Can WinDbg script extract an EPROCESS address from command output?

Can WinDbg’s script processor do string processing and use the results as
addresses? Here’s an example of what I’d like to do –

I want to know when ssonsvr.exe has terminated. To do this, I want to
monitor writes to the Type field of the object header of the process object.
I can manually do this with the following WinDbg commands:

First, getting the EPROCESS address of ssonsvr.exe –

kd> !process 0 0 ssonsvr.exe
PROCESS 85d1a020 SessionId: 0 Cid: 094c Peb: 7ffde000 ParentCid: 0910
DirBase: 24240560 ObjectTable: e1047890 HandleCount: 24.
Image: ssonsvr.exe

The number after the string ‘PROCESS’ is the _EPROCESS address that I’m
interested in. Taking that address, I can get the encapsulating object
header. (For demonstration purposes, this is done in steps but normally I’d
just take the object address and subtract 0x18 from it to get the same

First, get the encapsulating object:

kd> !object 85d1a020
Object: 85d1a020 Type: (867c6e38) Process
ObjectHeader: 85d1a008 (old version)
HandleCount: 1 PointerCount: 8

Embedded in the return string is ObjectHeader: and the following address is
where the object header is located. Using that address, we can gain access to

kd> dt nt!_OBJECT_HEADER 85d1a008
+0x000 PointerCount : 8
+0x004 HandleCount : 1
+0x004 NextToFree : 0x00000001
+0x008 Type : 0x867c6e38 _OBJECT_TYPE
<snipped for brevity>

When Type changes then the process object is no longer valid so I want to
set a break point when this address is written to. For convenience, I’ll go
ahead and write some cosmetic space and follow that with a stack dump. This
is done with

kd> ba w4 85d1a008+8 ".echo *** end of ssonsvr ***;.echo*;kb200"

This break point is the real meat of the matter. Is it possible to write a
WinDbg script that would automate the essentials of the above example?
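One way to automate the steps above is a WinDbg command script that uses `.foreach` to tokenize the output of `!process` and capture the second token (the address after "PROCESS") into a pseudo-register. This is a constructed example written for this page, not code from the original post; the script file name, the `$$>a<` argument convention and the pseudo-register names are my choices, and the 0x18 body offset and +0x8 `Type` offset are taken from the old-version `_OBJECT_HEADER` layout shown above, so they must be re-checked with `dt nt!_OBJECT_HEADER` on any other OS build.

```windbg
$$ break_on_process_teardown.wds  (constructed example, not from the original post)
$$
$$ Run from kd with the image name as the first script argument:
$$     $$>a< C:\scripts\break_on_process_teardown.wds ssonsvr.exe
$$
$$ !process 0 0 <image> prints:  PROCESS <addr> SessionId: ... Image: <image>
$$ /pS 1  skips the leading "PROCESS" token
$$ /ps 100 skips everything after the address, so one line yields one token
$$ (only the first matching process is handled if several share the name)

.foreach /pS 1 /ps 100 (eproc { !process 0 0 ${$arg1} })
{
    r @$t0 = eproc

    .if (@$t0 == 0)
    {
        .printf "No _EPROCESS found for %s\n", "${$arg1}"
    }
    .else
    {
        $$ Body sits at +0x18 in this (old-version) _OBJECT_HEADER layout,
        $$ so the header starts 0x18 bytes before the _EPROCESS
        r @$t1 = @$t0 - 0x18

        $$ Type is at header +0x8 per the dt output above
        r @$t2 = @$t1 + 0x8

        .printf "EPROCESS %p  OBJECT_HEADER %p  Type field %p\n", @$t0, @$t1, @$t2

        $$ Show the header once so the offsets can be eyeballed before arming
        dt nt!_OBJECT_HEADER @$t1

        $$ Hardware write breakpoint on the 4-byte Type field, same action
        $$ string as the manual ba command in the question
        ba w4 @$t2 ".echo *** end of ${$arg1} ***; .echo; kb 200"
    }
}
```

The `r @$t0 = eproc` line is where the string-to-address step happens: `.foreach` substitutes the token text, and the MASM evaluator parses it as a hex number. If you prefer not to hard-code 0x18 and 0x8, `@@c++(#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))` and `@@c++(#FIELD_OFFSET(nt!_OBJECT_HEADER, Type))` give the same offsets from symbols, which is safer across OS versions where the header layout changed.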
