-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathcmdTree.dbg
More file actions
339 lines (310 loc) · 18.3 KB
/
cmdTree.dbg
File metadata and controls
339 lines (310 loc) · 18.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
windbg ANSI Command Tree 1.0
title {"All Commands"}
body
{"[Managed]"}
{"Load sos"} {".loadby sos mscorwks"}
{"clrstack"} {"!clrstack"}
{"Threads"} {"!threads"}
{"Stack Objects"} {"!dso"}
{"Exceptions"} {"!dae"}
{"-------------------------------"}
{"[debug]"}
{"debug new session"} {".new ;"}
{"collect symbols"}
{"create new dump file(.dump)"} {".echo .dump /mapwd D:\work\dump_1.dmp ;"}
{"create new dump file from dmp analysis session (.dumpcab)"} {".echo .dumpcab -a c:\UserDumps\notepad.cab ;"}
{"collect all loaded symbols"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\collectOfflineSymbolsAll.dbg"}
{"remote debug"}
{"Create server on port 9999"} {".server tcp:port=9999"}
{"Show remote connections"} {".clients"}
{"live debug"}
{"break on startup"} {"bp @$exentry"}
{"Debugging Multiple Targets(c/s)"}
{"allow to debug child processes"}{".childdbg 1"}
{"disable to debug child processes"}{".childdbg 0"}
{"list all running processes"} {".tlist;.echo;.echo show matched process Ids;.echo .tlist -v "Cisco*";"}
{"current parent-child process"} {"|*"}
{"current all debug session"} {"||"}
{"attach new process"} {".echo .attach Pid"}
{"create new process(admin/x64/x86)"} {".echo .createdir d:\myworkingDir\test; .echo .create C:\Windows\notepad.exe"}
{"open new dump file"} {".echo .opendump D:\work\dump_1.dmp ; .echo g;"}
{"detach current debug session(live or dump)"} {".echo .detach;.detach;"}
{"-------------------------------"}
{"[3rd tools]"}
{"mex"} {"!mex.help"}
{"pykd"} {"!pykd.help"}
{"loadsos in 64bit debugger"} {".load "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\SOS.dll""}
{"dump all strings in one module example"} {".echo !mex.strings -m ${exeModuleName}"}
{"-------------------------------"}
{"[calculator tools]"}
{"sizeof"} {"?? sizeof(ntdll!_DPH_BLOCK_INFORMATION)"}
{"function size"} {"x /v CiscoJabber!startApp"}
{"value format"} {".formats 0x34df4"}
{"-------------------------------"}
{"-----------------reload panel----------------"}{".cmds;"}
{"[Logging]"}
{"Open Log"} {".logopen ${$CurrentDumpPath}\windbg_debug_log.txt "}
{"Close Log"} {".logclose"}
{"-------------------------------"}
{"[Switches]"}
{"step prompt - Quiet"} {".prompt_allow -sym -dis -reg -src -ea ; .pcmd /c ; rm 0;"}
{"step prompt - show x"} {".pcmd -s "x""}
{"Enable Unicode"} {".enable_unicode 1"}
{"Disable Unicode"} {".enable_unicode 0"}
{"Symbol Noisy load"} {"!sym noisy"}
{"Symbol Quiet load"} {"!sym quiet"}
{"src Noisy load"} {".srcnoisy 3"}
{"src Quiet load"} {".srcnoisy 0"}
{"source code mode"} {".lines -e;l+*"}
{"Disassembly mode"} {"l-t"}
{"show inline funtion"} {".inline 1"}
{"hide inline funtion"} {".inline 0"}
{"-------------------------------"}
{"[Information]"}
{"open target Location"} {".shell -ci "*" cmd.exe /c start . ;"}
{"path info"}
{"symbol path"} {".sympath"}
{"srcpath"} {".srcpath"}
{"visual data file"} {".nvlist"}
{"extension moduels"} {".extpath"}
{"cache path"} {"!homedir"}
{"target info"}
{"target version"} {"vertarget"}
{"Process Environment Block(!peb)"} {"!peb"}
{"dump file path"} {".echo ${$CurrentDumpFile}"}
{"dump overview by mex"} {"!mex.dumpinfo"}
{"debugger info"}
{"startup command line"} {"vercommand"}
{"debugger version"} {"version"}
{"loaded extension modules"} {".chain"}
{"visual data parser"} {".nvlist"}
{"time info"}
{"Application run time"} {".time"}
