Debugger Tricks and Tips
Below are some commonly used WinDbg commands I have collected. They are helpful both for dump analysis and for live debugging, so I am publishing them here.
For detailed usage, see the WinDbg help documentation.
--------------------------------------------------------------
Debugger System Help Commands
.help - Command help
.hh - Extended Command Help
Set Current Processor
~0 - Context (kv etc) set to first processor
~1 - Context (kv etc) set to second processor
Debugger System Commands
.attach <PID> - Attaches to a new target application.
.tlist - List of app processes currently running
.reboot - Reboot the target.
.crash - crash the target.
.thread - Shows the implicit thread's ID.
.reload /f - Reload all system modules (/f = force reload all symbols, /user = user-mode modules only)
.formats xxxx - Display hex, decimal, octal and signed forms of the value or memory address xxxx
.cls - Clear the debugger screen
.chain - List loaded debugger extensions
.dump /f - Write out a full memory dump (user and kernel space)
Debugger System Extensions (BANG commands)
!process 0 0 - Displays info about specified process, or all processes running.
!process 0 7 - Displays info about specified process, with call stack info
!process 0 17 - Displays info about user/kernel process, with call stack info
!sprocess - Shows session processes
!address - Displays info about memory used by target process or target computer.
!analyze -v -hang - Automated analysis. Results displayed in the Debugger Command window.
!pte - Shows Page Table Entries (PTEs)
!drivers - display system driver
!dpcs - Show DPCs
!timer - Show timer objects (dt nt!_KTIMER)
!memusage - displays memory usage.
!sysinfo - displays machine information (lots of option keywords)
!vm - displays summary information about virtual memory use statistics
!ready - displays information about each system thread in a READY state.
!pcr - displays the current status of the Processor Control Region
!object - displays information about a system object.
!handle - displays information about handles owned by processes in the target
!heap - displays heap usage information, controls breakpoints in the heap manager
!lmi - display loaded module information
!devstack - Shows device stack for a device
!poreqlist - Shows power status.
!drvobj - Shows driver object like: !drvobj \FileSystem\FastFat
!locks - Shows outstanding locks
!acpicache - Shows ACPI tables cached by HAL
!fadt - Displays the Fixed ACPI Description Table (FADT)
!acpiinf - Shows information on the configuration of the Advanced Configuration and Power Interface (ACPI)
!poolused 4 - Shows biggest memory consumers.
!thread -1 4 - Shows all waiting threads
!cpuid - CPUID
!arbiter - shows resource arbiters
!smt - Processor Cores
!idt -a - Interrupt descriptor table
=== SPECIAL EXTENSIONS ======
!active - Analyzes hangs; needs kk.dll in the XP debugger directory
.load dxgkdx.dll - DirectX kernel memory logging; to enable it, type:
!dxglog -?
.load wow64exts.dll - WOW64 extensions
!sw - Switch between 32-bit and 64-bit context
Controlled Execution Commands
g - Go
p - Step
t - Trace
wt - Trace and Watch Data
tb - Trace to Next Branch
gh - Go with Exception Handled
gn - Go with Exception Not Handled.
pa - step to address
pc - step to next call
r - display registers.
k - stack unwind.
lm - list loaded modules.
k, kb, kd, kp - display the stack frame of the given thread.
u esp - unassemble at the address held in esp
ub - unassemble backward
ds - Dump UNICODE string (e.g. ds srv!SrvComputerName)
lmv m hal (or nt) - show version information for hal (or nt)
x hal!*Set* - Show all functions in hal.dll whose names contain "Set"
Breakpoint commands (use the j command with bx for conditional breakpoints)
bp - Set breakpoint
bu - Set unresolved (deferred) breakpoint (saved with the workspace; use instead of bp)
ba - Break on access
bc - Breakpoint clear
bd - Breakpoint disable
be - Breakpoint enable
bl - Breakpoint list
x nt!* - Find functions in nt (x sdbus!* lists the symbols in the SDBUS component you can break on)
Sample breakpoints with j
bu nt!PopSetNotificationWork "j poi(esp+4)=1 '';'x;g' "
bu nt!NtSetSystemPowerState ".echo nt!NtSetSystemPowerState exited with ;x status;g"
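The samples above condense a lot of syntax into one line. The following is an added example, not from the original page, that spells out the same conditional-breakpoint pattern in both the j form and the .if/.else form; it assumes an x86 stdcall target (first argument at esp+4, as in the page's own sample) and the value 1 is an illustrative test value, not a documented argument meaning.

```windbg
$$ j form: if the expression is nonzero run the first command, otherwise the second.
$$ gc resumes execution only when we arrived via a conditional breakpoint.
bu nt!NtSetSystemPowerState "j (poi(@esp+4) == 1) '.echo arg1_is_1; kb' ; 'gc'"

$$ Same logic in .if/.else form, which stays readable as the command list grows.
bu nt!NtSetSystemPowerState ".if (poi(@esp+4) == 1) { .echo arg1_is_1; kb } .else { gc }"

$$ Hit counting with a pseudo-register: stop on the third call only.
r $t0 = 0
bu nt!PopSetNotificationWork "r $t0 = @$t0 + 1; .if (@$t0 == 3) { .echo third_hit; kb } .else { gc }"

$$ Confirm what was set.
bl
```

Paste the block into the command window of a kernel session with symbols loaded (.reload /f) so the nt! symbols resolve.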