【调试技术】Windbg 插件

文章目录

1. 1. 相关插件推荐
   1. 1.1. MEX
   2. 1.2. Logexts
2. 2. 编写自定义插件
   1. 2.1. 使用 C++ 编写
3. 3. JavaScript 脚本
   1. 3.1. 模板
   2. 3.2. 基础函数
   3. 3.3. 获取寄存器
   4. 3.4. 判断当前进程是32还是64

概述

编写、使用 WinDbg 插件

参考文章

微软官方：

• Create custom views of C++ objects - Visual Studio (Windows) | Microsoft Learn - 阅力值 ⭐⭐⭐⭐

相关插件推荐

MEX

参考文章：在WinDbg里使用MEX调试扩展 - 活着的虫子 - 博客园

Logexts

官方文档：使用调试器和 Logexts.dll - Windows drivers | Microsoft Learn

编写自定义插件

使用 C++ 编写

!wow6432threadread  ffffcf0f726e6080

JavaScript 脚本

参考链接

• JavaScript Debugger Scripting - Windows drivers | Microsoft Learn - 阅力值 ⭐⭐⭐⭐

用法示例：

• cheatsheets/windbg_cheatsheet.md at main · Sukkula/cheatsheets - 阅力值 ⭐⭐⭐⭐⭐

• 0vercl0k/windbg-scripts: A bunch of JavaScript extensions for WinDbg.

• Debugger data model, Javascript & x64 exception handling

模板

// Root of Script
host.diagnostics.debugLog("***>; Code at the very top (root) of the script is always run \n");

function initializeScript()
{
    // Add code here that you want to run every time the script is loaded. 
    // We will just send a message to indicate that function was called.
    host.diagnostics.debugLog("***>; initializeScript was called \n");
}

function invokeScript()
{
    // Add code here that you want to run every time the script is executed. 
    // We will just send a message to indicate that function was called.
    host.diagnostics.debugLog("***>; invokeScript was called \n");
}

function uninitializeScript()
{
    // Add code here that you want to run every time the script is unloaded. 
    // We will just send a message to indicate that function was called.
    host.diagnostics.debugLog("***>; uninitialize was called\n");
}

function main()
{
    // main is just another function name in JavaScript
    // main is not called by .scriptload or .scriptrun  
    host.diagnostics.debugLog("***>; main was called \n");
}

基础函数

let logln = function (e) {
    host.diagnostics.debugLog(e + "\n");
}

function read_u32(addr) {
    return host.memory.readMemoryValues(addr, 1, 4)[0];
}

function read_u64(addr) {
    return host.memory.readMemoryValues(addr, 1, 8)[0];
}

function callPrintf(showTxt, execTxt)
{
    host.namespace.Debugger.Utility.Control.ExecuteCommand(".printf /D \"<link cmd=\\\""
        + execTxt + "\\\">" + showTxt + "</link>\"", false);
    logln("");
}

获取寄存器

let Regs = host.currentThread.Registers.User;
let Args = [ Regs.rcx, Regs.rdx, Regs.r8 ];

判断当前进程是32还是64

let ProcessIs64 = function() {
    let Is64Bit = true;
    try { host.createPointerObject(0, 'nt', '_KGDTENTRY64*'); } catch(e) { Is64Bit = false; }
    return Is64Bit;
}