Nsryjdtyk

In Windbg I have a script that iterates through the frames of a stack and does a good job of pulling back things of interest, echoing them to the Command Window (it just sniffs things out that could require further investigation).

In certain frames, there will be a this that I'm interested in some details of. I can certainly extract the details fine, but I'd like to get the actual class type from it too. I know that if I then do a dv /t I will see something like the following:

0:115> .frame 14

0:115> dv /t

class foo1 * this = 0x00000000e9ed0010

I would like a way of being able to pass just foo1 to a .printf command.

In frames that have more than simply this, I can restrict output by using the pattern dv /t this obviously, but is there a good way of having something like what follows in a frame and me being able to extract just foo1?

0:115> .frame 17

0:115> dv /t

class foo1 * this = 0x00000000f3e2f568

class foo2 * bar2 = 0x0000000000000001

bool _somebool = true

Doing what follows is very close to the limited output I'd like... but I just want to neaten it up.

0:115> .frame 17

0:115> dv /t this

class foo1 * this = 0x00000000f3e2f568

Following the example code from blabb:

0:000> dv /t

class Time * this = 0x001efb24

int h = 0n23

int m = 0n59

int s = 0n59

0:000> dv /t this

class Time * this = 0x001efb24

0:000> some command

Time

The third command is what I'm looking for.

What I understood is: you need a command that takes foo1 as a parameter and gives an output like dv /t but just for all foo1.

IMHO, it's hardly possible with builtin WinDbg functionality. You could fiddle around with .foreach inculding $spat and the like.

One possibility is .shell along with the command line tool findstr or Cygwin grep. But that's not convenient, because it always outputs Process started etc. You could again work around this using .foreach and skipping some tokens, but that's tedious.

There are grep implementations for WinDbg such as long123king's grep plugin and if I recall correctly, there's also a grep implementation in PDE.

Then there is pykd, which has the powers of Python and let's you do basically anything.

i am not sure i understand what you need

but have you given the new dx expression evaluator a try

for example

0:000> dv /t

class Time * this = 0x001efb24

int h = 0n23

int m = 0n59

int s = 0n59

0:000> dv /t this

class Time * this = 0x001efb24

0:000> dx @$curstack.Frames[0].LocalVariables

@$curstack.Frames[0].LocalVariables                

    this             : 0x1efb24 [Type: Time *]

0:000> dx @$curstack.Frames[0].LocalVariables.this

@$curstack.Frames[0].LocalVariables.this                 : 0x1efb24 [Type: Time *]

    [+0x000] hour             : 23 [Type: int]

    [+0x004] minute           : 59 [Type: int]

    [+0x008] second           : 59 [Type: int]

you can enhance this with javascript to fine tune it to you needs

here is how you can enhance this with javascript

make a file whateverfoo.js with contents below

function log(logstr) {

    return host.diagnostics.debugLog(logstr + "n")

}

function locvartgttyp(frameno)

{

    log( host.currentThread.Stack.Frames[frameno].LocalVariables.this.targetType.name)

}

and use it like

:>echo %wdbg%

"c:Program FilesWindows Kits10Debuggersx86cdb.exe"



:>%wdbg% time.exe



Microsoft (R) Windows Debugger Version 10.0.17763.132 X86



0:000> g time!main



time!main:

01237a80 55              push    ebp

0:000> tc;t



time!Time::Time:

01231140 55              push    ebp



0:000> dv /t

class Time * this = 0x00000002

int h = 0n23

int m = 0n59

int s = 0n59



0:000> .load jsprovider



0:000> .scriptload c:wdscrlocvar.js



JavaScript script successfully loaded from 'c:wdscrlocvar.js'



0:000> dx @$scriptContents.locvartgttyp(0)

Time *



@$scriptContents.locvartgttyp(0)

0:000>