├── CommandPrograms
    ├── cmcallbacks.wbs
    ├── listprocs.wbs
    └── pscallbacks.wbs
├── JavaScript
    └── ListProcs.js
└── README.md


/CommandPrograms/cmcallbacks.wbs:
--------------------------------------------------------------------------------
  1 | $$ cmcallbacks.wbs
  2 | $$
  3 | $$ Version 2
  4 | $$
  5 | $$ This script walks the list of registered Configuration Manager (registry)
  6 | $$ callbacks
  7 | $$
  8 | $$ Currently tested platforms: 
  9 | $$
 10 | $$  Win8.1 x64
 11 | $$
 12 | $$  Win7 x64
 13 | $$
 14 | $$  WinXP x86
 15 | $$
 16 | $$ OSR Open Systems Resources, inc.
 17 | $$
 18 | $$ http://www.osr.com
 19 | $$ http://www.osronline.com
 20 | $$
 21 | $$
 22 | $$ To run:
 23 | $$
 24 | $$ $$><cmcallbacks.wbs
 25 | 
 26 | .echo ************************************************
 27 | .echo * This command brought to you by osronline.com *
 28 | .echo ************************************************
 29 | .echo
 30 | 
 31 | $$ Start off by creating some aliases that will make this script more readable
 32 | 
 33 | $$ Globals
 34 | 
 35 | aS ${/v:BuildNumber} "low(dwo(nt!NtBuildNumber))";
 36 | 
 37 | aS ${/v:CmCallBackCount} "dwo(nt!CmpCallBackCount)";
 38 | 
 39 | $$ Pre-Vista uses an array of callbacks
 40 | aS ${/v:CmCallBackBase}  "nt!CmpCallBackVector";
 41 | 
 42 | 
 43 | $$ Vista and later has a list of callbacks
 44 | aS ${/v:CmCallBackListHead} "@@c++((nt!_LIST_ENTRY *)@@masm(nt!CallbackListHead))";
 45 | 
 46 | $$ Can't seem to find a type for the entries in the list, so offsets it is
 47 | aS ${/v:CallBackOffsetx86} "0x1C";
 48 | aS ${/v:CallBackOffsetx64} "0x28";
 49 | 
 50 | 
 51 | $$ variables
 52 | 
 53 | aS ${/v:listEntry} "@$t0";
 54 | aS ${/v:i} "@$t1";
 55 | aS ${/v:cmEntry} "@$t2";
 56 | aS ${/v:functionPtr} "@$t3";
 57 | 
 58 | $$ The .block is necessary to make sure that all of the above aliases are evaluated
 59 | .block 
 60 | {
 61 |     .echo **********************************;
 62 |     .echo * Printing registry callbacks... *;
 63 |     .echo **********************************;
 64 |     .echo
 65 |     .if (${BuildNumber} <= 0n3790)
 66 |     {
 67 |         $$ Pre-Vista callbacks. These work like the Ps callbacks (see pscallbacks.wbs)
 68 | 
 69 |         $$ Walk the CM notification routines
 70 |         r ${cmEntry} = ${CmCallBackBase};
 71 | 
 72 |         .for (r ${i} = 0; ${i} < ${CmCallBackCount}; r ${i} = ${i} + 1) 
 73 |         {
 74 | 
 75 |             $$ This points to a function, though the bottom bits are control info.
 76 |             $$ So, mask those off
 77 |             r ${functionPtr} = (poi(${cmEntry}) & -8);
 78 | 
 79 |             $$ Unassemble the first instruction
 80 |             .if (@$ptrsize == 4) 
 81 |             {
 82 |                 $$ 32bit systems seem to have more control info ahead of the function
 83 |                 $$ pointer, so skip that.
 84 |                 u poi(${functionPtr} + 4) l1; 
 85 |             }
 86 |             .else
 87 |             {
 88 |                 u poi(${functionPtr}) l1;
 89 |             }
 90 | 
 91 |             $$ Walk to the next entry in the array
 92 |             r ${cmEntry} = ${cmEntry} + @$ptrsize;
 93 | 	    .echo --------------------------------------------;
 94 |         }
 95 |     }
 96 |     .else
 97 |     {
 98 |         $$ Vista and later callbacks
 99 | 
100 |         $$ Get the Flink value of the head. Note that r? is required
101 |         $$ to use the C++ syntax in the r statement. Also, the type is
102 |         $$ assigned to the resulting register
103 | 
104 |         r? ${listEntry} = @@c++(${CmCallBackListHead}->Flink)
105 |       
106 |         $$ And loop while we have entries...
