Windbg常用命令

.extpath 扩展模块搜索路径

.ecxr;kb

!analyze -v
~ - 列举出当前进程上下文中的所有线程
~* - 列举出当前进程上下文中的所有线程的详细信息
lm - 列举出所有加载的模块
!sym noice/quiet - 代码提示开关
.srcpath -设置源码路径
k - 显示当前堆栈
~*kb -显示出所有线程占用的堆栈
dv - 显示出本地变量(使用ctrl + alt + v切换模式)
.Frame - 调用堆栈
dt xxx - 显示出诸如PEB等的数据结构

dt ESAlertServer!* /v /s 14 

!gle/!error - 显示出最新线程错误
!teb - 显示出当前线程执行块
!peb - 显示出当前进程执行块
r [@register] - 显示所有注册的值
ln [Address] - 显示地址类型
x [] -查询全局变量和全局函数
!locks - 显示所有死锁

.bpcmds 断点以命令方式显示
.record_branches 代码分支记录64位才有用
.shell (运行shell)

exit (退出)

 

.kdfiles map.ini

map.ini

map
\Systemroot\system32\drivers\tag.sys
c:\host.sys

 


 

资源查看 !handle - 获取当前活动句柄

!handle ? f
!htrace [enable] - 显示并跟踪所有句柄!handle - 获取当前活动句柄

!handle ? f
!htrace [enable] - 显示并跟踪所有句柄

!htrace [Handle [Max_Traces]] 
!htrace -enable [Max_Traces]
!htrace -snapshot
!htrace -diff
!htrace -disable

 

方法: 
windbg用ctrl+break命令中断进程运行,用!htrace -enable命令开启句柄检测;htrace提供了进行句柄相关检测的命令,可查看windbg帮助。 同时用g命令让程序运行。 
再次中断进程,使用!htrace -snapshot命令,获得此时进程句柄的镜像。并再次让程序运行。 
第三次中断进程运行,我们再使用!htrace -diff命令获得当前句柄状态与第2步 snapshot镜像句柄的差异 

使用lsa 传递指定位置对应的代码,lsa ESCC!funn+0x0000002e 到这里,就找到了泄露句柄的函数。 

 

for_each

!for_each_frame

!for_each_local

!for_each_module

!for_each_module .echo @#ModuleIndex : @#Base @#End @#ModuleName @#ImageName  @#LoadedImageName
!for_each_module x ${@#ModuleName}!*Debug*Flag*
!for_each_module x ${@#ModuleName}!g*Debug*
!for_each_module s-a @#Base @#End "MZ"

 

vertarget 显示操作系统信息

 

 


u - 反汇编

uf

 


bp [Kernel!SetLastError] [value] - 设置断点
bl - 显示断点信息
ba - 数据断点
ba w4 0x4000000 "kb;g" - 显示出地址0x40000调用的所有堆栈
p,pa,t,ta - 控制命令

 

 

.time

 !runaway 7

Bit 0 (0x1)
Causes the debugger to show the amount of user time consumed by each thread.
Bit 1 (0x2)
Causes the debugger to show the amount of kernel time consumed by each thread.
Bit 2 (0x4)
Causes the debugger to show the amount of time that has elapsed since each thread was created.

 

ContextsChangingContextsChanging .frame /r 1 .frame /r 1

 

 

.cxr (Display Context Record)

.ecxr (Display Exception Context Record)

 

 

Other

.load C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sos.dll

!dumpheap -stat
 !eeversion

.chain

 

 显示当前线程的错误值!gle会显示当前线程的上一个错误值和状态值。!error命令可以解码hresult。

查看lock:!locks显示各线程的锁资源使用情况。对调试死锁很有用。

查看handle:!handle显示句柄信息。假如一段代码导致句柄泄漏,你只需要在代码执行前后使用!handle命令并比较两次输出的区别。有一个命令!htrace对调试与句柄有关的bug非常有用。在开始调试前输入:

!htrace –enable

然后在调试过程中使用!htrace handle_value 来显示所有与该句柄有关的调用堆栈。

 

显示当前线程,进程和模块信息

!teb显示当前线程的环境信息。最常见的用途是查看当前线程堆栈的起始地址,然后在堆栈中搜索值。

!peb显示当前进程的环境信息,比如执行文件的路径等等。

lm显示进程中加载的模块信息。

 

 

?