{"all threads run time"} {"!runaway"}
{"-------------------------------"}
{"[Process info]"}
{"Process structure"} {"dx @$peb"}
{"Process being debugged"} {"|"}
{"Process working directory"} {".createdir"}
{"-------------------------------"}
{"[Thread and Stacks]"}
{"current frame"}
{"List current frame variables"} {"x /t /v"}
{"List current frame source"} {"lsa @$scopeip"}
{"list call stack (k)"}
{"Dump stack w/ DML"} {"kpM 1000"}
{"Dump stacks without private info"} {"knL 1000"}
{"Dump stacks with all parameters"} {"kPn 1000"}
{"Dump stacks (distance from last frame)"} {"kf 1000"}
{"Dump stacks with Frame Pointer Omission"} {"kvn 1000"}
{"Dump all stack"} {"~*kbn 1000"}
{"Thread info"}
{"current thread structure"} {"?? @$TEB"}
{"Thread environment block"} {"!teb"}
{"TEB summary"} {"!threads"}
{"Time of current thread"} {".ttime"}
{"Dump thread stack statistics by mex"} {"!mex.us -l"}
{"interpret raw stack by mex"} {"!mex.interpretrawstack"}
{"show 71,72,74 thread name"} {".foreach /s (val "71 72 74 " ) { ~${val}s;.frame 5;dv this; }"}
{"dump stack context"} {"-------------------------------"}
{"Dump stack native object by mex"} {"!mex.ndso"}
{"Dump stack string by mex"} {"!mex.dumpstackstrings"}
{"Dump raw stack stack by mex"} {"!mex.interpretrawstack"}
{"Dump raw stack stack (!ddstack)"} {"!ddstack"}
{"thread stack statistics"}
{"Dump thread stack statistics by mex"} {"!mex.us -l"}
{"Dump unique stacks"} {"!uniqstack -pn"}
{"stack config"} {"-------------------------------"}
{"Set auto mode"} {".effmach ."}
{"Set x86 mode"} {".effmach x86"}
{"Set x64 mode"} {".effmach amd64"}
{"Set frame length to 2000"} {".kframes 2000"}
{"kernel mode only"}
{"kernel stacks"} {"!stacks"}
{"The list of all thread stack traces"} {"!process 0 ff"}
{"Ready threads"} {"!ready"}
{"-------------------------------"}
{"[Modules]"}
{"current module load/unload"}{"lm1m a @$scopeip ;"}
{"reload current module and symbol exactly"} {".foreach /pS 3 /ps 10 (val { .shell -ci "lmn a @$scopeip" find "." }) { .echo .reload /f ${val};.reload /f ${val};}"}
{"reload current module without verify symbol"} {".foreach /pS 3 /ps 10 (val { .shell -ci "lmn a @$scopeip" find "." }) { .reload /i ${val};}"}
{"unload current module"} {".foreach /pS 3 /ps 10 (val { .shell -ci "lmn a @$scopeip" find "." }) { ;aS ${/v:curMod} ${val} ;.reload /u ${val};}"}
{"load current module without symbol which is unloaded just now"} {".if(0!=${/d:curMod}){ .reload ${curMod} } .else { .echo no unloaded modue is recorded.; } "}
{"goto module"} {" .shell -ci "lmv a @$scopeip;" (find /i "Loaded symbol image file:")>2 & (set /p batVar=)<2 & cmd.exe /c ${myWinScriptPath}\windbg\script\cmds\common.bat gotoFileFromVar "*Loaded symbol image file: " "}
{"goto symbol"} {" .shell -ci "!chksym @$scopeip;" (find /i "Loaded pdb is ")>2 & (set /p batVar=)<2 & cmd.exe /c ${myWinScriptPath}\windbg\script\cmds\common.bat gotoFileFromVar "*Loaded pdb is " "}
{"goto target"} {" .shell -ci "*" explorer.exe /select, "${targetFullPath}""}
{"current modue info"}
{"module basic info (lmv)"} {"lmv a @$scopeip;"}
{"module inner info (!dlls)"} {"!dlls -c @$scopeip ;"}
{"module PE header info"}{".foreach ( val { lm1m a @$scopeip ; }) {!dh ${val}; .echo ;.echo Done to dump module '${val}' header info.}"}
{"module name"}{"lm1m a @$scopeip ;"}
{"module sympath path"}{"lma @$scopeip;"}
{"module all info (!dlls -a) -- very long"} {".echo !dlls -a -c @$scopeip ;"}
{"used exported API"} {".foreach ( val { lm1m a @$scopeip } ) { x ${val}!_imp__*}"}
{"any one module info -- need input parameter"}
