| Find out which modules, in a user or kernel memory dump, have been patched |
$$ Runs !chkimg -d on every loaded module and reports bytes that differ between the in-memory image and the on-disk copy
$$ The original image files must be reachable on the executable image / symbol path, otherwise !chkimg cannot compare
!for_each_module "!chkimg -d @#ModuleName"
|
| Display all the files an application is attempting to write to |
$$ x86 only: arguments are read from the stack at the breakpoint (@esp+4 = lpFileName, @esp+8 = dwDesiredAccess) - on x64 they are passed in rcx/rdx
$$ Only GENERIC_WRITE (0x40000000) is tested in dwDesiredAccess, so opens that request GENERIC_ALL or specific rights such as FILE_WRITE_DATA are not displayed
$$ Only calls that reach kernel32!CreateFileW are seen - callers using CreateFileA or calling NtCreateFile directly may bypass this breakpoint
$$ Matching calls print the file name (du) and resume, every other call simply resumes
bp kernel32!CreateFileW ".if ( ( poi(@esp+8) & 0x40000000 ) != 0x0) {du /c 100 poi(@esp+4);g;} .else {g;}"
|
| Display information about the virtual addresses that contain the value 0x12345678 |
$$ s -d searches DWORD-sized values starting at address 0 for the given length (L? permits a range larger than the default limit)
$$ The [1] flag makes s print only the hit addresses, which is what lets .foreach iterate over them
$$ For each hit the address is echoed and !address describes the memory region that contains it
.foreach ( MyHits { s -[1]d 0x0 L?0x20000000 0x12345678 } ) {.echo MyHits ; !address MyHits }
|
| Load symbols for all user and kernel modules in a complete memory dump |
$$ Switches the debugger context to each process in turn and force-reloads its user-mode symbols
$$ Intended for a complete memory dump (one that includes user-mode pages) - expect this to be slow and to need symbol server access
!for_each_process ".process @#Process; .reload -f -user"
|
| Find the pool tag "Abcd" within all loaded kernel mode drivers on a system |
$$ ASCII search (s-a) of every loaded module's address range for the literal bytes "Abcd"
$$ Hits show which driver images contain the tag bytes, which is how the driver using a pool tag is usually located
!for_each_module s-a @#Base @#End "Abcd"
|
| Use an external command to process the output of the debugger |
$$ -ci runs the quoted debugger command and feeds its output to the shell command's stdin, -i - gives the shell no other stdin
$$ findstr treats space-separated words as alternatives, so this keeps lines containing THREAD or Ticks (use /C:"..." for a literal phrase)
$$ The shell command runs on the debugger host machine, not on the target
.shell -i - -ci "!process 0 6" findstr "THREAD Ticks"
|
The command above displays, for each waiting thread in the system, how long it has been in the wait state (the Ticks line that follows each THREAD line).
|
| Display the number of threads in every process in the system |
|
$$ For every process, dumps only the UniqueProcessId and ActiveThreads fields of its nt!_EPROCESS
$$ -c prints the fields compactly on one line and -o omits the field offsets
!for_each_process "dt @#Process nt!_EPROCESS -c -o UniqueProcessId ActiveThreads"
|
| Script to display a list of critical sections in a process (similar to !locks and !cs) |
$$ Walks ntdll!RtlCriticalSectionList, a LIST_ENTRY head linking the _RTL_CRITICAL_SECTION_DEBUG records of the current process
$$ $t0 = address of the list head, $t1 = current Flink, loop stops on a null link or when the walk returns to the head
r $t0 = ntdll!RtlCriticalSectionList ;
$$ The comparisons evaluate to 0 or 1, so & works as a logical AND here
.for( r $t1 = poi(@$t0) ; (@$t1 != 0) & (@$t1 != @$t0) ; r $t1 = poi(@$t1) )
{
$$ $t1 points at the ProcessLocksList field, CONTAINING_RECORD recovers the enclosing debug record
r? $t2 = #CONTAINING_RECORD(@$t1, ntdll!_RTL_CRITICAL_SECTION_DEBUG, ProcessLocksList);
$$ $t3 = the critical section this debug record describes
r? $t3 = (ntdll!_RTL_CRITICAL_SECTION *) @@c++(@$t2->CriticalSection);
$$ NOTE(review): LockCount is printed raw - on Vista and later it is bit-encoded rather than a plain count, so interpret it via !cs (confirm for the target OS)
.printf "CS=%p Owner=%p LockCount=%N\n", @$t3 , @@c++(@$t3->OwningThread), @@c++(@$t3->LockCount);
}
|