//Breakpoint related
bp <address>     set a breakpoint at the address
bl               list the breakpoints that have been set
bu <address>     set an unresolved breakpoint; this kind of breakpoint is saved and re-applied the next time the target is started
bc <id list>     clear breakpoints; the ID list accepts * to match all, a-b for a range, and several IDs listed together

Program entry pseudo-register: WinDbg has a pseudo-register called $exentry that records the program's entry point, so to break at the entry point just type the following in the command field:
bp $exentry      (bp is the command that sets a breakpoint; see the WinDbg help documentation for detailed usage)
//debug Symbols
ld kernel32            load symbols for the kernel32 module
lm m k*                list the loaded modules whose names start with k
ln <address>           list the nearest symbols to an address (the module and symbol the address belongs to)
dt DBG2                detection module (as noted in the original)

x kernel32!k*          display all symbols in kernel32 that begin with k
dv                     display the values of local variables
dv /i /t /v            also display each local's kind (parameter or local), type and address
x <module>!*           display the symbols of the specified module
x ARGC                 view the address of the variable ARGC
dt ARGC                view the value of the variable ARGC
dt _PEB 7ffdd00        display the memory at 7ffdd00 interpreted as a PEB structure
dd 12000 L4            display four DWORDs starting at address 12000 (dd = display DWORD)
dds 12000 L100         display 100 DWORDs starting at address 12000, resolving each value to a symbol where debug symbols allow; this is a way to trace the stack (find ebp first, then use dds ebp): [ebp+4] is the return address and [ebp+8] the first parameter

.kill                  kill the debuggee process
.restart               restart the debugging session
k                      show the call stack
kn                     same, with frame numbers
kb                     also shows the first three parameters: the first at ebp+8, the second at ebp+0x0c, the third at ebp+0x10; dd ebp+0x14 shows the fourth
kp                     show the parameter types and values of each function
kf                     the f option shows the distance between neighbouring frame bases, from which the health of the stack can be inferred

|                      show processes
~                      show threads
~0s                    switch to thread 0
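The k/kb/kf output above is computed from the saved-EBP chain that the notes describe ([ebp] saved ebp, [ebp+4] return address, [ebp+8], [ebp+0xc], [ebp+0x10] the first three parameters). The following Python walker reproduces that computation over a constructed x86 stack image; it is an added example, not code from the original notes or from WinDbg, and every address and value in it is made up for illustration. It also applies the stack-health check the kf description implies: a saved ebp that does not point to a higher address means the chain is corrupt and the walk stops.

```python
import struct

# Constructed x86 stack image (not a real dump): three frames chained by saved EBP,
# laid out the way the cheat sheet describes:
#   [ebp]      saved ebp of the caller
#   [ebp+4]    return address
#   [ebp+8]    first parameter, [ebp+0xc] second, [ebp+0x10] third
def build_stack_image():
    base = 0x0012FF20
    buf = bytearray(0x80)

    def put(addr, val):
        struct.pack_into("<I", buf, addr - base, val)

    # frame 0 (innermost): ebp = 0x12ff20, returns into a made-up address in the exe
    put(0x12FF20, 0x0012FF50); put(0x12FF24, 0x00401234)
    put(0x12FF28, 1); put(0x12FF2C, 2); put(0x12FF30, 3)
    # frame 1: ebp = 0x12ff50
    put(0x12FF50, 0x0012FF80); put(0x12FF54, 0x00401567)
    put(0x12FF58, 0x10); put(0x12FF5C, 0x20); put(0x12FF60, 0x30)
    # frame 2 (outermost): saved ebp of 0 terminates the chain; return address is a placeholder
    put(0x12FF80, 0x00000000); put(0x12FF84, 0x7C817077)
    put(0x12FF88, 0xAA); put(0x12FF8C, 0xBB); put(0x12FF90, 0xCC)
    return base, bytes(buf)


def read_dword(mem, base, addr):
    """Read one little-endian DWORD from the image, or None if out of range."""
    off = addr - base
    if off < 0 or off + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, off)[0]


def walk_frames(mem, base, ebp, max_frames=16):
    """Follow the saved-EBP chain and return what kb/kf would show per frame."""
    frames = []
    while ebp and len(frames) < max_frames:
        saved_ebp = read_dword(mem, base, ebp)
        ret = read_dword(mem, base, ebp + 4)
        if saved_ebp is None or ret is None:
            break
        args = [read_dword(mem, base, ebp + 8 + 4 * i) for i in range(3)]
        # kf-style distance to the next frame base; None for the last frame
        frame_size = (saved_ebp - ebp) if saved_ebp else None
        frames.append({"ebp": ebp, "ret": ret, "args": args, "frame_size": frame_size})
        if saved_ebp and saved_ebp <= ebp:
            # a sane chain moves toward higher addresses; anything else is a corrupt stack
            break
        ebp = saved_ebp
    return frames


def format_kb(frames):
    """Render frames in the style of WinDbg's kb output (ChildEBP RetAddr Args)."""
    lines = ["ChildEBP RetAddr  Args to Child"]
    for f in frames:
        lines.append("%08x %08x %08x %08x %08x" % (f["ebp"], f["ret"], *f["args"]))
    return "\n".join(lines)


if __name__ == "__main__":
    base, mem = build_stack_image()
    frames = walk_frames(mem, base, 0x0012FF20)
    print(format_kb(frames))
    for f in frames:
        print("frame at %08x: size %s" % (f["ebp"], hex(f["frame_size"]) if f["frame_size"] else "n/a"))
```

The frame_size values are what kf reports as the distance between neighbouring frames; a size that is negative, huge, or zero is the symptom the notes refer to when they say the stack's health can be inferred from it.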
dv                     display function parameters and local variables. dv depends on the current stack frame; different frames show different locals:
  1) kn                show all stack frames
  2) .frame <n>        select the stack frame you want to view
  3) dv /i /v /t       show the local variable information of that frame (kind, address and type) based on the frame's address
Without private symbols dv cannot display variable information. The *.pdb debug symbols that VC generates are not understood by WinDbg unless the project is set to C/C++ > General > Debug Info = "C7 Compatible".
=====
.sympath+ c:\nasm      add a symbol search path
.sympath               display the symbol search path

Display a range of memory:
db <address> L32       display 32 bytes at the address as hexadecimal bytes

View PE information:
!dh [options] <address>   view the PE information of a module: !dh -f file headers, !dh -s section headers, !dh -a all header information

View structure members:
dt nt!_EPROCESS

View the current IRQL:
!irql
View Driver Verifier detection statistics:
!verifier
View which module a memory address belongs to:
!pool <address>
!lmi <module>          view the main information of the module
!pcr                   view the currently executing thread, the IRQL and other processor information

// Why doesn't the WinDbg command !irql always return the correct IRQL for my target?
[Answer by Jake Oshins, jakeo_at_windows_dot_microsoft_dot_com; workaround provided by James Antognini, Antognini_at_Mindspring_dot_nospam_dot_com, August 2003]
!irql currently only produces useful results in a crash dump, not a live system. To retrieve the IRQL in a live system you should instead use the !pcr command.

!processfields: list the members of EPROCESS. The ! in front of the command means it comes from a debugger extension module, here kdextx86.dll. This command displays the members of the EPROCESS structure that the kernel uses to represent a process, together with their offsets; the structure has no formal documentation.
Although the command lists only the offsets of the members, you can usually guess the correct type. For example, LockEvent is located at 0x70 and the next member has an offset of 0x80, so the member occupies 16 bytes, which is very like the KEVENT structure.
!threadfields: list the members of ETHREAD. This is another powerful option offered by kdextx86.dll. Like !processfields, it lists the undocumented members of the ETHREAD structure, which the kernel uses to represent a single thread, and their offsets.
//Process information
!teb                   show the TEB (thread information)
!peb                   show the PEB (process information)
//Structure display
dt ntdll!*teb*         list the structure names that match the wildcard
dt -v -r ntdll!_TEB    list the member information of the structure _TEB (verbose, recursing into nested members)
//Variable address
r $peb                 display the address of the process's PEB
//View error messages
!gle                   show the last error value of the current thread
//Tips for setting breakpoints
A breakpoint can be set directly on kernel32!BaseProcessStart. Otherwise:
  1) first display all loaded modules with lm
  2) dt our_exe_name!*main*    search our program module for symbols containing "main" (note: if the symbols are not loaded, nothing is displayed!)
  3) if one is found, set the breakpoint with bp our_exe_name!*main
=======
Command          SoftICE   OllyDbg
Run              F5        F9
Step into        F11       F7
Step over        F10       F8
Set breakpoint   F8        F2
Search memory
5. Find the string
In step 1, when we ran the program, we recorded the string "wrong Serial, try again!" that prompted the registration error; now we look for the location of that string in memory. Enter the command:
s -a 00400000 L53000 "wrong"
The command searches for the string "wrong" in ASCII form in the 53000 bytes of memory starting at address 00400000:
s          the search command
-a         search for the target as ASCII text
00400000   the memory address at which to start searching
L53000     search 53000 bytes from 00400000
Both values can be obtained from STUD_PE: 00400000 is the load address of the program, and 53000 is the size of the image, that is, the amount of memory the program occupies once loaded. With these two values you can search essentially the whole memory range the program uses. "wrong" needs no further explanation; it is the string we are looking for. Note, however, that WinDbg does not support fuzzy search, so the string entered here must be exactly right.

6. Memory access breakpoint
In WinDbg the ba command means break on access: the debugger stops when the memory is accessed. On the command line enter:
ba r1 0044108c
This sets a one-byte read breakpoint at memory location 0044108c. The meaning of each element of the command can be found in the help documentation and is not repeated here. Enter bl to view the breakpoint:
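The two values the search range needs, the load address and the size of the image, are the ImageBase and SizeOfImage fields of the PE optional header, which is what STUD_PE reads for you. The following Python code is an added example, not part of the original notes or of any tool they mention: it parses those fields (and AddressOfEntryPoint, the value behind $exentry) from a constructed minimal PE32 header and builds the s -a command from them. The header bytes are made up for the example; the function also handles PE32+ headers, which the notes do not cover, since there ImageBase is eight bytes wide and sits at a different offset.

```python
import struct

# Offsets within the PE optional header (PE32 unless stated otherwise)
OPT_MAGIC = 0               # 0x10B = PE32, 0x20B = PE32+
OPT_ENTRY_POINT = 16        # AddressOfEntryPoint (RVA)
OPT_IMAGE_BASE_PE32 = 28    # 4-byte ImageBase
OPT_IMAGE_BASE_PE32PLUS = 24  # 8-byte ImageBase (no BaseOfData field in PE32+)
OPT_SIZE_OF_IMAGE = 56      # same offset in both formats


def build_sample_pe():
    """Constructed minimal PE32 header (not a real binary): just enough for the parser."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)          # IMAGE_DOS_HEADER.e_lfanew
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF file header: Machine=i386, 3 sections, optional header 0xE0 bytes, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt + OPT_MAGIC, 0x10B)
    struct.pack_into("<I", buf, opt + OPT_ENTRY_POINT, 0x1000)
    struct.pack_into("<I", buf, opt + OPT_IMAGE_BASE_PE32, 0x00400000)
    struct.pack_into("<I", buf, opt + OPT_SIZE_OF_IMAGE, 0x00053000)
    return bytes(buf)


def parse_image_range(data):
    """Return (image_base, size_of_image, entry_point_rva) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt + OPT_MAGIC)[0]
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE_PE32)[0]
    elif magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + OPT_IMAGE_BASE_PE32PLUS)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + OPT_ENTRY_POINT)[0]
    size_of_image = struct.unpack_from("<I", data, opt + OPT_SIZE_OF_IMAGE)[0]
    return image_base, size_of_image, entry_rva


def windbg_search_command(image_base, size_of_image, text):
    """Build the WinDbg ASCII search over the whole loaded image, as in the notes."""
    return 's -a %08x L%x "%s"' % (image_base, size_of_image, text)


if __name__ == "__main__":
    base, size, entry = parse_image_range(build_sample_pe())
    print("ImageBase=%08x SizeOfImage=%x entry=%08x" % (base, size, base + entry))
    print(windbg_search_command(base, size, "wrong"))
```

Note that the ImageBase in the header is only the preferred load address; if the loader relocated the module (ASLR or a base collision), take the actual base from lm in the debugger and keep only SizeOfImage from the header.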
Address arithmetic
? 0x33 + 0x44          the ? command evaluates the expression and prints the result
3. Viewing and modifying data
Viewing and modifying data is unavoidable during debugging.
To view memory:
db/dw/dd/dq [address]          view data as bytes / words / double words / quad words
da/du [address]                view the address as an ASCII string / Unicode string
Other common uses, such as viewing a structure:
dt nt!_EPROCESS
dt nt!_EPROCESS 89330da0       (0x89330da0 is the object pointer)
To modify memory:
eb/ew/ed/eq/ef/ep address [values]   write bytes / words / double words / quad words / floating point / pointer
ea/eu/eza/ezu address [values]       write an ASCII string / Unicode string / null-terminated ASCII string / null-terminated Unicode string
To search memory:
s -[b/w/d/q/a/u] range target        search for a byte / word / double word / quad word / ASCII string / Unicode string
2. Breakpoints
Breakpoints are of course very important when debugging. Common commands:
bp [address]or[symbol]         break at the specified address; an address or a symbol can be used, for example bp 80561259 (WinDbg defaults to hexadecimal), bp mydriver!GetKernelPath, bp mydriver!GetKernelPath+0x12
bp /p <eprocess> [address]     break only when the current process is the given EPROCESS. This is very common: with bp nt!NtTerminateProcess, for instance, you usually only want to break when one particular process hits it; because kernel code is shared by every process, this parameter is what makes the breakpoint useful
bp /t <ethread> [address]      break only when the current thread is the given ETHREAD; used like /p
bu [address]or[symbol]         set an unresolved breakpoint (one whose address is resolved later). Also very common: if our driver is named mydriver.sys, set bu mydriver!DriverEntry before the driver is loaded, then load it and the debugger breaks at the driver entry; this does not require debug symbol support
bl                             list all breakpoints (l = list)
bc [id]                        clear a breakpoint (c = clear; id is the breakpoint number shown by bl)
bd [id]                        disable a breakpoint (d = disable; id is the breakpoint number)
be [id]                        enable a breakpoint (e = enable; id is the breakpoint number)