{"id":209,"date":"2010-04-18T00:35:14","date_gmt":"2010-04-18T09:35:14","guid":{"rendered":"\/blog\/?p=209"},"modified":"2023-09-21T09:39:10","modified_gmt":"2023-09-21T00:39:10","slug":"windbg-%ea%b8%b0%eb%b3%b8-%eb%aa%85%eb%a0%b9%ec%96%b4","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=209","title":{"rendered":"WinDbg \uae30\ubcf8 \uba85\ub839\uc5b4"},"content":{"rendered":"\n

Basic Commands<\/a><\/h3>\n

The help file that comes with the WinDbg installation documents commands \nwell, but the following basic commands should get you started:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Feature<\/td>\nCommand<\/td>\nWhat Does it Do<\/td>\nExample \/ Comments<\/td>\nSee Also Related Commands<\/td><\/tr>\n
 <\/td>\n <\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
Stack trace<\/td>\nK, KB x<\/code><\/td>\nDisplays stack trace of current thread (x<\/code> frames). Kb causes \nthe display to include the first three parameters passed to each function.<\/td>\n <\/td>\nKP, Kp, or KV<\/td><\/tr>\n
Frame<\/td>\n.frame X<\/code><\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
Register watch<\/td>\nR<\/td>\nDisplays register set. reax \u2013 displays the eax<\/span><\/code> register.<\/td>\n <\/td>\n <\/td><\/tr>\n
Step<\/td>\nt<\/td>\nTrace = Step into (F11)<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\np<\/td>\nStep over (F10)<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nStep out<\/td>\nShift + F11<\/td>\n <\/td>\n <\/td><\/tr>\n
Disassemble<\/td>\nu<\/td>\nUnassemble next few instructions<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nu <start_address<\/code>><\/td>\nUnassemble instructions at start_address<\/code><\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nu <start_address<\/code>> \n

<end_address<\/code>><\/p><\/td>\n

Unassemble instructions from start_address<\/code> till \nend_address<\/code><\/td>\n <\/td>\n <\/td><\/tr>\n
Breakpoints<\/td>\nBl<\/td>\nList breakpoints.<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nbe, bd, bc<\/td>\nEnable \/ disable \/ clear breakpoint.<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nbp<\/td>\nSet a breakpoint.<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nbu<\/td>\nSet unresolved breakpoint. Breakpoint is resolved by symbolic name, not \nabsolute address. Use this to set breakpoint at a function whose containing \nmodule has not yet been loaded.<\/td>\nbu foo<\/td>\n <\/td><\/tr>\n
 <\/td>\n <\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
Comment<\/td>\n*<\/td>\nIgnores the command<\/td>\n* Hello World<\/td>\n <\/td><\/tr>\n
Continue<\/td>\nG <address_X<\/code> \/ symbol<\/code>><\/td>\nGo. Resumes execution until address_X<\/code><\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nGH<\/td>\nGo, exception handled<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nGN<\/td>\nGo, exception not handled<\/td>\n <\/td>\n <\/td><\/tr>\n
Quit<\/td>\nQ<\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
Dumping data<\/td>\ndv<\/td>\nDisplay local variables.<\/td>\nYou need private symbols.<\/td>\n <\/td><\/tr>\n
 <\/td>\nDd <address<\/code>><\/td>\nDisplay dword<\/code> values at specified address.<\/td>\nTo see value of an int<\/span><\/code>, DD \n<addr<\/code>> L1<\/td>\n <\/td><\/tr>\n
 <\/td>\nDs, da (ASCII), du (Unicode)<\/td>\nDump string<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nDt [dt module<\/i>!typedef<\/i> adr<\/i>]<\/td>\nDump type. Will dump the contents of the memory using typedef<\/span><\/code> as a template.<\/td>\n <\/td>\n <\/td><\/tr>\n
Change \/ Edit Values<\/td>\nEb (byte<\/span><\/code>), ed \n(dword<\/code>), ea (ASCII), eu (Unicode)<\/td>\nEdit value of a variable<\/td>\n <\/td>\n <\/td><\/tr>\n
List modules<\/td>\nlm<\/td>\nList loaded modules<\/td>\n <\/td>\nLmi, lml, !dlls<\/td><\/tr>\n
Threads<\/td>\n~<\/td>\nLists all threads<\/td>\n <\/td>\n <\/td><\/tr>\n
Command on thread n<\/td>\n~n<command<\/code>><\/td>\nSwitch to a specific thread by thread-id and execute a command on the \nthread.<\/td>\n~2kb (second thread's stack)<\/td>\n <\/td><\/tr>\n
 <\/td>\n <\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
Search for a symbol in a module<\/td>\nX module!<pattern><\/td>\n <\/td>\nX blah!*foo*<\/td>\n <\/td><\/tr>\n
Dump<\/td>\n.dump<\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
Source line display<\/td>\n.lines<\/td>\nTurns on source code display<\/td>\n <\/td>\n <\/td><\/tr>\n
 <\/td>\nln adr<\/i><\/td>\nWill show the symbol nearest to that location.<\/td>\n <\/td>\n <\/td><\/tr><\/tbody><\/table>Note:<\/a> \n
  1. There is no \"step out\" (Shift+F11). You have to find the return address on \nthe stack manually and use \"g adr<\/i>\". You can find this address by using \n\"k\". If you know the function uses ebp frames you can use \"g poi(ebp+4)\" to step \nout. \n<\/li>
  2. To inspect local variables: \n
    1. Use the \"dv\" command. \n<\/li>
    2. Then use the \"dt <variablename<\/code>>\" command. \n<\/li>
    3. Note: you may not see correct values if values are stored in registers or \ndue to FPO. <\/li><\/ol><\/li><\/ol>\n

