Special Command: Using ??, @@c++() and poi() with C/C++ Expressions

MSDN Blog Postings » Special Commands: Using ??, @@c++() and poi() with C/C++ Expressions

Tue, 04 Mar 2008 13:41:38 GMT

PingBack from http://msdnrss.thecoderblogs.com/2008/03/04/special-commands-using-c-and-poi-with-cc-expressions/

Special Commands: Using ??, @@c++() and poi() with C/C++ Expressions | Secure Software Engineering Blog

Tue, 04 Mar 2008 14:34:11 GMT

PingBack from http://www.secure-software-engineering.com/2008/03/04/special-commands-using-c-and-poi-with-cc-expressions/

Interesting Finds: March 4, 2008

Jason Haley — Tue, 04 Mar 2008 14:35:25 GMT

re: Special Command: Using ??, @@c++() and poi() with C/C++ Expressions

rembo — Fri, 19 Sep 2008 21:23:53 GMT

Hi, I'm trying to learn how to use C/C++ expressions in WinDbg. Thanks for your article! I am having trouble with the following:

0:000> ?? * (long*) ((@esp)+12) == -13

bool true

0:000> .if (-13 == -13) {.echo do whatever}

do whatever

so far, so good.

But how do I use this in a conditional? ---

0:000> .if (?? * (long*) ((@esp)+12) == -13) {.echo do whatever}

Syntax error at '?? * (long*) ((@esp)+12) == -13) {.echo do whatever}'

0:000> .if (? * (long*) ((@esp)+12) == -13) {.echo do whatever}

Syntax error at '? * (long*) ((@esp)+12) == -13) {.echo do whatever}

re: Special Command: Using ??, @@c++() and poi() with C/C++ Expressions

Roberto Farah — Sun, 21 Sep 2008 02:49:17 GMT

I'm not sure if I understand your question, but I'll try to answer it anyway :)

If you are comparing registers you don't need to use a cast, for example:

0:000> r @ecx

ecx=00000030 <-- By default this is hexadecimal.

0:000> .if(@ecx == 0x30){.echo True}

True

0:000> .formats @ecx

Evaluate expression:

Hex: 00000030

Decimal: 48 <-- 0x30 == 0n48

Octal: 00000000060

Binary: 00000000 00000000 00000000 00110000

Chars: ...0 <-- 0x30 = ASCII char 0

Time: Wed Dec 31 16:00:48 1969

Float: low 6.72623e-044 high 0

Double: 2.37152e-322

0:000> .if(@ecx == 0n48){.echo True}

True

0:000> .if(@ecx == '0'){.echo True}

True

The expressions above are equivalent. The content in memory can be interpreted as char, hexadecimal, decimal, octal, binary... you choose.

Now, if you want to compare C/C++ variables, you can use this approach:

class CSize Size = class CSize

0:000> dt Size

Local var @ 0x12f890 Type CSize

+0x000 cx : 30

+0x004 cy : 39

Now I use the C++ expression evaluator:

0:000> .if(@@c++(Size.cx == 30)){.echo True}.else{.echo False}

True

0:000> .if(@@c++(Size.cx == 20)){.echo True}.else{.echo False}

False

Did it answer your question?

re: Special Command: Using ??, @@c++() and poi() with C/C++ Expressions

rembo — Mon, 22 Sep 2008 23:37:45 GMT

Yes, thank you for your detailed explanation, that was very helpful! I guess I was confused when to use ?, when @@c++ and when ?? , but you cleared it up. Apologies if my question was unclear; I understand how to use registers, but I was trying to use a parameter on the stack, and it seemed I had to cast it the way I did.