Dbg

Enable verbose output for symbol loading (shows every path and server the debugger tries, and why a symbol file is rejected)

!sym noisy


Fix the source and symbol paths, and append a directory to the existing symbol path. .srcfix sets the source path to use source server, .symfix sets the symbol path to the Microsoft public symbol server, and .sympath+ appends the given directory to whatever symbol path is already set. The fix commands are especially useful when debugging Microsoft binaries (including checked builds), whose symbols live on that server.

.srcfix

.symfix

.sympath+ D:\Binaries\Syms.pri\

 
Enable tracing source line-by-line

l+t

 
Trace (step into) one instruction at a time; if the above command has been executed this steps one source line at a time instead

t

 
Stepping over a function execution

p

 
Execute code until the next subroutine call

pc

 
Continue execution until the current function finishes

gu

 
Continue execution after a break point

g

 
Decode an error code into its message. By default the value is taken as a Win32 error code or, when the high bit is set, an HRESULT; add a second argument of 1 to decode an NTSTATUS value instead (e.g. !error c0000005 1). The two commands below decode the same access-denied error in HRESULT and Win32 form.

!error 0x80070005

!error 5
 
Dump registry values (the path is taken relative to HKLM unless a hive is given; the part after ! is the value name and accepts wildcards, so !* dumps every value of the key)

!dreg

!dreg Software\Microsoft\Windows NT\CurrentVersion\aeDebug!*
 
Help

.hh

.hh <topic>
 
Dump the memory at an address as DWORDs

dd 0x72726f43

 
Dump the memory at an address as an ASCII string (the example address 0x72726f43 is itself the ASCII bytes "Corr", which is the kind of thing you see when a string has overwritten a pointer)

da 0x72726f43

 
Other useful commands to dump memory: dc shows DWORDs with their ASCII on the right, du shows a Unicode string, dds shows DWORDs and resolves each one to a symbol (handy for a raw stack), and dpp/dpa/dpu treat each pointer-sized value as a pointer and dump what it points to as pointers, an ASCII string or a Unicode string respectively

dc 0x72726f43
du 0x72726f43

dds 0x72726f43

dpp 0x72726f43

dpa 0x72726f43

dpu 0x72726f43

 
If a value is small and a multiple of 4 it may be a handle (user-mode handle values always have their low two bits clear). Dump it with

!handle 0x72726f43

 
Show the information about the last API call error

!gle

 
Read a function's return value after stepping out of it (e.g. with gu): rax on x64 (first command), eax on x86 (second command)

r rax

r eax
 
Hardware breakpoint: break on a 1-byte write to memory address 00000039`f82ab0b8 (ba = break on access; w = write, size 1)

ba w 1 00000039`f82ab0b8

 
 
 
Symbols:
 
A symbol server path element: fetch symbols from the server on the right and cache the downloaded files in c:\symbols (the downstream store):
 
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
 
If no symbol path is set explicitly, the debugger takes it from the following environment variables (in order)
 
_NT_ALT_SYMBOL_PATH
_NT_SYMBOL_PATH
 
loaded modules
 
show loaded modules:

lm

 
show a specific module in verbose mode (m selects by module name, wildcards allowed). Note that module names are used without the file extension.

lm v m *myModuleName*

look at the loaded symbols with the x (examine symbols) command; wildcards are allowed in both the module and the symbol part

x module!symbol
 
Look at why debugger stopped

.lastevent

 

Show register values

r

 
display the eax register

r eax

 
Change the eax register

r eax=1

 
change the register mask used by r command

rm

 
important pseudo-registers (use them with the @ prefix, e.g. @$ip, so they are not mistaken for symbols)
$ip = instruction pointer register
$csp = the current call stack pointer
$ra = the return address for the current function
$retreg = the primary function return value register
 
display the call stack

k

 
display the top three stack frames together with their function parameters

kp 3

 
 
Break Point 
To make sure your module is loaded, set a break on the module-load event (sxe ld = enable break on the "load module" exception) so the debugger stops as soon as your module is mapped

sxe ld mybinaryfile_without_extension

 
Note that ld loads symbols, not modules: ld * loads symbols for every module that is already mapped (a module name, with or without wildcards, works too). It cannot load symbols for a module that has not been mapped yet, which is why you may have to use the above command and wait for the load event first

ld *

 
Now you can open the source file and press F9 on the line you are interested in, or set a breakpoint with bm (wildcards are allowed in the function name; bm sets one breakpoint per matching symbol)

bm mybinaryfile_without_extension!*myFunction*

 
 
set a breakpoint for all threads on the KBTest::Fibonacci function in myexe that runs "r esp" every time it is hit (note that you need to use bu instead of bp if the module is not loaded yet; bu stays unresolved until the module loads)

bp myexe!KBTest::Fibonacci "r esp"

 
now do the same thing for thread 0 only (the ~0 prefix makes the breakpoint thread-specific)
 

~0 bp myexe!KBTest::Fibonacci "r esp"

 
 
Clear all breakpoints

bc *

 
 
show local variables

dv

 
show local variables matching a pattern
 

dv myExe!m*v*

 
Display the type and fields of the object that 'this' points to

dt this

 
 
find which region an address belongs to (stack, heap, image, etc.) along with its protection and state. Note '.' is the current instruction address and @esp the stack pointer. If no address is given it enumerates all memory regions.

!address .
!address @esp
!address 0070000

!address

 
The command line and environment variables the debuggee was started with can be found in the process environment block (PEB)

!peb

 
 
Use binplace.exe to extract public symbols from the private symbol files produced by the compiler, and to store the public/private symbol files and the binary in specific locations. (It is most useful from a build script; for large projects use symstore.exe instead.)

binplace.exe

Note that when binplace creates the public symbol file it modifies the binary's header (the debug directory) so that it points to the new symbol file location instead of the original one.
 
Get the debug directory information from a binary's headers using link.exe (this shows the PDB path and the GUID/age the debugger matches the symbol file against).

link -dump -headers c:\mybin.exe

 
Create public/private symbol store for automatic management

symstore.exe

 
Extract source file/server information from symbol files (pdb).

srctool.exe

 
 
Change the instruction pointer (64-bit): rip is the instruction pointer; the stack pointer is rsp and is changed the same way

r rip=000007fe`c60bba6c

 
 
 
Enable Kernel Debugging:
Vista and above:

bcdedit /set debug on

 
Pre Vista:

Bootcfg /debug ON /port COM1 /ID 1

Kernel Object Commands:

Display a driver object by name (or address): its address and the device objects it owns

kd> !drvobj <name of module>

 
List all driver objects

!object \Driver

 
Viewing the raw driver object structure at an address in the kernel (for a device object use nt!_DEVICE_OBJECT)

dt nt!_DRIVER_OBJECT 0x827e3698

 
Get device object information

kd> !devobj <name of device>

 
Then use the device object address printed by the above command (e.g. "Device object (826eb030) is for:") to see which user-mode processes have handles open to the device

kd> !devhandles 826eb030

 
Check the SSDT (x86 form: the first member of nt!KeServiceDescriptorTable is the pointer to the table of service routine addresses, and L100 dumps 0x100 entries; anything pointing outside nt or a known driver deserves a look). On x64 the table holds 4-byte offsets relative to the table base rather than absolute pointers, and KeServiceDescriptorTable is not exported, so this one-liner does not apply as-is there.

dd dwo(KeServiceDescriptorTable) L100

 

Remote Host Debugging

On the target machine enable kernel debugging by running the following command and then rebooting

bcdedit /debug on

 
On the target machine run windbg from an admin cmd using:

windbg -server tcp:port=3001 -k

 
If necessary, start kernel debugging using Ctrl-K, select Local and click OK (local kernel debugging needs the debug boot option set above)
 
On the controller machine run windbg, then go to File -> "Connect to Remote Session..." and use the following connection string

tcp:server=\\10.0.0.10,port=3001

 

Symbols

The sympath can consist of multiple elements separated by ';' (directories, srv* server elements, cache* elements). It is initialized from the _NT_SYMBOL_PATH system environment variable.
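The symbol path described above, parsed element by element, as an added example in Python (not code from the original notes). It classifies each ';'-separated element using the documented forms (plain directory, cache*dir, srv*[store*...]server, symsrv*dll*[store*...]server) and flags servers reached over plain http://, which is worth checking because symbol files fetched that way can be read or altered in transit. SAMPLE_SYMPATH is constructed from the paths used on this page.

```python
"""Parse a WinDbg symbol path (.sympath / _NT_SYMBOL_PATH) into its elements
and point out servers contacted over plain HTTP.  Added example, not part of
the original notes; SAMPLE_SYMPATH is constructed for illustration."""

import os

# Constructed sample: a server element with a downstream store, a cache
# element and a plain directory (the private symbols directory from above).
SAMPLE_SYMPATH = (
    "srv*c:\\symbols*http://msdl.microsoft.com/download/symbols;"
    "cache*c:\\symcache;"
    "D:\\Binaries\\Syms.pri"
)


def _parse_element(raw):
    parts = raw.split("*")
    head = parts[0].lower()
    if head in ("srv", "symsrv"):
        # symsrv*dll*... is the long form of srv*...; strip the dll name first.
        # srv*              -> debugger's default server, default cache
        # srv*server        -> fetch from server, no named downstream store
        # srv*store*server  -> cache in store (stores may be chained)
        dll = parts[1] if head == "symsrv" and len(parts) > 1 else None
        tail = parts[2:] if head == "symsrv" else parts[1:]
        server = tail[-1] if tail and tail[-1] else None  # None = default server
        stores = [p for p in tail[:-1] if p]
        return {"kind": head, "dll": dll, "stores": stores, "server": server}
    if head == "cache":
        # cache*dir: downstream store for every element that follows it
        return {"kind": "cache", "dir": parts[1] if len(parts) > 1 else None}
    return {"kind": "dir", "path": raw}


def parse_sympath(sympath):
    """Split the path on ';' and classify each non-empty element."""
    return [_parse_element(e.strip()) for e in sympath.split(";") if e.strip()]


def symbol_servers(elements):
    """Every explicit server (URL or UNC share) the debugger would contact."""
    return [e["server"] for e in elements if e.get("server")]


def plaintext_servers(elements):
    """Servers reached over http://; prefer https:// or a trusted share."""
    return [s for s in symbol_servers(elements) if s.lower().startswith("http://")]


def environment_sympaths(env=None):
    """Parse both symbol-path environment variables, if set."""
    env = os.environ if env is None else env
    names = ("_NT_SYMBOL_PATH", "_NT_ALT_SYMBOL_PATH")
    return {n: parse_sympath(env[n]) for n in names if env.get(n)}


if __name__ == "__main__":
    for element in parse_sympath(SAMPLE_SYMPATH):
        print(element)
    print("plain-http servers:", plaintext_servers(parse_sympath(SAMPLE_SYMPATH)))
```

Run it against the output of .sympath (or the environment variables) before pointing a debugger at a sensitive crash dump; anything reported by plaintext_servers is a symbol download you cannot verify the origin of.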
 
 
Exception Codes
The common Windows exception codes are the NTSTATUS constants defined in <ntstatus.h> in the WDK, with names of the form STATUS_<NAME> (e.g. STATUS_ACCESS_VIOLATION = 0xC0000005). The debugger reports them as the exception code in .lastevent output, and !error <code> 1 decodes them.
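The decoding that !error performs, and the layout of the STATUS_* codes just mentioned, as an added example in Python (not code from the original notes). It splits Win32 error codes, HRESULTs and NTSTATUS values into their documented bit fields, reproduces the HRESULT_FROM_WIN32 and HRESULT_FROM_NT macros, and names a code when it is in the small hand-picked tables below (subsets of winerror.h and ntstatus.h); the tables are illustrative, not complete.

```python
"""Decode the Win32 / HRESULT / NTSTATUS codes that !error and ntstatus.h
refer to.  Added example, not part of the original notes; the name tables
are small subsets picked for illustration, the bit layouts are documented."""

WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    6: "ERROR_INVALID_HANDLE",
    87: "ERROR_INVALID_PARAMETER",
    122: "ERROR_INSUFFICIENT_BUFFER",
    1314: "ERROR_PRIVILEGE_NOT_HELD",
}

NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000008C: "STATUS_ARRAY_BOUNDS_EXCEEDED",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",  # /GS cookie failure
}

FACILITY_WIN32 = 7            # HRESULT facility that wraps Win32 codes
FACILITY_NT_BIT = 0x10000000  # "N" bit: this HRESULT carries an NTSTATUS
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def hresult_from_win32(code):
    """Same mapping as the HRESULT_FROM_WIN32 macro in winerror.h."""
    if code <= 0:
        return code
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def hresult_from_nt(status):
    """Same mapping as HRESULT_FROM_NT: set the N bit, keep everything else."""
    return (status | FACILITY_NT_BIT) & 0xFFFFFFFF


def decode_ntstatus(status):
    """Severity is bits 31:30, customer bit 29, facility 27:16, code 15:0."""
    status &= 0xFFFFFFFF
    return {
        "kind": "ntstatus",
        "severity": SEVERITY[status >> 30],
        "customer": bool(status & 0x20000000),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": NTSTATUS_NAMES.get(status),
    }


def decode(value, ntstatus=False):
    """Mimic !error: by default the value is a Win32 error code, or an HRESULT
    when its high bit is set; ntstatus=True (the '1' flag of !error) decodes
    it as an NTSTATUS instead."""
    value &= 0xFFFFFFFF
    if ntstatus:
        return decode_ntstatus(value)
    if not value & 0x80000000:
        return {"kind": "win32", "code": value, "name": WIN32_NAMES.get(value)}
    if value & FACILITY_NT_BIT:
        # HRESULT_FROM_NT wrapped an NTSTATUS: clear the N bit and decode that
        inner = decode_ntstatus(value & ~FACILITY_NT_BIT)
        return {"kind": "hresult_from_nt", "ntstatus": inner, "name": inner["name"]}
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"kind": "hresult", "facility": facility, "code": code, "name": name}


def describe(value, ntstatus=False):
    """One-line summary in the spirit of !error output."""
    info = decode(value, ntstatus)
    name = info["name"] or "(unknown in this table)"
    if info["kind"] == "ntstatus":
        return "NTSTATUS 0x%08X: %s severity, facility %d, code %d, %s" % (
            value & 0xFFFFFFFF, info["severity"], info["facility"], info["code"], name)
    if info["kind"] == "hresult":
        return "HRESULT 0x%08X: facility %d, code %d, %s" % (
            value, info["facility"], info["code"], name)
    if info["kind"] == "hresult_from_nt":
        return "HRESULT 0x%08X wrapping %s" % (value, describe(value & ~FACILITY_NT_BIT, True))
    return "Win32 error %d: %s" % (value, name)


if __name__ == "__main__":
    for v, nt in ((5, False), (0x80070005, False), (0xC0000005, True), (0xC0000409, True)):
        print(describe(v, nt))
```

A value such as 0x70005 with the high bit clear is taken as a raw Win32 code and has no name; the HRESULT form of access denied is 0x80070005, which decode() resolves through facility 7 back to Win32 error 5.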
 
 