WinDbg basic commands
__stdcall: stack frame layout under the calling convention (after the prologue push ebp / mov ebp, esp has run)
EBP+8 | first parameter of the function
EBP+4 | return address of the function
EBP   | saved EBP of the caller
EBP-4 | first local variable
There are three kinds of commands:
1. Regular commands (e.g. k, g, dd)
2. Meta commands, prefixed with a dot (e.g. .frame, .reload)
3. Extension commands, prefixed with an exclamation mark (e.g. !peb, !address)
Get the process PEB ==================================================
!peb
Get the thread TEB ===================================================
!teb
Show the last error returned by a system call ========================
!gle: prints the current thread's GetLastError value and its last NTSTATUS, as stored in the TEB
Controlling execution ================================================
t: trace (single-step, stepping into calls)
~. t: single-step the current thread only; other threads stay frozen, so no thread switch can happen
p: step (single-step, executing a call as one step)
pc: execute until the next call instruction
g: go (continue execution)
g address: continue until the specified address is reached
gu: go up (execute until the current function returns)
~0 gu: run gu with only thread 0 executing; all other threads are frozen while it runs
u . L4: disassemble four instructions at the current IP to pick a suitable address to stop at (e.g. with g address)
Pseudo-registers =====================================================
Read with r @$name, or use @$name inside any expression (e.g. dt ntdll!_PEB @$peb)
Name | meaning
$proc: current process (EPROCESS in kernel mode, PEB in user mode)
$thread: current thread (ETHREAD in kernel mode, TEB in user mode)
$tpid: ID of the current process
$tid: ID of the current thread
$peb: Process Environment Block
$teb: Thread Environment Block
What code is the processor executing right now? ======================
u (unassemble): disassembly command
u .: disassemble eight instructions starting at the current $ip
uf .: disassemble the whole function that contains the current $ip
ub .: disassemble the eight instructions before the current $ip
u . L2: disassemble two instructions starting at the current $ip
ub . L2: disassemble the two instructions before the current $ip
u . .+a: disassemble the address range from the current $ip up to $ip+0xa (u takes start and end addresses; "a" is hexadecimal, so this is 10 bytes, not 10 instructions)
What is the current call stack? ======================================
k (stack backtrace): stack walking command
kp 5: display the first five frames with their full parameter lists (needs private symbols)
kf 5: display the first five frames; the first column is the distance to the previous frame, i.e. the stack space used by each function
k = BasePtr StackPtr InstructionPtr: when k cannot walk the stack (corrupted frame, no EBP chain), specify the starting frame manually
Setting breakpoints ==================================================
bp: the parameters are 1. the breakpoint address 2. breakpoint options 3. pass count (how many hits to ignore) 4. a quoted command string executed when the breakpoint is hit (several commands are separated by semicolons)
Example: ~0 bp program!CClass::func "r esp; g"
Sets a breakpoint that only fires on thread 0 and runs "r esp" and "g" (print esp, then continue) every time it is hit.
bl: list all breakpoints
bc *: clear all breakpoints (bc takes breakpoint IDs; * means all)
Using breakpoints in the kernel debugger:
bp ntdll!RtlAllocateHeap: fires in every process that executes that address
bp /p @$proc ntdll!RtlAllocateHeap "!process -1 0; g": sets a breakpoint on ntdll!RtlAllocateHeap that only fires when the current EPROCESS is @$proc; when it fires, the command prints the current process and continues
In user mode:
bm program!*Class*: set a breakpoint on every symbol matching the pattern, i.e. all methods of the class
bu ole32!CoInitializeEx: deferred (unresolved) breakpoint on a DLL that is not loaded yet; it is resolved automatically when the module loads
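An added example (not from the original page) that ties the breakpoint commands above to the __stdcall frame layout and pseudo-registers listed earlier: log the heap allocations of one thread, stop only on large ones, and read a parameter through EBP inside a function body. It assumes a 32-bit user-mode target with private symbols; the module and method name program!CClass::func and the +3 prologue offset are hypothetical and should be checked with u before use.

```windbg
$$ Added example, not from the original page. Assumes a 32-bit user-mode
$$ target; program!CClass::func and its +3 prologue length are hypothetical.

$$ RtlAllocateHeap(HeapHandle, Flags, Size) is stdcall. At its first
$$ instruction the prologue has not run, so the frame is esp-relative:
$$ [esp] return address, [esp+4] HeapHandle, [esp+8] Flags, [esp+c] Size.
$$ bu (not bp) so the breakpoint survives if ntdll is not loaded yet;
$$ the ~. prefix restricts it to the current thread; @$tid prints its ID.
~. bu ntdll!RtlAllocateHeap ".printf \"tid=%x RtlAllocateHeap(heap=%p, size=%x) from %y\\n\", @$tid, poi(@esp+4), poi(@esp+c), poi(@esp); g"

$$ Alternative for the same address: break only on allocations of 0x10000
$$ bytes or more. j runs the first quoted block when the condition is true
$$ and the second when it is false. Use this form or the one above, not both.
bu ntdll!RtlAllocateHeap "j (poi(@esp+c) >= 0x10000) 'kp 3' ; 'g'"

$$ After the prologue (push ebp / mov ebp,esp = 3 bytes) the same values sit
$$ at the EBP offsets from the top of this page: [ebp+4] return address,
$$ [ebp+8] first parameter. Show the first parameter and the caller, then
$$ run until the function returns. Verify the offset with: u program!CClass::func L3
bp program!CClass::func+3 "dd @ebp+8 L1; ln poi(@ebp+4); gu"

$$ Confirm what is set, and remove everything when done.
bl
bc *
```

The two RtlAllocateHeap forms are alternatives; setting both on one address doubles the output. The EBP-relative form only works once the prologue has executed, which is why the breakpoint sits a few bytes into the function rather than on the symbol itself.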
What is the value of a variable? =====================================
dv: with no parameters, display the local variables of the current frame
dv pattern (e.g. dv gfun*): display only the variables whose names match the pattern
dv /i: prefix each variable with its kind (local, parameter, global, ...); dv /t adds its data type
dv /v: display the address at which each variable is stored
dt: display the data type of a variable
dt this: display the type behind this (for a class pointer)
dt ClassName Address: interpret the memory at Address according to the layout of ClassName
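An added example (not from the original page) that walks from the call-stack commands above to the contents of one frame's variables and the object behind this. It assumes a 32-bit target with private symbols; program!CClass, the member m_count, the parameter prefix name and the address 0x00af1234 are hypothetical.

```windbg
$$ Added example, not from the original page. program!CClass, m_count,
$$ the "name" parameter prefix and 0x00af1234 are hypothetical.

$$ Five frames with parameters; pick the one whose locals you want.
kp 5
$$ Select frame 1: dv, dt and ?? now evaluate in that frame's scope.
.frame 1
$$ Every variable of the frame with its kind (parameter/local), type and address.
dv /i /t /v
$$ Only the variables whose names start with "name", with their types.
dv /t name*
$$ Layout of the object this points to (this is resolved from the frame).
dt this
$$ Interpret arbitrary memory as the class, expanding nested members one level.
dt -r1 program!CClass 0x00af1234
$$ The C++ expression evaluator reads a single member or checks a size.
?? this->m_count
?? sizeof(CClass)
$$ Return to the innermost frame so later commands are not misattributed.
.frame 0
```

Forgetting to go back to frame 0 is a common source of confusion: dv keeps reporting the selected frame's variables until the frame is changed again or the target runs.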
How to view memory ===================================================
dc Address Length, e.g. dc 0x005f0ea0 L4: four DWORDs at 0x005f0ea0, followed by their ASCII characters
dd Address: DWORDs at the address
du Address: print the Unicode string at the address
da Address: print the ASCII string at the address
db Address Length, e.g. db 0x005f0ea0 L4: four bytes at the address, as hex bytes plus ASCII
dyb Address Length: bytes displayed in binary
dyd Address Length: DWORDs displayed in binary (df shows single-precision floating-point values)
dp* Address: read pointer-sized values at the address and dereference each in a given format; e.g. dpu treats each value as a pointer to a Unicode string, dpa to an ASCII string, dpp to another pointer
How to search memory =================================================
s -d 0 L?10000000/4 c0000005: search the first 256 MB of the address space for the DWORD c0000005 (with -d the length is counted in DWORDs, hence 0x10000000/4; L? allows ranges that would otherwise exceed the 256 MB limit)
Set a memory access breakpoint =======================================
ba w4 gGlobal+0: break on any 4-byte write to the address gGlobal+0 (w = write, r = read or write, e = execute)
What is at a memory location? ========================================
!address Address (a register such as @esp also works): shows the region containing the address with its type, protection and usage; !address with no argument enumerates every region with details; !heap -p -a Address shows the heap block that contains the address
How to change the value at an address ================================
ed Address Value: write a DWORD at the address (eb/ew/eq write a byte/word/qword; ea/eu write an ASCII/Unicode string)
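An added example (not from the original page) that chains the memory commands of the last four sections: classify an address, search its region for a value, patch it, and catch the next write to it. The address 0x005f0ea0, the heap range starting at 0x005f0000, the string "secret" and the value 42 are constructed; use a range that !address reports as mapped in the real target.

```windbg
$$ Added example, not from the original page. 0x005f0ea0, the range at
$$ 0x005f0000, "secret" and the value 0n42 are constructed sample input.

$$ What kind of memory is this (Heap, Image, Stack, ...) and how large is it?
!address 0x005f0ea0
$$ Search that region for the DWORD 42 (0n = decimal). With -d the length
$$ is counted in DWORDs, so L10000 covers 256 KB.
s -d 0x005f0000 L10000 0n42
$$ Same idea for strings: -a ASCII, -u Unicode; here the length is in bytes.
s -a 0x005f0000 L40000 "secret"
$$ Look at the hit as DWORDs and as bytes+ASCII before changing anything.
dd 0x005f0ea0 L1
db 0x005f0ea0 L4
$$ Overwrite the DWORD and read it back to confirm the write took.
ed 0x005f0ea0 0n43
dd 0x005f0ea0 L1
$$ Break on the next 4-byte write to it, print the writer's stack, continue.
ba w4 0x005f0ea0 "kp 3; g"
```

Searching a range that is not fully mapped is harmless (unmapped pages are skipped), but a range far larger than the region of interest makes s slow; !address first tells you how big the region really is.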