Windbg: Using .shell to search text
To me, one of the most useful commands in WinDbg is .shell. According to the Debugging Tools for Windows documentation:
“The .shell command launches a shell process and redirects its output to the debugger, or to a specified file.”
So why would launching a shell process be interesting and useful in my day-to-day work? Maybe to impress friends (who know nothing about debugging) with strange commands, or to make it all sound very complicated. Well, actually I use .shell for one of the simplest tasks we all do every day, and that's finding text. Now you might be thinking: why don't you just use Ctrl+F and find what you want? (We will get to that in a couple of minutes.)
So, as I was saying, I use it a lot to find text inside memory dumps, and this saves me time. Since .shell launches a shell process, the key here is to use the old FIND command from DOS to help us. FIND lets you search for text inside a file. If you open a command line and run FIND /? you will see something like the below.
Searches for a text string in a file or files.

FIND [/V] [/C] [/N] [/I] [/OFF[LINE]] "string" [[drive:][path]filename[ ...]]

  /V         Displays all lines NOT containing the specified string.
  /C         Displays only the count of lines containing the string.
  /N         Displays line numbers with the displayed lines.
  /I         Ignores the case of characters when searching for the string.
  /OFF[LINE] Do not skip files with offline attribute set.
  "string"   Specifies the text string to find.
  [drive:][path]filename
             Specifies a file or files to search.

If a path is not specified, FIND searches the text typed at the prompt
or piped from another command.
The sample below is a (very simple) example of finding a specific string in the call stack. I use it a lot to find specific values inside object properties, but I'm sure you will find other uses for this command.
0:000:x86> .shell -ci "~*kb" FIND /I "BaseCachedThreadroutine"
0c8ffdb0 75721c6b 00512fe0 0c8ffdc8 76c9e3f3 rpcrt4!BaseCachedThreadRoutine+0x9e
0effff60 75721c6b 00512fe0 0effff78 76c9e3f3 rpcrt4!BaseCachedThreadRoutine
.shell: Process exited
The -ci argument specifies that the output of the debugger command "~*kb" is to be used as input for the FIND command. There are some more options that you can look up in the Debugging Tools for Windows help.
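A few more ways of combining the same two pieces, written here as an added example and not taken from the original post. The commands assume the same x86 user-mode target as above and reuse the routine name from the sample; the ntdll! and rpcrt4! module prefixes are standard Windows module names, the output file path is a constructed placeholder, and the -o option of .shell (redirecting the shell output to a file instead of the debugger window) comes from the Debugging Tools for Windows help rather than from this post.

```windbg
$$ Added example (not part of the original post): the debugger command quoted after
$$ -ci is run first and its output becomes stdin of the cmd.exe pipeline that follows.

$$ Count how many threads have this routine anywhere on their stack (/C prints
$$ only the number of matching lines, so the frames themselves are not shown).
0:000:x86> .shell -ci "~*kb" FIND /C /I "BaseCachedThreadRoutine"

$$ Show each matching frame with its line number in the ~*kb output (/N); the
$$ number helps to walk back up to the thread header the frame belongs to.
0:000:x86> .shell -ci "~*kb" FIND /N /I "BaseCachedThreadRoutine"

$$ Invert the match (/V): frames whose symbol is NOT in ntdll, which removes the
$$ common wait/dispatch frames and leaves the frames that say what each thread was doing.
0:000:x86> .shell -ci "~*kb" FIND /V /I "ntdll!"

$$ The command string is handed to cmd.exe, so FIND calls can be chained with a pipe:
$$ keep the rpcrt4 frames, then drop the one routine we already know about.
0:000:x86> .shell -ci "~*kb" FIND /I "rpcrt4!" | FIND /V /I "BaseCachedThreadRoutine"

$$ -o (from the .shell documentation) writes the filtered result to a file instead of
$$ the debugger window; the path is a placeholder, use any writable location.
0:000:x86> .shell -o C:\temp\rpcrt4_frames.txt -ci "~*kb" FIND /I "rpcrt4!"
```

Any debugger command that produces text works in place of ~*kb (lm, !peb, !address, and so on); the only requirement is that the string FIND should match is quoted, and /I is worth keeping on by default because symbol names are case sensitive while what you remember of them usually is not.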
Till next time. Have Fun!!!