WINDBG Command Collection

Source: Internet
Author: User

// Breakpoint related

bp <Address>  sets a breakpoint at the address
bl  lists the breakpoints that have been set
bu <Address>  sets an unresolved (deferred) breakpoint; it is recorded now and resolved the next time the target is started
bc  clears breakpoints
For the breakpoint list argument, * matches all breakpoints, - expresses a range, and several breakpoint numbers can be given separated by commas.

Program entry pseudo-register
WinDbg has a pseudo-register called $exentry that records the entry point of the program, so you only need to type the following in the command field:
bp $exentry
(bp is the command for setting a breakpoint; detailed usage is in WinDbg's help documentation)

// Debug symbols

ld kernel32   // load symbols for the kernel32 module
lm m k*       // display the loaded modules whose names start with k
ln            // list the symbol nearest to an address
dt DBG2       // detection module

=====
x kernel32!k*    displays all symbols in module kernel32 that begin with k
dv               displays the values of local variables
dv /i /t /v      displays the type of each local variable and its value-related information
x <module>!*     displays the symbols of the specified module
x argc           looks up the symbol argc
dt argc          displays the value of the variable argc
dt _PEB 7ffdd00  displays the memory at address 7ffdd00 interpreted as a PEB structure
dd 12000 L4      displays four DWORDs starting at address 12000
dds 12000 L100   displays the 100 DWORDs starting at address 12000 and, when debug symbols are available, the symbol each value resolves to. This is a way to trace the stack (read ebp first, then apply this command to it).
dd ebp+4 gives the return address, ebp+8 the first parameter

=====
.kill     terminates the process being debugged
.restart  restarts the target

=====
k    shows the call stack
kn   the same, with a frame number on each line
kb   shows the first three parameters of each frame: the first at ebp+8, the second at ebp+0x0c, the third at ebp+0x10; dd ebp+0x14 gives the fourth
kp   shows each function's parameters with their types and values
kf / kp with the f switch shows the distance between neighbouring frame bases, from which the health of the stack can be inferred
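The layout that kb and the dd ebp+4 / ebp+8 lines above rely on can be made concrete by walking a saved-ebp chain by hand. The following is an added example, not code from the original collection: it builds a small constructed 32-bit stack image (no real process is involved; STACK_BASE and every address and value in it are assumed), then reproduces what dd and kb derive from it, including the frame-size sanity check that the f switch helps with.

```python
import struct

# Constructed 32-bit little-endian stack image (assumption: not captured from a
# real process). It models the frames left by main -> f1 -> f2 when every
# function has the standard "push ebp / mov ebp, esp" prologue, so at each frame:
#   [ebp]    saved caller ebp     [ebp+4]   return address
#   [ebp+8]  1st argument         [ebp+0c]  2nd argument   [ebp+10]  3rd argument
STACK_BASE = 0x0012FF00          # assumed virtual address of STACK[0]
STACK = bytearray(0x80)          # 32 zeroed DWORDs


def _write_dword(addr, value):
    struct.pack_into("<I", STACK, addr - STACK_BASE, value)


# frame of f2 (innermost), ebp = 0x0012ff20
_write_dword(0x0012FF20, 0x0012FF40)   # saved ebp of f1
_write_dword(0x0012FF24, 0x00401234)   # return address into f1 (constructed)
_write_dword(0x0012FF28, 0x11)         # f2 argument 1
_write_dword(0x0012FF2C, 0x22)         # f2 argument 2
_write_dword(0x0012FF30, 0x33)         # f2 argument 3
# frame of f1, ebp = 0x0012ff40
_write_dword(0x0012FF40, 0x0012FF60)   # saved ebp of main
_write_dword(0x0012FF44, 0x00401100)   # return address into main (constructed)
_write_dword(0x0012FF48, 0xAA)
_write_dword(0x0012FF4C, 0xBB)
_write_dword(0x0012FF50, 0xCC)
# frame of main, ebp = 0x0012ff60; a saved ebp of 0 terminates the chain
_write_dword(0x0012FF60, 0)
_write_dword(0x0012FF64, 0x7C800000)   # placeholder return into the startup code


def read_dword(mem, base, addr):
    """Read one little-endian DWORD at a virtual address inside the image."""
    off = addr - base
    if off < 0 or off + 4 > len(mem):
        raise ValueError(f"address {addr:#010x} is outside the stack image")
    return struct.unpack_from("<I", mem, off)[0]


def dd(mem, base, addr, count):
    """Mimic `dd <addr> L<count>`: return `count` DWORDs starting at addr."""
    return [read_dword(mem, base, addr + 4 * i) for i in range(count)]


def walk_frames(mem, base, ebp, max_frames=32):
    """Mimic what `kb` derives from the ebp chain: one record per frame."""
    frames = []
    while ebp and len(frames) < max_frames:
        saved_ebp = read_dword(mem, base, ebp)          # dd ebp
        ret_addr = read_dword(mem, base, ebp + 4)       # dd ebp+4  -> return address
        args = tuple(dd(mem, base, ebp + 8, 3))         # ebp+8, ebp+0c, ebp+10
        frames.append({"ebp": ebp, "saved_ebp": saved_ebp, "ret": ret_addr, "args": args})
        # Frame bases must ascend; a non-ascending chain means a corrupt or
        # non-ebp-based stack (what comparing neighbouring frame bases reveals).
        if saved_ebp and saved_ebp <= ebp:
            raise ValueError("ebp chain does not ascend; stack is corrupt or not ebp-based")
        ebp = saved_ebp
    return frames


def format_kb(frames):
    """Render the frames in the column layout kb uses."""
    lines = ["ChildEBP RetAddr  Args to Child"]
    for f in frames:
        a1, a2, a3 = f["args"]
        lines.append(f"{f['ebp']:08x} {f['ret']:08x} {a1:08x} {a2:08x} {a3:08x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_kb(walk_frames(STACK, STACK_BASE, 0x0012FF20)))
```

Running it prints three kb-style rows, innermost frame first; pass a different starting ebp to see how the output depends on the frame you start from, which is the same reason dv shows different locals after .frame.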

=====
|     lists processes
~     lists threads
~0s   switches to thread 0

=====
dv displays function parameters and local variables. Note that dv depends on the stack frame: different stack frames show different local variables.
1) kn shows all stack frames
2) .frame <n> selects the stack frame you want to view
3) dv /i /v /t shows the local variable information of that stack frame, i.e. the variables resolved relative to the frame's address
If there are no private symbols, dv cannot display variable information.
WinDbg does not understand the *.pdb debug symbols that VC generates by default; set C/C++ > General > Debug Info to "C7 Compatible".
=====
.sympath+ c:\nasm   adds a symbol search path
.sympath            displays the symbol search path
Display a range of memory
db <Address> L32   displays 32 bytes as hexadecimal bytes
View PE information
!dh [options] <Address>   views a module's PE information
!dh -f   displays the file headers
!dh -s   displays the section headers
!dh -a   displays all header information
View struct members
dt nt!_EPROCESS
View the current IRQL
!irql
View Driver Verifier detection statistics
!verifier
View which module a memory address belongs to
!pool <Address>
!lmi <Address>   views the main information of the module
!pcr   views the currently executing thread, the IRQL and other information
//
Why doesn't the WinDbg command !irql always return the correct IRQL for my target?
[Answer by Jake Oshins, jakeo_at_windows_dot_microsoft_dot_com; workaround provided by James Antognini, Antognini_at_Mindspring_dot_nospam_dot_com, August 2003]
!irql currently only produces useful results in a crash dump, not on a live system. To retrieve the IRQL on a live system you should instead use the !pcr command.
!processfields: lists the members of EPROCESS
The ! before the command name means it comes from a debugger extension module, kdextx86.dll. This command displays the members of the EPROCESS structure, which the kernel uses to represent a process and which has no formal documentation, together with their offsets.
Although the command lists only each member's offset, you can easily guess the correct type. For example, LockEvent is located at 0x70 and the next member is at offset 0x80, so the member occupies 16 bytes, which matches the KEVENT structure.

!threadfields: lists the ETHREAD members
This is another powerful option offered by kdextx86.dll. Like !processfields, it lists the undocumented members of the ETHREAD structure, which the kernel uses to represent a single thread, together with their offsets.

// Process information
!teb
!peb   shows the PEB (process information)

// Display related
dt ntdll!*teb*   lists the structure names that match the wildcard
dt -v -r ntdll!_TEB
lists the member information of the structure _TEB

// Show a variable's address
r $peb   displays the address of the PEB

// View error messages
!gle

// Tips for setting breakpoints
A breakpoint can be set directly at kernel32!BaseProcessStart
1) First display all loaded modules with lm
2) dt our_exe_name!*main*   // search our program's module for the symbol containing "main" (note: if the symbol is not loaded, nothing is displayed!)
3) If it is present, set a breakpoint at our_exe_name!*main
=======
Command          SoftICE   OllyDbg
Run              F5        F9
Step into        F11       F7
Step over        F10       F8
Set breakpoint   F8        F2
Search Memory

5. Find the string
In step 1, when we ran the program, we recorded the string "Wrong Serial, try again!" that prompted the registration error; now we are going to find the location of that string in memory.
Enter the command
s -a 00400000 L53000 "wrong"
The command searches for the string "wrong" in ASCII form in the 53000 bytes (hexadecimal, WinDbg's default) that follow memory address 00400000.
s is the search command
-a specifies an ASCII search
00400000 specifies the memory address at which to start searching
L53000 specifies that 53000 bytes starting at 00400000 are searched. This value and 00400000 can be obtained from STUD_PE: 00400000 is the load address of the program, and 53000 is the size of the image, i.e. the amount of memory the program occupies once it is loaded. With these two values you can search essentially the whole memory range used by the program.
"wrong" needs no further explanation; it is the string we are looking for. Note, however, that WinDbg does not do fuzzy matching, so the string entered here must be exactly right.
Memory access breakpoint

6. Setting a memory access breakpoint
In WinDbg the ba command means break on access: execution is interrupted when the memory is accessed.
We enter on the command line:
ba r1 0044108c
The command sets a one-byte read breakpoint at memory location 0044108c. The meaning of each element of the command can be found in the help documentation and is not repeated here.
Enter bl to view the breakpoint that was set:

Address arithmetic
? 0x33 + 0x44
evaluates the expression and prints the sum

3. Viewing and modifying data
Viewing and modifying data is unavoidable during debugging.
To view memory:
db/dw/dd/dq <Address>   view data as bytes / words / double words / quad words
da/du <Address>         view the specified address as an ASCII string / Unicode string
Other commonly used forms, such as viewing a structure:
dt nt!_EPROCESS
dt nt!_EPROCESS 89330da0   (0x89330da0 is the object pointer)
To modify memory:
eb/ew/ed/eq/ef/ep <Address> [Values]
byte / word / double word / quad word / floating point / pointer
ea/eu/eza/ezu <Address> [Values]
ASCII string / Unicode string / null-terminated ASCII string / null-terminated Unicode string
Search memory:
s -[b|w|d|q|a|u] <Range> <Target>
search for a byte / word / double word / quad word / ASCII string / Unicode string
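Both the s -a walkthrough in section 5 (deriving the search range from the image's load address and size, and the warning that the search must match exactly) and the s -[b|w|d|q|a|u] summary above are illustrated by the following added example. It is not code from the original collection and does not use STUD_PE: it reads ImageBase and SizeOfImage from the documented PE optional-header layout, builds the corresponding s -a / s -u command line, and performs the same byte-exact ASCII and Unicode (UTF-16LE) matching that s -a / s -u do over a constructed buffer. The PE image below is constructed for the demo (only the fields the parser reads are meaningful) and its "memory" is assumed to start at ImageBase.

```python
import struct


def parse_image_range(image):
    """Return (ImageBase, SizeOfImage) from a PE image's headers (PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]   # same offset in both formats
    return image_base, size_of_image


def windbg_search_command(image_base, size_of_image, needle, unicode=False):
    """Build the `s -a` / `s -u` line that covers the whole loaded image."""
    flag = "-u" if unicode else "-a"
    return f's {flag} {image_base:08x} L{size_of_image:x} "{needle}"'


def search_memory(mem, base, needle, unicode=False):
    """Mimic `s -a` / `s -u`: exact, case-sensitive byte match; return hit addresses."""
    pattern = needle.encode("utf-16-le") if unicode else needle.encode("ascii")
    hits, pos = [], mem.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = mem.find(pattern, pos + 1)
    return hits


def build_sample_image():
    """Constructed PE32 image: valid only for this demo, followed by a fake data area."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # COFF header (i386)
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)            # AddressOfEntryPoint (constructed)
    struct.pack_into("<I", hdr, opt + 28, 0x00400000)        # ImageBase, as in the article
    struct.pack_into("<I", hdr, opt + 56, 0x53000)           # SizeOfImage, as in the article
    msg = "Wrong Serial, try again!"
    data = (b"\0" * 0x100 + msg.encode("ascii") + b"\0" * 0x10
            + msg.encode("utf-16-le") + b"\0" * 0x10)
    return bytes(hdr + data)


SAMPLE = build_sample_image()

if __name__ == "__main__":
    base, size = parse_image_range(SAMPLE)
    print(windbg_search_command(base, size, "wrong"))
    print("s -a hits for 'wrong':", [hex(a) for a in search_memory(SAMPLE, base, "wrong")])
    print("s -a hits for 'Wrong':", [hex(a) for a in search_memory(SAMPLE, base, "Wrong")])
    print("s -u hits for 'Wrong':", [hex(a) for a in search_memory(SAMPLE, base, "Wrong", True)])
```

The lower-case "wrong" produces no hit even though the message is present, because s -a compares bytes exactly; that is the practical meaning of the article's remark that WinDbg does no fuzzy search. The -u variant finds the UTF-16 copy that an ASCII search walks straight past, which is why both forms are worth trying on a Windows target.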

2. Breakpoints
Breakpoints are of course very important when debugging.
Common commands:
bp <Address>|<symbol>   breaks at the specified address
Either an address or a symbol can be used, for example
bp 80561259 (WinDbg defaults to hexadecimal)
bp mydriver!GetKernelPath
bp mydriver!GetKernelPath+0x12
bp <Address> /p <eprocess>   breaks only when the current process is <eprocess>
This is very common: say you set bp nt!NtTerminateProcess but only want to break when one particular process triggers it; because kernel code is shared by every process, adding this parameter is what makes the command useful.
bp <Address> /t <ethread>   breaks only when the current thread is <ethread>; used like the /p parameter
bu <Address>|<symbol>   sets an unresolved breakpoint (one whose address is resolved later)
This is also very common. If our driver is named mydriver.sys, then before the driver is loaded we set bu mydriver!DriverEntry;
the driver can then be loaded and will break at its entry point, and this does not require debug symbol support.
bl        lists all breakpoints (l = list)
bc <id>   clears a breakpoint (c = clear; id is the breakpoint number shown by bl)
bd <id>   disables a breakpoint (d = disable; id is the breakpoint number)
be <id>   enables a breakpoint (e = enable; id is the breakpoint number)
