2013-04-16
!gle
!error
2013-03-26
To view the value of a class member variable, do not enter "? <variable_name>": the variable will not be found, and WinDbg searches for a symbol of that name in all modules.
.dump [/ma] c:\dump\XXX.dmp * /m generates a minidump, /ma generates a dump with as many options as possible
!analyze -v * For a dump generated by a crash (of an application or a driver), after loading the symbols you can have WinDbg analyze it automatically by running !analyze -v.
~*kb * For a manually generated dump, the current thread is generally not the problematic thread, so all threads have to be examined; this command displays the call stack of every thread.
.ecxr * If the crash being analyzed is on the current thread, first view the exception context, then run kb to view the code line that crashed.
.cls * clear screen
WinDbg commands are classified into standard commands, meta-commands and extension commands. Entering a question mark (?) displays the help information for all standard commands. Meta-commands start with a dot (.), and entering .help displays the help information for all meta-commands. Extension commands start with an exclamation point (!).
Crash analysis: !analyze -v
View deadlocks: !locks
View all threads of the current process: ~, ~* (including function entry and priority)
View the current active thread: ~. ; all thread stacks: ~*kb ; ~~[0x<ID>] converts a thread ID ; ~1s sets the current thread to thread number 1
View the current call stack: kb (k, kb, kp, kv, kn display the call stack)
View the exception record and context: .ecxr, .exr, .cxr (switch context)
View the current thread: !thread
View one or more critical sections or the entire critical section tree: !cs, !cs address
Display only locked critical sections: !cs -l
Dump: .dump [/ma] E:\dcrash.dmp
Set breakpoint: bp, bc (clear), bd (disable), be (enable)
View memory: db/dw/dd/dq [address] displays data in byte/word/double-word/quad-word format
Clear screen: .cls
Display the CPU time consumed by each thread: !runaway
To load a symbol file that does not strictly match, first use .reload /i; entering !sym noisy then enables noisy mode.
When ending a debugging session after attaching to a process: q exits and terminates the program directly; qd exits debugging and the program continues to run.
2013-03-19
s -[b|w|d|q|a|u] <address> L<search_length> <pattern> * search for pattern within search_length starting at address
e[a|u|za|zu] <address> <string_value> * modify the memory at the address as a string
e[b|d|f|p|q|w] <address> <value> * modify the memory at the address by value
!address <address> * display memory address attributes
!vprot <address>
!vadumpx
2013-03-18
bp * sets a breakpoint
bu * sets a deferred breakpoint (resolved when the module is loaded)
bm * sets a batch of breakpoints
ba r1 nret * sets a hardware breakpoint that triggers when the first byte of the nret variable is read or written
bp `my.cpp:100` ".if (poi(myvar) > 5) {.echo myvar too big;} .else {.echo myvar acceptable; gc;}"
The gc command resumes execution from a conditional breakpoint in the same fashion that was used to hit the breakpoint (stepping, tracing, or freely executing).
by/wo/dwo/qwo/poi(<address>) * obtain the 1/2/4/8/pointer-sized value at the address
~0 bp msvcr110d!printf * sets a breakpoint for thread 0
bc/bd/be * delete/disable/enable a breakpoint
kn * display stack frame numbers
kv * display the function calling convention
kb * display the first three parameters of each function
kp * shows the function parameter values; requires a private symbol file
dv /i /t /V * shows the parameters and local variables of the current stack frame
dd <address> L4 * L4 indicates the number of elements to display
dt * display data type
dt string
dt -r1 string <address> * display the data at the given address as the string type
2013-03-15
!sym noisy/quiet * displays/does not display progress information while loading symbols
.formats <some number> * displays the hexadecimal form of the number
pa | ta @$ra = gu
pc | tc * single-step to the next function call instruction
tb * single-steps to the next branch; can only be used in kernel-mode debugging on x86
ph | th = tb
wt * traces execution of the current function
pt | tt * single-step to the next return
2013-03-14
ld <modulename> * load symbols for the specified module
lm v m note* * displays detailed information for modules whose names start with note
x /v /t dbgee!arg* * displays symbol information for symbols starting with arg in the dbgee module
.reload /i * load unmatched symbol files
sx * lists the code and handling status of each event
The LdrpInitialize function is the earliest code executed in user mode by the initial thread of a new process.
gn/gh * go with exception not handled / go with exception handled
p * step
t * trace
p | t 2 * run the p or t command twice
2013-03-08
q * exit debugging
.detach * detaches the debugger from the debugged process, and the debugged process continues to execute
.abandon * the debugger abandons the debugged process, and the debugged process does not continue to execute
<path_of_windbg> -p <PID> * debug the process whose process ID is PID
<path_of_windbg> -pn <process_name> * debug the process with the specified process name
.kill * kills the debugged process
.restart * restart the debugger
.frame * view the current thread's stack frame
dv * display local variables
~0s * switch to thread 0
k * displays the current call stack
2013-03-04
||<system_index>s: switch system
|<process_index>s: switch process
~<thread_index>s: switch thread
? <expression>: evaluate the expression
? @@c++(<expression>): evaluate the C++ expression
? @@masm(<expression>): evaluate the MASM expression
SRV*D:\v-Yuzo\projects\small projects\debug\msftpdbs*http://msdl.microsoft.com/download/symbols
Downloads the PDB files of the system modules.
.reload: reload the module
.restart
.restart /f: restart
$$: comment, terminated by a semicolon
*: comment; everything after the asterisk (*) on the line is a comment.
? @$exentry: displays the entry function of the current module.
? @$pagesize: displays the number of bytes in a memory page on the target system.
.echo $ntnsym * displays a WinDbg-defined alias
as v version * defines a user alias
r $.u<0~9>=<alias_entity> * modify the entity represented by a fixed-name alias
!for_each_frame !for_each_local dt @#Local * print each local variable of each stack frame
bp `my.cpp:100` "j (poi(myvar) > 5) '.echo myvar too big'; '.echo myvar acceptable; gc'"
r ecx; .if (ecx > 2) {r ecx} .else {r eax}
.opendump <file_path> * open the dump file
.create <file_path> * create a new debugging target from the executable file