WinDbg introduction

Source: Internet
Author: User

Excerpt from blog http://www.pediy.com/kssd/pediy10/94457.html

1. Download and install

WinDbg is a free and powerful debugging tool released by Microsoft.

WinDbg is included in the WDK and can also be downloaded on its own. Official page: http://www.microsoft.com/whdc/devtoo...g/default.mspx

2. Introduction to the windows

WinDbg has several windows, whose functions are similar to those of OllyDbg. The names and purposes of the windows are as follows:

3. Symbol and source path settings
WinDbg is a very powerful source-level debugging tool. If we have the source code of the program, we can generally generate its symbol file. When debugging with WinDbg, the symbol file is not located automatically, so we need to set the path ourselves.
The corresponding dialogs are opened from the menu: File > Symbol File Path and File > Source File Path.




You can type the directory directly into the Source Path edit box, or select it with the Browse button. Multiple directories are separated by semicolons.

A symbol is something that identifies a function, variable, or label in a program. For example, after loading the target file together with its source code and symbols, it is easy to use bp WinMain (the main function of the program I used for testing) or bp <function name> (some function in the program).
What if there is no source code? Then we have to use Microsoft's public symbol store. The so-called public symbols can be understood as what lets WinDbg recognize some of Microsoft's system functions.

To set up the public symbol store, simply enter the path in the Symbol File Path edit box. The usual form is:
Srv*g:\symbols*http://msdl.microsoft.com/download/symbols
This means: download symbols from http://msdl.microsoft.com/download/symbols and cache them in G:\symbols (the directory you choose for saving symbols). Then use the .reload command to make WinDbg reload the symbol files. See WinDbg's help documentation for details.
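As an added example (not part of the original post), here is the same symbol and source path setup entered at the WinDbg command prompt, followed by the checks that confirm symbols actually resolved before relying on bp <name>. The module name crackme3 and the local directories are assumptions; $$ starts a comment.

```windbg
$$ Microsoft public symbol store, cached locally in g:\symbols (same path as above)
.sympath srv*g:\symbols*http://msdl.microsoft.com/download/symbols

$$ Append the folder holding your own program's .pdb, and the folder with its sources
$$ (assumed paths; adjust to your build output)
.sympath+ c:\projects\crackme3\bin
.srcpath c:\projects\crackme3\src

$$ Make symbol loading verbose so a failed download or a .pdb mismatch is visible,
$$ then force the symbols of every loaded module to be reloaded with the new path
!sym noisy
.reload /f

$$ Verify: the module line should name a .pdb, not "export symbols" or "no symbols",
$$ and the function should be found by name
lm m crackme3
x crackme3!WinMain

$$ Back to quiet output; the breakpoint from the text now resolves by name
!sym quiet
bp crackme3!WinMain
g
```

If x prints nothing, the symbol path or the .pdb is wrong and bp crackme3!WinMain will fail to resolve; fix that before continuing.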

4. Working Space

Workspaces are what WinDbg uses to save the current working environment. For example, you can save the current window layout, symbol path settings, and so on, and they do not need to be set again the next time you load the target.

For example, when no debug target is loaded, the current workspace is WinDbg's default startup environment. All settings made here, including the window layout and the symbol and source path settings, can be saved according to the user's needs. WinDbg offers several ways to save them, including:

Save Workspace: saves directly (to the default location)
Save Workspace As: Save As (to a user-specified, named workspace)
--------------------------------------------------------------------------
The "file" in the two options above is not really a file on disk; WinDbg stores the workspace entries in the registry.
The registry location is: HKEY_CURRENT_USER\Software\Microsoft\Windbg\Workspaces
This key usually contains four subkeys: User, Kernel, Dump, and Explicit. The first three hold the default workspaces saved with Save Workspace for user-mode debugging, kernel debugging, and dump-file debugging respectively; Explicit records the named workspaces saved with Save Workspace As. Sometimes a subkey is missing, which simply means your WinDbg has not yet done that type of debugging.
For example, I have these entries under HKEY_CURRENT_USER\Software\Microsoft\Windbg\Workspaces in my registry:

which means that my WinDbg has not yet debugged any dump files.

Then expand the User subkey:

As you can see, I have debugged three programs in user mode, CrackMe3.exe, CrackMe32.exe, and Adsfsf.exe, and their workspaces were saved with Save Workspace.

Some people may ask: sometimes after debugging a program I did not choose Save Workspace but closed WinDbg directly, and the workspace was still saved automatically. This is because your WinDbg is set to "Always Save".
You can open the settings dialog from the menu View > Options:

The red box in the figure marks the setting for what happens when a workspace is closed:
Select "Always Ask" to ask the user whether to save when the workspace is closed;
Select "Always Save" to save the workspace automatically when it is closed;
Select "Never Save" to never save.

In addition, WinDbg provides another way of saving, "Save Workspace to File". It works like the two methods above, but writes the workspace to a file on disk, so users can copy the workspace environment to other machines with a USB flash drive or by other means.

When a workspace was saved with the default Save method, WinDbg automatically loads the corresponding workspace the next time you open that target file.

Also, changing and saving the workspace after a debug target has been loaded does not change WinDbg's default startup environment; it only changes the workspace saved for that debug target. Only changes made while WinDbg has no debug target loaded affect the original startup environment.

5. Common Operations and commands
F9: Toggle breakpoint. Place the cursor on the line (in the gray bar) and press F9 to set a breakpoint; pressing F9 again removes it.

F10: Step over. Each press executes one instruction in the Disassembly window; when a call to a subroutine is encountered, the subroutine's code is not entered.

F8 or F11: Step into. Similar to step over (F10), except that when a call or other entry into a subroutine is encountered, it enters the subroutine and stops on its first instruction.

F7: Run to the selected location. Runs directly to the cursor position and pauses there.

SHIFT+F11: Step out. Runs until the current function returns.

F5: Go. If no breakpoint is set, pressing this key simply lets the program being debugged run.

Alternatively, press SHIFT+F11 repeatedly until you return to user code.

Note that a line shown in blue in the Disassembly window is not necessarily the address currently being executed. WinDbg's Disassembly window shows a fixed number of lines at a time; you can scroll through the code before and after it with the Previous and Next buttons in the upper right corner of the window or with the mouse wheel, and whatever line lands in the middle is shown in blue. To return to the instruction currently being executed, click the menu Edit > Go to Current Instruction.
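Added example, not from the original post: the command-window equivalents of the keys above, using crackme3 as an assumed module name. The bu form matters for the workspace point raised in the summary: bu breakpoints are kept in the workspace, while bp breakpoints (tied to a resolved address) are not.

```windbg
$$ F9 equivalent: set a breakpoint by symbol. bu (unresolved) is resolved when the
$$ module loads and is saved with the workspace; bp is address-based and is not saved
bu crackme3!WinMain

$$ List breakpoints and their status (resolved or still deferred)
bl

$$ F5: go, i.e. run until a breakpoint or an exception stops the target
g

$$ F10: step over one instruction (a call is executed but not entered)
p

$$ F8 / F11: trace (step into) one instruction
t

$$ Shift+F11: go up, i.e. run until the current function returns
gu

$$ F7 (run to cursor) equivalent: run to a given address, here an offset into WinMain
g crackme3!WinMain+0x20

$$ If the Disassembly window has scrolled away from the current instruction
$$ (Edit > Go to Current Instruction), unassemble from the instruction pointer
u @$ip

$$ Clear all breakpoints when done
bc *
```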

6. Summary
After a tip from Nightxie, I now know that breakpoints set with bu can be saved to the workspace. Thanks for the tip.