      More Commands<\/a><\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      Feature<\/td>\nCommand<\/td>\nWhat Does it Do<\/td>\nExample \/ Comments<\/td>\nSee Also Related Commands<\/td><\/tr>\n
       <\/td>\nVertarget<\/td>\nShows information about the system on which you are debugging.<\/td>\n <\/td>\n <\/td><\/tr>\n
      Data breakpoint (hardware bp)<\/td>\nBa \n

      [ba r\/w\/e size<\/i> adr<\/i>]<\/p><\/td>\n

      		Sets a data breakpoint. You can break on read\/ write\/ execute attempt of a \nmemory location.<\/td>\nba w4 adr<\/i><\/td>\n <\/td><\/tr>\n
      Exceptions<\/td>\n.lastevent<\/td>\nDisplays last exception record<\/td>\n <\/td>\n <\/td><\/tr>\n
      Exceptions<\/td>\nSx, Sxe, sxd, sxn, sxi exception_X<\/code><\/td>\nEnable\/ disable\/ notify-only\/ ignore first chance exception \/event \nexception_X<\/code>. <\/i>Example of event: module unload\/ thread \ncreation.<\/td>\n <\/td>\n <\/td><\/tr>\n
      Display type<\/td>\nDt<\/td>\nShows struct<\/span><\/code> and field \nvalues.<\/td>\nDt x;<\/i> \/\/ x: int
      Dt myStruct;<\/i> \/\/ struct myStruct
      Dt \nmyStruct myVar1;<\/i> \/\/ shows myStruct.myVar1<\/td>\n      		 <\/td><\/tr>\n
      Reload symbols<\/td>\n.reload<\/td>\nReloads symbols using the symbol path you would have set.<\/td>\n <\/td>\n <\/td><\/tr>\n
      Source lines<\/td>\nl+l, l+o, l+s, l+t<\/td>\nSource line options<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n.ecxr<\/td>\nIf you had an exception, switches context to faulting context.<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n.quit_lock<\/td>\n <\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n;<\/td>\nCommand separator<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n?<\/td>\nEvaluate expression<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n|<\/td>\nDisplay process information<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n.chain<\/td>\nLists all loaded debugger extensions.<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n.echo <string<\/span><\/code>><\/td>\nEcho\/ print any string<\/td>\nEcho xyz<\/td>\n <\/td><\/tr>\n
       <\/td>\n.exr <address_x<\/code>><\/td>\nDisplay exception record at x<\/code>.<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n.cxr <address_x<\/code>><\/td>\nDisplay context record at x<\/code>.<\/td>\n <\/td>\n <\/td><\/tr>\n
       <\/td>\n.trap<\/td>\nDump a trap frame.<\/td>\n <\/td>\n <\/td><\/tr><\/tbody><\/table>\n

      Handy Extension Commands<\/a><\/h3>\n
      • !help \u2013 help for WinDbg extension commands. \n<\/li>
      • !load, !unload \u2013 to load and unload debugger extension DLLs. \n<\/li>
      • !handle \u2013 displays information about handles owned by processes. \n<\/li>
      • !peb - shows the PEB (process environment block) including DLL information. \n<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"

        Basic Commands The help file that comes with the WinDbg installation documents commands well, but the following basic commands should get you started: Feature Command What Does it Do Example \/ Comments See Also Related Commands           Stack trace K, KB x Displays stack trace of current thread (x frames). Kb […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[24],"tags":[],"class_list":["post-209","post","type-post","status-publish","format-standard","hentry","category-development_winddk"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=209"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/209\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}