How to find all the strings in the thread stack?

To find all the strings in the thread stack, you need to know a few things before we jump into the code. WinDbg has what are called pseudo-registers, and they are very handy. One of them is $csp, the current call stack pointer; this is the register most representative of call stack depth. Another is $teb, which points to the thread environment block, and poi(@$teb+4) always points to the stack base. You can also confirm this using !teb.

Here is the output:

0:002> ?poi(@$teb+4)
Evaluate expression: 40566784 = 026b0000
0:002> !teb
TEB at 7ffda000
    ExceptionList:        026affdc
    StackBase:            026b0000
    StackLimit:           026af000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffda000
    EnvironmentPointer:   00000000
    ClientId:             00000c70 . 00000c90
    RpcHandle:            00000000
    Tls Storage:          0023db88
    PEB Address:          7ffd4000
    LastErrorValue:       1008
    LastStatusValue:      c000007c
    Count Owned Locks:    0
    HardErrorMode:        0

Now, there are a few more things to know, which will be clearer after seeing the code.

1) You can set the value of a pseudo-register with the r command using the "r <register> =" notation (e.g. r @$t0 = 2 sets the pseudo-register $t0 to 2).
2) s is the memory search command; use -su to look for Unicode strings or -sa to look for ASCII strings. @$t0 and @$t1 tell the command to search the range starting at the value of @$t0 and ending at @$t1.

Using the above concepts, you can easily construct the commands below.

r @$t0=@$csp;r @$t1=poi(@$teb+4);s -sa @$t0 @$t1
r @$t0=@$csp;r @$t1=poi(@$teb+4);s -su @$t0 @$t1
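As an added example (not code from the post), here is a stand-alone Python re-implementation of what the two commands do: walk the bytes between @$csp and poi(@$teb+4) and report every run of printable ASCII or UTF-16LE characters of at least a minimum length (three here), tagged with the address it was found at. It is handy when you have the stack region from a memory dump rather than a live WinDbg session. The stack contents, the @$csp value and the return address are constructed for the example; only the StackBase value 026b0000 comes from the !teb output above. Note that the post's offset 4 is for a 32-bit target; on x64 the StackBase field of the TIB sits at offset 8, so the equivalent there is poi(@$teb+8).

```python
"""
Stand-alone equivalent of WinDbg's `s -sa` / `s -su` over the range
@$csp .. poi(@$teb+4), applied to a byte buffer that stands in for the
live part of a thread stack (for example, read out of a memory dump).
"""
import re

STACK_BASE = 0x026B0000  # StackBase from the post's !teb output (32-bit target)
CSP = 0x026AFF00         # constructed: a pretend current stack pointer (@$csp)


def find_ascii_strings(buf, base, min_len=3):
    """Runs of printable ASCII (0x20-0x7e) of at least min_len characters.
    Returns (address, text) pairs with address = base + offset, like s -sa."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(buf)]


def find_unicode_strings(buf, base, min_len=3):
    """Runs of UTF-16LE characters in the printable ASCII range (a printable
    byte followed by 0x00) of at least min_len characters, like s -su."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(buf)]


def find_stack_strings(stack, csp, stack_base, min_len=3):
    """Search the live part of the stack, csp .. stack_base, for both kinds
    of string. `stack` must hold the bytes at addresses csp .. stack_base-1.
    Returns (address, kind, text) triples sorted by address."""
    assert len(stack) == stack_base - csp, "buffer must cover exactly csp..stack_base"
    hits = [(addr, "ascii", s) for addr, s in find_ascii_strings(stack, csp, min_len)]
    hits += [(addr, "unicode", s) for addr, s in find_unicode_strings(stack, csp, min_len)]
    return sorted(hits)


def build_sample_stack():
    """Constructed stack contents: a fake return address, one ASCII path
    and one UTF-16LE module name; everything else is zero."""
    buf = bytearray(STACK_BASE - CSP)                       # 0x100 bytes
    buf[0x10:0x14] = (0x7C801AD9).to_bytes(4, "little")     # constructed return address
    ascii_path = b"C:\\Windows\\System32\x00"
    buf[0x20:0x20 + len(ascii_path)] = ascii_path
    wide_name = "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    buf[0x60:0x60 + len(wide_name)] = wide_name
    return bytes(buf)


if __name__ == "__main__":
    for addr, kind, text in find_stack_strings(build_sample_stack(), CSP, STACK_BASE):
        # same shape as WinDbg's output: address first, then the string
        print(f"{addr:08x}  {kind:7s} \"{text}\"")
```

The two regexes mirror the two flags: -sa is a run of printable bytes, -su is a run of printable bytes each followed by a zero byte. Keeping the search range explicit (csp to stack_base) is what makes the result comparable to the WinDbg commands, since anything below @$csp is dead stack and anything above StackBase is not this thread's stack at all.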


Bye, got to get back to my work ..
