Kernel debugging: WinDbg operations

Source: Internet
Author: User

Most WinDbg tutorials found on the Internet are only one or two forum replies long, and most of them do not cover kernel debugging at all.

This page summarizes some WinDbg operating methods and tips, and lists some common commands for quick reference.

lm (list the loaded modules and their symbol status)

1. WinDbg debugging commands

u: disassemble machine code
You have already used this command when checking whether a crash dump is correct. The u command has three forms:
1. u <from> disassembles eight instructions starting at the address <from>.
2. u <from> <to> disassembles all instructions between <from> and <to>.
3. u with no parameters continues disassembling from the position where the last u command stopped.
Disassembling code in small pieces like this is tedious, but if you only want to know what is going on at one specific address it is the most convenient method. Perhaps the most interesting feature of the u command is that it resolves the symbols referenced by the code, even for symbols the target module does not export, as long as a symbol file is available.

db, dw, and dd: dump memory as bytes, words, and DWORDs
If the memory you are interested in holds binary data, the debugger's hexadecimal dump commands do the job. Based on your judgement of the data type at the source address, choose db (for bytes), dw (for 16-bit words), or dd (for 32-bit DWORDs).
1. db displays the specified memory range in two parts: on the left the hexadecimal representation (two hex digits per byte), on the right the corresponding ASCII characters.
2. dw displays the data in hexadecimal only, as 16-bit words.
3. dd displays the data in hexadecimal only, as 32-bit DWORDs.
This group of commands accepts the same parameters as the u command. Note: the range is inclusive, so the contents at address <to> are displayed as well. With no parameters, the next 128 bytes after the previous dump are displayed.

x: examine symbols
The x command is very important. It builds a list of symbols from the installed symbol files. Typical usage:
1. x *!* displays all modules for which symbols are available. Right after startup only the ntoskrnl.exe symbols are available; the symbols of other modules can be loaded with the .reload command.
2. x <module>!<filter> displays the symbol names in the symbol file of module <module>. <filter> may contain the wildcards ? and *. <module> must be one of the module names listed by x *!*. For example, x nt!* lists all symbols found in the kernel symbol file ntoskrnl.dbg, and x win32k!* lists the symbols provided by win32k.dbg. If the debugger reports "Couldn't resolve error at '...'", reload the symbol files with .reload and try again.
3. x <filter> displays the subset of all available symbols that match the <filter> expression. Essentially this is a variant of x <module>!<filter> in which the <module>! part is omitted. Each symbol name is displayed together with its virtual address: for a function this is the function's entry point, for a variable it is the base address of the variable. It is worth noting that this command outputs many internal symbols that cannot be found in the export tables of the executable files.

ln: list nearest symbols
ln is my favourite command, because it gives quick and easy access to the installed symbol files. It is an ideal complement to the x command: where x lists all symbols of a module, ln looks up a symbol by address or by name.
1. ln <address> displays the nearest symbols before and after <address> (and an exact match, if there is one).
2. ln <symbol> resolves the symbol name to its virtual address; the process is the same as for ln <address>. As with the x command, the debugger knows all exported symbols and some internal ones, so ln is a great help for finding out the exact meaning of an unknown pointer in a disassembly listing or a hexadecimal dump. Note that u, db, dw, and dd also use the symbol files.

!processfields: list EPROCESS members
The leading ! means that the command comes from a debugger extension module, in this case kdextx86.dll. This command shows the members and offsets of the EPROCESS structure, which the kernel uses to represent a process (the structure is not formally documented).
Although this command only lists member offsets, you can often guess the correct type easily. For example, if LockEvent is at offset 0x70 and the next member is at 0x80, the member occupies 16 bytes, which matches the size of a KEVENT structure. On current debuggers with full type information, dt nt!_EPROCESS shows the same layout together with the member types.

!threadfields: list ETHREAD members
This is another powerful command provided by kdextx86.dll. Like !processfields, it lists the undocumented members of the ETHREAD structure and their offsets. The kernel uses this structure to represent a thread.

!drivers: list loaded drivers
kdextx86.dll has another goodie: !drivers lists details of the kernel and file system modules that are currently loaded. If you are examining a crash dump, this command shows the state of the system at the moment it crashed. Example 1-3 shows the abridged output on my machine. Note: in the last line of the output, the address of the driver that caused Windows 2000 to crash is 0xbecc2000, which is obviously the address displayed on the blue screen after w2k_kill.sys triggered it.
Note:
In the newer i386kd.exe (version 6.3.00133), the !drivers command is no longer supported; it has been replaced by the lm command. The usual form is: lm t n

!sel: examine selector values
!sel is also implemented in kdextx86.dll. It displays 16 consecutive segment selectors in ascending order of their values. You can repeat the command until the debugger reports "selector is invalid". Chapter 4 discusses segment selectors and provides sample code that shows how to decode selectors in your own program.
Note:
In the newer debugger this command is no longer supported; it has been replaced by the dg command. Its general usage is dg <first> <last>, which can list up to 256 selectors in one call. The debugger's online help describes it in detail.
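The selector decoding that the text defers to Chapter 4 is small enough to show here. The following C program is an added example, not code from the original page or book: it decodes a 16-bit selector into its index, table indicator and RPL, and an 8-byte 32-bit segment descriptor into the base, limit, type and DPL fields that dg prints. The descriptor bytes are constructed to look like a typical 32-bit Windows GDT (flat ring-0/ring-3 code and data, plus the ring-0 FS segment covering the KPCR); they were not dumped from a live system.

```c
/*
 * Decode x86 segment selectors and 32-bit segment descriptors the way
 * WinDbg's dg command displays them. Added example; not code from the
 * original page. The sample descriptor bytes below are constructed to
 * look like a typical 32-bit Windows GDT, not dumped from a live system.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t index;  /* slot number in the GDT or LDT (selector bits 15..3) */
    uint8_t  ti;     /* table indicator (bit 2): 0 = GDT, 1 = LDT */
    uint8_t  rpl;    /* requested privilege level (bits 1..0), i.e. the ring */
} selector_t;

typedef struct {
    uint32_t base;        /* 32-bit linear base, assembled from three fields */
    uint32_t limit;       /* byte limit with granularity already applied */
    uint8_t  present;     /* P bit */
    uint8_t  dpl;         /* descriptor privilege level */
    uint8_t  is_system;   /* S bit clear: TSS, LDT or gate, not code/data */
    uint8_t  type;        /* 4-bit type field */
    uint8_t  granularity; /* G bit: limit counted in 4 KiB pages */
    uint8_t  big;         /* D/B bit: 32-bit default operand size */
} descriptor_t;

selector_t decode_selector(uint16_t sel)
{
    selector_t s;
    s.index = (uint16_t)(sel >> 3);
    s.ti    = (uint8_t)((sel >> 2) & 1);
    s.rpl   = (uint8_t)(sel & 3);
    return s;
}

/* d[0..7] is the raw descriptor exactly as it lies in memory (little endian). */
descriptor_t decode_descriptor(const uint8_t d[8])
{
    descriptor_t r;
    uint32_t limit = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);

    r.base        = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    r.present     = (uint8_t)((d[5] >> 7) & 1);
    r.dpl         = (uint8_t)((d[5] >> 5) & 3);
    r.is_system   = (uint8_t)!((d[5] >> 4) & 1);
    r.type        = (uint8_t)(d[5] & 0x0F);
    r.granularity = (uint8_t)((d[6] >> 7) & 1);
    r.big         = (uint8_t)((d[6] >> 6) & 1);
    /* With G set the 20-bit limit counts pages; the low 12 bits are all ones. */
    r.limit       = r.granularity ? (limit << 12) | 0xFFFu : limit;
    return r;
}

/* Type field in dg-style shorthand ("Code RE Ac", "Data RW"). Returns a
 * pointer to a static buffer, so the result is only valid until the next call. */
const char *describe_type(descriptor_t d)
{
    static char buf[32];
    static const char *const sys[16] = {
        "<Reserved>", "TSS16 Avl", "LDT", "TSS16 Busy", "CallGate16", "TaskGate",
        "IntGate16", "TrapGate16", "<Reserved>", "TSS32 Avl", "<Reserved>",
        "TSS32 Busy", "CallGate32", "<Reserved>", "IntGate32", "TrapGate32"
    };

    if (d.is_system) {
        snprintf(buf, sizeof buf, "%s", sys[d.type]);
    } else if (d.type & 8) {   /* code: bit1 = readable, bit2 = conforming, bit0 = accessed */
        snprintf(buf, sizeof buf, "Code %s%s%s", (d.type & 2) ? "RE" : "EO",
                 (d.type & 4) ? " Co" : "", (d.type & 1) ? " Ac" : "");
    } else {                   /* data: bit1 = writable, bit2 = expand-down, bit0 = accessed */
        snprintf(buf, sizeof buf, "Data %s%s%s", (d.type & 2) ? "RW" : "RO",
                 (d.type & 4) ? " Ed" : "", (d.type & 1) ? " Ac" : "");
    }
    return buf;
}

/* Constructed sample GDT entries: flat ring-0/ring-3 code and data, and the
 * ring-0 FS segment that covers the processor control region (KPCR). */
const uint8_t kRing0Code[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x9B, 0xCF, 0x00 };
const uint8_t kRing0Data[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x93, 0xCF, 0x00 };
const uint8_t kRing3Code[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xFB, 0xCF, 0x00 };
const uint8_t kRing3Data[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF3, 0xCF, 0x00 };
const uint8_t kRing0Fs[8]   = { 0xFF, 0x1F, 0x00, 0xF0, 0xDF, 0x93, 0x40, 0xFF };

static void print_entry(uint16_t sel, const uint8_t raw[8])
{
    selector_t   s = decode_selector(sel);
    descriptor_t d = decode_descriptor(raw);
    printf("%04x  idx=%-3u %s rpl=%u  %08x %08x  %-12s dpl=%u %s %s %s\n",
           (unsigned)sel, (unsigned)s.index, s.ti ? "LDT" : "GDT", (unsigned)s.rpl,
           (unsigned)d.base, (unsigned)d.limit, describe_type(d), (unsigned)d.dpl,
           d.present ? "P" : "NP", d.granularity ? "Pg" : "By", d.big ? "32" : "16");
}

int main(void)
{
    print_entry(0x0008, kRing0Code);
    print_entry(0x0010, kRing0Data);
    print_entry(0x001B, kRing3Code);   /* index 3 with RPL 3: the user-mode CS */
    print_entry(0x0023, kRing3Data);
    print_entry(0x0030, kRing0Fs);
    return 0;
}
```

The RPL in the selector and the DPL in the descriptor are the two privilege values the CPU compares on every segment load; seeing that the user-mode code selector 0x1b is really GDT slot 3 with RPL 3 makes the "ring" in a dg listing concrete.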

kd> x nt!KeServiceDescriptorTable*
8046e100 nt!KeServiceDescriptorTableShadow = <no type information>
8046e0c0 nt!KeServiceDescriptorTable = <no type information>

kd> ln 8046e100
(8046e100) nt!KeServiceDescriptorTableShadow | (8046e140) nt!MmSectionExtendResource
Exact matches:
    nt!KeServiceDescriptorTableShadow = <no type information>

2. Download the symbols for a system file

symchk c:\winnt\system32\ntoskrnl.exe /s srv*c:\symbols*http://msdl.microsoft.com/download/symbols

SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1

The /s argument is a symbol path; the srv*<local cache>*<server URL> form downloads the symbol from the Microsoft symbol server into the local cache directory.

3. View the signal state of an event object

!object \BaseNamedObjects
dt -b nt!_KEVENT XXXXXXXX

!object lists the named objects in the directory together with their addresses; dt then dumps the KEVENT, whose Header.SignalState member shows whether the event is signaled.

4. View the LastError value of the current thread

!gle

5. Specify the radix of a number. The prefixes 0x, 0n, 0t and 0y mark hexadecimal, decimal, octal and binary values respectively.

? 0x12345678 + 0n10
Evaluate expression: 305419906 = 12345682

6. Filter the information shown in the command window on each prompt

.prompt_allow -reg +dis -ea -src -sym

7. The .formats command

Displays the value of an expression in several formats:
0:000> .formats @eax
Evaluate expression:
  Hex:     00181eb4
  Decimal: 1580724
  Octal:   00006017264
  Binary:  00000000 00011000 00011110 10110100
  Chars:   ....
  Time:    Mon Jan 19 15:05:24 1970
  Float:   low 2.21507e-039 high 0
  Double:  7.80981e-318

8. Exception handling

The commands sx, sxd, sxe, sxi, sxn and sxr set how exceptions and events are handled. For example:
0:000> sxe ld
makes the debugger break whenever a DLL is loaded; sxe ld:<module> restricts the break to the named module.

9. Switch the process context during kernel debugging

lkd> !process 0 0
lkd> .process XXXXXXXX

!process 0 0 lists every process with the address of its EPROCESS; .process with that address switches the debugger's process context so that the process's user-mode memory is visible.

10. You can create a windbg.exe shortcut on the desktop and set the shortcut's target as follows, so that the initial commands run at every start:

C:\windbg\windbg.exe -c ".prompt_allow +dis -reg -ea -src -sym; .enable_unicode 1; .enable_long_status 1; .logopen /t c:\dbglog\dbglog.txt"

11. Local kernel debugging

File / Kernel Debug... in the menu opens the kernel debugging dialog; select the last tab, Local, to debug the local machine in kernel mode. In this mode none of the commands that would halt the system (breakpoints, stepping, and so on) can be used, but system memory can be read and written, and it is convenient for looking at kernel structures, for example with dt nt!_EPROCESS. On current Windows versions local kernel debugging also requires that the system was booted with kernel debugging enabled (bcdedit /debug on) and that the debugger runs elevated.
