[ring0] WinDbg 명령어

Digging 2008. 11. 5. 10:57


 

//=================================================================================================

* Check loaded modules

lm (List Loaded Modules)

The lm command displays the specified loaded modules. The output includes the status and the path of the module.

Syntax

lm Options [a Address] [m Pattern | M Pattern]

 

lm

lm m s*

 

 

//=================================================================================================

* Check the symbol path

.sympath
Symbol search path is: c:\windows\Symbols*http://msdl.microsoft.com/download/symbols

There is no need to download debugging symbols separately. Set the path as above and reload; the symbols are then downloaded automatically from the internet.
 

//=================================================================================================

* Reload symbols

.reload (Reload Module)

The .reload command deletes all symbol information for the specified module and reloads these symbols as needed. In some cases, this command also reloads or unloads the module itself.

Syntax

.reload [Options] [Module [= Address [, Size [, Timestamp] ] ] ]
.reload -? 

 

.reload ModuleName

0:000> .reload /u ntdll.dll
Unloaded ntdll.dll
0:000> .reload /s /f ntdll.dll

 

//=================================================================================================

* Control the symbol extension

!sym

The !sym extension controls noisy symbol loading and symbol prompts.

Syntax

!sym 
!sym noisy 
!sym quiet 
!sym prompts 
!sym prompts off 

Parameters

noisy

Activates noisy symbol loading.

quiet

Deactivates noisy symbol loading.

prompts

Allows authentication dialog boxes to appear when SymSrv receives an authentication request.

prompts off

Suppresses all authentication dialog boxes when SymSrv receives an authentication request. This may result in SymSrv being unable to access symbols over the internet.

 

!sym noisy

 

 

//=================================================================================================

* Check the target computer version

vertarget (Show Target Computer Version)

The vertarget command displays the current version of the Microsoft Windows operating system of the target computer.

Syntax

vertarget 

 

 

//=================================================================================================

* Disassemble

u (Unassemble)

The u command displays an assembly translation of the specified program code in memory.

Do not confuse this command with the ~u (Unfreeze Thread) command.

Syntax

u[b] Range 
u[b] Address
u[b]

 

u videoprt!videoportfindadapter2

u nt!KiSystemService

u nt!KiFastCallEntry

 

 

//=================================================================================================

* View the stack backtrace

k, kb, kd, kp, kP, kv (Display Stack Backtrace)

The k* commands display the stack frame of the given thread, together with related information.

Syntax

Kernel-Mode

[Processor] k[b|p|P|v] [n] [f] [L] [FrameCount]
[Processor] k[b|p|P|v] [n] [f] [L] = BasePtr [FrameCount]
[Processor] k[b|p|P|v] [n] [f] [L] = BasePtr StackPtr InstructionPtr 
[Processor] kd [WordCount]

 

 

//=================================================================================================

* Display memory

d, da, db, dc, dd, dD, df, dp, dq, du, dw, dW, dyb, dyd (Display Memory)

The d* commands display the contents of memory in the given range.

Syntax

d{a|b|c|d|D|f|p|q|u|w|W} [Options] [Range]
dy{b|d} [Options] [Range]
d [Options] [Range]

 

0:000> dd 420000 
0:000> dd poi(123456) 

In C++ expressions, pointers behave like pointers in C++. However, numbers are interpreted as integers. If you have to dereference an actual number, you must cast it first, as the following example shows.

0:000> dd *( (long*) 0x123456 ) 

Some pseudo-registers also hold common

 

 

//=================================================================================================

* Examine exported symbols

x (Examine Symbols)

The x command displays the symbols in all contexts that match the specified pattern.

Syntax

x [Options] Module!Symbol 

 

> x nt!KeService*

> x nt!*

 

 

 

//=================================================================================================

* Check a type

dt (Display Type)

The dt command displays information about a local variable, global variable or data type. This can display information about simple data types, as well as structures and unions.

 

Kernel-Mode Syntax

[Processor] dt [-DisplayOpts] [-SearchOpts] [module!]NAME [[-SearchOpts] Field] [Address] [-l List]
dt [-DisplayOpts] Address [-l List]
dt -h 

 

dt nt!_PEB

dt nt!_EPROCESS -l ActiveProcessLinks.Flink -y Ima -yoi Uni 814856f0

 


Posted by codens