WinDbg debugging commands (5): ln and pseudo-registers
1. ln
The ln command displays the symbol at, or nearest to, a given address.
ln stands for "list nearest". It reports the symbols closest to the specified address. If no symbol starts exactly at that address, the debugger takes the nearest symbol below it (and the next one above it) and expresses the address as symbol + offset, i.e. it does simple pointer arithmetic on the neighbouring symbols and shows the result.
0:000> ln 01012475
(01012475)   calc!WinMainCRTStartup   |  (0101263c)   calc!_CxxFrameHandler
Exact matches:
    calc!WinMainCRTStartup = <no type information>
0:000> ln 01012475+1
(01012475)   calc!WinMainCRTStartup+0x1   |  (0101263c)   calc!_CxxFrameHandler
In the first case the output contains an "Exact matches:" section, meaning the address is exactly the start of a symbol. When there is no exact match, check whether the module is optimized: after optimization a single function may be split into several pieces that live at different addresses, so the symbol+offset that ln reports may point at a fragment of some other function. Whether an image is optimized can be seen in the output of lm, which marks such a module with a "perf" flag.
The name ln gives you is of great help when you are looking at a piece of data and do not know what it represents.
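The lookup that ln performs, as an added example that is not part of the original post: a symbol table sorted by address, the last symbol at or below the requested address (reported with a +offset when it does not match exactly), and the next symbol above it, rendered in the same layout as the ln output shown above. The symbol table is constructed for the demonstration from the two calc addresses quoted on the page plus one hypothetical neighbour; it is not read from a real PDB.

```python
import bisect

# Constructed symbol table for the demonstration: the two calc symbols quoted
# on the page plus one hypothetical helper below them (assumed, not from the page).
SYMBOLS = {
    0x01012000: "calc!Hypothetical_Helper",
    0x01012475: "calc!WinMainCRTStartup",
    0x0101263c: "calc!_CxxFrameHandler",
}


def nearest_symbol(symtab, address):
    """Return (exact, below, above) for `address`.

    below/above are (symbol_address, display_name) tuples or None.  The display
    name for `below` carries a +0x<offset> suffix when the address does not land
    exactly on the symbol; this is the pointer arithmetic on the nearby symbols
    that ln performs when there is no exact match.
    """
    addrs = sorted(symtab)
    i = bisect.bisect_right(addrs, address) - 1   # last symbol at or below address
    below = above = None
    if i >= 0:
        sym_addr = addrs[i]
        offset = address - sym_addr
        name = symtab[sym_addr] + (f"+0x{offset:x}" if offset else "")
        below = (sym_addr, name)
    if i + 1 < len(addrs):
        above = (addrs[i + 1], symtab[addrs[i + 1]])
    exact = below is not None and below[0] == address
    return exact, below, above


def format_ln(symtab, address):
    """Render the lookup in the same layout as WinDbg's ln output."""
    exact, below, above = nearest_symbol(symtab, address)
    if below is None:
        return f"No symbols found at or below {address:08x}"
    line = f"({below[0]:08x})   {below[1]}"
    if above is not None:
        line += f"   |  ({above[0]:08x})   {above[1]}"
    if exact:
        line += f"\nExact matches:\n    {below[1]} = <no type information>"
    return line


if __name__ == "__main__":
    print(format_ln(SYMBOLS, 0x01012475))
    print(format_ln(SYMBOLS, 0x01012475 + 1))
```

Note what this model cannot tell you: when an optimized function has been split, the "below" symbol is simply the closest one in the table, which is exactly why a missing "Exact matches:" section should make you check lm before trusting the symbol+offset.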
2. Pseudo-registers
Users who only occasionally use the debugger find it hard to remember the name of the instruction-pointer register (or any other register) on every platform. To solve this, the debugger team introduced a set of pseudo-registers of the form $name, which the debugger maps onto the real registers of whichever hardware architecture is being debugged. As with ordinary registers, when you use a pseudo-register in an expression you should prefix it with @ (for example @$ip): this tells the debugger that the token is a register rather than a symbol, so it does not waste time on a symbol lookup.
$exentry
Entry address of the current process.
0:002> r $exentry
$exentry=01012475
A common use is to put a breakpoint there (bp @$exentry) so that execution stops at the program's very first instruction.
This value corresponds to ImageBase + AddressOfEntryPoint from IMAGE_OPTIONAL_HEADER in the PE file. Note that the base used is the address the image was actually loaded at (as shown by lm), which under ASLR can differ from the ImageBase field stored in the header.
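As an added example (not from the original post), the following Python computes the same value that $exentry reports by reading AddressOfEntryPoint and ImageBase out of a PE image's optional header, handling both PE32 and PE32+ layouts. The minimal image produced by build_minimal_pe is constructed for the demonstration and is not a loadable file; the load_base parameter is an assumption of this example that lets you substitute the actual load address from lm when the image has been relocated.

```python
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def entry_point(pe, load_base=None):
    """Compute the entry-point VA the same way $exentry reports it.

    Walks the DOS header -> PE signature -> optional header and returns
    base + AddressOfEntryPoint.  `load_base` (hypothetical parameter for this
    example) is the address the module actually landed at; if omitted, the
    header's ImageBase is used.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER is 20 bytes; IMAGE_OPTIONAL_HEADER follows it.
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)          # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)     # PE32: DWORD ImageBase at +28
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)     # PE32+: QWORD ImageBase at +24
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    base = image_base if load_base is None else load_base
    return base + entry_rva


def build_minimal_pe(image_base, entry_rva, pe32plus=False):
    """Constructed test image: just enough header to be parsed, not a loadable file."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)                    # e_lfanew
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    if pe32plus:
        # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
        # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase (QWORD)
        opt_hdr = struct.pack("<HBBIIIIIQ", 0x20B, 0, 0, 0, 0, 0, entry_rva, 0, image_base)
    else:
        # Same fields, plus BaseOfData before the DWORD ImageBase
        opt_hdr = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, image_base)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr


if __name__ == "__main__":
    # Header values chosen so the result matches the $exentry shown on this page.
    pe = build_minimal_pe(0x01000000, 0x12475)
    print(f"$exentry from header ImageBase : {entry_point(pe):08x}")
    print(f"$exentry if relocated to 00400000: {entry_point(pe, load_base=0x00400000):08x}")
```

The header ImageBase is only a preference; if the loader relocated the image, the value the debugger reports is the real base plus the RVA, which is why the example lets you pass the base you observe in lm.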
$ip
Instruction pointer register.
On x86, $ip = eip
On x64, $ip = rip
On Itanium, $ip = iip
0:000> r @$ip
$ip=7c92120e
0:000> r eip
eip=7c92120e
As shown, $ip and eip hold the same value on x86; the advantage of $ip is that the same command keeps working when you move to another architecture.
$ra
Return address of the current function.
0:000> r $ra
$ra=7c95e612
0:000> kb
ChildEBP RetAddr  Args to Child
0012fb1c 7c95e612 7ffdd000 7ffde000 00000000 ntdll!DbgBreakPoint
0012fc94 7c940000f 0012fd30 7c920000 0012fce0 ntdll!LdrpInitializeProcess+0xffa
0012fd1c 7c92e437 0012fd30 7c920000 00000000 ntdll!_LdrpInitialize+0x183
00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
Note that $ra is the RetAddr of the top frame in kb. It refers to the current thread only; to see the return address of the current function in every thread, run the command against all threads:
0:000> ~* r $ra
$ra=77d191be
$ra=7c92df2c
$ra=7c92df3c
$ra=7c970010
$retreg
The primary return-value register: after a function call returns, its result is in this register. Depending on the processor architecture, $retreg is:
On x86, $retreg = eax
On x64, $retreg = rax
On Itanium, $retreg = ret0
0:000> r $retreg
$retreg=00251eb4
0:000> r eax
eax=00251eb4
$csp
The current stack pointer. Depending on the processor architecture, $csp is:
On x86, $csp = esp
On x64, $csp = rsp
On Itanium, $csp = bsp
0:000> r $csp
$csp=0012fb24
0:000> r esp
esp=0012fb24
$tpid
ID of the current process (PID).
0:000> r $tpid
$tpid=000013f4
$tid
ID of the current thread (TID).
0:000> r $tid
$tid=000014a0