WinDbg 기본 명령어 – 뿡뿡너구리의 블로그

Basic Commands

The help file that comes with the WinDbg installation documents commands well, but the following basic commands should get you started:

Feature	Command	What Does it Do	Example / Comments	See Also Related Commands

Stack trace	K, KB `x`	Displays stack trace of current thread (`x` frames). Kb causes the display to include the first three parameters passed to each function.		KP, Kp, or KV
Frame	.frame `X`
Register watch	R	Displays register set. reax – displays the `eax` register.
Step	t	Trace = Step into (F11)
	p	Step over (F10)
	Step out	Shift + F11
Disassemble	u	Unassemble next few instructions
	u <`start_address`>	Unassemble instructions at `start_address`
	u <`start_address`> <`end_address`>	Unassemble instructions from `start_address` till `end_address`
Breakpoints	Bl	List breakpoints.
	be, bd, bc	Enable / disable / clear breakpoint.
	bp	Set a breakpoint.
	bu	Set unresolved breakpoint. Breakpoint is resolved by symbolic name, not absolute address. Use this to set breakpoint at a function whose containing module has not yet been loaded.	bu foo

Comment	*	Ignores the command	* Hello World
Continue	G <`address_X` / `symbol`>	Go. Resumes execution until `address_X`
	GH	Go, exception handled
	GN	Go, exception not handled
Quit	Q
Dumping data	dv	Display local variables.	You need private symbols.
	Dd <`address`>	Display `dword` values at specified address.	To see value of an `int`, DD <`addr`> L1
	Ds, da (ASCII), du (Unicode)	Dump string
	Dt [dt module!typedef adr]	Dump type. Will dump the contents of the memory using `typedef` as a template.
Change / Edit Values	Eb (`byte`), ed (`dword`), ea (ASCII), eu (Unicode)	Edit value of a variable
List modules	lm	List loaded modules		Lmi, lml, !dlls
Threads	~	Lists all threads
Command on thread n	~n<`command`>	Switch to a specific thread by thread-id and execute a command on the thread.	~2kb (second thread's stack)

Search for a symbol in a module	X module!<pattern>		X blah!foo
Dump	.dump
Source line display	.lines	Turns on source code display
	ln adr	Will show the symbol nearest to that location.

Note:

There is no "step out" (Shift+F11). You have to find the return address on the stack manually and use "g adr". You can find this address by using "k". If you know the function uses ebp frames you can use "g poi(ebp+4)" to step out.
To inspect local variables:
1. Use the "dv" command.
2. Then use the "dt <variablename>" command.
3. Note: you may not see correct values if values are stored in registers or due to FPO.

More Commands

Feature	Command	What Does it Do	Example / Comments	See Also Related Commands
	Vertarget	Shows information about the system on which you are debugging.
Data breakpoint (hardware bp)	Ba [ba r/w/e size adr]	Sets a data breakpoint. You can break on read/ write/ execute attempt of a memory location.	ba w4 adr
Exceptions	.lastevent	Displays last exception record
Exceptions	Sx, Sxe, sxd, sxn, sxi `exception_X`	Enable/ disable/ notify-only/ ignore first chance exception /event `exception_X`. Example of event: module unload/ thread creation.
Display type	Dt	Shows `struct` and field values.	Dt x; // x: int Dt myStruct; // struct myStruct Dt myStruct myVar1; // shows myStruct.myVar1
Reload symbols	.reload	Reloads symbols using the symbol path you would have set.
Source lines	l+l, l+o, l+s, l+t	Source line options
	.ecxr	If you had an exception, switches context to faulting context.
	.quit_lock
	;	Command separator
	?	Evaluate expression
	\|	Display process information
	.chain	Lists all loaded debugger extensions.
	.echo <`string`>	Echo/ print any string	Echo xyz
	.exr <`address_x`>	Display exception record at `x`.
	.cxr <`address_x`>	Display context record at `x`.
	.trap	Dump a trap frame.

Handy Extension Commands

!help – help for WinDbg extension commands.
!load, !unload – to load and unload debugger extension DLLs.
!handle – displays information about handles owned by processes.
!peb - shows the PEB (process environment block) including DLL information.