How to use a pseudo-register (e.g. $ t1) as part of the file name for the .writemem windbg command

Question

How to use a pseudo-register (e.g. $ t1) as part of the file name for the .writemem windbg command

In short, I want to create a breakpoint that will save some of the memory in the file and continue, something like this:

bp mymodule!MyReader::issueRead+0x2e ".writemem C:\writemem\write_$t1 rdx L r8; g"

$ t1 is the counter incremented at another breakpoint. The problem is that $ t1 (or $ {$ t1} is not allowed in the file name, and I end up with a file named "write_ $ t1"

+4

windows windbg

Beetle Feb 22 '17 at 8:39

source share

1 answer

Thomas Weller · Accepted Answer · 2017-02-22T11:54:36+0000

WinDbg scripts are always a bit hacked. The following seems to work, although I haven't applied it to a breakpoint yet:

aS /c filename .printf "c:\\writemem\\write_%i", $t1; .block {.writemem ${filename} 00ba0000 L1}; ad filename

When you apply it to a breakpoint, you will probably have to avoid quotes again.

aS , /c . .printf. filename.

WinDbg , .. , filename . .block .

, ad .

How to use a pseudo-register (e.g. $ t1) as part of the file name for the .writemem windbg command

More articles: