windbg预览版 JavaScript 遍历所有窗口

系统版本：Win10 x64 1903（10.0.18362）
先附加到 explorer.exe 进程再执行

"use strict";

function initializeScript()
{
    // Declare the debugger JavaScript API version this script is written against (1.6).
    const requiredApi = new host.apiVersionSupport(1, 6);
    return [requiredApi];
}

 // Write one line to the debugger output window (appends the newline itself).
 const logln = (msg) => {
     host.diagnostics.debugLog(msg + '\n');
 };

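    /**
     * Read one 8-byte value from target memory.
     *
     * @param {host.Int64} addr - Address to read (an Int64, e.g. from host.parseInt64).
     * @returns {host.Int64} The value at `addr`, or an Int64 zero when the read fails.
     *
     * Reads are best-effort: an unmapped/unreadable address yields zero so the
     * callers can treat it like a null pointer and keep scanning. The failure
     * value is an Int64 (not the number 0) so that callers using
     * .compareTo/.add/.multiply on the result do not hit a TypeError.
     */
    function read_u64(addr) {
        let ret = host.Int64(0);
        try {
            ret = host.memory.readMemoryValues(addr, 1, 8)[0];
        } catch (e) {
            // Observed failure text on this build:
            // "Error: 64 bit value loses precision on conversion to number".
            // Deliberately swallowed: a bad address is expected during a table scan.
            ret = host.Int64(0);
        }
        return ret;
    }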

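/**
 * Walk the kernel window handle table and print the name of every window
 * whose tagWND has a non-null name pointer.
 *
 * Output goes to the debugger log as: index, tagWnd address, window name.
 * Intended to run after attaching to explorer.exe (see page notes).
 */
function invokeScript()
{
    // NOTE(review): these are absolute kernel virtual addresses captured from a
    // single boot of the author's machine (build 10.0.18362). KASLR relocates
    // them on every boot, so they must be re-resolved from the exported symbols
    // gpKernelHandleTable / gSharedInfo before this script is reused elsewhere.
    const gpKernelHandleTable = read_u64(host.parseInt64('0xffffb9bb1a9c5758', 16));
    const gSharedInfo = read_u64(host.parseInt64('0xffffb9bb1a9c5770', 16));

    // Offset of the window-name pointer inside tagWND (from the original author's notes).
    const WND_NAME_OFFSET = 0xb8;
    // Upper bound on handle indexes probed; chosen by the author, not read from the table.
    const MAX_HANDLE_INDEX = 0xffff;

    for (let i = 0; i < MAX_HANDLE_INDEX; i++) {
        // Byte offset of entry i: (gSharedInfo * i) >> 5, scaled by 0x18 bytes per entry.
        // NOTE(review): the dependence on the value read at gSharedInfo is taken from
        // the original script as-is — confirm this is the intended entry stride.
        const entryOffset = gSharedInfo.multiply(i).bitwiseShiftRight(5).multiply(0x18);

        // Skip empty handle slots (read_u64 also yields 0 for unreadable entries).
        const tagWnd = read_u64(gpKernelHandleTable.add(entryOffset));
        if (tagWnd.compareTo(0) === 0) {
            continue;
        }

        // Skip windows without a name pointer.
        const namePtr = read_u64(tagWnd.add(WND_NAME_OFFSET));
        if (namePtr.compareTo(0) === 0) {
            continue;
        }

        try {
            const wndName = host.memory.readWideString(namePtr);
            host.diagnostics.debugLog("index: ", i.toString(16), " tagWnd: ", tagWnd, "  名称:", wndName, "\n");
        } catch (e) {
            // Observed failure text: "Error: 64 bit value loses precision on conversion to number".
            // The name pointer may reference memory that is not a readable wide string;
            // such entries are skipped on purpose so one bad slot does not stop the scan.
        }
    }
}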

gpKernelHandleTable 和 gSharedInfo 都是导出的




