
WinDbg Common Commands Reference


Common WinDbg Commands (Thematically Grouped)
By Robert Kuster, November 2007. All rights reserved. www.software.rkuster.com

Contents:
1) Built-in help commands
2) General WinDbg commands (clear screen, ..)
3) Debugging sessions (attach, detach, ..)
4) Expressions and commands
5) Debugger markup language (DML)
6) Main extensions
7) Symbols
8) Sources
9) Exceptions, events, and crash analysis
10) Loaded modules and image information
11) Process related information
12) Thread related information
13) Breakpoints
14) Tracing and stepping (F10, F11)
15) Call stack
16) Registers
17) Information about variables
18) Memory
19) Manipulating memory ranges
20) Memory: Heap
21) Application Verifier
22) Logging extension (logexts.dll)

1) Built-in help commands

| Cmd | Variants / Params | Description |
|---|---|---|
| ? | ? | Display regular commands |
| | ? /D | Display regular commands as DML |
| .help | .help | Display . commands |
| | .help /D | Display . commands in DML format (a top bar of links is given) |
| | .help /D a* | Display . commands that start with a* (wildcard) as DML |
| .chain | .chain | List all loaded debugger extensions |
| | .chain /D | List all loaded debugger extensions as DML (extensions are linked to a .extmatch) |
| .extmatch | .extmatch /e ExtDLL FunctionFilter | Show all exported functions of an extension DLL. FunctionFilter = wildcard string |
| | .extmatch /D /e ExtDLL FunctionFilter | Same in DML format (functions link to "!ExtName.help FuncName" commands). Example: .extmatch /D /e uext * (show all exported functions of uext.dll) |
| .hh | .hh | Open WinDbg's help |
| | .hh Text | Text = text to look up in the help file index. Example: .hh dt |

2) General WinDbg commands (show version, clear screen, etc.)

| Cmd | Variants / Params | Description |
|---|---|---|
| version | | Dump version info of the debugger and loaded extension DLLs |
| vercommand | | Dump the command line that was used to start the debugger |
| vertarget | | Version of the target computer |
| CTRL+ALT+V | | Toggle verbose mode ON/OFF. In verbose mode some commands (such as register dumping) have more detailed output. |
| n | n [8 \| 10 \| 16] | Set number base |
| .formats | .formats Expression | Show number formats = evaluates a numerical expression or symbol and displays it in multiple numerical formats (hex, decimal, octal, binary, time, ..). Example 1: .formats 5. Example 2: .formats poi(nLocal1) == .formats @@($!nLocal1) |
| .cls | | Clear screen |
| .lastevent | | Displays the most recent exception or event that occurred (why is the debugger waiting?) |
| .effmach | .effmach | Dump effective machine (x86, amd64, ..) |
| | .effmach . | Use the target computer's native processor mode |
| | .effmach # | Use the processor mode of the code that is executing for the most recent event |
| | .effmach x86 \| amd64 \| ia64 \| ebc | Use x86, amd64, ia64, or ebc processor mode. This setting influences many debugger features: which processor's unwinder is used for stack tracing, and which processor's register set is active |
| .time | | Display time (system-up, process-up, kernel time, user time) |

3) Debugging sessions (attach, detach, ..)

| Cmd | Variants / Params | Description |
|---|---|---|
| .attach | .attach PID | Attach to a process |
| .detach | | Ends the debugging session, but leaves any user-mode target application running |
| q | q, qq | Quit = ends the debugging session and terminates the target application. Remote debugging: q = no effect; qq = terminates the debug server |
| .restart | | Restart the target application |

4) Expressions and commands

| Cmd | Variants / Params | Description |
|---|---|---|
| ; | | Command separator (cmd1; cmd2; ..) |
| ? | ? Expression | Evaluate expression (use the default evaluator) |
| ?? | ?? Expression | Evaluate C++ expression |
| .expr | .expr | Choose the default expression evaluator: show the current evaluator |
| | .expr /q | Show available evaluators |
| | .expr /s c++ | Set C++ as the default expression evaluator |
| | .expr /s masm | Set MASM as the default expression evaluator |
| * | * [any text] | Comment line specifier. Terminated by: end of line |
| $$ | $$ [any text] | Comment specifier. Terminated by: end of line OR semicolon |
| .echo | .echo String, .echo "String" | Echo comment = comment text + echo it. Terminated by: end of line OR semicolon |

With the $$ token or the * token the debugger ignores the entered text without echoing it.

5) Debugger markup language (DML)

Starting with version 6.6.07 of the debugger, a new mechanism for enhancing output from the debugger and extensions was included: DML. DML allows output to include directives and extra non-display information in the form of tags. Debugger user interfaces parse out the extra information to provide new behaviors. DML is primarily intended to address two issues: linking of related information, and discoverability of debugger and extension functionality.

| Cmd | Variants / Params | Description |
|---|---|---|
| .dml_start | | Kick-off link to the other DML commands |
| .prefer_dml | .prefer_dml [1 \| 0] | Global setting: should DML-enhanced commands default to DML? Note that many commands like k, lm, .. output DML content thereafter. |
| .help /D | | .help has a new DML mode where a top bar of links is given |
| .chain /D | | .chain has a new DML mode where extensions are linked to a .extmatch |
| .extmatch /D | | .extmatch has a new DML format where exported functions link to "!ExtName.help FuncName" commands |
| lmD | | lm has a new DML mode where module names link to lmv commands |
| kM | | k has a new DML mode where frame numbers link to a .frame/dv |
| .dml_flow | .dml_flow StartAddr TargetAddr | Allows interactive exploration of the code flow of a function. 1. Builds a code flow graph for the function starting at the given start address (similar to uf). 2. Shows the basic block at the target address plus links to referring blocks and to blocks referred to by the current block. Example: .dml_flow CreateRemoteThread CreateRemoteThread+30 |

6) Main extensions

| Cmd | Variants / Params | Displays supported commands for .. |
|---|---|---|
| !Ext.help | | General extensions |
| !Exts.help | | General extensions |
| !Uext.help | | User-mode extensions (non-OS specific) |
| !Ntsdexts.help | | User-mode extensions (OS specific) |
| !logexts.help | | Logger extensions |
| !clr10\sos.help | | Debugging managed code |
| !wow64exts.help | | Wow64 debugger extensions |
| !Wdfkd.help | | Kernel-mode driver framework extensions |
| !Gdikdx.help | | Graphics driver extensions |
| .. | | |
| !NAME.help | !NAME.help FUNCTION | Display detailed help about an exported function. NAME = placeholder for the extension DLL, FUNCTION = placeholder for the exported function. Example: !Ntsdexts.help handle (show detailed help about !Ntsdexts.handle) |

7) Symbols

| Cmd | Variants / Params | Description |
|---|---|---|
| ld | ld ModuleName | Load symbols for Module |
| | ld * | Load symbols for all modules |
| !sym | !sym | Get the state of symbol loading |
| | !sym noisy | Set noisy symbol loading (the debugger displays info about its search for symbols) |
| | !sym quiet | Set quiet symbol loading (= default) |
| x | x [Options] Module!Symbol | Examine symbols: displays symbols that match the specified pattern |
| | x /t .. | with data type |
| | x /v .. | verbose (symbol type and size) |
| | x /a .. | sort by address |
| | x /n .. | sort by name |
| | x /z .. | sort by size (the "size" of a function symbol is the size of the function in memory) |
| ln | ln Addr | List nearest symbols = display the symbols at or near the given Addr. Useful to determine what a pointer is pointing to, and, when looking at a corrupted stack, to determine which procedure made a call |
| .sympath | .sympath | Display or set the symbol search path |
| | .sympath+ | Append directories to the previous symbol path |
| .symopt | .symopt | Display current symbol options |
| | .symopt+ Flags | Add option |
| | .symopt- Flags | Remove option |
| .symfix | .symfix, .symfix+ DownstreamStore | Set the symbol store path to automatically point to http://msdl.microsoft.com/download/symbols. + = append it to the existing path. DownstreamStore = directory to be used as a downstream store; default is WinDbgInstallationDir\Sym. |
| .reload | .reload | Reload symbol information for all modules** |
| | .reload [/f \| /v] | f = force immediate symbol load (overrides lazy loading); v = verbose mode |
| | .reload [/f \| /v] Module | For Module only |

**Note: The .reload command does not actually cause symbol information to be read. It just lets the debugger know that the symbol files may have changed, or that a new module should be added to the module list. To force actual symbol loading to occur, use the /f option or the ld (Load Symbols) command.

Examples:

| Command | Effect |
|---|---|
| x *! | List all modules |
| x ntdll!* | List all symbols of ntdll |
| x /t /v MyDll!* | List all symbols in MyDll with data type, symbol type and size |
| x kernel32!*LoadLib* | List all symbols in kernel32 that contain the word LoadLib |
| .sympath+ C:\MoreSymbols | Add symbols from C:\MoreSymbols (folder location) |
| .reload /f @"ntdll.dll" | Immediately reload symbols for ntdll.dll |
| .reload /f @"C:\WINNT\System32\verifier.dll" | Reload symbols for verifier, using the given path |

Also check the !lmi command.

8) Sources

| Cmd | Variants / Params | Description |
|---|---|---|
| .srcpath | .srcpath | Display or set the source search path |
| | .srcpath+ DIR | Append a directory to the searched source path |
| .srcnoisy | .srcnoisy {1\|0} | Controls noisy source loading |
| .lines | .lines [-e \| -d \| -t] | Toggle source line support: enable; disable; toggle |
| l (lowercase L) | l+l, l-l | Show line numbers |
| | l+o, l-o | Suppress all but [s] |
| | l+s, l-s | Source and line number |
| | l+t, l-t | Source mode vs. assembly mode |

9) Exceptions, events, and crash analysis

| Cmd | Variants / Params | Description |
|---|---|---|
| g | g | Go |
| | gH | Go, exception handled |
| | gN | Go, exception not handled |
| .lastevent | | What happened? Shows the most recent event or exception |
| !analyze | !analyze -v | Display information about the current exception or bug check; verbose |
| | !analyze -hang | User mode: analyzes the thread stacks to determine whether any threads are blocking other threads |
| | !analyze -f | See an exception analysis even when the debugger does not detect an exception |
| sx | sx | Show all event filters with break status and handling |
| | sxe | Break first-chance |
| | sxd | Break second-chance |
| | sxn | Notify; don't break |
| | sxi | Ignore event |
| | sxr | Reset filter settings to default values |
| .exr | .exr -1 | Display the most recent exception record |
| | .exr Addr | Display the exception record at Addr |
| .ecxr | | Displays the exception context record (registers) associated with the current exception |
| !cppexr | !cppexr Addr | Display content and type of a C++ exception |

Examples:

| Command | Effect |
|---|---|
| .exr -1 | Display the most recent exception |
| .exr 7c901230 | Display the exception at address 7c901230 |
| !cppexr 7c901230 | Display the C++ exception at address 7c901230 |

10) Loaded modules and image information

| Cmd | Variants / Params | Description |
|---|---|---|
| lm | lm[v \| l \| k \| u \| f] [m Pattern] | List modules; verbose \| with loaded symbols \| kernel-only or user-only symbol info \| image path; Pattern = pattern that the module name must match |
| | lmD | DML mode of lm; lmv command links included in the output |
| !dlls | !dlls | All loaded modules with load count |
| | !dlls -i | By initialization order |
| | !dlls -l | By load order (default) |
| | !dlls -m | By memory order |
| | !dlls -v | With version info |
| | !dlls -c ModuleAddr | Only the module at ModuleAddr |
| | !dlls -? | Brief help |
| !imgreloc | !imgreloc ImgBaseAddr | Information about relocated images |
| !lmi | !lmi Module | Detailed info about a module (including exact symbol info) |
| !dh | !dh ImgBaseAddr | Dump headers for ImgBaseAddr |
| | !dh -f ImgBaseAddr | File headers only |
| | !dh -s ImgBaseAddr | Section headers only |
| | !dh -h | Brief help |

The !lmi extension extracts the most important information from the image header and displays it in a concise summary format. It is often more useful than !dh.

Examples:

| Command | Effect |
|---|---|
| lm | Display all loaded and unloaded modules |
| lmv m kernel32 | Display verbose (all possible) information for kernel32.dll |
| lmD | DML variant of lm |
| !dlls -v -c kernel32 | Display information for kernel32.dll, including load count |
| !lmi kernel32 | Display detailed information about kernel32, including symbol information |
| !dh kernel32 | Display headers for kernel32 |

11) Process related information

| Cmd | Variants / Params | Description |
|---|---|---|
| !dml_proc | | (DML) displays current processes and allows drilling into processes for more information |
| \| (pipe) | | Print the status of all processes being debugged |
| .tlist | | Lists all processes running on the system |
| !peb | | Display a formatted view of the process's environment block (PEB) |

Examples:

| Command | Effect |
|---|---|
| !peb | Dump a formatted view of the process's PEB (only some information) |
| r $peb | Dump the address of the PEB. $peb = pseudo-register |
| dt ntdll!_PEB | Dump the PEB struct |
| dt ntdll!_PEB @$peb -r | Recursively (-r) dump the PEB of our process |

12) Thread related information

| Cmd | Variants / Params | Description |
|---|---|---|
| ~ | ~ | List threads. [Command] works for a few regular commands such as k, r |
| | ~* [Command] | All threads |
| | ~. [Command] | Current thread |
| | ~# [Command] | Thread that caused the current event or exception |
| | ~Number [Command] | Thread whose ordinal is Number |
| | ~~[TID] [Command] | Thread whose thread ID is TID (the brackets are required) |
| | ~Ns | Switch to thread N (new current thread) |
| ~e | ~* e CommandString | Execute thread-specific commands (CommandString = one or more commands to be executed) for all threads |
| | ~. e CommandString | .. for the current thread |
| | ~# e CommandString | .. for the thread which caused the current event |
| | ~Number e CommandString | .. for the thread with ordinal Number |
| ~f | ~Thread f | Freeze thread (see ~ for Thread syntax) |
| ~u | ~Thread u | Unfreeze thread (see ~ for Thread syntax) |
| ~n | ~Thread n | Suspend thread = increment the thread's suspend count |
| ~m | ~Thread m | Resume thread = decrement the thread's suspend count |
| !teb | | Display a formatted view of the thread's environment block (TEB) |
| !tls | !tls -1 | Dump all slots for the current thread |
| | !tls SlotIdx | Dump only the specified slot |
| | !tls [-1 \| SlotIdx] TebAddr | TebAddr = specify the thread; if omitted, the current thread is used |
| .ttime | | Display thread times (user + kernel mode) |
| !runaway | !runaway [Flags: 0 \| 1 \| 2] | Display information about the time consumed by each thread (0 = user time, 1 = kernel time, 2 = time elapsed since thread creation). A quick way to find out which threads are spinning out of control or consuming too much CPU time |
| !gle | !gle | Dump the last error for the current thread |
| | !gle -all | Dump the last error for all threads |
| !error | !error ErrValue | Decode and display information about an error value |
| | !error ErrValue 1 | Treat ErrValue as an NTSTATUS code |

Point of interest: SetLastError( dwErrCode ) checks the value of kernel32!g_dwLastErrorToBreakOn and possibly executes a DbgBreakPoint:

```c
if ((g_dwLastErrorToBreakOn != 0) && (dwErrCode == g_dwLastErrorToBreakOn))
    DbgBreakPoint();
```

The downside is that SetLastError is only called from within KERNEL32.DLL. Other calls to SetLastError are redirected to a function located in NTDLL.DLL, RtlSetLastWin32Error.

Examples:

| Command | Effect |
|---|---|
| ~* k | Call stack for all threads (see also !uniqstack) |
| ~2 f | Freeze thread TID=2 |
| ~# f | Freeze the thread causing the current exception |
| ~3 u | Unfreeze thread TID=3 |
| ~2e r; k; kd | == ~2r; ~2k; ~2kd |
| ~*e !gle | Runs the extension command !gle for every single thread being debugged |
| !tls -1 | Dump all TLS slots for the current thread |
| !runaway 7 | 1 (user time) + 2 (kernel time) + 4 (time elapsed since thread start) |
| !teb | Dump a formatted view of our thread's TEB (only some information) |
| dt ntdll!_TEB @$teb | Dump the TEB of the current thread |

13) Breakpoints

| Cmd | Variants / Params | Description |
|---|---|---|
| bl | | List breakpoints |
| bc | bc * | Clear all breakpoints |
| | bc # [#] [#] | Clear breakpoint # |
| be | be * | Enable all breakpoints |
| | be # [#] [#] | Enable breakpoint # |
| bd | bd * | Disable all breakpoints |
| | bd # [#] [#] | Disable breakpoint # |
| bp | bp [Addr] | Set a breakpoint at an address |
| | bp [Addr] ["CmdString"] [~Thrd] | CmdString = Cmd1; Cmd2; .. executed every time the BP is hit. ~Thrd = thread that the bp applies to |
| | bp[#] [Options] [Addr] [Passes] ["CmdString"] | # = breakpoint ID. Passes = activate the breakpoint after #Passes (it is ignored before) |
| bu | bu [Addr] | See bp. Sets an unresolved breakpoint: the bp is set when the module gets loaded |
| bm | bm SymPattern | Set a symbol breakpoint. SymPattern can contain wildcards |
| | bm SymPattern ["CmdString"] [~Thrd] | CmdString = Cmd1; Cmd2; .. executed every time the BP is hit. ~Thrd = thread that the bp applies to |
| | bm [Options] SymPattern [#Passes] ["CmdString"] | Passes = activate the breakpoint after #Passes (it is ignored before). The syntax bm SymPattern is equivalent to using x SymPattern and then using bu on each of the results |
| ba | ba [r\|w\|e] [Size] Addr [~Thrd] | Break on access: r = read/write, w = write, e = execute; Size = 1, 2 or 4 bytes; ~Thrd = thread that the bp applies to |
| | ba[#] [r\|w\|e] [Size] [Options] [Addr] [Passes] ["CmdString"] | # = breakpoint ID. Passes = activate the breakpoint after #Passes (it is ignored before) |
| br | br OldID NewID [OldID2 NewID2 ...] | Renumbers one or more breakpoints |

With bp, the breakpoint location is always converted to an address. In contrast, a bu or a bm breakpoint is always associated with the symbolic value.

Simple examples:

| Command | Effect |
|---|---|
| bp \`mod!source.c:12\` | Set a breakpoint at the specified source line |
| bm myprogram!mem* | SymbolPattern is equivalent to using x SymbolPattern |
| bu myModule!func | bp is set as soon as myModule is loaded |
| ba w4 77a456a8 | Break on write access |
| bp @@( MyClass::MyMethod ) | Break on methods (useful if the same method is overloaded and thus present at several addresses) |

Breakpoints with options:

| Command | Effect |
|---|---|
| bp mod!addr /1 | Breakpoint that is triggered only once |
| bp mod!addr k | Breakpoint that will start hitting after k-1 passes |

Breakpoints with commands (the command is executed when the breakpoint is hit):

| Command | Effect |
|---|---|
| ba w4 81a578a8 "k;g" | Produce a log every time the breakpoint is hit |
| bu myModule!func ".dump c:\dump.dmp; g" | Create a dump every time the BP is hit |
| bu MYDLL!DllMain "j (dwo(@esp+8) == 1) '.echo MYDLL!DllMain -> DLL_PROCESS_ATTACH; kn' ; 'g' " | DllMain called for MYDLL: check the reason |
| bu kernel32!LoadLibraryExW ".echo LoadLibraryExW for ->; du dwo(@esp+4); g" | LoadLibraryExW( anyDLL ) called: display the name of anyDLL |
| bu kernel32!LoadLibraryExW ";as /mu ${/v:MyAlias} poi(@esp+4); .if ( $spat( \"${MyAlias}\", \"*MYDLL*\" ) != 0 ) { kn; } .else { g }" | LoadLibraryExW( MYDLL ) called? Break only if LoadLibrary is called for MYDLL |

The first parameter to LoadLibrary (at address ESP + 4) is a string pointer to the DLL name in question. The MASM $spat operator compares this pointer to a predefined string wildcard, *MYDLL* in our example. Unfortunately $spat accepts aliases or constants, but no memory pointers. This is why we store the string in question in an alias (MyAlias) first. Our kernel32!LoadLibraryExW breakpoint will hit only if the pattern compared by $spat matches. Otherwise the application will continue executing.

Skip execution of a function:

| Command | Effect |
|---|---|
| bu sioctl!DriverEntry "r eip = poi(@esp); r esp = @esp + 0xC; .echo sioctl!DriverEntry skipped; g" | Right at a function's entry point, the value found on top of the stack is the return address. r eip = poi(@esp) sets EIP (the instruction pointer) to the value found at offset 0x0. DriverEntry has 2 x 4-byte parameters = 8 bytes, + 4 bytes for the return address = 0xC. r esp = @esp + 0xC adds 0xC to ESP (the stack pointer), effectively unwinding the stack pointer |
| bu MyApp!WinMain "r eip = poi(@esp); r esp = @esp + 0x14; .echo WinSpy!WinMain entered; g" | WinMain has 4 x 4-byte parameters = 0x10 bytes, + 4 bytes for the return address = 0x14 |

How to set a breakpoint in your code programmatically: kernel32!DebugBreak, ntdll!DbgBreakPoint, or __asm int 3 (x86 only).

14) Tracing and stepping (F10, F11)

Each step executes either a single assembly instruction or a single source line, depending on whether the debugger is in assembly mode or source mode. Use the l+t and l-t commands or the buttons on the WinDbg toolbar to switch between these modes.

| Cmd | Variants / Params | Description |
|---|---|---|
| g (F5) | g | Go (F5) |
| | gu | Go up = execute until the current function is complete. gu ~= g @$ra; gu ~= bp /1 /c @$csp @$ra; g. $csp = same as esp on x86; $ra = the return address currently on the stack |
| p (F10) | p, pr, p Count, p [Count] "Command", p =StartAddress [Count] [" | |
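The "skip execution of a function" breakpoints above rely on the x86 stack layout at a function's entry point: the return address sits at [esp], and the callee's 4-byte parameters sit above it, so jumping past a stdcall function means loading EIP from [esp] and adding 4 + 4 * nparams to ESP. The following C program is an added example, not part of the original cheat sheet: it models that entry-point frame in a constructed 32-bit memory buffer, reproduces the effect of `r eip = poi(@esp); r esp = @esp + N` for any number of stdcall parameters (generalizing the DriverEntry 0xC and WinMain 0x14 cases), and builds the corresponding WinDbg `bu` command string. The stack address, return address and parameter values are constructed sample data, and `STACK_BASE`, `skip_function` and `skip_command` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit x86 stack at a function's entry point.
 * Not WinDbg or Windows code: it reproduces the arithmetic behind
 *   r eip = poi(@esp); r esp = @esp + (4 + 4 * nparams)
 * for a stdcall (WINAPI) function with nparams 4-byte parameters. */

typedef struct {
    uint32_t eip;
    uint32_t esp;
} regs_t;

/* Simulated little-endian memory: 64 bytes of "stack" at a constructed address. */
#define STACK_BYTES 64
#define STACK_BASE  0x0012ff00u   /* constructed address of stack_mem[0] */
static uint8_t stack_mem[STACK_BYTES];

/* Read a dword from simulated memory, like WinDbg's poi(). */
static uint32_t poi(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &stack_mem[addr - STACK_BASE], sizeof v);
    return v;
}

static void write_dword(uint32_t addr, uint32_t v) {
    memcpy(&stack_mem[addr - STACK_BASE], &v, sizeof v);
}

/* Bytes a stdcall callee owns at entry: the return address plus its parameters.
 * DriverEntry (2 params) -> 0xC, WinMain (4 params) -> 0x14. */
uint32_t stdcall_frame_bytes(unsigned nparams) {
    return 4 + 4 * nparams;
}

/* Effect of the breakpoint command: eip := [esp]; esp := esp + frame bytes.
 * The function body never runs; execution resumes at the caller's return address. */
regs_t skip_function(regs_t r, unsigned nparams) {
    r.eip = poi(r.esp);
    r.esp += stdcall_frame_bytes(nparams);
    return r;
}

/* Build the WinDbg command string used on the page, for any stdcall symbol. */
int skip_command(char *out, size_t cap, const char *symbol, unsigned nparams) {
    return snprintf(out, cap,
        "bu %s \"r eip = poi(@esp); r esp = @esp + 0x%X; .echo %s skipped; g\"",
        symbol, stdcall_frame_bytes(nparams), symbol);
}

/* Lay out a constructed entry-point frame: return address at [esp], params above it. */
regs_t make_entry_frame(uint32_t ret_addr, const uint32_t *params, unsigned nparams) {
    regs_t r = { 0x00401000u, STACK_BASE + 16 };  /* constructed eip / esp */
    write_dword(r.esp, ret_addr);
    for (unsigned i = 0; i < nparams; i++)
        write_dword(r.esp + 4 + 4 * i, params[i]);
    return r;
}

int main(void) {
    /* Constructed DriverEntry(DriverObject, RegistryPath) frame. */
    uint32_t args[2] = { 0x81000000u, 0x81000100u };
    regs_t before = make_entry_frame(0x00402345u, args, 2);
    regs_t after = skip_function(before, 2);
    char cmd[160];
    skip_command(cmd, sizeof cmd, "sioctl!DriverEntry", 2);
    printf("%s\n", cmd);
    printf("eip %08X -> %08X, esp %08X -> %08X\n",
           before.eip, after.eip, before.esp, after.esp);
    return 0;
}
```

The ESP adjustment mirrors the `ret n` that a stdcall callee would execute, so it is only right for callee-cleanup conventions; for a cdecl function the caller removes the arguments itself, and only the 4-byte return address should be popped, otherwise the caller's stack ends up unbalanced.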
Source file: PDF, 229 KB, 18 pages; category: Engineering; uploaded 2011-09-21.