<!DOCTYPE html>
<html>
<head>
<title>WinDbg</title>
<link rel="stylesheet" href="styles.css">
</head>
<body>
<div class="inner-content"><header class="page-header"><h1 class="page-title">WinDbg</h1></header><div class="page-content"><p><span style="color: #00ccff;">WinDbg </span>is a great debugger, but it has lots of commands, so it takes time to get comfortable with it. I’ll be very brief and concise so that I don’t bore you to death! To do this, I’ll only show you the essential commands and the most important options. We’ll see additional commands and options when we need them in the next chapters.</p><h2>Version</h2><p>To avoid problems, use the <span style="color: #00ccff;">32-bit</span> version of WinDbg to debug 32-bit executables and the <span style="color: #00ccff;">64-bit</span> version to debug 64-bit executables.</p><p>Alternatively, you can switch WinDbg between the 32-bit and 64-bit modes with the following command:</p><pre class="ignore:true">!wow64exts.sw</pre><h2>Symbols</h2><p>Open a new instance of WinDbg (if you’re debugging a process with WinDbg, close WinDbg and reopen it).<br> Under <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Symbol File Path</span> enter</p><pre class="ignore:true">SRV*<span style="color: #00ff00;">C:\windbgsymbols</span>*<span style="color: #00ff00;">http://msdl.microsoft.com/download/symbols</span></pre><p>Save the workspace (<span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Save Workspace</span>).</p><p>The asterisks are delimiters. WinDbg will use the first directory we specified above as a local cache for symbols. 
The paths/URLs after the second asterisk (separated by ‘<span style="color: #00ff00;"><strong>;</strong></span>‘, if more than one) specify the locations where the symbols can be found.</p><h2>Adding Symbols during Debugging</h2><p>To append a symbol search path to the default one during debugging, use</p><pre class="ignore:true">.sympath+ <span style="color: #00ff00;">c:\symbolpath</span></pre><p>(The command without the ‘<span style="color: #00ff00;">+</span>‘ would replace the default search path rather than append to it.)<br> Now reload the symbols:</p><pre class="ignore:true">.reload</pre><h2>Checking Symbols</h2><p><span style="color: #00ccff;">Symbols</span>, if available, are loaded when needed. To see which modules have symbols loaded, use</p><pre class="ignore:true">x *!</pre><p>The <span style="color: #00ff00;">x</span> command supports wildcards and can be used to search for symbols in one or more modules. For instance, we can search for all the symbols in <span style="color: #00ff00;">kernel32</span> whose name starts with <span style="color: #00ff00;">virtual</span> this way:</p><pre class="ignore:true">0:000> x kernel32!virtual*
757d4b5f kernel32!VirtualQueryExStub (<no parameter info>)
7576d950 kernel32!VirtualAllocExStub (<no parameter info>)
757f66f1 kernel32!VirtualAllocExNuma (<no parameter info>)
757d4b4f kernel32!VirtualProtectExStub (<no parameter info>)
757542ff kernel32!VirtualProtectStub (<no parameter info>)
7576d975 kernel32!VirtualFreeEx (<no parameter info>)
7575184b kernel32!VirtualFree (<no parameter info>)
75751833 kernel32!VirtualAlloc (<no parameter info>)
757543ef kernel32!VirtualQuery (<no parameter info>)
757510c8 kernel32!VirtualProtect (<no parameter info>)
757ff14d kernel32!VirtualProtectEx (<no parameter info>)
7575183e kernel32!VirtualFreeStub (<no parameter info>)
75751826 kernel32!VirtualAllocStub (<no parameter info>)
7576d968 kernel32!VirtualFreeExStub (<no parameter info>)
757543fa kernel32!VirtualQueryStub (<no parameter info>)
7576eee1 kernel32!VirtualUnlock (<no parameter info>)
7576ebdb kernel32!VirtualLock (<no parameter info>)
7576d95d kernel32!VirtualAllocEx (<no parameter info>)
757d4b3f kernel32!VirtualAllocExNumaStub (<no parameter info>)
757ff158 kernel32!VirtualQueryEx (<no parameter info>)</pre><p>The wildcards can also be used in the module part:</p><pre class="ignore:true">0:000> x *!messagebox*
7539fbd1 USER32!MessageBoxIndirectA (<no parameter info>)
