  • Common WinDbg commands

    .extpath - extension module search path

    .ecxr;kb - switch to the exception context record, then show the stack

    !analyze -v - automatic crash/exception analysis
    ~ - list the threads of the current process
    ~* - the "all threads" specifier; ~*<cmd> runs <cmd> on every thread (see ~*kb below)
    lm - list loaded modules
    !sym noisy / !sym quiet - turn verbose symbol-loading output on or off
    .srcpath - set the source path
    k - show the current call stack
    ~*kb - show the call stack of every thread
    dv - show local variables (Ctrl+Alt+V toggles verbose mode)
    .frame - select a call-stack frame
    dt xxx - dump a data structure such as the PEB

    dt ESAlertServer!* /v /s 14 

    !gle / !error - show the current thread's last error (!error decodes an error code)
    !teb - show the current Thread Environment Block
    !peb - show the current Process Environment Block
    r [@register] - show register values (all registers, or only the one named)
    ln [Address] - list the nearest symbols to an address
    x [Module!Pattern] - look up global variables and functions
    !locks - show lock (critical section) usage; the tool for diagnosing deadlocks

    .bpcmds - list the current breakpoints as commands that recreate them
    .record_branches - branch-trace recording; only useful on 64-bit
     
    .shell (run a shell command)

    exit (quit)

    .kdfiles map.ini  (driver replacement map: when the target loads the first path, the debugger serves the host file instead)

    map.ini

    map
    \Systemroot\system32\drivers\tag.sys
    c:\host.sys


     

    Resource inspection: !handle - show the active handles

    !handle ? f   (!handle 0 f lists every handle with full details)
    !htrace [-enable] - display and trace all handle operations

    !htrace [Handle [Max_Traces]]
    !htrace -enable [Max_Traces]
    !htrace -snapshot
    !htrace -diff
    !htrace -disable

    Method:
    Break into the process with Ctrl+Break in WinDbg and enable handle tracing with !htrace -enable (htrace has several handle-tracking commands; see the WinDbg help). Then let the program run with g.

    Break in again and take a snapshot of the process's handles with !htrace -snapshot; let the program run again.

    Break in a third time and run !htrace -diff to get the difference between the current handle state and the snapshot from step 2: the stack traces of handles opened since the snapshot that are still open.

    Pass the reported code location to lsa, e.g. lsa ESCC!funn+0x0000002e, to see the source around it; that is the function leaking the handle.

    for_each

    !for_each_frame

    !for_each_local

    !for_each_module

    !for_each_module .echo @#ModuleIndex : @#Base @#End @#ModuleName @#ImageName  @#LoadedImageName
    !for_each_module x ${@#ModuleName}!*Debug*Flag*
    !for_each_module x ${@#ModuleName}!g*Debug*
    !for_each_module s-a @#Base @#End "MZ"

    vertarget - show the target's OS and version information


    u - disassemble

    uf - disassemble a whole function


    bp [Module!Function] - set a breakpoint, e.g. bp kernel32!SetLastError
    bl - list breakpoints
    ba - hardware (data access) breakpoint
    ba w4 0x4000000 "kb;g" - on every 4-byte write to 0x4000000, show the call stack and continue
    p, pa, t, ta - execution control: step over, step over to address, trace (step into), trace to address

    .time - show session, target and process times

    !runaway 7 - per-thread CPU usage; 7 is the bit mask described below

    Bit 0 (0x1)
    Causes the debugger to show the amount of user time consumed by each thread.
    Bit 1 (0x2)
    Causes the debugger to show the amount of kernel time consumed by each thread.
    Bit 2 (0x4)
    Causes the debugger to show the amount of time that has elapsed since each thread was created.
    Changing contexts

    .frame /r 1

    .cxr (Display Context Record)

    .ecxr (Display Exception Context Record)

    Other

    .load C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\sos.dll  (load SOS for managed .NET 2.0 debugging)

    !dumpheap -stat
    !eeversion

    .chain - list the loaded extension DLLs and their search order

    Show the current thread's error value: !gle shows the thread's last error value and last status value. !error decodes an error code into its message.

    Look at locks: !locks shows each thread's use of lock resources; very useful for debugging deadlocks.

    Look at handles: !handle shows handle information. If a piece of code leaks handles, run !handle before and after it executes and compare the two outputs. The !htrace command is very useful for handle-related bugs. Before starting to debug, enter:

    !htrace -enable

    then, during debugging, use !htrace handle_value to show every call stack that touched that handle.

    Show current thread, process and module information

    !teb shows the current thread's environment information. The most common use is to read the thread's stack base and limit and then search the stack for a value.

    !peb shows the current process's environment information, such as the path of the executable.

    lm shows the modules loaded in the process.

    ? - evaluate an expression (n sets the default radix)

    1: kd> n 10
    base is 10
    1: kd> ? 0x123
    Evaluate expression: 291 = 00000123
    1: kd> ? 123
    Evaluate expression: 123 = 0000007b

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image.exe>
    Debugger  (REG_SZ: the debugger command line; Windows starts that program instead of the image and passes it the image's command line, so the process is under WinDbg from its first instruction. Any program named here runs in place of the image, so audit this key: it is a well-known persistence and execution-hijacking location.)
     
    !heap
    !heap [HeapOptions] [ValidationOptions] [Heap]
    !heap -b [{alloc|realloc|free} [Tag]] [Heap | BreakAddress]
    !heap -B {alloc|realloc|free} [Heap | BreakAddress]
    !heap -l
    !heap -s [SummaryOptions] [StatHeapAddress]
    !heap -i HeapAddress
    !heap -x [-v] Address
    !heap -p [PageHeapOptions]
    !heap -srch [SizePattern]
    !heap -flt FilterOptions
    !heap -stat [-h Handle [-grp GroupBy [MaxDisplay]]]
    !heap [-p] -?

    0:001> !heap -s
      Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                        (k)     (k)    (k)     (k) length      blocks cont. heap
    -----------------------------------------------------------------------------
    00150000 00000002    1024     52     52      5     1     1    0      0   L 
    00250000 00008000      64     12     12     10     1     1    0      0     
    00370000 00000002      64     36     36      5     2     1    0      0   L 
    00380000 00001002      64     16     16      0     0     1    0      0   L 
    003a0000 00001002     256     12     12      4     1     1    0      0   L 
    00030000 00001002      64     32     32      4     1     1    0      0   L 
    003e0000 00001002      64     32     32     24     1     1    0      0   L 
    Virtual block: 00aa0000 - 00aa0000 (size 00000000)
    Virtual block: 00bc0000 - 00bc0000 (size 00000000)

    00a80000 00001003      64     20     20      8     1     1    2    bad     
    -----------------------------------------------------------------------------


    0:001> !heap -s
      Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                        (k)     (k)    (k)     (k) length      blocks cont. heap
    -----------------------------------------------------------------------------
    00150000 00000002    1024     52     52      5     1     1    0      0   L 
    00250000 00008000      64     12     12     10     1     1    0      0     
    00370000 00000002      64     36     36      5     2     1    0      0   L 
    00380000 00001002      64     16     16      0     0     1    0      0   L 
    003a0000 00001002     256     12     12      4     1     1    0      0   L 
    00030000 00001002      64     32     32      4     1     1    0      0   L 
    003e0000 00001002      64     32     32     24     1     1    0      0   L 
    Virtual block: 00aa0000 - 00aa0000 (size 00000000)
    Virtual block: 00bc0000 - 00bc0000 (size 00000000)
    Virtual block: 00cd0000 - 00cd0000 (size 00000000)
    Virtual block: 00de0000 - 00de0000 (size 00000000)

    00a80000 00001003      64     20     20      8     1     1       bad     
    -----------------------------------------------------------------------------


    0:001> !heap -stat -h 00a80000
     heap @ 00a80000
    group-by: TOTSIZE max-display: 20
        size     #blocks     total     ( %) (percent of total busy bytes)
        100000 4 - 400000  (99.76)
        1000 1 - 1000  (0.10)
        800 1 - 800  (0.05)
        280 1 - 280  (0.02)
        20 12 - 240  (0.01)
        30 9 - 1b0  (0.01)
        40 6 - 180  (0.01)
        160 1 - 160  (0.01)
        50 4 - 140  (0.01)
        110 1 - 110  (0.01)
        100 1 - 100  (0.01)
        d0 1 - d0  (0.00)
        60 2 - c0  (0.00)
        10 b - b0  (0.00)

    0:001> !heap -flt s 100000
        _HEAP @ 150000
        _HEAP @ 250000
        _HEAP @ 370000
        _HEAP @ 380000
        _HEAP @ 3a0000
        _HEAP @ 30000
        _HEAP @ 3e0000
        _HEAP @ a80000
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
            00aa0018 20000 0000  [0b]   00aa0020    100000 - (busy VirtualAlloc)
            00bc0018 20000 0000  [0b]   00bc0020    100000 - (busy VirtualAlloc)
            00cd0018 20000 0000  [0b]   00cd0020    100000 - (busy VirtualAlloc)
            00de0018 20000 0000  [0b]   00de0020    100000 - (busy VirtualAlloc)

    0:001> !heap -p -a 00aa0018
        address 00aa0018 found in
        _HEAP @ a80000
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
            00aa0018 20000 0000  [0b]   00aa0020    100000 - (busy VirtualAlloc)
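    The listings above are the manual leak hunt: two !heap -s captures show heap 00a80000 gaining two new virtual blocks, !heap -stat -h ranks its allocations by total size, !heap -flt s lists the blocks of the dominant size, and !heap -p -a maps one of them back to its allocator (the allocation stack only appears there when page heap or user-mode stack tracing has been enabled with gflags). The following is an added example, not code from the original post: a Python script that parses captures of that debugger output and does the first two steps automatically. It assumes only what the page's own output shows, namely that "Virtual block:" lines are printed just before the summary row of the heap that owns them, and that the (k) columns are decimal while addresses and stat sizes are hex; the embedded captures are constructed from the listings above.

```python
import re

# Added example (not from the original post): script the "!heap -s" diff and the
# "!heap -stat -h" ranking. Assumption taken from the page's own output: "Virtual
# block:" lines precede the summary row of the heap that owns them; the (k) columns
# are decimal, addresses and stat sizes are hex.
HEAP_ROW = re.compile(
    r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
VBLOCK = re.compile(
    r"^\s*Virtual block:\s*([0-9a-f]+)\s*-\s*([0-9a-f]+)\s*\(size\s*([0-9a-f]+)\)")
STAT_ROW = re.compile(r"^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\(([\d.]+)\)")


def parse_heap_summary(text):
    """Map heap address -> its '!heap -s' row, with the virtual blocks it owns."""
    heaps, pending = {}, []
    for line in text.splitlines():
        m = VBLOCK.match(line)
        if m:
            pending.append(int(m.group(1), 16))   # start address of the virtual block
            continue
        m = HEAP_ROW.match(line)
        if m:
            heaps[int(m.group(1), 16)] = {
                "flags": int(m.group(2), 16),
                "reserve_k": int(m.group(3)), "commit_k": int(m.group(4)),
                "virt_k": int(m.group(5)), "free_k": int(m.group(6)),
                "vblocks": pending,
            }
            pending = []
    return heaps


def diff_heap_summaries(before, after):
    """Heaps whose commit grew or which gained virtual blocks between two captures."""
    changed = {}
    for addr, cur in after.items():
        old = before.get(addr, {"commit_k": 0, "vblocks": []})
        new_blocks = sorted(set(cur["vblocks"]) - set(old["vblocks"]))
        growth_k = cur["commit_k"] - old["commit_k"]
        if growth_k > 0 or new_blocks:
            changed[addr] = {"commit_growth_k": growth_k, "new_vblocks": new_blocks}
    return changed


def rank_heap_stat(text):
    """'!heap -stat -h' rows as (size, count, total_bytes), largest total first.
    The first entry's size is the one to pass to '!heap -flt s'."""
    rows = [(int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16))
            for m in map(STAT_ROW.match, text.splitlines()) if m]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed captures, trimmed copies of the two "!heap -s" listings above.
BEFORE = """\
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
-----------------------------------------------------------------------------
00150000 00000002    1024     52     52      5     1     1    0      0   L
00250000 00008000      64     12     12     10     1     1    0      0
Virtual block: 00aa0000 - 00aa0000 (size 00000000)
Virtual block: 00bc0000 - 00bc0000 (size 00000000)
00a80000 00001003      64     20     20      8     1     1    2    bad
"""
AFTER = """\
00150000 00000002    1024     52     52      5     1     1    0      0   L
00250000 00008000      64     12     12     10     1     1    0      0
Virtual block: 00aa0000 - 00aa0000 (size 00000000)
Virtual block: 00bc0000 - 00bc0000 (size 00000000)
Virtual block: 00cd0000 - 00cd0000 (size 00000000)
Virtual block: 00de0000 - 00de0000 (size 00000000)
00a80000 00001003      64     20     20      8     1     1    4    bad
"""
STAT = """\
 heap @ 00a80000
group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    100000 4 - 400000  (99.76)
    1000 1 - 1000  (0.10)
    20 12 - 240  (0.01)
"""

if __name__ == "__main__":
    before, after = parse_heap_summary(BEFORE), parse_heap_summary(AFTER)
    for addr, d in diff_heap_summaries(before, after).items():
        print("heap %08x: commit +%dk, new virtual blocks %s"
              % (addr, d["commit_growth_k"], ["%08x" % b for b in d["new_vblocks"]]))
    size, count, total = rank_heap_stat(STAT)[0]
    print("dominant size %x (%d blocks, %x bytes) -> !heap -flt s %x" % (size, count, total, size))
```

    Run against the two captures it reports only heap 00a80000, with the two virtual blocks that appeared between them; the size it ranks first is what goes into !heap -flt s, and the blocks that command lists are the ones to hand to !heap -p -a.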


    dt _DPH_BLOCK_INFORMATION  (page-heap block header; only present when page heap is enabled with gflags)

    Local kernel debugging (lkd)

    !process 0 0

     

    PROCESS 8a038c50  SessionId: 0  Cid: 0118    Peb: 7ffd8000  ParentCid: 05bc
        DirBase: 7f35c2a0  ObjectTable: e2a35f40  HandleCount: 291.
        Image: ESCC.EXE

    PROCESS 89fb4020  SessionId: 0  Cid: 025c    Peb: 7ffdd000  ParentCid: 05bc
        DirBase: 7f35c2c0  ObjectTable: e29cfab8  HandleCount: 194.
        Image: CenterDS.exe

    PROCESS 89e378c8  SessionId: 0  Cid: 0364    Peb: 7ffd5000  ParentCid: 05bc
        DirBase: 7f35c2e0  ObjectTable: e2dfaeb0  HandleCount:  87.
        Image: PluginProxy.exe

    PROCESS 89f41a10  SessionId: 0  Cid: 03e0    Peb: 7ffde000  ParentCid: 05bc
        DirBase: 7f35c300  ObjectTable: e2bc2168  HandleCount: 188.
        Image: ESPMServer.exe

     

     

    lkd> .process 8a038c50

    kd> .context

    lkd> !peb
    PEB at 7ffd8000
        InheritedAddressSpace:    Yes
        ReadImageFileExecOptions: Yes
        BeingDebugged:            Yes
        ImageBaseAddress:         09c0e000
        Ldr                       00000000
        *** unable to read Ldr table at 00000000
        SubSystemData:     00000000
        ProcessHeap:       7ffd8000
        ProcessParameters: 00001e00
        WindowTitle:  '< Name not readable >'
        ImageFile:    '< Name not readable >'
        CommandLine:  '< Name not readable >'
        DllPath:      '< Name not readable >'
        Environment:  00000000
           Unable to read Environment string.

    The garbage above (an Ldr of zero, a ProcessHeap equal to the PEB address, unreadable strings) is what you get when the PEB is read through the wrong address space. .process on its own only changes the implicit process; use .process /p /r 8a038c50 so that user-mode addresses are translated through that process's page tables and its user-mode symbols are reloaded. In local kernel debugging, pages of the target that are paged out still cannot be read.

     

    lkd> !handle

    !address -summary

    kd> !address -summary
    804d8000 - 001f7000                          
              Usage       KernelSpaceUsageImage
              ImageName   ntkrnlpa.exe

      806cf000 - 00021000
              Usage       KernelSpaceUsageImage
              ImageName   halaacpi.dll

      81000000 - 001c1000
              Usage       KernelSpaceUsagePFNDatabase

      811c1000 - 00818000
              Usage       KernelSpaceUsageNonPagedPool

      bc000000 - 00400000
              Usage       KernelSpaceUsageSessionPool

      bc400000 - 03400000
              Usage       KernelSpaceUsageSessionView

      bf800000 - 00800000
              Usage       KernelSpaceUsageSessionImage

      c1200000 - 1fe00000
              Usage       KernelSpaceUsageSystemCache

      e1000000 - 0ca00000
              Usage       KernelSpaceUsagePagedPool


    !pool 

    1: kd> !pool e7a88000
    Pool page e7a88000 region is Nonpaged pool
    e7a88000 is not a valid large pool allocation, checking large session pool...
    e7a88000 is freed (or corrupt) pool
    Bad allocation size @e7a88000, too large

    ***
    *** An error (or corruption) in the pool was detected;
    *** Attempting to diagnose the problem.
    ***
    *** Use !poolval e7a88000 for more details.
    ***

    Pool page [ e7a88000 ] is __inVALID.

    Analyzing linked list...


    Scanning for single bit errors...

    None found

    1: kd> !pool e7a88000-8
    Pool page e7a87ff8 region is Nonpaged pool
     e7a87000 size:  be8 previous size:    0  (Free)       Strg
     e7a87be8 size:  160 previous size:  be8  (Allocated)  CcSc
     e7a87d48 size:  128 previous size:  160  (Allocated)  Ntfi
    *e7a87e70 size:  190 previous size:  128  (Allocated) *Epos
      Owning component : Unknown (update pooltag.txt)
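    What !pool is doing in the listing above is walking the chain of POOL_HEADERs across a page and checking that each block's size stays inside the page and that its PreviousSize matches the size of the block before it; the "Bad allocation size ... too large" line is one of those checks failing. The following is an added example, not code from the original post, of that walk in Python against a constructed page laid out exactly as the !pool e7a88000-8 listing shows (Strg, CcSc, Ntfi, Epos), plus a copy whose second header has been overwritten the way an overflow out of the first block would overwrite it. It assumes the 32-bit x86 POOL_HEADER layout of that era (9-bit PreviousSize and BlockSize in 8-byte units, 7-bit PoolIndex and PoolType, 4-byte tag, PoolType 0 meaning free); the page contents and the corruption are constructed for the example.

```python
import struct

# Added example (not from the original post): a minimal model of the header walk
# !pool performs on one 32-bit x86 nonpaged-pool page. Assumed POOL_HEADER layout:
#   USHORT PreviousSize:9 | PoolIndex:7;  USHORT BlockSize:9 | PoolType:7;  ULONG PoolTag
# Sizes are in 8-byte units and PoolType == 0 marks a free block.
PAGE_SIZE = 0x1000
GRANULARITY = 8
HEADER_FMT = "<HH4s"


def pack_pool_header(prev_size, block_size, pool_type, tag):
    """Encode one POOL_HEADER; prev_size and block_size are byte counts."""
    assert prev_size % GRANULARITY == 0 and block_size % GRANULARITY == 0
    word0 = (prev_size // GRANULARITY) & 0x1FF                     # PoolIndex left at 0
    word1 = ((block_size // GRANULARITY) & 0x1FF) | ((pool_type & 0x7F) << 9)
    return struct.pack(HEADER_FMT, word0, word1, tag.encode("ascii"))


def build_page(layout):
    """Lay out a page from (size, pool_type, tag) tuples, chaining PreviousSize."""
    page = bytearray(PAGE_SIZE)
    offset, prev = 0, 0
    for size, pool_type, tag in layout:
        page[offset:offset + 8] = pack_pool_header(prev, size, pool_type, tag)
        offset, prev = offset + size, size
    assert offset == PAGE_SIZE, "layout must fill the page exactly"
    return page


def walk_pool_page(page, base):
    """Walk the header chain like !pool does. Returns (blocks, error): the blocks
    validated so far and None, or a !pool-style message for the first bad header."""
    blocks, offset, expected_prev = [], 0, 0
    while offset < PAGE_SIZE:
        word0, word1, tag = struct.unpack_from(HEADER_FMT, page, offset)
        prev_size = (word0 & 0x1FF) * GRANULARITY
        block_size = (word1 & 0x1FF) * GRANULARITY
        pool_type = word1 >> 9
        addr = base + offset
        if block_size == 0 or offset + block_size > PAGE_SIZE:
            return blocks, "Bad allocation size @%08x, too large" % addr
        if prev_size != expected_prev:
            return blocks, "Bad previous allocation size @%08x, last size was %x" % (addr, expected_prev)
        blocks.append({"addr": addr, "size": block_size, "prev": prev_size,
                       "state": "Allocated" if pool_type else "Free",
                       "tag": tag.decode("ascii", "replace")})
        expected_prev, offset = block_size, offset + block_size
    return blocks, None


def find_block(blocks, addr):
    """The block whose [header, header+size) range contains addr, as !pool marks with '*'."""
    for b in blocks:
        if b["addr"] <= addr < b["addr"] + b["size"]:
            return b
    return None


# Constructed sample: the page at e7a87000 as the !pool e7a88000-8 listing shows it.
SAMPLE_BASE = 0xE7A87000
SAMPLE_LAYOUT = [(0xBE8, 0, "Strg"), (0x160, 1, "CcSc"), (0x128, 1, "Ntfi"), (0x190, 1, "Epos")]
SAMPLE_PAGE = build_page(SAMPLE_LAYOUT)

# Constructed corruption: an overflow out of the Strg block clobbers the CcSc header
# with 0xff bytes, which is what a pool overflow typically looks like in !pool output.
CORRUPT_PAGE = bytearray(SAMPLE_PAGE)
CORRUPT_PAGE[0xBE8:0xBE8 + 8] = b"\xff" * 8


def report(page, base):
    """Print the page the way !pool lists it and return the walk result."""
    blocks, error = walk_pool_page(page, base)
    for b in blocks:
        print("%08x size: %4x previous size: %4x  (%s)  %s"
              % (b["addr"], b["size"], b["prev"], b["state"], b["tag"]))
    if error:
        print("***", error, "- confirm with !poolval on the page")
    return blocks, error


if __name__ == "__main__":
    report(SAMPLE_PAGE, SAMPLE_BASE)
    report(CORRUPT_PAGE, SAMPLE_BASE)
```

    The clean page walks to exactly the four blocks of the listing, and the queried address e7a87ff8 lands inside the Epos block; on the overwritten page the walk stops at e7a87be8 with the same "too large" complaint !pool printed, which is why that message usually means an overflow from the block immediately before the reported address rather than a problem with that block itself.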

    Setting conditional breakpoints in WinDbg
    Conditional breakpoint: a breakpoint command plus "j (Execute If-Else)" and "gc (Go from Conditional Breakpoint)"
    Form: bp Address "j (Condition) 'OptionalCommands'; 'gc' "

    Only how to write the condition is explained here.

    1. Non-struct variables:
            "j (poi(MyVar)>5) '';'gc'"   MyVar is an integer variable in the code. The default debugger configuration uses MASM syntax, under which MyVar is treated as a pointer (its address), so the condition must dereference it with poi. If the debugger is configured for C++ syntax, MyVar is parsed as the integer variable itself and can be used directly. The command for the true branch is empty, so when the condition holds the debugger stops here; otherwise gc resumes execution from the breakpoint.

    2. Struct variables
            "j (@@c++(MyStruct->field)>5) '';'gc'"   To test a member of a struct variable, parse the expression with C++ syntax: @@c++(...). Because the default is MASM syntax, struct members are always written this way.

    3. Registers
            "j @eax = 0xa3 ''; 'gc'"                                     <1>
            "j @eax = 0xc0004321 '';'gc'"                            <2>
            "j (@eax & 0x0`ffffffff) = 0x0`c0004321 '';'gc'"     <3>
       Form <1>: the breakpoint triggers when eax equals 0xa3.
       In MASM expressions register values are sign-extended: 0xc0004321 is actually treated as 0xffffffff`c0004321, even though it is displayed as 0xc0004321. This sign extension only happens in kernel mode, so form <2> fails in kernel mode. The best fix is to compare as in form <3>, which masks the register first and works in both kernel mode and user mode.

    bu MSMPPEKey::insert "kb; .time; g"

    bm /a iassam!Auth* "kb; g"

  • Original post: https://www.cnblogs.com/ahuo/p/1739053.html