1: kd> n 10
base is 10
1: kd> ? 0x123
Evaluate expression: 291 = 00000123
1: kd> ? 123
Evaluate expression: 123 = 0000007b
1: kd> n 10
base is 10
1: kd> ? 0x123
Evaluate expression: 291 = 00000123
1: kd> ? 123
Evaluate expression: 123 = 0000007b

 

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Debugger
 
!heap !heap [ HeapOptions] [ ValidationOptions] [ Heap
!heap  -b [{ alloc| realloc| free} [ Tag]] [ Heap |  BreakAddress
!heap  -B { alloc| realloc| free} [ Heap |  BreakAddress
!heap -l 
!heap -s [ SummaryOptions] [ StatHeapAddress
!heap -i  HeapAddress
!heap -x [ -vAddress 
!heap -p [ PageHeapOptions
!heap -srch [ SizePattern
!heap -flt  FilterOptions
!heap -stat [ -h  Handle [ -grp  GroupBy [ MaxDisplay]]]
!heap [ -p-?  !heap [ HeapOptions] [ ValidationOptions] [ Heap
!heap  -b [{ alloc| realloc| free} [ Tag]] [ Heap |  BreakAddress
!heap  -B { alloc| realloc| free} [ Heap |  BreakAddress
!heap -l 
!heap -s [ SummaryOptions] [ StatHeapAddress
!heap -i  HeapAddress
!heap -x [ -vAddress 
!heap -p [ PageHeapOptions
!heap -srch [ SizePattern
!heap -flt  FilterOptions
!heap -stat [ -h  Handle [ -grp  GroupBy [ MaxDisplay]]]
!heap [ -p-? 

 

 

0:001> !heap -s
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
-----------------------------------------------------------------------------
00150000 00000002    1024     52     52      5     1     1    0      0   L 
00250000 00008000      64     12     12     10     1     1    0      0     
00370000 00000002      64     36     36      5     2     1    0      0   L 
00380000 00001002      64     16     16      0     0     1    0      0   L 
003a0000 00001002     256     12     12      4     1     1    0      0   L 
00030000 00001002      64     32     32      4     1     1    0      0   L 
003e0000 00001002      64     32     32     24     1     1    0      0   L 
Virtual block: 00aa0000 - 00aa0000 (size 00000000)
Virtual block: 00bc0000 - 00bc0000 (size 00000000)

00a80000 00001003      64     20     20      8     1     1    2    bad     
-----------------------------------------------------------------------------


0:001> !heap -s
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
-----------------------------------------------------------------------------
00150000 00000002    1024     52     52      5     1     1    0      0   L 
00250000 00008000      64     12     12     10     1     1    0      0     
00370000 00000002      64     36     36      5     2     1    0      0   L 
00380000 00001002      64     16     16      0     0     1    0      0   L 
003a0000 00001002     256     12     12      4     1     1    0      0   L 
00030000 00001002      64     32     32      4     1     1    0      0   L 
003e0000 00001002      64     32     32     24     1     1    0      0   L 
Virtual block: 00aa0000 - 00aa0000 (size 00000000)
Virtual block: 00bc0000 - 00bc0000 (size 00000000)
Virtual block: 00cd0000 - 00cd0000 (size 00000000)
Virtual block: 00de0000 - 00de0000 (size 00000000)

00a80000 00001003      64     20     20      8     1     1       bad     
-----------------------------------------------------------------------------


