redirecting output from debugger commands

I would want to use the output of some debugger commands in some other
debugger commands.

For example, I want to automate setting a breakpoint on this output, i.e. I want to
set a bp on 0x7c810867 in one go instead of copy-pasting:

0:000> dt _context Eip poi(esp+4)
ntdll!_CONTEXT
+0x0b8 Eip : 0x7c810867

like bp "output of this command"

instead of
some command
copy output
bp paste
enter

I'm able to automate it only up to a certain extent, till here:

ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> bp ntdll!NtContinue "dt _context Eip poi(esp+4)"
0:000> g
ntdll!_CONTEXT
+0x0b8 Eip : 0x7c810867

but after this I can't find how to extract the output and set another bp:

ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> bp ntdll!NtContinue "bp dt _context Eip poi(esp+4)"
0:000> g
Bp expression 'dt ' could not be resolved, adding deferred bp
Couldn't resolve error at '_context Eip poi(esp+4)'

Are there any cool tricks that I could use for scenarios like this?

regards

raj_r

There may very well be something that does this built in, but I do not
know of it. The only thing that I can think of even in the ballpark is
'.shell'. I've never used it, and I don't think that it will really do
what you want, at least reasonably speaking, but it might be worth a
look. Failing that, it would be quite easy to write a WinDbg extension
that took two commands, but you would have to do the filtering.

Good luck,

mm


Thanks Martin,

I already played with .shell; it simply barfs trying to process all
those string outputs as shell commands.

It looks like a simple request, but I can't for the life of me find
something easy enough to do this :(

0:000> .shell -ci "dt _context Eip poi(esp+4)"
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

G:\windbg>ntdll!_CONTEXT
'ntdll!_CONTEXT' is not recognized as an internal or external command,
operable program or batch file.

G:\windbg> +0x0b8 Eip : ??
'+0x0b8' is not recognized as an internal or external command,
operable program or batch file.

G:\windbg>Memory read error 00c9f7aa
'Memory' is not recognized as an internal or external command,
operable program or batch file.

or like this

0:000> .shell -ci "dt _context Eip poi(esp+4)" findstr "Eip"
+0x0b8 Eip : ??
.shell: Process exited

0:000> .shell -ci "dt _context Eip poi(esp+4)" findstr /c:Eip
+0x0b8 Eip : ??
.shell: Process exited

regards

raj_r


Prepare for the WinDBG Cryptic Command of the Day (maybe we should start a
calendar)

In KM you can do it through a pseudo register since those are supported by
the r? command:

r? @$t0 = ((nt!_CONTEXT*)0x12345678)->Eip; bp @$t0

I don’t know if this works in user mode or if it results in more or less
work, but thought I’d share.

-scott

Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Impressive, Scott. WinDbg does have a nice natural syntax. If you
still have months left on your calendar, Doron posted a beauty using
‘dl’ a while back that makes this one look clear.

Thanks,

mm


Martin O'Brien wrote:
> Impressive, Scott. WinDbg does have a nice natural syntax.

I agree, although you forgot the tags around that.

However, it's hard to know how to do any better. I've used low-level
debuggers on a large number of PC and mainframe operating systems over the
decades. All of them must have made sense to someone at some point, but
feature creep makes them all essentially devolve into Sanskrit. gdb on
Linux has a lot of things I like, but there are still a lot of corners
I’m afraid to crawl into. We’ve even written a couple of hardware
debuggers, and although they always start out pure and beautiful, sooner
or later we find a need we didn’t anticipate, and the patch ends up
introducing generic ugliness.

I’ve used several debuggers (including one we wrote) that had a Forth
interpreter at the core. Now, Forth is not the most natural language in
the world, but it is at least consistent.

The key, in my opinion, is discoverability. You should be able to
figure out what you need without having to resort to Google. The old
Win3/Win95/Win98 kernel debugger had this. gdb has this. WinDbg used
to have this, but I, for one, would never have come up with Scott’s
command on my own.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Scott Noone, thanks a lot.
I improvised it a bit to make it work in userland:

0:000> r? @$t0 = ((ntdll!_context*)0x6fd30)->Eip
0:000> ? $t0
Evaluate expression: 2088831079 = 7c810867

0:000> r? @$t0 = ((ntdll!_context*)@@(poi(esp+4)))->Eip
0:000> ? $t0
Evaluate expression: 2088831079 = 7c810867

0:000> r? @$t0 = ((ntdll!_context*)@@(poi(esp+4)))->Eip;bp $t0
0:000> bl
0 e 7c90d619 0001 (0001) 0:**** ntdll!ZwContinue
1 e 7c810867 0001 (0001) 0:**** kernel32!BaseProcessStartThunk

ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> bp ntdll!NtContinue "r? @$t0 = ((ntdll!_context*)@@(poi(esp+4)))->Eip;bp $t0;g"
0:000> bl
0 e 7c90d619 0001 (0001) 0:**** ntdll!ZwContinue "r? @$t0 = ((ntdll!_context*)@@(poi(esp+4)))->Eip;bp $t0;g"
0:000> g
Breakpoint 1 hit
eax=010563b8 ebx=7ffdf000 ecx=020bffb5 edx=0000004a esi=00c9f736 edi=00c9f6f2
eip=7c810867 esp=0006fffc ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202
kernel32!BaseProcessStartThunk:
7c810867 33ed xor ebp,ebp

thanks a lot

raj_r
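The same r? pseudo-register trick, as an added example that is not part of the thread: a WinDbg script file that plants the NtContinue breakpoint with its command string, guards against a zero Eip before setting the second breakpoint, and makes that second breakpoint one-shot. It assumes a 32-bit user-mode target with ntdll symbols resolved, that the CONTEXT pointer is the first stack argument at ntdll!NtContinue (esp+4, as in raj_r's session), and a placeholder script path.

```windbg
$$ Added example (not from the thread): a WinDbg script that applies the r?
$$ pseudo-register trick from Scott Noone's reply, in raj_r's user-mode form,
$$ to land on whatever address NtContinue is about to resume at.
$$ Assumptions: 32-bit user-mode target, ntdll symbols resolved, and the
$$ CONTEXT pointer is the first stack argument (esp+4) at ntdll!NtContinue.
$$ Load it with:  $$>< C:\scripts\bp_on_continue.txt   (placeholder path)

$$ The breakpoint command does the whole copy-paste step in one go:
$$   1. r? evaluates with the C++ evaluator, casts the raw pointer that the
$$      MASM evaluator produced inside @@(poi(esp+4)), and stores CONTEXT.Eip
$$      in the pseudo-register $t0
$$   2. .if guards against a zero Eip so no bogus breakpoint is planted
$$   3. ln prints the nearest symbol for the captured address
$$   4. bp /1 sets a one-shot breakpoint there and g resumes the target
bp ntdll!NtContinue "r? @$t0 = ((ntdll!_CONTEXT*)@@(poi(esp+4)))->Eip; .if (@$t0 != 0) { ln @$t0; bp /1 @$t0 }; g"

$$ Verify that the breakpoint and its attached command string were registered.
bl

$$ Resume. At the next NtContinue the command stores Eip, plants the one-shot
$$ breakpoint and continues, and the debugger then breaks at the resume
$$ address (kernel32!BaseProcessStartThunk in raj_r's session).
g
```

The one-shot form (`bp /1`) keeps the breakpoint list from filling with a new entry on every NtContinue, and the `.if` check keeps a failed read of the CONTEXT from turning into a breakpoint at address 0. $t0 through $t19 are the user pseudo-registers, so several captured values can be kept side by side if the command needs more than one.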


It took me a couple of days to get dl to work properly :(. It is certainly faster to use dp and just know the offset of the LIST_ENTRY within your structure than trying to remember the dl syntax. Sigh. Perhaps a debugger extension that took the field name, type name and list head would be easier than dl…

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Wednesday, December 19, 2007 10:10 AM
To: Kernel Debugging Interest List
Subject: Re:[windbg] redirecting output from debugger commands


Ah, yes, anything involving !list is incredibly amusing. The debugger docs
actually have a similar example and I use it in Debug Lab to demonstrate how
out of control the syntax can get.

I’d say you’re definitely way better off writing an extension at that point.
At least you’ll have it in source control and not in some random TXT file on
your drive (cuz I’d love to meet the person who could whip that out from
memory on their first try).

-scott

Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


Agreed, Tim; as things like this evolve over time, they tend to devolve
as well, and that’s just the way it is. Your last paragraph is what
makes the whole thing confusing and frustrating to me. How on earth are
you supposed to figure out things like this in any reasonably productive
time frame, as there is not really any incentive to do so, because going
about it a different way, like writing an extension, or in most cases
even just giving up and living without it is a lot more productive than
trying to navigate the documentation and lack of examples. There are a
few specific instances where I did what Doron did with ‘dl,’ which was
pretty much to just insist that I was going to get it to work for no
reason other than to do so, but I pretty much just short circuit the
whole thing and write an extension most of the time, and not uncommonly
come to find that it was not always a very good decision. This is not
one of those cases, as the odds of me either remembering that or even
just typing it correctly are basically zero considering how often I
would use it, but the more general case of what am I missing does
trouble me from time to time, and I wonder whether cleaning up the
documentation and some examples would help with that.

mm


Extensions are my approach to these sorts of problems as well, although
I think my tendency to immediately do so when presented with problems
like this does cause me to fail to take advantage of some of WinDbg’s
useful, less well known/documented facilities sometimes.

mm


On 12/19/07, Martin O'Brien wrote:
> How on earth are
> you supposed to figure out things like this in any reasonably productive
> time frame, as there is not really any incentive to do so, because going
> about it a different way, like writing an extension, or in most cases
> even just giving up and living without it is a lot more productive than
> trying to navigate the documentation and lack of examples

Well, it took more than 2 hours before I gave up and posted this query :)
I crawled many of my own answers from some time past that dealt with
the @@poiblah syntax, and Google as well as the help file.

A simple query of pipe, piping, redirection and all such common
words that one could conjure up in memory in the time frame yields no
results in the windbg help file.

Yes, I was aware of gdb syntax like x (* ulong *) $esp+4, though I have
never seen it being used in the windbg help file or on Google.
This query and Scott's answer actually opened up some ways to
experiment with the syntax that's either undocumented or hidden pretty
deep inside the help file where it is impossible to ferret it out;
the only chance to find this might be by some accident, it seems.

thanks and regards

raj_r