WinDbg scripts (first encounters)

Faced with a dilemma, to write or not to write debugging extensions, I looked at the possibility of trying scripts instead.

After spending some hours I wrote the final version of my first script, which enumerates the processes in a complete memory dump and outputs the command line of each one.

Save the script below in a text file and run it from the WinDbg command prompt with the following command (the file name is whatever you saved it as): $$><script.txt

$$ WinDbg script to get process command line for all processes in complete memory dump
$$ Walk the doubly linked list of active processes that starts at nt!PsActiveProcessHead
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
   $$ Recover the _EPROCESS that embeds this ActiveProcessLinks entry (r? keeps $t2 typed)
   r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
   $$ Switch process context so that @$peb resolves to this process's PEB
   .process @$t2
   .if (@$peb != 0)
   {
      $$ .catch swallows errors for processes whose user-mode pages cannot be read from the dump
      .catch
      {
         r $t3 = @@c++(@$peb->ProcessParameters)
         r? $t4 = @@c++(&((_RTL_USER_PROCESS_PARAMETERS *)@$t3)->CommandLine)
         .printf "_EPROCESS: %N Command Line: %msu\n", @$t2, @$t4
      }
   }
}
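As an added example (not part of the original post), the same list walk extended so that each command line is printed next to the PID and image name it belongs to, and so that a process with no PEB or a NULL ProcessParameters is reported explicitly instead of being skipped silently. It assumes the same setting as above: a complete memory dump with nt symbols loaded, run with $$>< from a file.

```windbg
$$ Added example, not the original script: PID, image name and command line for every process
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
   r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
   $$ PID is printed in hex, matching the Cid column of !process; %ma prints the ANSI ImageFileName
   .printf "PID %x  Image: %ma\n", @@c++(@$t2->UniqueProcessId), @@c++(&@$t2->ImageFileName[0])
   .process @$t2
   .if (@$peb == 0)
   {
      $$ Kernel-only processes (System, Idle) have no PEB, so there is no command line to show
      .printf "   Command Line: <no PEB>\n"
   }
   .else
   {
      $$ .catch keeps the walk going if this process's user-mode pages are missing from the dump
      .catch
      {
         .if (@@c++(@$peb->ProcessParameters) != 0)
         {
            $$ ProcessParameters is already typed in the PEB symbols, so no cast is needed
            .printf "   Command Line: %msu\n", @@c++(&@$peb->ProcessParameters->CommandLine)
         }
         .else
         {
            .printf "   Command Line: <ProcessParameters is NULL>\n"
         }
      }
   }
}
```

A process whose printed image name and command line do not agree is worth a second look during dump triage; a missing second line means the PEB pages were not readable from the dump.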

- Dmitry Vostokov -
