以下windbg脚本总是失败。我无法弄清楚我做错了什么。
$$
$$ print all imported function names. ${$arg1} base address of a loaded image
$$
.block {
.expr /s c++
r $t1 = ${$arg1} + ((ntdll32!_IMAGE_DOS_HEADER*)${$arg1})->e_lfanew
r $t1 = ${$arg1} + ((ntdll32!_IMAGE_NT_HEADERS*)@$t1)->OptionalHeader.DataDirectory[1].VirtualAddress
r $t0 = 0
aS ${curImpDesc} ((Mydll_00!_IMAGE_IMPORT_DESCRIPTOR*)@$t1)[@$t0]
.while (${curImpDesc}.Name != 0) {
.printf "\n Imported Image: %ma\n", (${$arg1} + ${curImpDesc}.Name)
r $t2 = 0
r $t3 = ${$arg1} + ${curImpDesc}.OriginalFirstThunk
aS ${curThunkData} ((Mydll_00!_IMAGE_THUNK_DATA32*)@$t3)[@$t2]
.while (${curThunkData}.u1.AddressOfData != 0) {
r $t4 = ${$arg1} + ${curThunkData}.u1.AddressOfData
da &(((Mydll_00!_IMAGE_IMPORT_BY_NAME*)@$t4)->Name)
r $t2 = @$t2 + 1
}
r $t0 = @$t0 + 1
}
ad ${curImpDesc}
ad ${curThunkData}
}
我编写了这个脚本来打印导入的图像名称,然后是所有导入的函数名称。如果我逐行运行这个脚本一切正常,我得到了预期的输出。但是,如果我将其作为脚本文件运行,那么我会收到错误 0:065:86> $$>一种与LT; “D:\ import.wds”0x74e70000
Unexpected character in '${curImpDesc}.Name != 0) {;....