--------------------
Help commands
--------------------
0:000> !help
diskspace <DriveLetter>[:] - Displays free disk space for specified volume
address [address] - Displays the address space layout
[-UsageType] - Displays the address space regions of the given type
analyze [-v] - Analyzes current exception or bugcheck
cpuid [processor] - Displays CPU version info for all CPUs
elog_str <message> - Logs simple message to host event log
cppexr <exraddress> - Displays a C++ EXCEPTION_RECORD
error [errorcode] - Displays Win32 & NTSTATUS error string
exchain - Displays exception chain for current thread
for_each_frame <cmd> - Executes command for each frame in current thread
for_each_local <cmd> $$<n> - Executes command for each local variable in current frame, substituting fixed-name alias $u<n> for each occurrence of $$<n>
gle [-all] - Displays last error & status for current thread
imggp <imagebase> - Displays GP directory entry for 64-bit image
imgreloc <imagebase> - Relocates modules for an image
list [-? | parameters] - Displays lists
obja <address> - Displays OBJECT_ATTRIBUTES[32|64]
owner [symbol!module] - Detects owner for current exception or bugcheck from triage.ini
rtlavl <address> - Displays RTL_AVL_TABLE
std_map <address> - Displays a std::map<>
str <address> - Displays ANSI_STRING or OEM_STRING
ustr <address> - Displays UNICODE_STRING
Type ".hh [command]" for more detailed help
0:000> .help /D *
. commands matching *:
.abandon - abandon the current process
.allow_exec_cmds [0|1] - control execution commands
.allow_image_mapping [0|1] - control on-demand image file mapping
.apply_dbp [<options>] - add current data breakpoint state to a register context
.asm [<options>] - set disassembly options
.asm- [<options>] - clear disassembly options
.attach <proc> - attach to <proc> at next execution
.block { <commands> } - brackets a set of commands for nested execution
.bpsync [0|1] - special breakpoint behavior for multithreaded debuggees
.break - break out of the enclosing loop
.breakin - break into KD
.cache [<options>] - virtual memory cache control
.call <fn>(<arg1>, <arg2>, ...) - run a function in the debuggee
.catch { <commands> } - catch failures in commands
.chain - list current extensions
.childdbg <0|1> - turn child process debugging on or off
.clients - list currently active clients
.closehandle [<options>] [<handle>] - close the given handle
.continue - continue the enclosing loop
.copysym [<options>] <path> - copy current symbol files to a directory
.create <command line> - create a new process
.createdir [<options>] [<path>] - control process creation options
.cxr <address> - dump context record at specified address; k* after this gives cxr stack
.dbgdbg - attach a debugger to the current debugger
.debug_sw_wow [0|1] - allow interaction with software WOW emulation
.detach - detach from the current process/dump
.dml_file <file> - output DML content from file
.dml_flow <start> <addr> - show basic block code flow
.dml_start [<options>] - navigable overview of debugger activities
.do { <commands> } (<cond>) - execute <commands> until <cond> is zero
.drivers - This command was removed -- use 'lm' or .reload -l)
.dump [<options>] <filename> - create a dump file on the host system
.dvalloc [<options>] <bytes> - VirtualAlloc memory in the debuggee
.dvfree [<options>] <offset> <bytes> - VirtualFree memory in the debuggee
.echo ["<string>"|<string>] - echo string
.echotime - output debugger time
.echotimestamps [0|1] - toggle timestamp output on events
.ecxr - dump context record for current exception
.effmach [<machine>] - change current machine type
.else { <commands> } - if/then/else conditional execution
.elsif (<cond>) { <commands> } [<else clauses>] - if/then/else conditional execution
.enable_long_status [0|1] - dump LONG types in default base
.enable_unicode [0|1] - dump USHORT array/pointers and unicode strings
.endsrv <id> - disable the given engine server
.endpsrv - cause the current session's remote server to exit
.enumtag - enumerate available tagged data
.event_code - display cached event instructions
.eventlog - display log of recent events
.events - display and select available events
.eventstr - display any event strings registered by debuggee
.exepath [<dir>[;...]] - set executable search path
.exepath+ [<dir>[;...]] - append executable search path
.expr - control expression evaluator
.exptr <address> - do .exr and .cxr for EXCEPTION_POINTERS
.exr <address> - dump exception record at specified address
.extmatch [<opts>] <pattern> - display all extensions matching pattern
.extpath <opts> [<dir>[;...]] - set extension search path
.extpath+ <opts> [<dir>[;...]] - append extension search path
.f+ - set current stack frame to caller of current frame
.f- - set current stack frame to callee of current frame
.fiber <address> - sets context of fiber at address; resets context if no address specified
.fiximports <pattern> - attempts to link imports for images
.fnent <address> - dump function entry for the given code address
.fnret <fnaddr> [<retval>] - display formatted return value
.for ( <init> ; <cond> ; <step> ) { <commands> } - execute <commands> and <step> until <cond> is zero
.force_radix_output [0|1] - dump integer types in default base
.force_system_init [<options>] - force pending systems to initialize if possible
.force_tb - forcibly allow branch tracing
.foreach [opts] ( <alias> { <tcmds> } ) { <ecmds> } - execute <ecmds> for each token in the output of <tcmds>
.fpo <options> - control override FPO information
.frame [<frame>] - set current stack frame for locals
.formats <expr> - displays expression result in many formats
.help [<options>] - display this help
.holdmem <options> [range] - hold and compare memory data
.if (<cond>) { <commands> } [<else clauses>] - if/then/else conditional execution
.ignore_missing_pages [0|1] - control kernel summary dump missing page error message
.imgscan <options> - scan memory for PE images
.jdinfo <jdi_addr> - interpret AeDebug information
.kframes <count> - set default stack trace depth
.kill - kill the current process
.lastevent - display the last event that occurred
.leave - exit the enclosing .catch
.lines - toggle line symbol loading
.load <name> - add this extension DLL to the extension chain
.loadby <name> <mod> - add the extension DLL in the module directory to the extension chain
.locale [<locale>] - set the current locale
.logfile - display log status
.logopen [<file>] - open new logfile
.logappend [<file>] - append to logfile
.logclose - close logfile
.netsyms [0|1] - allow/disallow net symbol paths
.netuse [<options>] - manage net connections
.noshell - disable shell commands
.noversion - disable extension version checking
.ofilter <pattern> - filter debuggee output against the given pattern
.ocommand <prefix> - treat output with the given prefix as a command
.opendump <file> - open a dump file
.outmask <mask> - set bits in the current output mask
.outmask- <mask> - clear bits in the current output mask
.pcmd [<options>] - control per-prompt command
.pop [<options>] - pop state
.prefer_dml [0|1] - control DML mode default
.printf "<format>", <args...> - formatted output
.process [<address>] - sets implicit process; resets default if no address specified
.process_info - display security related information of current process
.prompt_allow [<options>] - control what information can be displayed at the prompt
.push [<options>] - push state
.quit_lock [<options>] - locks session against unexpected quit
.readmem <file> <range> - read raw memory from a file
.record_branches [0|1] - controls recording of processor branching
.reload [<image.ext>[=<address>,<size>]] - reload symbols
.restart - request a session restart
.remote <pipename> - start remote.exe server
.secure [0|1] - disallow operations dangerous for the host
.send_file <options> - send files to remote server
.server <options> - start engine server
.servers - list active remoting servers
.setdll <name> - debugger will search for extensions in this DLL first
.shell [<command>] - execute shell command
.show_read_failures [<opts>] - control extra read failure output
.show_sym_failures [<opts>] - control extra symbol failure output
.sleep <milliseconds> - debugger sleeps for given duration; useful for allowing access to a machine that's broken in on an ntsd -d
.srcfix [<path extra>] - fix source search path
.srcfix+ [<path extra>] - append fixed source search path
.srcnoisy [0|1] - control verbose source loading output
.srcpath [<dir>[;...]] - set source search path
.srcpath+ [<dir>[;...]] - append source search path
.step_filter [<opts>] ["<pattern>[;<pattern>...]"] - Set symbol patterns to skip when stepping
.symfix [<localsym>] - fix symbol search path
.symfix+ [<localsym>] - append fixed symbol search path
.symopt <flags> - set symbol options
.symopt+ <flags> - set symbol options
.symopt- <flags> - clear symbol options
.sympath [<dir>[;...]] - set symbol search path
.sympath+ [<dir>[;...]] - append symbol search path
.thread [<address>] - sets context of thread at address; resets default context if no address specified
.time - displays session time information
.timezone - display timezone information
.ttime - displays thread time information
.tlist - list running processes
.typeopt <flags> - set/clear type options
.unload <name> - remove this extension DLL from the list of extension DLLs
.unloadall - remove all extension DLLs from the list of extension DLLs
.wake - wake up a .sleep'ing debugger
.while (<cond>) { <commands> } - execute <commands> while <cond> is non-zero
.writemem <file> <range> - write raw memory to a file
.rrestart - register current session for Application Restart
.urestart - unregister current session from Application Restart
.inline - query the state whether debuggers should query inline functions
.stkwalk_force_frame_pointer - query or set the state whether debuggers should unwind stack solely based on frame pointer
--------------------
Regular commands:
--------------------
k, kb x - Displays stack trace of current thread (x frames).
kb causes the display to include the first three parameters passed to each function.
.frame x - Display frame information
r - Displays register set. r eax - displays the eax register.
t - Trace = Step into (F11)
p - Step Over (F10)
Step Out (Shift + F11)
u - Unassemble next few instructions
u <start_address>
u <start_address> <end_address>
bl - List breakpoints
be, bd, bc - Enable / disable / clear breakpoint
bp - Set a breakpoint
bu - Set unresolved breakpoint. The breakpoint is resolved by symbolic name, not absolute address.
Use this to set a breakpoint on a function (bu foo) whose containing module has not yet been loaded.
* - Comment; the debugger ignores the rest of the line (* HelloWorld)
g <address_X / symbol> - Go. Resume execution until address_X is reached
gh - Go, exception handled
gn - Go, exception not handled
q - Quit
dv - Display local variables
dd <address> - Display dword values at specified address
ds, da, du - Dump string
dt - Dump type. Dumps the contents of the memory using the typedef as a template
eb, ed, ea, eu - Edit value of a variable (byte, dword, ascii, unicode)
lm - List loaded modules (lmi, lmD, !dlls)
~ - Lists all threads
~n<command> - Switch to the thread with thread id n and execute a command on that thread (~2kb)
x module!<pattern> - Examine symbols matching the pattern
.dump - Create a dump file
.lines - Toggle line symbol loading
ln adr - Shows the symbol nearest to that location.
vertarget - Shows information about the system on which you are debugging
ba - Sets a data breakpoint. You can break on a read/write/execute attempt on a memory location (ba w4 adr).
ba r/w/e size adr - ba r4 0x4000000
.lastevent - Displays the last exception record
sx, sxe, sxd, sxn - First chance exception / event handling (enable / disable / notify-only)
sxi exception_X - Ignore exception_X. Examples of events: module unload, thread creation.
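The commands above are listed one per line; what a practitioner usually wants is to see how they combine in a script. The following is an added example, not part of the original cheat sheet, that wires together bu, ba, sxe, .foreach and .if/.else from the lists above into one WinDbg script file. The log path, the watched address 0x4000000 (taken from the ba line above), the function name kernel32!CreateFileW and the use of thread 2 are assumptions chosen for illustration.

```windbg
$$ Added example, not from the original cheat sheet: a WinDbg script that
$$ combines the breakpoint, exception and control-flow commands listed above.
$$ Save it as a file and run it from the debugger with:  $$>< c:\scripts\watch.wds
$$ The log path, the watched address 0x4000000, the function name and the
$$ thread number are assumptions chosen for illustration.

$$ Record everything the script and the breakpoints print.
.logopen c:\temp\watch.log

$$ bu: resolve the breakpoint by symbol even if the module is not loaded yet.
$$ The quoted command string runs on each hit: 3 args per frame, then resume.
bu kernel32!CreateFileW ".echo [CreateFileW hit]; kb 3; g"

$$ ba: data breakpoint on a 4-byte write to the watched address
$$ (access w, size 4, address); dump the writer's stack before resuming.
ba w4 0x4000000 ".echo [write to 0x4000000]; kb 5; g"

$$ sxe -c: on a first-chance access violation, show the faulting thread,
$$ switch to the exception context (.ecxr), print its stack, then resume.
sxe -c "~.; .ecxr; kb 10; g" av

$$ .foreach: run one command for every token in the output of another.
$$ lm1m prints one module name per line; each token is bound to modname.
.foreach (modname { lm1m }) { .echo modname }

$$ .if / .else: pseudo-register $t0 drives a conditional; when it is set,
$$ switch to thread 2 and print its stack (~2kb), otherwise say so.
r $t0 = 1
.if (@$t0 == 1) { ~2kb } .else { .echo flag not set }

$$ Confirm what is armed (breakpoints and exception filters), then release the target.
bl
sx
g
```

Each breakpoint carries its own command string ending in g, so the target keeps running while the hits accumulate in the log; omit the trailing g inside the quotes when you want the debugger to stop at the hit instead.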
--------------------
Meta or Dot-Commands
--------------------
.help /D a*
.sympath
.cls
.lastevent
.detach
.if
.hh
.reload - Reloads symbols using the symbol path you have set.
; - Command separator
? - Evaluate expression
| - Display process information
.chain - Lists all loaded debugger extensions.
.echo <string> - Echo/print any string
.exr <address_X> - Display exception record at X.
.cxr <address_X> - Display context record at X.
.trap - Dump a trap frame
0:000> !exts.help
acl <address> [flags] - Displays the ACL
atom <address> - Displays the atom or table(s) for the process
avrf [-? | parameters] - Displays or modifies App Verifier settings
cs [-? | parameters] - Displays critical sections for the process
cxr - Obsolete, .cxr is new command
dlls [-h | parameters] - Displays loaded DLLS
exr - Obsolete, .exr is new command
findthis [-? | options] - Search the registers for the this pointer
gflag [-?|<value>] - Displays the global flag
heap [-? | parameters] - Displays heap info
help - Displays this list
kuser - Displays KUSER_SHARED_DATA
peb [address] - Displays the PEB structure
psr <value>|@ipsr [flags] - Displays an IA64 Processor Status Word
sd <address> [flags] - Displays the SECURITY_DESCRIPTOR
shipassert - Displays ship asserts
sid <address> [flags] - Displays the SID
slist [-? | parameters] - Displays singly-linked list
stl [options] <varname> - Dumps an STL variable
stltree [options] <address> - Dumps an STL set, map, multiset, or multimap
teb [address] - Displays the TEB structure
tls <slot | -1> [teb | 0] - Dumps TLS slots. !tls /? for usage
token [-n|-?] <handle|addr> - Displays TOKEN
tp <command> - Dump thread pool information
Type ".hh [command]" for more detailed help