WinDbg Debugging Command detailed


http://www.yiiyee.cn/Blog/windbg/


1. Overview

After installing the Microsoft Windows Debugging Tools, you will find four debugger programs in the installation directory: CDB.exe, NTSD.exe, KD.exe, and WinDbg.exe. CDB.exe and NTSD.exe can only debug user-mode programs; KD.exe is mainly used for kernel debugging, and occasionally for user-mode debugging. What these three have in common is that they work only as command-line programs with a console interface.

WinDbg.exe can debug both user mode and kernel mode, and, more importantly, it is no longer purely command-line but provides a graphical user interface. So in most cases, when we talk about the Windows debugging tools, we mean WinDbg directly rather than the other three.

In both user mode and kernel mode, WinDbg supports two debugging modes: live debugging and postmortem debugging. In live mode the target being debugged is currently running, and the debugger can analyze and modify the target's state (registers, memory, variables) in real time; debugging an EXE program, or two-machine live kernel debugging, belongs to this mode. In postmortem mode the target has already finished running, and what is analyzed after the fact is the snapshot it left behind, called a dump file.

Another major advantage of WinDbg is that it supports source-level debugging, just like the Visual C++ debugger.

Although it provides a graphical interface, WinDbg ultimately requires the user to type commands to direct its actions. This is done in its command window.

Each debugging command has its own scope: some commands can only be used in kernel debugging, some only in user-mode debugging, and some only in live debugging. Users do not have to memorize all of this, though: if an unsupported command is used in a given environment, the debugger displays the message "No export XXX found". Take the !process command, which displays process information but can only be used in kernel debugging; used in user-mode debugging it produces the following:

0:001> !process
No export process found

1.1 Asking for Help

Let's start by looking at how to get useful help while using the debugger. WinDbg's debugging commands are divided into three types: basic commands, meta commands, and extension commands. Basic commands and meta commands are built into the debugger, and a meta command always begins with a period "."; extension commands are added from outside and always begin with an exclamation point "!". There are thousands of debugging commands in all, so the first thing is to find ways to enumerate them and learn how to use them.

There are the fewest basic commands, about 40. To enumerate all basic commands, use the following command: ?

There are more than 100 meta commands. To enumerate all meta commands, use the following command: .help [/d]

If the /d parameter is given, the command list is displayed in DML format. DML is an HTML-like markup language, described below. The following illustration shows the meta commands beginning with the letter A in DML format:

Finally, the extension commands. As the name implies, extension commands can be "extended". Extension commands are exported from dynamic-link libraries, and a DLL file name typically denotes one set of extension commands. First we need to find out which of these DLL files are loaded, using the following command: .chain [/d]

This command lists the loaded extension command sets. As with the .help command, the /d parameter displays the list in DML format. As shown below:

0:001> .chain
Extension DLL search Path:
    c:\program Files (x86)\Windows Kits\8.0\debuggers\x64\winxp;
Extension DLL chain:
    dbghelp: image 6.2.9200.20512, API 6.2.6, built Fri Sep 13:45:49
        [path: c:\program Files (x86)\Windows Kits\8.0\debuggers\x64\dbghelp.dll]
    ext: image 6.2.9200.16384, API 1.0.0, built Thu Jun 26 10:11:
        [path: c:\program Files (x86)\Windows Kits\8.0\debuggers\x64\winext\ext.dll]
    exts: image 6.2.9200.163, API 1.0.0, built Thu 10:15:20
        [path: c:\program Files (x86)\Windows Kits\8.0\debuggers\x64\winxp\exts.dll]
    uext: image 6.2.9200.16384, API 1.0.0, built Thu Jun 10:15:09
        [path: c:\program Files (x86)\Windows Kits\8.0\debuggers\x64\winext\uext.dll]
    ntsdexts: image 6.2.9200.16384, API 1.0.0, built Thu Jun 26 10:16:01 20
        [path: c:\program Files (x86)\Windows Kits\8.0\debuggers\x64\winxp\ntsdexts.dll]

The top two lines show the search path for extension modules. Next, a total of six extension modules are listed: WDFKD, dbghelp, ext, exts, uext, and ntsdexts. You can see the version information and the image file path of each extension module. How do you list the extension commands contained in an extension library? Most extension modules support the following command: !modulename.help
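As an added example (not code from the page or from WinDbg itself), the Python below parses .chain output into one record per extension DLL and then flags any extension loaded from outside the debugger's install directory; that is worth checking because an extension DLL executes inside the debugger process with its privileges. The sample output, the install path c:\debuggers and the module name myext are constructed for this illustration; the line shapes follow the listing above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of .chain output for this example (not the page's listing);
# the install path c:\debuggers and the third-party module myext are made up.
SAMPLE_CHAIN = r"""0:001> .chain
Extension DLL search Path:
    c:\debuggers\x64\winxp;c:\debuggers\x64\winext;c:\debuggers\x64
Extension DLL chain:
    dbghelp: image 6.2.9200.20512, API 6.2.6, built Fri Sep 13 13:45:49 2013
        [path: c:\debuggers\x64\dbghelp.dll]
    ext: image 6.2.9200.16384, API 1.0.0, built Thu Jun 28 10:11:20 2012
        [path: c:\debuggers\x64\winext\ext.dll]
    myext: image 1.0.0.1, API 1.0.0, built Mon Jan  6 09:00:00 2014
        [path: c:\users\someone\downloads\myext.dll]
"""

# One "name: image X, API Y, built Z" header per extension, indented 4 spaces,
# followed by its "[path: ...]" line indented 8 spaces.
ENTRY_RE = re.compile(r"^ {4}(?P<name>\w+): image (?P<image>[\d.]+), API (?P<api>[\d.]+),"
                      r"(?: built (?P<built>.+?))?\s*$")
PATH_RE = re.compile(r"^ {8}\[path: (?P<path>.+)\]\s*$")


def parse_chain(text):
    """Return one dict (name, image, api, built, path) per DLL in the extension chain."""
    modules, current, in_chain = [], None, False
    for line in text.splitlines():
        if line.startswith("Extension DLL chain:"):
            in_chain = True          # lines before this are the search path; skip them
            continue
        if not in_chain:
            continue
        header = ENTRY_RE.match(line)
        if header:
            current = header.groupdict()
            modules.append(current)
            continue
        location = PATH_RE.match(line)
        if location and current is not None:
            current["path"] = location.group("path")
    return modules


def foreign_extensions(modules, install_root):
    """Names of extensions whose DLL lives outside the debugger install directory."""
    root = PureWindowsPath(install_root)     # Windows paths compare case-insensitively
    return [m["name"] for m in modules
            if "path" in m and root not in PureWindowsPath(m["path"]).parents]
```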

In addition, the set of extension modules is itself extensible. If a reader obtains an extension debugging module from a third party, or writes one, it can be dynamically loaded and unloaded with the .load and .unload commands.

1.2 DML Language

DML (Debugger Markup Language), like HTML, can link from one place to another. The difference is that the content behind a DML link is generated dynamically only after the user clicks it. It is typically used to present a large amount of information and extended functionality in a compact way.

DML has many practical functions. If you do not know where to start, the best thing is to enter the .dml_start command and begin the DML tour.

DML links guide the user through the debugging information in a more visual way, making the debugging tool friendlier than pure command output. DML is like a thin wrapper around the raw commands that makes the blunt commands softer. So it is recommended that readers always turn DML on by default:

.prefer_dml 1

turns DML on, and

.prefer_dml 0

turns DML off.

Once DML is on, commands that support DML, such as k, display their output in DML format by default.

DML can also draw a flowchart of a function in a very special way. Its main principle is disassembly, similar to uf, but at each logical branch it stops disassembling and displays the branches for the user to choose from. In addition, it can show the assembly code corresponding to each source line number, which is very useful. With a little refinement it can draw a very nice flowchart. One of its features is that the disassembly proceeds backwards, from the end towards the start. Think about it and you will see that this makes sense: going forward there are too many branches, whereas going backwards the order of branches is fixed through the user's participation (that is, the user chooses the branch). The command is: .dml_flow Findallinffilesa findallinffilesa+30

This is a very simple, practical example that disassembles the Findallinffilesa interface function in the KERNEL32 library; the effect is similar to the uf command, but more powerful.

1.3 Basic Information

This section explains the commands related to the debugger software itself, such as viewing the software version, startup parameters, and the most basic software settings. First, the version command:

This command displays the operating system version information together with WinDbg's own version information. WinDbg's configuration is closely tied to the operating system, so the operating system version information must be displayed as well. Running this command in the kernel environment and in the user environment produces different output. The following shows the output from the kernel environment:

0:001> version
Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18015 (win7sp1_gdr.121129-1432)
Machine Name:
Debug session time: Thu Aug 10:11:04.000 2013 (UTC + 8:00)
System Uptime: 14 days 17:26:44.613
Process Uptime: 14 days 17:14:25.000
  Kernel time: 0 days 0:09:02.000
  User time: 0 days 0:42:36.000
Full memory user mini dump: c:\users\mozhang\appdata\local\temp\dwm.dmp

Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Besides WinDbg version information, the above output also includes target system information. To view only the version information of the target system, use the vertarget command: vertarget

WinDbg supports debugging multiple targets in multiple debugging sessions at the same time. Above we listed the version information of the current debugging system with the version or vertarget command; we can also view the status of the current target system with: ||

If multiple debugging targets are open in WinDbg, the || command lists them. To demonstrate this, first open the local debugging environment in WinDbg, then call the .opendump command twice to open two dump files, so that three targets are being debugged. The following illustration shows the situation:

The active target in the illustration is target number 0 (visible from the period preceding the 0). The debugger switches between multiple debugging targets with the s parameter. To switch to target 1, use the following command: || 1 s

The last command is used to view the system time. This includes the current system time, how long the system has been running, and how long the current process has run in user mode. The command format is: .time

0:001> .time
Debug session time: Thu Aug 10:11:04.000 2013 (UTC + 8:00)
System Uptime: 14 days 17:26:44.613        // system run time
Process Uptime: 14 days 17:14:25.000       // current process run time
  Kernel time: 0 days 0:09:02.000
  User time: 0 days 0:42:36

1.4 Basic Settings

First, a clear-screen command: .cls

This command helps you cut the Gordian knot when the contents of the command window have become too cluttered.

Next, a command to set the default number base: n [8|10|16]

The software defaults to 16 (hexadecimal), but sometimes we need to change the default to octal or decimal. Below we switch to octal and then evaluate the number 11, which in octal is 9 in decimal:

0:001> n 8
Base is 8
0:001> ? 11
Evaluate expression: 9 = 00000000`00000009

Finally, the processor mode command. Processor mode is worth discussing; it is important. The processor mode setting reflects the power of WinDbg: for example, a 32-bit host can debug x86, IA64, and x64 target systems at the same time, provided that the host's processor mode is set correctly. The available processor mode values are x86, amd64, IA64, EBC, and so on: .effmach x86

The .effmach command stands for effective machine, that is, the effective machine type. The command above sets the current processor mode to x86.

1.5 Format Display

The .formats command displays an integer in various formats, including hexadecimal, decimal, octal, binary, characters, date, float, and double. Isn't that convenient? The command is: .formats integer

Here's an example with 0x123abc:

0:001> .formats 0x123abc
Evaluate expression:
  Hex:     00000000`00123abc
  Decimal: 1194684
  Octal:   0000000000000004435274
  Binary:  00000000 00000000 00000000 00000000 00000000 00010010 00111010 10111100
  Chars:   ......:.
  Time:    Thu 03:51:24 1970
  Float:   low 1.67411e-039 high 0
  Double:  5.90252e-318

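As an added illustration (not code from the page or from WinDbg), the Python below reproduces each row of .formats for a 64-bit target, so you can see where the values above come from: the same bit pattern read as an integer in several bases, as ASCII bytes, as a time_t, and reinterpreted as IEEE-754 single and double. The function name formats is my own; the Time row is printed in UTC here, whereas WinDbg uses the debugger's local time zone, which is why the page shows 03:51:24 under UTC+8.

```python
import struct
import time


def formats(value, bits=64):
    """Reproduce the rows of WinDbg's .formats output for a 64-bit target.

    Added illustration, not WinDbg's own code; printing the Time row in UTC
    is an assumption made here (WinDbg prints local time).
    """
    v = value & ((1 << bits) - 1)
    hi, lo = v >> 32, v & 0xFFFFFFFF
    raw = v.to_bytes(8, "big")         # most significant byte first, as in the Binary row
    return {
        # Hex row: two 32-bit halves separated by a backquote, as WinDbg prints 64-bit values
        "hex": f"{hi:08x}`{lo:08x}",
        "decimal": v,
        "octal": f"{v:022o}",           # zero-padded to 22 digits (64 bits, 3 bits per digit)
        "binary": " ".join(f"{b:08b}" for b in raw),
        # Chars row: printable ASCII bytes are shown, everything else becomes "."
        "chars": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw),
        # Time row: the low 32 bits interpreted as a time_t (seconds since 1970-01-01)
        "time": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(lo)),
        # Float row: each 32-bit half reinterpreted as an IEEE-754 single
        "float_low": struct.unpack("<f", struct.pack("<I", lo))[0],
        "float_high": struct.unpack("<f", struct.pack("<I", hi))[0],
        # Double row: the whole 64-bit pattern reinterpreted as an IEEE-754 double
        "double": struct.unpack("<d", struct.pack("<Q", v))[0],
    }


if __name__ == "__main__":
    for row, text in formats(0x123ABC).items():
        print(f"{row:10} {text}")
```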
1.6 Start Debugging

Now let's get into the debugging phase. First look at how to attach the debugger to a running process. For example, IE crashed while running; after opening WinDbg, how do you debug it? The first step is to attach WinDbg to the crashed IE process, using the following command format: .attach PID

or attach through WinDbg's startup parameter: windbg -p PID

In the above two commands, PID specifies the process ID. If specifying a PID is inconvenient, you can also attach by process name: windbg -pn ProcessName

For example, you can attach to Notepad like this:

windbg -pn notepad.exe

The above commands attach the debugger to a process that already exists. The debugger can also create a new process and debug it, a different and more intrusive approach. Use the following command: .create CommandLine

or WinDbg startup parameters
