【调试技术】Windbg 插件

概述：编写、使用 WinDbg 插件

参考文章

微软官方：

• Create custom views of C++ objects - Visual Studio (Windows) | Microsoft Learn - 阅力值 ⭐⭐⭐⭐

相关插件推荐

MEX

参考文章：在WinDbg里使用MEX调试扩展 - 活着的虫子 - 博客园

编写自定义插件

使用 C++ 编写

!wow6432threadread  ffffcf0f726e6080

JavaScript 脚本

参考链接

• JavaScript Debugger Scripting - Windows drivers | Microsoft Learn - 阅力值 ⭐⭐⭐⭐

用法示例：

• cheatsheets/windbg_cheatsheet.md at main · Sukkula/cheatsheets - 阅力值 ⭐⭐⭐⭐⭐

• 0vercl0k/windbg-scripts: A bunch of JavaScript extensions for WinDbg.

• Debugger data model, Javascript & x64 exception handling

模板

// Root of Script
host.diagnostics.debugLog("***>; Code at the very top (root) of the script is always run \n");


function initializeScript()
{
    // Add code here that you want to run every time the script is loaded. 
    // We will just send a message to indicate that function was called.
    host.diagnostics.debugLog("***>; initializeScript was called \n");
}

function invokeScript()
{
    // Add code here that you want to run every time the script is executed. 
    // We will just send a message to indicate that function was called.
    host.diagnostics.debugLog("***>; invokeScript was called \n");
}


function uninitializeScript()
{
    // Add code here that you want to run every time the script is unloaded. 
    // We will just send a message to indicate that function was called.
    host.diagnostics.debugLog("***>; uninitialize was called\n");
}


function main()
{
    // main is just another function name in JavaScript
    // main is not called by .scriptload or .scriptrun  
    host.diagnostics.debugLog("***>; main was called \n");
}

基础函数

let logln = function (e) {
    host.diagnostics.debugLog(e + "\n");
}

function read_u32(addr) {
    return host.memory.readMemoryValues(addr, 1, 4)[0];
}

function read_u64(addr) {
    return host.memory.readMemoryValues(addr, 1, 8)[0];
}

function callPrintf(showTxt, execTxt)
{
    host.namespace.Debugger.Utility.Control.ExecuteCommand(".printf /D \"<link cmd=\\\""
        + execTxt + "\\\">" + showTxt + "</link>\"", false);
    logln("");
}

获取寄存器

let Regs = host.currentThread.Registers.User;
let Args = [ Regs.rcx, Regs.rdx, Regs.r8 ];

判断当前进程是32还是64

let ProcessIs64 = function() {
    let Is64Bit = true;
    try { host.createPointerObject(0, 'nt', '_KGDTENTRY64*'); } catch(e) { Is64Bit = false; }
    return Is64Bit;
}