{"module info with modle name (lmvm)"} {".echo lmvm IMPresenceServices"}
{"module info include addres (lmv)"} {".echo lmv a 0x2345"}
{"debug info (!lmi)"} {".echo !lmi IMPresenceServices"}
{"module name include addr"}{".echo lm1m a addr"}
{"show PE header(!dh)"} {".echo !dh user32.dll"}
{"verify module symbol matched"} {".echo !chksym user32;"}
{"used exported API"} {".echo x modName!_imp__* ;"}
{"show !dlls options help"} {"!dlls -h ;"}
{"all moduels info"} {"-------------------------------"}
{"All Modules (include unloaded)"} {".echo lm D sm"}
{"only Loaded Modules"} {".echo lmo D sm"}
{"Loaded Modules (verbose)"} {".echo lmvo D sm"}
{"basic info (!dlls)"} {"!dlls -m ;"}
{"modules which have a symbol problem"} {".echo lme D sm"}
{"show exe PE header -- time-consuming procedure"} {".echo .foreach ( val { lm1m } ) { !dh ${val} }"}
{"detects corruptted modules"}
{"current module"}{".foreach ( val { lm1m a @$scopeip ; }) {!chkimg -lo 50 -d !${val} -v ;}"}
{"verify specifed moduel"} {".echo !chkimg -lo 50 -d !ntdll -v"}
{"verify all moduels -- time-consuming procedure"} {".echo !for_each_module !chkimg -lo 50 -d !${@#ModuleName} -v"}
{"load modules"}
{"enable load Unqualified symbol (.symopt- 100)"}{".symopt- 100;"}
{"disable load Unqualified symbol (.symopt+ 100)"}{".symopt+ 100;"}
{"load unloaded moduels in image unloaded list (lm)"}{".echo .reload /unl modName.dll;"}
{"load system moduels(resolve 'unqualified symbol' issue)"}{".reload /s;.reload /n;"}
{"load any module"}{".echo .reload /s anyModFullPath.ext;"}
{"load any module without verify symbol match"}{".echo .reload /i anyModFullPath.ext;"}
{"unload module and its symbol"}{".echo .reload /u anyModFullPath.ext;"}
{"re-download current module symbol to overwriten and re-load symbol"}{".foreach /pS 3 /ps 10 (val { .shell -ci "lmn a @$scopeip" find "." }) {.echo .reload /o /f ${val};.reload /o /f ${val};};"}
{"write memory to file"}{".echo .writemem d:\myMod.dll 0x1234 L?0x4535 ;"}
{"!for_each_module example in script"} {".echo !for_each_module .echo @#Base @#End @#ModuleName"}
{"!for_each_module help"} {".echo !for_each_module -?"}
{"-------------------------------"}
{"[Exception]"}
{"exception info"} {"-------------------------------"}
{"Check exception(.exp)"} {".exp"}
{"reset stack(.cxr)"} {".cxr;kP;"}
{"find possible exception context(time-consuming cmd)"}{".shell -ci "~*kp;" find /i "_EXCEPTION_POINTERS" "}
{"last error in current thread"} {"!gle"}
{"last error in all threads"} {"!gle -all"}
{"explain error code example"} {"!error 0x1"}
{"check crash"} {"-------------------------------"}
{"script analysis exception"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\checkException.dbg"}
{"detect moduel corruption"} {".echo !chkimg -lo 50 -d !ntdll -v"}
{"analysis crashed thread by mex"} {"!mex.us -crash"}
{"!analyze"} {"!ext.analyze -v"}
{"exception chain in current thread"} {"!exchain"}
{"check hang & high CPU"} {"-------------------------------"}
{"check CPU time (!runaway)"} {"!runaway"}
{"currently not waiting threads(kernel mode)"}{"!running"}
{"current thread time"} {".ttime"}
{"!analysis -hang"} {"!ext.analyze -v -hang"}
{"who block main thread."} {"~0"}
{"check deadlock"}
{"list locked critical sections (!cs -l)"} {"!cs -l"}
{"check deadlock (!deadlock)"} {"!deadlock"}
{"query specifed lock"}
{"list single lock"} {".echo !Kdexts.locks -v 0x1b33f060"}
{"list single critical sections"} {".echo !cs -s -o 0x1b33f060"}
{"list all locks"} {"-------------------------------"}
{"list all Locks (!Kdexts.locks)"} {"!Kdexts.locks -v"}
{"list all critical sections Locks (!cs)"} {"!cs -v -s"}
