To find the all the strings in the thread stack, you’ll need to know about a few things before we jump into code, in windbg there is something called as pseudo registers, and they are very handy to use, one of them is “$csp”, This is the current call stack pointer. This pointer is the register that is most representative of call stack depth; then there is something known as $teb, this points to thread environment block and poi(@$teb+4) always points to the stack base. You can also confirm it using !teb
Here is the output:
Evaluate expression: 40566784 = 026b0000
TEB at 7ffda000
ClientId: 00000c70 . 00000c90
Tls Storage: 0023db88
PEB Address: 7ffd4000
Count Owned Locks: 0
Now, there are a few more things to know, which would be pretty clearer after seeing the code.
1) You can set the value of an inbuilt alias using “r <alias_name> =” notation (e.g. r@$t0 = 2, sets the value of inuilt alias $t0 to 2)
2) “s” is a command to search strings, use –su or –sa to look for unicode or ascii strings respectively. @$t0 and @$t1 tells the command to search in the range starting from the value of @$t0 and ending at @$t1
Using the above concepts, you can easily construct the command below easily.
r @$t0=@$csp;r @$t1=poi(@$teb+4);s- sa @$t0 @$t1
r @$t0=@$csp;r @$t1=poi(@$teb+4);s- su @$t0 @$t1
Bye, got to get back to my work ..