Configuring WinDbg
WinDbg - allows you to debug 32/64 bit user-level applications, drivers, can be used to analyze crash memory dumps, WinDbg supports automatic loading of debugging symbols, there is a built-in scripting language to automate the debugging process, you can download the debugger here .
May contain the following:
Each debugger has its strength, if you need to debug 64 bit applications or you need to debug a driver, then my choice falls on WinDbg. When you first start WinDbg, we get a rather inconvenient workspace; this is what repels those who use OllyDbg at the beginning.
')
Especially for "pleasant" debugging made sane workspace, with a convenient arrangement of windows and a dark color scheme close to OllyDbg. Download here .
Debugging Extensions — Uses the Wait Chain Traversal API to find “waiting” threads and automatically detects deadlocks.
Viscope - draws graphs for code.
Core Analyzer - shows the analysis of memory and displays the relationship of each object.
pykd - allows you to use python as a language for automating debugging and analysis.
! exploitable - automatic analysis of dumps and risk assessment.
windbgshark - WinDbg integration with wireshark.
ollymigrate - the plugin allows you to "transfer" debugging from one debugger to another (Supported debuggers: OllyDbg1, OllyDbg2, Immunity Debugger, WinDbg, IDA Pro)
blwdbgue - lights in the command window.
WinDbg Highlighted - highlighting asm instructions in the disassembler and commands window.
Common WinDbg Commands - a complete list of WinDbg commands grouped thematically.
WinDbg Hotkeys - a list of available hotkeys.
WinDbg Tutorials is a series of debugging articles from Microsoft.
WinDbg Uncovered - project teaches debugging and analysis using WinDbg.
Crash Dump Analysis Poster - cheat sheet for dump analysis.
Kate Butenko blog - a blog that describes work with crash dumps, memory leaks.
WorkSpace
May contain the following:
Current session information
- All breakpoints.
- Open source files (if any).
- All user aliases.
Debug Settings
- Path to debug symbols.
- The path to the debugged application.
- Path to the source folder.
- Kernel debugging options.
- Logging settings.
GUI Settings
- Font
- The position of the windows relative to the desktop.
- All open windows.
- Register window options.
- Color options for each window.
- Installed flags for windows (Calls windows, Locals window, Watch Window).
Each debugger has its strength, if you need to debug 64 bit applications or you need to debug a driver, then my choice falls on WinDbg. When you first start WinDbg, we get a rather inconvenient workspace; this is what repels those who use OllyDbg at the beginning.
')
Especially for "pleasant" debugging made sane workspace, with a convenient arrangement of windows and a dark color scheme close to OllyDbg. Download here .
List of frequently used commands
Performance control
- g - continue execution.
- p - step through function.
- t - step inside the function.
- pa addr - step in the address.
- pc - step to the next call.
- pt - step to the next return.
- pct - step to the next call or return.
Breakpoints
- bp - set a breakpoint, for example bp nt! NtCreateFile.
- bl - list of breakpoints.
- bd - <number> remove the breakpoint under the number.
- bc - <number> clear the breakpoint under the number.
- ba - access breakpoint.
- be is a breakpoint for execution.
- bw - write breakpoint.
- sxe ld: kernel32 - breakpoint on loading DLL module.
Dump
- d <address> —dump of memory at address (b-byte; w-word; d-dword).
- dd <register> - dump the contents of the register.
- ddp <address> - dump content by address.
- u <address> - disassemble at.
miscellanea
- .load <dll name> - loads add-on for WinDbg.
- ! peb - ​​dump Process Environment Block.
- ! teb - dump Environment Disk Block.
- ! lmi kernel32 - dump information on the module.
- k - show call stack.
- r - show registers.
- x *! - A complete list of modules.
- lm is a list of basic modules.
- dt <structure name> - show structure if there are debug symbols.
- .extmatch / D / e ntdll * - show all exported functions for the library.
- ! dlls - show loaded modules.
- ! process 0 0 explorer.exe - get the structure of EPROCESS
- ? 0x2D - get a representation of the number in the decimal system.
- s -u 0x00000000 L? 0xffffffff “trythis” - search string in memory.
- eu addr "trythi1" - change the string to the address.
- .sympath .SRV * D: \ symbols * http: //msdl.microsoft.com/download/symbols/ - download address of the required debugging symbols.
- ! token - show information about privileges.
- .tlist - show all running processes.
useful links
Extensions
Debugging Extensions — Uses the Wait Chain Traversal API to find “waiting” threads and automatically detects deadlocks.
Viscope - draws graphs for code.
Core Analyzer - shows the analysis of memory and displays the relationship of each object.
pykd - allows you to use python as a language for automating debugging and analysis.
! exploitable - automatic analysis of dumps and risk assessment.
windbgshark - WinDbg integration with wireshark.
ollymigrate - the plugin allows you to "transfer" debugging from one debugger to another (Supported debuggers: OllyDbg1, OllyDbg2, Immunity Debugger, WinDbg, IDA Pro)
blwdbgue - lights in the command window.
WinDbg Highlighted - highlighting asm instructions in the disassembler and commands window.
Help
Common WinDbg Commands - a complete list of WinDbg commands grouped thematically.
WinDbg Hotkeys - a list of available hotkeys.
WinDbg Tutorials is a series of debugging articles from Microsoft.
WinDbg Uncovered - project teaches debugging and analysis using WinDbg.
Crash Dump Analysis Poster - cheat sheet for dump analysis.
Kate Butenko blog - a blog that describes work with crash dumps, memory leaks.
Source: https://habr.com/ru/post/187522/
All Articles