2. String wildcard syntax
Some debugger commands that take a string parameter accept a variety of wildcards. These parameters support the following syntax:
- An asterisk (*) matches zero or more characters.
- A question mark (?) matches any single character.
- A list of characters enclosed in brackets ([ ]) matches any single character in the list; the list always matches exactly one character. Inside the brackets you can use a hyphen (-) to specify a range. For example, prog[er-t7]am matches "progeam", "program", "progsam", "progtam" and "prog7am".
- A number sign (#) matches zero or more occurrences of the preceding character. For example, lo#p matches "lp", "lop", "loop", "looop" and so on. You can also combine the number sign with a bracketed list, so m[ia]#n matches "mn", "min", "man", "maan", "main", "mian", "miin", "miain" and so on.
- A plus sign (+) matches one or more occurrences of the preceding character. For example, lo+p is the same as lo#p, except that lo+p does not match "lp". Similarly, m[ia]+n is the same as m[ia]#n, except that m[ia]+n does not match "mn". A?+B is the same as A*B, except that A?+B does not match "AB".
- To specify a literal number sign (#), question mark (?), left bracket ([), right bracket (]), asterisk (*) or plus sign (+), precede it with a backslash (\). A hyphen that is not enclosed in brackets is always literal; a literal hyphen cannot be specified inside a bracketed list.
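The two points in this grammar that are easiest to misread are that # and + repeat the preceding element rather than matching "any characters", and that the bracketed list consumes exactly one character. The following Python matcher is an added example, not code from the original page or from the debugger documentation it summarises: it translates a pattern written in the wildcard grammar above into a Python regular expression and checks it against the examples given in the list. It assumes case-sensitive matching and treats a backslash-escaped backslash as a literal backslash; the page does not address either point.

```python
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a debugger-style wildcard pattern into a Python regex fragment.

    Grammar implemented (as described in the list above):
      *       zero or more of any character
      ?       exactly one of any character
      [..]    exactly one character from the list; a-z style ranges allowed inside
      #       zero or more repetitions of the preceding element
      +       one or more repetitions of the preceding element
      \\c     the literal character c (for # ? [ ] * + and, as an assumption here, \\)
      -       literal when it appears outside brackets
    Use re.fullmatch() on the result so that the whole string must match.
    """
    atoms = []  # one regex fragment per element, so # and + can attach to the last one
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("trailing backslash in pattern")
            atoms.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            atoms.append(".*")
            i += 1
        elif c == "?":
            atoms.append(".")
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1 or end == i + 1:
                raise ValueError("empty or unterminated character list")
            # Inside the list only the hyphen is special (a range); escape everything else.
            body = "".join(ch if ch == "-" else re.escape(ch) for ch in pattern[i + 1:end])
            atoms.append("[" + body + "]")
            i = end + 1
        elif c in "#+":
            if not atoms:
                raise ValueError(f"'{c}' has no preceding element to repeat")
            previous = atoms.pop()
            atoms.append("(?:" + previous + ")" + ("*" if c == "#" else "+"))
            i += 1
        else:
            atoms.append(re.escape(c))
            i += 1
    return "".join(atoms)


def wildcard_match(pattern: str, text: str) -> bool:
    """Return True if text matches pattern in full."""
    return re.fullmatch(wildcard_to_regex(pattern), text) is not None


def filter_names(pattern: str, names):
    """Return the subset of names that match pattern, in the original order.

    This mirrors how a symbol-listing command narrows its output to matching names.
    """
    return [name for name in names if wildcard_match(pattern, name)]


if __name__ == "__main__":
    # Constructed checks built from the examples in the list above.
    cases = [
        ("prog[er-t7]am", ["progeam", "program", "progsam", "progtam", "prog7am"], ["progxam", "progam"]),
        ("lo#p", ["lp", "lop", "loop", "looop"], ["lap"]),
        ("m[ia]#n", ["mn", "min", "man", "maan", "main", "mian", "miin", "miain"], ["mxn"]),
        ("lo+p", ["lop", "loop"], ["lp"]),
        ("m[ia]+n", ["min", "miain"], ["mn"]),
        ("A?+B", ["AxB", "AxyB"], ["AB"]),
        (r"a\*b", ["a*b"], ["axb", "ab"]),
    ]
    for pat, yes, no in cases:
        assert all(wildcard_match(pat, s) for s in yes), pat
        assert not any(wildcard_match(pat, s) for s in no), pat
        print(f"{pat:14} -> /{wildcard_to_regex(pat)}/  ok")
    # Constructed symbol names, to show pattern-based filtering of a symbol list.
    symbols = ["nt!NtOpenFile", "nt!NtCreateFile", "nt!NtClose", "kernel32!CreateFileW"]
    print(filter_names("nt!Nt*File", symbols))
```

Each # or + pops the previous fragment and wraps it in a non-capturing group before applying the quantifier, which is what makes m[ia]#n repeat the whole bracketed list rather than only its last character.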
0:000> r eax = @ebx
Flags on x86-based processors
x86-based processors use a number of registers called flags.
Registers and threads
4. Pseudo-register syntax
The debugger supports a number of pseudo-registers that hold certain values. The debugger automatically sets some pseudo-registers to useful values. User-defined pseudo-registers are integer variables that you can write to or read from. All pseudo-registers begin with a dollar sign ($). If you use MASM syntax, you can add an at sign (@) before the dollar sign. The at sign tells the debugger that the token that follows is a register or a pseudo-register, not a symbol. If you omit the at sign, the debugger responds more slowly, because it must search the entire symbol table.
For example, the following two commands produce the same output, but the second command is faster.
0:000> ? $exp
Evaluate expression: 143 = 0000008f
0:000> ? @$exp
Evaluate expression: 143 = 0000008f
If a pseudo-register has the same name as a symbol, you must add the at sign (@). If you use C++ expression syntax, the at sign (@) is always required.
The r (Registers) command is an exception to this rule. The debugger always interprets its first parameter as a register or pseudo-register. (The @ sign is neither required nor allowed there.) If the r command has a second parameter, it is interpreted according to the default expression syntax. If the default expression syntax is C++, you must use the following command to copy pseudo-register $t2 into pseudo-register $t1.
0:000> r $t1 = @$t2
4.1 Automatic pseudo-registers
The debugger automatically sets the following pseudo-registers:
| Pseudo-register | Description |
|---|---|
| $ea | The effective address of the last instruction that was executed. If that instruction has no effective address, the debugger displays "Bad register error". If the instruction has two effective addresses, the debugger displays the first one. |
| $ea2 | The second effective address of the last instruction that was executed. If that instruction does not have two effective addresses, the debugger displays "Bad register error". |
| $exp | The last expression that was evaluated. |
| $ra | The return address that is currently on the stack. This address is particularly useful in execution commands. For example, g @$ra continues until the return address is reached (although gu (Go Up) is a more accurate and effective way to "step out" of the current function). |
| $ip | The instruction pointer register. x86-based processors: the same as eip. Itanium-based processors: related to iip (see the note after this table). x64-based processors: the same as rip. |
| $eventip | The instruction pointer at the time of the current event. This pointer usually matches $ip, unless you switch threads or manually change the value of the instruction pointer. |
| $previp | The instruction pointer at the time of the previous event. (Breaking into the debugger counts as an event.) |
| $relip | The instruction pointer that is related to the current event. When you are branch tracing, this is the pointer to the branch source. |
| $scopeip | The instruction pointer of the current local context (also known as the scope). |
| $exentry | The address of the entry point of the first executable of the current process. |
| $retreg | The primary return value register. x86-based processors: the same as eax. Itanium-based processors: the same as ret0. x64-based processors: the same as rax. |
| $retreg64 | The primary return value register in 64-bit format. x86-based processors: the same as the edx:eax pair. |
| $csp | The current call stack pointer. This is the register that is most representative of call stack depth. x86-based processors: the same as esp. Itanium-based processors: the same as bsp. x64-based processors: the same as rsp. |
| $p | The value that was printed by the last d* (Display Memory) command. |
| $proc | The address of the current process (that is, the address of the EPROCESS block). |
| $thread | The address of the current thread. In kernel-mode debugging, this is the address of the ETHREAD block. In user-mode debugging, this is the address of the Thread Environment Block (TEB). |
| $peb | The address of the Process Environment Block (PEB) of the current process. |
| $teb | The address of the Thread Environment Block (TEB) of the current thread. |
| $tpid | The process ID (PID) of the process that owns the current thread. |
| $tid | The thread ID of the current thread. |
| $dtid | |
| $dpid | |
| $dsid | |
| $bpNumber | The address that corresponds to the breakpoint with the given ID. For example, $bp3 (or $bp03) is the address of the breakpoint whose breakpoint ID is 3. Number is always a decimal number. If no breakpoint has the ID Number, $bpNumber evaluates to zero. For more information about breakpoints, see Using Breakpoints. |
| $frame | The current frame index. This is the same frame number that the .frame (Set Local Context) command uses. |
| $dbgtime | The current time, according to the computer on which the debugger is running. |
| $callret | The return value of the last function that was called by .call (Call Function) or used in a .fnret /s command. The data type of $callret is the data type of that return value. |
| $extret | |
| $extin | |
| $clrex | |
| $lastclrex | Managed debugging only: the address of the last common language runtime (CLR) exception object that was encountered. |
| $ptrsize | The size of a pointer. In kernel mode, this is the pointer size on the target computer. |
| $pagesize | The number of bytes in one page of memory. In kernel mode, this is the page size on the target computer. |
| $pcr | |
| $pcrb | |
| $argreg | |
| $exr_chance | The chance of the current exception record. |
| $exr_code | The exception code of the current exception record. |
| $exr_numparams | The number of parameters in the current exception record. |
| $exr_param0 | The value of parameter 0 in the current exception record. |
| $exr_param1 | The value of parameter 1 in the current exception record. |
| $exr_param2 | The value of parameter 2 in the current exception record. |
| $exr_param3 | The value of parameter 3 in the current exception record. |
| $exr_param4 | The value of parameter 4 in the current exception record. |
| $exr_param5 | The value of parameter 5 in the current exception record. |
| $exr_param6 | The value of parameter 6 in the current exception record. |
| $exr_param7 | The value of parameter 7 in the current exception record. |
| $exr_param8 | The value of parameter 8 in the current exception record. |
| $exr_param9 | The value of parameter 9 in the current exception record. |
| $exr_param10 | The value of parameter 10 in the current exception record. |
| $exr_param11 | The value of parameter 11 in the current exception record. |
| $exr_param12 | The value of parameter 12 in the current exception record. |
| $exr_param13 | The value of parameter 13 in the current exception record. |
| $exr_param14 | The value of parameter 14 in the current exception record. |
| $bug_code | If a bug check occurred, this is the bug check code. Applies to live kernel-mode debugging and to kernel crash dumps. |
| $bug_param1 | If a bug check occurred, this is the value of parameter 1. Applies to live kernel-mode debugging and to kernel crash dumps. |
| $bug_param2 | If a bug check occurred, this is the value of parameter 2. Applies to live kernel-mode debugging and to kernel crash dumps. |
| $bug_param3 | If a bug check occurred, this is the value of parameter 3. Applies to live kernel-mode debugging and to kernel crash dumps. |
| $bug_param4 | If a bug check occurred, this is the value of parameter 4. Applies to live kernel-mode debugging and to kernel crash dumps. |
Pseudo-registers that hold the address of a structure (for example $thread) are evaluated according to the appropriate data type in the C++ expression evaluator, but not in the MASM expression evaluator. For example, the command ? $teb displays the address of the TEB, while the command ?? @$teb displays the entire TEB structure. For more information, see Evaluating Expressions. On Itanium-based processors, the iip register is bundle-aligned, which means that it points to slot 0 of the bundle that contains the current instruction, even if a different slot is executing. So iip is not the complete instruction pointer. The $ip pseudo-register is the actual instruction pointer, including both bundle and slot. The other pseudo-registers that hold instruction pointers ($ra, $retreg, $eventip, $previp, $relip and $exentry) have the same structure as $ip on all processors.
You can change the value of $ip with the r command. This change also automatically changes the corresponding register. When execution resumes, it resumes at the new instruction pointer address. This register is the only automatic pseudo-register that you can change manually. Note: in MASM syntax, the $ip pseudo-register can be written as a period (.). Do not add an at sign (@) before this period, and do not use the period as the first parameter of the r command. This syntax is not allowed in C++ expressions. Automatic pseudo-registers are similar to automatic aliases. However, automatic aliases can be used together with alias-related tokens, and pseudo-registers cannot be used with such tokens.
4.2 User-defined pseudo-registers
0:000> r $t0 = 7
0:000> r $t1 = 128*poi(MyVar)
0:000> bp $t3
0:000> bp @$t4
0:000> ?? @$t1 + 4*@$t2
A user-defined pseudo-register holds an integer value unless you use the ? switch with the r command. If you use this switch, the pseudo-register takes on whatever type is assigned to it. For example, the following command assigns the type UNICODE_STRING** and the value 0x0012ffbc to $t15.
0:000> r? $t15 = * (UNICODE_STRING*) 0x12ffbc
kd> bp /t @$thread nt!ntopenfile
The following example executes a command repeatedly until a register holds a specified value. First, put the following conditional stepping code in a script file named eaxstep.
.if (@eax == 1234) { .echo 1234 } .else { t "$<eaxstep" }
Next, issue the following command.
t "$<eaxstep"
The debugger executes one step and then runs your command. In this case the debugger runs the script, which either displays 1234 or repeats the process.