Tracing a program until a defined string is referenced

Hello,

I’m seeking a way to trace a program in WinDbg until a specific string is referenced, for example:

Imagine I’m looking for “helloworld”, which is located at an unknown location in the program’s memory.

I want WinDbg to stop when it actually matches this string in a register or memory,
for example

[eax] == “helloworld”

mov edx,[eax]

WinDbg would stop because edx contains an address of a string equal to “helloworld”.

What is the best way to accomplish such a task?

thanks.

IF there is one particular instruction that you need to check, this is
possible. Breakpoints can have a set of commands to execute when they
are hit. So, you can put a breakpoint on that one instruction, have it
fetch the contents of the dword at eax, and compare that to a constant.
If it doesn’t compare, you would continue the execution. This takes a
long time, because you have to stop for the breakpoint every time the
instruction comes up.

Something like: bp 0x80102222 "j (poi(@eax) != 0x4c4c4548) 'g'; ''"

If you need to break every time that string is loaded anywhere in the
program, your task is hopeless. You would need an instruction-level
simulator, not a debugger.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
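Tim’s sketch above, written out as an added example (not from the original thread) with the syntax WinDbg actually accepts: poi takes parentheses, j wants its two commands single-quoted inside the double-quoted breakpoint command, and the constant is the first four bytes of the string as a little-endian dword, so lowercase “hell” is 0x6c6c6568 (0x4c4c4548 would be uppercase “HELL”). The instruction address 00401178 is an assumption; substitute the one instruction you care about.

```windbg
$$ Added example, not from the original thread. 00401178 is an assumed instruction address.
$$ Constants are the string's bytes as little-endian dwords:
$$   "hell" = 0x6c6c6568   "owor" = 0x726f776f   "ld\0" = 0x00646c (low 24 bits of the next dword)
$$ Tim's sketch with working syntax: stay stopped when [eax] starts with "hell", else resume.
$$ gc (not g) resumes the way execution arrived, so the breakpoint also behaves while stepping.
bp 00401178 "j (poi(@eax) == 0x6c6c6568) ''; 'gc'"

$$ Safer form. eax is not always a valid pointer at that instruction, and poi() on unmapped
$$ memory fails the breakpoint command and leaves the target stopped for the wrong reason.
$$ $vvalid() checks that 11 bytes are readable first, and comparing all of "helloworld\0"
$$ avoids stopping on "hello there". This is still one stop per execution of the instruction.
bp 00401178 ".if ($vvalid(@eax, 0n11) == 0) { gc } .else { .if ((poi(@eax) == 0x6c6c6568) & (poi(@eax+4) == 0x726f776f) & ((poi(@eax+8) & 0xffffff) == 0x00646c)) { .echo [eax] is helloworld; da @eax } .else { gc } }"
```

The second form costs the same round trip per hit as the first; the point of $vvalid is only that a garbage eax does not terminate the breakpoint’s command list, which is what the “Memory access error” later in this thread shows happening.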

Alternatively, you could use the “ba r” command to break when the string memory location is being accessed for reading.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Tuesday, September 09, 2008 1:24 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Tracing a program until a definded string is referenced

You are currently subscribed to windbg as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

If your string is constant, then you could scan physical memory (!search) (for user mode, you would just scan your virtual address space) for the string, and then break on that address, but I don’t imagine that is what you mean. Otherwise, if I understand you correctly, you pretty much would have to single step in some way, shape or form. While only certain opcodes could reference memory in a way that you might be interested in, you would have to evaluate the opcode to determine that, which would either also require effectively single stepping or something really complicated like simulation or binary translation. No matter how you do this, it is going to be unbearably slow, and I think you would be better off exploring this outside of WinDbg via the use of a customized simulator that recorded program activity during a run. This would at least remove the over-the-wire time, but I would think long and hard before I did either of these about why it is that you can’t narrow this problem down.

If you decide to proceed in WinDbg, here’s my best guess as to how to do this. You might be able to do this with a conditional
breakpoint in theory, but I’m not sure that you could handle all the permutations on registers within a conditional breakpoint.
That is, since you don’t know what you’re looking for in the way of code that will be doing the referencing, you would have to do
something like if ((eax==) || (ebx=) …), and I haven’t any idea if that works or not. Don’t do this.

I wouldn’t do what you’re considering at all, but if I had to do this in WinDbg, I would try writing an extension that would
disassemble the current instruction and check to see if it referenced memory that matched. This would be a lot of work, and would
also be unbearable to use in practice, because you are still in effect single stepping, plus you have to do all the host side WinDbg
processing, pull the referenced memory, do the comparison, and finally resume execution. Don’t do this either.

Why do you need to do this? Not knowing the address of a pattern you seek is not unusual, nor is not knowing the address of an
instruction that references a certain address, but not knowing either is unusual, and it’s a bit of a problem, at least as I see it.

There has to be some way you can narrow this problem down by specifying some detail. Ideally, there has to be some way to avoid
this problem altogether.

Good luck,

mm
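The “narrow it down” route that Jen-Lung Chiu (“ba r”) and mm (scan memory for the string, then break on that address) both point at, as an added example that is not part of the original thread. It finds the string first and then lets a hardware breakpoint catch whichever instruction reads it, so there is no per-instruction cost at all. The hit address 0040a15f is an assumption standing in for whatever the search prints. If the string is only built at run time (mm’s objection), the search succeeds only after it exists, so run it from a breakpoint later in execution and set the ba there.

```windbg
$$ Added example, not from the original thread. 0040a15f is an assumed search hit.

$$ 1. Search the target's virtual address space for the ASCII string. s works in user
$$    and kernel mode on virtual memory; mm's !search is the physical-memory variant.
$$    Each hit prints as "<address>  <hex bytes>  helloworld...".
s -a 0 L?80000000 "helloworld"

$$ 2. Hardware breakpoint on the first four bytes of the hit. On x86 "ba r" fires on
$$    reads and writes of that location, and the debugger stops on the instruction
$$    that touched it (the "mov edx,[eax]" from the question), with eax still pointing
$$    at the string.
ba r4 0040a15f

$$ 3. The same thing automated: s -[1]a prints only the addresses and .foreach hands
$$    each one to ba. x86 has four debug registers, so narrow the range until there
$$    are at most four hits, or the later ba commands fail.
.foreach (hit { s -[1]a 0 L?80000000 "helloworld" }) { ba r4 hit }
g
```

When the breakpoint fires, r and da @eax (or whichever register the faulting instruction used) confirm the match; bl lists the hardware breakpoints consumed.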

Jen-Lung Chiu wrote:
> Alternatively, you could use the “ba r” command to break when the string memory location is being accessed for reading.

Ah, but the “requirements document” said that the string was at an
unknown location in memory…


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You could break when the string is allocated/initialized; then you will know the address.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Tuesday, September 09, 2008 1:56 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Tracing a program until a definded string is referenced


Aren’t you assuming that it is initialized by a constant and/or dynamically allocated? The impression I got from his post is that
he knows nothing about this program.

mm

I think I’m missing something - wouldn’t that be subject to the same problem? That is, presumably he does not have source code, and he didn’t say that the string is constant or initialized with a constant, so how would he know that something is an allocation that he is interested in, in a way simple enough to use ba <>.

in without getting into some sort of complicated extension kind of like I mentioned earlier, but just monitors

On 9/10/08, xxxxx@hotmail.com wrote:
If you are not going to limit yourself to WinDbg but are free to use other debuggers (since you are talking about helloworld, I assume you are interested in application debugging only and not kernel-mode debugging), I can suggest you try OllyDbg.

In OllyDbg hit Ctrl+T, select the “condition is true” box, and in the edit box type

eax == “this”

(“this” is the start of the string you are looking for; as an example you can enter “hello” for your “helloworld”. You do know the string, don’t you? Or are you looking for any string in any register at any IP?)

Then do Ctrl+F11 (trace into). If there is a match, OllyDbg will stop automatically.

Log data, item 0
Address=00401178
Message=Conditional pause: eax == “this”

EAX 0012FF54 ASCII “this is the crap str that prolly went to some register”
ECX 0040A15F ASCII “trying to do some crap with register string”

code for above break

#include <stdio.h>

int main(void)
{
    register char *somecrapstring;
    /* must be an array, not a single char, to hold the whole string */
    char crapstr[] = "this is the crap str that prolly went to some register";

    printf("trying to do some crap with register string\n");
    somecrapstring = crapstr;
    printf("see if it worked in debugger %s ", somecrapstring);
    return 0;
}

In WinDbg you can also achieve this with some blah blah like the script below (strtr.txt):

r $t1 = poi(eax)
.if ( $t1 == 73696874 ) { } .else { t "$<strtr.txt" }
See the output below for the result, but this method is excruciatingly, painfully, unbearably, hopelessly crawling slow, with a very buggy routine that keeps on spitting error 0x80004005 (unspecified error) for every single step, with a

stack overflow problem in dbgeng -> vsnprintf -> msvcrt _woutput function

0:000> r $t1 = poi(eax)
Memory access error at ')'
0:000> .if ( $t1 == 73696874 ) { } .else { t "$<strtr.txt" }
Command file caused an implicit wait
Command file execution failed, HRESULT 0x80004005
    "Unspecified error"
0:000> r $t1 = poi(eax)
Memory access error at ')'
0:000> .if ( $t1 == 73696874 ) { } .else { t "$<strtr.txt" }
Command file caused an implicit wait
Command file execution failed, HRESULT 0x80004005
    "Unspecified error"
0:000> r $t1 = poi(eax)
Memory access error at ')'
0:000> .if ( $t1 == 73696874 ) { } .else { t "$<strtr.txt" }
Command file caused an implicit wait
Command file execution failed, HRESULT 0x80004005
    "Unspecified error"
0:000> r $t1 = poi(eax)
0:000> .if ( $t1 == 73696874 ) { } .else { t "$<strtr.txt" }
0:000>
0:000>
eax=0012ff54 ebx=7ffd9000 ecx=0040a15f edx=ffffffff esi=0040a15f edi=0012ff8b
eip=00401178 esp=0012ff4c ebp=0012ff8c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
stringloop!_GetExceptDLLinfo+0x11f:
00401178 50              push    eax
0:000> da eax
0012ff54  "this is the crap str that prolly"
0012ff74  " went to some register"
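The strtr.txt loop from the reply above, rewritten as an added example that is not part of the original thread. The posted script re-enters itself with t "$<strtr.txt" on every step, which nests one script execution inside another for every instruction traced, and poi(eax) aborts the script whenever eax is not a readable pointer, which is the “Memory access error at ')'” repeated in the transcript. This version uses a .while loop instead of recursion, checks readability with $vvalid before dereferencing, and scans all six general registers, so it also catches the “mov edx,[eax]” case from the question. The file name strtr2.txt and the step limit are assumptions; run it with $$><strtr2.txt so the whole loop is executed as one command block. It is still single-stepping, so it is exactly as slow as Tim and mm warn, just without the per-step errors.

```windbg
$$ strtr2.txt -- added example, not from the original thread. Run with: $$><strtr2.txt
$$ Single-step until any general register points at memory starting with "this"
$$ (little-endian dword 0x73696874). The step limit is an arbitrary assumption.
r $t0 = 0n100000
r $t1 = 0x73696874
r $t2 = 0
.while ((@$t0 > 0) & (@$t2 == 0)) {
    r $t0 = @$t0 - 1
    $$ $vvalid() first: poi() on unreadable memory would terminate the whole script.
    .if ($vvalid(@eax, 4)) { .if (poi(@eax) == @$t1) { r $t2 = @eax } }
    .if ($vvalid(@ebx, 4)) { .if (poi(@ebx) == @$t1) { r $t2 = @ebx } }
    .if ($vvalid(@ecx, 4)) { .if (poi(@ecx) == @$t1) { r $t2 = @ecx } }
    .if ($vvalid(@edx, 4)) { .if (poi(@edx) == @$t1) { r $t2 = @edx } }
    .if ($vvalid(@esi, 4)) { .if (poi(@esi) == @$t1) { r $t2 = @esi } }
    .if ($vvalid(@edi, 4)) { .if (poi(@edi) == @$t1) { r $t2 = @edi } }
    $$ No match yet: take exactly one step and re-check the registers.
    .if (@$t2 == 0) { t }
}
.if (@$t2 != 0) { .echo string referenced, register state:; r; da @$t2 } .else { .echo step limit reached without a match }
```

On the poster’s stringloop sample this stops at the same push eax shown in the transcript, with $t2 holding 0012ff54. Comments use $$ rather than * because $$><: joins lines with semicolons, and a * comment would swallow the rest of the block.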