7539fcfa USER32!MessageBoxExW (<no parameter info>)
7539f7af USER32!MessageBoxWorker (<no parameter info>)
7539fcd6 USER32!MessageBoxExA (<no parameter info>)
7539fc9d USER32!MessageBoxIndirectW (<no parameter info>)
7539fd1e USER32!MessageBoxA (<no parameter info>)
7539fd3f USER32!MessageBoxW (<no parameter info>)
7539fb28 USER32!MessageBoxTimeoutA (<no parameter info>)
7539facd USER32!MessageBoxTimeoutW (<no parameter info>)</pre><p>You can force WinDbg to load symbols for all modules with</p><pre class="ignore:true">ld*</pre><p>This takes a while. Go to <span style="color: #00ff00;">Debug</span>→<span style="color: #00ff00;">Break</span> to stop the operation.</p><h2>Help</h2><p>Just type</p><pre class="ignore:true">.hh</pre><p>or press <span style="color: #00ff00;">F1</span> to open the help window.<br> To get help for a specific command, type</p><pre class="ignore:true">.hh <command></pre><p>where <span style="color: #00ff00;"><command></span> is the command you’re interested in, or press <span style="color: #00ff00;">F1</span> and select the tab <span style="color: #00ff00;">Index</span>, where you can search for the topic/command you want.</p><h2>Debugging Modes</h2><h3>Locally</h3><p>You can either debug a new process or a process already running:</p><ol><li>Run a new process to debug with <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Open Executable</span>.</li><li>Attach to a process already running with <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Attach to a Process</span>.</li></ol><h3>Remotely</h3><p>To debug a program remotely, there are at least two options:</p><ol><li>If you’re already debugging a program locally on machine <span style="color: #00ff00;">A</span>, you can enter the following command (choose the <span style="color: #00ff00;">port</span> you want):<pre class="ignore:true">.server tcp:port=1234</pre><p>This will start a server within WinDbg.<br> On machine <span style="color: #00ff00;">B</span>, run WinDbg and go to <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Connect to Remote Session</span> and enter</p><pre class="ignore:true">tcp:Port=1234,Server=<IP of Machine A></pre><p>specifying the right <span style="color: #00ff00;">port</span> and <span style="color: #00ff00;">IP</span>.</p></li><li>On machine <span style="color: 
#00ff00;">A</span>, run <span style="color: #00ff00;">dbgsrv</span> with the following command:<pre class="ignore:true">dbgsrv.exe -t tcp:port=1234</pre><p>This will start a server on machine <span style="color: #00ff00;">A</span>.<br> On machine <span style="color: #00ff00;">B</span>, run WinDbg, go to <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Connect to Remote Stub</span> and enter</p><pre class="ignore:true">tcp:Port=1234,Server=<IP of Machine A></pre><p>with the appropriate parameters.<br> You’ll see that <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Open Executable</span> is disabled, but you can choose <span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Attach to a Process</span>. In that case, you’ll see the list of processes on machine <span style="color: #00ff00;">A</span>.<br> To stop the server on machine A you can use Task Manager and kill <span style="color: #00ff00;">dbgsrv.exe</span>.</p></li></ol><h2>Modules</h2><p>When you <span style="color: #00ccff;">load an executable</span> or <span style="color: #00ccff;">attach to a process</span>, WinDbg will list the loaded modules. If you want to list the modules again, enter</p><pre class="ignore:true">lmf</pre><p>To list a specific module, say <span style="color: #00ff00;">ntdll.dll</span>, use</p><pre class="ignore:true">lmf m ntdll</pre><p>To get the <span style="color: #00ccff;">image header</span> information of a module, say <span style="color: #00ff00;">ntdll.dll</span>, type</p><pre class="ignore:true">!dh ntdll</pre><p>The ‘<span style="color: #00ff00;">!</span>‘ means that the command is an <span style="color: #00ccff;">extension</span>, i.e. an external command which is exported from an external <span style="color: #00ccff;">DLL</span> and called inside WinDbg. 
