WinDbg is a debugger shipped by Microsoft. Unlike Visual Studio, WinDbg is a debugger for special cases: its debugging facilities cover the whole operating system. Sometimes a program crashes in a confusing way, and finding the cause is slow and laborious (possibly because the wrong method is used). WinDbg lets us debug in far more detail than Visual Studio does, including operating system information, process state, time and environment variables, assembly instructions and the call stack, so in many cases it uncovers hidden errors. Learning and using WinDbg is therefore a broader demand on developers and requires more background knowledge.
Now let's take debugging a simple program as an example and look at the useful information WinDbg can give us. Start WinDbg and choose File > Open Executable to open the executable, then set the symbol file path (if you want more symbol files for the operating system, download them from the Microsoft website). In the command window, enter x followed by the executable's module name, an exclamation mark and the function name to obtain the function's entry address, which makes it easy to set a breakpoint. Entering x cpp200803272307!GetConstBuffer returns the address of GetConstBuffer.
Enter bp (break point) followed by the function entry address to set a breakpoint on the function, for example bp 004113c0, then enter g (go) to run the program. In the source window you will see the breakpoint added to the function, and when the program runs it stops at that breakpoint. It is now stopped at GetConstBuffer, at address 004113c0. bp also accepts a symbol: bp cpp200803272307!GetConstBuffer sets the same function breakpoint.
Enter k to view the current call stack. Enter g again and the program runs until it stops at the faulting location; the exception is an access violation. The mov instruction writes to the memory that eax points to, and this is the faulting instruction. Use dc to view the memory at eax (enter dc eax) and you quickly find that the error occurs when the character '+' is written.
If the operating system symbol files are available you can go further and view the attributes of the memory page that eax points to. Enter !address eax to view them: the memory in this region is read-only, that is, the pointer points to constant data, so writing to it with mov causes the program error.
Enter u address to view the disassembly. You can also pass a function's address to !address to view memory information: for example, get the address with x cpp200803272307!GetConstBuffer, then use u 004113c0 and !address 004113c0 for more detailed information.
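The kind of program the walkthrough above debugs, as an added example that is not the article's own code: GetConstBuffer is assumed to return a string literal, modify_in_place is the write that produces the faulting mov, and copy_and_modify and page_is_writable are hypothetical helpers showing the fix and a programmatic counterpart of the !address check.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed shape of the article's GetConstBuffer: it returns a string literal,
 * which the linker places in a read-only section (.rdata on Windows). */
const char *GetConstBuffer(void) { return "hello"; }

/* The faulting pattern from the walkthrough: the cast discards const, and the
 * store goes to a read-only page. Under WinDbg this is the "mov [eax], ..."
 * that raises the access violation. Not called here, since it crashes. */
void modify_in_place(void) {
    char *p = (char *)GetConstBuffer();
    p[0] = '+';
}

/* Fix: copy the constant into a buffer the caller owns, then modify the copy.
 * Returns NULL when dst is too small for the string plus its terminator. */
char *copy_and_modify(char *dst, size_t dst_len) {
    const char *src = GetConstBuffer();
    size_t n = strlen(src);
    if (dst == NULL || dst_len < n + 1) return NULL;
    memcpy(dst, src, n + 1);
    dst[0] = '+';
    return dst;
}

/* Programmatic counterpart of "!address": 1 if the page holding p is writable,
 * 0 if it is not, -1 when the query is unavailable (non-Windows build). */
int page_is_writable(const void *p) {
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(p, &mbi, sizeof mbi) == 0) return -1;
    DWORD prot = mbi.Protect & 0xff;   /* drop PAGE_GUARD / PAGE_NOCACHE modifier bits */
    return (prot == PAGE_READWRITE || prot == PAGE_WRITECOPY ||
            prot == PAGE_EXECUTE_READWRITE || prot == PAGE_EXECUTE_WRITECOPY) ? 1 : 0;
#else
    (void)p;
    return -1;
#endif
}
```

On Windows, page_is_writable(GetConstBuffer()) returns 0 for the literal and 1 for a stack or heap buffer, matching what !address reports for the two regions.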
WinDbg can do both kernel-mode and user-mode debugging, and it can debug dump files. Since most programmers do not need kernel-mode debugging, this article does not cover it. Kernel-mode debugging is very helpful for learning Windows internals; if you are interested, read Inside Windows 2000 and the WinDbg help file.
The main purpose of this article is to introduce the main functions of WinDbg and the related commands. For the detailed syntax of these commands, see the help file. Many of the commands mentioned here have corresponding menu options in WinDbg.
How to get help
Entering .hh in the command window opens the help file.
.hh keyword
displays the detailed help for the command keyword.
Starting the debugger
WinDbg can be used for the following kinds of debugging:
- Remote debugging: you can debug a program running on machine B from machine A. On machine B enter:
.server npipe:pipe=pipe_name
pipe_name is the name of the pipe. On machine A run:
windbg -remote npipe:server=server_name,pipe=pipe_name
server_name is the name of machine B.
- Dump file debugging: if a problem occurs on a customer's machine, you may not be able to use remote debugging. Ask the user to attach WinDbg to the problematic process and enter the following in the command window:
.dump /ma file_name
to create a dump file. Open the dump file with:
windbg -z dump_file_name
- Local process debugging: you can run a program directly under WinDbg:
windbg "path to executable" arguments
You can also attach WinDbg to a running program:
windbg -p "process ID"
windbg -pn "process name"
Note that there is a noninvasive mode that inspects the state of a process without executing it; in this mode the execution of the debuggee cannot be controlled. It can also be used to look at a process that is already running under the control of another debugger. The commands are:
windbg -pv -p "process ID"
windbg -pv -pn "process name"
Debugging multiple processes and threads
To control the execution of a process and its child processes, add -o. WinDbg also has a newer command, .childdbg, that controls child-process debugging. When debugging several processes at once, use the | command to list the processes and switch between them.
A process can have multiple threads; the ~ command lists the threads and switches between them.
Preparation before debugging
Before debugging you must set the symbol path; without symbols the call stack you see is essentially meaningless. Microsoft's operating system symbol files (PDB) are publicly available. Also make sure you select the option to generate a PDB file when compiling your own program. If the symbol path is set but the call stack still looks wrong, use lm, !sym noisy and .reload to verify that the symbol path is correct.
WinDbg also supports source-level debugging; use .srcpath to set the source path. If you debug on the machine where the code was built, the source path recorded in the symbol file already points to the right place and you do not need to set it. If the executable was built on another machine, copy the source (keeping the original directory structure) to an accessible folder (a network path will do) and set the source path to that folder. Note that for remote debugging you use .lsrcpath to set the source path.
Static commands:
Display the call stack: after attaching to a debugging session, the first thing to know is where the program currently is. The k command (and its variants) displays the stack of the current thread; ~*kb displays the call stacks of all threads. If the stack is very long WinDbg displays only part of it; .kframes sets the default number of frames displayed.
Display local variables: in general dv displays the local variables; Ctrl+Alt+V switches to a more detailed display mode. Note that in optimized code dv is very likely inaccurate; in that case read the assembly to find out whether the values you care about live in registers or on the stack. Sometimes the data you want is not in the current frame; if it was passed as a parameter to the current function, read the assembly of the previous frame or frames, since the data may still be at some stack address. Static variables live at fixed addresses, so they are easier to find. .frame (or double-clicking in the call stack window) switches the current frame; note that dv shows the content of the current frame. You can also watch the values of local variables in the Watch window.
Display classes and linked lists: dt displays a data structure. For example, dt peb displays the operating system's process environment block structure, and with an address after the structure name, dt peb 7ffdf000, it displays the details of that instance.
The dl command displays certain linked list structures.
Display the current thread's error value: !gle displays the last error value and status value of the current thread. The !error command decodes an HRESULT.
Search or modify memory: the s command searches for a byte, word, double word, qword or string. The e command modifies memory.
Evaluate expressions: the ? command evaluates expressions; see the help documentation for the expression syntax. The n command sets the default radix (number base) for input numbers.
Display information about the current thread, process and modules: !teb displays the environment block of the current thread; its most common use is to find the start of the current thread's stack and search the stack for a value. !peb displays the environment block of the current process, such as the path of the executable. lm lists the modules loaded in the process.
Display register values: the r command displays and modifies register values. To use a register in an expression, prefix it with @ (for example @eax).
Show the nearest symbol: ln address. If you have a pointer to a C++ object, ln can be used to find the object's type.
Search symbols: the x command finds the address of a global variable or of a function, and it supports wildcards. x kernel32!* displays all visible variables, data structures and functions in kernel32.dll.
View locks: !locks displays each thread's use of lock resources. It is useful for debugging deadlocks.
View handles: !handle displays handle information. If a piece of code leaks handles, run !handle before and after it and compare the two outputs. The !htrace command is useful for handle-related bugs. Enter:
!htrace -enable
then use !htrace handle_value to display all call stacks related to that handle.
Show assembly code: u.
Program execution control commands:
Set code breakpoints: bp, bu and bm set code breakpoints. You can specify a pass count, the number of times the breakpoint is skipped before it triggers. Suppose a piece of code fails after kernel32!SetLastError has been called many times. Set the following breakpoint:
bp kernel32!SetLastError 0x100
After the error occurs, use bl to display the breakpoint information (note the remaining pass count, 004f, in the output):
0 e 77e7a3b0     004f (0100)  0:*** kernel32!SetLastError
Restart debugging (the .restart command) and set the following breakpoint:
bp kernel32!SetLastError 0x100-0x4f
The debugger then stops at the last call of the function before the error occurs.
You can specify a command string that the debugger executes when a breakpoint triggers. Combined with the j command, this gives conditional breakpoints:
bp `mysource.cpp:100` "j (poi(myvar)>0n20) ''; 'g'"
The above breakpoint stops only when the value of myvar is greater than 32 (otherwise the g command resumes execution).
Conditional breakpoints are widely applicable: you can make a breakpoint trigger only in special circumstances, for example when an input parameter meets a certain condition, when the caller is a particular function, or when a global variable has a particular value.
Set memory breakpoints: ba sets memory (data) breakpoints. A common debugging problem is tracking changes to some data. The breakpoint:
ba w4 0x40000000 "kb; g"
prints the call stack every time the 4 bytes at 0x40000000 are written.
Control program execution: p, pa, t, ta and similar commands control program execution.
Control exceptions and event handling: by default the debugger skips the first-chance exception and breaks into the program when the second-chance exception occurs. The sx command displays the debugger's settings; sxe and sxd change them. For example:
sxe clr
makes the debugger break when a managed exception occurs. Common debugger events include:
av access violation
eh C++ exception
clr managed exception
ld module load
The -c option (of sxe/sxd) specifies the debugging commands to execute when the event occurs.