Learn to use common WinDbg commands (u, DT, LN, x)

http://blog.csdn.net/wesley2005/article/details/51501514

Directory:

(1) U-command (Disassembly)

(2) DT command (view data structure)

(3) ln command (find the nearest symbol)

(4) X command (displays the symbol of the module)

(5) k command (show call stack)

(6) d command (displayed in data mode)

(7) B command (breakpoint)

(8) LM LMVM (Display module information)

(9). Reload (Reload module)

(!process)!thread. Process. Thread (view process thread information)

(one)!object (View object information)

(!devnode) (View device object)

(+) G command (continue execution)

(+) operators (MASM) (operator,poi,by,& under Assembly, conditional breakpoints most useful)

() e command (write memory data)

(+)!ca command (view controlarea of Session)

(+) r command (view modify register)

With

(1) U-command (Disassembly)

UF icsf! Sfdirectorycontrol

You can view the assembly code for the entire function

U icsf! Sfdirectorycontrol icsf! sfdirectorycontrol+0x30

Can see 30-byte assembly instructions

UB icsf! Sfdirectorycontrol L30

You can view the 30-byte assembly instructions above the Sfdirectorycontrol

(2) DT command (view data structure)

DT NT!_IRP-R2
You can view the level two structure,

In order to know iogetcurrentirpstacklocation macro actually take is _IRP. Tail (0x040). Overlay (0x000). Currentstacklocation (0x020).

In other words, theirp+0x60 store is the address of _io_stack_location .

Instance:

DT Nt!_irp Poi (ebp+0x0c)-r2 * Note: dispatch, the address of the IRP parameter is stored in ebp+0ch

Show results (omit part):

+0x040 Tail: __unnamed
+0x000 Overlay: __unnamed
+0x000 Devicequeueentry: _kdevice_queue_entry
+0x000 Drivercontext: [4] (NULL)
+0x010 Thread:0x822934d8 _ethread
+0x014 auxiliarybuffer:0x8225bc30 "???"
+0x018 listentry: _list_entry [0x0-0x0]
+0x020 currentstacklocation: _io_stack_location
+0x020 Packettype:0x822f29ac
+0x024 Originalfileobject:0x822ecde8 _file_object
Then, you can get the address of IRPSP 0x822f29ac.

(3) ln command (find the nearest symbol)

0:kd> Ln 804e23a2
(804E23A2) nt!  IopfCallDriver | (804e2417) nt! Kiinserttimertable
Exact matches:

(4) X command (displays the symbol of the module)

X nt!*

Displays all the symbols for NT

(5) k command (show call stack)

Kd

Direct display of all stack conditions

Kb

Show Top 3 parameters

Kp

Displays the call stack, and all parameter values and their types

Kc

Displays only the module name and address of the call stack (does not show the address of the call stack)

(6) d command (displayed in data mode)

Da

Display ASCII code

dc

Display characters by single byte

Db

Display by single byte

Dd

Display in 4-byte order

Dd

8-byte display (64-bit common)

Df

Display by floating point

Dp

4-byte or 8-byte display (depending on whether it is a 32-bit system or a 64-bit system)

Dw

Display in 2-byte order

Dw

Display characters by 2 bytes

Dyb

Press bits to display (one byte group)

Dyd

Press bits to display (4 bytes in one group)

(7) B command (breakpoint)

BP 0040108c

BP myexe!main+5c

BP source.c:31

Breakpoint at the specified address

bp myexe!main+5c "J 0!=eax ' DD @eax; GC '; ' GC ' ")

Under conditional breakpoints, how to write expressions can refer to Ben Boven's operators (MASM)

Bl

Show All Breakpoints

BC 1

BC 1-4

BC *

Delete Breakpoint

BD 1

BD 1-4

BD *

Invalidate a breakpoint

BA R4 Dspd!g_global

Under Hardware breakpoints

Bu dspd! DriverEntry

Down delay breakpoint (when the drive image is loaded, the next breakpoint)

BM dspd!openf*

Under Fuzzy breakpoint

(8) LM LMVM (Display module information)

Lm

Show all loading modules

LMVM DSPrivateData64

Displays details of the specified module

(9). Reload (Reload module)

. Reload Dsprivatedata64.sys

. reload/f /I Dsprivatedata64.sys (/f Force load,/I ignores PDB mismatch)

. reload/u dsprivatedata64.sys (unload module)

(!process)!thread. Process. Thread (view process thread information)

!process 0 0

Show All Processes

!process 0x843423 0

Show process Information

. Process 0x843423

Switch to the specified process

. process/i 0x843423

Switch to the specified process after entering the G command

. Thread 0x87668432

Switch to the specified thread

!thread 0x87668432 0

View Thread Information

(one)!object (View object information)

!object \

View information for a specified object

(!devnode) (View device object)

!devnode 0 1

View all Device objects

(+) G command (continue execution)

G

Continue execution

Gu

Execution to this function returns

(+) operators (MASM) (assembly operator,poi,by,&, conditional breakpoint most useful)

View WinDbg Help for operators (MASM)

poi (@ebp)

The address (EBP) points to the pointer. Under kernel debugging, it is the target machine environment. Under User debugging, it is the compilation environment.

by (0x8423d435)

The byte to which the address points

$vvalid(Address, Length)

Specifies whether the range of memory is valid

&! | etc, $SCMP, etc.

() e command (write memory data)

EB 0x838de64c 1

Writes to the specified address memory by single byte

EW (2 bytes)

Ed (4 bytes)

EP (pointer)

EQ (8 bytes)

EA (ASCII string)

EU (Unicode string)

Eza (ASCII string, NULL end)

Ezu (Unicode string, null end)

(+)!ca command (View controlarea of section)

Kd>!ca Ff8636e8

Controlarea @ff8636e8
segment:e1b74548 Flink 0 blink:0
Section ref 0 PFN ref 6c Mapped Views:1
User Ref 1 Subsections 5 Flush count:0
File Object ff86df88 modwritecount 0 System views:0
Waitfordel 0 Paged Usage 380 nonpaged usage E0
Flags (10000a0) Image File haduserreference

(+) r command (view modify register)

kd>Reax

eax=00000000

Check register, also can use, [email protected] and so on

kd>reax=1

eax=00000001

Set the value of the Register

Often used in breakpoints, such as

kd> BP vdiskbus! Initmanager+0xb3 "[Email PROTECTED]=0;GC]

Learn to use common WinDbg commands (u, DT, LN, x)