[Windbg Script] Digging the Call Stack


Windbg has a lot of commands and command variations, so sometimes you may forget some of them, like when you need to dig a call stack to extract more information. Or maybe you remember the commands to get the call stack details, but you need to make sure you get the entire stack. Or yet you may want a way to quickly dig the stack and get information first from the frames and then from the local variables without spending too much time typing commands or using the arrow keys.


If you see yourself in one of these scenarios, this script is for you!


This script enables you to quickly get the following information from the call stack:


      ANSI strings.


      Unicode strings.


      Symbols.


      Pointer references.


      Local variables by frames.  (requires private symbols)


 


The interface is very simple and probably not so beautiful. Be glad I’m not part of the Windows GUI team. J


 


These are two screenshots to give you an idea:


 




 


 



 


Source code – DIG_STACK.TXT:


 


$$


$$ =============================================================================


$$ Dig information from the current call stack: 


$$ – Unicode Strings


$$ – ANSI Strings


$$ – Symbols


$$ – Pointer references


$$ – Local variables by frames


$$


$$ Compatibility: Win32, should work on Win64.


$$


$$ Usage: $$>< to run the script.


$$


$$ If necessary change the filename below to include your path and filename.


$$ By default it uses the WinDbg path and the default file name is DIG_STACK.TXT


$$


$$ Roberto Alexis Farah


$$ Blog: http://blogs.msdn.com/debuggingtoolbox/


$$


$$ All my scripts are provided “AS IS” with no warranties, and confer no rights.


$$ =============================================================================


$$


.block


{


    as ${/v:ScriptName} MYSCRIPTS\\DIG_STACK.txt


}


.block


{


    .printf /D “<link cmd=\”dpu @$csp poi(@$teb+0x4);ad ${/v:ScriptName}; $$><${ScriptName}\”><b>Unicode Strings</b></link>\n\n”


    .printf /D “<link cmd=\”dpa @$csp poi(@$teb+0x4);ad ${/v:ScriptName}; $$><${ScriptName}\”><b>ANSI Strings</b></link>\n\n”


    .printf /D “<link cmd=\”dps @$csp poi(@$teb+0x4);ad ${/v:ScriptName}; $$><${ScriptName}\”><b>Symbols</b></link>\n\n”   


    .printf /D “<link cmd=\”dpp @$csp poi(@$teb+0x4);ad ${/v:ScriptName}; $$><${ScriptName}\”><b>Pointer References</b></link>\n\n”


    .printf /D “<link cmd=\”kpM 2000;ad ${/v:ScriptName}; $$><${ScriptName}\”><b>Local Variables by Frames</b></link>\n”       


}


$$ ===========================================================================


 


 


Read me.

Comments (18)

  1. Naveen says:

    Cool post. Keep up the great job.

  2. Baruch Frost says:

    This is a really useful script. Thank you so much for publishing it!  Great work!!!

  3. Douglas Mello says:

    Farah… great post, great blog, great work!!!

    Congratulations,

    Douglas Mello.

  4. nativecpp says:

    Hi,

    I have used Windbg but am new to the script. So, I copied and pasted the script source code and got the following syntax error

    ^ Syntax error in ‘;    as MYSCRIPTS\DIG_STACK.txt; MYSCRIPTS\DIG

    Any idea where I copied wrong ? BTW, my windbg version is 6.6.

    Thanks

  5. Hi nativecpp,

    This error happens when you call the script twice, so the alias value is not replaced but added to the previous one.

    You can verify it using the al command. It list the aliases and their values.

    I guess you got an error, then tried to run the script again and got this error.

    Try it:

    – Create a MYSCRIPTS folder in the location you are using Windbg. In my case is:

    c:debuggersmyscripts

    – Put the DIG_STACK.TXT in this folder.

    – To execute run $$><MYSCRIPTSDIG_STACK.TXT

    If you get a different error after doing that, like a Syntax Error it might indicate the line with sintax error should be part of the previous line. (no line break)

    Let me know if it works.

