WinDBG debug command Daquan

WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，WinDBG，转：http://www.cnblogs.com/kekec/archive/2012/12/02/2798020.html

# Debug command window

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#important

(1) windbg command into a standard command, the command element and the command expansion.

     Standard command provides basic debugging functions are not case sensitive. Such as: bp g dt dv k, etc.

     Yuan command provides functionality not provided by standard commands, but also built-in, beginning with the debug engine. As .sympath .reload etc.

     Extended command for a particular aspect of the extended debug capabilities, to achieve dynamic load extension module, start with!. Such as the! Analyze etc.

(2) when entering debug state, the transport may be repeatedly performed directly on a command; Press down arrow keys can browse and select a previously entered command

(3) magic Tab key to perform command completion; the ESC to clear the current command text input box

(4); as a separator, multiple commands can be entered on the same line

(5) Figure red box " 0 : 000 ." [0 is the process ID of the current debugging session ; 000 is the number of threads debugging session ]

(6) When the command prompt is displayed * BUSY *, even though the command input box to enter a command, but the command will not be executed immediately entered to perform idle time to wait windbg.

     You can use Ctrl + Break command to terminate a long-unfinished

# Enable debugging

windbg "notepad.exe" arguments // to start debugging using windbg notepad.exe

pid windbg -p 4200 // windbg to attach to a running process is on 4200

The process windbg -pn "notepad.exe" // windbg will attach to a running notepad.exe is called

windbg -z "c: \ mydumpfile.dmp" // debugging mydumpfile.dmp file

.attach 0n4220 // 4220 as decimal pid, additional debugging when using this command, you must first exist a debugging session

.detach // separate debugging

.restart // restart and debug

.kill // force the end of the current debugging

q // Exit windbg

# Getting Help

? // print out all the standard commands

.help // prints out all the commands yuan

.hh // Open windbg a chm help file

command /? // print command command specific parameter usage

# Comment character

* The entire line // comment

$$ // comment (semicolon encountered)

# Configure debugging environment

.sympath // view the current symbol search path

.sympath c: \ symbols // Set the symbol search path: c: \ symbols

.sympath + c: \ symbols // the c: \ symbols added to the symbol search path set

.symfix // symbol search path is set to: SRV * WinDbg installation directory \ Sym * http: //msdl.microsoft.com/download/symbols

.symfix f: \ symbols // symbol search path is set to: SRV * f: \ symbols * http: //msdl.microsoft.com/download/symbols

.symfix + f: \ symbols // will SRV * f: \ symbols * http: //msdl.microsoft.com/download/symbols added to the symbol search path set

.srcpath // view the current source file search path

.srcpath f: \ src // the source file search path is set: f: \ src

.srcpath + f: \ src // the f: \ src added to the source file search path set

.exepath // View executable search path

.exepath f: \ bin // find the path to the executable file: f: \ bin

.exepath + f: \ bin // the f: \ bin added to the executable search path set

# Symbol to load and view

In addition to using ld and .reload commands directly loaded symbol files, some of the symbols used commands can also trigger the debugger to load symbols, such as: Backtrace command (k *) and disassemble command (u) and so on.

It is worth noting, windbg default using lazy loading strategy style symbol when it receives the module load event, it is not normally loaded symbol, the symbol status is shown as deferred (lazy loading).

.symopt // display the current options for all symbols

.symopt + flags // add Symbol Options

.symopt- flags // delete option symbol

ld * // load symbols for all modules

ld kernel32 // load the symbol of kernel32.dll

.reload // load the symbol information for all modules

.reload / f / v // f: force an immediate mode v: verbose mode

.reload / f @ "c: \ windows \ System32 \ verifier.dll" // load the symbol information for a specified module

x *! // lists all modules corresponding symbol information

lm // List information symbols corresponding to all modules

x ConsoleTest! * // list all the symbols ConsoleTest module

x ConsoleTest! add * // add all symbols are listed at the beginning of ConsoleTest module

x / t / v ConsoleTest! * // band data type, size and type of information symbols, all symbols are listed in the module ConsoleTest

x kernel32! * LoadLib * // lists kernel32 module containing all the words symbol LoadLib

