Jaa


Special Command: Using ??, @@c++() and poi() with C/C++ Expressions

I really like using C/C++ expressions from WinDbg. It’s a natural way to extract information from C and C++ applications if you know these programming languages; therefore, I think it’s useful to share how to do this.

First, let’s talk about poi().

poi() is used to get pointer-sized data. Think about the * operator for C and C++.

For example:

 

Therefore, poi is the best operator to use if you want pointer-sized data.

The double question mark ( ?? ) command evaluates and displays the value of an expression according to the C++ expression rules.

Now, let me show you how to get a pointer value using poi() and ?? .

The single question mark ( ? ) is used to evaluate expressions.

Tip: By using ?, you can easily convert a number from hexadecimal to decimal or vice versa. Remember to use the prefix 0x for hexadecimal and 0n for decimal.

Examples:

Finally, we have the C++ expression parser - @@c++() - that supports all forms of C++ expression syntax, such as:

- Numbers in C++ expressions

- Characters and strings in C++ expressions

- Symbols in C++ expressions. (see WinDbg documentation for details)

- Operators in C++ expressions

- Registers and pseudo-registers in C++ expressions

- Macros in C++ expressions

Examples:

 

For more information, you may want to read the Magic Pointers article.

Here you can see scripts that use the ?? , @@c++() or poi() commands.

Comments

  • Anonymous
    March 03, 2008
    PingBack from http://msdnrss.thecoderblogs.com/2008/03/04/special-commands-using-c-and-poi-with-cc-expressions/

  • Anonymous
    March 03, 2008
    PingBack from http://www.secure-software-engineering.com/2008/03/04/special-commands-using-c-and-poi-with-cc-expressions/

  • Anonymous
    September 19, 2008
    Hi, I'm trying to learn how to use C/C++ expressions in WinDbg. Thanks for your article! I am having trouble with the following: 0:000> ?? * (long*) ((@esp)+12) == -13 bool true 0:000> .if  (-13 == -13) {.echo do whatever} do whatever so far, so good. But how do I use this in a conditional? --- 0:000> .if  (?? * (long*) ((@esp)+12) == -13) {.echo do whatever} Syntax error at '?? * (long*) ((@esp)+12) == -13) {.echo do whatever}' 0:000> .if  (? * (long*) ((@esp)+12) == -13) {.echo do whatever} Syntax error at '? * (long*) ((@esp)+12) == -13) {.echo do whatever}

  • Anonymous
    September 20, 2008
    The comment has been removed

  • Anonymous
    September 22, 2008
    Yes, thank you for your detailed explanation, that was very helpful! I guess I was confused when to use ?, when @@c++ and when ?? , but you cleared it up. Apologies if my question was unclear; I understand how to use registers, but I was trying to use a parameter on the stack, and it seemed I had to cast it the way I did.