Thematically groupped WinDBG commands: Common WinDbg Commands (Thematically Grouped)
| Command | Meaning |
|---|---|
| !peb | display formatted PEB |
| dt nt!_PEB Addr | full PEB dump |
| lm | list loaded and unloaded modules |
| lm vm kernel32 | verbose output (incl image, syml information) |
| !dlls | display loaded modules with loader info |
| !imgreloc | display relocation info |
| !dh kernel32 | display headers |
| !gle | Get Last Error |
| !process 0 4 processname.exe | print all threads of process |
| !teb | display formatted teb |
| dt nt!_TEB Addr | full TEB dump |
| k, kP, kf, kv, kb | display call stack for current thread P == full parameters for each function called f == distance between adjacent frames to be displayed (useful to check stack consumption of each frame) v == display FPO information + calling convention b == display the first three parameters passed to each function |
| d, dd, da, du… | Display memory dd == double word values da == display ASCII characters du == display Unicode characters |
| f 0012ff40 L20 ‘A’ ‘B’ ‘C’ | fill 20 elements with ABC starting at address |
| !vprot MyAddr | Displays virtual memory protection information for MyAddr |
| !address MyAddr | Display information (type, protection, usage, ..) about the memory specified by MyAddr |
| !heap | print all heaps |
| !locks | displays a list of locked critical sections for the process |
| !locks -v | display all critical sections for the process |
| !cs -l [CsAddr] | Displays one or more critical sections, or the entire critical section tree. -l == display only locked sections -s == causes each CS’s initialization stack to be displayed -o == causes the owner’s stack to be displayed -t == display critical section tree -> EnterCntr, WaitCnt, … |
| !avrf -cs | Display a list of deleted critical sections (DeleteCriticalSection API) |
| !critsec [CsAddr] | displays the same collection of information as !ntsdexts.locks |
| dt | Display information about a local variable, function parameter, global variable or data type |
| dv | Display local variables |
| dv /t /i /V | Display local variables /i == classify them into categories (parameters or locals) /V == show addresses and offsets for the relevant base frame register (usually EBP) /t == display type information |
| dd 0046c6b0 L1 | display 1 dword at 0046c6b0 |
| dd 0046c6b0 L3 | display 3 dwords at 0046c6b0 |
| du 0046c6b0 | display Unicode chars at 0046c6b0 |
| ad Name ad * |
Delete alias with Name |
| al | List user-named aliases |
| ${Alias} | ${Alias} is replaced by the alias equivalent, even if it is touching other text. If the alias is not defined, the ${Alias} is not replaced |
| ${/f:Alias} | Same as above except that ${/f:Alias} is replaced with an empty string if the alias is not defined |
| ${/n:Alias} | Evaluates to the alias name |
| ${/d:Alias} | Evaluates: 1 = alias defined; 0 = alias not defined |
| bp bu ba bc be, bd |
Set Breakpoint Set Unresolved Breakpoint: defers the actual setting of the breakpoint until the module is loaded Break on Access Breakpoint Clear Breakpoint Enable, Disable |
| ba r4 0012fe34 ba w2 0012fe38 |
break on access (read or write); monitor 4 bytes break on access (write); monitor 2 bytes |
| bu kernel32!LoadLibraryExW 5 | Breakpoint that will starts hitting after 5 passes |
| ~1 bu kernel32!LoadLibraryExW | Break only if called from thread ~1 |
| bp mod!myFunc* | Break at all symbols with pattern myFunc* |
| .lastevent | first-change or second-chance? |
| !analyze -v | Displays detailed information about the current exception |
| .exr -1 | Display most recent exception |
| .exr Addr | Display exception at Addr |
| !cppexr Addr | Display c++ exception at address Addr |
| g, gH gN |
Go with Exception Handled Go with Exception Not Handled |
| .dump /ma D:\large.dmp | all possible data: full memory, code sections, PEB and TEB’s, handle data, thread time information, unloaded module lists, and more |
| .dump /m d:\small.dmp | only basic information: module information (signatures), thread and stack information |
| r | print all registers |
| d * | view memory |
| e * | edit memory |
| ~1 ~2 | change context to processor 1/2 |
| ed nt!Kd_Default_Mask 8 | Включить DbgPrint прям в консоль windbg |
| __debugbreak(); | Команда плюсов, замена int3 |
| .reload /u | Выгрузить модули (например при перекомпиле выгрузить pdb) |
| dds nt!KiServiceTable+syscall*4 | Интерпретировать адреса как символы |
| dt _EPROCESS 81F24BD0 -r1 | print recursively -rN - N - level of recurse |
| ~0s / ~1s / ~2s | switch processor |
| dt nt!_kprcb | view Kernel Processor Control Block |
| !prcb | address of KPRCB for current processor |
| !handle 0 3 EPROCESSADDRESS File | show all handles of process of concrete type |
| dd /c1 ADDRESS L30 | list in one column 30 values |
| .cmdtree | call help |
| .thread ADDRESS | switch to thread in kernel |
| !error @eax | interpret NTSTATUS in eax |
| .chain | extensions |
| .load C:\way\to\dll\Mex.dll | load new extension |
| !reload -u | unload all modules (for ex if you wannd recompile file, but you’ve loaded pdb into windbg, you need to unload it) |
| ?? sizeof(nt!_IRP) | get size of structure |
| !thread XXX !irp addrX |
gives IRP List addrX gives holding IRP’s by thread |
| !dpcs | list dpc queue for the current processor |
bp sampleapp!file.cpp:6 “.if (dwo(VARIABLE)>0n100) {} .else { gc } |
run command at break with if (MASM syntax) |
bp sampleapp!file.cpp:6 “.if (@@(VARIABLE)>0n100) {} .else { gc } |
same in C++ syntax |
| db poi(VAR) | dereference |
| .childdbg [0/1] | enable child debugging |
Full windbg syntax commands, that I once used:
| command |
|---|
| bp kernel32!CreateFileW “.echotime;.echo====================;dps rcx L2;g” |
| .for (r $t0 = 0; @$t0 < 0x4; r $t0 = @$t0 + 1) {.echotime;.echo====================;!irql;t;} |