I really like using C/C++ expressions from WinDbg. It’s a natural way to extract information from C and C++ applications if you know these programming languages; therefore, I think it’s useful to share how to do this.
First, let’s talk about poi().
poi() is used to get pointer-sized data. Think about the * operator for C and C++.
Therefore, poi is the best operator to use if you want pointer-sized data.
The double question mark (??) command evaluates and displays the value of an expression according to the C++ expression rules.
Now, let me show you how to get a pointer value using poi() and ??.
The single question mark (?) is used to evaluate expressions.
Tip: By using ?, you can easily convert a number from hexadecimal to decimal or vice versa. Remember to use the prefix 0x for hexadecimal and 0n for decimal.
Finally, we have the C++ expression parser - @@c++() - that supports all forms of C++ expression syntax, such as:
- Numbers in C++ expressions
- Characters and strings in C++ expressions
- Symbols in C++ expressions. (see WinDbg documentation for details)
- Operators in C++ expressions
- Registers and pseudo-registers in C++ expressions
- Macros in C++ expressions
For more information, you may want to read the Magic Pointers article.
Here you can see scripts that use the ??, @@c++() or poi() commands.