  6. nativecpp says:

    Hi,

    Thanks for the additional info.

    I believe I have copied the script file into the correct folder as I purposely used an incorrect filename and Windbg complained.

    I ran the script once and nothing happened so I ran again and as you stated, that is why I got this error.

    I thought I would the screen #1 you psoted and because nothing happend, so I ran again.

    What should happen if I ran the script ? πŸ™

    BTW, I ran the script once and as you recommended ran al command and this is what happened:

    0:001> $$><myscriptsdig_stack.txt

    001> al

     Alias            Value  

    ——-          ——-

    ScriptName       MYSCRIPTS\DIG_STACK.txt;

    Thanks

  7. Hi,

    The Read Me talks about this alias problem. It happens when calling the script twice or calling another script that uses same alias names. I got a hard time with this issue when doing my first script.

    The al commands shows you the expected output now and this is one of the approaches I use to debug them. In your case the alias and value are correct.

    I suppose now it’s running fine, right? Can you see the hyperlinks? When you click one of them it shows you the information then presents the links again.

  8. nativecpp says:

    Hi,

    I don’t see any link. In fact, it just executed the command and *nothing* happened. May be I am missing something. Let me tell you my steps:

    1) Open Windbg

    2) Attach notepad process

    3) In the command windows, execute the script.

    Nothing displayed in the command windows.

    Thanks

  9. nativecpp says:

    Just want to clarify that I don’t get any error message and yet don’t see any link at all like screen #1 you posted. That’s why may be somehow my Windbg’s environment is wrong ????

  10. Hum… yes, it may be something with your Windbg.

    Try it using this version: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

    However, remove your current Windbg installation then install the new one.

    I’m curious. πŸ™‚

  11. nativecpp says:

    My Windbg is 6.6.3.5 and the latest version is 6.6.7.5.   Is your Windbg 6.6.7.5 ?

  12. The version I use at home is 6.6.7.5. Here at MS we have an internal version.

    Anyway, this is the problem, your Windbg version that is too old.

    Take a peek at this article: http://www.microsoft.com/whdc/devtools/debugging/whatsnew.mspx

    DML was introduced in version 6.6.7.5

  13. nativecpp says:

    Great, mystery solved. Thanks. I will update later.

  14. nativecpp says:

    I updated to the latest Windbg and these are my finding:

    1) For some reason, I needed to specify full path as follow:

    0:001> $$><C:Program FilesDebugging Tools for Windowsdig_stack.txt

    2) I modifed the script to reflect this as follow:

    .block

    {

       as ScriptName C:\Program Files\"Debugging Tools for Windows"\MYSCRIPTS\DIG_STACK.txt

    }

    Note that I have to use quote in "Debugging Tools for Windows"

    3) When I clicked Symbols, I got the following

    0:001> .for(r @$t3 = @$csp; @$t3 <= @$t0; r @$t3 = @$t3 + 0xC;){.if(0 != poi(@$t3)){dps @$t3 L1}};ad /q *; $$><${ScriptName}

    00a1ffcc  7c9507a8 ntdll!DbgUiRemoteBreakin+0x2d

    00a1ffd8  00000001

    00a1ffe4  ffffffff

    Memory access error at ‘)){dps @$t3 L1}’

    Am I missing something ? BTW, I just attached notepad and ran the script

    Thanks

  15. Hey nativecpp, good to know it’s working! πŸ™‚

    You did right changing the path.

    This error happens because you used the script on a very small thread call stack. The script uses 0x300 as the call stack range. If you run it on a larger call stack it should run fine.

    Anyway, to avoid this situation I’m changing the script now, so you can try the updated version and see how it’s working.

    Thanks for your feedback!

  16. I just fixed some problems with line breaks, inserted when I put the fix for the article. I just found out it! Now that I copied and pasted it from the blog to notepad and got an error when running it.

  17. New update: This version is simpler, faster and always dumps the entire stack of the thread!