This is a mirror of official site: http://jasper-net.blogspot.com/

Quick Tips: using debugger scripts to your advantage - .shell

Thursday, June 17, 2010
After debugging for quite some time, and looking at memory dumps almost every day, you start to think “I really need a command to do this, to do that, …” in order to ease some of the repetitive work and let you focus more quickly on the issue itself.
I find debugger scripts to be a big advantage here, and use them a lot. These are pretty simple to define and use (don't confuse them with debugger extensions; that's another story). So there are quite a few I keep at hand to ease the pain of some manual work.

The sample I’m going to provide is one of the scripts I use most, and it shows what needs to be defined and loaded into the debugger.

The purpose of this sample is to find a string in the output of a debugger command. The syntax will be

Find “ExecuteCommand” “value_to_find”

The output will be all lines that contain value_to_find

First, all you need is Notepad. Open Notepad and paste the following line

.shell -i - -ci "${$arg1}" FIND /I "${$arg2}"

Save the file as find.txt and place it in a folder.
The next step is to load this script into the debugger. Open windbg.exe and load a memory dump. Below is a sample of how to invoke my script with two parameters and the output that was returned.

Read more: Deviations
