  • Last working day of 2012; posting some WinDbg commands.

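    WinDbg is a superb debugging tool on Windows. Below I just list the commands with very few comments; I think seeing the command is enough, since there are plenty of places to look up the details.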
    Then let's begin:

    .kdfiles -m \systemroot\system32\drivers\abc.sys D:\local\abc.sys
    !ndiskd.miniports
    !stacks 2: display the stacks and other information for all threads.
    lm: list module information.
    !lmi abc.sys: list information about the specified module.
    !process 0 0: show all processes.
    !thread: show the current thread.
    !address: show information about memory.
    .process: set the virtual address context to a process.
    .thread: set the register context.
    .frame: switch to the specified stack level.
    !dd: dump memory at a physical address.
    k: show the current call stack.
    dd: dump memory at a virtual address.
    Combined commands: bu npf!NPF_tap "j(1)'db LookaheadBuffer;gc'"
    MS Symbol Path: srv*D:\WinDDK\Symbols*http://msdl.microsoft.com/download/symbols;
    Get the physical address for a virtual address: !pte

    0: kd> !pte 0xfffffa80`0345c518
    VA fffffa800345c518
    PXE at FFFFF6FB7DBEDFA8    PPE at FFFFF6FB7DBF5000    PDE at FFFFF6FB7EA000D0    PTE at FFFFF6FD4001A2E0
    contains 0000000078A2B863  contains 0000000078A2A863  contains 80000001002009E3  contains 0000000000000000
    pfn 78a2b     ---DA--KWEV  pfn 78a2a     ---DA--KWEV  pfn 100200    -GLDA--KW-V  LARGE PAGE pfn 10025c
    
    0: kd> dd 0xfffffa80`0345c518 L 0x10
    fffffa80`0345c518 00000000 0000000b 00000004 00000000
    fffffa80`0345c528 0078d7d0 00000000 00259ad0 fffff8a0
    fffffa80`0345c538 fffffffc ffffffff 034ef590 fffffa80
    fffffa80`0345c548 054a5070 fffffa80 04836501 fffffa80
    0: kd> !dd 10025c518
    #10025c518 00000000 0000000b 00000004 00000000
    #10025c528 0078d7d0 00000000 00259ad0 fffff8a0
    #10025c538 fffffffc ffffffff 034ef590 fffffa80
    #10025c548 054a5070 fffffa80 04836501 fffffa80
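
The arithmetic behind the !pte and !dd output above, as an added Python example that is not part of the original post. It assumes the page-table self-map index 0x1ED that the "PXE at" address in this dump implies (later Windows 10 builds randomize that slot); the function names are made up for illustration.

```python
# Added example (not from the original post): x64 4-level paging arithmetic.
SELF_REF = 0x1ED                 # assumption: self-map PML4 slot implied by this dump
ADDR_MASK = 0x000FFFFFFFFFF000   # physical address bits 12..51 of a table entry
PRESENT, LARGE = 1 << 0, 1 << 7  # the V and L flags that !pte prints


def canonical(addr48):
    """Sign-extend a 48-bit virtual address to 64 bits."""
    return addr48 | 0xFFFF000000000000 if addr48 & (1 << 47) else addr48


def entry_addresses(va, self_ref=SELF_REF):
    """Virtual addresses ('... at' row) of the four entries that map va."""
    va48, base, out = va & 0xFFFFFFFFFFFF, 0, {}
    for depth, name in enumerate(("PTE", "PDE", "PPE", "PXE")):
        # Each level up prepends one more copy of the self-reference index.
        base |= self_ref << (39 - 9 * depth)
        out[name] = canonical(base + (va48 >> (12 + 9 * depth)) * 8)
    return out


def translate(va, pxe, ppe, pde, pte=0):
    """Walk the entry values ('contains' row) and return the physical address."""
    levels = (("PXE", pxe, None), ("PPE", ppe, 30), ("PDE", pde, 21), ("PTE", pte, 12))
    for name, entry, page_bits in levels:
        if not entry & PRESENT:
            raise ValueError(f"{name} is not valid, address is not mapped")
        # A set L bit ends the walk early: 1 GB page at PPE, 2 MB page at PDE.
        if page_bits == 12 or (page_bits and entry & LARGE):
            offset_mask = (1 << page_bits) - 1
            return (entry & ADDR_MASK & ~offset_mask) | (va & offset_mask)


if __name__ == "__main__":
    va = 0xFFFFFA800345C518  # values below are copied from the !pte output above
    for name, addr in entry_addresses(va).items():
        print(f"{name} at {addr:016X}")
    pa = translate(va, 0x78A2B863, 0x78A2A863, 0x80000001002009E3)
    print(f"physical {pa:x}, pfn {pa >> 12:x}")  # the address handed to !dd
```

Because the PDE has the L bit set, the walk stops at the 2 MB page and the all-zero PTE column is never consulted, which is why !pte prints a derived pfn next to "LARGE PAGE".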

    I will keep updating this as I find new useful commands.

  • Original article: https://www.cnblogs.com/zzSoftware/p/2908106.html