107 |     
108 |         .while (${listEntry} != ${CmCallBackListHead}) 
109 |         {
110 |             $$ Dump the callback
111 | 
112 |             .if (@$ptrsize == 4)
113 |             {
114 |                 u poi(${listEntry} + ${CallBackOffsetx86}) l1
115 |             }
116 |             .else
117 |             {
118 |                 u poi(${listEntry} + ${CallBackOffsetx64}) l1
119 |             }
120 | 
121 |             $$ Move on to the next entry. Our r? command makes sure
122 |             $$ that ${listEntry} is typed appropriately
123 | 
124 |             r? ${listEntry} = @@c++(${listEntry}->Flink);
125 | 
126 |             .echo --------------------------------------------;
127 |   
128 |          }
129 |      }
130 | 
131 | }
132 | 
133 | 
134 | $$ Clean up our aliases
135 | ad ${/v:listEntry};
136 | ad ${/v:BuildNumber};
137 | ad ${/v:CmCallBackCount};
138 | ad ${/v:CmCallBackListHead};
139 | ad ${/v:CallBackOffsetx86};
140 | ad ${/v:CallBackOffsetx64};
141 | ad ${/v:CmCallBackBase};
142 | ad ${/v:i};
143 | ad ${/v:cmEntry};
144 | ad ${/v:functionPtr};
145 | 
146 | 


--------------------------------------------------------------------------------
/CommandPrograms/listprocs.wbs:
--------------------------------------------------------------------------------
 1 | $$
 2 | $$ listprocs.wbs
 3 | $$
 4 | $$ Walk the current list of processes
 5 | $$
 6 | $$ OSR Open Systems Resources, inc.
 7 | $$
 8 | $$ http://www.osr.com
 9 | $$ http://www.osronline.com
10 | $$
11 | $$
12 | $$ To run:
13 | $$
14 | $$ $$><listprocs.wbs
15 | $$
16 | 
17 | .echo ************************************************
18 | .echo * This command brought to you by osronline.com *
19 | .echo ************************************************
20 | 
21 | 
22 | $$ Global aliases
23 | 
24 | $$ Note that we use ${/v:} around all of our alias names. This shuts
25 | $$ alias expansion OFF for these names. Without these, multiple invocations
26 | $$ of the script can cause issues
27 | 
28 | $$ Cast the active process list head as a LIST_ENTRY pointer
29 | 
30 | aS ${/v:PsActiveProcessHead} "@@c++((nt!_LIST_ENTRY *)@@masm(nt!PsActiveProcessHead))"
31 | 
32 | $$ This is the offset of the list entry that PsActiveProcessHead points to
33 | 
34 | aS ${/v:ProcessLinksOffset} "@@c++(#FIELD_OFFSET(nt!_EPROCESS, ActiveProcessLinks))"
35 | 
36 | $$ And the offset to the 16 character ANSI name
37 | 
38 | aS ${/v:ImageNameOffset}    "@@c++(#FIELD_OFFSET(nt!_EPROCESS, ImageFileName))"
39 | 
40 | $$ Locals
41 | 
42 | aS ${/v:listEntry} "@$t0"
43 | aS ${/v:currProc}  "@$t1"
44 | 
45 | $$ Force the script to evaluate the above aliases with a .block
46 | .block 
47 | {
48 | 
49 |     $$ Get the Flink value of the head. Note that r? is required
50 |     $$ to use the C++ syntax in the r statement. Also, the type is
51 |     $$ assigned to the resulting register
52 | 
53 |     r? ${listEntry} = @@c++(${PsActiveProcessHead}->Flink)
54 |     
55 |     $$ And loop while we have entries...
56 |     
57 |     .while (${listEntry} != ${PsActiveProcessHead}) 
58 |     {
59 | 
60 |         $$ Get the base of the struct from the list pointer. 
61 |         $$ Note that #CONTAINING_RECORD would also work
62 | 
63 |         r ${currProc} = ${listEntry} - ${ProcessLinksOffset}
64 |         
65 |         $$ Dump the ASCII 16 character name in the process
66 | 
67 |         da ${currProc} + ${ImageNameOffset}
68 | 
69 |         $$ Move on to the next entry. Our r? command makes sure
70 |         $$ that ${listEntry} is typed appropriately
71 | 
72 |         r? ${listEntry} = @@c++(${listEntry}->Flink)
73 | 
74 |      }
75 | }
76 | 
77 | $$ /v: suppresses the alias expansion
78 | 
79 | ad ${/v:currProc}
80 | ad ${/v:listEntry}
81 | ad ${/v:ProcessLinksOffset}
82 | ad ${/v:ImageNameOffset}
83 | ad ${/v:PsActiveProcessHead}
84 | 
85 |         


--------------------------------------------------------------------------------
/CommandPrograms/pscallbacks.wbs:
--------------------------------------------------------------------------------
  1 | $$
  2 | $$ pscallbacks.wbs
  3 | $$
  4 | $$ Walk the current list of image and process notification callbacks
  5 | $$
  6 | $$ OSR Open Systems Resources, inc.