Users can create their own extensions to extend WinDbg’s functionality.<br> You can also use the start address of the module:</p><pre class="ignore:true">0:000> lmf m ntdll
start end module name
77790000 77910000 ntdll ntdll.dll
0:000> !dh 77790000</pre><h2>Expressions</h2><p>WinDbg supports <span style="color: #00ccff;">expressions</span>, meaning that when a value is required, you can type the value directly or you can type an expression that evaluates to a value.<br> For instance, if <span style="color: #00ccff;">EIP</span> is <span style="color: #00ff00;">77c6cb70</span>, then</p><pre class="ignore:true">bp 77c6cb71</pre><p>and</p><pre class="ignore:true">bp EIP+1</pre><p>are equivalent.<br> You can also use symbols:</p><pre class="ignore:true">u ntdll!CsrSetPriorityClass+0x41</pre><p>and registers:</p><pre class="ignore:true">dd ebp+4</pre><p>Numbers are by default in base <span style="color: #00ccff;">16</span>. To be explicit about the base used, add a prefix:</p><p style="padding-left: 30px;">0x123: base 16 (hexadecimal)<br> 0n123: base 10 (decimal)<br> 0t123: base 8 (octal)<br> 0y111: base 2 (binary)</p><p>Use the command <span style="color: #00ff00;">.formats</span> to display a value in many formats:</p><pre class="ignore:true">0:000> .formats 123
Evaluate expression:
Hex: 00000000`00000123
Decimal: 291
Octal: 0000000000000000000443
Binary: 00000000 00000000 00000000 00000000 00000000 00000000 00000001 00100011
Chars: .......#
Time: Thu Jan 01 01:04:51 1970
Float: low 4.07778e-043 high 0
Double: 1.43773e-321</pre><p>To evaluate an expression use ‘<span style="color: #00ff00;">?</span>‘:</p><pre class="ignore:true">? eax+4</pre><h2>Registers and Pseudo-registers</h2><p>WinDbg supports several <span style="color: #00ccff;">pseudo-registers</span> that hold certain values. Pseudo-registers are indicated by the prefix ‘<span style="color: #00ff00;">$</span>‘.<br> When using registers or pseudo-registers, one can add the prefix ‘<span style="color: #00ff00;">@</span>‘ which tells WinDbg that what follows is a register and not a symbol. If ‘<span style="color: #00ff00;">@</span>‘ is not used, WinDbg will first try to interpret the name as a symbol.<br> Here are a few examples of pseudo-registers:</p><ul><li><span style="color: #00ff00;">$teb</span> or <span style="color: #00ff00;">@$teb</span> (address of the <span style="color: #00ccff;">TEB</span>)</li><li><span style="color: #00ff00;">$peb</span> or <span style="color: #00ff00;">@$peb</span> (address of the <span style="color: #00ccff;">PEB</span>)</li><li><span style="color: #00ff00;">$thread</span> or <span style="color: #00ff00;">@$thread</span> (current thread)</li></ul><h2>Exceptions</h2><p>To break on a specific exception, use the command <span style="color: #00ff00;">sxe</span>. For instance, to break when a module is loaded, type</p><pre class="ignore:true">sxe ld <module name 1>,...,<module name N></pre><p>For instance,</p><pre class="ignore:true">sxe ld user32</pre><p>To see the list of exceptions type</p><pre class="ignore:true">sx</pre><p>To ignore an exception, use <span style="color: #00ff00;">sxi</span>:</p><pre class="ignore:true">sxi ld</pre><p>This cancels out the effect of our first command.</p><p>WinDbg breaks on <span style="color: #00ccff;">single-chance</span> exceptions and <span style="color: #00ccff;">second-chance</span> exceptions. They’re not different kinds of exceptions. 
