概述
编写、使用 Windbg 插件
参考文章
微软官方:
- Create custom views of C++ objects - Visual Studio (Windows) | Microsoft Learn - 阅力值 ⭐⭐⭐⭐
相关插件推荐
MEX
参考文章:在WinDbg里使用MEX调试扩展 - 活着的虫子 - 博客园
Logexts
官方文档:使用调试器和 Logexts.dll - Windows drivers | Microsoft Learn
编写自定义插件
使用 C++ 编写
!wow6432threadread ffffcf0f726e6080JavaScript 脚本
参考链接
模板
// Root of Script
host.diagnostics.debugLog("***>; Code at the very top (root) of the script is always run \n");
function initializeScript()
{
// Add code here that you want to run every time the script is loaded.
// We will just send a message to indicate that function was called.
host.diagnostics.debugLog("***>; initializeScript was called \n");
}
function invokeScript()
{
// Add code here that you want to run every time the script is executed.
// We will just send a message to indicate that function was called.
host.diagnostics.debugLog("***>; invokeScript was called \n");
}
function uninitializeScript()
{
// Add code here that you want to run every time the script is unloaded.
// We will just send a message to indicate that function was called.
host.diagnostics.debugLog("***>; uninitialize was called\n");
}
function main()
{
// main is just another function name in JavaScript
// main is not called by .scriptload or .scriptrun
host.diagnostics.debugLog("***>; main was called \n");
}基础函数
let logln = function (e) {
host.diagnostics.debugLog(e + "\n");
}
function read_u32(addr) {
return host.memory.readMemoryValues(addr, 1, 4)[0];
}
function read_u64(addr) {
return host.memory.readMemoryValues(addr, 1, 8)[0];
}
function callPrintf(showTxt, execTxt)
{
host.namespace.Debugger.Utility.Control.ExecuteCommand(".printf /D \"<link cmd=\\\""
+ execTxt + "\\\">" + showTxt + "</link>\"", false);
logln("");
}获取寄存器
let Regs = host.currentThread.Registers.User;
let Args = [ Regs.rcx, Regs.rdx, Regs.r8 ];判断当前进程是32还是64
let ProcessIs64 = function() {
let Is64Bit = true;
try { host.createPointerObject(0, 'nt', '_KGDTENTRY64*'); } catch(e) { Is64Bit = false; }
return Is64Bit;
}