u // decompile

# Processes and threads

| // lists the debugging process

| * // lists the debugging process

| N // N See ordinal number of the debugging process

| Ns // switching sequence number N of the current process of debugging process

// thread lists ~

~ * // all threads

~ * K // all threads stack information

~ * R // all threads register information

~ // view the current thread

~ # // View causes the current thread or abnormal event

~ N // N to view the order numbers of threads

~~ [n] // View thread ID is n thread

~ Ns // N number of switching order of the current thread thread debugging

~ N f // freeze ordinal number is N threads

~ N u // thawing ordinal number N threads

~ N n // Suspend ordinal number N threads

~ N m // Resume ordinal number N threads

# Breakpoint

bl // List all breakpoints

bc * // clear all breakpoints

bc 1 // Clear the breakpoint 1

bc 1 2 5 // clear the No. 1, No. 2, No. 5 breakpoint

be * // Enable all breakpoints

be 1 // Enable breakpoint No. 1

be 1 2 5 // Enable No. 1, No. 2, No. 5 breakpoint

bd * // disable all breakpoints

bd 1 // disable breakpoint 1

bd 1 2 5 // disable the No. 1, No. 2, No. 5 breakpoint

bp 7c801b00 // place a breakpoint at the address 7c801b00

bp `ConsoleTest.cpp: 36` // place a breakpoint at line 36 of ConsoleTest.cpp

bp main // place a breakpoint at the beginning of the main function

bp CSecondLoader :: CSecondLoader // constructor place a breakpoint at the CSecondLoader

bp `ConsoleTest.cpp: 40`" j (poi (MyVar)> 5) ''; 'g' "// conditional breakpoints MyVar> 5, the implementation of an empty statement (;), otherwise continue to live off

bp `ConsoleTest.cpp: 40`" j @eax = 0xa3 ''; 'g' "// conditional breakpoint register eax live off when the value 0xA3

bu // save breakpoints, and its use as bp

bm add_ * // matches the beginning of add_ functions, and these functions are marked with a breakpoint at the beginning of the

ba w4 0483dfe0 // stop when the write address for 0483dfe0

// ba [r|w|e] [Size] Addr      [r=read/write, w=write, e=execute], Size=[1|2|4 bytes]

# Debug execution control

g // Go(F5)

gH gH // execute command to force the debugger returns have been processed this exception. [Go with Exception Handled]

// will stop the distribution system after receiving this reply exception (because the debugger claims to have handled an exception), the debug target recovery continues,

     // But still due to abnormal conditions, can be caused by abnormal, then redistributed, WinDBG interrupted again to command mode.

gN // 【Go with Exception Not Handled】

     // execute gN command to force the debugger does not handle the exception return, the system will further distribute the exception,

// If no other debugger does not handle, and finally terminate the program will pop up dialog box.

gu // perform a complete stop when the current function [Go Up]

p // single-step execution (F10) [Step]

p 2 // 2 is the number of steps

pc // execution of the function call to the next stop [Step to Next Call]

pa 7c801b0b // execution to address 7c801b0b stop [Step to Adress]

t // Step into(F11) 【Trace】

At the next entry point tc // execution to stop [Trace to Next Call]

ta address 7c801b12 // execution to stop 7c801b12 [Trace to Adress]

View variable #

dt nRet // view variables nRet type and value

dv // displays the current function of all local variables, function arguments

dv n * // display the current local variables all begin with the n functions, function parameters

dv /t /i /V /a|/n|/z

/*****************************************

Show in more detail the current function of all local variables, function arguments 
I = type (local, Global, Parameter) 
T = Data type 
V = Register Memory or address LOCATION 
--------------- -------- 
A Sort by Addr =, = n-Sort by name, Z = Sort by size

*****************************************/

Call stack #

k // display the current call stack

kn // number with a stack displays the current call stack

kb // print out the first three arguments of the current call stack

Only 5 kb 5 // display the call stack layer on the most

.frame // display the current stack frame

.frame n // stack frame number n provided for the current stack frame

.frame / rn // set the stack frame number n and the current stack frame display register variables

! Uniqstack // display the call stack for all threads

#register

r // show all register information

r eax, edx // display eax, edx register information

r eax = 5, edx = 6 // eax register assigned to 5, edx assigned 6

#RAM

da / c 5 7c801e02 // 7c801e02 memory starting at 5 ascii characters displayed

/*****************************************

d [a | u | b | w | W | d | c | q | f | D] [/ c columns] [Address]

a = ascii chars 
u = Unicode chars 
b = byte + ascii 
w = word (2b) 
W = word (2b) + ascii 
d = dword (4b) 
c = dword (4b) + ascii 
q = qword (8b) 
f = floating point (single precision - 4b) 
D = floating point (double precision - 8b)

*****************************************/

dyb / c 3 7c801e02 // 7c801e02 memory starting at the byte and binary display 3

/*****************************************

dy[b | d] ..   // b = binary+byte     d = binary+dword

*****************************************/

#dump output

.dump / ma "d: \ mydmpfile.dmp" // Dump the current process of debugging output file

# Other meta commands

.tlist // show all processes

.cls // Clear Screen

Other extension commands #

! Analyze -v // display detailed information about the current exception

! // PEB PEB output format information (process's environment block)

! Gle // Print this recent thread error message

! Gle -all // print the last error message all threads

! Error 897 // display error code 897 as described in detail information

#help

Chinese online help: http://www.dbgtech.net/windbghelp/index.html

cmd WinDbg:  http://www.slideshare.net/kewuc/windbg-cmds  [ Download ]