I want to debug an application running on Windows by setting a breakpoint on a certain address, waiting till the breakpoint is hit, keeping the application paused for a certain period of time and then continuing. All of this should be done in an unattended fashion (e.g. a script).
To do this, I chose to use WinDbg since the scripting support seems promising.
Starting WinDbg and attaching to the process by process name can e.g. be done by invoking the following command:
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -pn my-executable.exe
Setting the breakpoint is done with the bu command:
bu 0x1337
Continuing works with the g command.
Delaying can be done with the .sleep command:
.sleep milliseconds
For writing WinDbg scripts this PDF might be helpful.
How can I piece it all together? I didn't figure out how delaying after hitting a breakpoint can be done nor do I know how to perform all of those actions (including attaching) from the command line alone without loading up the WinDbg GUI at all.
what for you need to sleep
you can embed the script commands and pass it to and instance of windbg
with -c switch the command below lists the modules and quits the session
windbg -c "lm;q" calc.exe
you can put it inside a batfile and run the batfile
like
cdb -c "bu %2 \".sleep 5000;g\";g" %1.exe
a gif showing how i broke on winmain slept for 5 seconds before allowing the exe to run below
Related
I use ebook-convert.exe from a batch file, and on one of my machines (old Windows vista laptop), any calls ebook-convert.exe prevent further commands in a batch file from running (in that .bat file, or in that cmd shell instance for instance). The conversion to .mobi actually succeeds, prints no errors even in -v -v full verbose mode. I tried versions 1.20.0 and 0.9.6 of calibre portable. It seems to be related to the executable itself, and not to the specific conversion job (just running it with -h flag has same effect). I tried running cmd in administrator mode, wrapping it with 'call' command, nothing helps. Assuming the calibre issue is a black hole that can't be solved, is there a DOS trick I could possibly try to keep batch commands running no matter what odd thing happens with ebook-convert.exe on that machine?
Using call in a batch file should work on normal console programs but it is possible for programs to "escape" if they really want to.
Using Start instead might work but it does not wait by default and its syntax is not sane:
Start /B /WAIT c:\path\without\spaces.exe optionalParameter
or
Start "" /B /WAIT "c:\path\w i t h\spaces.exe" optionalParameter
Remove /B to run the application in a new console.
Another option is to call ping localhost and For (to get the file size with %%~zA) in a loop until the size of the destination file stops increasing. This is a bit of a hack and might not work, it depends on how the converter opens the file and how often it flushes the writes.
I'm setting up a .cmd script to be run on startup for a pseudo-server (It's actually a laptop, but that's irrelevant) to automatically launch pageant, load an SSH key, connect to an SSH server using Putty (Pageant would automatically authenticate with the key), then launch mIRC which in turn has a series of scripts setup to operate as an IRC bot and automatically connect to networks using putty as an SSH tunnel.
With that in mind, I have the below code in a startup.cmd file:
"C:\Program Files (x86)\PuTTY\pageant.exe" c:\Path\To\Private\Key.ppk
"C:\Program Files (x86)\PuTTY\putty.exe" -ssh user#host
"C:\Program Files (x86)\mIRC\mirc.exe"
EXIT
When I test run this file, the command prompt runs the first line, launches pageant, and then sits there and does nothing until I close pageant completely. I believe I have an idea on what the issue here is, but I can't find any information on how to resolve this in a batch file.
I do know on linux systems, if I were running a bash script to do something similar, I would want to have a & symbol at the end of each line to tell it to run the next command without waiting for the previous command to finish executing. I did try that in the batch script in the off chance that would work (It didn't).
For those who may ask, this is on Windows 8.1 64 bit. The user running this script is not an administrator.
I can't comment to expand on Squashman's suggestion, so let me answer here.
In your case, if you only want to have Pageant running in the background, without interacting with it, I think it's best to run:
START "" /B <your command>
The /B parameter will spawn the process without launching a new window for it, which seems like something you'd like to avoid (anyway, it's probably closest to the behaviour you can obtain in Linux with &).
Please note that if you close the window from which you spawned this process, it will terminate as well.
I want to start a process that takes a commandline. Using gflags I want to enable page heap and allow windbg to attach to the process each time it starts.
How can I add the commandline parameter in the gflags UI?
You don't. And you're mixing up pretty unrelated things.
PageHeap
To enable the heap verification ("PageHeap") you set the configuration you want using the GFlags utility, either using the GUI or passing it the approporiate command-line arguments (See GFlags and PageHeap). Either way, this setting it global for all binaries with the name you define.
Debugging
To run the program under the debugger each and every time it starts you'd probably want to use the Debugger setting under Image File Execution Options. You can set it too using GFlags. Tick the Debugger checkbox in the Image File tab (after specifying the EXE name and hitting tab) and enter the path to the debugger.
The way this mechanism works is that (somewhere) inside CreateProcess there's a test whether or not IFEO\Debugger is set for the program you're trying to run, and if it is set, whatever set in the Debugger value is executed **and it is passed the original command line*.
