table of Contents
Dian commissioning a drive.
Write drivers inevitably debugging. So tell us about where WinDbg common commands.
1. Thread
| command | effect |
|---|---|
| ~* | Show all threads |
| ~. | Displays the current active thread |
| ~# | Displays the current abnormal thread |
| a ~ | Showing num threads. |
| Surely, ~ s | Switch to the first thread num |
| ~*kb | Show all the thread's stack |
Additional command
| command | effect |
|---|---|
| .detach | Cancel your additional debugging process |
| .attach pid | Additional you want to debug process. Requires 16 hex pid |
2. Breakpoints
| command | effect |
|---|---|
| with | It lists the system has some breakpoints |
| bc | Clear breakpoint example: bc 1 -10 removing breakpoints 1-10 of bc * Clear all. |
| bd | Disable a breakpoint, but not cleared. |
| be | Activate the breakpoint. |
| bp [address] [module name] [offset] | Under breakpoints bp xxModule! DisPatchRead + 0x30 |
| bu module!fun | bu function module name plus the lower point. |
| bm module!fun* | Support wildcards are not supported plus offset download. |
| ba [w only] [r only] [as much] address | W support of memory write breakpoint breakpoint representative length len. Address represents the address length len w r breakpoint read write memory, e performed. |
| bp /p eprocess [address][func] | Can break down the process, just call this code with a xx process when it will break down |
| bp /t ethread [address][fun] | Thread endpoint. Will be able to break down a thread calls. |
Difference:
the breakpoint is dead at bp breakpoint function name has changed but still where the breakpoint.
Bu automatically lower the point with you, you need not worry about the function will become.
In the new windbg in, bp failures automatically. replaced bu.
3. Memory View command
dt command to see some of the structural
| command | effect |
|---|---|
| dt nt!_EPROCESS | Nt View EPROCESS structure defined in module |
| dt nt!_EPROCESS -r | List structure structure |
| dt nt P*xxx | Wildcard manner, with a list of all the attachment structure starting with P |
| dt Address structure | You know the address of the structure where the input can be interpreted as the structure of this memory. |
| x nt!Zw | Find all functions that begin Zw. |
Memory data display command type
| command | effect |
|---|---|
| db [address] [L number] | And display the value in one byte Ascii character |
| dw [address] [L number] | 2 bytes according to the display memory |
| dd [address] [L number] | Displayed in four bytes of memory |
| dp [address] [L number] | 32-bit equivalent to dd. 64 is equivalent to the dq |
| dq [address] [L number] | Display memory 8 bytes |
| df [address] [L number] | In the display memory 4 byte floating point |
db 0x800000 L4 byte display memory in a display of length 4 * sizeof (db) th
bytes.
Read memory pointer in
our commands that start with d above you can see this value. This value might be stored pointer.
Unless we can only be performed once d command, the following command can be directly
| command | effect |
|---|---|
| ddp | |
| dpp | |
| dqp | |
| black | |
| dpu | |
| dqu | |
| good | |
| dpa | |
| dqa |
d represents 4 bytes. Q represents eight bytes at p-bit 32-bit .64 next 4 bytes 8 bytes.
so p can be transformed flexibly.
Therefore, the above command can be simplified to
| command | effect |
|---|---|
| dpa | |
| dpu | |
| dpp [only] | Displays the value of the local variable |
| dps | |
| dv | Displays the value of the local variables, the variables to see starting address is ebp-xxx |
p: DWORD或者Qword
a: Ascii
u: UNICODE
所以上面的命令可以解析一下
如:
dpa
d: 命令前缀
p: 根据32位还是64位,分别以4个字节.或者8个字节显示
a: Ascii吗.
所以意思就是: 解析地址里面的值.如果是指针.则以32/64位显示为AscII码.
字符相关
| 命令 | 作用 |
|---|---|
| da | 显示ascii值 |
| du | 显示unicode值 |
| ds | 显示ANSI_STRING的值 |
| dS | 显示UNICODE_STRING的值.注意大小写. |
4.修改内存命令
| 命令 | 作用 |
|---|---|
| eb [address] value | 修改一个字节,很重要.可以改代码的机器码. |
| ed [address] value | 修改4个字节 |
| eD [address] value | |
| ef [address] value | 修改float内存 |
| ep [address] value | 修改指针内存 |
| eq [address] value | |
| ew [address] value | |
| ea [address] value | |
| eu [address] value | |
| eza[address] value | |
| ezu [address]value |
关于修改内存.只需要熟悉 eb ed即可.
5.栈相关操作命令
| 命令 | 作用 |
|---|---|
| kv | 显示当前栈的调用情况.显示函数的前3个参数 |
| !irp address | 查看当前Irp的值. |
| kp | 显示当前栈,显示当前函数的所有参数 |
| ChiEbp | RetAddre | Args |
|---|---|---|
| 上一层的EBP | 当前函数返回地址 | 当前调用函数的参数 |
6.进程线程命令(内核命令)
| 命令 | 作用 |
|---|---|
| !process 0 0 | 列出系统进程信息 |
| !process 0 7 | 列出系统进程详细信息 |
| !process EPROCESS 7 | 列出进程详细信息 |
| .process /p EPROCESS | 进入该进程上下文,如果不切换查看他的信息查看不到. |
| .thread ETHREAD | 进入该线程上下文 |
| !thread ETHREAD | 查看线程结构 |
| .logopen d:\xx.txt | 开关语句. 显示的所有内容都重定向到xx.txt |
| .logclose | 上面设置了开关,下面就要进行关闭. |