Windbg: Using .shell to search text

To me one of the most useful commands when using windbg is .shell. According to Debugging Tools For Windows documentation

“The .shell command launches a shell process and redirects its output to the debugger, or to a specified file.”

So why would launching a shell process be interesting and useful in my day-to-day work? Maybe to impress friends (who know nothing about debugging) with strange commands, or to make it all sound very complicated. Well, actually I use .shell for one of the simplest tasks we all do every day, and that's finding text. Now you might be thinking: so why don't you just use Ctrl+F and find what you want? (We will talk about this in a couple of minutes.)

So, as I was saying, I use it a lot to find text inside memory dumps, and this saves me time. Since .shell launches a shell process, the key here is to use the old FIND command from DOS to help us. FIND lets you search for text inside a file (or in text piped to it). If you open a command line and type FIND /?, you will see something like this:

Searches for a text string in a file or files.

FIND [/V] [/C] [/N] [/I] [/OFF[LINE]] "string" [[drive:][path]filename[ ...]]

  /V         Displays all lines NOT containing the specified string.
  /C         Displays only the count of lines containing the string.
  /N         Displays line numbers with the displayed lines.
  /I         Ignores the case of characters when searching for the string.
  /OFF[LINE] Do not skip files with offline attribute set.
  "string"   Specifies the text string to find.
  [drive:][path]filename
             Specifies a file or files to search.

If a path is not specified, FIND searches the text typed at the prompt
or piped from another command.

The sample below is a (very simple) example of finding a specific string in the call stacks of all threads. I use it a lot to find specific values inside object properties, but I'm sure you will find other useful uses for this command.

0:000:x86> .shell -ci "~*kb" FIND /I "BaseCachedThreadroutine"
0c8ffdb0 75721c6b 00512fe0 0c8ffdc8 76c9e3f3 rpcrt4!BaseCachedThreadRoutine+0x9e
0effff60 75721c6b 00512fe0 0effff78 76c9e3f3 rpcrt4!BaseCachedThreadRoutine
.shell: Process exited

The -ci argument specifies that the output of the debugger command "~*kb" (the call stack of every thread) is to be used as the input of the FIND command, and the trailing ".shell: Process exited" line simply tells you the shell process has finished. .shell has more options, which you can look up in the Debugging Tools for Windows help.
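A few more ways of combining .shell -ci with FIND, added here as examples that are not from the original post. They use the FIND switches listed in the help text above plus the -o option of .shell (write the shell process output to a file); the search strings and the path C:\Temp\stacks.txt are assumed values chosen for illustration, not taken from the dump shown above.

```windbg
$$ Count the threads whose stack mentions a given function (FIND /C prints only the count)
.shell -ci "~*kb" FIND /C /I "WaitForSingleObject"

$$ Show only frames from one module, numbering the lines of the piped output
.shell -ci "~*kb" FIND /N /I "rpcrt4!"

$$ Invert the match: every stack line that does NOT come from ntdll
.shell -ci "~*kb" FIND /V /I "ntdll!"

$$ Any debugger command works as the input stream, e.g. list modules whose symbols are still deferred
.shell -ci "lm" FIND /I "deferred"

$$ Triage a dump for memory that is both writable and executable, a classic sign of injected code
.shell -ci "!address" FIND /I "PAGE_EXECUTE_READWRITE"

$$ Several debugger commands, separated by semicolons, feed one FIND
.shell -ci "~*kb; lm" FIND /I "rpcrt4"

$$ Keep the unfiltered stacks for later: -o sends the shell output to a file
$$ (FIND /V "" passes every line through, since no line "contains" the empty string)
.shell -o C:\Temp\stacks.txt -ci "~*kb" FIND /V ""
```

Two things to keep in mind. FIND matches a literal substring, so if you need a pattern, pipe the same -ci output into FINDSTR /R instead. And FIND only sees the text the debugger prints: if symbols for a module have not been resolved, ~*kb shows raw return addresses and a search for a function name will come back empty, so check the lm output first when a match you expect is missing.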

Till next time. Have Fun!!!

Bruno