As soon as there’s an exception, WinDbg stops the execution and says that there’s been a single-chance exception. Single-chance means that the exception hasn’t been sent to the debuggee yet. When we resume the execution, WinDbg sends the exception to the debuggee. If the debuggee doesn’t handle the exception, WinDbg stops again and says that there’s been a second-chance exception.</p><p>When we examine EMET 5.2, we’ll need to ignore single-chance <span style="color: #00ccff;">single step exceptions</span>. To do that, we can use the following command:</p><pre class="ignore:true">sxd sse</pre><h2>Breakpoints</h2><h3>Software Breakpoints</h3><p>When you put a <span style="color: #00ccff;">software breakpoint</span> on one instruction, WinDbg saves to memory the first byte of the instruction and overwrites it with <span style="color: #00ff00;">0xCC</span> which is the opcode for “<span style="color: #00ff00;">int 3</span>“.<br> When the “<span style="color: #00ff00;">int 3</span>” is executed, the breakpoint is triggered, the execution stops and WinDbg restores the instruction by restoring its first byte.</p><p>To put a software breakpoint on the instruction at the address <span style="color: #00ff00;">0x4110a0</span> type</p><pre class="ignore:true">bp 4110a0</pre><p>You can also specify the number of <span style="color: #00ccff;">passes</span> required to activate the breakpoint:</p><pre class="ignore:true">bp 4110a0 3</pre><p>This means that the breakpoint will be ignored the first <span style="color: #00ff00;">2</span> times it’s encountered.</p><p>To resume the execution (and stop at the first breakpoint encountered) type</p><pre class="ignore:true">g</pre><p>which is short for “<span style="color: #00ff00;">go</span>“.<br> To run until a certain address is reached (containing code), type</p><pre class="ignore:true">g <code location></pre><p>Internally, WinDbg will put a software breakpoint on the specified location (like ‘<span style="color: 
#00ff00;">bp</span>‘), but will remove the breakpoint after it has been triggered. Basically, ‘<span style="color: #00ff00;">g</span>‘ puts a <span style="color: #00ccff;">one-time</span> software breakpoint.</p><h3>Hardware Breakpoints</h3><p><span style="color: #00ccff;">Hardware breakpoints</span> use specific registers of the <span style="color: #00ccff;">CPU</span> and are more versatile than software breakpoints. In fact, one can break <span style="color: #00ccff;">on execution</span> or <span style="color: #00ccff;">on memory access</span>.<br> Hardware breakpoints don’t modify any code so they can be used even with <span style="color: #00ccff;">self modifying code</span>. Unfortunately, you can’t set more than 4 breakpoints.</p><p>In its simplest form, the format of the command is</p><pre class="ignore:true">ba <mode> <size> <address> <passes (default=1)></pre><p>where <span style="color: #00ff00;"><mode></span> can be</p><ol><li>‘<span style="color: #00ff00;">e</span>‘ for <span style="color: #00ff00;">execute</span></li><li>‘<span style="color: #00ff00;">r</span>‘ for <span style="color: #00ff00;">read</span>/<span style="color: #00ff00;">write memory access</span></li><li>‘<span style="color: #00ff00;">w</span>‘ for <span style="color: #00ff00;">write memory access</span></li></ol><p><span style="color: #00ff00;"><size></span> specifies the size of the location, in bytes, to monitor for access (it’s always 1 when <span style="color: #00ff00;"><mode></span> is ‘<span style="color: #00ff00;">e</span>‘).<br> <span style="color: #00ff00;"><address></span> is the location where to put the breakpoint and <span style="color: #00ff00;"><passes></span> is the number of passes needed to activate the breakpoint (see ‘<span style="color: #00ff00;">bp</span>‘ for an example of its usage).</p><p><strong>Note:</strong> It’s not possible to use hardware breakpoints for a process before it has started because hardware breakpoints are set by modifying CPU registers (<span 
style="color: #00ccff;">dr0</span>, <span style="color: #00ccff;">dr1</span>, etc…) and when a process starts and its threads are created the registers are reset.</p><h3>Handling Breakpoints</h3><p>To list the breakpoints type</p><pre class="ignore:true">bl</pre><p>where ‘<span style="color: #00ff00;">bl</span>‘ stands for <span style="color: #00ff00;">breakpoint list</span>.<br> Example:</p><pre class="ignore:true">0:000> bl
