Comparing function arguments with a pattern not working in Windbg

  • Question

  • The command below displays the arguments and their values for that function:

    0: kd> dv

          ImageName = 0x89263100 "\Windows\System32\regapi.dll"

          ProcessId = 0x00000bd8

          ImageInfo = 0x8295e840

          StringEnd = 0x5780 ''

          ImageLoadInfo = struct _WMI_IMAGELOAD_INFORMATION

          EventData = struct _EVENT_DATA_DESCRIPTOR [3]

    Now I am trying to parse all the arguments to check whether regapi.dll is present in the argument values, but in the output I get a syntax error. How do I fix this, when the returned string already contains quotes?

    0: kd> r $t0 = 0;.foreach (v { dv }) { .if ($spat("v", "*regapi*")) { r $t0 = 1;.echo found } }; .if($t0 = 0) { .echo Not Found }}

    found

    Syntax error at '(""\Windows\System32\regapi.dll"", "*regapi*")) { r $t0 = 1;.echo found } '

    -rahul


    Tuesday, April 16, 2013 12:25 PM

Answers

  • Not sure how to fix your method, but it's possible in a slightly different way. Here are my locals:

    kd> dv
             status = 0
            process = 0x995616c0
      FullImageName = 0xa0e49098 "\Device\HarddiskVolume2\Windows\System32\ThumbnailExtractionHost.exe"
          ProcessId = 0x0000080c
          ImageInfo = 0x9e521bfc

    So in my case I'm working with FullImageName (instead of ImageName). The way I did it was to alias the UNICODE_STRING image name and then provide that to $spat. The use of an alias also requires an arbitrary .block{} (see http://analyze-v.com/?p=765):

    kd> as /msu ${/v:imagePath} @@c++(FullImageName); .block{ .if ($spat("${imagePath}", "*Extract*")) {.echo yes} .else {.echo no}}
    yes
    kd> as /msu ${/v:imagePath} @@c++(FullImageName); .block{ .if ($spat("${imagePath}", "*junk*")) {.echo yes} .else {.echo no}}
    no

    -scott

    OSR Online

    • Marked as answer by rahul sundar Tuesday, May 7, 2013 7:24 AM
    Tuesday, April 23, 2013 7:02 PM
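The reason the original .foreach approach fails is visible in the error text: .foreach tokenizes the dv output on whitespace and substitutes each token textually, so the token "\Windows\System32\regapi.dll" (quotes included) lands inside the already-quoted $spat argument and produces the doubled quotes. The as /msu alias in the accepted answer sidesteps that by reading the UNICODE_STRING from memory rather than re-parsing debugger output. The script below is an added example, not code from the thread or from OSR; it turns that technique into a conditional breakpoint on an image-load notify callback. The routine name MyDriver!ImageLoadNotify is an assumption, as is that it has the PLOAD_IMAGE_NOTIFY_ROUTINE signature (FullImageName as a PUNICODE_STRING first parameter, matching the locals in the answer) and that private symbols for it are loaded.

```windbg
$$ Added example (not from the original thread). Save as imgbp.wds and run
$$ with: $$>a< C:\scripts\imgbp.wds   (path is an assumption)
$$
$$ Break in MyDriver!ImageLoadNotify (assumed name) only when the image path
$$ matches *regapi*. Nested quotes inside the bp command string are escaped
$$ with \", and the .if lives inside .block{} because alias text is
$$ substituted only when the enclosing block is parsed (see the accepted answer).
$$ The alias is deleted with ad on both paths so it does not leak into later
$$ commands; gc resumes execution for non-matching loads.
bp MyDriver!ImageLoadNotify "as /msu ${/v:imagePath} @@c++(FullImageName); .block { .if ($spat(\"${imagePath}\", \"*regapi*\")) { .echo matched image:; .echo ${imagePath}; ad ${/v:imagePath} } .else { ad ${/v:imagePath}; gc } }"

$$ Same check run once at a breakpoint you are already stopped at, for
$$ comparison against the accepted answer (dv must resolve FullImageName here):
as /msu ${/v:imagePath} @@c++(FullImageName); .block { .if ($spat("${imagePath}", "*regapi*")) { .echo yes } .else { .echo no } }; ad ${/v:imagePath}
```

Two practical notes: aliases set with as are global debugger state, so always delete them (ad, or ad * to clear all) or a stale ${imagePath} from a previous hit will be substituted into the next evaluation; and because $spat uses the debugger's wildcard syntax, *regapi* also matches paths such as regapi.dll.mui, so tighten the pattern if only the DLL itself is of interest.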