1 .logopen logfile.log
This command creates a WinDbg log file. From the moment the file is opened until .logclose is called, the whole debugging session is written to logfile.log. This is useful for reviewing and retracing the debugging process.
2 bp module!FunctionName (or memory address)
This command sets a breakpoint at the specified location. When the program reaches the breakpoint, execution is interrupted and the debugger waits for the user to act (this is called hitting the breakpoint). Multiple breakpoints can be set in a program. This command is commonly used for live debugging; it is not needed for static dump files.
3 bl
This command lists all breakpoint information.
0:000> bp mydebug!Callfast
0:000> bl
0 e 00401430 0001 (0001) 0:*** mydebug!Callfast
4 ln address (the address can be a register value, module!function, and so on, as long as it denotes a memory address)
This command lists the functions nearest to the specified address (list nearest function).
Ln 1, 00401430
D:\study\mydebug.cpp(48)
(00401430) mydebug!Callfast | (004014f0) mydebug!Myfunction
5 dd memory address (the optional parameter Lx specifies the display length; the default length is 8)
This command displays memory starting at the specified address in units of 4 bytes. By default, 32 consecutive units are displayed, that is, 32*4 bytes of content. Displaying too much irrelevant memory only gets in the way, so the number of units to display can also be specified, as shown below.
dd esp L4 displays the four units starting at the address held in ESP, that is, 16 bytes of content on one line.
dd esp
0012fe04 0012feb8 00000000 7ffdd000 cccccccc
0012fe14 cccccccc cccccccccc
0012fe24 cccccccccc cccccccc cccccccccc
0012fe34 cccccccc cccccccccc
0012fe44 cccccccc 00000000
0012fe54 00000000 00000004 004310d8 0012feb8
0012fe64 00401402 00000006 0012ff18 00000000
0012fe74 7ffdd000 cccccccc
0:000> dd esp L4
0012fe04 0012feb8 00000000 7ffdd000 cccccccc
This command is used very frequently.
6 db memory address (Lx; the default length is 8)
This command is very similar to dd, but db displays memory in units of one byte, and the byte order it shows is exactly the opposite of dd (high-low): db lists bytes in memory order, while dd prints each 4-byte unit as a little-endian value. Compared with dd, db has the advantage that it shows the corresponding ASCII characters on the right, which is particularly useful when viewing strings in memory.
db 00431124
00431124  52 65 73 75 6C 74 20 6f-66 20 74 68 65 20 64 69  Result of the di
00431134  76 69 73 69 6f 6e 20 6f-66 20 25 64 20 62 79 20  vision of %d by 
00431144  25 64 20 69 73 20 3A 25-64 00 00 00 00 00 00 00  %d is :%d.......
00431154  00 00 00 00 69 33 38 36-5c 63 68 6B 65 73 70 2E  ....i386\chkesp.
00431164  63 00 00 00 00 00 00 00-54 68 65 20 76 61 6C 75  c.......The valu
00431174  65 20 6f 66 20 45 53 50-20 77 61 73 20 6e 6f 74  e of ESP was not
00431184  20 70 72 6f 70 65 72 6c-79 20 73 61 76 65 64 20   properly saved 
00431194  61 63 72 6f 73 73 20 61-20 66 75 6e 63 74 69 6f  across a functio
This command displays 16x8 bytes of consecutive content starting at address 00431124, with the corresponding ASCII characters in the rightmost column.
7 da memory address
This command displays the string at the specified memory address. Instead of displaying eight consecutive lines of units like dd and db, it stops at the terminating character, so it is particularly useful when viewing strings in memory.
0:000> da 00431124
00431124  "Result of the division of %d by "
00431144  "%d is :%d"
This command displays only the string starting at 00431124 and then stops automatically. Compare this with the db output shown above.
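The relationship between the dd, db and da views, as an added example that is not part of the original article: the Python below renders the first 48 bytes of the db dump above in all three ways. The function names are made up for illustration, and the column layout (including da's 32-character wrap) follows the output shown on this page.

```python
import struct

# First 48 bytes at 00431124, copied from the db dump shown above.
BASE = 0x00431124
MEM = bytes.fromhex(
    "52657375 6c74206f 66207468 65206469"
    "76697369 6f6e206f 66202564 20627920"
    "25642069 73203a25 64000000 00000000"
)

def db_lines(base, mem):
    """Byte view: bytes in memory order plus an ASCII column."""
    out = []
    for off in range(0, len(mem), 16):
        row = mem[off:off + 16]
        hexs = [f"{b:02x}" for b in row]
        left, right = " ".join(hexs[:8]), " ".join(hexs[8:])
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in row)
        out.append(f"{base + off:08x}  {left}-{right}  {text}")
    return out

def dd_lines(base, mem):
    """DWORD view: each 4-byte group is read as a little-endian value,
    so the bytes of every group appear reversed compared with db."""
    out = []
    for off in range(0, len(mem), 16):
        row = mem[off:off + 16]
        count = len(row) // 4
        words = struct.unpack(f"<{count}I", row[:count * 4])
        out.append(f"{base + off:08x}  " + " ".join(f"{w:08x}" for w in words))
    return out

def da_lines(base, mem, width=32):
    """String view: stop at the first NUL, wrap every `width` characters."""
    end = mem.find(b"\x00")
    text = mem[:end if end >= 0 else len(mem)].decode("ascii", "replace")
    return [f'{base + i:08x}  "{text[i:i + width]}"'
            for i in range(0, len(text), width)]

if __name__ == "__main__":
    for view in (dd_lines, db_lines, da_lines):
        print(view.__name__)
        print("\n".join(view(BASE, MEM)))
```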
8 k, kb, kv, kn
The k command displays the whole call stack. kb additionally displays the first three double words used to pass parameters to each function.
kv builds on kb and also displays the calling convention information.
kn builds on kb and displays the frame number of each call stack frame on the far left. You can use the .frame command to select the corresponding call stack frame for debugging. For example, dv then shows the input parameter values of the selected frame and the values of the local variables in the function body.
As follows:
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
0012fe60 00401402 mydebug!Callfast+0x60 [D:\study\mydebug.cpp @ 58]
0012feb8 00401393 mydebug!Callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
0012ff18 0040130a mydebug!Callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
0012ff80 00401969 mydebug!Main+0x9a [D:\study\mydebug.cpp @ 28]
0012ffc0 77e6f23b mydebug!Maincrtstartup+0xe9 [crt0.c @ 206]
0012fff0 00000000 Kernel32!Baseprocessstart+0x23
0:000> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child
0012fe60 00401402 00000006 0012ff18 00000000 mydebug!Callfast+0x60 [D:\study\mydebug.cpp @ 58]
0012feb8 00401393 004310d8 00000004 00000006 mydebug!Callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
0012ff18 0040130a 0043101c 00000004 00000006 mydebug!Callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
0012ff80 00401969 00000001 000000e90 000000dc0 mydebug!Main+0x9a [D:\study\mydebug.cpp @ 28]
0012ffc0 77e6f23b 00000000 00000000 7ffdd000 mydebug!Maincrtstartup+0xe9 [crt0.c @ 206]
0012fff0 00000000 00401880 00000000 78746341 Kernel32!Baseprocessstart+0x23
0:000> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child
0012fe60 00401402 00000006 0012ff18 00000000 mydebug!Callfast+0x60 [D:\study\mydebug.cpp @ 58]
0012feb8 00401393 004310d8 00000004 00000006 mydebug!Callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
0012ff18 0040130a 0043101c 00000004 00000006 mydebug!Callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
0012ff80 00401969 00000001 000000e90 000000dc0 mydebug!Main+0x9a [D:\study\mydebug.cpp @ 28]
0012ffc0 77e6f23b 00000000 00000000 7ffdd000 mydebug!Maincrtstartup+0xe9 [crt0.c @ 206]
0012fff0 00000000 00401880 00000000 78746341 Kernel32!Baseprocessstart+0x23 (FPO: [non-FPO])
kn
 # ChildEBP RetAddr
00 0012fe60 00401402 mydebug!Callfast+0x60 [D:\study\mydebug.cpp @ 58]
01 0012feb8 00401393 mydebug!Callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
02 0012ff18 0040130a mydebug!Callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
03 0012ff80 00401969 mydebug!Main+0x9a [D:\study\mydebug.cpp @ 28]
04 0012ffc0 77e6f23b mydebug!Maincrtstartup+0xe9 [crt0.c @ 206]
05 0012fff0 00000000 Kernel32!Baseprocessstart+0x23
// The call stack frame number is displayed on the left
Run .frame frameno, for example .frame 0, to select the corresponding call stack frame. dv can then show the parameter values in that frame.
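When a session has been captured with .logopen, the kb lines can be turned into structured frames for triage. The following is an added example, not part of the original article: the function names are hypothetical, the sample frames are copied from the kb output above with spacing normalised, and the EBP ordering check assumes ordinary x86 frames on a single stack.

```python
import re

# Four frames copied from the kb output above (spacing normalised).
KB_LOG = r"""
0:000> kb
ChildEBP RetAddr  Args to Child
0012fe60 00401402 00000006 0012ff18 00000000 mydebug!Callfast+0x60 [D:\study\mydebug.cpp @ 58]
0012feb8 00401393 004310d8 00000004 00000006 mydebug!Callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
0012ff18 0040130a 0043101c 00000004 00000006 mydebug!Callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
0012fff0 00000000 00401880 00000000 78746341 Kernel32!Baseprocessstart+0x23
"""

# ChildEBP, RetAddr, three argument DWORDs, module!function+offset,
# then an optional [source file @ line] suffix.
FRAME = re.compile(
    r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<args>(?:[0-9a-f]{8}\s+){3})"
    r"(?P<module>[^!\s]+)!(?P<func>[^+\s]+)\+0x(?P<off>[0-9a-f]+)"
    r"(?: \[(?P<file>.+) @ (?P<line>\d+)\])?$"
)

def parse_kb(text):
    """Return one dict per kb frame; prompts and headers are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        frames.append({
            "ebp": int(m["ebp"], 16),
            "ret": int(m["ret"], 16),
            "args": [int(a, 16) for a in m["args"].split()],
            "symbol": f'{m["module"]}!{m["func"]}',
            "offset": int(m["off"], 16),
            "source": (m["file"], int(m["line"])) if m["file"] else None,
        })
    return frames

def ebp_chain_ok(frames):
    """The x86 stack grows down, so each caller's EBP must be higher
    than its callee's; a violation suggests a damaged or mixed trace."""
    return all(a["ebp"] < b["ebp"] for a, b in zip(frames, frames[1:]))

if __name__ == "__main__":
    frames = parse_kb(KB_LOG)
    for f in frames:
        print(f'{f["symbol"]}+{f["offset"]:#x} args={f["args"]}')
    print("EBP chain consistent:", ebp_chain_ok(frames))
```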
9 .sympath+ sympath
This command should really have been described first. When we start to analyze a dump file, we must first load its symbols (generally files with the .pdb or .dbg suffix). To do that, we specify the symbol path and then reload. The commands are as follows:
.sympath+ c:\mydump\
.reload
If you only need to display the current symbol search path, run .sympath on its own.
How do I set the path from which WinDbg loads symbol files automatically?
We can add an environment variable, _NT_SYMBOL_PATH, to set the path of the symbol files. After WinDbg starts, whenever a symbol file needs to be loaded, it searches the path specified by _NT_SYMBOL_PATH automatically.
For example: _NT_SYMBOL_PATH=srv*c:\localsymbols*\symbolserver\publicsymbol
10 r
This command is used to display the value of each register.