1.
查询符号
kd> x nt!KeServiceDescriptorTable*
8046e100 nt!KeServiceDescriptorTableShadow = <no type information>
8046e0c0 nt!KeServiceDescriptorTable = <no type information>
kd> ln 8046e100
(8046e100) nt!KeServiceDescriptorTableShadow | (8046e140) nt!MmSectionExtendResource
Exact matches:
nt!KeServiceDescriptorTableShadow = <no type information>
2.
下载系统文件的符号
symchk c:\winnt\system32\ntoskrnl.exe /s srv*c:\symbols*http://msdl.microsoft.com/download/symbols
SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1
3.
查看
event
对象的信号状态
!object \BaseNamedObjects
dt -b nt!_KEVENT xxxxxxxx
4.
查看
LastError
值
!gle
5.
指定进制形式,
0x/0n/0t/0y
分别表示
16/10/8/2
进制
? 0x12345678+0n10
Evaluate expression: 305419906 = 12345682
6.
过滤命令窗口输出信息
.prompt_allow -reg +dis -ea -src -sym
7. .formats
命令
以多种格式显示表达式的值
0:000> .formats @eax
Evaluate expression:
Hex: 00181eb4
Decimal: 1580724
Octal: 00006017264
Binary: 00000000 00011000 00011110 10110100
Chars: ....
Time: Mon Jan 19 15:05:24 1970
Float: low 2.21507e-039 high 0
Double: 7.80981e-318
8.
异常处理相关
有 sx, sxd, sxe, sxi, sxn, sxr 几条命令可用来设置异常和事件的处理方式。比如:
0:000> sxe ld
可以在加载 dll 时中断下来。
9.
内核调试时切换进程
lkd> !process 0 0
lkd> .process xxxxxxxx
10.
可在桌面上建立一个
WinDbg.exe
的快捷方式,然后在该快捷方式的属性力设置如下命令行
C:\WinDBG\windbg.exe -c ".prompt_allow +dis -reg -ea -src -sym; .enable_unicode 1; .enable_long_status 1; .logopen /t c:\dbglog\dbglog.txt"
11.
本机内核调试
通过 File/Kernel Debug… 菜单可以打开内核调试选择窗口,选择最后一个 Local 选项页,确定后可以以内核方式调试本地机器。这时所有会挂起系统的命令都用不了了,但可以读写系统内存。另外,有一个方便的用途是用来查看系统结构,比如: dt nt!_EPROCESS
。
12. 其他命令
~* - list detail information of threads in current process context
lm - list all loaded modules
!sym noice/quiet - symbol prompts on/off
.srcpath - set source code path
k - display current stack
~*kb - display current stack for all threads
dv - display current local variable (ctrl + alt + v to switch mode)
.Frame - call stack
dt xxx - display data structure for xxx such as PEB
!gle/!error - display last error for current thread.
!teb - diplay current thread execution block
!peb - diplay current process execution block
r [@register] - display value of all register
ln [Address] - display the object type in Address
x [] - search address for global variable or global function, such as "x kernel32!*"
!locks - display dead lock
!handle - get current handle usage
!htrace [enable] - display and trace handles.
u - disassemble
bp [Kernel!SetLastError] [value] - set break pointer
bl - display break pointer information.
for example:
bp `mysource.cpp:143` "j (poi(MyVar)”0n20) ''; 'g' "
when MyVar is exceed 0x20, g command will be invoked. NOTE: "j" is to set conditional break pointer.
ba - data break pointer
ba w4 0x4000000 "kb;g" - list all modify 0x40000's call stack.
p,pa,t,ta - control command
12. 其他命令
windbg中常用的命令
~ - list threads in current process context~* - list detail information of threads in current process context
lm - list all loaded modules
!sym noice/quiet - symbol prompts on/off
.srcpath - set source code path
k - display current stack
~*kb - display current stack for all threads
dv - display current local variable (ctrl + alt + v to switch mode)
.Frame - call stack
dt xxx - display data structure for xxx such as PEB
!gle/!error - display last error for current thread.
!teb - diplay current thread execution block
!peb - diplay current process execution block
r [@register] - display value of all register
ln [Address] - display the object type in Address
x [] - search address for global variable or global function, such as "x kernel32!*"
!locks - display dead lock
!handle - get current handle usage
!htrace [enable] - display and trace handles.
u - disassemble
bp [Kernel!SetLastError] [value] - set break pointer
bl - display break pointer information.
for example:
bp `mysource.cpp:143` "j (poi(MyVar)”0n20) ''; 'g' "
when MyVar is exceed 0x20, g command will be invoked. NOTE: "j" is to set conditional break pointer.
ba - data break pointer
ba w4 0x4000000 "kb;g" - list all modify 0x40000's call stack.
p,pa,t,ta - control command
148
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
