Common WinDbg Commands (Thematically Grouped)
By Robert Kuster, November 2007. All rights reserved.
www.software.rkuster.com
Contents

1) Built-in help commands
2) General WinDbg commands (clear screen, ..)
3) Debugging sessions (attach, detach, ..)
4) Expressions and commands
5) Debugger markup language (DML)
6) Main extensions
7) Symbols
8) Sources
9) Exceptions, events, and crash analysis
10) Loaded modules and image information
11) Process related information
12) Thread related information
13) Breakpoints
14) Tracing and stepping (F10, F11)
15) Call stack
16) Registers
17) Information about variables
18) Memory
19) Manipulating memory ranges
20) Memory: Heap
21) Application Verifier
22) Logging extension (logexts.dll)
1) Built-in help commands

Cmd        Variants / Params                       Description
?          ?                                       Display regular commands
           ? /D                                    Display regular commands as DML
.help      .help                                   Display . commands
           .help /D                                Display . commands in DML format (a top bar of links is given)
           .help /D a*                             Display . commands that start with a* (wildcard) as DML
.chain     .chain                                  List all loaded debugger extensions
           .chain /D                               List all loaded debugger extensions as DML (extensions are linked to a .extmatch)
.extmatch  .extmatch /e ExtDLL FunctionFilter      Show all exported functions of an extension DLL. FunctionFilter = wildcard string
           .extmatch /D /e ExtDLL FunctionFilter   Same in DML format (functions link to "!ExtName.help FuncName" commands)
                                                   Example: .extmatch /D /e uext * (show all exported functions of uext.dll)
.hh        .hh                                     Open WinDbg's help
           .hh Text                                Text = text to look up in the help file index
                                                   Example: .hh dt
2) General WinDbg commands (show version, clear screen, etc.)

Cmd          Variants / Params                  Description
version                                         Dump version info of debugger and loaded extension DLLs
vercommand                                      Dump command line that was used to start the debugger
vertarget                                       Version of target computer
CTRL+ALT+V                                      Toggle verbose mode ON/OFF. In verbose mode some commands (such as register dumping) have more detailed output.
n            n [8 | 10 | 16]                    Set number base
.formats     .formats Expression                Show number formats = evaluates a numerical expression or symbol and displays it in multiple numerical formats (hex, decimal, octal, binary, time, ..)
                                                Example 1: .formats 5
                                                Example 2: .formats poi(nLocal1) == .formats @@($!nLocal1)
.cls                                            Clear screen
.lastevent                                      Displays the most recent exception or event that occurred (why is the debugger waiting?)
.effmach     .effmach                           Dump effective machine (x86, amd64, ..)
             .effmach .                         Use target computer's native processor mode
             .effmach #                         Use processor mode of the code that is executing for the most recent event
             .effmach x86 | amd64 | ia64 | ebc  Use x86, amd64, ia64, or ebc processor mode
                                                This setting influences many debugger features:
                                                -> which processor's unwinder is used for stack tracing
                                                -> which processor's register set is active
.time                                           Display time (system-up, process-up, kernel time, user time)
3) Debugging sessions (attach, detach, ..)

Cmd        Variants / Params   Description
.attach    .attach PID         Attach to a process
.detach                        Ends the debugging session, but leaves any user-mode target application running
q          q, qq               Quit = ends the debugging session and terminates the target application.
                               Remote debugging: q = no effect; qq = terminates the debug server
.restart                       Restart target application
4) Expressions and commands

Cmd      Variants / Params   Description
;                            Command separator (cmd1; cmd2; ..)
?        ? Expression        Evaluate expression (use default evaluator)
         ?? Expression       Evaluate C++ expression
.expr                        Choose default expression evaluator:
         .expr               Show current evaluator
         .expr /q            Show available evaluators
         .expr /s c++        Set C++ as the default expression evaluator
         .expr /s masm       Set MASM as the default expression evaluator
*        * [any text]        Comment line specifier. Terminated by: end of line
$$       $$ [any text]       Comment specifier. Terminated by: end of line OR semicolon
.echo    .echo String        Echo comment -> comment text + echo it. Terminated by: end of line OR semicolon
         .echo "String"
                             With the $$ token or the * token the debugger ignores the entered text without echoing it.
5) Debugger markup language (DML)

Starting with version 6.6.07 of the debugger a new mechanism for enhancing output from the debugger and extensions was included: DML.
DML allows output to include directives and extra non-display information in the form of tags.
Debugger user interfaces parse out the extra information to provide new behaviors.
DML is primarily intended to address two issues:
-> Linking of related information
-> Discoverability of debugger and extension functionality

Cmd           Variants / Params                Description
.dml_start                                     Kick-off to the other DML commands
.prefer_dml   .prefer_dml [1 | 0]              Global setting: should DML-enhanced commands default to DML?
                                               Note that many commands like k, lm, .. output DML content thereafter.
.help /D                                       .help has a new DML mode where a top bar of links is given
.chain /D                                      .chain has a new DML mode where extensions are linked to a .extmatch
.extmatch /D                                   .extmatch has a new DML format where exported functions link to "!ExtName.help FuncName" commands
lmD                                            lm has a new DML mode where module names link to lmv commands
kM                                             k has a new DML mode where frame numbers link to a .frame/dv
.dml_flow     .dml_flow StartAddr TargetAddr   Allows for interactive exploration of code flow for a function.
                                               1. Builds a code flow graph for the function starting at the given start address (similar to uf)
                                               2. Shows the basic block given the target address plus links to referring blocks and blocks referred to by the current block
                                               Example: .dml_flow CreateRemoteThread CreateRemoteThread+30
6) Main extensions

Cmd               Variants / Params      Displays supported commands for ..
!Ext.help                                General extensions
!Exts.help                               -||-
!Uext.help                               User-mode extensions (non-OS specific)
!Ntsdexts.help                           User-mode extensions (OS specific)
!logexts.help                            Logger extensions
!clr10\sos.help                          Debugging managed code
!wow64exts.help                          Wow64 debugger extensions
!Wdfkd.help                              Kernel-mode driver framework extensions
!Gdikdx.help                             Graphics driver extensions
..
!NAME.help        !NAME.help FUNCTION    Display detailed help about an exported function
                                         NAME = placeholder for extension DLL
                                         FUNCTION = placeholder for exported function
                                         Example: !Ntsdexts.help handle (show detailed help about !Ntsdexts.handle)
7) Symbols

Cmd        Variants / Params           Description
ld         ld ModuleName               Load symbols for Module
           ld *                        Load symbols for all modules
!sym       !sym                        Get state of symbol loading
           !sym noisy                  Set noisy symbol loading (debugger displays info about its search for symbols)
           !sym quiet                  Set quiet symbol loading (= default)
x          x [Options] Module!Symbol   Examine symbols: displays symbols that match the specified pattern
           x /t ..                     with data type
           x /v ..                     verbose (symbol type and size)
           x /a ..                     sort by address
           x /n ..                     sort by name
           x /z ..                     sort by size ("size" of a function symbol is the size of the function in memory)
ln         ln Addr                     List nearest symbols = display the symbols at or near the given Addr. Useful to:
                                       -> determine what a pointer is pointing to
                                       -> determine, when looking at a corrupted stack, which procedure made a call
.sympath   .sympath                    Display or set symbol search path
           .sympath+                   Append directories to previous symbol path
.symopt    .symopt                     Display current symbol options
           .symopt+ Flags              Add option
           .symopt- Flags              Remove option
.symfix    .symfix                     Set symbol store path to automatically point to http://msdl.microsoft.com/download/symbols
           .symfix+ DownstreamStore    + = append it to the existing path
                                       DownstreamStore = directory to be used as a downstream store. Default is WinDbgInstallationDir\Sym.
.reload    .reload                     Reload symbol information for all modules**
           .reload [/f | /v]           f = force immediate symbol load (overrides lazy loading); v = verbose mode
           .reload [/f | /v] Module    Module = for Module only
                                       **Note: The .reload command does not actually cause symbol information to be read. It just lets the debugger know that the symbol files may have changed, or that a new module should be added to the module list. To force actual symbol loading to occur use the /f option, or the ld (Load Symbols) command.

Examples:
x *!                                            list all modules
x ntdll!*                                       list all symbols of ntdll
x /t /v MyDll!*                                 list all symbols in MyDll with data type, symbol type and size
x kernel32!*LoadLib*                            list all symbols in kernel32 that contain the word LoadLib
.sympath+ C:\MoreSymbols                        add symbols from C:\MoreSymbols (folder location)
.reload /f @"ntdll.dll"                         immediately reload symbols for ntdll.dll
.reload /f @"C:\WINNT\System32\verifier.dll"    reload symbols for verifier, using the given path
Also check the !lmi command.
8) Sources

Cmd                  Variants / Params       Description
.srcpath             .srcpath                Display or set source search path
                     .srcpath+ DIR           Append directory to the searched source path
.srcnoisy            .srcnoisy {1|0}         Controls noisy source loading
.lines               .lines [-e | -d | -t]   Toggle source line support: enable; disable; toggle
l (small letter L)   l+l, l-l                show line numbers
                     l+o, l-o                suppress all but [s]
                     l+s, l-s                source and line number
                     l+t, l-t                source mode vs. assembly mode
9) Exceptions, events, and crash analysis

Cmd          Variants / Params   Description
g            g                   Go
             gH                  Go exception handled
             gN                  Go not handled
.lastevent                       What happened? Shows most recent event or exception
!analyze     !analyze -v         Display information about the current exception or bug check; verbose
             !analyze -hang      User mode: analyzes the thread stack to determine whether any threads are blocking other threads.
             !analyze -f         See an exception analysis even when the debugger does not detect an exception.
sx           sx                  Show all event filters with break status and handling
             sxe                 break first-chance
             sxd                 break second-chance
             sxn                 notify; don't break
             sxi                 ignore event
             sxr                 reset filter settings to default values
.exr         .exr -1             display most recent exception record
             .exr Addr           display exception record at Addr
.ecxr                            displays exception context record (registers) associated with the current exception
!cppexr      !cppexr Addr        Display content and type of C++ exception

Examples:
.exr -1             display most recent exception
.exr 7c901230       display exception at address 7c901230
!cppexr 7c901230    display C++ exception at address 7c901230
10) Loaded modules and image information

Cmd         Variants / Params                     Description
lm          lm[ v | l | k | u | f ] [m Pattern]   List modules; verbose | with loaded symbols | k = kernel or u = user only symbol info | image path; pattern that the module name must match
            lmD                                   DML mode of lm; lmv command links included in output
!dlls       !dlls                                 all loaded modules with load count
            !dlls -i                              by initialization order
            !dlls -l                              by load order (default)
            !dlls -m                              by memory order
            !dlls -v                              with version info
            !dlls -c ModuleAddr                   only module at ModuleAddr
            !dlls -?                              brief help
!imgreloc   !imgreloc ImgBaseAddr                 information about relocated images
!lmi        !lmi Module                           detailed info about a module (including exact symbol info)
!dh         !dh ImgBaseAddr                       Dump headers for ImgBaseAddr
            !dh -f ImgBaseAddr                    f = file headers only
            !dh -s ImgBaseAddr                    s = section headers only
            !dh -h                                h = brief help
                                                  The !lmi extension extracts the most important information from the image header and displays it in a concise summary format. It is often more useful than !dh.

Examples:
lm                       display all loaded and unloaded modules
lmv m kernel32           display verbose (all possible) information for kernel32.dll
lmD                      DML variant of lm
!dlls -v -c kernel32     display information for kernel32.dll, including load count
!lmi kernel32            display detailed information about kernel32, including symbol information
!dh kernel32             display headers for kernel32
11) Process related information

Cmd         Variants / Params   Description
!dml_proc                       (DML) displays current processes and allows drilling into processes for more information
| (pipe)                        Print status of all processes being debugged
.tlist                          Lists all processes running on the system
!peb                            Display formatted view of the process's environment block (PEB)

Examples:
!peb                     Dump formatted view of the process's PEB (only some information)
r $peb                   Dump address of PEB. $peb == pseudo-register
dt ntdll!_PEB            Dump PEB struct
dt ntdll!_PEB @$peb -r   Recursively (-r) dump PEB of our process
12) Thread related information

Cmd        Variants / Params             Description
~          ~                             list threads
           ~* [Command]                  all threads
           ~. [Command]                  current thread
           ~# [Command]                  thread that caused the current event or exception
           ~Number [Command]             thread whose ordinal is Number
           ~~[TID] [Command]             thread whose thread ID is TID (the brackets are required)
           ~Ns                           switch to thread N (new current thread)
                                         [Command]: works for a few regular commands such as k, r
~e         ~* e CommandString            Execute thread-specific commands (CommandString = one or more commands to be executed) for: all threads
           ~. e CommandString            current thread
           ~# e CommandString            thread which caused the current event
           ~Number e CommandString       thread with ordinal Number
~f         ~Thread f                     Freeze thread (see ~ for Thread syntax)
~u         ~Thread u                     Unfreeze thread (see ~ for Thread syntax)
~n         ~Thread n                     Suspend thread = increment thread's suspend count
~m         ~Thread m                     Resume thread = decrement thread's suspend count
!teb                                     Display formatted view of the thread's environment block (TEB)
!tls       !tls -1                       -1 = dump all slots for current thread
           !tls SlotIdx                  SlotIdx = dump only specified slot
           !tls [-1 | SlotIdx] TebAddr   TebAddr = specify thread; if omitted, the current thread is used
.ttime                                   Display thread times (user + kernel mode)
!runaway   !runaway [Flags]              Display information about time consumed by each thread. Flags is a bit mask: bit 0 (1) = user time, bit 1 (2) = kernel time, bit 2 (4) = time elapsed since thread creation. Quick way to find out which threads are spinning out of control or consuming too much CPU time.
!gle       !gle                          Dump last error for current thread
           !gle -all                     Dump last error for all threads
                                         Point of interest: SetLastError( dwErrCode ) checks the value of kernel32!g_dwLastErrorToBreakOn and possibly executes a DbgBreakPoint:
                                             if ((g_dwLastErrorToBreakOn != 0) && (dwErrCode == g_dwLastErrorToBreakOn))
                                                 DbgBreakPoint();
                                         The downside is that SetLastError is only called from within KERNEL32.DLL. Other calls to SetLastError are redirected to a function located in NTDLL.DLL, RtlSetLastWin32Error.
!error     !error ErrValue               Decode and display information about an error value
           !error ErrValue 1             Treat ErrValue as an NTSTATUS code

Examples:
~* k                  call stack for all threads (similar to !uniqstack)
~2 f                  Freeze thread 2 (ordinal)
~# f                  Freeze the thread causing the current exception
~3 u                  Unfreeze thread 3 (ordinal)
~2e r; k; kd          == ~2r; ~2k; ~2kd
~*e !gle              repeats the extension command !gle for every single thread being debugged
!tls -1               Dump all TLS slots for current thread
!runaway 7            1 (user time) + 2 (kernel time) + 4 (time elapsed since thread start)
!teb                  Dump formatted view of our thread's TEB (only some information)
dt ntdll!_TEB @$teb   Dump TEB of current thread
13) Breakpoints

Cmd   Variants / Params                                                      Description
bl                                                                           List breakpoints
bc    bc *                                                                   Clear all breakpoints
      bc # [#] [#]                                                           Clear breakpoint #
be    be *                                                                   Enable all bps
      be # [#] [#]                                                           Enable bp #
bd    bd *                                                                   Disable all bps
      bd # [#] [#]                                                           Disable bp #
bp    bp [Addr]                                                              Set breakpoint at address
      bp [Addr] ["CmdString"]                                                CmdString = Cmd1; Cmd2; .. Executed every time the BP is hit.
      [~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"]                  ~Thrd == thread that the bp applies to.
                                                                             # = Breakpoint ID
                                                                             Passes = Activate breakpoint after #Passes (it is ignored before)
bu    bu [Addr]                                                              Set unresolved breakpoint. bp is set when the module gets loaded
      See bp ..
bm    bm SymPattern                                                          Set symbol breakpoint. SymPattern can contain wildcards
      bm SymPattern ["CmdString"]                                            CmdString = Cmd1; Cmd2; .. Executed every time the BP is hit.
      [~Thrd] bm [Options] SymPattern [#Passes] ["CmdString"]                ~Thrd == thread that the bp applies to.
                                                                             Passes = Activate breakpoint after #Passes (it is ignored before)
                                                                             The syntax bm SymPattern is equivalent to using x SymPattern and then using bu on each of the results.
ba    ba [r|w|e] [Size] Addr                                                 Break on Access: [r = read/write, w = write, e = execute], Size = [1|2|4 bytes]
      [~Thrd] ba[#] [r|w|e] [Size] [Options] [Addr] [Passes] ["CmdString"]   [~Thrd] == thread that the bp applies to.
                                                                             # = Breakpoint ID
                                                                             Passes = Activate breakpoint after #Passes (it is ignored before)
br    br OldID NewID [OldID2 NewID2 ...]                                     Renumbers one or more breakpoints

With bp, the breakpoint location is always converted to an address. In contrast, a bu or a bm breakpoint is always associated with the symbolic value.

Simple examples
bp `mod!source.c:12`          set breakpoint at the specified source code line
bm myprogram!mem*             SymbolPattern is equivalent to using x SymbolPattern
bu myModule!func              bp set as soon as myModule is loaded
ba w4 77a456a8                break on write access
bp @@( MyClass::MyMethod )    break on methods (useful if the same method is overloaded and thus present at several addresses)

Breakpoints with options
Breakpoint that is triggered only once (options precede the address):
    bp /1 mod!addr
Breakpoint that will start hitting after k-1 passes:
    bp mod!addr k

Breakpoints with commands: the command is executed when the breakpoint is hit.
Produce a log every time the breakpoint is hit:
    ba w4 81a578a8 "k;g"
Create a dump every time the BP is hit:
    bu myModule!func ".dump c:\dump.dmp; g"
DllMain called for MYDLL -> check reason:
    bu MYDLL!DllMain "j (dwo(@esp+8) == 1) '.echo MYDLL!DllMain -> DLL_PROCESS_ATTACH; kn' ; 'g' "
LoadLibraryExW( anyDLL ) called -> display name of anyDLL:
    bu kernel32!LoadLibraryExW ".echo LoadLibraryExW for ->; du dwo(@esp+4); g"
LoadLibraryExW( MYDLL ) called? -> break only if LoadLibrary is called for MYDLL:
    bu kernel32!LoadLibraryExW ";as /mu ${/v:MyAlias} poi(@esp+4); .if ( $spat( \"${MyAlias}\", \"*MYDLL*\" ) != 0 ) { kn; } .else { g }"
The first parameter to LoadLibrary (at address ESP + 4) is a string pointer to the DLL name in question.
The MASM $spat operator compares this pointer to a predefined string wildcard, *MYDLL* in our example.
Unfortunately $spat accepts aliases or constants, but no memory pointers. This is why we store the string in question in an alias (MyAlias) first.
Our kernel32!LoadLibraryExW breakpoint will hit only if the pattern compared by $spat matches. Otherwise the application continues executing.

Skip execution of a function
    bu sioctl!DriverEntry "r eip = poi(@esp); r esp = @esp + 0xC; .echo sioctl!DriverEntry skipped; g"
Right at a function's entry point the value found on the top of the stack is the return address:
    r eip = poi(@esp)   -> Set EIP (instruction pointer) to the value found at offset 0x0
DriverEntry has 2x4 byte parameters = 8 bytes + 4 bytes for the return address = 0xC:
    r esp = @esp + 0xC  -> Add 0xC to ESP (the stack pointer), effectively unwinding the stack pointer
    bu MyApp!WinMain "r eip = poi(@esp); r esp = @esp + 0x14; .echo WinSpy!WinMain entered; g"
WinMain has 4x4 byte parameters = 0x10 bytes + 4 bytes for the return address = 0x14

How to set a breakpoint in your code programmatically?
    kernel32!DebugBreak
    ntdll!DbgBreakPoint
    __asm int 3 (x86 only)
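The breakpoint recipes above are written for x86 (first argument at @esp+4, return address at poi(@esp), ESP advanced by 4 bytes per parameter plus 4), and the !gle note in section 12 only mentions kernel32!g_dwLastErrorToBreakOn without showing how it is armed. The WinDbg script below is an added example, not part of the original cheat sheet: it carries the same three techniques (display or filter the LoadLibraryExW argument, skip a function, trap a specific last-error code) over to x64, where the Microsoft x64 calling convention passes the first four integer arguments in rcx, rdx, r8 and r9 and the caller owns the argument area, so only the 8-byte return address has to be popped. MYDLL, MyApp and the script path are placeholders; the error code 5 (ERROR_ACCESS_DENIED) is just a sample value.

```windbg
$$ Added example (not from the original cheat sheet). Load with:  $$< C:\scripts\bp_x64.txt
$$ (placeholder path; $$< executes the file one command per line)

$$ --- LoadLibraryExW on x64 --------------------------------------------------------
$$ The first argument lives in rcx (x64 ABI), not at dwo(@esp+4) as on x86.
bu kernel32!LoadLibraryExW ".echo LoadLibraryExW for ->; du @rcx; g"

$$ Break only when the name matches *MYDLL* (placeholder). As on x86, $spat cannot read
$$ memory, so the wide string at @rcx is copied into an alias first. Only the argument
$$ location differs from the page's x86 version.
bu kernel32!LoadLibraryExW ";as /mu ${/v:MyAlias} @rcx; .if ( $spat( \"${MyAlias}\", \"*MYDLL*\" ) != 0 ) { kn; } .else { g }"

$$ The same stop at module load without any breakpoint: the ld event filter from section 9.
sxe ld:MYDLL

$$ --- Skipping a function on x64 ---------------------------------------------------
$$ The return address is still on top of the stack, but the caller owns the argument and
$$ shadow area, so rsp only moves past the 8-byte return address whatever the parameter
$$ count (on x86 the adjustment was 4 * parameters + 4, e.g. 0x14 for WinMain).
bu MyApp!WinMain "r rip = poi(@rsp); r rsp = @rsp + 8; .echo MyApp!WinMain skipped; g"

$$ --- Break on one specific Win32 error code (section 12, !gle note) ---------------
$$ kernel32's own SetLastError path calls DbgBreakPoint when the new code equals this
$$ global. 0n5 = decimal 5 = ERROR_ACCESS_DENIED (sample value). Caveat from the page: only
$$ SetLastError calls made inside KERNEL32.DLL check it, the rest go to ntdll!RtlSetLastWin32Error.
ed kernel32!g_dwLastErrorToBreakOn 0n5
dd kernel32!g_dwLastErrorToBreakOn L1

$$ Show what is armed. Disarm the error trap later with: ed kernel32!g_dwLastErrorToBreakOn 0
bl
```

Everything in the script resolves through symbols, so run .symfix and .reload /f first (section 7), and check the effective machine with .effmach (section 2) before using the rcx/rsp variants: under a 32-bit target, or with .effmach x86 on a WOW64 process, the page's original esp-based commands are the right ones.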
14) Tracing and stepping (F10, F11)

Each step executes either a single assembly instruction or a single source line, depending on whether the debugger is in assembly mode or source mode.
Use the l+t and l-t commands or the buttons on the WinDbg toolbar to switch between these modes.

Cmd       Variants / Params          Description
g (F5)    g                          Go (F5)
          gu                         Go up = execute until the current function is complete
                                     gu ~= g @$ra
                                     gu ~= bp /1 /c @$csp @$ra; g
                                     -> $csp = same as esp on x86
                                     -> $ra = the return address currently on the stack
p (F10)   p
          pr
          p Count
          p [Count] "Command"
          p =StartAddress [Count] ["