That’s pretty much it, the problem with the script before was that it set
the alias before it set the breakpoint. In order for it to work properly,
setting the alias had to be part of the conditional breakpoint expression.
In the end, much easier to put everything into a script and have the
conditional expression launch the script.
-scott
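Scott's "write it readable, then collapse it" trick (quoted further down) is easy to automate. The helper below is an added example, not code from the thread or from WinDbg: it collapses the readable .block layout into the single-line bu form with the inner double quotes escaped, checks brace balance, and flags a $scmp operand that is not a quoted string, which is the mistake the lkd> experiments in the thread show. The names (collapse, bu_command, the BLOCK sample) are this example's own.

```python
import re

# Scott's readable layout of the breakpoint body, as posted in the thread.
# Inside bu <symbol> "..." every inner double quote has to become \" and the
# alias reference handed to $scmp has to be a quoted string.
BLOCK = r'''
.block
{
    gu;
    .if ( $scmp("${foo}","calc.exe") == 0 )
    {
        .echo 'calc started';
    }
    .else
    {
        .printf "${foo}";
        g
    }
}
'''

_SCMP = re.compile(r'\$scmp\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)')

def collapse(body: str) -> str:
    """Join the lines and squeeze whitespace runs to a single space."""
    return " ".join(body.split())

def braces_balanced(body: str) -> bool:
    """Unbalanced braces are one way to get the 'Syntax error at' seen in the thread."""
    depth = 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if depth < 0:
            return False
    return depth == 0

def unquoted_scmp_args(body: str) -> list:
    """Return $scmp operands that are not double-quoted, e.g. a bare ${foo}."""
    return [a for m in _SCMP.finditer(body) for a in m.groups()
            if not (len(a) >= 2 and a[0] == '"' and a[-1] == '"')]

def bu_command(symbol: str, body: str) -> str:
    """Build the one-line bu command, escaping quotes for the outer "..." pair."""
    if not braces_balanced(body):
        raise ValueError("unbalanced braces in breakpoint body")
    bad = unquoted_scmp_args(body)
    if bad:
        raise ValueError("unquoted $scmp operand(s): %r" % bad)
    return 'bu %s "%s"' % (symbol, collapse(body).replace('"', '\\"'))
```

Note that this only fixes the quoting; as Scott points out, an alias set outside the breakpoint command is expanded once, so the comparison value still has to be refreshed inside the command or in a script it launches.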
“raj_r” wrote in message news:xxxxx@windbg…
I’ll let you deal with that one when you get to it though
you may as well say how now so that the archive has an informational thread,
because I found another route and made it more generic
if I get stuck on one rock I tend to simply flow away through its
sides till I eventually reach the ocean
here is how I did what I wanted
F:\windbg\scripts>type logcrap.txt
bu nt!PspCreateProcess "gu; $$>a< .\scripts\testscr.txt ${$arg1}"
F:\windbg\612windbg\scripts>type testscr.txt
as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
.block { .if ($scmp("${foo}","${$arg1}") == 0) {.echo ${$arg1}.exe started stopping windbg;} .else { .echo ${foo};g }}
kd> sxe ibp;.reboot
Shutdown occurred at (Thu Oct 4 23:37:10.125 2012 (UTC + 5:30))…unloading all symbol tables.
Waiting to reconnect…
Connected to Windows XP 2600 x86 compatible target at (Thu Oct 4 23:37:23.093 2012 (UTC + 5:30)), ptr64 FALSE
cut version info
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> $$>a< .\scripts\logcrap.txt smss.exe
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a< .\scripts\testscr.txt smss.exe"
kd> g
smss.exe.exe started stopping windbg <-----------------------------
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81291830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000b50 HandleCount: 35.
Image: System
PROCESS ffb5a998 SessionId: none Cid: 0194 Peb: 7ffdd000 ParentCid: 0004
DirBase: 06c37000 ObjectTable: e17fd5d0 HandleCount: 0.
Image: smss.exe
kd> we can now set process-specific bps on smss.exe as the EPROCESS is now available, but with no active threads yet
kd> let's break on logonui.exe
kd> $$>a< .\scripts\logcrap.txt logonui.exe
breakpoint 0 redefined
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a< .\scripts\testscr.txt logonui.exe"
kd> g
autochk.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
logonui.exe.exe started stopping windbg
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> let's break on some autorun malware, say calc.exe
kd> $$>a< .\scripts\logcrap.txt calc.exe
breakpoint 0 redefined
kd> bl
0 e 805802e7 0001 (0001) nt!PspCreateProcess "gu; $$>a< .\scripts\testscr.txt calc.exe"
kd> g
svchost.exe
spoolsv.exe
userinit.exe
explorer.exe
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
vmusrvc.exe
calc.exe.exe started stopping windbg
nt!NtCreateProcessEx+0x7e:
8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
kd> if there is a process creation windbg will let me know in kernel mode; who wants sxe cpr:process?
kd> BTW Pavel Lebedynsky posted a sequence to break in kernel mode in another thread
kd> might have to check it as it talks about the ntuserProcessXXX api, resetting of global flags and loading of kernel symbols (+ksl flag in !gflag)
F:\windbg\scripts>
On 10/4/12, Scott Noone wrote:
> “raj_r” wrote in message news:xxxxx@windbg…
>>so i have this in a script file
> …
>>kd> g
>>Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
>
> You still want the double quotes. However, in this case you’re doing a
> conditional breakpoint:
>
> bu address “command”
>
> So the quotes need to be escaped. Something like:
>
> ".block {gu; .if ( $scmp(\"${foo}\",\"calc.exe\") == 0 ) {.echo 'calc started';} .else {.printf \"${foo}\"; g} }"
>
> (Note that I also changed your printf statement as the alias is not an
> address, it’s a string!)
>
> Which, yes, is spaghetti. The fact that it's a conditional breakpoint
> means that it has special quoting rules AND that it has to all fit on one
> line, which makes it pretty much impossible for a human to parse. The
> trick that I use though is to work on the command in a more natural
> format and then collapse it when I want to try it (this could also be
> automated through scripting, but the manual approach works):
>
> .block
> {
> gu;
> .if ( $scmp("${foo}","calc.exe") == 0 )
> {
> .echo ‘calc started’;
> }
> .else
> {
> .printf "${foo}";
> g
> }
> }
>
> I know that you mentioned you tried it with escape quotes and that it
> didn't work, but I suspect there was something else going on (such as the
> printf).
>
> Also, I don't think this script does exactly what you're expecting. In
> the case of this script, the value of ${foo} stays constant and does not
> reevaluate for each invocation of the breakpoint. I'll let you deal with
> that one when you get to it though
>
> -scott
>
>
>
> “raj_r” wrote in message news:xxxxx@windbg…
>
> so i have this in a script file
>
> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
> bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"
>
> run the script
>
> kd> $<.\scripts\logret.txt
>
> kd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
> kd> bu nt!PspCreateProcess ".block { gu;.if ( $scmp('${foo}','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , ${foo}; } }"
> breakpoint 0 redefined
> kd> al
> Alias Value
> ------- -------
> foo cmd.exe
> kd> bl
> 0 e 805802e7 0001 (0001) nt!PspCreateProcess ".block { gu;.if ( $scmp('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } }"
>
> kd> g
> Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
> kd> g
> Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
> kd> g
> Syntax error at '('cmd.exe','calc.exe') == 0 ) {.echo 'calc started';g;} .else {.printf '%ma' , cmd.exe; } '
> nt!NtCreateProcessEx+0x7e:
> 8057fcc2 e8af27f6ff call nt!_SEH_epilog (804e2476)
>
> I don't know what syntax I need to give this
>
> if I use double quotes over foo like "${foo}" it errs
> if I escape like \"${foo}\" it errs
> in single quotes it errs
>
> also it seems expansion doesn't take place since I am doing something
> stupid with quotes or placement of .block
>
> any pointers?
>
> On 10/4/12, xxxxx@flounder.com wrote:
>> We used to refer to this as "death by insidious quoting". Most
>> interpreted languages that allow quoted strings usually suffer from this;
>> every Unix shell (and the shells had inconsistent rules for how to handle
>> them), and in general the problem is that you need to know how many
>> levels of macros the parameter is passed through to know how many quotes
>> to add. C finally solved this with the # (and ##) preprocessor operators.
>> It mostly works, most of the time.
>> joe
>>
>>> and one needs to quote too even if you make an alias, which is what I was
>>> actually failing to grasp
>>>
>>> it now works and I get a bool result if I use it like below, and
>>> comments on OS and/or structure-offset independence and/or
>>> robustness are welcome
>>>
>>> lkd> as /ma ${/v:foo} @@c++((char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName)))
>>> lkd> al
>>> Alias Value
>>> ------- -------
>>> foo firefox.exe
>>> lkd> ? $scmp(foo,"firefox.exe")
>>> Syntax error at '(foo,"firefox.exe")'
>>> lkd> ? $scmp(${foo},"firefox.exe")
>>> Syntax error at '(firefox.exe,"firefox.exe")' <---------- look at this
>>>
>>> lkd> ? $scmp("${foo}","firefox.exe")
>>> Evaluate expression: 0 = 00000000
>>>
>>>
>>>
>>>
>>> On 10/4/12, raj_r wrote:
>>>> This expression also takes a bit of a leap of faith that
>>>> ((PsActiveProcessHead+4))-88) actually means something
>>>>
>>>> hehe, I knew anyone dealing with debuggers day in, day out would figure
>>>> those constants out in a jiffy
>>>>
>>>> it is far easier to type in constants than to type text that spans
>>>> multiple lines in the command window
>>>>
>>>> instead of 4 and 88 you would need about two lines of bs to get the
>>>> same thing
>>>>
>>>> if you want an expression that is more OS-friendly you would
>>>> need something like below
>>>>
>>>> lkd> ?? (char *)@@C++(((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))->Blink) - @@c++(#FIELD_OFFSET(nt!_EPROCESS , ActiveProcessLinks)) + @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>> char * 0x85faf194
>>>> "firefox.exe"
>>>>
>>>> blink = 4
>>>> activeprocesslinks = 88
>>>> ->imageFilename == @@c++(#FIELD_OFFSET(nt!_EPROCESS , ImageFileName))
>>>>
>>>>
>>>>
>>>> On 10/4/12, Scott Noone wrote:
>>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>>How can you type that with a straight face?
>>>>>
>>>>> Who said I did? I'll have to get a live webcam going in the office
>>>>>
>>>>> It's not that bad once you get a feel for the operators and the
>>>>> quirkiness of the two evaluators. This expression also takes a bit of
>>>>> a leap of faith that ((PsActiveProcessHead+4))-88) actually means
>>>>> something, so you have to have some idea about the data structures
>>>>> involved if you're going to have a chance.
>>>>>
>>>>>>Clearly, what the world needs most right now is a Windbg clone with
>>>>>>an embedded Python interpreter…
>>>>>
>>>>> Someone wrote a Python extension:
>>>>>
>>>>> http://pykd.codeplex.com/
>>>>>
>>>>> I keep meaning to take the time to learn Python so I can evaluate if
>>>>> this actually works. If someone who already knows Python wants to try
>>>>> it and let me know their experience I'd like to hear about it.
>>>>>
>>>>> -scott
>>>>>
>>>>>
>>>>>
>>>>> “Tim Roberts” wrote in message news:xxxxx@windbg…
>>>>>
>>>>> Scott Noone wrote:
>>>>>> Your alias is ultimately resolving to an address but the operators
>>>>>> expect
>>>>>> quoted strings:
>>>>>>
>>>>>> 1: kd> as /ma ${/v:foo} @@c++((char *)@@c++((nt!_eprocess *)@@masm(poi(nt!PsActiveProcessHead+4)-88))->ImageFileName)
>>>>>
>>>>> How can you type that with a straight face? It makes my head hurt.
>>>>> Does using a debugger really have to be as incomprehensible as
>>>>> programming in APL?
>>>>>
>>>>> Clearly, what the world needs most right now is a Windbg clone with
>>>>> an embedded Python interpreter…
>>>>>
>>>>> –
>>>>> Tim Roberts, xxxxx@probo.com
>>>>> Providenza & Boekelheide, Inc.
>>>>>
>>>>>
>>>>> —
>>>>> WINDBG is sponsored by OSR
>>>>>
>>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>>> http://www.osr.com/seminars
>>>>>
>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>> http://www.osronline.com/page.cfm?name=ListServer
>>>>>
>>>>
>>>