{"kernel mode only"}
{"Critical system queues"} {"!exqueue f"}
{"check memory leak"}
{"fix 'No symbols for ntdll. Cannot continue.' "} {".reload /u ntdll.dll"}
{"show memory total usage"} {"!address -summary"}
{"show heap commit info"} {"!heap -a"}
{"trace memory leak"} {"-------------------------------"}
{"1. list max heap usage"} {"!heap -s"}
{"2. most memory block statistics in heap 01150000"} {".echo !heap -stat -h 01150000"}
{"3. specifed block size(0x50) in heap"} {".echo !heap -flt s 0x50"}
{"4. who alloc memory addr 0x1b33f060"} {".echo !heap -p -a 0x1b33f060"}
{"gflag options to trace memory alloc procedure -- live debug or enable it before app startup"}
{"current gflag options"}{"!exts.gflag;"}
{"gflag options list"}{"!exts.gflag -?;"}
{"necessary gflag options for memory alloc trace"}{"!exts.gflag +ust;"}
{"optional gflag options for memory alloc trace (nice to have)"}{"!exts.gflag +hpa;"}
{".. detect possible leaked heap blocks"} {"!heap -l "}
{".. specifed block size(0x50,0x80) range in heap"} {"!heap -flt r 0x50 0x80"}
{"query memory block info"} {"-------------------------------"}
{"memory UserPtr 0x1b33f060 State info"} {".echo !address 0x1b33f060"}
{"memory UserPtr 0x1b33f060 memory block info -- usefull but slow"} {".echo !heap -x 0x1b33f060"}
{"memory HEAP_ENTRY address 0x2db52018 info in heap--stacks"} {".echo !heap -i 2db52018"}
{"memory HEAP_ENTRY address 0x2db52018 structure"} {".echo dt ${$ntsym}!_DPH_BLOCK_INFORMATION 2db52018"}
{"query single heap info"} {"-------------------------------"}
{"heap all info for heap 036b0000"} {".echo !heap -a -h 036b0000"}
{"dump detail heap page info for heap 036b0000"} {".echo !heap -p -h 036b0000"}
{"all available alloc call stacks in heap "} {".echo !heap -k -h 01150000"}
{"heap structure for heap 036b0000"} {".echo dt ${$ntsym}!_HEAP 036b0000"}
{"help example"} {"-------------------------------"}
{"!heap help in browser"} {".shell -ci "*" cmd.exe /c start "" "mk:@MSITStore:C:\PROGRA~2\WI3CF2~1\10\DEBUGG~1\x86\debugger.chm::/debugger/_heap.htm" "}
{"!heap help"} {"!heap -?"}
{"!heap page help"} {"!heap -p -?"}
{"memory breakpoint example"} {".echo bp ucrtbase!_malloc_base "j(poi(@esp+4)!=0x20) 'gc ;' " "}
{"kernel mode only"}
{"Processes and virtual memory"} {"!vm 4"}
{"Sorted pool consumption (paged)"} {"!poolused 4"}
{"Sorted pool consumption (nonpaged)"} {"!poolused 3"}
{"check deadlock"}
{"show all locks(!locks -v)"}{"!locks -v"}
{"show single lock info auto"}{"$$>a<${myWinScriptPath}\windbg\script\cmds\checkDeadLock.dbg"}
{"show single lock info manual"}{".echo !cs -o lockAddr"}
{"kernel mode only"}
{".bugcheck"} {".bugcheck"}
{"Critical system queues"} {"!exqueue f"}
{"-------------------------------"}
{"[search example]"}
{"search global variable"} {"-------------------------------"}
{"search global variable in module"}{".echo x modName!*dynamic initializer for*;"}
{"search global variable in function scope(getInstance)"}{".echo x modName!*::getInstance"}
{"search global variable in current module"}{".foreach ( val { lm1m a @$scopeip ; }) {.echo x ${val}!*dynamic initializer for*;x ${val}!*dynamic initializer for*;};"}
{"search global variable in function scope(getInstance)"}{".foreach ( val { lm1m a @$scopeip ; }) {.echo x ${val}!*::getInstance;x ${val}!*::getInstance;};"}
{"open source file (.open)"}{".echo .open -a addr"}
{"list source code (lsa)"}{".echo lsa addr"}
{"search string in specifed place"} {"-------------------------------"}
{"string in current thread stack"} {"!mex.dumpstackstrings"}
