WinDbg command syntax rules series (2)

2. String wildcard syntax

Some debugger commands that take a string parameter accept a variety of wildcards. Parameters of this kind support the following syntax:

  • An asterisk (*) matches zero or more characters.
  • A question mark (?) matches any single character.
  • A list of characters enclosed in brackets ([]) matches any single character in the list. Exactly one character of the list is matched. Inside the brackets you can use a hyphen (-) to specify a range. For example, prog[er-t7]am matches "progeam", "program", "progsam", "progtam" and "prog7am".
  • A number sign (#) matches zero or more occurrences of the preceding element. For example, lo#p matches "lp", "lop", "loop", "looop" and so on. You can also combine the number sign with a bracketed list, so m[ia]#n matches "mn", "min", "man", "maan", "main", "mian", "miin", "miain" and so on.
  • A plus sign (+) matches one or more occurrences of the preceding element. For example, lo+p is the same as lo#p, except that lo+p does not match "lp". Similarly, m[ia]+n is the same as m[ia]#n, except that m[ia]+n does not match "mn". And A?+B is the same as A*B, except that A?+B does not match "AB".
  • If you need a literal number sign (#), question mark (?), left bracket ([), right bracket (]), asterisk (*) or plus sign (+), you must precede it with a backslash (\). A hyphen that is not enclosed in brackets is always literal, but you cannot specify a literal hyphen inside a bracketed list.
Parameters that specify symbols support one additional feature. In addition to the standard string wildcards, you can use an underscore (_) in the text expression that specifies the symbol. When that expression is matched against symbols, the debugger treats the underscore as any number of underscores, including zero. This feature works only when matching symbols; it does not apply to general string wildcard expressions.
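To make the grammar above concrete, here is an added example (it is not part of the original page and is not WinDbg's own code) that translates a WinDbg wildcard pattern into a Python regular expression and matches it against the strings used in the list above, including the symbol-only underscore rule from the preceding paragraph. The symbol names in the sample inputs (nt!NtOpenFile and similar) are constructed for illustration only.

```python
import re


def windbg_wildcard_to_regex(pattern: str, symbol: bool = False) -> str:
    """Translate a WinDbg string-wildcard pattern into a Python regex.

    Rules implemented, exactly as stated on this page:
      *        zero or more characters
      ?        exactly one character
      [list]   one character from the list; a hyphen inside gives a range,
               and a literal hyphen cannot be written inside a list
      #        zero or more of the preceding element
      +        one or more of the preceding element
      \\x      a literal # ? [ ] * or + (backslash escape)
    With symbol=True an underscore matches any run of underscores, including
    none, which is the extra rule the debugger applies only to symbol names.
    The result is meant for re.fullmatch, so the whole string must match.
    """
    atoms = []        # one regex fragment per pattern element
    repeatable = []   # may a following # or + repeat this fragment?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n and pattern[i + 1] in "#?[]*+":
            atoms.append(re.escape(pattern[i + 1]))   # escaped literal
            repeatable.append(True)
            i += 2
        elif c == "*":
            atoms.append(".*")
            repeatable.append(False)
            i += 1
        elif c == "?":
            atoms.append(".")
            repeatable.append(True)
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated character list")
            body = pattern[i + 1:end]
            if not body:
                raise ValueError("empty character list")
            # Only '-' is special inside a list; escape everything else for re.
            cls = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            atoms.append("[" + cls + "]")
            repeatable.append(True)
            i = end + 1
        elif c in "#+":
            # The page does not say what '*#' or '**+' means, so reject it
            # rather than emit an invalid regex.
            if not atoms or not repeatable[-1]:
                raise ValueError(f"'{c}' has no preceding element to repeat")
            atoms[-1] += "*" if c == "#" else "+"
            repeatable[-1] = False
            i += 1
        elif c == "_" and symbol:
            atoms.append("_*")   # symbol matching: any number of underscores
            repeatable.append(False)
            i += 1
        else:
            atoms.append(re.escape(c))
            repeatable.append(True)
            i += 1
    return "".join(atoms)


def windbg_match(pattern: str, text: str, symbol: bool = False) -> bool:
    """Return True if the whole of text matches the WinDbg wildcard pattern."""
    return re.fullmatch(windbg_wildcard_to_regex(pattern, symbol), text) is not None


if __name__ == "__main__":
    # Constructed inputs, taken from the examples in the list above.
    for pat, text in [("prog[er-t7]am", "progsam"), ("lo#p", "lp"),
                      ("lo+p", "lp"), ("A?+B", "AB"), (r"a\*b", "a*b"),
                      ("nt!_NtOpen*", "nt!NtOpenFile")]:
        print(f"{pat:16} {text:16} {windbg_match(pat, text, symbol=True)}")
```

Use windbg_match(pattern, text) for ordinary string parameters and windbg_match(pattern, name, symbol=True) when the parameter names a symbol. The translator is case-sensitive; the page says nothing about case, so check the behaviour of the specific command you are feeding the pattern to.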
3. Register syntax
The debugger can access and control the integer and floating-point registers. When you use a register in an expression, precede it with an at sign (@). The at sign tells the debugger that the text that follows is the name of a register. If you are using MASM expression syntax, you can omit the at sign for some very common registers. On x86-based systems, the at sign may be omitted for the eax, ebx, ecx, edx, esi, edi, ebp, eip and efl registers. For less common registers, if you omit the at sign the debugger first tries to interpret the text as a hexadecimal number. If the text contains non-hexadecimal characters, the debugger next tries to interpret it as a symbol. Finally, if no matching symbol is found, the debugger interprets the text as a register. If you are using C++ expression syntax, the at sign is always required.
The r (Registers) command is an exception to this rule. The debugger always interprets its first parameter as a register. (The at sign is neither required nor allowed.) If the r command has a second parameter, it is interpreted according to the default expression syntax. If the default expression syntax is C++, you must use the following command to copy the ebx register into the eax register.
0:000> r eax = @ebx

Flags on x86-based processors

x86-based processors use several registers that are called flags.

Registers and threads

Each thread has its own register values. These values are stored in the CPU registers while the thread is executing, and in memory while another thread is executing. In user mode, any reference to a register is interpreted as the register associated with the current thread. For more information about the current thread, see Controlling Processes and Threads. In kernel mode, any reference to a register is interpreted as the register associated with the current register context. You can set the register context to match a specific thread, context record or trap frame. Only the most important registers of a specific register context can be displayed, and you cannot change their values.

4. Pseudo-register syntax

The debugger supports several pseudo-registers that hold certain values. The debugger automatically sets some pseudo-registers to useful values. User-defined pseudo-registers are integer variables that you can read and write. All pseudo-registers begin with a dollar sign ($). If you are using MASM syntax, you can add an at sign (@) before the dollar sign. The at sign tells the debugger that the token that follows is a register or pseudo-register, not a symbol. If you omit the at sign, the debugger responds more slowly, because it has to search the entire symbol table.

For example, the following two commands produce the same output, but the second command is faster.

0:000> ? $exp
Evaluate expression: 143 = 0000008f
0:000> ? @$exp
Evaluate expression: 143 = 0000008f

If a pseudo-register has the same name as a symbol, you must add the at sign (@). If you are using C++ expression syntax, the at sign (@) is always required.

The r (Registers) command is an exception to this rule. The debugger always interprets its first parameter as a register or pseudo-register. (The at sign is neither required nor allowed.) If the r command has a second parameter, it is interpreted according to the default expression syntax. If the default expression syntax is C++, you must use the following command to copy the $t2 pseudo-register into the $t1 pseudo-register.

0:000> r $t1 = @$t2

4.1 Automatic pseudo-registers

The debugger automatically sets the following pseudo-registers:

Pseudo-register   Description

$ea
The effective address of the last instruction that was executed. If this instruction has no effective address, the debugger displays "Bad register error". If the instruction has two effective addresses, the debugger displays the first address.

$ea2
The second effective address of the last instruction that was executed. If this instruction does not have two effective addresses, the debugger displays "Bad register error".

$exp
The last expression that was evaluated.

$ra
The return address that is currently on the stack.
This address is especially useful in execution commands. For example, g @$ra continues until the return address is reached (although gu (Go Up) is a more precise and effective way to "step out" of the current function).

$ip
The instruction pointer register.
x86-based processors: the same as eip. Itanium-based processors: related to iip (for more information, see the explanation after this table). x64-based processors: the same as rip.

$eventip
The instruction pointer at the time of the current event. This pointer usually matches $ip, unless you switched threads or manually changed the value of the instruction pointer.

$previp
The instruction pointer at the time of the previous event. (Breaking into the debugger counts as an event.)

$relip
An instruction pointer that is related to the current event. When you are branch tracing, this pointer is the pointer to the branch source.

$scopeip
The instruction pointer of the current local context (also known as the scope).

$exentry
The address of the entry point of the first executable of the current process.

$retreg
The primary return value register.
x86-based processors: the same as eax. Itanium-based processors: the same as ret0. x64-based processors: the same as rax.

$retreg64
The primary return value register, in 64-bit format.
x86-based processors: the same as the edx:eax pair.

$csp
The current call stack pointer. This pointer is the register that is most representative of the call stack depth.
x86-based processors: the same as esp. Itanium-based processors: the same as bsp. x64-based processors: the same as rsp.

$p
The last value that was printed by a d* (Display Memory) command.

$proc
The address of the current process (that is, the address of the EPROCESS block).

$thread
The address of the current thread. In kernel-mode debugging, this address is the address of the ETHREAD block. In user-mode debugging, this address is the address of the thread environment block (TEB).

$peb
The address of the process environment block (PEB) of the current process.

$teb
The address of the thread environment block (TEB) of the current thread.

$tpid
The process ID (PID) of the process that owns the current thread.

$tid
The thread ID of the current thread.

$dtid

$dpid

$dsid

$bpNumber
The address of the corresponding breakpoint. For example, $bp3 (or $bp03) refers to the breakpoint whose breakpoint ID is 3. Number is always a decimal number. If no breakpoint has the ID Number, $bpNumber evaluates to zero. For more information about breakpoints, see Using Breakpoints.

$frame
The current frame index. This is the same frame number that the .frame (Set Local Context) command uses.

$dbgtime
The current time, according to the computer on which the debugger is running.

$callret
The return value of the last function that was called by .call (Call Function) or used in the .fnret /s command. The data type of $callret is the data type of that return value.

$extret

$extin

$clrex

$lastclrex
Managed debugging only: the address of the last common language runtime (CLR) exception object that was encountered.

$ptrsize
The size of a pointer. In kernel mode, this is the pointer size on the target computer.

$pagesize
The number of bytes in one page of memory. In kernel mode, this is the page size on the target computer.

$pcr

$pcrb

$argreg

$exr_chance
The chance (first or second) of the current exception record.

$exr_code
The exception code of the current exception record.

$exr_numparams
The number of parameters in the current exception record.

$exr_param0 through $exr_param14
The value of parameter 0 through parameter 14, respectively, of the current exception record.

$bug_code
If a bug check occurred, this is the bug check code. Applies to live kernel-mode debugging and kernel crash dumps.

$bug_param1 through $bug_param4
If a bug check occurred, these are the values of bug check parameters 1 through 4, respectively. Applies to live kernel-mode debugging and kernel crash dumps.

In some debugging scenarios, some of these pseudo-registers are not available. For example, when you debug a user-mode minidump or certain kernel-mode dump files, you cannot use $peb, $tid and $tpid. In some cases you can get thread information from ~ (Thread Status) instead of $tid. You cannot use the $previp pseudo-register on the first debugger event. You cannot use the $relip pseudo-register unless you are branch tracing. Using an unavailable pseudo-register causes a syntax error.

Pseudo-registers that hold the address of a structure (such as $thread and the other structure-address pseudo-registers in the table above) are evaluated with the appropriate data type in the C++ expression evaluator, but not in the MASM expression evaluator. For example, the command ? $teb displays the address of the TEB, while the command ?? @$teb displays the whole TEB structure. For details, see Evaluating Expressions. On Itanium-based processors, the iip register is bundle-aligned, meaning that it points to slot 0 of the bundle that contains the current instruction, even when a different slot is executing. So iip is not the full instruction pointer. The $ip pseudo-register is the actual instruction pointer, including bundle and slot. The other pseudo-registers that hold address pointers ($ra, $retreg, $eventip, $previp, $relip and $exentry) have the same structure as $ip on all processors.

You can use the r command to change the value of $ip. This change also automatically changes the corresponding register. When execution resumes, it resumes at the new instruction pointer address. This is the only automatic pseudo-register that can be changed manually. Note: in MASM syntax, the $ip pseudo-register can also be written as a period (.). You do not add an at sign (@) before this period, and you cannot use the period as the first parameter of the r command. This notation is not allowed in C++ expressions. Automatic pseudo-registers are similar to automatic aliases. However, automatic aliases can be used together with alias-related tokens (such as ${ }), whereas pseudo-registers cannot be used with such tokens.

4.2 User-defined pseudo-registers

There are 20 user-defined pseudo-registers ($t0, $t1, ... $t19). These pseudo-registers are variables that the debugger can read and write. You can store any integer value in them. They are especially useful as loop variables. To write to one of these pseudo-registers, use the r (Registers) command, as in the following examples.
0:000> r $t0 = 7
0:000> r $t1 = 128*poi(MyVar)
  As with all pseudo-registers, you can use user-defined pseudo-registers in any expression, as in the following examples.
0:000> bp $t3
0:000> bp @$t4
0:000> ?? @$t1 + 4*@$t2

By default, user-defined pseudo-registers are typeless, unless you use the ? switch with the r command. If you use this switch, the pseudo-register takes on whatever type is assigned to it. For example, the following command assigns the type UNICODE_STRING** and the value 0x0012ffbc to $t15.

0:000> r? $t15 = * (UNICODE_STRING*) 0x12ffbc
  When the debugger starts, user-defined pseudo-registers have a default value of zero. Note that the aliases $u0, $u1, ... $u9 are not pseudo-registers, even though they look similar.
4.3 Examples
The following example sets a breakpoint that is hit every time the current thread calls NtOpenFile, but is not hit when other threads call NtOpenFile.
kd> bp /t @$thread nt!ntopenfile

The following example executes a command repeatedly until a register holds a specified value. First, put the following conditional stepping code in a script file named eaxstep.

.if (@eax == 1234) { .echo 1234 } .else { t "$<eaxstep" }

Then issue the following command.

t "$<eaxstep"

The debugger executes one step and then runs your command. In this case, the debugger runs the script, which either displays 1234 or repeats the process. (Under the default MASM radix, 1234 is hexadecimal 0x1234; write 0n1234 if you mean decimal.)

Source: www.cnblogs.com/yilang/p/11411467.html