Nytro, posted October 9, 2014

I have started using WinDbg more often (IDA sucks in some respects) and I made myself a list of the useful commands.

? - Regular commands help
?? expr - Evaluate C++ expression
$$ comment - Add comment
~ - All threads
~. - Current thread
~. k - Current thread stack
~* k - All threads stack
.cls - Clear screen
.help - Display . commands
.hh text - Open Help and search text
.lastevent - Last exception/event
.time - Kernel and user time
.tthread - Thread time
.attach - Attach to process with PID
.detach - Detach from process
.restart - Restart application
.symfix - Set default symbol path
.reload - Reload all symbols
.tlist - List all processes
!Ext.help - General extensions
!Exts.help - Other extensions
!Uext.help - User-mode extensions
!Wdfkd.help - Kernel-mode extensions
!analyze -v - Information about current exception
!threads - Detailed threads info
!address -summary - Memory addresses
!heap -s - Heap info
!runaway - Time of all threads
!teb - Thread Environment Block
!peb - Process Environment Block
!dlls - Loaded modules (+options)
!lmi chrome.dll - Module information
!dh kernel32.dll - Display PE headers and sections
!tls - Thread Local Storage
!gle - Dump last errors (by threads)
!error ERR - Display error text info
!uniqstack - Stack for all threads
!address Addr - Display info about address
!mapped_file Addr - File containing that address
g - Go
gu - Go up (until function complete)
q - End debug session
p - Single step
pt - Step to next return
pc - Step to next call
pa Addr - Step until addr
lm / lmf - Loaded modules
lm vm chrome - Module information
ld * / module - Load symbols
n 10 / 16 - Change number base
x kernel32!Load* - Examine symbols
ln addr - List nearest symbols
k - Stack
kd - Raw stack
kb - Stack with first 3 params
r - Show registers
r eax,ebx - Show some registers
r ecx=0 - Set register value
dt ntdll!_PEB - Display type
dv - Display local variables
da, du - Display ASCII/Unicode memory
db, dw, dd, dq, df - Display byte/word/dword/qword/float memory
db*, dd* - Display dereferenced memory
eb, ew, ed, eq, ef - Edit byte/word/dword/qword/float memory
c, m, f - Compare, move, fill memory
s Addr Size Data - Search data
bl - List breakpoints
bc * - Clear all breakpoints
be / bd - Enable/disable breakpoints
bp Addr - Add breakpoint
bm Sym - Add breakpoint on symbol
ba [rwx] Addr - Break on access
bp mod!addr /1 - Only once
bp mod!addr k - Only triggered after k-1 passes

Maybe someone else will find it useful.

More commands: http://windbg.info/doc/1-common-cmds.html
A small cheat sheet: https://labs.snort.org/awbo/windbg.txt
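As an added example (not from the original post), the following WinDbg script chains several of the commands listed above into one user-mode session: symbol setup, a conditional breakpoint that logs every CreateFileW call and continues, a wildcard breakpoint, a one-shot breakpoint and a pass-count breakpoint. It assumes a 32-bit user-mode target (first argument at esp+4 on function entry) with public Microsoft symbols reachable; the script path is a placeholder.

```windbg
$$ Added example, not part of the original post. Assumes a 32-bit
$$ user-mode target and the public Microsoft symbol server.
$$ Run it from the debugger with:  $$>< C:\path\to\script.txt

$$ 1. Symbols first; bp/bm on kernel32!... cannot resolve without them.
.symfix
.reload
lm vm kernel32

$$ 2. Log every CreateFileW call: dump the file name (first argument,
$$    at esp+4 on x86 at function entry), show one caller frame with its
$$    parameters, then continue (gc = go from conditional breakpoint).
bp kernel32!CreateFileW "du poi(@esp+4); kb 1; gc"

$$ 3. Match every LoadLibrary* variant with one wildcard breakpoint.
bm kernel32!LoadLibrary* "kb 3; gc"

$$ 4. One-shot breakpoint on the executable's entry point ($exentry).
bp /1 @$exentry

$$ 5. Pass-count breakpoint: stop only on the 5th hit of GetLastError
$$    and dump the thread's last error when it does.
bp kernel32!GetLastError 5 "!gle; .echo fifth GetLastError hit"

$$ Review the breakpoint set, then run the target.
bl
g

$$ Once the target has stopped, inspect the last error and the PEB.
!gle
dt ntdll!_PEB @$peb
```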
Ganav, posted October 9, 2014

@Nytro I want to ask you, what setup do you use when you do kernel debugging? The ideal way would involve two machines connected either via USB or RS232, but in my case this is not possible. Virtual machines can also be used, but in that case the memory image (data+instructions) is not updated in real time (it has considerable delays).
Nytro (author), posted October 9, 2014

I haven't done kernel debugging, but http://alexandreborgesbrazil.files.wordpress.com/2014/03/intro_win_debugging.pdf .