Windbg script的notepad++语法高亮配置文件

经常写复杂的windbg脚本的程序员肯定知道,windbg脚本的宏替换的执行方式,让人非常的不舒服。另外windbg的脚本也没有一个好用的语法高亮编辑器,所以让脚本写起来更加痛苦。前者看来是已成定局,很难解决了。不过后者还是有机会改善的,闲暇之余,写了一个notepad++上的windbg脚本的语法高亮配置文件。以上一篇文章中的windbg脚本为例,高亮效果如下图:

20131015164715

导入方式也非常简单,点击[语言]菜单下的define your language,在弹出的对话框中点击导入按钮,导入配置文件即可。

20131015164704

下载脚本wds


Windbg内核调试查看窗口句柄信息的脚本

十一长假瞬间就结束了,整一周都在玩,也没有研究什么好玩的东西,这里就分享一个以前写的windbg脚本吧。用途是在内核调试时查看窗口句柄信息。用法很简单,例如 $$>a<hwnd.wds 000207B8。运行结果如下图:

20131007195716

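$$ Convert HWND to tagWnd
$$ Author: nighxie
$$ Blog: 0cch.net
$$
$$ Usage: $$>a<hwnd.wds HWND(HEX) [1]
$$   $arg1 - the window handle to resolve.
$$   $arg2 - optional; when it is 1 the script first switches the debugger's
$$           process context to explorer.exe (the .for loop below) and only
$$           then walks win32k!gSharedInfo.
$$ Everything is reported with .printf; the "/D" lines carry DML <link> markup
$$ so the addresses are clickable in the command window.
$$
$$ NOTE(review): the two <link cmd=...> strings below (tagCLS and pfnWndProc)
$$ were reconstructed from an HTML-mangled copy of this script in which the
$$ markup had been stripped down to "pcls) win32k!tagCLS\">%p" and
$$ "head.pti->pEThread)->Tcb.Process);u ...". The dt link follows directly
$$ from that residue; the ".process /p /r" prefix of the pfnWndProc link is
$$ the most plausible reading (it mirrors the .process call used above) --
$$ confirm against the original .wds before relying on that link.
.if (${/d:$arg1}) {
    .if (${/d:$arg2}) {
        .if (${$arg2} == 1) {
            $$ Walk the nt!PsActiveProcessHead list until the EPROCESS whose
            $$ ImageFileName is "explorer.exe" is found, then make it current.
            r $t0 = nt!PsActiveProcessHead
            .for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1)) {
                r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
                as /x ${/v:$ProcAddr} @$t2;
                as /ma ${/v:$ImageName} @@c++(&@$t2->ImageFileName[0]);
                $$ Aliases are only expanded when a new block is entered, hence
                $$ the .block wrapper around every use of $ImageName/$ProcAddr.
                .block {
                    $$ .echo ${$ImageName}
                    .if ($sicmp("${$ImageName}", "explorer.exe") == 0) {
                        .echo Found the process at ${$ProcAddr};
                        .process /p /r ${$ProcAddr};
                        ad ${/v:$ImageName};
                        ad ${/v:$ProcAddr};
                        .break;
                    }
                }
                ad ${/v:$ImageName};
                ad ${/v:$ProcAddr};
            }
        }
    }
    r @$t1 = ${$arg1};
    r @$t0 = win32k!gSharedInfo;
    $$ The low 16 bits of the HWND index the shared handle table (aheList);
    $$ the index is checked against cHandleEntries before the table is read so
    $$ a bogus handle cannot walk past the end of the table.
    .if ((@$t1&0xffff) < @@C++(((win32k!tagSHAREDINFO *)@$t0)->psi->cHandleEntries)) {
        r @$t0 = @@C++(((win32k!tagSHAREDINFO *)@$t0)->aheList);
        r @$t0 = @@C++(@$t0+(@$t1&0xffff)*sizeof(win32k!_HANDLEENTRY));
        $$ First member of the entry is the object pointer -> tagWnd *.
        r @$t0 = poi(@$t0);
        .printf "HWND: %p\n", @@C++(((win32k!tagWnd *)@$t0)->head.h);
        .printf /D "tagWnd * @ %p\n", @$t0;
        .if (@@C++(((win32k!tagWnd *)@$t0)->strName.Buffer) != 0) {
            .printf "Window Name: %mu\n", @@C++(((win32k!tagWnd *)@$t0)->strName.Buffer);
        }
        $$ Reconstructed DML link: click to dump the window class.
        .printf /D "tagCLS * @ <link cmd=\"dt @@C++(((win32k!tagWnd *)@$t0)->pcls) win32k!tagCLS\">%p</link>\n", @@C++(((win32k!tagWnd *)@$t0)->pcls);
        .if (@@C++(((win32k!tagWnd *)@$t0)->pcls->lpszAnsiClassName) != 0) {
            .printf "Window Class Name: %ma\n", @@C++(((win32k!tagWnd *)@$t0)->pcls->lpszAnsiClassName);
        }
        .if (@@C++(((win32k!tagWnd *)@$t0)->spwndNext) != 0) {
            .printf "Next Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndNext->head.h);
        }
        .if (@@C++(((win32k!tagWnd *)@$t0)->spwndPrev) != 0) {
            .printf "Previous Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndPrev->head.h);
        }
        .if (@@C++(((win32k!tagWnd *)@$t0)->spwndParent) != 0) {
            .printf "Parent Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndParent->head.h);
        }
        .if (@@C++(((win32k!tagWnd *)@$t0)->spwndChild) != 0) {
            .printf "Child Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndChild->head.h);
        }
        .if (@@C++(((win32k!tagWnd *)@$t0)->spwndOwner) != 0) {
            .printf "Own Wnd: %p\n", @@C++(((win32k!tagWnd *)@$t0)->spwndOwner->head.h);
        }
        .if (@@C++(((win32k!tagWnd *)@$t0)->lpfnWndProc) != 0) {
            $$ Reconstructed DML link: switch to the owning thread's process
            $$ (the wndproc is a user-mode address) and unassemble it.
            .printf /D "pfnWndProc: <link cmd=\".process /p /r @@C++((((win32k!tagWnd *)@$t0)->head.pti->pEThread)->Tcb.Process);u @@C++(((win32k!tagWnd *)@$t0)->lpfnWndProc)\">%p</link>\n", @@C++(((win32k!tagWnd *)@$t0)->lpfnWndProc);
        }
        $$ Style bits: 1<<28 WS_VISIBLE, 1<<30 WS_CHILD, 1<<29 WS_MINIMIZE,
        $$ 1<<27 WS_DISABLED.
        .printf "Visiable: %d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<28)) != 0);
        .printf "Child: %d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<30)) != 0);
        .printf "Minimized:%d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<29)) != 0);
        .printf "Disabled: %d\n", @@C++((((win32k!tagWnd *)@$t0)->style & (1<<27)) != 0);
        .printf "Window Rect { %d, %d, %d, %d}\n", @@C++(((win32k!tagWnd *)@$t0)->rcWindow.left), @@C++(((win32k!tagWnd *)@$t0)->rcWindow.top), @@C++(((win32k!tagWnd *)@$t0)->rcWindow.right), @@C++(((win32k!tagWnd *)@$t0)->rcWindow.bottom);
        .printf "Clent Rect { %d, %d, %d, %d}\n", @@C++(((win32k!tagWnd *)@$t0)->rcClient.left), @@C++(((win32k!tagWnd *)@$t0)->rcClient.top), @@C++(((win32k!tagWnd *)@$t0)->rcClient.right), @@C++(((win32k!tagWnd *)@$t0)->rcClient.bottom);
    }
    .else {
        .printf "HWND is out of range.\n";
    }
}
.else {
    .echo "Usage $$>a<${$arg0} HWND(HEX)"
    .echo "e.g. $$>a<${$arg0} 0x60962"
}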
