I really like using C/C++ expressions from WinDbg. It’s a natural way to extract information from C and C++ applications if you know these programming languages; therefore, I think it’s useful to share how to do this.

First, let’s talk about poi().

poi() returns the pointer-sized data stored at an address. Think of it as the * (dereference) operator in C and C++.

For example:

Therefore, poi is the best operator to use if you want pointer-sized data.

The double question mark (??) command evaluates and displays the value of an expression according to the C++ expression rules.

Now, let me show you how to get a pointer value using poi() and ??.

The single question mark (?) is used to evaluate expressions.

Tip: By using ?, you can easily convert a number from hexadecimal to decimal or vice versa. Remember to use the prefix 0x for hexadecimal and 0n for decimal.

Examples:

Finally, we have the C++ expression parser - @@c++() - that supports all forms of C++ expression syntax, such as:

- Numbers in C++ expressions
- Characters and strings in C++ expressions
- Symbols in C++ expressions (see the WinDbg documentation for details)
- Operators in C++ expressions
- Registers and pseudo-registers in C++ expressions
- Macros in C++ expressions

Examples:
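
The session below is an added example, not taken from the original post: it exercises poi(), ?, ?? and @@c++() side by side so the difference between the MASM and C++ evaluators is visible. It assumes a 64-bit user-mode target with ntdll symbols loaded; dwo(), qwo(), ln, @@masm() and the @rsp, @$teb and @$peb operands are choices made for this example and do not appear in the original text.

```windbg
$$ Assumption: 64-bit user-mode target, ntdll symbols loaded, default radix (16).

$$ ? uses the MASM evaluator: unprefixed numbers are hex, 0n forces decimal.
? 0n255
? 0xff
? 0n10 + 0x10

$$ poi() reads a pointer-sized value (8 bytes on this target) from an address.
$$ dwo() and qwo() always read 4 and 8 bytes, so poi() is the one that
$$ follows the pointer size of the target.
? poi(@rsp)
? qwo(@rsp)
? dwo(@rsp)

$$ The same dereference used as an argument to another command:
$$ map the value at the top of the stack to the nearest symbol.
ln poi(@rsp)

$$ ?? uses the C++ evaluator: results are typed and unprefixed numbers are decimal.
?? sizeof(void *)
?? 10 + 0x10

$$ poi() is a MASM operator, so wrap it in @@masm() inside a C++ expression.
?? @@masm(poi(@rsp))

$$ The C++ way to do what poi() does: cast the register, then dereference.
?? *(void **)@rsp

$$ In C++ expressions @$teb and @$peb are typed pointers, so -> works on them.
?? @$teb->ClientId.UniqueProcess
?? @$peb->BeingDebugged

$$ @@c++() embeds a C++ expression where a MASM expression is expected.
? @@c++(sizeof(void *))
? @@c++(@$teb->ClientId.UniqueThread)
```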

For more information, you may want to read the Magic Pointers article.

Here you can see scripts that use the ??, @@c++() or poi() commands.