Conditional breakpoints
bp PsLookupProcessByProcessId "j poi(@esp+4)=754 '';'gc' "
bp 00558dcb "j @ecx=3b10000 '';'gc' "
Enumerating a linked list
!list -t nt!_LIST_ENTRY.Flink -x "dt nt!_LARGE_CONTROL_AREA FilePointer SessionId @@(#CONTAINING_RECORD(@$extret, nt!_LARGE_CONTROL_AREA, UserGlobalList))" 0x88c591c0
!list -t nt!_LIST_ENTRY.Flink -x "dt nt!_LIST_ENTRY @$extret" 88e674b8
Downloading PDBs
"C:\Program Files\Debugging Tools for Windows (x86)\symchk.exe" E:\systemdll\wkssvc.dll /S SRV*E:\systemdll*E:\symbols;http://msdl.microsoft.com/download/symbols
Displaying information for all modules
.foreach (place {lm o 1m}) {lmvm place}
!chkimg -lo 100 -d !nt
Saving memory, modifying memory
.readmem
.writemem
Finding memory leaks with WinDbg
1. First, in gflags.exe, on the Image File tab, enter the exe name (not the full path) in the Image box and select Create user mode stack trace database.
- e:\vs工程\tests\testsdlg.cpp(101) : {125} normal block at 0x003B9578, 100 bytes long.
Data: < > CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD
- 0:000> !heap -x 0x003B9578
Entry User Heap Segment Size PrevSize Unused Flags
003b9550 003b9558 003b0000 003b0640 a0 808 18 busy extra fill
4. !heap -p -a 003b9550
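The lookup steps above, scripted as an added example (not part of the original notes): it parses the CRT leak report and the `!heap -x` output shown above and returns the next WinDbg command for each leaked block. The function names are hypothetical, the sample text is constructed from the output lines on this page, and the `Size` column is assumed to be in bytes.

```python
import re

# CRT debug-heap leak line: "<file>(<line>) : {<req>} <kind> block at 0x<addr>, <n> bytes long."
LEAK_RE = re.compile(
    r"(?:(?P<src>\S.*?)\((?P<line>\d+)\) : )?\{(?P<req>\d+)\} (?P<kind>\w+) block"
    r" at 0x(?P<addr>[0-9A-Fa-f]+), (?P<size>\d+) bytes long\.")
HEAP_X_COLS = ("entry", "user", "heap", "segment", "size", "prevsize", "unused")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def parse_crt_leaks(report):
    """One dict per leaked block found in a CRT leak report (hypothetical helper)."""
    leaks = []
    for line in report.splitlines():
        m = LEAK_RE.search(line.lstrip("- \t"))
        if m:
            leaks.append({"src": m["src"], "line": m["line"] and int(m["line"]),
                          "request": int(m["req"]), "kind": m["kind"],
                          "addr": int(m["addr"], 16), "size": int(m["size"])})
    return leaks

def parse_heap_x(output):
    """Rows of `!heap -x` output; header and prompt lines are skipped."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 7 and all(HEX_RE.match(f) for f in fields[:7]):
            row = {k: int(v, 16) for k, v in zip(HEAP_X_COLS, fields[:7])}
            row["flags"] = fields[7:]
            rows.append(row)
    return rows

def followup_commands(report, heap_x_output=""):
    """Next WinDbg command per leak: `!heap -x`, or `!heap -p -a` once its entry is known."""
    rows = parse_heap_x(heap_x_output)
    cmds = []
    for leak in parse_crt_leaks(report):
        # Assumption: Size is in bytes, so the entry spans [entry, entry + size).
        owner = next((r for r in rows
                      if r["entry"] <= leak["addr"] < r["entry"] + r["size"]), None)
        cmds.append("!heap -x 0x%08X" % leak["addr"] if owner is None
                    else "!heap -p -a %08x" % owner["entry"])
    return cmds

# Constructed sample input, copied from the output lines on this page.
SAMPLE_REPORT = r"""e:\vs工程\tests\testsdlg.cpp(101) : {125} normal block at 0x003B9578, 100 bytes long.
 Data: <                > CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD CD"""
SAMPLE_HEAP_X = """Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
003b9550  003b9558  003b0000  003b0640        a0       808        18  busy extra fill"""
```

Called with only the leak report it returns the `!heap -x` lookups; called again with the pasted `!heap -x` output it returns the `!heap -p -a` commands for the matching entries.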
!error
kPL
dU /c
Debugging a 64-bit dump of a 32-bit program, such as one taken with Task Manager
.load wow64exts
!sw