WinDbg is a powerful debugging tool on the Windows platform. This post introduces its basic functions.
The program to be debugged, debugee.cpp, is as follows (line 10 is the printf call, which later breakpoints refer to):
// debugee.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"

void loop(void)
{
    for (int i = 0; i < 1000; i ++)
    {
        printf("loop [%d]\n", i);
    }
}

int main(int argc, char* argv[])
{
    printf("Hello World!\n");
    loop();
    return 0;
}
========================================================== ======================================
Breakpoint
========================================================== ======================================
Set a breakpoint by symbol. This requires the symbol file to be loaded correctly (symbol path given with -y or Ctrl+S).
bm debugee!main
This sets a breakpoint at the entry of main. Press Tab to check whether the symbol is offered by completion.
Set a breakpoint on a source line. This requires the source path to be set correctly (-srcpath or Ctrl+P):
bp `debugee.cpp:10`
bp `:10`
Conditional breakpoint: stop when i == 500, otherwise gc (go from conditional breakpoint) resumes. The 0n prefix forces decimal; without it the number is read in the current radix, which is hexadecimal by default:
bp `debugee.cpp:10` "j (poi(i)==0n500) ''; 'gc'"
Stop once i reaches 800 or above:
bp `debugee.cpp:10` "j (poi(i)>0n800) ''; 'gc'"
Hardware data breakpoints are a very useful feature (their number is limited by the CPU's debug registers, DRx).
Break when the 4 bytes at the address of variable i are written:
ba w4 i
Break when the 4 bytes at the address of variable i are read (r also fires on writes):
ba r4 i
Instruction (execute) breakpoint
First, look at the disassembly of the loop function with u:
0:000> u debugee!loop
debugee!loop [H:\temp\debugee\debugee.cpp @ 7]:
0040d6f0 55              push    ebp
0040d6f1 8bec            mov     ebp,esp
0040d6f3 83ec44          sub     esp,44h
0040d6f6 53              push    ebx
0040d6f7 56              push    esi
0040d6f8 57              push    edi
0040d6f9 8d7dbc          lea     edi,[ebp-44h]
0040d6fc b911000000      mov     ecx,11h
0:000> u
debugee!loop+0x11 [H:\temp\debugee\debugee.cpp @ 7]:
0040d701 b8cccccccc      mov     eax,0CCCCCCCCh
0040d706 f3ab            rep stos dword ptr es:[edi]
0040d708 c745fc00000000  mov     dword ptr [ebp-4],0
0040d70f eb09            jmp     debugee!loop+0x2a (0040d71a)
0040d711 8b45fc          mov     eax,dword ptr [ebp-4]
0040d714 83c001          add     eax,1
0040d717 8945fc          mov     dword ptr [ebp-4],eax
0040d71a 817dfce8030000  cmp     dword ptr [ebp-4],3E8h
0:000> u
debugee!loop+0x31 [H:\temp\debugee\debugee.cpp @ 8]:
0040d721 7d13            jge     debugee!loop+0x46 (0040d736)
0040d723 8b4dfc          mov     ecx,dword ptr [ebp-4]
0040d726 51              push    ecx
0040d727 681c204200      push    offset debugee!`string' (0042201c)
0040d72c e82f39ffff      call    debugee!printf (00401060)
0040d731 83c408          add     esp,8
0040d734 ebdb            jmp     debugee!loop+0x21 (0040d711)
0040d736 5f              pop     edi
0:000> u
debugee!loop+0x47 [H:\temp\debugee\debugee.cpp @ 12]:
0040d737 5e              pop     esi
0040d738 5b              pop     ebx
0040d739 83c444          add     esp,44h
0040d73c 3bec            cmp     ebp,esp
0040d73e e89d39ffff      call    debugee!_chkesp (004010e0)
0040d743 8be5            mov     esp,ebp
0040d745 5d              pop     ebp
0040d746 c3              ret
Now clear the existing breakpoints and stop at the call to printf:
bc *
ba e1 0x0040d72c
Note: for a ba e (execute) breakpoint the size must be 1.
========================================================== ======================================
Statement Control
========================================================== ======================================
Step one statement; a call is stepped over as a unit. Equivalent to next in GDB and F10 in VC.
p
Step one statement; a call is stepped into. Equivalent to step in GDB and F11 in VC.
t
Run until a ret instruction is reached. Usually used to finish the current sub-function: execution stops at the point where the function is about to return.
pt
What is the difference between pt and tt? pt steps over the calls it meets, so it stops at the current function's ret; tt traces into them, so it stops at the first ret it encounters, which may belong to a callee. And what happens if the current instruction is already the ret?
Run to the next call instruction
pc
0:000> pc
eax=cccccccc ebx=7ffdd000 ecx=00000000 edx=003710d8 esi=00000000 edi=0012ff70
eip=004010d6 esp=0012ff20 ebp=0012ff80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
>   19:     printf("Hello World!\n");
debugee!main+0x36:
004010d6 e875000000      call    debugee!printf (00401150)
0:000> u
debugee!main+0x36 [H:\temp\debugee\debugee.cpp @ 19]:
004010d6 e875000000      call    debugee!printf (00401150)
004010db 83c404          add     esp,4
004010de c745fc00000000  mov     dword ptr [ebp-4],0
004010e5 e820ffffff      call    debugee!ILT+5(?loopYAXXZ) (0040100a)
004010ea eb13            jmp     debugee!main+0x5f (004010ff)
004010ec 682c504200      push    offset debugee!`string' (0042502c)
004010f1 e85a000000      call    debugee!printf (00401150)
004010f6 83c404          add     esp,4
Go up: run until the current function returns to its caller
gu
Run wt at the start of a sub-function: it traces every path the function executes and prints statistics at the end
wt
   34     0 [  4]   debugee!write_char
   70    68 [  3]   debugee!write_string
   34     0 [  4]   debugee!write_char
   84   102 [  3]   debugee!write_string
  742   520 [  2]   debugee!_output
   34     0 [  3]   debugee!write_char
  789   554 [  2]   debugee!_output
   34     0 [  3]   debugee!write_char
  808   588 [  2]   debugee!_output
   29  1469 [  1]   debugee!printf
    7     0 [  2]   debugee!_ftbuf

641971 instructions were executed in 641970 events (0 from other threads)

Function Name                        Invocations  MinInst  MaxInst  AvgInst
debugee!_aulldiv                             790       17       17       17
debugee!_aullrem                             790       15       15       15
debugee!_flush                               299       51       51       51
debugee!_ftbuf                               300        7       44       43
debugee!_isatty                              300       14       14       14
debugee!_output                              300      726      808      792
debugee!_stbuf                               300       59       59       59
debugee!_write                               299      330      380      370
debugee!get_int_arg                          300       12       12       12
debugee!loop                                   1     3323     3323     3323
debugee!printf                               300       29       37       36
debugee!write_char                          3190       34       34       34
debugee!write_multi_char                     300       10       10       10
debugee!write_string                         600       12       84       43
kernel32!WriteConsoleA                       299       11       11       11
kernel32!WriteConsoleInternal                299       60       61       60
kernel32!WriteFile                           299       30       30       30
kernel32!_SEH_epilog                         598        9        9        9
kernel32!_SEH_prolog                         598       19       19       19
kernel32!__security_check_cookie             299        5        5        5
ntdll!CsrClientCallServer                    299       39       39       39
ntdll!KiFastSystemCall                       299        2        2        2
ntdll!NtRequestWaitReplyPort                 598        1        2        1
ntdll!ZwRequestWaitReplyPort                 299        1        1        1

299 system calls were executed

Calls  System Call
  299  ntdll!KiFastSystemCall
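The summary block that wt prints is most useful when ranked by where the instructions actually went, which wt itself does not do. The following Python script is an added example, not code from the original post: it parses the summary rows (Function Name, Invocations, MinInst, MaxInst, AvgInst) from a constructed sample re-typed from the listing above and orders the functions by Invocations × AvgInst. The product is only an estimate, since AvgInst is a rounded per-call average; the function and variable names are this example's own.

```python
"""Summarise the per-function table that WinDbg's `wt` command prints.

Added example, not part of the original post. It parses the summary
block (Function Name / Invocations / MinInst / MaxInst / AvgInst) and
ranks functions by an estimate of their total instruction count
(Invocations * AvgInst), which `wt` itself does not print.
"""
import re

# Constructed sample: a subset of the `wt` summary lines shown above,
# re-typed one per line as WinDbg prints them.
SAMPLE_WT_SUMMARY = """\
641971 instructions were executed in 641970 events (0 from other threads)

Function Name                        Invocations  MinInst  MaxInst  AvgInst
debugee!_output                              300      726      808      792
debugee!_write                               299      330      380      370
debugee!printf                               300       29       37       36
debugee!loop                                   1     3323     3323     3323
debugee!write_char                          3190       34       34       34
kernel32!WriteFile                           299       30       30       30
ntdll!KiFastSystemCall                       299        2        2        2

299 system calls were executed
"""

# One summary row: module!symbol followed by four integer columns.
ROW = re.compile(r"^(\S+!\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_wt_summary(text):
    """Return one dict per function row; headers, totals and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, inv, lo, hi, avg = m.groups()
        rows.append({"function": name, "invocations": int(inv),
                     "min": int(lo), "max": int(hi), "avg": int(avg)})
    return rows


def rank_by_total(rows):
    """Sort by Invocations * AvgInst, i.e. where the instructions were spent (estimate)."""
    return sorted(((r["function"], r["invocations"] * r["avg"]) for r in rows),
                  key=lambda t: t[1], reverse=True)


def reported_total(text):
    """The total instruction count that `wt` prints before the table, if present."""
    m = re.search(r"^(\d+) instructions were executed", text, re.M)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    rows = parse_wt_summary(SAMPLE_WT_SUMMARY)
    print("wt reported %d instructions in total" % reported_total(SAMPLE_WT_SUMMARY))
    for name, total in rank_by_total(rows):
        print("%-36s ~%8d instructions" % (name, total))
```

Run on the sample, debugee!_output comes out on top: 300 calls at 792 instructions each dwarf the 3323 instructions attributed to loop itself, which is the kind of conclusion the raw table hides.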
========================================================== ======================================
Data Display
========================================================== ======================================
0:000> dt i
Local var @ 0x12ff28 Type int
803
0:000> ?? i
int 803
0:000> ? poi(i)
Evaluate expression: 803 = 00000323
========================================================== ======================================
Memory
========================================================== ======================================
Display memory
0:000> db i L20
0012ff18  16 00 00 00 80 ff 12 00-ea 10 40 00 00 00 00 00  ..........@.....
0012ff28  00 00 00 00                                      ....
0:000> ds i L20
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0012ff80  "..."
0:000> dd i L20
0012ff18  00000016 0012ff80 004010ea 00000000
0012ff28  00000000 7ffd4000 cccccccc cccccccc
0012ff38  cccccccc cccccccc cccccccc cccccccc
0012ff48  cccccccc cccccccc cccccccc cccccccc
0012ff58  cccccccc cccccccc cccccccc cccccccc
Memory search
0:000> n 16; s i L20 cc
base is 16
0012ff30  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff31  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff32  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff33  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff34  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff35  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff36  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
0012ff37  cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc  ................
Memory editing
Set variable i to 20
n 10; ed i 20
n 10 switches the number radix to decimal; ed then edits the dword at the memory address of i (the variable name evaluates to its address, poi(i) to its value) and sets it to 20.
Set source file options
l+s shows the source line in the Command window while stepping
========================================================== ======================================
Register
========================================================== ======================================
View all registers
r
Modify a register value
r @eax=0x00000323   or   r eax=0x00000323   or   n 16; r eax=323
The n command sets the default number radix. n 16 selects hexadecimal, so the bare 323 is read as 0x323.
Display and set floating-point registers
0:000> rF
fpcw=027F: rn 53 puozdi  fpsw=0000: top=0 cc=0000 --------  fptw=FFFF
fopcode=0000  fpip=0000:00000000  fpdp=0000:00000000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 0.000000000000000000000e+0000
st6= 0.000000000000000000000e+0000  st7= 0.000000000000000000000e+0000
rF st0=123.5e10
Display and set SSE registers
0:000> rX
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
rX xmm0=1 2 3 4
========================================================== ======================================
Threads and stacks
========================================================== ======================================
Thread and stack commands:
Switch to thread 3 (threads are numbered in the order they were created)
~3s
Suspend the current thread
~n
Suspend all threads
~*n
Suspend thread 10
~10n
Resume the current thread
~m
Resume all threads
~*m
Resume thread 10
~10m
Display the call stack, similar to GDB's bt command
k   kd   kn   ~kd   ~*kn
Move to the third frame, index 2 (frame 0 is the current execution position):
0:000> ~kn
 # ChildEBP RetAddr
00 0012ff80 00401209 debugee!main+0x2a [H:\temp\debugee\debugee.cpp @ 19]
01 0012ffc0 77e6f23b debugee!mainCRTStartup+0xe9 [crt0.c @ 206]
02 0012fff0 00000000 kernel32!BaseProcessStart+0x23
0:000> .frame 2
02 0012fff0 00000000 kernel32!BaseProcessStart+0x23
========================================================== ======================================
Shortcut keys for windbg
========================================================== ======================================
Ctrl+S  set the symbol file path
Ctrl+P  set the source file path
Ctrl+E  open an executable (create a child process) and start debugging it
F6  attach to a running process for debugging
F5  continue execution (go)
Shift+F5  stop debugging
Ctrl+Shift+F5  restart
F10  step over
F11 and F8  step into
Shift+F11  step out of the current function
Alt+1  Command window
Alt+2  Locals
Alt+3  Watch
Alt+4  Registers
Alt+5  Memory
Alt+6  Call Stack
Alt+7  Disassembly
Alt+8  Scratch Pad (notepad)
Alt+9  Processes and Threads
========================================================== ======================================
Exception Handling
========================================================== ======================================
// debugee.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"

void loop(void)
{
    for (int i = 0; i < 1000; i ++)
    {
        printf("loop [%d]\n", i);
    }
    *(int *)0 = 0;   // deliberate write to address 0: raises an access violation
}

int main(int argc, char* argv[])
{
    printf("Hello World!\n");
    try
    {
        loop();
    }
    catch (...)
    {
        printf("exception caught.\n");
    }
    return 0;
}
Whether catch (...) catches a structured exception such as this access violation depends on the compiler's exception-handling model (with current MSVC it requires /EHa).
When the exception is raised while the debugger is attached, the debugger sees it first and you decide how execution continues:
1. gn (go, not handled): the debugger declines the exception and lets exception dispatching continue searching the stack for a handler. If you set a breakpoint on the printf inside the catch block before running gn, you can intercept the handling there.
2. gh (go, handled): the debugger tells the operating system that the exception has been handled, so the operating system simply resumes at the faulting instruction, which faults again, and so on. gh is only useful if you fix the fault yourself first, for example by pointing eip at a safe location such as the next instruction.
0040105c e8ef000000      call    debugee!printf (00401150)
00401061 83c408          add     esp,8
00401064 ebdb            jmp     debugee!loop+0x21 (00401041)
>>> the exception is raised by this instruction:
00401066 c7050000000000000000 mov dword ptr ds:[0],0   ds:0023:00000000=????????
00401070 5f              pop     edi
00401071 5e              pop     esi
00401072 5b              pop     ebx
00401073 83c444          add     esp,44h
00401076 3bec            cmp     ebp,esp
00401078 e853010000      call    debugee!_chkesp (004011d0)
0040107d 8be5            mov     esp,ebp
0040107f 5d              pop     ebp
00401080 c3              ret
Set r eip=0x00401070 so that the next instruction becomes the resume point; when execution is resumed it continues normally (or, of course, fix the real cause instead, for example by giving the pointer being written a valid address).
========================================================== ======================================
Dump File
========================================================== ======================================
Generate a minidump
.dump /m f:\debugee_mini.dmp
Generate a full dump (/ma: all available information)
.dump /ma f:\debugee_large.dmp
========================================================== ======================================
Source file and symbol table
========================================================== ======================================
0:000> lm
start    end        module name
00400000 0042f000   debugee  C (private pdb symbols)  H:\temp\debugee\Debug\debugee.pdb
77e40000 77f42000   kernel32   (pdb symbols)          f:\symbols\kernel32.pdb\DAE455BF1E4B4E249CA44790CD7673182\kernel32.pdb
7c800000 7c8c0000   ntdll      (pdb symbols)          f:\symbols\ntdll.pdb\93E72E109DC84F16AA54797E4DA8C1682\ntdll.pdb
0:000> ls
     1: // debugee.cpp : Defines the entry point for the console application.
     2: //
     3:
     4: #include "stdafx.h"
     5:
     6: void loop(void)
     7: {
     8:     for (int i = 0; i < 1000; i ++)
     9:     {
    10:         printf("loop [%d]\n", i);
0:000> lsc
Current: H:\temp\debugee\debugee.cpp(11)
0:000> lsf debugee.cpp
========================================================== ======================================
Symbol Server
========================================================== ======================================
When starting windbg or VS to debug Windows DLLs, you can set the symbol path through an environment variable:
set _NT_SYMBOL_PATH=symsrv*symsrv.dll*f:\localsymbols*http://msdl.microsoft.com/download/symbols
The symbol files can also be downloaded in advance:
symchk.exe /r c:\windows\system32 /s SRV*c:\symbolcache\*http://msdl.microsoft.com/download/symbols
References:
http://www.windbg.info/doc/1-common-cmds.html