Windbg Disassembly Question

Is there a way to get just the src operand register? I'm hoping for something like:

$r = get_src_op_reg($eip)

Or the like?

Not as far as I know.

You can get the effective address via $ea, but that’s about it directly.

Otherwise (assuming I'm correct), you're down to parsing the output of u
(etc.) or IDebugControl::Disassemble() (etc.)

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@vdalabs.com
Sent: Wednesday, July 14, 2010 9:52 AM
To: Kernel Debugging Interest List
Subject: [windbg] Windbg Disassembly Question

Is there a way to get just the src operand register? I'm hoping for something like:

$r = get_src_op_reg($eip)

Or the like?


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Agreed. Cooking up an extension that calls IDebugControl::Disassemble on the
current instruction pointer and parses the result should be relatively
straightforward.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“M. M. O’Brien” wrote in message
news:xxxxx@windbg…
> Not as far as I know.
>
> You can get the effective address via $ea, but that’s about it directly.
>
> Otherwise (assuming I’m correct), you’re down to parsing the output of u
> (et. c.) or IDebugControl::Disassemble() (et. c.)
>
>
> Good luck,
>
> mm

What would the regex look like? I mean it could be anything from:
mov ebx,dword ptr [eax+4]

to:

mov ah, al

Couldn’t it?


From: Scott Noone
To: Kernel Debugging Interest List
Sent: Wed, July 14, 2010 11:03:08 AM
Subject: Re:[windbg] Windbg Disassembly Question

Agreed. Cooking up an extension that calls IDebugControl::Disassemble on the
current instruction pointer and parses the result should be relatively
straightforward.

-scott


With lots of other possibilities as well.

I don’t know off the top of my head, but I would think that it would
certainly be amenable to parsing by regular expression.

Good luck,

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jared DeMott
Sent: Wednesday, July 14, 2010 11:17 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Windbg Disassembly Question

What would the regex look like? I mean it could be anything from:
mov ebx,dword ptr [eax+4]

to:

mov ah, al

Couldn’t it?


Hello,

* On Wed, Jul 14, 2010 at 08:17:22AM -0700 Jared DeMott wrote:

> What would the regex look like? I mean it could be anything from:
> mov ebx,dword ptr [eax+4]
> to:
> mov ah, al
> Couldn't it?

Don’t forget “goodies” like LAHF, AAM, DAM and the like, CBW, CWD, CWDE,
CDQ, and others which imply their arguments (that is, these are
implicitly…)

Regards
Spiro.


Spiro R. Trikaliotis http://opencbm.sf.net/
http://www.trikaliotis.net/ http://www.viceteam.org/

Now you're just scaring the OP :) It might still be worth it for him though.
Good thing though is that you don't have to handle every possible input on
the first iteration; the compiler doesn't tend to be very exotic in the
commands it spits out.

And it’s just a debugging aid, if it saves you some typing or copy/pasting
most of the time and just bails if it can’t figure out some whack-o
instruction then oh well. I think it’s OK for things like debugger scripts
or extensions to have a very narrow focus, even if it only handles one input
that might be enough to make your life easier.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


There is no easy way to do that because there can be multiple “source”
registers. A simple example is,

mov eax, [eax+ebx*2]

If you only care about the special cases like mov m32/r32, r32 then
you can easily do a regex. I’d tokenize it first based on the “,” and
then filter out everything that is not {eax, ebx, ecx, …}.

The ideal solution is definitely to write a plugin that uses a
different disassembly engine that already does this work for you (and
more). I suggest using my friend beatrix’s beaengine. It is my
favorite.

–bruce


I agree with Snoone's point that if all you need is basic information, you
can probably get by with a regex, but what Bruce suggests below - different
engine - is what I've done in the past as well, when necessary, though I
used diStorm.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bruce Dang
Sent: Wednesday, July 14, 2010 11:30 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Windbg Disassembly Question

There is no easy way to do that because there can be multiple “source”
registers. A simple example is,

mov eax, [eax+ebx*2]

If you only care about the special cases like mov m32/r32, r32 then you can
easily do a regex. I’d tokenize it first based on the “,” and then filter
out everything that is not {eax, ebx, ecx, …}.

The ideal solution is definitely to write a plugin that uses a different
disassembly engine that already does this work for you (and more). I suggest
using my friend beatrix’s beaengine. It is my favorite.

–bruce


On 14/07/2010 16:21, M. M. O’Brien wrote:

> With lots of other possibilities as well.

Including some that aren’t immediately obvious, where there are implicit
operands and/or side effects.

mov ecx,
cld
rep movsd

mh.
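As an added example (not code from the thread or from any of the posters), here is a Python prototype of the tokenize-on-"," approach Bruce describes, run over constructed WinDbg `u` output, that refuses the implicit-operand instructions Spiro and mh warn about instead of returning a partial answer. The register table, the implicit-mnemonic list and the sample lines are my own assumptions, limited to 32-bit x86 as in the thread.

```python
import re

# Constructed register table: 32-bit x86 GPRs and their 16/8-bit aliases (assumption: x86-32 only).
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "si", "di", "bp", "sp",
        "al", "ah", "bl", "bh", "cl", "ch", "dl", "dh"}
# Mnemonics whose operands are implied by the encoding: a textual parse would give a wrong
# or partial answer, so the parser refuses them (list is an assumption, not exhaustive).
IMPLICIT = {"lahf", "sahf", "aam", "aad", "daa", "das", "cbw", "cwd", "cwde", "cdq",
            "movsb", "movsw", "movsd", "stosb", "stosw", "stosd", "lodsb", "lodsw", "lodsd",
            "cmpsb", "cmpsw", "cmpsd", "scasb", "scasw", "scasd", "rep", "repe", "repne"}
# Optional `u` prefix: address (may contain a backtick on x64 builds) and opcode bytes.
U_LINE = re.compile(r"^\s*(?:[0-9a-f`]{8,}\s+[0-9a-f]+\s+)?(\S.*)$", re.I)
WORD = re.compile(r"\b[a-z]+\b")  # \b keeps an immediate like '0bh' from reading as register bh

def instruction_text(u_line):
    """Strip the address and opcode-byte columns from a WinDbg `u` line, if present."""
    m = U_LINE.match(u_line)
    return m.group(1) if m else ""

def src_operand_regs(u_line):
    """Registers read by the source operand of one instruction, or None if the
    instruction cannot be handled safely.  Tokenises on ',' as Bruce suggested,
    takes the last operand (Intel syntax: destination first) and keeps only the
    tokens that are register names; a memory operand may yield several."""
    parts = instruction_text(u_line).lower().split(None, 1)
    if not parts or parts[0] in IMPLICIT:
        return None                      # empty line, rep prefix, or implied operands
    if len(parts) == 1:
        return None                      # ret, nop, cld, or a 'module!sym:' label line
    operands = parts[1].split(",")
    if len(operands) < 2:
        return None                      # single operand (push, inc, call ...)
    return sorted(t for t in set(WORD.findall(operands[-1])) if t in REGS)

# Constructed sample in the shape of WinDbg `u` output (not captured from a real session).
SAMPLE_U_OUTPUT = """\
00401000 8b5c2404        mov     ebx,dword ptr [esp+4]
00401004 8a0c18          mov     cl,byte ptr [eax+ebx]
00401007 8ae0            mov     ah,al
00401009 b904000000      mov     ecx,4
0040100e fc              cld
0040100f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
00401011 98              cwde
00401012 c3              ret
"""

def scan(u_output=SAMPLE_U_OUTPUT):
    """Pair each instruction's text with its source registers (None = refused)."""
    return [(instruction_text(l).strip(), src_operand_regs(l))
            for l in u_output.splitlines() if l.strip()]

if __name__ == "__main__":
    for text, regs in scan():
        print(f"{text:50} -> {regs}")
```

An empty list means the source operand is an immediate; None means the script should bail, as Scott suggests, rather than guess.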