0:001> !heap -stat -h 00a80000
 heap @ 00a80000
group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    100000 4 - 400000  (99.76)
    1000 1 - 1000  (0.10)
    800 1 - 800  (0.05)
    280 1 - 280  (0.02)
    20 12 - 240  (0.01)
    30 9 - 1b0  (0.01)
    40 6 - 180  (0.01)
    160 1 - 160  (0.01)
    50 4 - 140  (0.01)
    110 1 - 110  (0.01)
    100 1 - 100  (0.01)
    d0 1 - d0  (0.00)
    60 2 - c0  (0.00)
    10 b - b0  (0.00)

0:001> !heap -flt s 100000
    _HEAP @ 150000
    _HEAP @ 250000
    _HEAP @ 370000
    _HEAP @ 380000
    _HEAP @ 3a0000
    _HEAP @ 30000
    _HEAP @ 3e0000
    _HEAP @ a80000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00aa0018 20000 0000  [0b]   00aa0020    100000 - (busy VirtualAlloc)
        00bc0018 20000 0000  [0b]   00bc0020    100000 - (busy VirtualAlloc)
        00cd0018 20000 0000  [0b]   00cd0020    100000 - (busy VirtualAlloc)
        00de0018 20000 0000  [0b]   00de0020    100000 - (busy VirtualAlloc)

0:001> !heap -p -a 00aa0018
    address 00aa0018 found in
    _HEAP @ a80000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        00aa0018 20000 0000  [0b]   00aa0020    100000 - (busy VirtualAlloc)

 


dt _DPH_BLOCK_INFORMATION

 

Local Kernel

!process 0 0

 

PROCESS 8a038c50  SessionId: 0  Cid: 0118    Peb: 7ffd8000  ParentCid: 05bc

    DirBase: 7f35c2a0  ObjectTable: e2a35f40  HandleCount: 291.

    Image: ESCC.EXE

 

PROCESS 89fb4020  SessionId: 0  Cid: 025c    Peb: 7ffdd000  ParentCid: 05bc

    DirBase: 7f35c2c0  ObjectTable: e29cfab8  HandleCount: 194.

    Image: CenterDS.exe

 

PROCESS 89e378c8  SessionId: 0  Cid: 0364    Peb: 7ffd5000  ParentCid: 05bc

    DirBase: 7f35c2e0  ObjectTable: e2dfaeb0  HandleCount:  87.

    Image: PluginProxy.exe

 

PROCESS 89f41a10  SessionId: 0  Cid: 03e0    Peb: 7ffde000  ParentCid: 05bc

    DirBase: 7f35c300  ObjectTable: e2bc2168  HandleCount: 188.

Image: ESPMServer.exe

 

 

lkd> .process 8a038c50

 

kd> .context 

lkd> !peb

PEB at 7ffd8000

    InheritedAddressSpace:    Yes

    ReadImageFileExecOptions: Yes

    BeingDebugged:            Yes

    ImageBaseAddress:         09c0e000

    Ldr                       00000000

    *** unable to read Ldr table at 00000000

    SubSystemData:     00000000

    ProcessHeap:       7ffd8000

    ProcessParameters: 00001e00

    WindowTitle:  '< Name not readable >'

    ImageFile:    '< Name not readable >'

    CommandLine:  '< Name not readable >'

    DllPath:      '< Name not readable >'

    Environment:  00000000

       Unable to read Environment string.

 

lkd> !handlev

 

 

 

!address -summary

kd> !address -summary
804d8000 - 001f7000                          
          Usage       KernelSpaceUsageImage
          ImageName   ntkrnlpa.exe

  806cf000 - 00021000
          Usage       KernelSpaceUsageImage
          ImageName   halaacpi.dll

  81000000 - 001c1000
          Usage       KernelSpaceUsagePFNDatabase

  811c1000 - 00818000
          Usage       KernelSpaceUsageNonPagedPool

  bc000000 - 00400000
          Usage       KernelSpaceUsageSessionPool

  bc400000 - 03400000
          Usage       KernelSpaceUsageSessionView

  bf800000 - 00800000
          Usage       KernelSpaceUsageSessionImage

  c1200000 - 1fe00000
          Usage       KernelSpaceUsageSystemCache

  e1000000 - 0ca00000
          Usage       KernelSpaceUsagePagedPool

kd> !address -summary
804d8000 - 001f7000                          
          Usage       KernelSpaceUsageImage
          ImageName   ntkrnlpa.exe

