Home

Awesome

WinDbg_Scripts

Useful scripts for WinDbg using the debugger data model

Usage, examples, explanations and general rants (also available in PDF form here):

https://medium.com/@yardenshafir2/windbg-the-fun-way-part-1-2e4978791f9b </br> https://medium.com/@yardenshafir2/windbg-the-fun-way-part-2-7a904cba5435

Useful Commands and Syntax

dx @$curprocess.Io.Handles.Where(h => !__iserror(h.Type == "File") && h.Type == "File")
dx @$cursession.Processes.SelectMany(p => p.Threads.Select(t => t.KernelObject.ThreadName))
dx @$curthread.KernelObject.ActiveImpersonationInfo != 0 ? @$curthread.KernelObject.ClientSecurity.ImpersonationLevel : "Not Impersonating"
dx @$printSecurityDescriptor = (sd => Debugger.Utility.Control.ExecuteCommand("!sd " + ((__int64)sd).ToDisplayString("x") + " 1"))
dx @$curprocess.Threads.Select(t => (void(*)())t.KernelObject.StartAddress)

String Types and Conversions

WinDbg uses regular, null terminated strings. That can be challenging when trying to compare them with Windows strings, which can be counted strings (ANSI or UNICODE strings) or wide strings. To fix that, you can cast Windows strings into "regular" strings with .ToDisplayString:

To convert a counted string to a basic string, convert the Buffer field of the counted string using .ToDisplayString(). For example, to convert an ANSI_STRING to a string:

dx (@$CountedString->Buffer).ToDisplayString("sb")

As another example, you can create a helper function to compare a user-defined path to the ObjectName field of an OBJECT_ATTRIBUTES structure. ObjectName is a wide string so use .ToDisplayString("su"), and wrap the requested string in double quotes to match the output received from .ToDisplayString("su"). In this helper function, the two arguments are:

dx @$comparePathFromObjAttr = ((o, p) => (((nt!_OBJECT_ATTRIBUTES*)o)->ObjectName->Buffer).ToDisplayString("su") == "\"" + p + "\"")