[Reverse Engineering] Common WinDbg Commands and Tips

Preface

This post records some commonly used WinDbg commands and usage tips. WinDbg is a powerful Windows debugger; beyond what is written down here, further content will be added as it comes up. You can also press F1 or run the ".hh" meta command to open debugger.chm, the complete debugger documentation.

Theme and Interface

https://www.cnblogs.com/SunsetR/p/12026080.html

Symbol Files

https://www.cnblogs.com/SunsetR/p/12034336.html

Command Overview

Debugging commands in WinDbg fall into three kinds: basic commands, meta commands and extension commands.
Basic commands: built into the debugger; their names are not case-sensitive. (Generally used to operate on the debuggee process, e.g. bp, g, k.)
Meta commands: built into the debugger and always begin with a period ".". (Generally used to control the debugger itself, e.g. .symfix sets the symbol path.)
Extension commands: added from outside and always begin with an exclamation mark "!". (Generally provide additional functionality; they are implemented in extension DLLs, and users can write their own extension DLLs.)
Extension commands are exported from dynamic-link libraries, so a DLL file name is generally used to denote one set of extension commands; "!module.command" runs a command from that specific DLL, while a bare "!command" is resolved against the loaded extension chain.
The following commands list each set of commands:

// list the basic commands
0:000> ?

Open debugger.chm for complete debugger documentation

B[C|D|E][<bps>] - clear/disable/enable breakpoint(s)
BL - list breakpoints
BA <access> <size> <addr> - set processor breakpoint
BP <address> - set soft breakpoint
D[type][<range>] - dump memory
DT [-n|y] [[mod!]name] [[-n|y]fields]
   [address] [-l list] [-a[]|c|i|o|r[#]|v] - dump using type information
DV [<name>] - dump local variables
E[type] <address> [<values>] - enter memory values
G[H|N] [=<address> [<address>...]] - go
K <count> - stacktrace
KP <count> - stacktrace with source arguments
LM[k|l|u|v] - list modules
LN <expr> - list nearest symbols
P [=<addr>] [<value>] - step over
Q - quit
R [[<reg> [= <expr>]]] - view or set registers
S[<opts>] <range> <values> - search memory
SX [{e|d|i|n} [-c "Cmd1"] [-c2 "Cmd2"] [-h] {Exception|Event|*}] - event filter
T [=<address>] [<expr>] - trace into
U [<range>] - unassemble
version - show debuggee and debugger version
X [<*|module>!]<*|symbol> - view symbols
? <expr> - display expression
?? <expr> - display C++ expression
$< <filename> - take input from a command file

Hit Enter...
// list the meta commands; the "/D" parameter displays the output in DML format
0:000> .help /D
 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All

. commands:
   .abandon - abandon the current process
   .allow_exec_cmds [0|1] - control execution commands
   .allow_image_mapping [0|1] - control on-demand image file mapping
   .apply_dbp [<options>] - add current data breakpoint state to a
                            register context
   .asm [<options>] - set disassembly options
   .asm- [<options>] - clear disassembly options
   .attach <proc> - attach to <proc> at next execution
   .block { <commands> } - brackets a set of commands for nested execution
   .bpsync [0|1] - special breakpoint behavior for multithreaded debuggees
   .break - break out of the enclosing loop
   .breakin - break into KD
   .cache [<options>] - virtual memory cache control
   .call <fn>(<arg1>, <arg2>, ...) - run a function in the debuggee
   .catch { <commands> } - catch failures in commands
   .chain - list current extensions
   .childdbg <0|1> - turn child process debugging on or off
   .clients - list currently active clients
   .closehandle [<options>] [<handle>] - close the given handle
   .continue - continue the enclosing loop
   .copysym [<options>] <path> - copy current symbol files to a directory
   .create <command line> - create a new process
   .createdir [<options>] [<path>] - control process creation options
   .cxr <address> - dump context record at specified address
                    k* after this gives cxr stack
   .dbgdbg - attach a debugger to the current debugger
   .debug_sw_wow [0|1] - allow interaction with software WOW emulation
   .detach - detach from the current process/dump
   .dml_file <file> - output DML content from file
   .dml_flow <start> <addr> - show basic block code flow
   .dml_start [<options>] - navigable overview of debugger activities
   .do { <commands> } (<cond>) - execute <commands> until <cond> is zero
   .drivers - This command was removed -- use 'lm' or .reload -l)
   (remaining output omitted...)
// list all extension DLLs loaded by the debugger; the "/D" parameter displays the output in DML format
0:000> .chain /D
Extension DLL search Path:  // directories searched for extension DLLs
    C:\Tools\Debuggers\WinDbg\x86\WINXP;
    C:\Tools\Debuggers\WinDbg\x86\winext;
    C:\Tools\Debuggers\WinDbg\x86\winext\arcade;

Extension DLL chain:  // extension modules shipped with WinDbg, in the order unqualified "!commands" are searched
    dbghelp: image 6.3.9600.17237, API 6.3.6, built Thu Jul 17 01:35:59 2014
        [path: C:\Tools\Debuggers\WinDbg\x86\dbghelp.dll]
    ext: image 6.3.9600.17237, API 1.0.0, built Thu Jul 17 01:53:26 2014
        [path: C:\Tools\Debuggers\WinDbg\x86\winext\ext.dll]
    exts: image 6.3.9600.17237, API 1.0.0, built Thu Jul 17 01:43:32 2014
        [path: C:\Tools\Debuggers\WinDbg\x86\WINXP\exts.dll]
    uext: image 6.3.9600.16384, API 1.0.0, built Thu Aug 22 12:04:09 2013
        [path: C:\Tools\Debuggers\WinDbg\x86\winext\uext.dll]
    ntsdexts: image 6.3.9600.16384, API 1.0.0, built Thu Aug 22 12:04:34 2013
        [path: C:\Tools\Debuggers\WinDbg\x86\WINXP\ntsdexts.dll]

// use "!module.help" to list the extension commands exported by that extension DLL
0:000> !ext.help
address [address]          - Displays the address space layout
        [-UsageType]       - Displays the address space regions of the given type
analyze [-v]               - Analyzes current exception or bugcheck
cpuid [processor]          - Displays CPU version info for all CPUs
elog_str <message>         - Logs simple message to host event log
cppexr <exraddress>        - Displays a C++ EXCEPTION_RECORD
error [errorcode]          - Displays Win32 & NTSTATUS error string
exchain                    - Displays exception chain for current thread
for_each_frame <cmd>       - Executes command for each frame in current
                             thread
for_each_local <cmd> $$<n> - Executes command for each local variable in
                             current frame, substituting fixed-name alias
                             $u<n> for each occurrence of $$<n>
gle [-all]                 - Displays last error & status for current thread
imggp <imagebase>          - Displays GP directory entry for 64-bit image
imgreloc <imagebase>       - Relocates modules for an image
list [-? | parameters]     - Displays lists
obja <address>             - Displays OBJECT_ATTRIBUTES[32|64]
owner [symbol!module]      - Detects owner for current exception or
                             bugcheck from triage.ini
rtlavl <address>           - Displays RTL_AVL_TABLE
std_map <address>          - Displays a std::map<>
str <address>              - Displays ANSI_STRING or OEM_STRING
ustr <address>             - Displays UNICODE_STRING

// use "!module.command" to run a command from a specific extension DLL and see its output
0:000> !ext.cpuid
CP  F/M/S  Manufacturer     MHz
 0  6,14,12 GenuineIntel    1800
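The three command syntaxes and the .chain / !module.help listings above are regular enough to process outside the debugger. The following Python is an added example written for this post (it is not WinDbg code and not from the original author): it classifies a command line as basic, meta or extension, parses a .chain listing into the search path and the ordered DLL chain, parses a !module.help listing into the command names a DLL exports, and resolves a bare !command to the first DLL in the chain known to export it. The sample texts are constructed from the listings shown on this page (the help sample is trimmed), and the first-match walk over the chain is an assumption about how an unqualified extension command is resolved, not something the page states.

```python
"""Classify WinDbg commands and parse '.chain' / '!<module>.help' output.

Added example for this post; not part of WinDbg or the Debugging Tools for
Windows.  The sample texts are constructed from the page's listings."""
import re
from dataclasses import dataclass, field

# Constructed sample: the '.chain' listing from the page, comments removed.
CHAIN_SAMPLE = r"""
Extension DLL search Path:
    C:\Tools\Debuggers\WinDbg\x86\WINXP;
    C:\Tools\Debuggers\WinDbg\x86\winext;
    C:\Tools\Debuggers\WinDbg\x86\winext\arcade;

Extension DLL chain:
    dbghelp: image 6.3.9600.17237, API 6.3.6, built Thu Jul 17 01:35:59 2014
        [path: C:\Tools\Debuggers\WinDbg\x86\dbghelp.dll]
    ext: image 6.3.9600.17237, API 1.0.0, built Thu Jul 17 01:53:26 2014
        [path: C:\Tools\Debuggers\WinDbg\x86\winext\ext.dll]
    exts: image 6.3.9600.17237, API 1.0.0, built Thu Jul 17 01:43:32 2014
        [path: C:\Tools\Debuggers\WinDbg\x86\WINXP\exts.dll]
    uext: image 6.3.9600.16384, API 1.0.0, built Thu Aug 22 12:04:09 2013
        [path: C:\Tools\Debuggers\WinDbg\x86\winext\uext.dll]
    ntsdexts: image 6.3.9600.16384, API 1.0.0, built Thu Aug 22 12:04:34 2013
        [path: C:\Tools\Debuggers\WinDbg\x86\WINXP\ntsdexts.dll]
"""

# Constructed sample: a trimmed copy of the '!ext.help' listing on the page.
EXT_HELP_SAMPLE = """\
address [address]          - Displays the address space layout
        [-UsageType]       - Displays the address space regions of the given type
analyze [-v]               - Analyzes current exception or bugcheck
cpuid [processor]          - Displays CPU version info for all CPUs
for_each_frame <cmd>       - Executes command for each frame in current
                             thread
gle [-all]                 - Displays last error & status for current thread
"""


@dataclass
class Extension:
    name: str
    image: str
    api: str
    path: str = ""
    exports: set = field(default_factory=set)   # filled from '!<name>.help'


_CHAIN_ENTRY = re.compile(r"^(\w+): image ([\d.]+), API ([\d.]+)")
_CHAIN_PATH = re.compile(r"^\[path: (.+)\]$")


def parse_chain(text):
    """Return (search_paths, [Extension, ...]) in the order WinDbg lists them."""
    search_paths, chain, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Extension DLL search Path:"):
            section = "search"
        elif line.startswith("Extension DLL chain:"):
            section = "chain"
        elif section == "search":
            search_paths.extend(p for p in line.split(";") if p)
        elif section == "chain":
            m = _CHAIN_ENTRY.match(line)
            if m:
                chain.append(Extension(*m.groups()))
                continue
            m = _CHAIN_PATH.match(line)
            if m and chain:
                chain[-1].path = m.group(1)   # path line follows its entry
    return search_paths, chain


def parse_help(text):
    """Command names from a '!<module>.help' listing: the first token of every
    line that starts in column 0; indented lines continue the previous entry."""
    return {line.split()[0] for line in text.splitlines()
            if line and not line[0].isspace()}


def classify(cmd):
    """Split a command line into (kind, module, name) by the three syntaxes:
    '!' extension (optionally 'module.name'), '.' meta, otherwise basic.
    Basic command names are case-insensitive, so they are lower-cased."""
    head = cmd.strip().split()[0]
    if head.startswith("!"):
        module, dot, name = head[1:].partition(".")
        return ("extension", module, name) if dot else ("extension", None, module)
    if head.startswith("."):
        return ("meta", None, head[1:])
    return ("basic", None, head.lower())


def resolve(cmd, chain):
    """Name of the DLL that serves an extension command, or None.
    '!module.name' is explicit; a bare '!name' walks the chain in order and
    takes the first DLL whose known exports contain it (assumption: mirrors
    the debugger's first-match search; DLLs with no parsed help are skipped)."""
    kind, module, name = classify(cmd)
    if kind != "extension":
        return None
    for ext in chain:
        if module is not None:
            if ext.name == module:
                return ext.name
        elif name in ext.exports:
            return ext.name
    return None


if __name__ == "__main__":
    paths, chain = parse_chain(CHAIN_SAMPLE)
    for ext in chain:
        if ext.name == "ext":
            ext.exports = parse_help(EXT_HELP_SAMPLE)
    print("search path:", paths)
    for ext in chain:
        print(f"{ext.name:10} image {ext.image:15} {ext.path}")
    for c in ("BP 0x401000", ".symfix", "!ext.cpuid", "!cpuid", "!nosuch"):
        print(f"{c:12} -> {classify(c)}  served by {resolve(c, chain)}")
```

Only the ext DLL's exports are known in the sample, so "!cpuid" resolves to ext; with every DLL's help parsed, the same walk shows which DLL a bare "!command" actually hits when two extensions export the same name, which is exactly the case where the "!module.command" form is worth typing.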


posted @ 2019-12-12 15:57  SunsetR