WinDbg command reference

WinDbg is a powerful user-mode and kernel-mode debugger for the Windows platform. Compared with Visual Studio it is lightweight, in the sense that its installer is small, yet its debugging features go beyond what VS offers. Its other main use is analysing dump files (user-mode crash dumps and kernel memory dumps).

1. Download

Route 1: install WinDbg Preview from the Microsoft Store; it is ready to use after installation.

Route 2: https://learn.microsoft.com/zh-cn/windows-hardware/drivers/download-the-wdk

After downloading the WDK, install the [Debugging Tools for Windows] component it contains; WinDbg (together with the console debuggers cdb.exe and kd.exe, which accept the same commands) is then ready to use.

2. Symbols

WinDbg --> File --> Symbol File Path, and enter the following:

srv*d:\mysymbol*http://msdl.microsoft.com/download/symbols

Here d:\mysymbol is the local downstream cache and the URL is the Microsoft public symbol server: a symbol file is fetched once from the server and served from the cache afterwards. The same string can be set from the command line with .sympath (section 3.7) or placed in the _NT_SYMBOL_PATH environment variable, in which case WinDbg, cdb and kd all pick it up; the https form of the server URL is also accepted.

3. Command list

Translated from [www.windbg.info/doc/1-common-].

3.1 Built-in help commands

Command / parameters                    Description

?
    ?                                   Display the general commands
    ? /D                                Display the general commands in DML format

.help
    .help                               Display the dot commands (.command)
    .help /D                            Display the dot commands in DML format
    .help /D a*                         Display, in DML format, the dot commands matching a* (wildcard)

.chain
    .chain                              List all loaded debugger extensions
    .chain /D                           List all loaded debugger extensions in DML format (each extension linked to .extmatch)

.extmatch
    .extmatch /e ExtDLL FunctionFilter      Display all functions exported by the extension DLL; FunctionFilter = wildcard string
    .extmatch /D /e ExtDLL FunctionFilter   Same in DML format (each function linked to the "!ExtName.help FuncName" command)
                                            Example: .extmatch /D /e uext * (display all exported functions of uext.dll)

.hh
    .hh                                 Open the WinDbg help
    .hh Text                            Text = text to look up in the help file index
                                        Example: .hh dt

3.2 General WinDbg commands

Command / parameters                    Description

version                                 Dump version information for the debugger and the loaded extension DLLs
vercommand                              Dump the command line that was used to start the debugger
vertarget                               Version of the target computer
CTRL+ALT+V                              Toggle verbose mode; in verbose mode some commands (for example the register dump) produce more detailed output
n
    n [8 | 10 | 16]                     Set the default number base (radix)
.formats
    .formats Expression                 Display number formats = evaluate a numeric expression or symbol and display it in several numeric formats (hexadecimal, decimal, octal, binary, time, ...)
                                        Example 1: .formats 5
                                        Example 2: .formats poi(nLocal1) == .formats @@($!nLocal1)
.cls                                    Clear the screen
.lastevent                              Display the most recent exception or event (why is the debugger waiting?)
.effmach
    .effmach                            Dump the effective machine (x86, amd64, ...)
    .effmach .                          Use the native processor mode of the target computer
    .effmach #                          Use the processor mode of the code that was executing for the most recent event
    .effmach x86 | amd64 | ia64 | ebc   Use the x86, amd64, ia64 or ebc processor mode
.time                                   Display times (system uptime, process uptime, kernel time, user time)

3.3 Debugging session

Command / parameters                    Description

.attach
    .attach PID                         Attach to the process with the given PID
.detach                                 End the debugging session but let any user-mode target application keep running
q
    q, qq                               Quit = end the debugging session and terminate the target application
                                        Remote debugging: q = no effect; qq = terminate the debugging server
.restart                                Restart the target application

3.4 Expressions and commands

Command / parameters                    Description

;                                       Command separator (cmd1; cmd2; ...)
?
    ? Expression                        Evaluate the expression (with the default evaluator)
    ?? Expression                       Evaluate a C++ expression
.expr                                   Select the default expression evaluator
    .expr                               Display the current evaluator
    .expr /q                            Display the available evaluators
    .expr /s c++                        Make C++ the default expression evaluator
    .expr /s masm                       Make MASM the default expression evaluator
*
    * [any text]                        Comment line specifier
                                        Terminated by: end of line
$$
    $$ [any text]                       Comment specifier
                                        Terminated by: end of line OR semicolon
.echo
    .echo String                        Echo comment -> comment text that is also echoed to the output
    .echo "String"                      Terminated by: end of line OR semicolon

With the $$ token or the * token the debugger ignores the input text without echoing it.

3.5 Debugger Markup Language (DML)

Command / parameters                    Description

.dml_start                              Starting page with links to the other DML commands
.prefer_dml
    .prefer_dml [1 | 0]                 Global setting: should DML-enhanced commands default to DML output?
                                        Note that many commands, such as k, lm, ..., then emit DML.
.help /D                                .help has a DML mode that provides a link bar at the top
.chain /D                               .chain has a DML mode in which extensions are linked to .extmatch
.extmatch /D                            .extmatch has a DML format in which exported functions are linked to the "!ExtName.help FuncName" command
lmD                                     lm has a DML mode in which module names are linked to the lmv command
kM                                      k has a DML mode in which frame numbers are linked to .frame/dv
.dml_flow
    .dml_flow StartAddr TargetAddr      Allows interactive exploration of a function's code flow:
                                        1. builds the code flow graph for the function starting at the given start address (similar to uf)
                                        2. displays the basic block at the given target address, plus links to the blocks that reference it and the blocks it references
                                        Example: .dml_flow CreateRemoteThread CreateRemoteThread+30

3.6 Main extensions

Command / parameters                    Description

!Ext.help                               General extensions
!Exts.help                              -||-
!Uext.help                              User-mode extensions (not OS specific)
!Ntsdexts.help                          User-mode extensions (OS specific)
!logexts.help                           Logger extension
!clr10\sos.help                         Debugging managed code
!wow64exts.help                         Wow64 debugger extensions
!Wdfkd.help                             Kernel-Mode Driver Framework extensions
!Gdikdx.help                            Graphics driver extensions
...
!NAME.help
    !NAME.help FUNCTION                 Display detailed help about an exported function
                                        NAME = placeholder for the extension DLL
                                        FUNCTION = placeholder for the exported function
                                        Example: !Ntsdexts.help handle (display detailed help about !Ntsdexts.handle)

3.7 Symbols

Command / parameters                    Description

ld
    ld ModuleName                       Load symbols for the module
    ld *                                Load symbols for all modules
!sym
    !sym                                Get the symbol loading status
    !sym noisy                          Set noisy symbol loading (the debugger shows information about its search for symbols)
    !sym quiet                          Set quiet symbol loading (= default)
x
    x [Options] Module!Symbol           Examine symbols: display the symbols that match the given pattern
    x /t ...                            With data type
    x /v ...                            Verbose (symbol type and size)
    x /a ...                            Sort by address
    x /n ...                            Sort by name
    x /z ...                            Sort by size (the "size" of a function symbol is the size of the function in memory)
ln
    ln Addr                             List nearest symbols = display the symbols at or near the given Addr. Useful for:
                                          - determining what a pointer points to
                                          - looking at a corrupted stack to determine which procedure made a call
.sympath
    .sympath                            Display or set the symbol search path
    .sympath+ DIR                       Append a directory to the existing symbol path
.symopt
    .symopt                             Display the current symbol options
    .symopt+ Flags                      Add options
    .symopt- Flags                      Remove options
.symfix
    .symfix                             Set the symbol store path to point automatically to http://msdl.microsoft.com/download/symbols
    .symfix+ DownstreamStore            + = append it to the existing path
                                        DownstreamStore = directory to use as the downstream store; defaults to WinDbgInstallationDir\Sym
.reload
    .reload                             Reload symbol information for all modules
    .reload [/f | /v]                   /f = force immediate symbol loading (overrides lazy loading); /v = verbose mode
    .reload [/f | /v] Module            Module = for that module only

3.8 Source

Command / parameters                    Description

.srcpath
    .srcpath                            Display or set the source search path
    .srcpath+ DIR                       Append a directory to the source search path
.srcnoisy
    .srcnoisy {1|0}                     Control noisy source loading
.lines
    .lines [-e | -d | -t]               Toggle source line support: enable; disable; toggle
l (lower-case L)
    l+l, l-l                            Show line numbers
    l+o, l-o                            Suppress all other output
    l+s, l-s                            Source and line numbers
    l+t, l-t                            Source mode vs. assembly mode

3.9 Exceptions, events and crash analysis

Command / parameters                    Description

g
    g                                   Go
    gH                                  Go with the exception handled
    gN                                  Go with the exception not handled
.lastevent                              What happened? Display the most recent event or exception
!analyze
    !analyze -v                         Display information about the current exception or bug check; verbose
    !analyze -hang                      User mode: analyse the thread stacks to determine whether any thread is blocking other threads
    !analyze -f                         Look at the exception analysis even if the debugger has not detected an exception
sx
    sx                                  Display all event filters with their break status and handling
    sxe                                 Break on first chance
    sxd                                 Break on second chance
    sxn                                 Notify; do not break
    sxi                                 Ignore the event
    sxr                                 Reset the filter settings to their defaults
                                        The filter is selected by an event code, for example sxe ld:Module (break when Module loads) or sxe av / sxd av (access violation)
.exr
    .exr -1                             Display the most recent exception record
    .exr Addr                           Display the exception record at Addr
.ecxr                                   Display the exception context record (registers) associated with the current exception
!cppexr
    !cppexr Addr                        Display the contents and type of a C++ exception

When a crash dump is opened, .ecxr also switches the debugger's register context to the faulting context, so that k, r and dv afterwards show the stack, registers and locals of the crash rather than the context in which the dump was written.
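The symbol path from section 2 and the commands above (!analyze -v, .ecxr, kv) are what a crash-triage script runs over a directory of dumps. The following Python is an added example and not part of the original post or of the debugger: it drives cdb.exe, the console debugger that ships with WinDbg and accepts the same commands, parses the KEY: value lines of !analyze -v, and applies a rough exploitability heuristic in the spirit of the !exploitable extension. It assumes cdb.exe is on PATH and the symbol path of section 2 is valid; the MyApp transcript at the bottom is constructed for the offline self-check, and the classification thresholds are this example's own.

```python
"""Batch triage of crash dumps with cdb.exe (added example, not from the original post).

Assumes cdb.exe from the Debugging Tools for Windows is on PATH and that the symbol
path from section 2 is valid. Only run_analyze() touches the debugger; the parsing
and classification functions are pure and run offline on the constructed SAMPLE.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Symbol path from section 2 (d:\mysymbol is the local downstream cache).
SYMBOL_PATH = r"srv*d:\mysymbol*https://msdl.microsoft.com/download/symbols"

# Documented NTSTATUS values whose presence alone says a lot about a crash.
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_HEAP_CORRUPTION = 0xC0000374
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409


def run_analyze(dump_path: str, cdb: str = "cdb.exe", timeout: int = 600) -> str:
    """Open a dump in cdb, run the analysis commands and return the transcript.

    -z loads a dump, -y sets the symbol path, -lines enables source line info and
    -c runs a command string: !analyze -v, .ecxr (switch to the faulting context),
    kv (stack with FPO info) and q to quit.
    """
    cmd = [cdb, "-z", dump_path, "-y", SYMBOL_PATH, "-lines",
           "-c", "!analyze -v; .ecxr; kv; q"]
    return subprocess.run(cmd, capture_output=True, text=True,
                          timeout=timeout, check=False).stdout


@dataclass
class Triage:
    fields: Dict[str, str] = field(default_factory=dict)  # upper-case KEY: value lines
    stack: List[str] = field(default_factory=list)        # frames of the STACK_TEXT block


_FIELD = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")


def parse_analyze(text: str) -> Triage:
    """Collect the KEY: value fields and the STACK_TEXT block (ends at a blank line)."""
    t = Triage()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _FIELD.match(lines[i])
        if m and m.group(1) == "STACK_TEXT":
            i += 1
            while i < len(lines) and lines[i].strip():
                t.stack.append(lines[i].strip())
                i += 1
            continue
        if m:
            t.fields[m.group(1)] = m.group(2).strip()
        i += 1
    return t


def exception_code(t: Triage) -> Optional[int]:
    """EXCEPTION_CODE_STR on recent debuggers; older ones only print EXCEPTION_CODE."""
    code = t.fields.get("EXCEPTION_CODE_STR")
    if not code:
        m = re.search(r"0x([0-9a-fA-F]{8})", t.fields.get("EXCEPTION_CODE", ""))
        code = m.group(1) if m else None
    return int(code, 16) if code else None


def classify(t: Triage) -> str:
    """Heuristic verdict. For an access violation EXCEPTION_PARAMETER1 is the access
    kind (0 = read, 1 = write, 8 = execute of non-executable memory) and
    EXCEPTION_PARAMETER2 the faulting address."""
    code = exception_code(t)
    if code == STATUS_STACK_BUFFER_OVERRUN:
        return "EXPLOITABLE: stack buffer overrun (/GS cookie check failed)"
    if code == STATUS_HEAP_CORRUPTION:
        return "EXPLOITABLE: heap corruption reported by the heap manager"
    if code == STATUS_ACCESS_VIOLATION:
        kind = int(t.fields.get("EXCEPTION_PARAMETER1", "0"), 16)
        addr = int(t.fields.get("EXCEPTION_PARAMETER2", "0"), 16)
        if kind == 8:
            return "EXPLOITABLE: execution of non-executable memory"
        if kind == 1:
            return "PROBABLY_EXPLOITABLE: write access violation at %#x" % addr
        if addr < 0x10000:
            return "PROBABLY_NOT_EXPLOITABLE: read near NULL"
        return "UNKNOWN: read access violation at %#x" % addr
    return "UNKNOWN: exception code %s" % (None if code is None else "%#x" % code)


def bucket(t: Triage) -> str:
    """Dedup key for a corpus of dumps: the debugger's bucket id, else the faulting symbol."""
    return t.fields.get("FAILURE_BUCKET_ID") or t.fields.get("SYMBOL_NAME") or "unknown"


def triage_dump(dump_path: str) -> dict:
    t = parse_analyze(run_analyze(dump_path))
    return {"bucket": bucket(t), "verdict": classify(t), "top_frame": t.stack[:1]}


# Constructed, abridged !analyze -v transcript for the offline self-check (MyApp is hypothetical).
SAMPLE = """\
FAULTING_IP:
MyApp!ProcessInput+2a
00007ff6`12345678 8901            mov     dword ptr [rcx],eax

PROCESS_NAME:  MyApp.exe

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000041414141

STACK_TEXT:
000000a1`2f8ff6e0 00007ff6`123456aa     : 0000000041414141 : MyApp!ProcessInput+0x2a
000000a1`2f8ff720 00007ff6`12345000     : 0000000000000000 : MyApp!main+0x4a

SYMBOL_NAME:  MyApp!ProcessInput+2a

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_MyApp.exe!ProcessInput
"""

if __name__ == "__main__":
    t = parse_analyze(SAMPLE)
    print(bucket(t), "->", classify(t))
```

Run triage_dump() over every .dmp in a directory and group by bucket: FAILURE_BUCKET_ID already folds crashes at the same faulting function together, so a fuzzing run that produced thousands of dumps usually collapses to a handful of buckets, and the verdict string orders which bucket to open in WinDbg first. Write access violations and /GS or heap-manager failures deserve a manual look before read-near-NULL crashes.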

3.10 Loaded modules and image information

Command / parameters                    Description

lm
    lm[v | l | k | u | f] [m Pattern]   List modules; v = verbose | l = loaded symbol information only | k = kernel-mode modules only | u = user-mode modules only | f = image path; m Pattern = pattern the module name must match
    lmD                                 DML mode of lm; lmv command links are included in the output
!dlls
    !dlls                               All loaded modules with their load count
    !dlls -i                            By initialization order
    !dlls -l                            By load order (default)
    !dlls -m                            By memory order
    !dlls -v                            With version information
    !dlls -c ModuleAddr                 Only the module containing ModuleAddr
    !dlls -?                            Brief help
!imgreloc
    !imgreloc ImgBaseAddr               Information about relocated images
!lmi
    !lmi Module                         Detailed information about a module (including exact symbol information)
!dh
    !dh ImgBaseAddr                     Dump the image headers at ImgBaseAddr
    !dh -f ImgBaseAddr                  f = file header only
    !dh -s ImgBaseAddr                  s = section headers only
    !dh -h                              h = brief help

3.11 Process information

Command / parameters                    Description

!dml_proc                               (DML) Display the current process and allow drilling down for more information
| (pipe)                                Print the status of all processes being debugged
.tlist                                  List all processes running on the system
!peb                                    Display a formatted view of the Process Environment Block (PEB)

3.12 Thread information

Command / parameters                    Description

~
    ~                                   List threads
    ~* [Command]                        All threads
    ~. [Command]                        The current thread
    ~# [Command]                        The thread that caused the current event or exception
    ~Number [Command]                   The thread with ordinal Number
    ~~[TID] [Command]                   The thread with thread ID TID (the brackets are required)
    ~Ns                                 Switch to thread N (new current thread)
~e                                      Execute thread-specific commands (CommandString = one or more commands to execute):
    ~* e CommandString                  on all threads
    ~. e CommandString                  on the current thread
    ~# e CommandString                  on the thread that caused the current event
    ~Number e CommandString             on the thread with the given ordinal
~f
    ~Thread f                           Freeze the thread (see ~ for the thread syntax)
~u
    ~Thread u                           Unfreeze the thread (see ~ for the thread syntax)
~n
    ~Thread n                           Suspend the thread = increment the thread's suspend count
~m
    ~Thread m                           Resume the thread = decrement the thread's suspend count
!teb                                    Display a formatted view of the Thread Environment Block (TEB)
!tls
    !tls -1                             -1 = dump all slots of the current thread
    !tls SlotIdx                        SlotIdx = dump only the given slot
    !tls [-1 | SlotIdx] TebAddr         TebAddr = the thread to use; if omitted, the current thread is used
.ttime                                  Display thread times (user + kernel mode)
!runaway
    !runaway [Flags: 0 | 1 | 2]         Display information about the time consumed by each thread (0 = user time, 1 = kernel time, 2 = time since thread creation).
                                        Quick way to find the threads that are spinning out of control or consuming too much CPU time
!gle
    !gle                                Dump the last error of the current thread
    !gle -all                           Dump the last error of all threads
!error
    !error ErrValue                     Decode and display information about the error value
    !error ErrValue 1                   Treat ErrValue as an NTSTATUS code

3.13 Breakpoints

Command / parameters                    Description

bl                                      List breakpoints
bc
    bc *                                Clear all breakpoints
    bc # [#] [#]                        Clear breakpoint(s) #
be
    be *                                Enable all breakpoints
    be # [#] [#]                        Enable breakpoint(s) #
bd
    bd *                                Disable all breakpoints
    bd # [#] [#]                        Disable breakpoint(s) #
bp
    bp [Addr]                           Set a breakpoint at the address
    bp [Addr] ["CmdString"]             CmdString = Cmd1; Cmd2; ... executed every time the breakpoint is hit
    [~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"]
                                        ~Thrd = the thread the breakpoint applies to
                                        # = breakpoint ID
                                        Passes = activate the breakpoint only after it has been passed Passes times (earlier hits are ignored)
bu
    bu [Addr]                           Set an unresolved (deferred) breakpoint: it is resolved and set when the module is loaded
                                        See bp for the remaining syntax
bm
    bm SymPattern                       Set a symbol breakpoint; SymPattern may contain wildcards
    bm SymPattern ["CmdString"]         CmdString = Cmd1; Cmd2; ... executed every time the breakpoint is hit
    [~Thrd] bm [Options] SymPattern [#Passes] ["CmdString"]
                                        ~Thrd = the thread the breakpoint applies to
                                        Passes = activate the breakpoint only after it has been passed Passes times (earlier hits are ignored)
                                        The syntax bm SymPattern is equivalent to running x SymPattern and then bu on each result
ba
    ba [r|w|e] [Size] Addr              Break on access: r = read or write, w = write, e = execute; Size = 1, 2 or 4 bytes (8 is also allowed on x64 targets)
    [~Thrd] ba[#] [r|w|e] [Size] [Options] [Addr] [Passes] ["CmdString"]
                                        ~Thrd = the thread the breakpoint applies to
                                        # = breakpoint ID
                                        Passes = activate the breakpoint only after it has been passed Passes times (earlier hits are ignored)
br
    br OldID NewID [OldID2 NewID2 ...]  Renumber one or more breakpoints

Two practical notes: a CmdString that should let the target continue ends with gc (go from conditional breakpoint), which resumes in the same way the breakpoint was reached (g or a step), and ba breakpoints are backed by the processor's debug registers, so at most four can be active at once and Addr must be aligned to Size.
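The bp/bu ["CmdString"] form above turns a breakpoint into an API tracer: the command string dumps the arguments and resumes with gc, so the target never stops. The Python below is an added example, not code from the original post or from the debugger; it writes such a breakpoint script, starts the target under cdb.exe with -cf, and parses the du / r output back into (path, access mask) pairs. It assumes an x64 target (first argument in rcx, dwDesiredAccess in rdx; on x86 the equivalents are poi(@esp+4) and poi(@esp+8)), cdb.exe on PATH, and a hypothetical target program; the transcript at the bottom is constructed so the parser can be checked offline.

```python
"""Log every CreateFileW call of a target via a breakpoint command string.

Added example, not from the original post. Assumes an x64 target and cdb.exe on
PATH; target program and output paths are hypothetical. The breakpoint uses the
bu ["CmdString"] form from section 3.13 and resumes each hit with gc.
"""
import os
import re
import subprocess
import tempfile
from typing import List, Optional, Tuple

# Access-mask bits from winnt.h, used to decode dwDesiredAccess.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000

# Debugger script: bu defers the breakpoint until kernelbase (where the
# implementation lives, so api-ms-win-* forwarders are caught too) is mapped;
# each hit dumps the file name (du @rcx) and the access mask (r rdx), then gc.
SCRIPT = (
    'bu kernelbase!CreateFileW "du @rcx; r rdx; gc"\n'
    "g\n"
    "q\n"
)


def run_under_cdb(target: List[str], cdb: str = "cdb.exe", timeout: int = 300) -> str:
    """Start the target under cdb with SCRIPT (-cf) and return the transcript.
    -G suppresses the break at process exit so the trailing q runs unattended."""
    fd, script_path = tempfile.mkstemp(suffix=".wds")
    with os.fdopen(fd, "w") as f:
        f.write(SCRIPT)
    try:
        cmd = [cdb, "-G", "-cf", script_path] + target
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout, check=False).stdout
    finally:
        os.remove(script_path)


# du prints   00000253`8a2f4c40  "C:\path\file"    and r rdx prints   rdx=0000000040000000
_DU = re.compile(r'^[0-9a-f`]{8,}\s+"(.*)"\s*$')
_RDX = re.compile(r"^rdx=([0-9a-f]{16})$")


def parse_file_opens(transcript: str) -> List[Tuple[str, int]]:
    """Pair each du line with the rdx line that follows it: (path, access mask)."""
    opens: List[Tuple[str, int]] = []
    pending: Optional[str] = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = _DU.match(line)
        if m:
            pending = m.group(1)
            continue
        m = _RDX.match(line)
        if m and pending is not None:
            opens.append((pending, int(m.group(1), 16)))
            pending = None
    return opens


def describe_access(mask: int) -> str:
    """Human-readable GENERIC_* bits; falls back to the raw mask for specific rights."""
    names = [n for n, bit in (("GENERIC_READ", GENERIC_READ),
                              ("GENERIC_WRITE", GENERIC_WRITE),
                              ("GENERIC_EXECUTE", GENERIC_EXECUTE)) if mask & bit]
    return "|".join(names) or "%#x" % mask


def writes_to(opens: List[Tuple[str, int]]) -> List[str]:
    """Paths the target opened for writing, the ones that deserve a second look."""
    return [p for p, mask in opens if mask & GENERIC_WRITE]


# Constructed, abridged cdb transcript for the offline self-check.
SAMPLE = r"""
ModLoad: 00007ff6`1a2b0000 00007ff6`1a2c8000   MyApp.exe
00000253`8a2f4c40  "C:\Users\me\AppData\Local\Temp\upload.tmp"
rdx=0000000040000000
00000253`8a2f4e10  "\\.\pipe\control"
rdx=00000000c0000000
00000253`8a2f4f00  "C:\Windows\System32\config.ini"
rdx=0000000080000000
"""

if __name__ == "__main__":
    for path, mask in parse_file_opens(SAMPLE):
        print("%-48s %s" % (path, describe_access(mask)))
```

Because the breakpoint command never stops the target, this is the cheap way to answer "which files and named pipes does this binary touch, and which does it write?" before reaching for a kernel-level file monitor. Note that du breaks very long strings over several lines, so a path that wraps will be truncated to its first line by this parser; use the same pattern with .printf "%mu" when exact paths matter.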

3.14 Tracing and stepping

Command / parameters                    Description

g (F5)
    g                                   Go (F5)
    gu                                  Go up = execute until the current function returns
                                        gu ~= g @$ra
                                        gu ~= bp /1 /c @$csp @$ra; g
                                        -> $csp = current stack pointer (esp on x86, rsp on x64)
                                        -> $ra = the current return address on the stack
p (F10)
    p                                   Single step: executes a single instruction or source line. Subroutines are treated as a single step.
    pr                                  Toggle the display of registers and flags
    p Count                             Count = number of instructions or source lines to step before stopping
    p [Count] "Command"                 Command = debugger command executed after the step is performed
    p =StartAddress [Count] ["Command"] StartAddress = start execution at the given address; default is the current instruction pointer (EIP/RIP)
    [~Thread] p [=StartAddress] [Count] ["Command"]
                                        ~Thread = the given thread is thawed and all others are frozen
t (F11)
    t ...                               Single trace: executes a single instruction or source line. Subroutines are traced into, step by step. Same options as p.
pt
    pt ...                              Step to next return: similar to gu (go up), but stays in the context of the current function.
                                        If EIP/RIP is already on a return instruction, the whole return is executed; after that return, execution continues until another return is reached.
tt
    tt ...                              Trace to next return: similar to gu (go up), but stays in the context of the current function.
                                        If EIP/RIP is already on a return instruction, the debugger traces into the return and keeps executing until another return is reached.
pc
    pc ...                              Step to next call: executes the program until a call instruction is reached.
                                        If EIP/RIP is already on a call instruction, the whole call is executed; after the call returns, execution continues until another call is reached.
tc
    tc ...                              Trace to next call: executes the program until a call instruction is reached.
                                        If EIP/RIP is already on a call instruction, the debugger traces into the call and keeps executing until another call is reached.
pa
    pa StopAddr                         Step to address; StopAddr = address at which execution stops. Called functions are treated as a single unit
    par                                 Toggle the display of registers and flags
    pa StopAddr "Command"               Command = debugger command executed after the step is performed
    pa =StartAddress StopAddr ["Command"]
                                        StartAddress = start execution at the given address; default is the current instruction pointer (EIP/RIP)
ta
    ta StopAddr ...                     Trace to address; StopAddr = address at which execution stops. Called functions are traced as well
wt
    wt [Options] [=StartAddr] [EndAddr] Trace and watch data. Go to the beginning of a function and run wt: it runs through the entire function and displays statistics.
                                        StartAddr = where execution begins; EndAddr = address at which tracing ends (default = after the RET of the current function)
    wt -l Depth ...                     l = maximum depth of traced calls
    wt -m Module [-m Module2] ...       m = restrict tracing to Module
    wt -i Module [-i Module2] ...       i = ignore code from Module
    wt -oa ...                          oa = dump the actual address of call sites
    wt -or ...                          or = dump the return register value (EAX/RAX) of sub-functions
    wt -oR ...                          oR = dump the return register value of sub-functions in the appropriate type
    wt -nc ...                          nc = no information on individual calls
    wt -ns ...                          ns = no summary information
    wt -nw ...                          nw = no warnings
.step_filter
    .step_filter                        Dump the current filter list = functions that are skipped when tracing (t, ta, tc)
    .step_filter "FilterList"           FilterList = Filter1; Filter2; ... symbols of the functions to be stepped over (skipped)
    .step_filter /c                     Clear the filter list
                                        .step_filter is not very useful in assembly mode, because each function call is on a different line.

3.15 Call stack

Command / parameters                    Description

k
    k [n] [f] [L] [#Frames]             Dump the stack; n = with frame numbers; f = distance between adjacent frames; L = omit source lines; #Frames = number of stack frames to display
    kb ...                              First 3 parameters
    kp ...                              All parameters: parameter type + name + value
    kP ...                              All parameters, formatted (one per line)
    kv ...                              FPO information, calling convention
kd
    kd [WordCnt]                        Display raw stack data + possible symbol information == dds esp
kM                                      DML variant with links to .frame #; dv
.kframes                                Set the stack length. The default is 20 (0x14)
.frame
    .frame                              Show the current frame
    .frame #                            Select frame #
    .frame /r [#]                       Show the register values
!uniqstack
    !uniqstack                          Show the stacks of all threads
    !uniqstack [b|v|p] [n]              b = first 3 parameters, v = FPO + calling convention, p = all parameters: type + name + value; n = with frame numbers
    !uniqstack -?                       Brief help
!findstack
    !findstack Symbol                   Locate all stacks that contain Symbol or module
    !findstack Symbol [0|1|2]           0 = show only the TID, 1 = TID + frames, 2 = the entire thread stack
    !findstack -?                       Brief help

3.16 Registers

Command / parameters                    Description

r
    r                                   Dump all registers
    r Reg1, Reg2                        Dump only the specified registers (e.g. r eax, edx)
    r Reg=Value                         Value to assign to the register (e.g. r eax=5, edx=6)
    r Reg:Type                          Type = data format in which to display the register (e.g. r eax:uw)
                                          ib = signed byte
                                          ub = unsigned byte
                                          iw = signed word (2 bytes)
                                          uw = unsigned word (2 bytes)
                                          id = signed dword (4 bytes)
                                          ud = unsigned dword (4 bytes)
                                          iq = signed qword (8 bytes)
                                          uq = unsigned qword (8 bytes)
                                          f = 32-bit floating point
                                          d = 64-bit floating point
    r Reg:[Num]Type                     Num = number of elements to display (e.g. r eax:1uw)
                                        Default is the full register length, so r eax:uw displays two values because EAX is a 32-bit register.
    ~Thread r [Reg:[Num]Type]           Thread = thread whose registers are to be read (e.g. ~1 r eax)
rM
    rM Mask                             Dump the register types specified by Mask
    rM Mask Reg1, Reg2                  Dump only the specified registers from the current mask
    rM Mask Reg=Value                   Value to assign to the register
                                        Flags for Mask
                                          0x1 = basic integer registers
                                          0x4 = floating-point registers == rF
                                          0x8 = segment registers
                                          0x10 = MMX registers
                                          0x20 = debug registers
                                          0x40 = SSE XMM registers == rX
rF
    rF                                  Dump all floating-point registers == rM 0x4
    rF Reg1, Reg2                       Dump only the specified floating-point registers
    rF Reg=Value                        Value to assign to the register
rX
    rX                                  Dump all SSE XMM registers == rM 0x40
    rX Reg1, Reg2                       Dump only the specified SSE XMM registers
    rX Reg=Value                        Value to assign to the register
rm
    rm                                  Dump the default register mask. This mask controls how registers are displayed by "r"
    rm ?                                Dump a list of the possible Mask bits
    rm Mask                             Specify the mask to use when displaying the registers

3.17 Information about variables

Command / parameters                    Description

dt
    dt -h                               Brief help
    dt [mod!]Name                       Dump variable/type information
    dt [mod!]Name Field [Field]         Dump only the given field(s) (structs or unions)
    dt [mod!]Name [Field] Addr          Addr = address of the struct to dump
    dt [mod!]Name*                      List symbols (wildcard)
    dt [-n|y] [mod!]Name [-n|y] [Field] [Addr]
                                        -n Name = the parameter is a name (use when the name could be mistaken for an address)
                                        -y Name = partial match instead of the default exact match
    dt [-n|y] [mod!]Name [-n|y] [Field] [Addr] -abcehioprsv
                                        -a = show array elements on new lines with their index
                                        -b = dump only the contiguous block of the struct
                                        -c = compact output (all fields on one line)
                                        -i = do not indent the subtypes
                                        -l ListField = field that is the pointer to the next element of a list
                                        -o = omit the offset values (of the struct fields)
                                        -p = dump from a physical address
                                        -r[l] = recursively dump subtypes/fields (up to l levels)
                                        -s [size] = for enumeration only, enumerate types only of the given size
                                        -v = verbose output
dv
    dv                                  Display local variables and parameters
    dv Pattern                          Variables matching Pattern
    dv [/i /t /V] [Pattern]             i = kind (local, global, parameter), t = data type, V = memory address or register location
    dv [/i /t /V /a /n /z] [Pattern]    a = sort by address, n = sort by name, z = sort by size

3.18 Memory

Command / parameters                    Description

d*
    d[a|u|b|w|W|d|c|q|f|D] [/c #] [Addr]
                                        Display memory; /c # = number of columns to display
                                          a = ASCII chars
                                          u = Unicode chars
                                          b = byte + ASCII
                                          w = word (2 bytes)
                                          W = word (2 bytes) + ASCII
                                          d = dword (4 bytes)
                                          c = dword (4 bytes) + ASCII
                                          q = qword (8 bytes)
                                          f = floating point (single precision, 4 bytes)
                                          D = floating point (double precision, 8 bytes)
    dy[b|d] ...                         b = binary + byte
                                        d = binary + dword
e*
    e[b|w|d|q|f|D] Addr Value           Edit memory
                                          b = byte
                                          w = word (2 bytes)
                                          d = dword (4 bytes)
                                          q = qword (8 bytes)
                                          f = floating point (single precision, 4 bytes)
                                          D = floating point (double precision, 8 bytes)
    e[a|u|za|zu] Addr "String"            a = ASCII string
                                          za = ASCII string (NULL-terminated)
                                          u = Unicode string
                                          zu = Unicode string (NULL-terminated)
ds, dS
    ds [/c #] [Addr]                    Dump a string struct (a struct, not a null-terminated char sequence)
    dS [/c #] [Addr]                    s = STRING or ANSI_STRING; S = UNICODE_STRING
d*s
    dds [/c #] [Addr]                   Display words and symbols (the memory at Addr is assumed to be a series of addresses in the symbol table)
    dqs [/c #] [Addr]                   dds = dwords (4 bytes); dqs = qwords (8 bytes)
dd*, dq*, dp*
    dd*, dq*, dp*                       Display referenced memory = display the pointer at the given Addr, dereference it, then display the memory at the resulting location in a variety of formats.
                                        The 2nd character determines the pointer size used:
                                          dd* -> 32-bit pointer
                                          dq* -> 64-bit pointer
                                          dp* -> standard size: 32-bit or 64-bit depending on the CPU architecture
    d*a, d*u, d*p                       The 3rd character determines how the dereferenced memory is displayed:
                                          d*a -> as ASCII chars
                                          d*u -> as Unicode chars
                                          d*p -> as a dword or qword depending on the CPU architecture; if the value matches a known symbol, that symbol is displayed too
dl
    dl[b] Addr MaxCount Size            Display a linked list (LIST_ENTRY or SINGLE_LIST_ENTRY)
                                        b = dump in reverse order (follow Blinks instead of Flinks)
                                        Addr = start address of the list
                                        MaxCount = maximum number of elements to dump
                                        Size = size of each element
                                        Use !list to execute a command for each element of the list.
!address                                Display information about the memory used by the target process
    !address -?                         Brief help
    !address Addr                       Dump information about the region containing Addr
    !address -summary                   Dump summary information for the process
    !address -RegionUsageXXX            Dump the specified regions (RegionUsageStack, RegionUsagePageHeap, ...)
!vprot
    !vprot -?                           Brief help
    !vprot Addr                         Dump virtual memory protection information
!mapped_file
    !mapped_file -?                     Brief help
    !mapped_file Addr                   Dump the name of the file that contains the given Addr

3.19 Operating on memory ranges

A Range is written either as StartAddr EndAddr or as StartAddr L Count (Count = number of elements); L? Count lifts the default 256 MB size limit, which is needed when sweeping a whole address space.

Command / parameters                    Description

c
    c Range DestAddr                    Compare memory
m
    m Range DestAddr                    Move memory
f
    f Range Pattern                     Fill memory. Pattern = a series of bytes (numeric or ASCII chars)
s
    s Range Pattern                     Search memory
    s -[Flags]b Range Pattern           b = byte (default); Pattern = a series of bytes (numeric or ASCII chars)
    s -[Flags]w Range 'Pattern'         w = word (2 bytes)
    s -[Flags]d Range 'Pattern'         d = dword (4 bytes)
    s -[Flags]q Range 'Pattern'         q = qword (8 bytes)
                                        Pattern = enclosed in single quotation marks (for example 'Tag7')
    s -[Flags]a Range "Pattern"         a = ASCII string (not null-terminated)
    s -[Flags]u Range "Pattern"         u = Unicode string (not null-terminated)
                                        Pattern = enclosed in double quotation marks (for example "This string")
    s -[Flags,l Length]sa Range         Search for any memory containing printable ASCII strings
    s -[Flags,l Length]su Range         Search for any memory containing printable Unicode strings
                                        Length = minimum length of such strings; the default is 3 chars
    s -[Flags]v Range Object            Search for objects of the same type.
                                        Object = address of a pointer to the object, or of the object itself
                                        Flags
                                          w = search only writable memory
                                          1 = output only the addresses of the matches (useful with .foreach)
                                        Flags must be enclosed in a single pair of square brackets without spaces.
                                        Example: s -[swl 10]Type Range Pattern
.holdmem                                Hold and compare memory; the comparison is made byte for byte
    .holdmem -a Range                   Memory range to save
    .holdmem -o                         Display all saved memory ranges
    .holdmem -c Range                   Compare Range to all saved memory ranges
    .holdmem -D                         Delete all saved memory ranges
    .holdmem -d { Range | Address }     Delete the specified memory ranges (any saved range that contains Address or overlaps Range)

3.20 Memory: heap

Command / parameters                    Description

!heap
    !heap -?                            Brief help
    !heap                               List the heaps with index and HeapAddr
    !heap -h                            List the heaps with index and range (= startAddr (= HeapAddr), endAddr)
    !heap -h [HeapAddr | Idx | 0]       Detailed heap information [Idx = heap index, 0 = all heaps]
    !heap -v [HeapAddr | Idx | 0]       Validate the heap [Idx = heap index, 0 = all heaps]
    !heap -s [HeapAddr | 0]             Summary information, i.e. reserved and committed memory [Idx = heap index, 0 = all heaps]
    !heap -i [HeapAddr]                 Detailed information about the block at the given address
    !heap -x [-v] Address               Search for the heap block containing Address (v = search the entire virtual address space of the process)
    !heap -l                            Search for potentially leaked heap blocks
!heap -b, -B
    !heap Heap -b [alloc | realloc | free] [Tag]
                                        Set a conditional breakpoint in the heap manager [Heap = HeapAddr | Idx | 0]
    !heap Heap -B [alloc | realloc | free]
                                        Remove the conditional breakpoint
!heap -flt
    !heap -flt s Size                   Dump information about the allocations matching the given size
    !heap -flt r SizeMin SizeMax        Filter by a size range
!heap -stat
    !heap -stat                         Dump the list of heap handles
    !heap -stat -h [HeapHandle | 0]     Dump usage statistics per AllocSize [HeapHandle = the given heap | 0 = all heaps].
                                        The statistics include AllocSize, #blocks and TotalMem for each AllocSize.
!heap -p
    !heap -p -?                         Extended page heap help
    !heap -p                            Summary of NtGlobalFlag, HeapHandle + NormalHeap list
    !heap -p -h HeapHandle              Detailed information about the page heap with that handle
    !heap -p -a UserAddr                Details of the heap allocation containing UserAddr. Prints the allocation backtrace when available.
    !heap -p -all                       Details of all allocations in all heaps of the process.
                                        The output for every HeapAlloc call includes UserAddr and AllocSize.

The !heap -p commands only have something to show when page heap is enabled for the process (gflags /p /enable App.exe, optionally /full so that every overrun faults immediately), and the backtraces only appear when the user-mode stack trace database is on (gflags /i App.exe +ust); both must be set before the target is started.

3.21 Application Verifier

Command / parameters                    Description

!avrf                                   Display the Application Verifier options. If an Application Verifier stop has occurred, reveal the nature and cause of the stop.
    !avrf -?                            Brief help
    !avrf -vs N                         Dump the last N entries of the vspace log (MapViewOfFile, UnmapViewOfFile, ...)
    !avrf -vs -a ADDR                   Search the vspace log for ADDR
    !avrf -hp N                         HeapAlloc, HeapFree, new, delete log (last N entries)
    !avrf -hp -a ADDR                   Search the heap log for ADDR
    !avrf -cs N                         DeleteCriticalSection API log (last N entries). ~CCriticalSection calls this implicitly.
    !avrf -cs -a ADDR                   Search the critical section deletion log for ADDR
    !avrf -dlls N                       LoadLibrary / FreeLibrary log
    !avrf -ex N                         Exception log
    !avrf -cnt                          Global counters (WaitForSingleObject, HeapAllocation calls, ...)
    !avrf -threads                      Thread information + start parameters of child threads
    !avrf -trm                          TerminateThread API log
    !avrf -trace INDEX                  Dump the stack trace with the given INDEX
    !avrf -brk [INDEX]                  Dump or set/reset break triggers

3.22 Logger extension (logexts.dll)

Command / parameters                    Description

!logexts.help                           Display all Logexts.dll extension commands
!loge
    !loge [dir]                         Enable logging, initializing it first if that has not been done yet. The output directory is optional.
!logi                                   Initialize (= inject the Logger into the target application) but do not enable logging
!logd                                   Disable logging
!logo
    !logo                               List the output settings
    !logo [e|d] [d|t|v]                 Enable/disable [d = debugger, t = text file, v = verbose log] output. Use logviewer.exe to inspect verbose logs.
!logc
    !logc                               List all categories
    !logc p #                           List the APIs in category #
    !logc [e|d] *                       Enable/disable all categories
    !logc [e|d] # [#] [#]               Enable/disable category #
!logb
    !logb p                             Print the buffer contents to the debugger
    !logb f                             Flush the buffer to the log file
!logm
    !logm                               Display the module include/exclude list
    !logm [i|x] [DLL] [DLL]             Specify the module include/exclude list

Posted 2022-11-30 11:33 by this毛豆