Enable verbose (noisy) symbol loading output, which shows every path and server tried for each module
Fix the symbol and source paths, then append the specified path to the existing symbol path. .symfix points the symbol path at the Microsoft public symbol server (with a local cache), .srcfix enables source server lookup, and .sympath+ appends a directory such as a private symbol share. This combination is useful when debugging checked (private) binaries alongside public Microsoft symbols:
.srcfix
.symfix
.sympath+ D:\Binaries\Syms.pri\
Enable source line-by-line tracing
Trace source execution step by step (steps through the source line by line if the above command has been executed)
Stepping over a function execution
Execute code until the next subroutine call
Continue execution until the current function finishes
Continue execution after a break point
Get error code message
Get registry values
!dreg
!dreg Software\Microsoft\Windows NT\CurrentVersion\aeDebug!*
Help
Look at the contents of a memory location
Show the contents of an instance pointer
Other useful commands to dump out memory locations
dc 0x72726f43
du 0x72726f43
dds 0x72726f43
dpp 0x72726f43
dpa 0x72726f43
dpu 0x72726f43
If the value stored there is a small multiple of 4 it may be a handle; dump it with
Show the information about the last API call error
Get return value of a function for x64 (first command), x86 (second command)
Break on write to memory address "00000039`f82ab0b8" (size 1 byte)
Symbols:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbols are also loaded using the following environment variables (in order)
_NT_ALT_SYMBOL_PATH
_NT_SYMBOL_PATH
Loaded modules
Show loaded modules:
Show a specific module (verbose). Note that the module name is given without its extension.
Look at loaded symbols with the 'x module!symbol' command; wildcards are allowed in both the module and symbol name
Look at why the debugger stopped (the last debug event)
Show register values
display eax register
Change eax register
change the register mask used by r command
Important pseudo-registers
$ip = instruction pointer register
$csp = the current call stack pointer (esp on x86, rsp on x64)
$ra = the return address of the current function
$retreg = primary function return value register (eax on x86, rax on x64)
display the call stack
display the parameters of the three most recent frames on the call stack
Break Point
To make sure your module is loaded, set a module-load exception breakpoint for it
sxe ld mybinaryfile_without_extension
Note that you can force-load modules with the following command (a module name, a wildcard, or a combination), but that may not always load all modules, so you may still need the above command
Now you can open the source and press F9 on the line you are interested in, or set a breakpoint with bm (wildcards are allowed in the function name)
bm mybinaryfile_without_extension!*myFunction*
Set a breakpoint for all threads on the Fibonacci function in KBTest that executes "resp" when hit (note that you need to use 'bu' instead of 'bp' if the module is not loaded yet)
bp myexe!KBTest::Fibonacci "resp"
Now do the same thing for thread 0 only
~0 bp myexe!KBTest::Fibonacci "resp"
Clear all breakpoints
show local variables
show local variables matching a pattern
Show the object type for 'this'
Find what kind of memory an address belongs to (stack, heap, image, etc.). Note that '.' is the current instruction address. With no argument it enumerates all memory regions.
!address .
!address @esp
!address 0070000
!address
The command line and environment variables with which the process being debugged was started can be found in the process environment block (PEB)
Use binplace.exe to extract public symbols from the private symbol files produced by the compiler and to store the public/private symbol files and the binary in specific locations (more useful in a script; for large projects use symstore.exe).
Note that when binplace creates the public symbol file it modifies the debug directory in the binary's header so that it points at the new symbol file location.
Dump the debug directory from a binary's headers with link.exe (this shows which PDB the binary refers to).
link -dump -headers c:\mybin.exe
Create public/private symbol store for automatic management
Extract source file/server information from symbol files (pdb).
Change current stack pointer (64-bit)
Enable Kernel Debugging:
Vista and above:
Pre-Vista:
bootcfg /debug ON /port COM1 /ID 1
Kernel Object Commands:
Show a driver object (the argument is the driver object address or the driver name)
kd> !drvobj <name of module>
List all driver objects
Viewing a driver object structure in the kernel (the address comes from !drvobj)
dt nt!_DRIVER_OBJECT 0x827e3698
Get device object information
kd> !devobj <name of device>
Then use the device object address returned by the above command (e.g. "Device object (826eb030) is for:") to see which user-mode processes have handles to the device
Check the SSDT (x86 only: the first DWORD of KeServiceDescriptorTable is the service table base, and each entry is an absolute pointer). Every entry should point into the nt image; an entry pointing into another module, or into unmapped memory, indicates a hook. On x64 the entries are relative offsets from the table base, so this dump cannot be read the same way.
dd dwo(KeServiceDescriptorTable) L100
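The hook check described above is tedious to do by eye over 0x100 entries. The following script is an added example (not part of the original cheat sheet) that takes pasted `lm` output for the module ranges and pasted `dd dwo(KeServiceDescriptorTable) L100` output for the x86 SSDT, and reports every entry that does not resolve into a trusted kernel module. The two samples embedded below are constructed for the example; the addresses and the "rootkit" module name are illustrative, not captured from a real machine.

```python
"""Flag x86 SSDT entries that do not point into trusted kernel modules.

Added example: parses pasted WinDbg output of `lm` (module ranges) and
`dd dwo(KeServiceDescriptorTable) L100` (SSDT entries, x86 layout) and
reports every entry that resolves to a module other than the trusted set,
or to no loaded module at all. Both samples below are constructed.
"""
import re

# Constructed `lm` output (x86). The "rootkit" module is made up for the example.
LM_OUTPUT = """\
start    end        module name
80400000 806b5000   nt         (pdb symbols)
806b5000 806d5000   hal        (deferred)
bf800000 bf9c3000   win32k     (deferred)
f7a20000 f7a26000   rootkit    (no symbols)
"""

# Constructed `dd dwo(KeServiceDescriptorTable) L100` output, truncated to 3 lines
# (12 entries). Entry 4 (second line, first value) points into "rootkit".
DD_OUTPUT = """\
80501b8c  805a4f28 805b9c14 8059ab60 805c3a70
80501b9c  f7a21a40 805b2d3c 805ab170 805a7bd4
80501bac  805c1f60 805b0e38 8059f1a4 805b84a0
"""

HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_lm(text):
    """Return [(start, end, name)] from `lm` output; header/other lines are skipped."""
    modules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and HEX8.match(parts[0]) and HEX8.match(parts[1]):
            modules.append((int(parts[0], 16), int(parts[1], 16), parts[2]))
    return modules


def parse_dd(text):
    """Return the SSDT entries in table order from `dd` output (4 DWORDs per line)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # parts[0] is the address column; the rest are the DWORD values.
        if len(parts) < 2 or not all(HEX8.match(p) for p in parts[1:]):
            continue
        entries.extend(int(p, 16) for p in parts[1:])
    return entries


def owning_module(addr, modules):
    """Name of the module whose [start, end) range contains addr, or None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def find_hooked_entries(dd_text, lm_text, trusted=("nt",)):
    """Return [(index, address, owner)] for every entry outside the trusted modules.

    An entry that maps to no loaded module is reported with owner "<unmapped>";
    a hook that jumps into freed or hidden memory looks exactly like that.
    """
    modules = parse_lm(lm_text)
    hooked = []
    for index, addr in enumerate(parse_dd(dd_text)):
        name = owning_module(addr, modules)
        if name not in trusted:
            hooked.append((index, addr, name or "<unmapped>"))
    return hooked


if __name__ == "__main__":
    for index, addr, name in find_hooked_entries(DD_OUTPUT, LM_OUTPUT):
        print(f"SSDT[{index:#05x}] = {addr:08x} -> {name}")
```

Paste the real `lm` and `dd` output into the two strings (or read them from files) and the script prints the suspect service indices; resolve them with `ln <address>` in the debugger to see what was hooked.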
Remote Host Debugging
On the target machine, enable kernel debugging with the following command and then reboot
On the target machine, run windbg from an elevated command prompt as a debugging server:
windbg -server tcp:port=3001 -k
If necessary, start kernel debugging with Ctrl-K, select Local, and click OK
On the controller machine, run windbg, then go to File -> "Connect to Remote Session..." and use the following connection string
tcp:server=\\10.0.0.10,port=3001
Symbols
The sympath can consist of multiple entries (local directories and symbol server URIs) separated by semicolons. Sympath is initialized from the _NT_SYMBOL_PATH system environment variable.
Exception Codes
The common Windows exception codes are NTSTATUS values; they can be found in <ntstatus.h> in the WDK as constants named in the STATUS_<NAME> form (for example STATUS_ACCESS_VIOLATION is 0xC0000005).
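An NTSTATUS value is not an opaque number: its top bits encode severity, a customer flag and a facility, and the low 16 bits the code itself, which is why 0x8000xxxx codes (breakpoint, single step) are only "warning" severity while 0xC000xxxx codes are errors. The script below is an added example, not part of the original page, that decodes those fields and pulls the code out of a WinDbg exception banner; the name table is a hand-picked subset of ntstatus.h (values as defined there) and the banner line is constructed.

```python
"""Decode NTSTATUS exception codes as seen in WinDbg exception banners.

Added example. NTSTATUS layout (from ntstatus.h / ntdef.h):
  bits 31-30 severity (0 success, 1 informational, 2 warning, 3 error)
  bit  29    customer-defined flag
  bit  28    reserved (N bit)
  bits 27-16 facility
  bits 15-0  code
"""
import re

# Hand-picked subset of ntstatus.h constants (values as defined in the WDK header).
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Matches the "code c0000005" part of a WinDbg banner such as
# "(12a4.1b8c): Access violation - code c0000005 (first chance)".
BANNER_CODE = re.compile(r"code\s+([0-9a-fA-F]{8})")


def decode_ntstatus(value):
    """Split an NTSTATUS into its fields; accepts the signed form WinDbg/.NET print too."""
    code = value & 0xFFFFFFFF  # normalise e.g. -1073741819 to 0xC0000005
    return {
        "value": code,
        "severity": SEVERITY[code >> 30],
        "customer": bool((code >> 29) & 1),
        "facility": (code >> 16) & 0x0FFF,
        "code": code & 0xFFFF,
        "name": NTSTATUS_NAMES.get(code, "unknown (look it up in ntstatus.h)"),
    }


def code_from_banner(line):
    """Extract the exception code from a WinDbg exception banner, or None."""
    match = BANNER_CODE.search(line)
    return int(match.group(1), 16) if match else None


if __name__ == "__main__":
    # Constructed banner line in the format WinDbg prints on an exception.
    banner = "(12a4.1b8c): Access violation - code c0000005 (first chance)"
    info = decode_ntstatus(code_from_banner(banner))
    print(f"{info['value']:#010x} {info['name']} severity={info['severity']} "
          f"facility={info['facility']} code={info['code']:#06x}")
```

In the debugger itself `!error <code>` gives the same translation for codes not in this table; the decoder is mainly useful when reading crash logs offline.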