

How to find all the strings in the thread stack?

To find all the strings in the thread stack you need to know a few things before we jump into the commands. WinDbg has pseudo-registers, and they are very handy. One of them is $csp, the current call stack pointer; it is the register most representative of call-stack depth (on x86 it is esp, on x64 rsp). Another is $teb, which holds the address of the thread environment block. The TEB begins with an NT_TIB structure, whose StackBase field sits at offset 4 on a 32-bit target, so poi(@$teb+4) yields the stack base of the current thread (on a 64-bit target the field is at offset 8, so use poi(@$teb+8) there). You can confirm the value with !teb.

Here is the output:

0:002> ?poi(@$teb+4)
Evaluate expression: 40566784 = 026b0000
0:002> !teb
TEB at 7ffda000
    ExceptionList:        026affdc
    StackBase:            026b0000
    StackLimit:           026af000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffda000
    EnvironmentPointer:   00000000
    ClientId:             00000c70 . 00000c90
    RpcHandle:            00000000
    Tls Storage:          0023db88
    PEB Address:          7ffd4000
    LastErrorValue:       1008
    LastStatusValue:      c000007c
    Count Owned Locks:    0
    HardErrorMode:        0

There are two more things to know, which will be clearer once you see the commands.

1) You can assign a value to one of the user-defined pseudo-registers $t0 through $t19 with the "r" command (e.g. r @$t0 = 2 sets $t0 to 2). They can then be used anywhere an address or value is expected.
2) "s" is the memory search command; "s -sa" looks for ASCII strings and "s -su" for Unicode (UTF-16) strings. The command takes a range, which can be given as a start address and an end address; passing @$t0 and @$t1 tells it to search from the value of $t0 up to the value of $t1.

Using the above, you can easily construct the commands below.

r @$t0=@$csp;r @$t1=poi(@$teb+4);s -sa @$t0 @$t1
r @$t0=@$csp;r @$t1=poi(@$teb+4);s -su @$t0 @$t1

Note that this range runs from the current stack pointer up to the stack base, i.e. only the live part of the stack. Stale data from frames that have already returned lives between StackLimit and @$csp; to sweep the whole committed stack (for example when hunting for leftover credentials or paths) start from StackLimit instead, which on a 32-bit target is poi(@$teb+8).
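As an added illustration (not part of the original post, and not WinDbg code), the Python below performs the same two scans over a constructed stack image: a single 0x1000-byte page laid out at the StackLimit/StackBase addresses from the !teb output above, with an assumed @$csp of 026afe00 and some strings placed into it by the example itself. It mimics "s -sa" and "s -su" on the range [@$csp, StackBase): printable-ASCII and UTF-16LE runs of at least min_len characters, restricted to the requested address range (the min_len parameter stands in for WinDbg's minimum-length search flag and its default here is the example's own choice). The names build_stack_image, find_ascii_strings, find_unicode_strings and stack_strings are all invented for this example.

```python
import re
import struct

# Addresses taken from the !teb output on this page; CSP is an assumption for the example.
STACK_LIMIT = 0x026AF000   # lowest committed stack address
STACK_BASE  = 0x026B0000   # stack base, i.e. poi(@$teb+4) on a 32-bit target
CSP         = 0x026AFE00   # assumed current stack pointer (@$csp)


def build_stack_image():
    """Constructed stack page covering [STACK_LIMIT, STACK_BASE); not real process memory."""
    buf = bytearray(STACK_BASE - STACK_LIMIT)

    def put(addr, data):
        off = addr - STACK_LIMIT
        buf[off:off + len(data)] = data

    # Below @$csp: residue of a returned frame. The page's range [@$csp, StackBase)
    # must NOT report it; a StackLimit-based range would.
    put(0x026AFD00, b"stale-frame-data\0")
    # Live frame contents between @$csp and StackBase.
    put(0x026AFE10, b"C:\\Users\\demo\\app.log\0")                      # ASCII, NUL-terminated
    put(0x026AFE40, "Password=hunter2".encode("utf-16-le") + b"\0\0")    # UTF-16LE
    put(0x026AFE80, struct.pack("<I", 0x41414141))                       # integer that reads as "AAAA"
    put(0x026AFF00, b"x\0y\0\0")                                         # two-char UTF-16, too short
    return bytes(buf)


def _clip(image, image_base, start, end):
    """Map a [start, end) address range onto offsets inside the image, clamping to its bounds."""
    if end < start:
        raise ValueError("end address must not be below start address")
    lo = max(start, image_base) - image_base
    hi = min(end, image_base + len(image)) - image_base
    return lo, hi


def find_ascii_strings(image, image_base, start, end, min_len=5):
    """Equivalent of `s -sa start end`: printable-ASCII runs of >= min_len bytes.

    Returns [(address, string), ...] in ascending address order.
    """
    lo, hi = _clip(image, image_base, start, end)
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # endpos=hi stops a run from spilling past the end of the requested range.
    return [(image_base + m.start(), m.group().decode("ascii"))
            for m in pat.finditer(image, lo, hi)]


def find_unicode_strings(image, image_base, start, end, min_len=5):
    """Equivalent of `s -su start end`: UTF-16LE runs of >= min_len printable characters."""
    lo, hi = _clip(image, image_base, start, end)
    # Each character is a printable byte followed by a zero high byte.
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(image_base + m.start(), m.group().decode("utf-16-le"))
            for m in pat.finditer(image, lo, hi)]


def stack_strings(image, csp=CSP, stack_base=STACK_BASE, min_len=5):
    """The page's two one-liners in one call: @$t0=@$csp, @$t1=poi(@$teb+4), then s -sa / s -su."""
    return {
        "ascii": find_ascii_strings(image, STACK_LIMIT, csp, stack_base, min_len),
        "unicode": find_unicode_strings(image, STACK_LIMIT, csp, stack_base, min_len),
    }


if __name__ == "__main__":
    img = build_stack_image()
    for kind, hits in stack_strings(img).items():
        for addr, text in hits:
            print("%s %08x %r" % (kind, addr, text))
```

Run it and the live range yields the path and the UTF-16 password but not the stale frame below @$csp; widen the start to STACK_LIMIT and the stale string appears as well, which is the difference between the two ranges discussed above.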


Bye, got to get back to my work ..