使用Windbg脚本我想检查任何函数的参数中是否存在某个字符串。
0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00422fc6 edx=00000000 esi=03d574e8 edi=00000005
eip=76d8fd3f esp=000cf7ac ebp=000cf7c8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
USER32!MessageBoxW:
76d8fd3f 8bff mov edi,edi
0:000> du poi(esp+8)
03d574e8 "Cannot find "hello""
此处传递给MessageBoxW
的第二个参数是Cannot find "hello"
。
所以我想检查第二个参数中是否存在字符串hello
。
根据此MSDN article,我尝试了以下命令,但它无效:
0:000> r $t1 = poi(esp+8)
0:000> as /mu $MSG $t1
0:000> .echo ${$MSG}
Cannot find "hello"
0:000> .if ($spat(@"${MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
NotFound
我猜它应该返回Found
!
感谢。
答案 0 :(得分:10)
在您使用的.if
命令中,${MSG}
由于缺少 $ 而无法替换。尝试搜索 MSG 作为证据:
0:001> .if ($spat(@"${MSG}","*MSG*") == 0) {.echo NotFound} .else {.echo Found}
Found
它被替换为
0:001> .if ($spat(${$MSG},"*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(Cannot find "hello","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
但缺少的内容在无法之前有引号。它也被替换为
0:001> .if ($spat("${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '("Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
但是,引号由字符串内的引号关闭。此外,@
符号无效:
0:001> .if ($spat(@"${$MSG}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Syntax error at '(@"Cannot find "hello"","*hello*") == 0) {.echo NotFound} .else {.echo Found}'
所以这是恕我直言,他们忘了在WinDbg中考虑转义字符的情况之一。非常令人沮丧,总是错误的来源。
幸运的是有PyKD并且检查字符串的代码是
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
reg("esp")
获取ESP寄存器的值。 +8
当然增加了8个。 ptrPtr()
从该地址获取指针大小的值。 loadWStr()
从该值读取,直到它达到NUL字符。 "hello" in
执行查找操作。您也可以使用.find("hello")>0
。
以下是我尝试的方法:
0:003> .dvalloc 2000
Allocated 2000 bytes starting at 00470000
0:003> eu 00470000 "Cannot find \"hello\""
0:003> du 00470000
00470000 "Cannot find "hello""
0:003> ep 00470000+1008 00470000
0:003> r esp=00470000+1000
0:003> .load E:\debug\Extensions\pykd\x86\pykd.dll
0:003> !pycmd
Python 2.7.8 |Anaconda 2.1.0 (32-bit)| (default, Jul 2 2014, 15:13:35) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> "hello" in loadWStr(ptrPtr(reg("esp")+8))
True
>>> exit()
您可以将以下代码放入.PY文件
from pykd import *
print "hello" in loadWStr(ptrPtr(reg("esp")+8))
然后在没有交互式控制台的情况下运行它:
0:003> !py e:\debug\hello.py
True
在WinDbg中,您需要删除引号。一种方法是.foreach
:
0:001> .foreach (token {.echo $MSG}){.echo ${token}}
Cannot
find
hello
输出不再包含引号。让我们将此输出分配给另一个别名:
0:001> as /c NOQ .foreach (token {.echo ${$MSG}}){.echo ${token}}
使用这个新别名,您的命令将起作用:
0:001> .if ($spat("${NOQ}","*hello*") == 0) {.echo NotFound} .else {.echo Found}
Found
答案 1 :(得分:1)
来自评论:
让我们看看我是否得到任何基于WDS的答案。
很难相信你想要去长流浪汉。但好吧,这就是WinDbg内置解决方案:
r $t9=1;.foreach /ps fffff (endaddr {s -[1]w 00570000 L1000 0}) {.foreach /ps fffff (findaddr {s -[1]u 00570000 ${endaddr} "hello"}) {r $t9=2} }; .if (@$t9==2) { .echo "Found"} .else {.echo "Not Found"}
它做什么?好吧,我把它作为练习留给你,下面的剧透。
r $t9=1;
将T9伪寄存器设置为定义的值,以便它不会意外地等于稍后用于比较的值。
s -[1]w 00570000 L1000 0
在内存中搜索值为0的DWORD(w