So if you set
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\foo.exe\Debugger
to be C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe and then try to execute C:\Users\d_blk\Desktop\foo.exe -param 1 -param 2, Windows runs
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe C:\Users\d_blk\Desktop\foo.exe -param 1 -param 2
and WinDbg passes everything after foo.exe to the target program (as noted here).
So you see, there's no need to set the command-line arguments to the program you're debugging anywhere but wherever you're running it.
The only connection between PageHeap and IFEO\Debugger is that you can control both of them through the GFlags utility.
Caveats
Note all the usual caveats for using IFEO\Debugger. For example:
The caller gets from CreateProcess a handle to WinDbg, not the target process (and process ID, etc.).
Any information in a non-default STARTUPINFO argument applies to WinDbg, not the target process. Same for lpEnvironment I guess.
If that doesn't affect you great. If it does, an alternative might be adding an unhandled exception at the beginning of your program, and setting WinDbg as the post-mortem debugger (AeDebug)
I have a batch file to run an application (I used to write some basic code in the 80s in DOS), and I need it to "re-execute" the application every x hours. The thing I cannot find is how to "close" (or stop) the application before running the code again, so it wont keep opening several cmd.exe windows with every loop. I am a total noob at coding but I know the principles of batch files
My actual .bat looks like this
setx some-minor-adjustments
application.exe -couple-of-variables
Then, it opens the usual cmd.exe window, and keeps running the application forever. What I need to do is, somehow, "refresh" (close and re-execute) the application automatically every x hours.
Closing the cmd.exe window is just fine to close the application, nothing more is needed in that sense (like data to save for example)
A friend suggested the cron command but it seems to be for other purposes. I also find over the Internet that I should use the start command to open the application in a new cmd.exe window, or something like that
Any ideas? Thanks in advance!
On Windows, the Task Scheduler is used instead of CRON.
Tasks in task scheduler can be set to shut down after a set time if you can be sure of the maximum duration.
You can also add an exit command after the main command if the main command can be assumed to finish (or spawns to a separate process).
:BEGIN
start /b mspaint
ping -n 6 localhost
tskill mspaint
GOTO BEGIN
This should work on all versions of Windows. Just keep in mind that you have to change the number 6 to the number of seconds of delay you want plus one i.e., the above ping statement will produce a delay of 5 seconds. Similarly, to produce a delay of 1 hour, you will have to write
ping -n 3601 localhost
Also make sure that the batch file is in the same folder as your executable otherwise you will have to specify full path.
Note: You can use mspaint.exe in the start command but for the tskill command, parameter should be only mspaint(no extensions). Using #echo off won't be of much help in this case as the ping requests are echoed back and can't be turned off. You can instead use a batch-to-exe converter and create a silent windowless executable. The -n parameter of ping can be very large but has to be in seconds.
I'm maintainning a Windows Search property handler project, it is loaded by SearchFilterHost.exe. I don’t know when SearchFilterHost.exe will be launched, don’t know the command line arguments usage, and I find SearchFilterHost.exe will exit one or two minutes after started, so it’s difficult to use the debugger to attach the process then debug the DLL it loaded.
How to debug a Windows Search property handler?
Debugging Protocol Handlers in MSDN talks about how to do this. It involves adding registry entries to make SearchIndexer and SearchFilterHost a little more friendly to debug. You probably will need to take ownership of the registry branch(es) to be able to change the values. Just doing the first set may be enough for you to be able to directly attach to SearchFilterHost.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Windows Search
Gathering Manager
DebugFilters = 1
DisableBackOff = 1 may also be helpful
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Image File Execution Options
SearchIndexer.exe
Debugger = <path to debugger> <debugger options>
Example using the ntsd debugger
Debugger = C:\debuggers\ntsd.exe -odGx -c: "sxe ld mydll.dll;g"
Option Description
-o Tells ntsd.exe to debug child prcoesses.
-d Pipes ntsd.exe through the kernel debugger to ensure the debugger is lauched on the right desktop (system context).
-g Tells ntsd.exe to exit immediately when the child terminates.
-x Disables first-chance break on access violation exceptions. The second occurrence of an access violation will break into the debugger.
-c Sets the order of commands passed ntsd.exe.
Once you have things set up, restart the WSearch service, tweak your searched file, and things should happen.
Also, here's an old thread of others' experiences. Among other things, it talks about using the MSDN tool IFiltTst in your project's debug settings.
In your Project properties window, open ‘configuration properties’, ‘debugging’; and enter the following settings:
Debugger to launch: Local Windows Debugger
Command: C:\<your path here>\IFiltTst.Exe
Command arguments: /i "D:\<your project test folder>\<good file>.<extention to filter>" /v 3 /t 5 /l /d
Working directory: /i "D:\<your project test folder>
Attach: No
Leave all other settings as default.
Both methods require your DLL to be registered so it will be found by Search.