WinDbg: Find thread id after CreateThread call

bu kernel32!CreateThread “r $t0= poi(@esp+0n24);gu;r $t1 = poi(@$t0)”

 

Result at $t1

WinDbg automation: Collect all binaries loaded by process

This windbg script collects all binaries (dll and exe) that are currently loaded by process.

This useful operation is required if it is planned to create memory dump and process it on another machine. So you need the all (in worst case) binaries from dumped process.

It is placed here https://github.com/DmitryKrinitsyn/WinDbg

How to use:

  1. Obtain “cb.wds” script. Check it out from git repository or just copy+paste text and save it as “cb.wds” file.
  2. Store “cb.wds” file somewhere it can be easy referred from WinDbg, for example WinDbg’s installation folder (C:\Program Files\Debugging Tools for Windows (x86)\)
  3. Enter WinDbg’s command line “$$>a< cb.wds <local path to store binaries>
  4. Enjoy J

Comments, suggestions and new proposed desired WinDbg automations are highly appreciated.