),它等于字符串的Unicode结尾。[1]
仅将输出限制为地址。
.foreach /ps fffff (endaddr { ... }) {...};
将地址分配给endaddr变量。如果有很多,/ps fffff
会跳过其他调查结果。
s -[1]u 00570000 ${endaddr} "hello"
执行内存搜索,这次是对于Unicode字符串(u
),也限制地址输出([1]
)。
.foreach /ps fffff (findaddr {...}) {...}
获取搜索的输出。 findaddr变量在这里未使用,但在最终命令中可能很有用,具体取决于您要实现的目标。
r $t9=2
将T9伪寄存器更改为表示找到搜索词的值。
.if (@$t9==2) { ... } .else { ... }
基于T9伪寄存器执行某些操作。
答案 2 :(得分:1)
@deb如果找到匹配是主要要求,你可以尝试这样的事情
0:000> .printf "%y\n" , @eip
USER32!MessageBoxW (7e466534)
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> du poi(@esp+8)
00408168 "cannot find "hello""
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { s -u place l100 "\"hello\"" }
00408180 0022 0068 0065 006c 006c 006f 0022 0000 ".h.e.l.l.o."...
0040827a 0022 0068 0065 006c 006c 006f 0022 0020 ".h.e.l.l.o.". .
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { s -u place l100 "\"z\"" }
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { s -u place l100 "\"zoop\"" }
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { s -[l 20]u place l100 "can" }
00408168 0063 0061 006e 006e 006f 0074 0020 0066 c.a.n.n.o.t. .f.
0040819c 0063 0061 006e 006e 006f 0074 0020 0066 c.a.n.n.o.t. .f.
004081d0 0063 0061 006e 006e 006f 0074 0020 0066 c.a.n.n.o.t. .f.
00408204 0063 0061 006e 006e 006f 0074 0020 0066 c.a.n.n.o.t. .f.
00408238 0063 0061 006e 006e 006f 0074 0020 0066 c.a.n.n.o.t. .f.
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { s -[1]u place l100 "can" }
0x00408168
0x0040819c
0x004081d0
0x00408204
0x00408238
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { .foreach (vlace { s -[1]u place l100 "can"} ) {du vlace} }
00408168 "cannot find "hello""
0040819c "cannot find "iello""
004081d0 "cannot find "jello""
00408204 "cannot find "fello""
00408238 "cannot find "kello""
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> .foreach /pS 1 /ps 100 (place { dpu @esp+8 l1 }) { .foreach (vlace { s -[1]u place l100 "ello"} ) {du vlace} }
00408184 "ello""
004081b8 "ello""
004081ec "ello""
00408220 "ello""
00408254 "ello""
0040827e "ello" baby"
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> lsf msgboxw.cpp
msgboxw.cpp
0:000> $ ----------------------------------------------------------------------------------------------------------------------
0:000> ls 0,15
1: #include <windows.h>
2: #pragma comment(lib,"user32.lib")
3: int main (void)
4: {
5: MessageBoxW(0,L"cannot find \"hello\"",L"test",0);
6: MessageBoxW(0,L"cannot find \"iello\"",L"test",0);
7: MessageBoxW(0,L"cannot find \"jello\"",L"test",0);
8: MessageBoxW(0,L"cannot find \"fello\"",L"test",0);
9: MessageBoxW(0,L"cannot find \"kello\"",L"test",0);
10: MessageBoxW(0,L"saying \"hello\" baby",L"test",0);
11: return 0;
12: }
13:
14:
0:000> $ ----------------------------------------------------------------------------------------------------------------------