Useful scripts for WinDbg using the debugger data model
Usage, examples, explanations and general rants (also available in PDF form here):
https://medium.com/@yardenshafir2/windbg-the-fun-way-part-1-2e4978791f9b
https://medium.com/@yardenshafir2/windbg-the-fun-way-part-2-7a904cba5435
- __iserror(x)
Returns true if a statement throws an error.
dx @$curprocess.Io.Handles.Where(h => !__iserror(h.Type == "File") && h.Type == "File")
- SelectMany
Flattens a nested collection, for example runs a query on all threads in all processes and flattens the results
dx @$cursession.Processes.SelectMany(p => p.Threads.Select(t => t.KernelObject.ThreadName))
- Conditional Operations
dx @$curthread.KernelObject.ActiveImpersonationInfo != 0 ? @$curthread.KernelObject.ClientSecurity.ImpersonationLevel : "Not Impersonating"
- Executing a Legacy Command
dx @$printSecurityDescriptor = (sd => Debugger.Utility.Control.ExecuteCommand("!sd " + ((__int64)sd).ToDisplayString("x") + " 1"))
- Cast Pointer to Function Address
dx @$curprocess.Threads.Select(t => (void(*)())t.KernelObject.StartAddress)
WinDbg uses regular, null terminated strings. That can be challenging when trying to compare them with Windows strings, which can be counted strings (ANSI or UNICODE strings) or wide strings. To fix that, you can cast Windows strings into "regular" strings with .ToDisplayString:
- .ToDisplayString("s"): convert a char array (not a wide string) to a string. Outout string will be wrapped in double quotes.
- .ToDisplayString("sb"): convert a char array (not a wide string) to a string. Outout string will not be wrapped in double quotes.
- .ToDisplayString("su"): convert a wchar_t array (wide string) to a string. Outout string will be wrapped in double quotes.
To convert a counted string to a basic string, convert the Buffer field of the counted string using .ToDisplayString(). For example, to convert an ANSI_STRING to a string:
dx (@$CountedString->Buffer).ToDisplayString("sb")
As another example, you can create a helper function to compare a user-defined path to the ObjectName field of an OBJECT_ATTRIBUTES structure. ObjectName is a wide string so use .ToDisplayString("su"), and wrap the requested string in double quotes to match the output received from .ToDisplayString("su"). In this helper function, the two arguments are:
- o: a pointer to an OBJECT_ATTRIBUTES structure
- p: a string to be compared to the ObjectName field of the OBJECT_ATRIBUTES structure passed in argument o
dx @$comparePathFromObjAttr = ((o, p) => (((nt!_OBJECT_ATTRIBUTES*)o)->ObjectName->Buffer).ToDisplayString("su") == "\"" + p + "\"")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent