http://blog.csdn.net/wesley2005/article/details/51501514
Contents:
(1) u command (disassemble)
(2) dt command (display a data structure)
(3) ln command (find the nearest symbol)
(4) x command (list a module's symbols)
(5) k command (display the call stack)
(6) d command (display memory)
(7) b commands (breakpoints)
(8) lm, lmvm (display module information)
(9) .reload (reload module symbols)
(10) !process, !thread, .process, .thread (process and thread information)
(11) !object (object information)
(12) !devnode (device nodes)
(13) g command (continue execution)
(14) MASM operators (poi, by, &, ...; the most useful ones for conditional breakpoints)
(15) e command (write memory)
(16) !ca command (display a section's control area)
(17) r command (display and modify registers)
Details:
(1) u command (disassemble)
uf icsf!SfDirectoryControl
Disassembles the whole function; uf follows the function's basic blocks, so it also picks up code that is not contiguous with the entry point.
u icsf!SfDirectoryControl icsf!SfDirectoryControl+0x30
Disassembles the 0x30 bytes starting at SfDirectoryControl (a range given as start and end address).
ub icsf!SfDirectoryControl L30
Disassembles the 0x30 instructions that precede SfDirectoryControl. Disassembling backwards on x86 has to guess instruction boundaries because instructions are variable length, so check that the listing ends exactly at the symbol before trusting it.
(2) dt command (display a data structure)
dt nt!_IRP -r2
Displays the structure with nested members expanded two levels deep.
From this you can see what the IoGetCurrentIrpStackLocation macro actually reads: _IRP.Tail (+0x040).Overlay (+0x000).CurrentStackLocation (+0x020).
In other words, on a 32-bit target irp+0x60 holds the address of the current _IO_STACK_LOCATION. These offsets are from the x86 layout and differ on x64, so re-check them with dt on the target you are actually debugging.
Example:
dt nt!_IRP poi(ebp+0x0c) -r2    Note: in a driver dispatch routine (x86 stdcall frame) the first parameter, DeviceObject, is at ebp+8 and the second, the IRP pointer, at ebp+0ch
Output (partial):
   +0x040 Tail             : __unnamed
      +0x000 Overlay          : __unnamed
         +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
         +0x000 DriverContext    : [4] (null)
         +0x010 Thread           : 0x822934d8 _ETHREAD
         +0x014 AuxiliaryBuffer  : 0x8225bc30  "???"
         +0x018 ListEntry        : _LIST_ENTRY [ 0x0 - 0x0 ]
         +0x020 CurrentStackLocation : _IO_STACK_LOCATION
         +0x020 PacketType       : 0x822f29ac
         +0x024 OriginalFileObject : 0x822ecde8 _FILE_OBJECT
The IRP stack location (IrpSp) is therefore at 0x822f29ac: PacketType shares the union at +0x020 with CurrentStackLocation, so it shows the same pointer value.
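Worked example (added here; it is not code from the original post): a small Python parser for dt -r output that sums the relative offsets dt prints along each member path, so you can confirm that Tail (+0x040).Overlay (+0x000).CurrentStackLocation (+0x020) lands at +0x60 and see which union members alias it. The sample listing inside the code is constructed to follow the x86 _IRP layout shown above, and the names parse_dt, member_offset and aliases are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `dt nt!_IRP -r2` output on a 32-bit target, modelled on
# the listing above; dt indents each nesting level by three more spaces.
SAMPLE_DT_OUTPUT = """\
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 MdlAddress       : Ptr32 _MDL
   +0x040 Tail             : __unnamed
      +0x000 Overlay          : __unnamed
         +0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
         +0x000 DriverContext    : [4] Ptr32 Void
         +0x010 Thread           : Ptr32 _ETHREAD
         +0x014 AuxiliaryBuffer  : Ptr32 Char
         +0x018 ListEntry        : _LIST_ENTRY
         +0x020 CurrentStackLocation : Ptr32 _IO_STACK_LOCATION
         +0x020 PacketType       : Uint4B
         +0x024 OriginalFileObject : Ptr32 _FILE_OBJECT
      +0x000 Apc              : _KAPC
      +0x000 CompletionKey    : Ptr32 Void
"""

_MEMBER = re.compile(r"^( *)\+0x([0-9A-Fa-f]+)\s+(\w+)\s*:\s*(.*)$")

def parse_dt(text: str, indent_width: int = 3) -> Dict[str, Tuple[int, str]]:
    """Map each dotted member path to (absolute offset, type text).

    The offsets dt prints are relative to the enclosing member, so the
    absolute offset of a nested member is the sum along its path."""
    result: Dict[str, Tuple[int, str]] = {}
    stack: List[Tuple[int, str, int]] = []      # (depth, name, absolute offset)
    for line in text.splitlines():
        m = _MEMBER.match(line)
        if not m:
            continue                             # headers, blank lines
        indent, local, name, typ = m.groups()
        depth = len(indent) // indent_width
        while stack and stack[-1][0] >= depth:   # climb back out to the parent
            stack.pop()
        absolute = (stack[-1][2] if stack else 0) + int(local, 16)
        path = ".".join([s[1] for s in stack] + [name])
        result[path] = (absolute, typ.strip())
        stack.append((depth, name, absolute))
    return result

def member_offset(text: str, path: str) -> int:
    """Absolute offset of e.g. 'Tail.Overlay.CurrentStackLocation'."""
    return parse_dt(text)[path][0]

def aliases(text: str, path: str) -> List[str]:
    """Other members that start at the same absolute offset (union overlays)."""
    table = parse_dt(text)
    target = table[path][0]
    return sorted(p for p, (off, _) in table.items() if off == target and p != path)

if __name__ == "__main__":
    for p, (off, typ) in parse_dt(SAMPLE_DT_OUTPUT).items():
        print(f"+0x{off:03x} {p:40} {typ}")
```

Paste the real output of dt into SAMPLE_DT_OUTPUT (or read it from a file) to get the absolute offsets for whatever structure and target you are looking at; the union aliases are what tell you that a value shown under a differently named member, like PacketType above, is the pointer you want.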
(3) ln command (find the nearest symbol)
0: kd> ln 804e23a2
(804e23a2)   nt!IopfCallDriver   |  (804e2417)   nt!KiInsertTimerTable
Exact matches:
The first symbol is the nearest one at or below the address, the second the nearest one above it; an exact match is listed only when the address is the start of a symbol.
(4) x command (list a module's symbols)
x nt!*
Lists every symbol in nt. The output is very long, so narrow it with a pattern such as x nt!Iof* or x nt!*Irp*.
(5) k command (display the call stack)
kd
Dumps the raw stack memory, annotating every value that resolves to a symbol (useful when the frame chain is broken and k cannot walk it)
kb
Shows the first three parameters of each frame (on x86 these are the stack slots after the return address, so they are only meaningful for stdcall/cdecl frames)
kp
Shows each frame with all of its parameters, including their names and types (requires private symbols)
kc
Shows only the module!function names, without return addresses or frame pointers
(6) d command (display memory)
da
ASCII string
dc
DWORDs, with the ASCII characters of the same bytes alongside
db
Bytes, with ASCII alongside
dd
DWORDs (4 bytes each)
dq
QWORDs (8 bytes each; the usual choice on 64-bit targets)
df
Single-precision floating-point values
dp
Pointer-size values (4 bytes on a 32-bit target, 8 bytes on a 64-bit target)
dw
WORDs (2 bytes each)
dW
WORDs with ASCII alongside (capital W)
dyb
Binary, grouped one byte at a time
dyd
Binary, grouped four bytes at a time
Multi-byte units are shown in the target's native little-endian order, so the bytes 78 56 34 12 print as 12345678 under dd.
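Added example, not code from the original page: a Python rendering of what db, dw, dd, dq, dc, dp and da print for the same 16 bytes, to make the little-endian regrouping concrete. The sample bytes and the address 0x822f29a0 are constructed, and the functions values and dump are this example's own, not WinDbg APIs.

```python
# Constructed 16-byte sample at a made-up address: a little-endian DWORD
# 0x12345678, the text "IRP" with its NUL, then two pointer-like values.
SAMPLE_BASE = 0x822f29a0
SAMPLE = bytes.fromhex("78563412") + b"IRP\x00" + bytes.fromhex("ac292f82e8cd2e82")

# Unit width in bytes for the fixed-width display commands.
WIDTHS = {"db": 1, "dw": 2, "dW": 2, "dc": 4, "dd": 4, "dq": 8}
# Commands that print an ASCII column next to the hex.
WITH_ASCII = {"db", "dW", "dc"}

def unit_width(cmd: str, ptr_size: int = 4) -> int:
    if cmd == "dp":
        return ptr_size                 # follows the target's pointer size
    if cmd in WIDTHS:
        return WIDTHS[cmd]
    raise ValueError(f"unsupported command {cmd}")

def values(cmd: str, data: bytes, ptr_size: int = 4) -> list:
    """Integers the command would print, in display order (little-endian units)."""
    w = unit_width(cmd, ptr_size)
    return [int.from_bytes(data[i:i + w], "little") for i in range(0, len(data) - w + 1, w)]

def ascii_column(chunk: bytes) -> str:
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)

def dump(cmd: str, data: bytes, base: int, ptr_size: int = 4) -> list:
    """Render lines the way WinDbg lays them out: address, hex units, optional ASCII."""
    if cmd == "da":
        text = data.split(b"\x00", 1)[0].decode("ascii", "replace")
        return [f'{base:08x}  "{text}"']
    w = unit_width(cmd, ptr_size)
    lines = []
    for off in range(0, len(data), 16):         # 16 bytes per output line
        row = data[off:off + 16]
        hexpart = " ".join(f"{v:0{2 * w}x}" for v in values(cmd, row, ptr_size))
        line = f"{base + off:08x}  {hexpart}"
        if cmd in WITH_ASCII:
            line += "  " + ascii_column(row)
        lines.append(line)
    return lines

if __name__ == "__main__":
    for cmd in ("db", "dw", "dd", "dq", "dc", "da"):
        print(cmd, *dump(cmd, SAMPLE, SAMPLE_BASE), sep="\n  ")
```

The point to take away is that the same four bytes 78 56 34 12 read as 12345678 under dd but 5678 1234 under dw: a pointer you copy out of a db listing has to be byte-reversed, while dd and dp already give it to you in the form you can pass to dt or poi.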
(7) b commands (breakpoints)
bp 0040108c
bp myexe!main+5c
bp `source.c:31`
Set a breakpoint at an address, at a symbol plus offset, or at a source line (the source-line form needs the backticks)
bp myexe!main+5c "j 0!=@eax 'dd @eax; gc'; 'gc'"
A conditional breakpoint: j (execute-if) evaluates the expression and runs the first quoted command string if it is true, the second otherwise; gc resumes execution in the same way the breakpoint was hit. See section (14) of this article for the MASM operators used in such expressions.
bl
List all breakpoints with their numbers and status
bc 1
bc 1-4
bc *
Clear (delete) breakpoints by number, by range, or all of them
bd 1
bd 1-4
bd *
Disable breakpoints (they stay in the list but do not fire; be re-enables them)
ba r4 dspd!g_global
Hardware (data) breakpoint: break when the 4 bytes at g_global are read or written (w4 for writes only, e1 to break on execution)
bu dspd!DriverEntry
Unresolved (deferred) breakpoint: set it before the driver image is loaded and it becomes active once the module loads and the symbol resolves
bm dspd!openf*
Pattern breakpoint: sets a breakpoint on every symbol that matches the wildcard
(8) lm, lmvm (display module information)
lm
List all loaded modules and their symbol status
lmvm DSPrivateData64
Verbose details (image path, timestamp, symbol file, version) for the named module
(9) .reload (reload module symbols)
.reload DSPrivateData64.sys
Reloads the symbol information for the module
.reload /f /i DSPrivateData64.sys    (/f forces an immediate load instead of deferred loading; /i ignores a PDB timestamp or checksum mismatch)
.reload /u DSPrivateData64.sys    (unloads the module's symbols)
With /i the debugger accepts a PDB that does not match the image, so member offsets and function names can be silently wrong; use it only when you know the PDB really belongs to that build.
(10) !process, !thread, .process, .thread (process and thread information)
!process 0 0
List all processes (the second argument is the detail level; 0 is the shortest)
!process 0x843423 0
Show information for the process whose EPROCESS is at that address
.process 0x843423
Switch the debugger's process context to that EPROCESS so its user-mode addresses can be translated
.process /i 0x843423
Invasive switch: after you type g, the debugger breaks in again with that process as the current one; needed for user-mode breakpoints in that process
.thread 0x87668432
Switch to the specified thread (ETHREAD address)
!thread 0x87668432 0
Display information for that thread
(11) !object (object information)
!object \
Display the named object; with \ it lists the root directory of the object manager namespace
(12) !devnode (device nodes)
!devnode 0 1
Dump the whole PnP device tree, one line per device node with its instance path and service (driver) name
(13) g command (continue execution)
g
Continue execution
gu
Go up: run until the current function returns to its caller
(14) MASM operators (poi, by, &, ...; the most useful ones for conditional breakpoints)
See the WinDbg help topic on MASM numbers and operators for the full list.
poi(@ebp)
The pointer-size value stored at the address in ebp. The pointer size is the target's, not the debugger host's: the debugged machine's in kernel debugging, the debuggee process's in user-mode debugging.
by(0x8423d435)
The low byte at the address (wo and dwo read a WORD and a DWORD the same way)
$vvalid(Address, Length)
1 if the memory range is valid, 0 otherwise; use it in a breakpoint condition to guard against dereferencing a bad pointer
Also &, |, !, the comparison operators, and string functions such as $scmp and $sicmp
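Added example for sections (7) and (14), not code from the original page: a small Python evaluator for the MASM expression subset used in conditional breakpoints (hex literals, @register, poi/by/wo/dwo/qwo, $vvalid, == and !=) run against a constructed 32-bit target. It walks the chain a dispatch-routine breakpoint would use, poi(@ebp+0c) for the IRP and poi(...+60) for the current stack location, then by(...) for its MajorFunction, and evaluates the 0!=@eax condition from section (7). All addresses and the Target and MasmEvaluator classes are this example's own assumptions, not WinDbg internals.

```python
import re
from typing import Dict

class Target:
    """Constructed stand-in for a 32-bit target: registers plus a sparse byte map."""
    def __init__(self, regs: Dict[str, int], ptr_size: int = 4):
        self.regs, self.ptr_size, self.mem = dict(regs), ptr_size, {}
    def write(self, addr: int, value: int, size: int) -> None:
        for i, b in enumerate(value.to_bytes(size, "little")):
            self.mem[addr + i] = b
    def valid(self, addr: int, length: int) -> bool:
        return all(addr + i in self.mem for i in range(length))
    def read(self, addr: int, size: int) -> int:
        if not self.valid(addr, size):          # like WinDbg's "Memory access error"
            raise MemoryError(f"Memory access error at {addr:#x}")
        return int.from_bytes(bytes(self.mem[addr + i] for i in range(size)), "little")

# Dereference functions and their width in bytes (None = target pointer size).
DEREF = {"poi": None, "by": 1, "wo": 2, "dwo": 4, "qwo": 8}
_TOKEN = re.compile(r"@\w+|[\w$]+|!=|==|[-+(),]")

class MasmEvaluator:
    """Evaluates the MASM subset used in conditional breakpoints: hex literals
    (default radix; 0x and 0n prefixes), @register, + -, parentheses, DEREF, $vvalid, == !=."""
    def __init__(self, target: Target):
        self.t = target
        self.mask = (1 << (8 * target.ptr_size)) - 1   # wrap like target registers
    def evaluate(self, expr: str) -> int:
        self.toks, self.pos = _TOKEN.findall(expr), 0
        if "".join(self.toks) != re.sub(r"\s+", "", expr):
            raise SyntaxError(f"bad token in {expr!r}")
        value = self._compare()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected {self.toks[self.pos]!r}")
        return value
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _next(self, expect=None) -> str:
        tok = self._peek()
        if tok is None or (expect is not None and tok != expect):
            raise SyntaxError(f"expected {expect or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok
    def _compare(self) -> int:
        left = self._sum()
        while self._peek() in ("==", "!="):
            op, right = self._next(), self._sum()
            left = int(left == right if op == "==" else left != right)
        return left
    def _sum(self) -> int:
        left = self._primary()
        while self._peek() in ("+", "-"):
            op, right = self._next(), self._primary()
            left = (left + right if op == "+" else left - right) & self.mask
        return left
    def _primary(self) -> int:
        tok = self._next()
        if tok == "(":
            value = self._compare()
            self._next(")")
            return value
        if tok.startswith("@"):                       # register, e.g. @ebp
            return self.t.regs[tok[1:].lower()]
        low = tok.lower()
        if low in DEREF:                              # poi(expr), by(expr), ...
            self._next("(")
            addr = self._compare()
            self._next(")")
            return self.t.read(addr, DEREF[low] or self.t.ptr_size)
        if low == "$vvalid":                          # $vvalid(addr, length): 1 or 0
            self._next("(")
            addr = self._compare()
            self._next(",")
            length = self._compare()
            self._next(")")
            return int(self.t.valid(addr, length))
        if low.startswith("0n"):                      # 0n prefix forces decimal
            return int(low[2:], 10)
        try:
            return int(low, 16)                       # default radix is hex
        except ValueError:
            raise SyntaxError(f"unknown symbol {tok!r}; write registers as @reg") from None

def build_dispatch_target() -> Target:
    """x86 dispatch-routine frame, all addresses constructed: [ebp+0xc] = Irp."""
    EBP, IRP, IRPSP = 0x8b2d3a00, 0x822f2900, 0x822f29ac
    t = Target({"ebp": EBP, "eax": 0}, ptr_size=4)
    t.write(EBP, 0, 0x20)               # zero-filled stack frame
    t.write(IRP, 0, 0x100)              # zero-filled IRP plus its stack locations
    t.write(EBP + 0xc, IRP, 4)          # second parameter: Irp
    t.write(IRP + 0x60, IRPSP, 4)       # Tail.Overlay.CurrentStackLocation (see dt section)
    t.write(IRPSP + 0, 0x0c, 1)         # IO_STACK_LOCATION.MajorFunction = IRP_MJ_DIRECTORY_CONTROL
    t.write(IRPSP + 1, 0x01, 1)         # MinorFunction = IRP_MN_QUERY_DIRECTORY
    return t
```

MasmEvaluator(build_dispatch_target()).evaluate("by(poi(poi(@ebp+0c)+60))") returns 0xc, which is what a breakpoint condition such as j by(poi(poi(@ebp+0c)+60))==0c '...' tests for; wrapping the dereference in $vvalid first is what keeps a bad IRP pointer from turning the breakpoint into a memory access error.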
(15) e command (write memory)
eb 0x838de64c 1
Write bytes at the address (further values follow as a space-separated list)
ew  (2-byte WORDs)
ed  (4-byte DWORDs)
ep  (pointer-size values)
eq  (8-byte QWORDs)
ea  (ASCII string, no terminating NUL)
eu  (Unicode string, no terminating NUL)
eza (ASCII string with a terminating NUL)
ezu (Unicode string with a terminating NUL)
(16) !ca command (display a section's control area)
kd> !ca ff8636e8
ControlArea  @ff8636e8
  Segment:    e1b74548   Flink          0   Blink:          0
  Section Ref        0   Pfn Ref       6c   Mapped Views:   1
  User Ref           1   Subsections    5   Flush Count:    0
  File Object ff86df88   ModWriteCount  0   System Views:   0
  WaitForDel         0   Paged Usage  380   NonPaged Usage e0
  Flags (10000a0) Image File HadUserReference
The control area ties a section to its backing file object and segment: the Image and File flags say this section maps an image file, and File Object is the _FILE_OBJECT you can inspect next with dt.
(17) r command (display and modify registers)
kd> r eax
eax=00000000
Display a register; r @eax works as well
kd> r eax=1
eax=00000001
Set the register's value
Often used inside a breakpoint command, for example to force a function's return value and continue:
kd> bp vdiskbus!InitManager+0xb3 "r @eax=0; gc"
Learn to use common WinDbg commands (u, DT, LN, x)