windbg script to find whether a unique_ptr<object> exists, whether it is null, and whether its string matches
I'm stuck. I'm trying to find an object in memory that contains a specific string. ClassA->name should equal (18750736-6e77-48a7-9dca-8fdf041e05d2:132257155499245423), the ClassA->classC object should not be null for a valid ClassA object, and ClassA->name == ClassA->classC->name2.

Tags: windbg
#include <memory>
#include <string>

struct ClassC
{
    std::wstring name2; // name2 == name in a valid object.
};

struct ClassA
{
    // ... 0x30 bytes of other members ...
    std::wstring name;              // at offset 0x30; looking for ClassC objects which have name == (18750736-6e77-48a7-9dca-8fdf041e05d2:132257155499245423)
    // ...
    std::unique_ptr<ClassC> classC; // at offset 0xa8
};
I can't follow the logic in your script.
1) You search for a wide string and get its address.
Then you start manipulating that address directly.
I suppose you know that std::wstring is a structure.
I also suppose you know that the search result above is the address of std::wstring.c_str().
I also assume you understand the short string optimization in std::wstring:
a wstring will, and can, embed a short string inside itself,
or hold a pointer to the string.
So again I assume you understand that this address has nothing to do with class A.
The address you get by searching the address space will either lie inside the std::wstring
(which cannot be the case here, because your string is too long to trigger SSO)
or point to wherever std::wstring allocated it in its
constructor (probably somewhere on the heap).
Subtracting 0x30 from and adding 0xa8 etc. to this address will all produce garbage.
You appear to be casting this garbage address to a pointer to class C.
Please correct or edit your post to clarify your intent.
I made a quick hack to represent your class A and displayed it in windbg; take a look.
0:000> dx Debugger.Utility.Control.ExecuteCommand("s -[w]u 1f0000 l?(285000-1f0000) this").Take(2)
[0x0] : 002eb048 0074 0068 0069 0073 0020 0069 0073 0020 t.h.i.s. .i.s. .
0:000> ?? (foo._Mypair._Myval2->Aname._Mypair._Myval2._Bx._Ptr)
wchar_t * 0x002eb048
"this is Aname's name ANAME"
0:000> dx foo
foo : unique_ptr {...} [Type: std::unique_ptr<A,std::default_delete<A> >]
[<Raw View>] [Type: std::unique_ptr<A,std::default_delete<A> >]
[ptr] : 0x2eaf80 [Type: A *]
[deleter] : default_delete [Type: std::_Compressed_pair<std::default_delete<A>,A *,1>]
[+0x000] bf : "1337" [Type: char [48]]
[+0x030] Aname : "this is Aname's name ANAME" [Type: std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >]
[+0x048] cf : ".???" [Type: char [96]]
[+0x0a8] AnotherClass : empty [Type: std::unique_ptr<C,std::default_delete<C> >]
std::unique_ptr
0:000> !address 0x18f9d0
Usage: Stack
Base Address: 0018d000
End Address: 00190000
Region Size: 00003000 ( 12.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 00090000
Allocation Protect: 00000004 PAGE_READWRITE
More info: ~0k
0:000> ~0k
# ChildEBP RetAddr
00 0018f9e0 00216f4c smartptr!main+0x198 smartptr.cpp @ 26
01 (Inline) -------- smartptr!invoke_main+0x1c
02 0018fa28 762ced6c smartptr!__scrt_common_main_seh+0xfa
03 0018fa34 779b37eb kernel32!BaseThreadInitThunk+0xe
04 0018fa74 779b37be ntdll!__RtlUserThreadStart+0x70
05 0018fa8c 00000000 ntdll!_RtlUserThreadStart+0x1b
Thanks for pointing out these shortcomings.. My main question is about how to do conditional logic in a windbg script? Can you answer that? See this line in the script: // how to find whether t is empty or has a value?
0:000> dx &foo
&foo : 0x18f9d0 : unique_ptr {...} [Type: std::unique_ptr<A,std::default_delete<A> > *]
0:000> !address 0x002eb048
Usage: Heap
Base Address: 002e0000
End Address: 002f0000
Region Size: 00010000 ( 64.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 002e0000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x2e0000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x2eb048
0:000> !heap -x 0x002eb048
SEGMENT HEAP ERROR: failed to initialize the extention
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
002eb040 002eb048 002e0000 002e0000 58 c8 18 busy extra fill
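The following is an added example, not code from the question or the answer. It models the layout the question describes with hypothetical stand-ins for ClassA and ClassC (field names from the question; the padding members are constructed so that name and classC land at the quoted offsets 0x30 and 0xa8, and the code measures the real offsets at run time because they differ per compiler and bitness). It demonstrates the answer's two points, that a wide-string search hits the wstring's character buffer, which for a long string is a separate heap block and not the ClassA object, and that a short string is stored inline (SSO), and it implements the three validity conditions from the question as one predicate over a real ClassA pointer.

```cpp
// Added example (not the OP's or the answerer's code): why a raw string search
// finds a wstring's character buffer rather than the ClassA object, and how
// the question's three validity conditions look once a real ClassA* is in hand.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>

// Hypothetical stand-ins for the question's ClassA / ClassC. The pad fields are
// constructed so that name sits at 0x30 and classC at 0xa8, matching the offsets
// the question quotes; member_offset() below checks this at run time.
struct ClassC {
    std::wstring name2;
};

struct ClassA {
    char pad0[0x30];
    std::wstring name;
    char pad1[0xa8 - 0x30 - sizeof(std::wstring)];
    std::unique_ptr<ClassC> classC;
};

// True if the wstring's character buffer lives inside the string object itself
// (short string optimization), false if c_str() points to a separate heap block.
bool buffer_is_inline(const std::wstring& s) {
    auto obj = reinterpret_cast<std::uintptr_t>(&s);
    auto buf = reinterpret_cast<std::uintptr_t>(s.c_str());
    return buf >= obj && buf < obj + sizeof(std::wstring);
}

// Byte offset of a member from the start of its enclosing object.
std::size_t member_offset(const void* object, const void* member) {
    return static_cast<std::size_t>(reinterpret_cast<const char*>(member) -
                                    reinterpret_cast<const char*>(object));
}

// The three conditions the question wants to evaluate for a candidate ClassA:
// name matches, classC is not an empty unique_ptr, and name == classC->name2.
bool is_valid_class_a(const ClassA* a, const std::wstring& wanted) {
    if (a == nullptr) return false;
    if (a->name != wanted) return false;
    if (!a->classC) return false;
    return a->classC->name2 == a->name;
}

// Constructed sample value: the string from the question (57 wide chars, far
// past any SSO threshold, so its buffer is always heap-allocated).
const wchar_t* const kWanted =
    L"(18750736-6e77-48a7-9dca-8fdf041e05d2:132257155499245423)";

// Builds a sample ClassA; the flags produce the invalid variants too.
std::unique_ptr<ClassA> make_sample(bool with_c, bool matching_name2) {
    auto a = std::make_unique<ClassA>();
    a->name = kWanted;
    if (with_c) {
        a->classC = std::make_unique<ClassC>();
        a->classC->name2 = matching_name2 ? std::wstring(kWanted) : std::wstring(L"other");
    }
    return a;
}

int main() {
    auto a = make_sample(true, true);
    // The object and the bytes a memory search would hit are in different places.
    std::printf("ClassA at %p, name.c_str() at %p, inline=%d\n",
                static_cast<void*>(a.get()),
                static_cast<const void*>(a->name.c_str()),
                static_cast<int>(buffer_is_inline(a->name)));
    std::wstring shortName = L"abc";
    std::printf("short string inline=%d\n", static_cast<int>(buffer_is_inline(shortName)));
    std::printf("offset(name)=0x%zx offset(classC)=0x%zx\n",
                member_offset(a.get(), &a->name), member_offset(a.get(), &a->classC));
    std::printf("valid=%d\n", static_cast<int>(is_valid_class_a(a.get(), kWanted)));
    return 0;
}
```

Run stand-alone it prints two distinct addresses for the object and its buffer, reports the short string as inline, and confirms the 0x30/0xa8 offsets. The predicate is the logic the follow-up comment asks about: it is evaluated on a typed ClassA pointer, which is what the `dx foo` display in the answer provides, never on the address returned by the string search.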