  7 | $$
  8 | $$ http://www.osr.com
  9 | $$ http://www.osronline.com
 10 | $$
 11 | $$
 12 | $$ To run:
 13 | $$
 14 | $$ $$><pscallbacks.wbs
 15 | $$
 16 | 
 17 | .echo ************************************************
 18 | .echo * This command brought to you by osronline.com *
 19 | .echo ************************************************
 20 | 
 21 | $$ Start off by creating some aliases that will make this script more readable
 22 | 
 23 | $$ Globals
 24 | 
 25 | $$ Note that we use ${/v:} around all of our alias names. This shuts
 26 | $$ alias expansion OFF for these names. Without these, multiple invocations
 27 | $$ of the script can cause issues
 28 | 
 29 | aS ${/v:BuildNumber} "low(dwo(nt!NtBuildNumber))";
 30 | aS ${/v:ImageLoadCount} "dwo(nt!PspLoadImageNotifyRoutineCount)";
 31 | aS ${/v:ImageLoadBase} "nt!PspLoadImageNotifyRoutine";
 32 | 
 33 | 
 34 | $$
 35 | $$ Include the Ex callbacks where available
 36 | $$
 37 | 
 38 | .block
 39 | {
 40 |     .if (${BuildNumber} <= 0n3790)
 41 |     {
 42 |         aS ${/v:ProcessNotifyCount} "dwo(nt!PspCreateProcessNotifyRoutineCount)";
 43 |     }
 44 |     .else
 45 |     {
 46 |         aS ${/v:ProcessNotifyCount} "dwo(nt!PspCreateProcessNotifyRoutineCount) + dwo(nt!PspCreateProcessNotifyRoutineExCount)";
 47 |     }
 48 | }
 49 | 
 50 | aS ${/v:ProcessNotifyBase} "nt!PspCreateProcessNotifyRoutine";
 51 | 
 52 | 
 53 | $$ Our options
 54 | 
 55 | aS ${/v:DISPLAY_IMAGE_NOTIFY} "1";
 56 | aS ${/v:DISPLAY_PROCESS_NOTIFY} "2";
 57 | aS ${/v:options} "@$t0";
 58 | 
 59 | 
 60 | $$ variables
 61 | aS ${/v:i} "@$t1";
 62 | aS ${/v:imageEntry} "@$t2";
 63 | aS ${/v:processEntry} "@$t3";
 64 | aS ${/v:functionPtr} "@$t4";
 65 | 
 66 | $$ The .block is necessary to make sure that all of the above aliases are evaluated
 67 | .block
 68 | {
 69 |     r ${options} = 0;
 70 |     $$ Check the parameters. Valid values are:
 71 |     $$
 72 |     $$ i - Image load callbacks only
 73 |     $$ p - Process notification callbacks only
 74 |     $$ * - All callbacks
 75 |     $$
 76 |     .if (${/d:$arg1} == 1)
 77 |     {
 78 |         .if ('${$arg1}' == 'i')
 79 |         {
 80 |             r ${options} = ${DISPLAY_IMAGE_NOTIFY};
 81 |         }
 82 |         .elsif ('${$arg1}' == 'p')
 83 |         {
 84 |             r ${options} = ${DISPLAY_PROCESS_NOTIFY};
 85 |         }
 86 |         .elsif ('${$arg1}' == '*')
 87 |         {
 88 |             r ${options} = ${DISPLAY_IMAGE_NOTIFY} | ${DISPLAY_PROCESS_NOTIFY};
 89 |         }
 90 |         .else
 91 |         {
 92 |             .echo Error! Valid parameters are i,p, and *.
 93 |         }
 94 |     }
 95 |     .else
 96 |     {
 97 |         $$ Default to showing everything.
 98 |         r ${options} = ${DISPLAY_IMAGE_NOTIFY} | ${DISPLAY_PROCESS_NOTIFY};
 99 |     }
100 |     .if ((${options} & ${DISPLAY_IMAGE_NOTIFY}) != 0)
101 |     {
102 |         .echo ************************************;
103 |         .echo * Printing image load callbacks... *;
104 |         .echo ************************************;
105 | 
106 |         $$ Walk the image load notify routines
107 |         r ${imageEntry} = ${ImageLoadBase};
108 | 
109 |         .for (r ${i} = 0; ${i} < ${ImageLoadCount}; r ${i} = ${i} + 1)
110 |         {
111 |             $$ This points to a function, though the bottom bits are control info.