0 e 77c6cb70 0002 (0002) 0:**** ntdll!CsrSetPriorityClass+0x40</pre><p>where the fields, from left to right, are as follows:</p><ul><li><span style="color: #00ff00;">0</span>: breakpoint ID</li><li><span style="color: #00ff00;">e</span>: breakpoint status; can be (<span style="color: #00ff00;">e</span>)nabled or (<span style="color: #00ff00;">d</span>)isabled</li><li><span style="color: #00ff00;">77c6cb70</span>: memory address</li><li><span style="color: #00ff00;">0002 (0002)</span>: the number of passes remaining before the activation, followed by the total number of passes to wait for the activation (i.e. the value specified when the breakpoint was created).</li><li><span style="color: #00ff00;">0:****</span>: the associated process and thread. The asterisks mean that the breakpoint is not thread-specific.</li><li><span style="color: #00ff00;">ntdll!CsrSetPriorityClass+0x40</span>: the <span style="color: #00ccff;">module</span>, <span style="color: #00ccff;">function</span> and <span style="color: #00ccff;">offset</span> where the breakpoint is located.</li></ul><p>To disable a breakpoint type</p><pre class="ignore:true">bd <breakpoint id></pre><p>To delete a breakpoint use</p><pre class="ignore:true">bc <breakpoint ID></pre><p>To delete all the breakpoints type</p><pre class="ignore:true">bc *</pre><h3>Breakpoint Commands</h3><p>If you want to execute a certain command automatically every time a breakpoint is triggered, you can specify the command like this:</p><pre class="ignore:true">bp 40a410 ".echo \"Here are the registers:\n\"; r"</pre><p>Here’s another example:</p><pre class="ignore:true">bp jscript9+c2c47 ".printf \"new Array Data: addr = 0x%p\\n\",eax;g"</pre><h2>Stepping</h2><p>There are at least 3 types of <span style="color: #00ccff;">stepping</span>:</p><ol><li><span style="color: #00ff00;">step-in</span> / <span style="color: #00ff00;">trace</span> (command: <span style="color: #00ff00;">t</span>)<br> This command breaks after every single 
instruction. If you are on a <span style="color: #00ccff;">call</span> or <span style="color: #00ccff;">int</span>, the command breaks on the first instruction of the called function or <span style="color: #00ccff;">int handler</span>, respectively.</li><li><span style="color: #00ff00;">step-over</span> (command: <span style="color: #00ff00;">p</span>)<br> This command breaks after every single instruction without following <span style="color: #00ccff;">calls</span> or <span style="color: #00ccff;">ints</span>, i.e. if you are on a <span style="color: #00ccff;">call</span> or <span style="color: #00ccff;">int</span>, the command breaks on the instruction right after the <span style="color: #00ccff;">call</span> or <span style="color: #00ccff;">int</span>.</li><li><span style="color: #00ff00;">step-out</span> (command: <span style="color: #00ff00;">gu</span>)<br> This command (<span style="color: #00ff00;">go up</span>) resumes execution and breaks right after the next <span style="color: #00ff00;">ret</span> instruction. 
It’s used to exit functions.<br> There are two other commands for exiting functions:<ul><li><span style="color: #00ff00;">tt</span> (<span style="color: #00ff00;">trace to next return</span>): it’s equivalent to using the command ‘<span style="color: #00ff00;">t</span>‘ repeatedly and stopping on the first <span style="color: #00ccff;">ret</span> encountered.</li><li><span style="color: #00ff00;">pt</span> (<span style="color: #00ff00;">step to next return</span>): it’s equivalent to using the command ‘<span style="color: #00ff00;">p</span>‘ repeatedly and stopping on the first <span style="color: #00ccff;">ret</span> encountered.<br> Note that <span style="color: #00ff00;">tt</span> goes inside functions, so if you want to get to the <span style="color: #00ccff;">ret</span> instruction of the current function, use <span style="color: #00ff00;">pt</span> instead.<br> The difference between <span style="color: #00ff00;">pt</span> and <span style="color: #00ff00;">gu</span> is that <span style="color: #00ff00;">pt</span> breaks on the <span style="color: #00ccff;">ret</span> instruction, whereas <span style="color: #00ff00;">gu</span> breaks on the instruction right after it.</li></ul></li></ol><p>Here are the variants of ‘<span style="color: #00ff00;">p</span>‘ and ‘<span style="color: #00ff00;">t</span>‘:</p><ul><li><span style="color: #00ff00;">pa</span>/<span style="color: #00ff00;">ta <address></span>: step/trace to address</li><li><span style="color: #00ff00;">pc</span>/<span style="color: #00ff00;">tc</span>: step/trace to next <span style="color: #00ccff;">call</span>/<span style="color: #00ccff;">int</span> instruction</li><li><span style="color: #00ff00;">pt</span>/<span style="color: #00ff00;">tt</span>: step/trace to next <span style="color: #00ccff;">ret</span> (discussed above at point 3)</li><li><span style="color: #00ff00;">pct</span>/<span style="color: #00ff00;">tct</span>: step/trace to next <span style="color: #00ccff;">call</span>/<span 
