Tags: windows, debugging, windbg, low-level

WinDbg - compare a string argument with a string from memory


I need to compare a string, passed as an argument to WinDbg, with a string from memory. How can this be achieved?

For example, the string is located at a specific offset within the loaded PE. So, I can easily read the string by executing da /c 100 <addr>. But how can I use this string to compare it with arg1, in a WinDbg script, using .if? (and $SPAT(), I guess)

I was trying to read the output of the da command into an Alias or a User-Defined Register, but I was unsuccessful.


Solution

  • You can assign a string to an alias using as /c:

    0:012> as /c Hello .printf "%ma", 06130000
    0:012> .echo @"${Hello}"
    Hello world
    

    You can then use $spat() on it:

    0:012> ? $spat(@"${Hello}","*ell*")
    Evaluate expression: 1 = 00000000`00000001
    0:012> ? $spat(@"${Hello}","x*")
    Evaluate expression: 0 = 00000000`00000000
    

    To control the pattern from the command line, set another alias using the -c command line switch:

    windbg -c "as Pattern *ell*"
    
    // this line is from the command line argument
    0:006> as Pattern *ell*
    
    0:006> .dvalloc 1000
    Allocated 1000 bytes starting at 04610000
    0:006> ea 04610000 "Hello world"
    0:006> as /c Hello .printf "%ma", 04610000
    0:006> .echo ${Pattern}
    *ell*
    0:006> .echo ${Hello}
    Hello world
    0:006> ? $spat(@"${Hello}", @"${Pattern}")
    Evaluate expression: 1 = 00000001
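The question asked for the comparison inside a WinDbg script with .if. The script below is an added example, not part of the answer above, that ties the pieces together: the pattern arrives through the -c alias exactly as in the answer, the string is read from the debuggee, and .if branches on $spat(). Two things are assumed: the file name and path (C:\scripts\check_string.wds), and that the caller puts the string's address in the pseudo-register $t0 (for example r $t0 = mymodule + 0x1234, where the module and offset are placeholders). It also uses aS /ma to read the NUL-terminated ASCII string straight into an alias instead of capturing .printf output with as /c; this is deliberate, because lowercase as takes the entire rest of the line, including semicolons, as the alias value, and a script loaded with $$>< is condensed onto one semicolon-separated line, so as would swallow the remainder of the script.

```windbg
$$ check_string.wds  (added example, not from the original answer)
$$
$$ Inputs, both supplied by the caller (names assumed for this example):
$$   alias Pattern  -> wildcard, set at startup:  windbg -c "as Pattern *ell*"
$$   $t0            -> address of the NUL-terminated ANSI string in the debuggee
$$                     e.g.  r $t0 = mymodule + 0x1234   (module and offset are placeholders)
$$ Run from the command window with:  $$>< C:\scripts\check_string.wds   (path assumed)
$$
$$ Note: $$ comments end at a semicolon, so none are used inside comment text.

$$ ${/d:Pattern} expands to 1 if the alias exists, 0 otherwise, which lets the
$$ script fail loudly instead of comparing against the literal text ${Pattern}.
.if (${/d:Pattern} == 0) {
    .echo Pattern alias is not set. Start WinDbg with -c "as Pattern <wildcard>"
} .else {
    $$ Read the string at @$t0 into the alias Str (aS /ma = ASCII string at address).
    aS /ma Str @$t0

    $$ Aliases are substituted when a block is parsed, so an alias defined in this
    $$ block is not visible to the lines that follow it. .block {} forces a fresh
    $$ parse, and therefore a fresh substitution, for everything inside it.
    .block {
        $$ $spat() needs string literals. @"..." is the MASM string-literal form,
        $$ and the alias expansion inside it supplies the text.
        .if ($spat(@"${Str}", @"${Pattern}") != 0) {
            .echo match: "${Str}" matches pattern "${Pattern}"
        } .else {
            .echo no match: "${Str}" does not match pattern "${Pattern}"
        }
        $$ Remove the scratch alias so a later run starts from a clean state.
        ad Str
    }
}
```

Starting the session as windbg -c "as Pattern *ell*", then running r $t0 = 04610000 against the buffer filled with ea in the answer above and loading the script with $$><, prints the match line; a pattern such as x* takes the .else branch. The .block wrapper is the part that usually bites people: without it, ${Str} on the $spat() line is parsed before aS has run and the comparison silently operates on the literal text ${Str}.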