WinDbg: is there any command that shows only the threads belonging to a certain library?



I know the existing command ~*k, which shows all threads, and I know the existing command ~[id_thread], which shows the stack of id_thread. I only want to see the threads loaded in WinDbg that belong to a certain library.

WinDbg's scripting capabilities are limited when it comes to handling strings and searching. You'd need to call out to a shell. Perhaps the following is sufficient for you:

~*e ? @$tid; .shell -ci "k" findstr "kernel32"

Therefore, I suggest you use the PyKd WinDbg extension. Note that you need a Python installation with the matching bitness, and a pip install pykd for each bitness.

The quick and dirty approach is to use dbgCommand() and parse its output. The better approach is to use the API.

I'm not a PyKD expert, but something like this works for me:

import sys
print("Python version:", sys.version)
print("Script path: " + sys.argv[0])

from pykd import *

if len(sys.argv) < 2:
    print("Usage: findlib <library>")
    exit(1)

lib = sys.argv[1]
try:
    # evaluating a module name as a debugger expression yields its base address
    offset = expr(lib)
except DbgException:
    print(f"{lib} is not a valid module")
    exit(1)
print(f"Finding {lib} at {offset:08x}")

# look the base address up in the module list to get the module's end address
begin = end = None
for module in getModulesList():
    if module.begin() == offset:
        begin = module.begin()
        end = module.end()
        break
if begin is None:
    print(f"{lib} evaluates to {offset:08x}, which is not the base of a loaded module")
    exit(1)

# getProcessThreads() returns the TEB address of every thread in the process
for thread in getProcessThreads():
    setCurrentThread(thread)
    # print(f"Examining thread {thread:08x}")
    found = False
    for frame in getStack():
        # unfortunately findSymbol() hangs for me if no symbols are available
        # otherwise it would have been a much cleaner approach
        # and no messing with the module list
        # dll, method, offset = frame.findSymbol()
        if begin <= frame.ip < end:
            found = True
            break
    if found:
        print(f"Found on thread with TEB {thread:08x}")

Usage in WinDbg:

.load <path_to_ext>pykd
!py <path_to_script>findlib kernel32
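As an added example (not part of the answer above, and not pykd's or WinDbg's own code), here is the "quick and dirty" variant the answer mentions: take the text of ~*k and keep only the threads that have a frame in the requested module. Inside WinDbg the text would come from pykd's dbgCommand("~*k"); here a constructed ~*k transcript is embedded so the script runs offline. The module name "mylib", every address and every thread id in that sample are made up. The parser also reports frames that carry no module name at all (bare addresses), which is exactly where a module filter goes blind when symbols or module information are missing, the same failure mode the answer's comment about findSymbol() describes.

```python
import re
from typing import Dict, List

# Constructed sample of `~*k` output (not captured from a real session;
# addresses, ids and the module "mylib" are made up for illustration).
SAMPLE_KSTACKS = """\
.  0  Id: 1a2c.1f40 Suspend: 1 Teb: 00000000`00b9d000 Unfrozen
 # Child-SP          RetAddr               Call Site
00 00000000`0014f5a8 00007ffb`1e9a0a9e     ntdll!NtWaitForSingleObject+0x14
01 00000000`0014f5b0 00007ff6`3b8c1123     KERNELBASE!WaitForSingleObjectEx+0x8e
02 00000000`0014f650 00007ffb`2001257d     app!main+0x123
03 00000000`0014f690 00007ffb`21b8aa58     KERNEL32!BaseThreadInitThunk+0x1d
04 00000000`0014f6c0 00000000`00000000     ntdll!RtlUserThreadStart+0x28
   1  Id: 1a2c.0e58 Suspend: 1 Teb: 00000000`00b9f000 Unfrozen
 # Child-SP          RetAddr               Call Site
00 00000000`0069f8c8 00007ffb`1e9a3fbe     ntdll!NtDelayExecution+0x14
01 00000000`0069f8d0 00007ffb`2001257d     KERNELBASE!SleepEx+0x9e
02 00000000`0069f970 00007ffb`21b8aa58     KERNEL32!BaseThreadInitThunk+0x1d
03 00000000`0069f9a0 00000000`00000000     ntdll!RtlUserThreadStart+0x28
   2  Id: 1a2c.2b10 Suspend: 1 Teb: 00000000`00ba1000 Unfrozen
 # Child-SP          RetAddr               Call Site
00 00000000`0089fa18 00007ffb`1e9b7d2e     ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 00000000`0089fa20 00007ffb`0c102f1a     ntdll!TppWorkerThread+0x2de
02 00000000`0089fd10 00007ffb`21b8aa58     mylib+0x2f1a
03 00000000`0089fd40 00000000`00000000     0x00007ffb`21b8aa58
"""

# Thread header, e.g. ".  0  Id: 1a2c.1f40 Suspend: 1 Teb: 00000000`00b9d000 Unfrozen".
# The first column is '.' (current thread), '#' (thread that broke in) or blank.
THREAD_HDR = re.compile(
    r"^[.#\s]?\s*(?P<idx>\d+)\s+Id:\s*(?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)"
    r"\s+Suspend:\s*\d+\s+Teb:\s*(?P<teb>[0-9a-fA-F`]+)"
)
# Stack frame, e.g. "03 00000000`0014f690 00007ffb`21b8aa58     KERNEL32!BaseThreadInitThunk+0x1d".
# Works for 32-bit ChildEBP/RetAddr columns too, since only the line shape matters.
FRAME = re.compile(
    r"^\s*[0-9a-fA-F]{2,}\s+[0-9a-fA-F`]+\s+[0-9a-fA-F`]+\s+(?P<site>\S.*?)\s*$"
)


def parse_threads(kstacks: str) -> List[Dict]:
    """Split `~*k` output into threads, each with its list of Call Site strings."""
    threads: List[Dict] = []
    for line in kstacks.splitlines():
        hdr = THREAD_HDR.match(line)
        if hdr:
            threads.append({"idx": int(hdr["idx"]), "tid": hdr["tid"],
                            "teb": hdr["teb"], "frames": []})
            continue
        frm = FRAME.match(line)
        if frm and threads:
            threads[-1]["frames"].append(frm["site"])
    return threads


def module_of(site: str) -> str:
    """Module part of a Call Site: 'KERNEL32!Foo+0x1d' -> 'KERNEL32';
    'mylib+0x2f1a' (module known, no symbols) -> 'mylib';
    a bare address such as '0x00007ffb`21b8aa58' (no module at all) -> ''."""
    site = site.strip()
    if site.startswith("0x"):
        return ""
    return re.split(r"[!+]", site, maxsplit=1)[0]


def threads_using_module(kstacks: str, module: str) -> List[Dict]:
    """Threads with at least one frame in `module`. Matching is case-insensitive
    because WinDbg prints the name as loaded (KERNEL32) while one types kernel32.
    Each hit carries the matching frames and the `~<idx>k` command for that thread."""
    wanted = module.lower()
    hits = []
    for t in parse_threads(kstacks):
        matching = [s for s in t["frames"] if module_of(s).lower() == wanted]
        if matching:
            hits.append({**t, "matching": matching, "command": f"~{t['idx']}k"})
    return hits


def unresolved_frames(kstacks: str) -> List[str]:
    """Frames that cannot be attributed to any module (bare addresses): these are
    the frames a module filter silently misses when symbol/module info is missing."""
    return [s for t in parse_threads(kstacks) for s in t["frames"] if module_of(s) == ""]


if __name__ == "__main__":
    # In WinDbg the text would come from pykd.dbgCommand("~*k") instead of the sample.
    for t in threads_using_module(SAMPLE_KSTACKS, "kernel32"):
        print(f"thread {t['idx']} (tid {t['tid']}, TEB {t['teb']}): {t['matching']} -> {t['command']}")
    print("frames with no module:", unresolved_frames(SAMPLE_KSTACKS))
```

The returned command string (for example ~1k) is the natural follow-up: run it to see the full stack of just that thread. If unresolved_frames() is non-empty, treat the module filter's result as a lower bound, not a complete list, until symbols or the module list are fixed.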