  806cf000 - 00021000
          Usage       KernelSpaceUsageImage
          ImageName   halaacpi.dll

  81000000 - 001c1000
          Usage       KernelSpaceUsagePFNDatabase

  811c1000 - 00818000
          Usage       KernelSpaceUsageNonPagedPool

  bc000000 - 00400000
          Usage       KernelSpaceUsageSessionPool

  bc400000 - 03400000
          Usage       KernelSpaceUsageSessionView

  bf800000 - 00800000
          Usage       KernelSpaceUsageSessionImage

  c1200000 - 1fe00000
          Usage       KernelSpaceUsageSystemCache

  e1000000 - 0ca00000
          Usage       KernelSpaceUsagePagedPool

 

!pool  1: kd> !pool e7a88000
Pool page e7a88000 region is Nonpaged pool
e7a88000 is not a valid large pool allocation, checking large session pool...
e7a88000 is freed (or corrupt) pool
Bad allocation size @e7a88000, too large

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval e7a88000 for more details.
***

Pool page [ e7a88000 ] is __inVALID.

Analyzing linked list...


Scanning for single bit errors...

None found

1: kd> !pool e7a88000-8
Pool page e7a87ff8 region is Nonpaged pool
 e7a87000 size:  be8 previous size:    0  (Free)       Strg
 e7a87be8 size:  160 previous size:  be8  (Allocated)  CcSc
 e7a87d48 size:  128 previous size:  160  (Allocated)  Ntfi
*e7a87e70 size:  190 previous size:  128  (Allocated) *Epos
  Owning component : Unknown (update pooltag.txt)1: kd> !pool e7a88000
Pool page e7a88000 region is Nonpaged pool
e7a88000 is not a valid large pool allocation, checking large session pool...
e7a88000 is freed (or corrupt) pool
Bad allocation size @e7a88000, too large

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval e7a88000 for more details.
***

Pool page [ e7a88000 ] is __inVALID.

Analyzing linked list...


Scanning for single bit errors...

 

 

WinDBG中设置条件断点
条件断点:断点指令 + “j(Excecute If-Else) 和 gc (Go from Conditional Breakpoint)”
形如:bp Address "j (Condition) 'OptionalCommands'; 'gc' "

这里仅简单说明该如何写后面的条件语句

1. 非结构体变量:       
        "j (poi(MyVar)>5) '';'gc'"   在代码中,MyVar是整数变量。默认的debug配置采用MASM语法,因此MyVar被当作指针看待,在做条件判断时,需要使用poi解引用。如果debug配置采用C++语法,MyVar会被解析为整数变量,可直接用于条件判断。条件为真时对应的语句为空,则当条件满足时,会断在此处。gc表示从断点处继续运行。

2. 结构体变量
        "j (@@c++(MyStruct->field)>5) '';'gc'"   判断结构体变量中的某个成员变量时,采用C++语法解析表达式:@@c++(...)。因默认配置是masm语法,故对于结构体成员都用此种方法解析。

3. 寄存器
1        "j @eax = 0xa3 ''; 'gc'"                                     <1>
2        "j @eax = 0xc0004321 '';'gc'"                            <2>
3        "j (@eax & 0x0`ffffffff) = 0x0`c0004321 '';'gc'"     <3>
   式<1>:当eax的值为0xa3时,触发该断点。
   在masm表达式中,寄存器是做符号扩展的,即0xc0004321实际被当作是0xffffffff`c0004321,即便实际显示时是0xc00004321。这种符号扩展仅存在于kernel mode中。因此式<2>在kernel mode会失败。最好的改法则是按照式<3>的方式做条件比较,该方式可以同时用于kernel mode和user mode。

 

 

bu MSMPPEKey::insert "kb; .time; g"

 bm /a iassam!Auth* "kb; g"

你可能感兴趣的:(常用命令)