diff --git a/MEX/Mex.exe b/MEX/Mex.exe index 9ca9460..898eeeb 100644 Binary files a/MEX/Mex.exe and b/MEX/Mex.exe differ diff --git a/MEX/README.txt b/MEX/README.txt index 4aeb8fc..5399729 100644 --- a/MEX/README.txt +++ b/MEX/README.txt @@ -1,11 +1,11 @@ kd> !load mex -Mex External 3.0.0.7148 Loaded! +Mex External 3.0.0.7172 Loaded! kd> !mex -Mex currently has 324 extensions available. Please specify a keyword to search. +Mex currently has 255 extensions available. Please specify a keyword to search. Or browse by category: -All PowerShell[6] SystemCenter[3] IE[6] RDS[2] Excel[4] Word[6] VB[5] MAPI[24] MSO[3] Outlook[15] Networking[12] Process[7] Mex[2] Kernel[27] DotNet[32] Decompile[15] Utility[40] Thread[27] Binaries[6] General[23] -7: kd> !mex.help -all +All PowerShell[6] SystemCenter[3] Networking[12] Process[5] Mex[2] Kernel[27] DotNet[32] Decompile[15] Utility[40] Thread[27] Binaries[6] General[22] +kd> !mex.help -all Command Description Category Owner =========================================== ======================================================================================================================================================== ============ =========== addr Display information about an address Kernel mexfeedback @@ -13,7 +13,6 @@ afd Afd Command Help aspnetcache (!aspnetcache) Display the ASP.NET Cache DotNet mexfeedback aspxpagesext Like !aspxpages, but more powerful DotNet mexfeedback atom Dumps user mode atom table Utility mexfeedback -autod Enable or disable AutoDiscover tracing output for Outlook Outlook mexfeedback backtrace (!bt) Displays the stack backtrace for the specified index into ntdll!RtlpStackTraceDatabase General mexfeedback base64 (!b64) Displays or saves base64 data General mexfeedback beep Beeps Utility mexfeedback 
@@ -22,14 +21,12 @@ bits2 (!b2) Executes a command with all possible bl Replaces the built in breakpoint list (bl) command with DML'd version Utility mexfeedback bp Replaces the built in breakpoint (bp) command with a DML'd version Utility mexfeedback cache (!c) Cache the output of a command to replay later Utility mexfeedback -celement (!_mce) Dump mshtml!CElement object from address IE mexfeedback chkall Shortcut for !chkimg against all modules Binaries mexfeedback classtype (!ct) Tries to determine the C++ class type of a pointer General mexfeedback clipboard2 Gets/Sets text on the clipboard, or enable/disable clipboard access Utility mexfeedback clrstack2 (!ck2) Prints the stack trace of a managed thread DotNet mexfeedback clusdisk Shows all the disk cluster is aware of for W2k3 - W28R2 General mexfeedback codescope Prints all available code analysis checklists Decompile mexfeedback -colescript (!_jscole) Dump jscript!COleScript object from address IE mexfeedback commandline (!cl) Prints out the command line of a process General mexfeedback comment Displays the comments for the dump Utility mexfeedback computername (!cn) Computer Name Command Help Utility mexfeedback @@ -38,8 +35,6 @@ context (!w) Prints out the current implicit proc cordll (!cordll) Displays available CLR versions DotNet mexfeedback count Counts the number of lines returned by a command Utility mexfeedback criticalsection (!cs) CS - Displays details for a critical section General mexfeedback -crypt32 Dumps crypt32.dll info Process mexfeedback -cscriptbody Dumps information about a vbscript!CScriptBody object VB mexfeedback cut Filters output, removing unwanted areas Utility mexfeedback da Displays an ANSI string Utility mexfeedback dae (!DumpAllExceptions) Replacement for !dae DotNet mexfeedback 
@@ -60,48 +55,26 @@ driverobject (!drvo) Displays details about a driver obje dtpool (!dtp) Displays information about a pool allocation, if it is a known pooltag we will 1. Try to run the correct extension, or 2. Just dt the structure for you. Kernel mexfeedback du Displays a Unicode string Utility mexfeedback dumpaspnetsession Prints information on ASP.NET InProc Sessions DotNet mexfeedback -dumpattachmentcol (!dac) Dumps an object which inherits from AttachmentCol Outlook mexfeedback -dumpattachmentobject (!dao) Dumps an object which inherits from AttachmentObject Outlook mexfeedback -dumpccnctconnprovhttp (!dccph) Dumps an emsmdb32!CCnctConnProvHTTP object MAPI mexfeedback -dumpcnct (!cnct) Dumps an emsmdb32!CNCT object MAPI mexfeedback -dumpcontactinfo (!dci) Dumps an CMsoContactInfo object Outlook mexfeedback -dumpcontextlinks (!dcl) Dumps the chain of context links of type outlook!OMContextLink Outlook mexfeedback dumpdataset Dumps a list of all DataSet objects DotNet mexfeedback dumpdotsourcedfiles Outputs any dot sourced Powershell files optionally with their accompanying script blocks PowerShell mexfeedback dumpdynamicassemblies2 (!dda2) Like !DumpDynamicAssemblies, but better DotNet mexfeedback -dumpgcalloc (!_jsgca) Dump jscript Garbage Collector Alloc from address IE mexfeedback dumphttpruntime2 Dumps the HttpRuntime objects on the heap DotNet mexfeedback dumpinfo (!di) Display dump information Utility mexfeedback -dumppersona Dumps an CMsoPersona object Outlook mexfeedback -dumpprintfieldinfo (!dpfi) Dumps a RGPFI array of PrintFieldInfo structures Outlook mexfeedback dumppsvariables Outputs the Powershell Variables of the currently running script on the current thread PowerShell mexfeedback -dumpreminderdialog (!drd) Dumps the reminder dialog from OUTLOOK!g_pReminder Outlook mexfeedback -dumprpcs Finds MAPI RPCs using olmapi32!g_ServerReqMgrList MAPI mexfeedback -dumpsharedlock (!dsl) Dumps the mso!CSharedLock object for the current thread MSO 
mexfeedback dumpstackpscommands Outputs the commands, cmdlets, etc. found on the current thread including those referenced by other objects on the thread. PowerShell mexfeedback dumpstackpsobjects Outputs the PSObjects found on the current thread including those referenced by other objects on the thread. PowerShell mexfeedback dumpstackstrings (!dss) Displays all the strings on the stack Thread mexfeedback -dumpsubmitters Dumps SUBMITTER_REC records MAPI mexfeedback -dumpsystemstring (!systemstring) Dumps a pstprx32!Microsoft::System::String MAPI mexfeedback -dumptasks Dumps SERVER_REQ_TASK_REC records MAPI mexfeedback dumptime Time Information Utility mexfeedback -dumpvar (!dumpvt) Dumps a VARIANT at the given address VB mexfeedback dumpwcfmessage (!wcfmsg) Dumps information about a WCF buffered message DotNet mexfeedback dumpwindowsurfaces (!dws) Dump window surfaces to a directory Kernel mexfeedback -dumpwrappercontexts (!dwc) Dumps Outlook wrapper contexts from outlook!OMPerTypeList::s_pHead Outlook mexfeedback eresource (!eres) Displays details for a nt!_ERESOURCE Kernel mexfeedback -err Interprets an error code MAPI mexfeedback evt Show detail for a nt!_KEVENT Kernel mexfeedback exec Runs a series of commands. Use this instead of using semicolons Utility mexfeedback executive Displays details on threads waiting on the executive Thread mexfeedback fileobject (!fo) Displays information about a given file object Kernel mexfeedback fileserver (!fs) Displays thread running the SRV.sys or SRV2.sys drivers, excluding threads waiting on inbound work General mexfeedback -filetime (!ft) Dumps a FILETIME at the given address MAPI mexfeedback finalizable (!finalizable) Displays information about finalizable objects in the GC Heap DotNet mexfeedback -findunkobj (!fuo) Finds all emsmdb32!UNKOBJ objects in memory (potentially slow) MAPI mexfeedback fixthis Preface a broken command with this one to open an email and send it to the Mex team (e.g. 
!fixthis !otherMexCommandThatDidNotWork Mex mexfeedback -fncinfo Dumps information about a vbscript!FncInfo object VB mexfeedback -foldobj Dumps a folder which inherits from emsmdb32!FOLDOBJ MAPI mexfeedback foreachcpu (!fec) Executes a command on each processor Kernel mexfeedback foreachframe (!fef) An implementation of !for_each_frame that supports filtering and sets the context before executing Thread mexfeedback foreachitem (!fei) Iterates through a list, executing a command for each item. Utility mexfeedback @@ -114,15 +87,11 @@ foreachthread (!fet) An implementation of .for_each_threa gatewait Shows threads with a state of GateWait Thread mexfeedback gchandleinfo (!gchandle) Displays information on GC Handles DotNet mexfeedback gcheapinfo (!gchi) Get info on the managed GC Heap DotNet mexfeedback -genericarray (!ga) Dumps an Outlook GenericArray Outlook mexfeedback grep Search the output of a command for a specific string or pattern Utility mexfeedback -guid Dumps a GUID at the given address MAPI mexfeedback handlefind (!hf) Find handles for a given kernel object General mexfeedback head Displays the first X lines of a command's output Utility mexfeedback help Help General mexfeedback -hidefsurf Encapsulates visualization of the HiDef RDP surfaces RDS mexfeedback httpheaders Print the contents of an HttpHeaderCollection DotNet mexfeedback -httptrace Enable or Disable HTTP tracing output for Outlook Outlook mexfeedback if (!mif) Condition detection based on command output Utility mexfeedback il Prints the IL for the specified method Decompile mexfeedback ilspy Automatically extracts the module from the dump, and launches ILSpy DotNet mexfeedback 
@@ -134,10 +103,8 @@ irpbyfilename (!ibfn) Dump any IRP containing the specifie ldap Displays LDAP client or server details Process mexfeedback listthreads (!lt) Displays a list of threads Thread mexfeedback listticks (!lticks) Show tick counts for threads Kernel mexfeedback -logonobj Dumps an object which inherits from emsmdb32!LOGONOBJ MAPI mexfeedback loop Loops either forwards or backwards through a series of numbers with variable replacement Utility mexfeedback managedthreads (!mthreads) A !threads look-alike, with !aspxpagexext-like output DotNet mexfeedback -mapistruct Dumps a MAPI object MAPI mexfeedback mappeddrives (!mdrives) Displays mapped drives Process mexfeedback messagequeue (!mq) Displays message queue Kernel mexfeedback mheap A DML'd version of !heap. Process mexfeedback 
@@ -147,29 +114,19 @@ mods Displays modules loaded in a process more Runs a command in paged mode, asking for input every X lines Utility mexfeedback mreg This is a DML'd version of !reg Kernel mexfeedback mrmsg (!msg) Interprets a Windows message Utility mexfeedback -msgobj Dumps a message which inherits from emsmdb32!MSGOBJ MAPI mexfeedback -msodoc Displays detailed information about an object which inherits from mso!CMsoOLDocBase MSO mexfeedback -msprvdrobj Dumps a folder which inherits from emsmdb32!MSPRVDROBJ MAPI mexfeedback mup Displays info for the Multiple UNC Provider (MUP) Networking mexfeedback -nametbl (!_jsnt) Dump jscript!NameTbl object from address IE mexfeedback ncsi Displays Network Connectivity Status Indicator (NCSI) configuration Networking mexfeedback ndao Native Dump ALL Objects - Potentially very slow General mexfeedback ndro Native Dump Register Objects General mexfeedback ndso Native Dump Stack Objects Thread mexfeedback net Net Command Help Networking mexfeedback -notifyobj Dumps a message which inherits from emsmdb32!NOTIFYOBJ MAPI mexfeedback obj Displays details for a given kernel object (object manager) Kernel mexfeedback objectsummary Outputs object analysis summary DotNet mexfeedback -objt Interprets an OBJT MAPI mexfeedback obtrace Dumps the trace information for an object Kernel mexfeedback -olanalyze (!ola) Basic Outlook/MAPI dump analysis Outlook mexfeedback -olcmd (!olglobals) Dumps the command line parameters from OUTLOOK!g_psoclCmdLine Outlook mexfeedback -olic (!officelicense) Dumps the Office Licensing information from mso!vplic MSO mexfeedback oracleclientperfcounters Display System.Data.OracleClient performance counters DotNet mexfeedback outline (!ol) Outlines the calls inside a given function Utility mexfeedback p Displays process details Process mexfeedback parsemem Walks a range of memory and counts unique byte sequences Kernel mexfeedback -parsescripttext (!_jssf) Dump jscript9!ScriptEngine::ParseScriptText object 
from address IE mexfeedback phandles (!ph) Shows a list of currently open printer handles General mexfeedback pingtrack Pingtrack command Networking mexfeedback printdbcommand Prints information about a DBCommand object DotNet mexfeedback @@ -177,20 +134,12 @@ printexception2 (!pe2) Like !PrintException, with DML printmanifest Prints the assembly manifest for the specified module Decompile mexfeedback printmembers Scans specified module and type [Module!TypeName] and prints all members Decompile mexfeedback printtypes Scans specified [Module] and prints all types Decompile mexfeedback -proxyinfo (!_wpi) Dump wininet!PROXY_INFO object from address IE mexfeedback psrunspace Outputs the runspaces in the process. PowerShell mexfeedback psscriptblock Outputs the script blocks in the process. PowerShell mexfeedback rasmans Displays the rasmans!ConnectionBlockList Networking mexfeedback readfile Read a file from the filesystem and display the output in the debugger Utility mexfeedback ready (!rdy) Shows the currently ready threads Thread mexfeedback -recenterror (!re) Dumps the recent error queue from olmapi32!g_RecentErrInfo MAPI mexfeedback -rmsfldchg (!folderchange) Dumps an emsmdb32!RMSFLDCHG object MAPI mexfeedback -rnotf Dumps a message which inherits from emsmdb32!RNOTF MAPI mexfeedback rollup (!ru) Takes an input value and rolls it up to the appropriate bucket (e.g. bytes to GB) Utility mexfeedback -rop Interprets a ROP MAPI mexfeedback -rot Dumps Outlook's Running Object Table (ROT) Outlook mexfeedback -rpctrace Enable or Disable RPC tracing output for Outlook Outlook mexfeedback -rtime Interprets an rtime value MAPI mexfeedback runaway2 Runaway2.. Replacement for !runaway General mexfeedback runcheck (!runchecks) runs the specified check(s) on the specified module(s) Decompile mexfeedback runchecklist runs the specified checklist(s) on the specified module(s) Decompile mexfeedback 
@@ -217,7 +166,6 @@ suspended Displays details on suspended thread svcreg Dumps the passed in service/driver registry key General mexfeedback svcthreads (!svcthreads) Find threads executing WCF services DotNet mexfeedback t A new implementation of !thread for user & kernel mode Thread mexfeedback -tableobj Dumps a folder which inherits from emsmdb32!TABLEOBJ MAPI mexfeedback tac Writes input to console, last line first. Utility mexfeedback tag Searches kernel modules for a given pooltag Kernel mexfeedback tail Displays the final X lines of a command's output Utility mexfeedback 
@@ -232,23 +180,12 @@ transition (!trans) Shows the current threads in the tra udescan (!manalyze) Scans dump for known issues and displays them in human-readable format. Utility mexfeedback uniqlines (!ul) Prints each line of output and a count of how many times they appeared Utility mexfeedback uniquestacks (!us) Like the built-in !uniqstacks except it associates thread IDs with the stack traces Thread mexfeedback -unkobj Interprets an UNKOBJ MAPI mexfeedback userrequest Displays details on threads with a wait reason of UserRequest Thread mexfeedback vadmodules (!vadm) Lists the vads of a process. Kernel mexfeedback -vbaproj Displays detailed information about a VBA project (vbe7!ProjItem) VB mexfeedback -vbscript (!vbs) Displays detailed information about vbscript running on the current thread VB mexfeedback ver Displays OS version info Utility mexfeedback -vrdpfb Encapsulates visualization of the RDP frame buffer RDS mexfeedback vss Vss Command Help Kernel mexfeedback wcfperfcounters Dumps performance counters for WCF services DotNet mexfeedback wcftcpconnectionpools (!wtcp) Display WCF Net.TCP connection pools DotNet mexfeedback -wdanalyze Displays Word-specific information (open documents, active document, last fetch, etc.) 
Word mexfeedback -wddoc (!doc) Displays detailed information about a particular document which inherits from wwlib!DOD Word mexfeedback -wddocs (!docs) Finds currently opened Word documents and templates using wwlib!vpdodUser Word mexfeedback -wdflags Displays information about global flags Word mexfeedback -wdfn Displays detailed information about open files Word mexfeedback -wdt Displays information about last fetch Word mexfeedback -wfp Displays information for the Windows Filtering Platform (WFP) General mexfeedback whocalls Scans all loaded managed modules and finds methods that call [MethodName] Decompile mexfeedback whoimplements Scans all loaded managed modules and finds types that implement [InterfaceName] Decompile mexfeedback whoinherits Scans all loaded managed modules and finds types that inherit [TypeName] Decompile mexfeedback @@ -257,7 +194,6 @@ whopins Scans managed modules and all finds window (!wnd) Displays windows for each desktop. You must be in the context of a given session to see that session's windows Kernel mexfeedback windowstation (!winsta) Display details for windows station(s) Kernel mexfeedback winnsi winnsi Command Help Networking mexfeedback -wldap32 Displays wldap32.dll details (dll responsible for client side LDAP connections) Process mexfeedback wq Displays executive work queue threads Kernel mexfeedback wrcpuratecontrol Displays details on threads with a wait reason of WrCpuRateControl Thread mexfeedback wrexecutive Displays details on threads waiting on the executive Thread mexfeedback 
@@ -268,8 +204,4 @@ writemodule Writes a module to your temp directo wrlpcreceive (!lpcs) Displays details on LPC/ALPC server threads Thread mexfeedback wrresource Displays details on threads with a wait reason of WrResource Thread mexfeedback x Wrapper for x that adds some DML General mexfeedback -xlanalyze (!xla) Analyzes Excel session and displays debug information. Excel mexfeedback -xlbooks (!xlb) Displays information about open workbooks. Excel mexfeedback -xlvbe Displays information about the Visual Basic Environment (VBE). Excel mexfeedback -xlwindows (!xlw) Displays information about open windows. Excel mexfeedback xx (!x2) Replacement for !x General mexfeedback diff --git a/MEX/x64/mex.dll b/MEX/x64/mex.dll index aece23e..e777109 100644 Binary files a/MEX/x64/mex.dll and b/MEX/x64/mex.dll differ diff --git a/MEX/x86/mex.dll b/MEX/x86/mex.dll index 3332d3c..3177c68 100644 Binary files a/MEX/x86/mex.dll and b/MEX/x86/mex.dll differ
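Review bot: the headline counts in the first README hunk do not reconcile with the table, so the captured `!mex` output is probably from a different build than the table below it. The visible `-` rows remove 68 extensions, and the per-category totals move by 68 as well (IE[6], RDS[2], Excel[4], Word[6], VB[5], MAPI[24], MSO[3], Outlook[15] vanish, Process 7 to 5, General 23 to 22), but the banner goes from 324 to 255, a drop of 69; the category totals also never summed to the banner in either version (265 vs 324 before, 197 vs 255 after). Regenerate `!mex` and `!mex.help -all` from the same loaded 3.0.0.7172 binary and paste both in one pass so the numbers agree.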
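Review bot: the README gives no reason for dropping `crypt32`, `wldap32` and `wfp`, which are the only removals outside the Office/IE/RDS families and the only ones whose categories survive (Process[7] to Process[5], General[23] to General[22]). Removing the whole MAPI/Outlook/Word/Excel/VB/IE/RDS sets reads as a deliberate scope cut, but `crypt32 Dumps crypt32.dll info`, `wldap32 Displays wldap32.dll details (dll responsible for client side LDAP connections)` and `wfp Displays information for the Windows Filtering Platform (WFP)` are general-purpose security and networking helpers, and `ldap` stays while its companion `wldap32` goes. Add a short note to the README (or the commit message) stating which extension families were retired and whether these three were removed intentionally or have replacements.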
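Review bot: `MEX/Mex.exe`, `MEX/x64/mex.dll` and `MEX/x86/mex.dll` are replaced as opaque binaries with nothing in the README that lets a consumer verify them; the only identifying text is the `Mex External 3.0.0.7172 Loaded!` banner, which is produced by the binary itself. Since this repository distributes the debugger extension as prebuilt artifacts, record the SHA-256 of each of the three files (or the Authenticode signer and file version) next to the version line in `MEX/README.txt`, so a reviewer can match the committed blobs to the build that produced the listing and a user can check what they load into the debugger.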