{"id":20568761,"url":"https://github.com/yardenshafir/windbg_scripts","last_synced_at":"2025-04-05T13:05:42.046Z","repository":{"id":45550310,"uuid":"266141601","full_name":"yardenshafir/WinDbg_Scripts","owner":"yardenshafir","description":"Useful scripts for WinDbg using the debugger data model","archived":false,"fork":false,"pushed_at":"2024-03-27T12:38:36.000Z","size":1870,"stargazers_count":408,"open_issues_count":0,"forks_count":67,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-03-29T12:04:24.526Z","etag":null,"topics":["debugging","linq","windbg","windbg-scripts","windows"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yardenshafir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-05-22T15:16:05.000Z","updated_at":"2025-03-23T12:54:28.000Z","dependencies_parsed_at":"2023-01-20T16:31:16.577Z","dependency_job_id":"ac14733e-73bd-4001-bd29-4fe274d25dfd","html_url":"https://github.com/yardenshafir/WinDbg_Scripts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yardenshafir%2FWinDbg_Scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yardenshafir%2FWinDbg_Scripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yardenshafir%2FWinDbg_Scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yardenshafir%2FWinDbg_Scripts/manifests","owner_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/owners/yardenshafir","download_url":"https://codeload.github.com/yardenshafir/WinDbg_Scripts/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247339155,"owners_count":20923014,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugging","linq","windbg","windbg-scripts","windows"],"created_at":"2024-11-16T04:54:32.375Z","updated_at":"2025-04-05T13:05:42.019Z","avatar_url":"https://github.com/yardenshafir.png","language":"JavaScript","readme":"# WinDbg_Scripts\nUseful scripts for WinDbg using the debugger data model\n\nUsage, examples, explanations and general rants (also available in PDF form here):\n\nhttps://medium.com/@yardenshafir2/windbg-the-fun-way-part-1-2e4978791f9b  \u003c/br\u003e\nhttps://medium.com/@yardenshafir2/windbg-the-fun-way-part-2-7a904cba5435\n\n## Useful Commands and Syntax\n- \u003cb\u003e__iserror(x)\u003c/b\u003e   \nReturns true if a statement throws an error.\n```\ndx @$curprocess.Io.Handles.Where(h =\u003e !__iserror(h.Type == \"File\") \u0026\u0026 h.Type == \"File\")\n```\n\n- \u003cb\u003eSelectMany\u003c/b\u003e  \nFlattens a nested collection, for example runs a query on all threads in all processes and flattens the results\n```\ndx @$cursession.Processes.SelectMany(p =\u003e p.Threads.Select(t =\u003e t.KernelObject.ThreadName))\n```\n\n- \u003cb\u003eConditional Operations\u003c/b\u003e\n```\ndx @$curthread.KernelObject.ActiveImpersonationInfo != 0 ? 
@$curthread.KernelObject.ClientSecurity.ImpersonationLevel : \"Not Impersonating\"\n```\n\n- \u003cb\u003eExecuting a Legacy Command\u003c/b\u003e\n```\ndx @$printSecurityDescriptor = (sd =\u003e Debugger.Utility.Control.ExecuteCommand(\"!sd \" + ((__int64)sd).ToDisplayString(\"x\") + \" 1\"))\n```\n\n- \u003cb\u003eCast Pointer to Function Address\u003c/b\u003e\n```\ndx @$curprocess.Threads.Select(t =\u003e (void(*)())t.KernelObject.StartAddress)\n```\n\n## String Types and Conversions\nWinDbg uses regular, null-terminated strings.\nThat can be challenging when trying to compare them with Windows strings, which can be counted strings (ANSI or UNICODE strings) or wide strings.\nTo fix that, you can cast Windows strings into \"regular\" strings with .ToDisplayString:\n- .ToDisplayString(\"s\"): convert a char array (not a wide string) to a string. Output string will be wrapped in double quotes.\n- .ToDisplayString(\"sb\"): convert a char array (not a wide string) to a string. Output string will not be wrapped in double quotes.\n- .ToDisplayString(\"su\"): convert a wchar_t array (wide string) to a string. Output string will be wrapped in double quotes.\n\nTo convert a counted string to a basic string, convert the Buffer field of the counted string using .ToDisplayString(). For example, to convert an ANSI_STRING to a string:\n```\ndx (@$CountedString-\u003eBuffer).ToDisplayString(\"sb\")\n```\n\nAs another example, you can create a helper function to compare a user-defined path to the ObjectName field of an OBJECT_ATTRIBUTES structure. 
ObjectName is a wide string, so use .ToDisplayString(\"su\"), and wrap the requested string in double quotes to match the output received from .ToDisplayString(\"su\").\nIn this helper function, the two arguments are:\n- o: a pointer to an OBJECT_ATTRIBUTES structure\n- p: a string to be compared to the ObjectName field of the OBJECT_ATTRIBUTES structure passed in argument o\n```\ndx @$comparePathFromObjAttr = ((o, p) =\u003e (((nt!_OBJECT_ATTRIBUTES*)o)-\u003eObjectName-\u003eBuffer).ToDisplayString(\"su\") == \"\\\"\" + p + \"\\\"\")\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyardenshafir%2Fwindbg_scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyardenshafir%2Fwindbg_scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyardenshafir%2Fwindbg_scripts/lists"}