WinDbg: how to detect that a break occurred in WinDbg?

How can I automate the debugging process?

I have a WinDbg script with some basic commands that I want to run whenever there is a break in the process/application I attached WinDbg to. How do I detect that a break has occurred in WinDbg, and how do I run the script automatically?

+4
3 answers

You can use the command-string parameter when setting a breakpoint to run any WinDbg command. Tell it to run this script.

Something like:

bp <address to set break> "$$><c:\\temp\\dbgscript.txt;g" 

I believe you can do the same with the sx command if by "when a break occurred in the process" you mean "when an exception is thrown."

+2

Python example:

    from pykd import *

    def bpCallback():
        # NtCreateFile's third parameter is POBJECT_ATTRIBUTES: passed in r8 on x64,
        # in the third stack slot (esp+0xC, just past the return address) on x86.
        if is64bitSystem():
            objAttr = typedVar("ntdll", "_OBJECT_ATTRIBUTES", reg("r8"))
        else:
            objAttr = typedVar("ntdll", "_OBJECT_ATTRIBUTES", ptrPtr(reg("esp") + 0xC))
        name = loadUnicodeString(objAttr.ObjectName)
        dprintln("NtCreateFile: " + name)
        return DEBUG_STATUS_GO_HANDLED      # resume the target after printing

    if not isWindbgExt():
        # running as a standalone pykd script rather than from inside WinDbg
        startProcess("notepad.exe")

    if not isDumpAnalyzing() and not isKernelDebugging():
        nt = loadModule("ntdll")
        b1 = bp(nt.NtCreateFile, bpCallback)
        # wait for user break, exceptions or process exit
        go()
        dprintln("stopped")
    else:
        dprintln("The debugger must be connected to a live usermode process")

The Python extension for WinDbg is available here: pykd.codeplex.com

+2

Are you running the application under WinDbg, or are you using JIT (postmortem) debugging? If the latter (i.e. you rely on the setting in HKLM\Software\Microsoft\Windows NT\AEDebug\Debugger), simply change the value of the Debugger key to use the -c option so that a command runs after the debugger attaches.

Assuming the former, you can try starting a debug server over a named pipe or TCP (using the .server command). You can then write a console application that starts a cdb instance as a client, connects it to the aforementioned WinDbg server, and parses cdb's stdout until it sees the debugger prompt. From that point you can effectively automate your debugging session. It boils down to a parsing exercise, possibly wrapped in an FSM, depending on how complex you want to get.

+1
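The approach from the last answer (drive cdb as a child process and parse its stdout until the prompt appears) combined with the breakpoint and sx commands from the first answer, as an added Python example that is not part of the thread or of any of the answers. It assumes cdb.exe is on PATH, and the break symbol kernel32!CreateFileW and the script path c:\temp\dbgscript.txt are placeholders chosen for the example. The PromptParser is the "FSM" the answer alludes to: it treats every cdb prompt ("0:000> ", "0:000:x86> ", "kd> ", "1: kd> ") as the delimiter that ends one command's output, and keeps partial output or a half-received prompt buffered until the next read. One caveat if you go the JIT route instead: the registry value lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger, and the same -c "initial command" string can be appended to the debugger command line stored there.

```python
"""Drive a cdb session from Python and react to breaks automatically.

Added example for this thread (not the page's own code): it implements the
"parse stdout until you see the debugger prompt" loop and uses it to send the
bp/sx automation commands. cdb.exe on PATH is assumed; the symbol and script
path below are placeholders.
"""
import os
import re
import subprocess

# Prompts cdb prints when it is ready for a command: "0:000> " for a user-mode
# target (process:thread, ":x86" suffix under WOW64), "kd> ", "lkd> " or
# "1: kd> " for kernel targets. Always at the start of a line.
PROMPT_RE = re.compile(r"^(?:\d+:\d{3}(?::x86)?|(?:\d+: )?l?kd)> ", re.MULTILINE)

# Assumed placeholders: the script to run on a break and the symbol to break on.
ON_BREAK_SCRIPT = r"c:\temp\dbgscript.txt"
AUTOMATION = [
    # run the script when the breakpoint hits, then resume ($$>< runs a script file)
    r'bp kernel32!CreateFileW "$$><%s;g"' % ON_BREAK_SCRIPT,
    # run the same script on a first-chance access violation (sx with -c)
    r'sxe -c "$$><%s" av' % ON_BREAK_SCRIPT,
    "g",  # let the target run; cdb prompts again only on a break, exception or exit
]


class PromptParser:
    """State machine over cdb's stdout: buffer text and emit one string per
    completed command, delimited by the prompt that follows its output."""

    def __init__(self):
        self._buf = ""

    def feed(self, chunk):
        """Append raw output; return the list of outputs completed by this chunk."""
        self._buf += chunk
        done, start = [], 0
        for m in PROMPT_RE.finditer(self._buf):
            done.append(self._buf[start:m.start()].strip("\r\n"))
            start = m.end()
        self._buf = self._buf[start:]  # unfinished output or a partial prompt
        return done

    def pending(self):
        """Text received since the last prompt (not yet terminated by one)."""
        return self._buf


class CdbSession:
    """Thin wrapper around a live cdb.exe child process (Windows only)."""

    def __init__(self, target_cmdline):
        self.proc = subprocess.Popen(
            ["cdb"] + list(target_cmdline),
            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, bufsize=0)
        self.parser = PromptParser()
        self.banner = self._wait_prompt()  # banner plus the initial breakpoint

    def _wait_prompt(self):
        """Read until at least one prompt has been seen; return the output before it."""
        outputs = []
        while not outputs:
            chunk = os.read(self.proc.stdout.fileno(), 4096)
            if not chunk:
                raise EOFError("cdb exited: " + self.parser.pending())
            outputs.extend(self.parser.feed(chunk.decode("utf-8", "replace")))
        return "\n".join(outputs)

    def run(self, command):
        """Send one command and block until cdb prompts again."""
        self.proc.stdin.write((command + "\n").encode())
        self.proc.stdin.flush()
        return self._wait_prompt()

    def close(self):
        try:
            self.proc.stdin.write(b"q\n")
            self.proc.stdin.flush()
        except OSError:
            pass
        self.proc.wait()


if __name__ == "__main__":
    session = CdbSession(["notepad.exe"])
    print(session.banner)
    for cmd in AUTOMATION:
        print("%s\n%s" % (cmd, session.run(cmd)))
    session.close()
```

Because the breakpoint's command string ends with g, the target resumes on its own after dbgscript.txt runs, so session.run("g") returns only when something the script did not handle stops the target (an unhandled exception, a user break, or process exit); that is the point at which the driving program gets control back and can run further commands.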

Source: https://habr.com/ru/post/1308128/