{"string in current module"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\dump\dumpAllStringInCurModule.dbg"}
{"search string example"} {"-------------------------------"}
{"any human readable string"}
{"any ASCII string"} {".echo s -sa 0x10000 L?512"}
{"any ASCII string whose length >=14"} {".echo s -[14]sa 0x10000 L?512"}
{"any Unicode string"} {".echo s -su 0x10000 0x11000"}
{"specified string -- Hello"}
{"specified ASCII string"} {".echo s -a 0x10000 L?512 "Hello" "}
{"specified Unicode string"} {".echo s -u 0x10000 0x11000 "Hello""}
{"search "Hello" string in every module"} {".echo !for_each_module s-a @#Base @#End "hello""}
{"search dword 0x0001003f"} {".echo s -d 0x10000 L?512 0x0001003f"}
{"search instruction"} {"-------------------------------"}
{"jnz instruction from current address"} {".echo # jnz "}
{"call instruction from 779f9fba "} {".echo # call 779f9fba "}
{"strlen call from main function "} {".echo # strlen main"}
{"search szFileName variable usage from notepad!WinMain"} {".echo # notepad!szFileName notepad!WinMain"}
{"search myfunc function call in every module"} {".echo !for_each_module # myfunc @#Base @#End"}
{"-------------------------------"}
{"data display formats"}
{"list all data d* format"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\listDataFormat.dbg;"}
{"list all stack k* formats"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\listStackFormat.dbg;"}
{"list all variable display formats"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\listVariableFormat.dbg;"}
{"list raw thread stack symbols"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\listStackSymbol.dbg;"}
{"Automatic Pseudo-Registers -- refered by @$"}{".hh pseudo-registers"}
{"list all available Pseudo-Registers value"} {"$$>a<${myWinScriptPath}\windbg\script\cmds\listAllPseudoRegisters.dbg;"}
{"last expression value : @$exp"} {"dx @$exp ;"}
{"last function return address : @$ra"} {"dx @$ra ;ln @$ra ;"}
{"last function return value : @$callret"} {"dx @$callret;"}
{"current function frame number : @$frame"} {"dx @$frame;"}
{"current function address : @$scopeip"} {"dx @$scopeip ;ln @$scopeip ;"}
{"exe module entry function : @$exentry"} {"dx @$exentry;ln @$exentry;"}
{"No.N breakpoint address(@$bp2) : @$bpN"} {" ln @$bp0 ; .echo ; .echo .open -a @$bp0 ;"}
{"process and thread"}
{"process address (PEB/EPROCESS block): @$proc / @$peb "}{"dx @$proc;"}
{"thread address (TEB/ETHREAD block) : @$thread / @$teb"}{"dx @$thread;"}
{"current process ID (PID) : @$tpid"}{"dx @$tpid;"}
{"current thread ID (TID) : @$tid"}{"dx @$tid;"}
{"automatic aliases -- refered by ${}"}
{"current appropriate 64 bit NT symbols name : ${$ntnsym}"}{".echo ${$ntnsym};"}
{"current appropriate 64 bit NT symbols name : ${$ntwsym}"}{".echo ${$ntwsym};"}
{"current auto NT symbols name : ${$ntsym}"}{".echo ${$ntsym};"}
{"current dump file name : ${$CurrentDumpFile}"}{".echo ${$CurrentDumpFile};"}
{"current dump file directory path : ${$CurrentDumpPath}"}{".echo ${$CurrentDumpPath};"}
{"[dx command] : case sensetive"}
{"list Debugger"}{"dx -r1 Debugger"}
{"list Debugger.Settings"}{"dx -r1 Debugger.Settings"}
{"set Debugger.Settings example"}{".echo .settings set Display.PreferDMLOutput=true"}
{"use dx variable example"}{"dx -r1 @$curthread"}
{"search all thread include 'Exception' in function name"}{"dx -r1 @$curprocess.Threads.Select(p=>p.Stack).Select(p=>p.Frames).Select(t=>t[1]).Where( ( p=>p.ToDisplayString().Contains("Exception") == true ))"}
{"help on browser"}{".shell -ci "*" cmd.exe /c start "" "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dx--display-visualizer-variables-";"}