quoted strings:
>>
>> 1: kd> as /ma ${/v:foo} @@c++((char
>> *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
>
> How can you type that with a straight face? It makes my head hurt.
> Does using a debugger really have to be as incomprehensible as
> programming in APL?
>
> Clearly, what the world needs most right now is a Windbg clone with an
> embedded Python interpreter…
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
>

“raj_r” wrote in message news:xxxxx@windbg…

so i have this in a script file

kd> g
Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
started’;g;} .else {.printf ‘%ma’ , cmd.exe; } ’

You still want the double quotes. However, in this case you’re doing a
conditional breakpoint:

bu address “command”

So the quotes need to be escaped. Something like:

".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc started';} .else {.printf \"${foo}\"; g} }"

(Note that I also changed your printf statement as the alias is not an
address, it’s a string!)

Which, yes, is spaghetti. The fact that it’s a conditional breakpoint means
that it has special quoting rules AND that it has to all fit on one line,
which makes it pretty much impossible for a human to parse. The trick that I
use though is to work on the command in a more natural format and then
collapse it when I want to try it (this could also be automated through
scripting, but the manual approach works):

.block
{
gu;
.if ( $scmp("${foo}","calc.exe") == 0 )
{
.echo ‘calc started’;
}
.else
{
.printf "${foo}";
g
}
}

I know that you mentioned you tried it with escape quotes and that it didn’t
work, but I suspect there was something else going on (such as the printf).

Also, I don’t think this script does exactly what you’re expecting. In the
case of this script, the value of ${foo} stays constant and does not
reevaluate for each invocation of the breakpoint. I’ll let you deal with
that one when you get to it though :)

-scott
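
Scott mentions that the expand-then-collapse step could be automated. The following Python script is an added example of that automation (editor-supplied, not code from the thread or from the debugger tool set): it takes the readable multi-line form, drops `$$` and `*` comment lines, joins the rest onto one line, escapes every embedded double quote as `\"` so the result can sit inside the `bu address "command"` string, and refuses to emit a command whose braces, parentheses or quotes do not pair up. It also checks the lesson of the whole thread: every argument of $scmp, $sicmp and $spat must be a double-quoted string, so single-quoted or bare arguments are reported before the debugger gets a chance to print `Syntax error at`. The sample body is the `.block` from Scott's reply above; the breakpoint address `nt!PspCreateProcess` comes from the thread, while the function names are the example's own.

```python
import re

# Constructed sample: the readable form that is worked on before collapsing.
# The alias ${foo} is assumed to hold an image name set with "as /ma", so it
# compares as a quoted string; gu returns to the caller before comparing.
READABLE = r'''
$$ expanded conditional breakpoint body (comment lines are dropped on collapse)
.block
{
    gu;
    .if ( $scmp("${foo}","calc.exe") == 0 )
    {
        .echo 'calc started';
    }
    .else
    {
        .printf "${foo}";
        g
    }
}
'''

# Arguments of the string operators, up to the closing parenthesis.
STRING_OPS = re.compile(r"\$(?:scmp|sicmp|spat)\s*\(([^()]*)\)")


def collapse_command(script: str) -> str:
    """Join a multi-line debugger command into one line.

    Lines starting with $$ or * are WinDbg comments and are dropped, because
    on a single line a comment would swallow everything after it."""
    kept = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("$$") or line.startswith("*"):
            continue
        kept.append(line)
    return " ".join(kept)


def is_balanced(command: str) -> bool:
    """Check that {} and () nest properly and that double quotes pair up."""
    stack = []
    opener = {"}": "{", ")": "("}
    for ch in command:
        if ch in "{(":
            stack.append(ch)
        elif ch in "})":
            if not stack or stack.pop() != opener[ch]:
                return False
    return not stack and command.count('"') % 2 == 0


def unquoted_string_op_args(command: str) -> list:
    """Return $scmp/$sicmp/$spat arguments that are not double-quoted.

    These operators take quoted strings, never expressions, bare aliases or
    single-quoted text, so anything else is rejected by the evaluator."""
    bad = []
    for m in STRING_OPS.finditer(command):
        for arg in m.group(1).split(","):
            arg = arg.strip()
            if not (len(arg) >= 2 and arg.startswith('"') and arg.endswith('"')):
                bad.append(arg)
    return bad


def make_bu_command(address: str, readable_script: str) -> str:
    """Collapse, validate and wrap the body as bu <address> "<escaped body>"."""
    body = collapse_command(readable_script)
    problems = []
    if not is_balanced(body):
        problems.append("unbalanced braces, parentheses or quotes")
    for arg in unquoted_string_op_args(body):
        problems.append("string operator argument is not double-quoted: " + arg)
    if problems:
        raise ValueError("; ".join(problems))
    escaped = body.replace('"', '\\"')
    return 'bu ' + address + ' "' + escaped + '"'


if __name__ == "__main__":
    print(make_bu_command("nt!PspCreateProcess", READABLE))
```

One caveat the `bl` output later in the thread makes visible: if the alias already exists when the `bu` line is entered, `${foo}` is expanded at definition time and the breakpoint compares a fixed name forever. Setting the alias inside the breakpoint command, or having the breakpoint launch a script with `$$>a<` as the thread ends up doing, avoids that.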

“raj_r” wrote in message news:xxxxx@windbg…

so i have this in a script file

as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
*)@@masm(nt!PsActiveProcessHead))->Blink) -
@@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
@@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
bu nt!PspCreateProcess “.block { gu;.if ( $scmp(‘${foo}’,‘calc.exe’)
== 0 ) {.echo ‘calc started’;g;} .else {.printf ‘%ma’ , ${foo}; } }”

run the script

kd> $<.\scripts\logret.txt

kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
*)@@masm(nt!PsActiveProcessHead))->Blink) -
@@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
@@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
kd> bu nt!PspCreateProcess “.block { gu;.if (
$scmp(‘${foo}’,‘calc.exe’) == 0 ) {.echo ‘calc started’;g;} .else
{.printf ‘%ma’ , ${foo}; } }”
breakpoint 0 redefined
kd> al
Alias Value
------- -------
foo cmd.exe
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess “.block { gu;.if (
$scmp(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc started’;g;} .else
{.printf ‘%ma’ , cmd.exe; } }”

kd> g
Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
started’;g;} .else {.printf ‘%ma’ , cmd.exe; } ’
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> g
Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
started’;g;} .else {.printf ‘%ma’ , cmd.exe; } ’
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> g
Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
started’;g;} .else {.printf ‘%ma’ , cmd.exe; } ’
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)

I don’t know what syntax I need to give this

if I use double quotes over foo like "${foo}" it errs
if I escape like \"${foo}\" it errs
in single quotes it errs

also it seems expansion doesn’t take place since I am doing something
stupid with quotes :( or with the placement of .block

any pointers

On 10/4/12, xxxxx@flounder.com wrote:
> We used to refer to this as “death by insidious quoting”. Most
> interpreted languages that allow quoted strings usually suffer from this;
> every Unix shell (and the shells had inconsistent rules for how to handle
> them), and in general the problem is that you need to know how many levels
> of macros the parameter is passed through to know how many quotes to add.
> C finally solved this with the # (and ##) preprocessor operators. It
> mostly works, most of the time.
> joe
>
>> and that one needs to quote too even if you make an alias is what I was
>> actually failing to grasp :)
>>
>> it now works and I get a bool result if I use it like below; comments on
>> OS and/or structure-offset independence and/or robustness are
>> welcome
>>
>> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
>> lkd> al
>> Alias Value
>> ------- -------
>> foo firefox.exe
>> lkd> ? $scmp(foo,“firefox.exe”)
>> Syntax error at ‘(foo,“firefox.exe”)’
>> lkd> ? $scmp(${foo},“firefox.exe”)
>> Syntax error at ‘(firefox.exe,“firefox.exe”)’ <---------- look at this :)
>> lkd> ? $scmp(“${foo}”,“firefox.exe”)
>> Evaluate expression: 0 = 00000000
>>
>>
>>
>>
>> On 10/4/12, raj_r wrote:
>>> This expression also takes a bit of a leap of faith that
>>> (*(PsActiveProcessHead+4))-88) actually means something
>>>
>>> hehe, I knew anyone dealing with debuggers day in, day out would figure
>>> out those constants in a jiffy
>>>
>>> it is far easier to type in constants than to type text that spans
>>> multiple lines in the command window
>>>
>>> instead of 4 and 88 you would need about two lines of bs to get the same
>>> thing
>>>
>>> if you want an expression that is more OS friendly you would need
>>> something like the one below
>>>
>>> lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY
>>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>> char * 0x85faf194
>>> “firefox.exe”
>>>
>>> blink = 4
>>> activeprocesslinks = 88
>>> ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>
>>>
>>>
>>> On 10/4/12, Scott Noone wrote:
>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>How can you type that with a straight face?
>>>>
>>>> Who said I did? I’ll have to get a live webcam going in the office :)
>>>>
>>>> It’s not that bad once you get a feel for the operators and the
>>>> quirkiness of the two evaluators. This expression also takes a bit of a
>>>> leap of faith that (*(PsActiveProcessHead+4))-88) actually means
>>>> something, so you have to have some idea about the data structures
>>>> involved if you’re going to have a chance.
>>>>
>>>>>Clearly, what the world needs most right now is a Windbg clone with an
>>>>>embedded Python interpreter…
>>>>
>>>> Someone wrote a Python extension:
>>>>
>>>> http://pykd.codeplex.com/
>>>>
>>>> I keep meaning to take the time to learn Python so I can evaluate if
>>>> this actually works. If someone who already knows Python wants to try it
>>>> and let me know their experience I’d like to hear about it.
>>>>
>>>> -scott
>>>>
>>>>
>>>>
>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>
>>>> Scott Noone wrote:
>>>>> Your alias is ultimately resolving to an address but the operators
>>>>> expect
>>>>> quoted strings:
>>>>>
>>>>> 1: kd> as /ma ${/v:foo} @@c++((char
>>>>> *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
>>>>
>>>> How can you type that with a straight face? It makes my head hurt.
>>>> Does using a debugger really have to be as incomprehensible as
>>>> programming in APL?
>>>>
>>>> Clearly, what the world needs most right now is a Windbg clone with an
>>>> embedded Python interpreter…
>>>>
>>>> –
>>>> Tim Roberts, xxxxx@probo.com
>>>> Providenza & Boekelheide, Inc.
>>>>
>>>>
>>>>
>>>
>>
>>
>
>
>
>

I’ll let you deal with that one when you get to it though :)

you may as well say how now so that the archive has an informative thread,
because I found another route and made it more generic

if I get stuck on one rock I tend to simply flow away through its
sides till I eventually reach the ocean

here is how I did what I wanted

F:\windbg\scripts>type logcrap.txt

bu nt!PspCreateProcess “gu; $$>a< .\scripts\testscr.txt ${$arg1}”

F:\windbg\612windbg\scripts>type testscr.txt

as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
.block { .if ($scmp("${foo}","${$arg1}") == 0) {.echo ${$arg1}.exe started stopping windbg;} .else { .echo ${foo};g }}

kd> sxe ibp;.reboot
Shutdown occurred at (Thu Oct 4 23:37:10.125 2012 (UTC +
5:30))…unloading all symbol tables.
Waiting to reconnect…
Connected to Windows XP 2600 x86 compatible target at (Thu Oct 4
23:37:23.093 2012 (UTC + 5:30)), ptr64 FALSE

cut version info

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3

kd> $$>a< .\scripts\logcrap.txt smss.exe
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess “gu; $$>a<
.\scripts\testscr.txt smss.exe”

kd> g

smss.exe.exe started stopping windbg <-----------------------------
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81291830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000b50 HandleCount: 35.
Image: System

PROCESS ffb5a998 SessionId: none Cid: 0194 Peb: 7ffdd000 ParentCid: 0004
DirBase: 06c37000 ObjectTable: e17fd5d0 HandleCount: 0.
Image: smss.exe

kd> we can now set process specific bps on smss.exe as Eprocess is now
available but with no active threads yet
kd> lets break on logonui.exe

kd> $$>a< .\scripts\logcrap.txt logonui.exe
breakpoint 0 redefined
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess “gu; $$>a<
.\scripts\testscr.txt logonui.exe”

kd> g
autochk.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
logonui.exe.exe started stopping windbg
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> lets break on some autorun malware say calc.exe

kd> $$>a< .\scripts\logcrap.txt calc.exe
breakpoint 0 redefined
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess “gu; $$>a<
.\scripts\testscr.txt calc.exe”

kd> g
svchost.exe
spoolsv.exe
userinit.exe
explorer.exe
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
vmusrvc.exe
calc.exe.exe started stopping windbg
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)

kd> if there is a process creation windbg will let me know in kernel
mode who wants sxe cpr:process
kd> btw pavel lebedynsky posted a sequence to break in kernel mode in
another thread
kd> might have to check it as it talks about ntuserProcessXXX api and
resetting of global flags and loading of kernel symbols +ksl flag in
!gflag

F:\windbg\scripts>

On 10/4/12, Scott Noone wrote:
> “raj_r” wrote in message news:xxxxx@windbg…
>>so i have this in a script file
> …
>>kd> g
>>Syntax error at ‘(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
>>started’;g;} .else {.printf ‘%ma’ , cmd.exe; } ‘
>
> You still want the double quotes. However, in this case you’re doing a
> conditional breakpoint:
>
> bu address “command”
>
> So the quotes need to be escaped. Something like:
>
> ".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc started';} .else {.printf \"${foo}\"; g} }"
>
> (Note that I also changed your printf statement as the alias is not an
> address, it’s a string!)
>
> Which, yes, is spaghetti. The fact that it’s a conditional breakpoint means
> that it has special quoting rules AND that it has to all fit on one line,
> which makes it pretty much impossible for a human to parse. The trick that I
> use though is to work on the command in a more natural format and then
> collapse it when I want to try it (this could also be automated through
> scripting, but the manual approach works):
>
> .block
> {
> gu;
> .if ( $scmp("${foo}","calc.exe") == 0 )
> {
> .echo ‘calc started’;
> }
> .else
> {
> .printf "${foo}";
> g
> }
> }
>
> I know that you mentioned you tried it with escape quotes and that it didn’t
> work, but I suspect there was something else going on (such as the printf).
>
> Also, I don’t think this script does exactly what you’re expecting. In the
> case of this script, the value of ${foo} stays constant and does not
> reevaluate for each invocation of the breakpoint. I’ll let you deal with
> that one when you get to it though :)
>
> -scott
>
>
>
> “raj_r” wrote in message news:xxxxx@windbg…
>
> so i have this in a script file
>
> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
> *)@@masm(nt!PsActiveProcessHead))->Blink) -
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
> bu nt!PspCreateProcess ".block { gu;.if ( $scmp(’${foo}’,‘calc.exe’)
> == 0 ) {.echo ‘calc started’;g;} .else {.printf ‘%ma’ , ${foo}; } }"
>
> run the script
>
> kd> $<.\scripts\logret.txt
>
> kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
> *)@@masm(nt!PsActiveProcessHead))->Blink) -
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
> kd> bu nt!PspCreateProcess “.block { gu;.if (
> $scmp(‘${foo}’,‘calc.exe’) == 0 ) {.echo ‘calc started’;g;} .else
> {.printf ‘%ma’ , ${foo}; } }”
> breakpoint 0 redefined
> kd> al
> Alias Value
> ------- -------
> foo cmd.exe
> kd> bl
> 0 e 805802e7 0001 (0001) nt!PspCreateProcess “.block { gu;.if (
> $scmp(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc started’;g;} .else
> {.printf ‘%ma’ , cmd.exe; } }”
>
> kd> g
> Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
> started’;g;} .else {.printf ‘%ma’ , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
> kd> g
> Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
> started’;g;} .else {.printf ‘%ma’ , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
> kd> g
> Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
> started’;g;} .else {.printf ‘%ma’ , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
>
> I don’t know what syntax I need to give this
>
> if I use double quotes over foo like "${foo}" it errs
> if I escape like \"${foo}\" it errs
> in single quotes it errs
>
> also it seems expansion doesn’t take place since I am doing something
> stupid with quotes :( or with the placement of .block
>
> any pointers
>
> On 10/4/12, xxxxx@flounder.com wrote:
>> We used to refer to this as “death by insidious quoting”. Most
>> interpreted languages that allow quoted strings usually suffer from this;
>> every Unix shell (and the shells had inconsistent rules for how to handle
>> them), and in general the problem is that you need to know how many
>> levels
>> of macros the parameter is passed through to know how many quotes to add.
>> C finally solved this with the # (and ##) preprocessor operators. It
>> mostly works, most of the time.
>> joe
>>
>>> and that one needs to quote too even if you make an alias is what I was
>>> actually failing to grasp :)
>>>
>>> it now works and I get a bool result if I use it like below; comments on
>>> OS and/or structure-offset independence and/or robustness are
>>> welcome
>>>
>>> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
>>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
>>> lkd> al
>>> Alias Value
>>> ------- -------
>>> foo firefox.exe
>>> lkd> ? $scmp(foo,“firefox.exe”)
>>> Syntax error at ‘(foo,“firefox.exe”)’
>>> lkd> ? $scmp(${foo},“firefox.exe”)
>>> Syntax error at ‘(firefox.exe,“firefox.exe”)’ <---------- look at this :)
>>> lkd> ? $scmp(“${foo}”,“firefox.exe”)
>>> Evaluate expression: 0 = 00000000
>>>
>>>
>>>
>>>
>>> On 10/4/12, raj_r wrote:
>>>> This expression also takes a bit of a leap of faith that
>>>> (*(PsActiveProcessHead+4))-88) actually means something
>>>>
>>>> hehe, I knew anyone dealing with debuggers day in, day out would figure
>>>> out those constants in a jiffy
>>>>
>>>> it is far easier to type in constants than to type text that spans
>>>> multiple lines in the command window
>>>>
>>>> instead of 4 and 88 you would need about two lines of bs to get the
>>>> same thing
>>>>
>>>> if you want an expression that is more OS friendly you would need
>>>> something like the one below
>>>>
>>>> lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY
>>>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
>>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
>>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>> char * 0x85faf194
>>>> “firefox.exe”
>>>>
>>>> blink = 4
>>>> activeprocesslinks = 88
>>>> ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>>
>>>>
>>>>
>>>> On 10/4/12, Scott Noone wrote:
>>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>>How can you type that with a straight face?
>>>>>
>>>>> Who said I did? I’ll have to get a live webcam going in the office :)
>>>>>
>>>>> It’s not that bad once you get a feel for the operators and the
>>>>> quirkiness of the two evaluators. This expression also takes a bit of a
>>>>> leap of faith that (*(PsActiveProcessHead+4))-88) actually means
>>>>> something, so you have to have some idea about the data structures
>>>>> involved if you’re going to have a chance.
>>>>>
>>>>>>Clearly, what the world needs most right now is a Windbg clone with an
>>>>>>embedded Python interpreter…
>>>>>
>>>>> Someone wrote a Python extension:
>>>>>
>>>>> http://pykd.codeplex.com/
>>>>>
>>>>> I keep meaning to take the time to learn Python so I can evaluate if
>>>>> this actually works. If someone who already knows Python wants to try it
>>>>> and let me know their experience I’d like to hear about it.
>>>>>
>>>>> -scott
>>>>>
>>>>>
>>>>>
>>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>
>>>>> Scott Noone wrote:
>>>>>> Your alias is ultimately resolving to an address but the operators
>>>>>> expect
>>>>>> quoted strings:
>>>>>>
>>>>>> 1: kd> as /ma ${/v:foo} @@c++((char
>>>>>> *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
>>>>>
>>>>> How can you type that with a straight face? It makes my head hurt.
>>>>> Does using a debugger really have to be as incomprehensible as
>>>>> programming in APL?
>>>>>
>>>>> Clearly, what the world needs most right now is a Windbg clone with an
>>>>> embedded Python interpreter…
>>>>>
>>>>> –
>>>>> Tim Roberts, xxxxx@probo.com
>>>>> Providenza & Boekelheide, Inc.
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
>
>

That’s pretty much it: the problem with the script before was that it set
the alias before it set the breakpoint. For it to work properly,
setting the alias had to be part of the conditional breakpoint expression.

In the end, much easier to put everything into a script and have the
conditional expression launch the script.

-scott


On 10/4/12, Scott Noone wrote:
> “raj_r” wrote in message news:xxxxx@windbg…
>>so i have this in a script file
> …
>>kd> g
>>Syntax error at ‘(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
>>started’;g;} .else {.printf ‘%ma’ , cmd.exe; } ‘
>
> You still want the double quotes. However, in this case you’re doing a
> conditional breakpoint:
>
> bu address “command”
>
> So the quotes need to be escaped. Something like:
>
> ".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc started';} .else {.printf \"${foo}\"; g} }"
>
> (Note that I also changed your printf statement as the alias is not an
> address, it’s a string!)
>
> Which, yes, is spaghetti. The fact that it’s a conditional breakpoint means
> that it has special quoting rules AND that it has to all fit on one line,
> which makes it pretty much impossible for a human to parse. The trick that I
> use though is to work on the command in a more natural format and then
> collapse it when I want to try it (this could also be automated through
> scripting, but the manual approach works):
>
> .block
> {
> gu;
> .if ( $scmp("${foo}","calc.exe") == 0 )
> {
> .echo ‘calc started’;
> }
> .else
> {
> .printf "${foo}";
> g
> }
> }
>
> I know that you mentioned you tried it with escape quotes and that it didn’t
> work, but I suspect there was something else going on (such as the printf).
>
> Also, I don’t think this script does exactly what you’re expecting. In the
> case of this script, the value of ${foo} stays constant and does not
> reevaluate for each invocation of the breakpoint. I’ll let you deal with
> that one when you get to it though :)
>
> -scott
>
>
>
> “raj_r” wrote in message news:xxxxx@windbg…
>
> so i have this in a script file
>
> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
> *)@@masm(nt!PsActiveProcessHead))->Blink) -
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
> bu nt!PspCreateProcess ".block { gu;.if ( $scmp(’${foo}’,‘calc.exe’)
> == 0 ) {.echo ‘calc started’;g;} .else {.printf ‘%ma’ , ${foo}; } }"
>
> run the script
>
> kd> $<.\scripts\logret.txt
>
> kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
> *)@@masm(nt!PsActiveProcessHead))->Blink) -
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
> kd> bu nt!PspCreateProcess “.block { gu;.if (
> $scmp(‘${foo}’,‘calc.exe’) == 0 ) {.echo ‘calc started’;g;} .else
> {.printf ‘%ma’ , ${foo}; } }”
> breakpoint 0 redefined
> kd> al
> Alias Value
> ------- -------
> foo cmd.exe
> kd> bl
> 0 e 805802e7 0001 (0001) nt!PspCreateProcess “.block { gu;.if (
> $scmp(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc started’;g;} .else
> {.printf ‘%ma’ , cmd.exe; } }”
>
> kd> g
> Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
> started’;g;} .else {.printf ‘%ma’ , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
> kd> g
> Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
> started’;g;} .else {.printf ‘%ma’ , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
> kd> g
> Syntax error at '(‘cmd.exe’,‘calc.exe’) == 0 ) {.echo ‘calc
> started’;g;} .else {.printf ‘%ma’ , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
>
> I don’t know what syntax I need to give this
>
> if I use double quotes over foo like "${foo}" it errs
> if I escape like \"${foo}\" it errs
> in single quotes it errs
>
> also it seems expansion doesn’t take place since I am doing something
> stupid with quotes :( or with the placement of .block
>
> any pointers
>
> On 10/4/12, xxxxx@flounder.com wrote:
>> We used to refer to this as “death by insidious quoting”. Most
>> interpreted languages that allow quoted strings usually suffer from this;
>> every Unix shell (and the shells had inconsistent rules for how to handle
>> them), and in general the problem is that you need to know how many
>> levels
>> of macros the parameter is passed through to know how many quotes to add.
>> C finally solved this with the # (and ##) preprocessor operators. It
>> mostly works, most of the time.
>> joe
>>
>>> and that one needs to quote too even if you make an alias is what I was
>>> actually failing to grasp :)
>>>
>>> it now works and I get a bool result if I use it like below; comments on
>>> OS and/or structure-offset independence and/or robustness are
>>> welcome
>>>
>>> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY
>>> *)@@masm(nt!PsActiveProcessHead))->Blink) -
>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
>>> lkd> al
>>> Alias Value
>>> ------- -------
>>> foo firefox.exe
>>> lkd> ? $scmp(foo,“firefox.exe”)
>>> Syntax error at ‘(foo,“firefox.exe”)’
>>> lkd> ? $scmp(${foo},“firefox.exe”)
>>> Syntax error at ‘(firefox.exe,“firefox.exe”)’ <---------- look at this
>>> :slight_smile:
>>> lkd> ? $scmp(“${foo}”,“firefox.exe”)
>>> Evaluate expression: 0 = 00000000
>>>
>>>
>>>
>>>
>>> On 10/4/12, raj_r wrote:
>>>> This expression also takes a bit of a leap of faith that
>>>> (*(PsActiveProcessHead+4))-88) actually means something
>>>>
>>>> Hehe, I knew anyone dealing with debuggers day in, day out would figure
>>>> out those constants in a jiffy.
>>>>
>>>> It is far easier to type in constants than to type text that spans
>>>> multiple lines in the command window.
>>>>
>>>> Instead of 4 and 88 you would need about two lines of bs to get the same
>>>> thing.
>>>>
>>>> If you want a more OS-friendly expression you would need something like
>>>> the one below.
>>>>
>>>> lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) -
>>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) +
>>>> @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>> char * 0x85faf194
>>>> "firefox.exe"
>>>>
>>>> blink = 4
>>>> activeprocesslinks = 88
>>>> ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>>
>>>>
>>>>
>>>> On 10/4/12, Scott Noone wrote:
>>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>>How can you type that with a straight face?
>>>>>
>>>>> Who said I did? I’ll have to get a live webcam going in the office :slight_smile:
>>>>>
>>>>> It’s not that bad once you get a feel for the operators and the
>>>>> quirkiness of the two evaluators. This expression also takes a bit of a
>>>>> leap of faith that (*(PsActiveProcessHead+4))-88) actually means
>>>>> something, so you have to have some idea about the data structures
>>>>> involved if you’re going to have a chance.
>>>>>
>>>>>> Clearly, what the world needs most right now is a Windbg clone with an
>>>>>> embedded Python interpreter…
>>>>>
>>>>> Someone wrote a Python extension:
>>>>>
>>>>> http://pykd.codeplex.com/
>>>>>
>>>>> I keep meaning to take the time to learn Python so I can evaluate if
>>>>> this actually works. If someone who already knows Python wants to try it
>>>>> and let me know their experience I’d like to hear about it.
>>>>>
>>>>> -scott
>>>>>
>>>>>
>>>>>
>>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>
>>>>> Scott Noone wrote:
>>>>>> Your alias is ultimately resolving to an address but the operators
>>>>>> expect
>>>>>> quoted strings:
>>>>>>
>>>>>> 1: kd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess*)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
>>>>>
>>>>> How can you type that with a straight face? It makes my head hurt.
>>>>> Does using a debugger really have to be as incomprehensible as
>>>>> programming in APL?
>>>>>
>>>>> Clearly, what the world needs most right now is a Windbg clone with an
>>>>> embedded Python interpreter…
>>>>>
>>>>> --
>>>>> Tim Roberts, xxxxx@probo.com
>>>>> Providenza & Boekelheide, Inc.
>>>>>
>>>>>
>>>>> —
>>>>> WINDBG is sponsored by OSR
>>>>>
>>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>>> http://www.osr.com/seminars
>>>>>
>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>
>>>>
>>>
>>
>

But the link you shared to CodePlex is dead now and not working anymore; you can try GitHub or find some more suggestions here.


But the link you mentioned to CodePlex is not working.

Little surprise… the thread is, what… 8 years old?

The link you mentioned is not working.

codeplex is dead.

This thread is dead. Let it rest in peace. Please.

Peter