The Graph view in Cutter is empty
Reverse Engineering Asked on December 23, 2020
Following this question, I’m trying to figure out how cscript.exe parses the .wsh Windows Script Host control files. First I tried WinDbg, but Radare2-Cutter seems like a much nicer software TBH. What I did:
- Opened the
C:WindowsSystem32cscript.exe - Imported the previously downloaded official Microsoft symbols
File > Import PDB > cscript.pdb View > Refresh Contents
However, the Graph tab shows empty:
Graph (Empty)
No function detected. Cannot display graph.
I would appreciate it if you could help me know what is the problem and how I can solve it.
P.S. Any other help towards solving the original problem is also highly appreciated. ?
One Answer
debugging using cdb (windbg console)
open a elevated command prompt
run
cdb -c "bp cscript!CscriptFile::create;g;kc;r;du@rcx;" cscript hell.vbs
this sets a break point on create and dumps the stack when bp is hit
you can see cscript!CscriptEngine::Compile function parsing and compiling the file after this
Breakpoint 0 hit
Call Site
cscript!CScriptFile::Create
cscript!CHost::RunStandardScript
cscript!CHost::Execute
cscript!CHost::Main
cscript!main
cscript!_mainCRTStartup
cscript!mainCRTStartup
KERNEL32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
rax=0000000000000000 rbx=000000e91cdff380 rcx=000002404a919a58
rdx=0000000000000000 rsi=000000e91cdff600 rdi=000002404c6109a8
rip=00007ff617175b14 rsp=000000e91cdfeb58 rbp=0000000000000000
r8=000000e91cdff600 r9=0000000000000000 r10=000002404a8fb2f0
r11=000000e91cdfeb60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=000000e91cdff6c8
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
cscript!CScriptFile::Create:
00007ff6`17175b14 48895c2410 mov qword ptr [rsp+10h],rbx ss:000000e9`1cdfeb68=0000000000000000
00000240`4a919a58 "c:hell.vbs"
the function which Creates ,Loads ,Compiles And Executes the Script
0:000> uf /c cscript!CHost::RunStandardScript
cscript!CHost::RunStandardScript (00007ff6`17171d88)
cscript!CHost::RunStandardScript+0x39 (00007ff6`17171dc1):
call to cscript!CScriptFile::Create (00007ff6`17175b14)
cscript!CHost::RunStandardScript+0x4c (00007ff6`17171dd4):
call to cscript!CScriptFile::Load (00007ff6`17171cd0)
cscript!CHost::RunStandardScript+0x74 (00007ff6`17171dfc):
call to cscript!CScriptingEngine::Compile (00007ff6`1717589c)
cscript!CHost::RunStandardScript+0x96 (00007ff6`17171e1e):
call to ntdll!LdrpDispatchUserCallTarget (00007ffd`f574c510)
cscript!CHost::RunStandardScript+0xc3 (00007ff6`17171e4b):
call to ntdll!LdrpDispatchUserCallTarget (00007ffd`f574c510)
cscript!CHost::RunStandardScript+0xd5 (00007ff6`17171e5d):
call to cscript!CTimer::Stop (00007ff6`17174478)
cscript!CHost::RunStandardScript+0x614f (00007ff6`17177ed7):
call to cscript!CHost::ReportLoadError (00007ff6`1717b930)
cscript!CHost::RunStandardScript+0x6165 (00007ff6`17177eed):
call to cscript!CTimer::Start (00007ff6`1717d3dc)
cscript!CHost::RunStandardScript+0x6183 (00007ff6`17177f0b):
call to ntdll!LdrpDispatchUserCallTarget (00007ffd`f574c510)
0:000>
Answered by blabb on December 23, 2020
Add your own answers!
Ask a Question
Get help from others!
Recent Answers
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Joshua Engel on Why fry rice before boiling?
- Peter Machado on Why fry rice before boiling?
- haakon.io on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?