style="color: #00ccff;">int</span> or <span style="color: #00ccff;">ret</span></li><li><span style="color: #00ff00;">ph</span>/<span style="color: #00ff00;">th</span>: step/trace to next <span style="color: #00ccff;">branching instruction</span></li></ul><h2>Displaying Memory</h2><p>To display the contents of memory, you can use ‘<span style="color: #00ff00;">d</span>‘ or one of its variants:</p><ul><li><span style="color: #00ff00;">db</span>: display <span style="color: #00ccff;">bytes</span></li><li><span style="color: #00ff00;">dw</span>: display <span style="color: #00ccff;">words</span> (2 bytes)</li><li><span style="color: #00ff00;">dd</span>: display <span style="color: #00ccff;">dwords</span> (4 bytes)</li><li><span style="color: #00ff00;">dq</span>: display <span style="color: #00ccff;">qwords</span> (8 bytes)</li><li><span style="color: #00ff00;">dyb</span>: display <span style="color: #00ccff;">bits</span></li><li><span style="color: #00ff00;">da</span>: display null-terminated <span style="color: #00ccff;">ASCII</span> strings</li><li><span style="color: #00ff00;">du</span>: display null-terminated <span style="color: #00ccff;">Unicode</span> strings</li></ul><p>Type <span style="color: #00ff00;">.hh d</span> for seeing other variants.</p><p>The command ‘<span style="color: #00ff00;">d</span>‘ displays data in the same format as the most recent <span style="color: #00ff00;">d*</span> command (or <span style="color: #00ff00;">db</span> if there isn’t one).<br> The (simplified) format of these commands is</p><pre class="ignore:true">d* [range]</pre><p>Here, the asterisk is used to represent all the variations we listed above and the square brackets indicate that <span style="color: #00ff00;">range</span> is optional. 
If <span style="color: #00ff00;">range</span> is missing, <span style="color: #00ff00;">d*</span> will display the portion of memory right after the portion displayed by the most recent <span style="color: #00ff00;">d*</span> command.<br> Ranges can be specified in several ways:</p><ol><li><span style="color: #00ff00;"><start address> <end address></span><br> For instance,<pre class="ignore:true">db 77cac000 77cac0ff</pre></li><li><span style="color: #00ff00;"><start address> L<number of elements></span><br> For instance,<pre class="ignore:true">dd 77cac000 L10</pre><p>displays 10 <span style="color: #00ccff;">dwords</span> starting with the one at <span style="color: #00ff00;">77cac000</span>.<br> <strong>Note:</strong> for ranges larger than <span style="color: #00ff00;">256 MB</span>, we must use <span style="color: #00ff00;">L?</span> instead of <span style="color: #00ff00;">L</span> to specify the number of elements.</p></li><li><span style="color: #00ff00;"><start address></span><br> When only the starting point is specified, WinDbg will display 128 bytes.</li></ol><h2>Editing Memory</h2><p>You can edit memory by using</p><pre class="ignore:true">e[d|w|b] <address> [<new value 1> ... 
<new value N>]</pre><p>where <span style="color: #00ff00;">[d|w|b]</span> is optional and specifies the size of the elements to edit (<span style="color: #00ff00;">d</span> = <span style="color: #00ccff;">dword</span>, <span style="color: #00ff00;">w</span> = <span style="color: #00ccff;">word</span>, <span style="color: #00ff00;">b</span> = <span style="color: #00ccff;">byte</span>).<br> If the new values are omitted, WinDbg will ask you to enter them interactively.</p><p>Here’s an example:</p><pre class="ignore:true">ed eip cc cc</pre><p>This overwrites the first two dwords at the address in <span style="color: #00ccff;">eip</span> with the value <span style="color: #00ff00;">0xCC</span>.</p><h2>Searching Memory</h2><p>To search memory, use the ‘<span style="color: #00ff00;">s</span>‘ command. Its format is:</p><pre class="ignore:true">s [-d|-w|-b|-a|-u] <start address> L?<number of elements> <search values></pre><p>where <span style="color: #00ff00;">d</span>, <span style="color: #00ff00;">w</span>, <span style="color: #00ff00;">b</span>, <span style="color: #00ff00;">a</span> and <span style="color: #00ff00;">u</span> mean <span style="color: #00ccff;">dword</span>, <span style="color: #00ccff;">word</span>, <span style="color: #00ccff;">byte</span>, <span style="color: #00ccff;">ascii</span> and <span style="color: #00ccff;">unicode</span>.<br> <span style="color: #00ff00;"><search values></span> is the sequence of values to search for.<br> For instance,</p><pre class="ignore:true">s -d eip L?1000 cc cc</pre><p>searches for the two consecutive dwords <span style="color: #00ff00;">0xcc 0xcc</span> in the memory interval <span style="color: #00ff00;">[eip, eip + 1000*4 – 1]</span>.</p><h2>Pointers</h2><p>Sometimes you need to dereference a pointer. 
