[ring0] WinDbg Commands
//=================================================================================================
* Check loaded modules
lm (List Loaded Modules)
The lm command displays the specified loaded modules. The output includes the status and the path of the module.
Syntax
lm Options [a Address] [m Pattern | M Pattern]
lm
lm m s*
//=================================================================================================
* Check the symbol path
.sympath
Symbol search path is: c:\windows\Symbols*http://msdl.microsoft.com/download/symbols
//=================================================================================================
* Reload symbols
.reload (Reload Module)
The .reload command deletes all symbol information for the specified module and reloads these symbols as needed. In some cases, this command also reloads or unloads the module itself.
Syntax
.reload [Options] [Module [= Address [, Size [, Timestamp] ] ] ]
.reload -?
.reload ModuleName
0:000> .reload /u ntdll.dll
Unloaded ntdll.dll
0:000> .reload /s /f ntdll.dll
//=================================================================================================
* Control the symbol extension
!sym
The !sym extension controls noisy symbol loading and symbol prompts.
Syntax
!sym
!sym noisy
!sym quiet
!sym prompts
!sym prompts off
Parameters
noisy
Activates noisy symbol loading.
quiet
Deactivates noisy symbol loading.
prompts
Allows authentication dialog boxes to appear when SymSrv receives an authentication request.
prompts off
Suppresses all authentication dialog boxes when SymSrv receives an authentication request. This may result in SymSrv being unable to access symbols over the internet.
!sym noisy
//=================================================================================================
* Check the target computer version
vertarget (Show Target Computer Version)
The vertarget command displays the current version of the Microsoft Windows operating system of the target computer.
Syntax
vertarget
//=================================================================================================
* Disassemble
u (Unassemble)
The u command displays an assembly translation of the specified program code in memory.
Do not confuse this command with the ~u (Unfreeze Thread) command.
Syntax
u[b] Range
u[b] Address
u[b]
u videoprt!videoportfindadapter2
u nt!KiSystemService
u nt!KiFastCallEntry
//=================================================================================================
* Display the stack backtrace
k, kb, kd, kp, kP, kv (Display Stack Backtrace)
The k* commands display the stack frame of the given thread, together with related information.
Syntax
Kernel-Mode
[Processor] k[b|p|P|v] [n] [f] [L] [FrameCount]
[Processor] k[b|p|P|v] [n] [f] [L] = BasePtr [FrameCount]
[Processor] k[b|p|P|v] [n] [f] [L] = BasePtr StackPtr InstructionPtr
[Processor] kd [WordCount]
//=================================================================================================
* Display memory
d, da, db, dc, dd, dD, df, dp, dq, du, dw, dW, dyb, dyd (Display Memory)
The d* commands display the contents of memory in the given range.
Syntax
d{a|b|c|d|D|f|p|q|u|w|W} [Options] [Range]
dy{b|d} [Options] [Range]
d [Options] [Range]
0:000> dd 420000
0:000> dd poi(123456)
In C++ expressions, pointers behave like pointers in C++. However, numbers are interpreted as integers. If you have to dereference an actual number, you must cast it first, as the following example shows.
0:000> dd *( (long*) 0x123456 )
Some pseudo-registers also hold common
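The difference between the MASM and C++ expression evaluators is easy to trip over, so here is an added WinDbg command sequence (not part of the original post) that shows the same dereference under each evaluator and how to mix them in one expression. It assumes a user-mode x86 session with symbols loaded; the addresses are the same constructed values used above.

```windbg
$$ Assumed: x86 user-mode session (prompt 0:000>), symbols already loaded.
$$ Show the current evaluator, then select MASM explicitly so the output is predictable.
.expr
.expr /s masm
$$ MASM: numbers are hexadecimal by default and poi() reads a pointer-sized value.
dd 420000 L4
dd poi(@esp) L4
$$ Switch to the C++ evaluator.
.expr /s c++
$$ C++: numbers are decimal unless prefixed with 0x, and a bare number is an integer,
$$ not a pointer, so poi() is unavailable; cast the number to a pointer type first.
dd 0x420000 L4
dd *(long*)@esp L4
$$ @@masm() and @@c++() evaluate a sub-expression with the named evaluator,
$$ so one expression can use both without changing the global setting.
?? @@masm(poi(@esp))
? @@c++(*(long*)@esp)
$$ Restore the default evaluator.
.expr /s masm
```

`?` uses whichever evaluator is currently selected, while `??` always uses the C++ evaluator, which is why the `@@` wrappers are the safer way to write a one-off expression in a script.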
//=================================================================================================
* Check symbol exports
x (Examine Symbols)
The x command displays the symbols in all contexts that match the specified pattern.
Syntax
x [Options] Module!Symbol
> x nt!KeService*
> x nt!*
//=================================================================================================
* Check types
dt (Display Type)
The dt command displays information about a local variable, global variable or data type. This can display information about simple data types, as well as structures and unions.
Kernel-Mode Syntax
[Processor] dt [-DisplayOpts] [-SearchOpts] [module!]NAME [[-SearchOpts] Field] [Address] [-l List]
dt [-DisplayOpts] Address [-l List]
dt -h
dt nt!_PEB
dt nt!_EPROCESS -l ActiveProcessLinks.Flink -y Ima -yoi Uni 814856f0