112 |             $$ So, mask those off
113 |             r ${functionPtr} = (poi(${imageEntry}) & -8);
114 | 
115 |             $$ Unassemble the first instruction
116 |             .if (@$ptrsize == 4)
117 |             {
118 |                 $$ 32bit systems seem to have more control info ahead of the function
119 |                 $$ pointer, so skip that.
120 |                 u poi(${functionPtr} + 4) l1;
121 |             }
122 |             .else
123 |             {
124 |                 u poi(${functionPtr}) l1;
125 |             }
126 | 
127 |             $$ Walk to the next entry in the array
128 |             r ${imageEntry} = ${imageEntry} + @$ptrsize;
129 |             .echo --------------------------------------------;
130 |         }
131 |     }
132 |     .if ((${options} & ${DISPLAY_PROCESS_NOTIFY}) != 0)
133 |     {
134 |         .echo **********************************************;
135 |         .echo * Printing process notification callbacks... *;
136 |         .echo **********************************************;
137 | 
138 |         $$ Walk the process notification routines
139 |         r ${processEntry} = ${ProcessNotifyBase};
140 | 
141 |         .for (r ${i} = 0; ${i} < ${ProcessNotifyCount}; r ${i} = ${i} + 1)
142 |         {
143 |             $$ This points to a function, though the bottom bits are control info.
144 |             $$ So, mask those off
145 |             r ${functionPtr} = (poi(${processEntry}) & -8);
146 | 
147 |             $$ Unassemble the first instruction
148 |             .if (@$ptrsize == 4)
149 |             {
150 |                 $$ 32bit systems seem to have more control info ahead of the function
151 |                 $$ pointer, so skip that.
152 |                 u poi(${functionPtr} + 4) l1;
153 |             }
154 |             .else
155 |             {
156 |                 u poi(${functionPtr}) l1;
157 |             }
158 |             $$ Walk to the next entry in the array
159 |             r ${processEntry} = ${processEntry} + @$ptrsize;
160 |             .echo --------------------------------------------;
161 |         }
162 |     }
163 | }
164 | 	
165 | 
166 | $$ Clean up our aliases
167 | 
168 | ad ${/v:DISPLAY_IMAGE_NOTIFY};
169 | ad ${/v:DISPLAY_PROCESS_NOTIFY};
170 | ad ${/v:options};
171 | ad ${/v:i};
172 | ad ${/v:imageEntry};
173 | ad ${/v:processEntry};
174 | ad ${/v:functionPtr};
175 | ad ${/v:BuildNumber};
176 | ad ${/v:ImageLoadCount};
177 | ad ${/v:ImageLoadBase};
178 | ad ${/v:ProcessNotifyCount};
179 | ad ${/v:ProcessNotifyBase};
180 | 
181 | 


--------------------------------------------------------------------------------
/JavaScript/ListProcs.js:
--------------------------------------------------------------------------------
 1 | //
 2 | // ListProcs.js
 3 | //
 4 | // Walk the current list of processes
 5 | //
 6 | // OSR Open Systems Resources, inc.
 7 | //
 8 | // http://www.osr.com
 9 | // http://www.osronline.com
10 | //
11 | //
12 | // To run:
13 | //  
14 | //   .load jsprovider.dll
15 | //   .scriptload ListProcs.js
16 | //   dx Debugger.State.Scripts.ListProcs.Contents.ListProcs()
17 | //
18 | function ListProcs() {
19 | 
20 |     // Get easy access to the debug output method
21 |     var dbgOutput = host.diagnostics.debugLog;
22 | 
23 |     dbgOutput("List Processes!\n\n");
24 | 
25 |     var processes = host.currentSession.Processes;
26 | 
27 |     for (var process of processes)
28 |     {
29 |         dbgOutput("Found Process:\n");
30 |         dbgOutput("\tName : ", process.Name, "\n");
31 |         dbgOutput("\tId   : ", process.Id, "\n");
32 |     }
33 | 
34 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # windbg-exts
 2 | Various WinDbg extensions and scripts
 3 | 
 4 | 
 5 | ## CommandPrograms ##
 6 | Scripts written using the WinDbg scripting language. No one writes these (except maybe snoone), but we have some so might as well put them here.
 7 | 
 8 | ## JavaScript ##
 9 | Scripts written using JavaScript and the Debugger Object Model (DOM).
10 | 
11 | 


--------------------------------------------------------------------------------