The operator to do this is <span style="color: #00ff00;">poi</span>:</p><pre class="ignore:true">dd poi(ebp+4)</pre><p>In this command, <span style="color: #00ff00;">poi(ebp+4)</span> evaluates to the <span style="color: #00ccff;">dword</span> (or <span style="color: #00ccff;">qword</span>, if in 64-bit mode) at the address <span style="color: #00ff00;">ebp+4</span>.</p><h2>Miscellaneous Commands</h2><p>To display the registers, type</p><pre class="ignore:true">r</pre><p>To display specific registers, say <span style="color: #00ccff;">eax</span> and <span style="color: #00ccff;">edx</span>, type</p><pre class="ignore:true">r eax, edx</pre><p>To print the first 3 instructions pointed to by <span style="color: #00ccff;">EIP</span>, use</p><pre class="ignore:true">u EIP L3</pre><p>where ‘<span style="color: #00ff00;">u</span>‘ is short for <span style="color: #00ccff;">unassemble</span> and ‘<span style="color: #00ff00;">L</span>‘ lets you specify the number of lines to display.</p><p>To display the <span style="color: #00ccff;">call stack</span> use</p><pre class="ignore:true">k</pre><h2>Dumping Structures</h2><p>Here are the commands used to display structures:</p><table style="height: 602px;" border="3" width="1084"><tbody><tr><td>!teb</td><td>Displays the <span style="color: #00ccff;">TEB</span> (<span style="color: #00ccff;">T</span>hread <span style="color: #00ccff;">E</span>nvironment <span style="color: #00ccff;">B</span>lock).</td></tr><tr><td>$teb</td><td>Address of the <span style="color: #00ccff;">TEB</span>.</td></tr><tr><td>!peb</td><td>Displays the <span style="color: #00ccff;">PEB</span> (<span style="color: #00ccff;">P</span>rocess <span style="color: #00ccff;">E</span>nvironment <span style="color: #00ccff;">B</span>lock).</td></tr><tr><td>$peb</td><td>Address of the <span style="color: #00ccff;">PEB</span>.</td></tr><tr><td>!exchain</td><td>Displays the current <span style="color: #00ccff;">exception handler 
chain</span>.</td></tr><tr><td>!vadump</td><td>Displays the list of <span style="color: #00ccff;">memory pages</span> and related information.</td></tr><tr><td>!lmi <module name></td><td>Displays information for the specified <span style="color: #00ccff;">module</span>.</td></tr><tr><td>!slist <address> [ <symbol> [<offset>] ]</td><td>Displays a <span style="color: #00ccff;">singly-linked list</span>, where:<ul><li><span style="color: #00ff00;"><address></span> is the address of the pointer to the first node of the list</li><li><span style="color: #00ff00;"><symbol></span> is the name of the structure of the nodes</li><li><span style="color: #00ff00;"><offset></span> is the offset of the field “next” within the node</li></ul></td></tr><tr><td>dt <struct name></td><td>Displays the structure <span style="color: #00ff00;"><struct name></span>.</td></tr><tr><td>dt <struct name> <field></td><td>Displays the field <span style="color: #00ff00;"><field></span> of the structure <span style="color: #00ff00;"><struct name></span>.</td></tr><tr><td>dt <struct name> <address></td><td>Displays the data at <span style="color: #00ff00;"><address></span> as a structure of type <span style="color: #00ff00;"><struct name></span> (you need symbols for <span style="color: #00ff00;"><struct name></span>).</td></tr><tr><td>dg <first selector> [<last selector>]</td><td>Displays the <span style="color: #00ccff;">segment descriptor</span> for the specified <span style="color: #00ccff;">selectors</span>.</td></tr></tbody></table><h2>Suggested SETUP</h2><p>
<a href="images/pic_a0.png"><img src="images/pic_a0.png" alt="pic_a0" width="1600" height="918"></a>
</p><p>Save the workspace (<span style="color: #00ff00;">File</span>→<span style="color: #00ff00;">Save Workspace</span>) after setting up the windows.</p> </div></div>
</body>
</html>