
How to use alias interpreter inside another alias in WinDbg?


I have a bunch of aliases for accessing global debug variables in my code, which look something like this:

aS _dbg_log_last "dx mymodule!g_dbg_variable_with_a_long_name->logger.log_buffer[mymodule!g_dbg_variable_with_a_long_name->logger.size - 1]"

I am obviously not a fan of the last one with the repetition, so I tried to refactor it to the following:

aS _dbg_log "mymodule!g_dbg_variable_with_a_long_name->logger"
aS _dbg_log_last "dx ${_dbg_log} .log_buffer[${_dbg_log}.size - 1]"

If I copy the contents of the _dbg_log_last alias and run it manually, everything works. But if I actually try to invoke it, I am getting an error:

Error: unexpected token at {_dbg_log}...

So it looks like it swallows the $ character when executing the alias. I have also tried unquoting either or both aliases, using as instead of aS, adding /f and other flags to the alias interpreter, and escaping the $ with \$ or $$; nothing works.

Minimal repro:

aS _foo "1"
aS _bar "dx ${_foo} ,x"

dx ${_foo} ,x
_bar

Expected:

1 ,x : 0x1
1 ,x : 0x1

Actual:

1 ,x : 0x1
Error: Unexpected token at '{_foo} ,x'

Solution

  • As Nietsa says, mixing dx with as / aS may not be compatible,

    but unless you force execution with a .block{}, the aliases are not going to be expanded.

    I'll show an example with a public struct; see if that helps you.

    delete prior aliases if any and list

    0:000> ad *
    0:000> al
    No aliases
    

    define new aliases and list

    0:000> as foo ((ntdll!_PEB *)@$proc)->ProcessParameters
    0:000> as bar ${foo}->DesktopInfo
    0:000> al
      Alias            Value
     -------          -------
     bar              ${foo}->DesktopInfo
     foo              ((ntdll!_PEB *)@$proc)->ProcessParameters
    

    check the simple alias

    0:000> ?? ${foo}->WindowTitle
    struct _UNICODE_STRING
     "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe"
       +0x000 Length           : 0x78
       +0x002 MaximumLength    : 0x7a
       +0x008 Buffer           : 0x000002c3`30ca2e3a  "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe"
    

    check the compound alias without a surrounding .block{}

    0:000> ?? ${bar}
    Unexpected character in '${foo}->DesktopInfo'
    

    surround it with a .block to force expansion first

    0:000> .block { ?? ${bar} }
    struct _UNICODE_STRING
     "WinSta0\Default"
       +0x000 Length           : 0x1e
       +0x002 MaximumLength    : 0x20
       +0x008 Buffer           : 0x000002c3`30ca2eb4  "WinSta0\Default"
    0:000>
    

    supposedly if you have a script file that is based on foo and bar above as below

    .block { ?? ${bar}.Buffer[0] }
    .block { ?? ${bar}.Buffer[1] }
    .block { ?? ${bar}.Buffer[2] }
    .block { ?? ${bar}.Buffer[3] }
    .block { ?? ${bar}.Buffer[4] }
    .block { ?? ${bar}.Buffer[5] }
    .block { ?? ${bar}.Buffer[6] == '1' } 
    .block { ?? ${bar}.Buffer[6] == '0' } 
    

    running the script should yield

    0:000> $$>< d:\alias.wds
    wchar_t 0x57 'W'
    wchar_t 0x69 'i'
    wchar_t 0x6e 'n'
    wchar_t 0x53 'S'
    wchar_t 0x74 't'
    wchar_t 0x61 'a'
    bool false
    bool true
    0:000>