WinDbg Debug Command Note 1

First, WinDbg commonly used knowledge:

1. Debug commands in WinDbg are divided into three types: basic commands, meta-commands, and extended commands . The basic command and META commands are the debugger's own, and the meta-command always takes "." , and the extended command is added externally, always with an exclamation point "!" Beginning

The basic commands are minimal, about 40 or so. To enumerate all the basic commands, use the following command:

• ?

There are more than 100 meta-commands, use the following command to enumerate all meta-commands:

• . Help [/d]

2. Basic information

• Version displays the operating system's release information and the version information of the WinDbg itself, and the configuration of WinDbg is closely related to the operating system, so it is necessary to display the version information of the operating system together.
• Time to view the system times. This includes the current time of the system, and the duration of the system's uptime, and the duration of the current process in user mode

3. Basic settings

• . CLS Clear-screen command
• n [8|10|16] software defaults to 16 binary, but sometimes we also need to change the default binary to octal or decimal

4. Start debugging

Q | QQ | QD thoroughly finishes commissioning

. DUMP/MFH C:\test.dmp saved as a DMP file

Second, symbol and source code

What is a symbol file? Compilers and linker when creating binary image files (such as EXE, DLL, SYS), the associated suffix named. dbg,. Sym, or. pdb files that contain image file compilation, symbolic information generated during linking, are called symbol files. Specifically, the symbolic information includes the following:

• Global variables (type, name, address);
• Local variables (type, name, address);
• function (name, prototype, address);
• variable, struct type definition;

1. There are several commands you can use to enumerate the list of modules

• LM [Options] [a Address] [m Pattern | M pattern][/v]
• LM v uses the/V option to list the details of the module, including: module name, module address, module size, image name, timestamp, and corresponding symbol file information (including type, path, type, compiler, symbol loading status).

LM v A 00400000 shows details of the module with address 00400000

　　

• !DH [flag] module address

　　dH is the abbreviation of display header, literal translation is "show file header" meaning, it can display very detailed PE header information.

2. Threads and processes

Both the list of processes and threads can be displayed, and the details of the specified process or thread can be displayed. Debug commands can provide more detailed process information than taskmgr, which is indispensable during debugging.

Multiple commands can display a list of processes, but they are generally only used in specific situations: |,. tlist,!process, and!dml_proc.

　　

　

WinDbg Debug Command Note 1