WinDbg debugging command cheat sheet

Debugging Tools for Windows
      Debuggers
           Debugger Reference

Commands:
1. ? expression (user/kernel mode)
? 4+5
0:003> ? 4*5
Evaluate expression: 20 = 00000014

2. Processes (user mode)
displays all processes.
|
|*

displays the currently active process.
|.

displays the process that originally caused the exception (or that the debugger originally attached to).
|#

The following command displays process number 2.
|2

selects process 2 as the current process.
|2 s

3. Threads (user mode)
displays all threads.
~
~*

displays the currently active thread.

~.

displays the thread that originally caused the exception (or that was active when the debugger attached to the process).
~#

displays thread number 2.
~2

selects thread 2 as the current thread.
~2 s

show all thread status
~* k

freeze the thread
~2 f

unfreeze the thread
~2 u

suspend the thread
~2 n
resume the thread
~2 m

3. Assemble
a    // assemble at the current address; type one instruction per line and press Enter on an empty line to finish

4. Memory (hardware) breakpoints
ba w4/r4/e4/i4 address    // access type: w = write, r = read or write, e = execute, i = I/O port (kernel mode only); the digit is the size in bytes (1, 2, 4 or 8)

5. Software breakpoints
bp address
bp module!func

bu module!func    // unresolved (deferred) breakpoint: stays pending until the module is loaded

bm module!fu*c    // breakpoint on every symbol matching the pattern

6. Display memory
d/db/dw/dd/dq
du/da/ds/dS/dds/dqs
dl address MaxCount SizeOfElement    // walk a LIST_ENTRY linked list starting at address

dds address L100

db address1 address2
db address L100

dt

dt mt    // display the type, or the value of the global variable, named mt
dt nt!_PEB address
dt nt!_PEB
dt nt!_P*

dt mt -a gn    // display the values of the array gn inside mt

dt mt mtsub1 mtsub2 address    // display the types of some subfields of mt
dt mt mtsub1. address    // display the values inside the subfield

dt nt!_PEB 7ffdf000 
dt nt!_PEB Ldr 7ffdf000 
+0x00c Ldr : 0x00191ea0

dt nt!_PEB Ldr Ldr. 7ffdf000 
   +0x00c Ldr  : 0x00191ea0
      +0x000 Length : 0x28
      +0x004 Initialized : 0x1 ''
      +0x008 SsHandle : (null)
      +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x191ee0 - 0x192848 ]
      +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x191ee8 - 0x192850 ]
      +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x191f58 - 0x192858 ]
      +0x024 EntryInProgress : (null)

Now display the CriticalSectionTimeout field:
dt nt!_PEB CriticalSectionTimeout 7ffdf000 
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000


Now expand the CriticalSectionTimeout structure subfields one level deep:
dt nt!_PEB CriticalSectionTimeout. 7ffdf000 
   +0x070 CriticalSectionTimeout  :  0xffffe86d`079b8000
      +0x000 LowPart                 : 0x79b8000
      +0x004 HighPart                : -6035
      +0x000 u                       : __unnamed
      +0x000 QuadPart                : -25920000000000


Now expand the CriticalSectionTimeout structure subfields two levels deep:
dt nt!_PEB CriticalSectionTimeout.. 7ffdf000 
   +0x070 CriticalSectionTimeout   :  0xffffe86d`079b8000
      +0x000 LowPart                  : 0x79b8000
      +0x004 HighPart                 : -6035
      +0x000 u                        :
         +0x000 LowPart                  : 0x79b8000
         +0x004 HighPart                 : -6035
      +0x000 QuadPart                 : -25920000000000


7. Display data referenced by pointers
dda/dpa/dqa    // each pointer references an ASCII string
ddp/dpp/dqp    // each pointer references a DWORD or QWORD
ddu/dpu/dqu    // each pointer references a Unicode string

8. Edit memory
eb/ed/eD/ef/ep/eq/ew
ea/eu/eza/ezu
e

eb address value
ea address "string"
e address value

8. Loaded modules
lm n t    // display modules with their timestamps
lm m s*    // display modules whose names match the pattern
lm vm ModuleName    // verbose information; use the module name, not the file name

9. Display the stack
k
kb    // ChildEBP, return address and the first three parameters of each frame, shown as module!function
kc    // module!function only
kp    // all parameters with their types, names and values; requires full symbols
kv    // adds FPO (frame pointer omission) and calling-convention information

Metacommands

.detach    // detach from the target and let it continue running
.dump /f file.dmp    // full dump
.dump /m file.dmp    // minidump

.ecxr    // show the exception context record (register state at the time of the exception)

.enable_unicode 1    // display USHORT arrays as Unicode strings

.reload /f    // reload symbols for all modules
.reload /i    // force loading of mismatched symbols
.symopt +40    // set SYMOPT_LOAD_ANYTHING, which likewise allows mismatched symbols

!process 0 0
!process fb667a00 7
.process Address    // switch the process context (EPROCESS address in kernel mode, PEB address in user mode)
!thread ff8632c0    // detailed thread information, including the stack
kd> !thread ff8632c0
THREAD ff8632c0  Cid 38c.380  Teb: 7ffde000  Win32Thread: e1bc1a08(SSDT) WAIT: (WrUserRequest) UserMode Non-Alertable
    ff8543e0  SynchronizationEvent
Not impersonating
Owning Process ff89c7a0
WaitTime (seconds)      16923
Context Switch Count    67                   LargeStack
UserTime                  0:00:00.0000
KernelTime                0:00:00.0093
Start Address 0x77e878c1
Win32 Start Address 0x01003dd0
Stack Init fd536000 Current fd535c20 Base fd536000 Limit fd531000 Call 0
Priority 12 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr  Args to Child
fd535c38 8012d61c 00000000 e1bc1a08 00000001 ntoskrnl!KiSwapThread+0xc5
fd535cbc 801672a2 00000001 00000001 000021bf ntoskrnl!KeWaitForSingleObject+0x1a1
fd535d4c 80161691 0006ff08 00000000 00000000 ntoskrnl!ExFreePool+0xb
fd535d4c a01772a8 0006ff08 00000000 00000000 ntoskrnl!KiSystemService+0xc4
ffffffff 00000000 00000000 00000000 00000000 +0xa01772a8

.thread ThreadAddress    // switch to this thread's register context (kernel mode)

r
k

Extensions
1. Kernel mode
!callback
!dbgprint
!deadlock

!deadlock 1

Deadlock detected (2 resources in 2 threads):

Thread 0 (8D14F750) took locks in the following order:

    Lock A -- b7906f30 (Spinlock)
    Stack:   dummy!DummyActivateVcComplete+0x63
             dummy!dummyOpenVcChannels+0x2E1
             dummy!DummyAllocateRecvBufferComplete+0x436
             dummy!DummyAllocateComplete+0x55
             NDIS!ndisMQueuedAllocateSharedHandler+0xC9
             NDIS!ndisWorkerThread+0xEE

    Lock B -- dummy!GlobalLock (Spinlock)
    Stack:   dummy!dummyQueueRecvBuffers+0x2D
             dummy!DummyActivateVcComplete+0x90
             dummy!dummyOpenVcChannels+0x2E1
             dummy!DummyAllocateRecvBufferComplete+0x436
             dummy!DummyAllocateComplete+0x55

Thread 1 (8D903030) took locks in the following order:

    Lock B -- dummy!GlobalLock (Spinlock)
    Stack:   dummy!dummyRxInterruptOnCompletion+0x25D
             dummy!DummyHandleInterrupt+0x32F
             NDIS!ndisMDpcX+0x3C
             ntkrnlpa!KiRetireDpcList+0x5D

    Lock A -- b7906f30 (Spinlock)
    Stack:   << Current stack >>

 

With this information, you have almost everything you need, except the current stack:

0: kd> k
ChildEBP RetAddr
f78aae6c 80664c58 ntkrnlpa!DbgBreakPoint
f78aae74 8066523f ntkrnlpa!ViDeadlockReportIssue+0x2f
f78aae9c 806665df ntkrnlpa!ViDeadlockAnalyze+0x253
f78aaee8 8065d944 ntkrnlpa!VfDeadlockAcquireResource+0x20b
f78aaf08 bfd6df46 ntkrnlpa!VerifierKeAcquireSpinLockAtDpcLevel+0x44
f78aafa4 b1bf2d2d dummy!dummyRxInterruptOnCompletion+0x2b5
f78aafc4 bfde9d8c dummy!DummyHandleInterrupt+0x32f
f78aafd8 804b393b NDIS!ndisMDpcX+0x3c
f78aaff4 804b922b ntkrnlpa!KiRetireDpcList+0x5d

!irp
!irpfind

!pool
!poolfind
!poolused
!poolval

!vpb

kd> !devnode 0 1
Dumping IopRootDeviceNode (= 0x80e203b8)
DevNode 0x80e203b8 for PDO 0x80e204f8
  InstancePath is "HTREE\ROOT\0"
  State = DeviceNodeStarted (0x308)
  Previous State = DeviceNodeEnumerateCompletion (0x30d)
  DevNode 0x80e56dc8 for PDO 0x80e56f18
    InstancePath is "Root\dmio\0000"
    ServiceName is "dmio"
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeEnumerateCompletion (0x30d)
  DevNode 0x80e56ae8 for PDO 0x80e56c38
    InstancePath is "Root\ftdisk\0000"
    ServiceName is "ftdisk"
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeEnumerateCompletion (0x30d)
    DevNode 0x80e152a0 for PDO 0x80e15cb8
      InstancePath is "STORAGE\Volume\1&30a96598&0&Signature5C34D70COffset7E00Length60170A00"
      ServiceName is "VolSnap"
      TargetDeviceNotify List - f 0xe1250938  b 0xe14b9198
      State = DeviceNodeStarted (0x308)
      Previous State = DeviceNodeEnumerateCompletion (0x30d)
    .....

The last device node listed is a volume. Examine its physical device object (PDO) with the !devobj extension:

kd> !devobj 80e15cb8
Device object (80e15cb8) is for:
 HarddiskVolume1 \Driver\Ftdisk DriverObject 80e4e248
Current Irp 00000000 RefCount 14 Type 00000007 Flags 00001050
Vpb 80e15c30 DevExt 80e15d70 DevObjExt 80e15e40 Dope 80e15bd8 DevNode 80e152a0 
ExtensionFlags (0000000000)  
AttachedDevice (Upper) 80e14c60 \Driver\VolSnap
Device queue is not busy.

The address of this device's VPB is included in this listing. Use this address with the !vpb extension:

kd> !vpb 80e15c30
Vpb at 0x80e15c30
Flags: 0x1 mounted 
DeviceObject: 0x80de5020
RealDevice:   0x80e15cb8
RefCount: 14
Volume Label:           MY-DISK-C


2. User mode

!runaway 7    // show each thread's user-mode time (1), kernel-mode time (2) and elapsed time (4), to find which thread consumes the most

0:003> !runaway 7
 User Mode Time
  Thread       Time
   0:fa0       0 days 0:00:00.203
   4:aa0       0 days 0:00:00.000
   3:1a8       0 days 0:00:00.000
   2:b38       0 days 0:00:00.000
   1:c60       0 days 0:00:00.000
 Kernel Mode Time
  Thread       Time
   0:fa0       0 days 0:00:00.281
   4:aa0       0 days 0:00:00.000
   3:1a8       0 days 0:00:00.000
   2:b38       0 days 0:00:00.000
   1:c60       0 days 0:00:00.000
 Elapsed Time
  Thread       Time
   0:fa0       0 days 2:38:39.125
   1:c60       0 days 2:38:39.078
   2:b38       0 days 2:38:38.968
   3:1a8       0 days 2:37:48.234
   4:aa0       0 days 0:30:49.953

How to detect a user-mode deadlock?
0:006>  !locks 
CritSec ftpsvc2!g_csServiceEntryLock+0 at 6833dd68
LockCount          0
RecursionCount     1
OwningThread       a7
EntryCount         0
ContentionCount    0
*** Locked
 
CritSec isatq!AtqActiveContextList+a8 at 68629100
LockCount          2
RecursionCount     1
OwningThread       a3
EntryCount         2
ContentionCount    2
*** Locked
 
CritSec +24e750 at 24e750
LockCount          6
RecursionCount     1
OwningThread       a9
EntryCount         6
ContentionCount    6
*** Locked

0:006>  ~ 
   0  Id: 1364.1330 Suspend: 1 Teb: 7ffdf000 Unfrozen
   1  Id: 1364.17e0 Suspend: 1 Teb: 7ffde000 Unfrozen
   2  Id: 1364.135c Suspend: 1 Teb: 7ffdd000 Unfrozen
   3  Id: 1364.1790 Suspend: 1 Teb: 7ffdc000 Unfrozen
   4  Id: 1364.a3 Suspend: 1 Teb: 7ffdb000 Unfrozen
   5  Id: 1364.1278 Suspend: 1 Teb: 7ffda000 Unfrozen
.  6  Id: 1364.a9 Suspend: 1 Teb: 7ffd9000 Unfrozen
   7  Id: 1364.111c Suspend: 1 Teb: 7ffd8000 Unfrozen
   8  Id: 1364.1588 Suspend: 1 Teb: 7ffd7000 Unfrozen


0:006>  ~4 kb 
  4  id: 97.a3   Suspend: 0 Teb 7ffd9000 Unfrozen
ChildEBP RetAddr  Args to Child
014cfe64 77f6cc7b 00000460 00000000 00000000 ntdll!NtWaitForSingleObject+0xb
014cfed8 77f67456 0024e750 6833adb8 0024e750 ntdll!RtlpWaitForCriticalSection+0xaa 
014cfee0 6833adb8 0024e750 80000000 01f21cb8 ntdll!RtlEnterCriticalSection+0x46
014cfef4 6833ad8f 01f21cb8 000a41f0 014cff20 ftpsvc2!DereferenceUserDataAndKill+0x24
014cff04 6833324a 01f21cb8 00000000 00000079 ftpsvc2!ProcessUserAsyncIoCompletion+0x2a
014cff20 68627260 01f21e0c 00000000 00000079 ftpsvc2!ProcessAtqCompletion+0x32
014cff40 686249a5 000a41f0 00000001 686290e8 isatq!I_TimeOutContext+0x87
014cff5c 68621ea7 00000000 00000001 0000001e isatq!AtqProcessTimeoutOfRequests_33+0x4f
014cff70 68621e66 68629148 000ad1b8 686230c0 isatq!I_AtqTimeOutWorker+0x30
014cff7c 686230c0 00000000 00000001 000c000a isatq!I_AtqTimeoutCompletion+0x38
014cffb8 77f04f2c 00000000 00000001 000c000a isatq!SchedulerThread_297+0x2f
00000001 000003e6 00000000 00000001 000c000a kernel32!BaseThreadStart+0x51


0:006>  ~6 kb 
ChildEBP RetAddr  Args to Child
0155fe38 77f6cc7b 00000414 00000000 00000000 ntdll!NtWaitForSingleObject+0xb
0155feac 77f67456 68629100 6862142e 68629100 ntdll!RtlpWaitForCriticalSection+0xaa 
0155feb4 6862142e 68629100 0009f238 686222e1 ntdll!RtlEnterCriticalSection+0x46
0155fec0 686222e1 0009f25c 00000001 0009f238 isatq!ATQ_CONTEXT_LISTHEAD__RemoveFromList
0155fed0 68621412 0009f238 686213d1 0009f238 isatq!ATQ_CONTEXT__CleanupAndRelease+0x30
0155fed8 686213d1 0009f238 00000001 01f26bcc isatq!AtqpReuseOrFreeContext+0x3f
0155fee8 683331f7 0009f238 00000001 01f26bf0 isatq!AtqFreeContext+0x36
0155fefc 6833984b ffffffff 00000000 00000000 ftpsvc2!ASYNC_IO_CONNECTION__SetNewSocket
0155ff18 6833adcd 77f05154 01f26a58 00000000 ftpsvc2!USER_DATA__Cleanup+0x47
0155ff28 6833ad8f 01f26a58 000a3410 0155ff54 ftpsvc2!DereferenceUserDataAndKill+0x39
0155ff38 6833324a 01f26a58 00000000 00000040 ftpsvc2!ProcessUserAsyncIoCompletion+0x2a
0155ff54 686211eb 01f26bac 00000000 00000040 ftpsvc2!ProcessAtqCompletion+0x32
0155ff88 68622676 000a3464 00000000 000a3414 isatq!AtqpProcessContext+0xa7
0155ffb8 77f04f2c abcdef01 ffffffff 000ad1b0 isatq!AtqPoolThread+0x32
0155ffec 00000000 68622644 abcdef01 00000000 kernel32!BaseThreadStart+0x51


This thread, too, is waiting for a critical section to be freed. In this case, it is waiting on the critical section at 0x68629100. This was the second critical section in the list generated earlier by the !locks extension.

This is the deadlock. Thread 4, which owns the second critical section, is waiting on the third critical section. Thread 6, which owns the third critical section, is waiting on the second critical section.
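As an added example that is not part of the original post, the reasoning of the walkthrough above can be automated: take the owner of each critical section from !locks, take the section each blocked thread waits on from the first "Args to Child" value of its ntdll!RtlpWaitForCriticalSection frame in ~N kb, and look for a cycle in the resulting wait-for graph. The !locks text and the kb frames below are constructed samples modelled on the listings above, not real captures.

```python
import re

# Constructed sample modelled on the !locks and ~N kb output above (not real captures)
LOCKS_OUTPUT = """\
CritSec ftpsvc2!g_csServiceEntryLock+0 at 6833dd68
OwningThread       a7
CritSec isatq!AtqActiveContextList+a8 at 68629100
OwningThread       a3
CritSec +24e750 at 24e750
OwningThread       a9
"""
# Thread id (hex) -> the one `kb` frame that matters for each thread
STACKS = {
    "a3": "014cfed8 77f67456 0024e750 6833adb8 0024e750 ntdll!RtlpWaitForCriticalSection+0xaa",
    "a9": "0155feac 77f67456 68629100 6862142e 68629100 ntdll!RtlpWaitForCriticalSection+0xaa",
    "a7": "014dff88 68622676 000a3464 00000000 000a3414 isatq!AtqpProcessContext+0xa7",
}

def parse_locks(text):
    """Map critical-section address -> owning thread id from !locks output."""
    owners, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"CritSec .* at ([0-9a-f]+)", line)
        if m:
            cur = int(m.group(1), 16)
        m = re.match(r"OwningThread\s+([0-9a-f]+)", line)
        if m and cur is not None:
            owners[cur] = m.group(1)
    return owners

def waited_critsec(kb_text):
    """Address a thread is blocked on: the first 'Args to Child' value of the
    ntdll!RtlpWaitForCriticalSection frame, or None when not blocked on one."""
    m = re.search(r"^\S+ \S+ ([0-9a-f]+) .*ntdll!RtlpWaitForCriticalSection", kb_text, re.M)
    return int(m.group(1), 16) if m else None

def find_deadlock(locks_text, stacks):
    """Build the wait-for graph (waiter -> owner) and return the first cycle as a list of thread ids."""
    owners = parse_locks(locks_text)
    waits_for = {tid: owners[cs] for tid, kb in stacks.items()
                 if (cs := waited_critsec(kb)) in owners}
    for start in waits_for:
        path, tid = [], start
        while tid in waits_for and tid not in path:
            path.append(tid)
            tid = waits_for[tid]
        if tid in path:          # walked back onto the path: a cycle
            return path[path.index(tid):]
    return []
```

For the sample, find_deadlock returns the cycle a3 -> a9 -> a3, i.e. threads 4 and 6 of the listing above.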

ADPlus (monitor a process for crashes, or for hangs that consume too much CPU)
adplus.vbs -hang (or -crash) -p 1234 (or -pn xyz.exe) -dbg WinDbg.exe -o d:\dump

windbg -I    // install WinDbg as the postmortem (just-in-time) debugger

Capturing a dump automatically

#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
// MFC context: CString, CTime and theApp come from the application's stdafx.h / CWinApp

// The callback must not be named UnhandledExceptionFilter: that is already a Win32 API in kernel32
LONG WINAPI MyUnhandledExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo);

// Install the exception-handling callback (for example in CWinApp::InitInstance)
SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);

// Exception handling code
// EXCEPTION_EXECUTE_HANDLER equ 1: I handled the exception; the process can now terminate gracefully
// EXCEPTION_CONTINUE_SEARCH equ 0: I am not handling it; Windows falls back to the default handler, shows an error box and terminates
// EXCEPTION_CONTINUE_EXECUTION equ -1: the fault has been repaired; resume execution where the exception occurred
LONG WINAPI MyUnhandledExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo)
{
    CString strDumpFile;
    // name the dump after the current time so repeated crashes do not overwrite each other
    strDumpFile.Format(_T("%I64d.dmp"), (__int64)CTime::GetCurrentTime().GetTime());
    HANDLE hFile = CreateFile(strDumpFile, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile != INVALID_HANDLE_VALUE)
    {
        MINIDUMP_EXCEPTION_INFORMATION ExInfo;

        ExInfo.ThreadId = ::GetCurrentThreadId();
        ExInfo.ExceptionPointers = ExceptionInfo;
        ExInfo.ClientPointers = FALSE;   // the pointers are valid in this process

        // write the dump
        BOOL bOK = MiniDumpWriteDump(GetCurrentProcess(), GetCurrentProcessId(), hFile,
                                     MiniDumpNormal, &ExInfo, NULL, NULL);
        (void)bOK;   // on failure, GetLastError() explains why the dump was not written
        CloseHandle(hFile);
    }

    theApp.PostThreadMessage(WM_QUIT, 0, 0);   // ask the MFC message loop to exit
    return EXCEPTION_EXECUTE_HANDLER;
}

Enable display of Unicode strings:
VC6:
Tools --> Options --> Debug --> Display unicode strings
WinDbg:
.enable_unicode 0
.enable_unicode 1
