To find all the strings in a thread's stack, you need to know a few things before we jump into the commands. WinDbg has what it calls pseudo-registers, and they are very handy to use. One of them is $csp, the current call stack pointer; this is the register that is most representative of call stack depth. Another is $teb, which points to the thread environment block (TEB). The TEB begins with the NT_TIB structure, whose StackBase field sits at offset 4 in a 32-bit process, so poi(@$teb+4) always points to the stack base of the current thread (on a 64-bit target the fields are pointer-sized, so StackBase is at poi(@$teb+8)). You can confirm it with !teb.
Here is the output:
0:002> ?poi(@$teb+4)
Evaluate expression: 40566784 = 026b0000
0:002> !teb
TEB at 7ffda000
ExceptionList: 026affdc
StackBase: 026b0000
StackLimit: 026af000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffda000
EnvironmentPointer: 00000000
ClientId: 00000c70 . 00000c90
RpcHandle: 00000000
Tls Storage: 0023db88
PEB Address: 7ffd4000
LastErrorValue: 1008
LastStatusValue: c000007c
Count Owned Locks: 0
HardErrorMode: 0
Now, there are a few more things to know, which will be clearer after seeing the commands.
1) You can set the value of a pseudo-register with the "r <register> = <value>" notation (e.g. r @$t0 = 2 sets the user-defined pseudo-register $t0 to 2; $t0 through $t19 are free for your own use and keep their values between commands).
2) "s" is the memory search command; use -su or -sa to look for Unicode or ASCII strings respectively. @$t0 @$t1 tells the command to search the range starting at the value of @$t0 and ending at the value of @$t1.
Using the above concepts, you can easily construct the commands below:
r @$t0=@$csp; r @$t1=poi(@$teb+4); s -sa @$t0 @$t1
r @$t0=@$csp; r @$t1=poi(@$teb+4); s -su @$t0 @$t1
The range runs from the current stack pointer up to StackBase because the stack grows downward: everything between $csp and StackBase belongs to frames that are live right now, while the region between StackLimit and $csp holds stale data left behind by calls that have already returned. If you also want to pick up leftover strings from those stale frames (handy when hunting for data a function has already finished with), use the StackLimit value from !teb as the lower bound instead of @$csp.
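As an added example that is not part of the original post, here is the same search generalized to every thread in the process and to both 32-bit and 64-bit targets. It assumes a WinDbg session (live or dump) where the @$ptrsize pseudo-register reports the target's pointer size; the per-thread loop uses ~*e, the thread id comes from @$tid, and the -[l 6] prefix on the s command raises the minimum reported string length to 6 characters to cut noise. These are documented WinDbg constructs but none of them appear on the original page.

```windbg
$$ Added example: dump printable strings from the live stack of every thread.
$$ StackBase is the second pointer-sized field of NT_TIB at the start of the TEB,
$$ so it lives at TEB+4 on x86 and TEB+8 on x64; @$ptrsize selects the offset.
.if (@$ptrsize == 8) { r @$t2 = 8 } .else { r @$t2 = 4 }
$$ ~*e runs the command string once per thread; @$csp, @$teb and @$tid are
$$ re-evaluated for each one. The searched range is [current stack pointer,
$$ StackBase), i.e. the frames that are in use right now. Swap in StackLimit
$$ (from !teb) as the lower bound if you also want stale data from returned calls.
~*e .printf "---- thread %x (TEB %p)\n", @$tid, @$teb; r @$t0 = @$csp; r @$t1 = poi(@$teb + @$t2); .printf "live stack %p - %p\n", @$t0, @$t1; s -[l 6]sa @$t0 @$t1; s -[l 6]su @$t0 @$t1
```

Run it from the command window (or save it to a file and use $$>< path) and cross-check the printed range against StackBase and StackLimit from !teb for any thread that looks odd, for example a fiber or a thread that switched stacks, where $csp may fall outside the TEB-reported bounds and the search will return nothing.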
Bye, got to get back to my work ..