To find all the strings in a thread's stack, you need to know a few things before we jump into the code. WinDbg has what it calls pseudo-registers, and they are very handy. One of them is $csp, the current call stack pointer; this is the register most representative of call stack depth (on x86 it is simply esp). Another is $teb, which points to the thread environment block. In a 32-bit process, poi(@$teb+4) always yields the stack base, because StackBase is the second pointer-sized field of the TIB at the start of the TEB (on x64 the same field sits at offset 8). You can confirm the value with !teb.
Here is the output:
0:002> ?poi(@$teb+4)
Evaluate expression: 40566784 = 026b0000

0:002> !teb
TEB at 7ffda000
    ExceptionList:        026affdc
    StackBase:            026b0000
    StackLimit:           026af000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffda000
    EnvironmentPointer:   00000000
    ClientId:             00000c70 . 00000c90
    RpcHandle:            00000000
    Tls Storage:          0023db88
    PEB Address:          7ffd4000
    LastErrorValue:       1008
    LastStatusValue:      c000007c
    Count Owned Locks:    0
    HardErrorMode:        0
Now, there are a few more things to know, which will become clearer after seeing the commands.

1) You can set a user pseudo-register with the "r <name> = <value>" notation (e.g. r @$t0 = 2 sets the built-in pseudo-register $t0 to 2; $t0 through $t19 are available for this).

2) "s" is the memory search command; use -su to look for Unicode strings or -sa to look for ASCII strings. The two addresses that follow, @$t0 and @$t1, tell the command to search the range starting at the value of @$t0 and ending at the value of @$t1.
Using the above concepts, you can easily construct the two commands below. The first searches the live part of the stack (from $csp up to StackBase) for ASCII strings, the second repeats the search for Unicode strings:

r @$t0=@$csp; r @$t1=poi(@$teb+4); s -sa @$t0 @$t1
r @$t0=@$csp; r @$t1=poi(@$teb+4); s -su @$t0 @$t1
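The following added example (not from the original post, and not WinDbg code) models what the two commands above do over a constructed 32-bit stack image: it searches only the live range [$csp, StackBase) for printable ASCII and UTF-16 runs, the way s -sa and s -su do, and shows that a stale string sitting below $csp in the same allocation is not reported. STACK_BASE is taken from the !teb output; every other address and byte value is constructed.

```python
import re
import struct

STACK_BASE = 0x026B0000  # StackBase from the 32-bit TEB above: poi(@$teb+4)


def build_stack_image():
    """Construct a small stack image ending at STACK_BASE (sample bytes, not real memory).
    Bytes below $csp belong to frames that already returned, so they are stale."""
    stale = b"oldtoken\x00" + b"\x00" * 7               # popped frame: below $csp
    live = struct.pack("<I", 0x00401000)                 # saved return address (constructed)
    live += b"C:\\temp\\x.txt\x00\x00\x00"               # ASCII argument, what 's -sa' finds
    live += "secret".encode("utf-16-le") + b"\x00\x00"   # UTF-16 argument, what 's -su' finds
    live += struct.pack("<I", 0x0012FF88)                # a saved frame pointer (constructed)
    image = stale + live
    csp = STACK_BASE - len(live)                         # $csp: lowest address still in use
    return image, csp


def search_strings(image, image_end, start, end, unicode=False, min_len=4):
    """Emulate 's -sa' (unicode=False) or 's -su' (unicode=True) over [start, end).
    The image occupies [image_end - len(image), image_end); returns (address, text) pairs."""
    image_start = image_end - len(image)
    lo, hi = max(start, image_start), min(end, image_end)
    if lo >= hi:
        return []
    window = image[lo - image_start:hi - image_start]
    if unicode:
        pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # printable UTF-16LE run
        encoding = "utf-16-le"
    else:
        pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)          # printable ASCII run
        encoding = "ascii"
    return [(lo + m.start(), m.group().decode(encoding)) for m in pattern.finditer(window)]


def live_stack_strings():
    """The post's two commands: search [$csp, StackBase) for ASCII, then for Unicode."""
    image, csp = build_stack_image()
    ascii_hits = search_strings(image, STACK_BASE, csp, STACK_BASE, unicode=False)
    unicode_hits = search_strings(image, STACK_BASE, csp, STACK_BASE, unicode=True)
    return ascii_hits, unicode_hits


if __name__ == "__main__":
    ascii_hits, unicode_hits = live_stack_strings()
    for addr, text in ascii_hits + unicode_hits:
        print(f"{addr:08x}  {text!r}")
```

Widening the start address to the bottom of the image (StackLimit in a real dump) also surfaces the stale "oldtoken" string, which is why the choice of $csp versus StackLimit as the lower bound matters when triaging what a thread is actually holding.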
Bye, got to get back to my work ..