windbg dump分析之分析命令

1.符号路径基本语法：

SRV* 【cache】*toppath

例如：Microsoft公有符号存储地址：http://msdl.microsoft.com/download/symbols

设置符号路径就是：SRV*c:\mysymbols*http://msdl.microsoft.com/download/symbols

c:\mysymbols作为符号缓存以加快符号的访问速度

2.查看已加载的模块和符号文件基本语法：

lm [option] [-a Address] [-m Pattern] [-M Pattern]

eg.

0:000> lm
start    end        module name
00400000 007ca890   procexp    (deferred)             
71a10000 71a18000   WS2HELP    (deferred)             
71a20000 71a37000   WS2_32     (deferred)             
71a90000 71aa2000   MPR        (deferred)             
76320000 76367000   COMDLG32   (deferred)             
76990000 76ace000   ole32      (deferred)             
770f0000 7717b000   OLEAUT32   (deferred)             
77180000 77283000   COMCTL32   (deferred)             
77bd0000 77bd8000   VERSION    (deferred)             
77be0000 77c38000   msvcrt     (deferred)             
77d10000 77da0000   USER32     (deferred)             
77da0000 77e49000   ADVAPI32   (deferred)             
77e50000 77ee3000   RPCRT4     (deferred)             
77ef0000 77f39000   GDI32      (deferred)             
77f40000 77fb6000   SHLWAPI    (deferred)             
77fc0000 77fd1000   Secur32    (deferred)             
7c800000 7c91e000   kernel32   (deferred)             
7c920000 7c9b6000   ntdll      (pdb symbols)          d:\mylocalsymbols\ntdll.pdb\E62AEBA49D7048669405A13F1D46A57E2\ntdll.pdb
7d590000 7dd84000   SHELL32    (deferred)             

3.重新加载符号基本语法：

.reload 抛弃所有已加载的符号信息，任何解析符号的动作将从硬盘上重新加载符号文件

.reload <module>抛弃module的符号信息，任何解析符号的动作将从硬盘上重新加载符号文件

.reload /f <module> 强制调试器立刻加载并且解析与模块module相关的符号文件

.reload nt 加载与当前windows NT内核相对应的符号文件

.reload /user 当前活跃的进程加载所有的用户态符号

.reload <module>=start, size通过指定起始地址来强制加载符号

eg:

0:000> .reload /f WS2_32.dll
0:000> lm
start    end        module name
00400000 007ca890   procexp    (deferred)             
71a10000 71a18000   WS2HELP    (deferred)             
71a20000 71a37000   WS2_32     (pdb symbols)          d:\mylocalsymbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb
71a90000 71aa2000   MPR        (deferred)             
76320000 76367000   COMDLG32   (deferred)             
76990000 76ace000   ole32      (deferred)             
770f0000 7717b000   OLEAUT32   (deferred)             
77180000 77283000   COMCTL32   (deferred)             
77bd0000 77bd8000   VERSION    (deferred)             
77be0000 77c38000   msvcrt     (deferred)             
77d10000 77da0000   USER32     (deferred)             
77da0000 77e49000   ADVAPI32   (deferred)             
77e50000 77ee3000   RPCRT4     (deferred)             
77ef0000 77f39000   GDI32      (deferred)             
77f40000 77fb6000   SHLWAPI    (deferred)             
77fc0000 77fd1000   Secur32    (deferred)             
7c800000 7c91e000   kernel32   (deferred)             
7c920000 7c9b6000   ntdll      (pdb symbols)          d:\mylocalsymbols\ntdll.pdb\E62AEBA49D7048669405A13F1D46A57E2\ntdll.pdb
7d590000 7dd84000   SHELL32    (deferred)     

4.验证符号基本语法：

!chksym Address

eg:(参考71a20000 71a37000   WS2_32 )

:000> !chksym 71a20011


C:\WINDOWS\system32\WS2_32.dll
    Timestamp: 4802BE08
  SizeOfImage: 17000
          pdb: ws2_32.pdb
      pdb sig: A7605F86-95A3-4329-B38D-DB8421A004CA
          age: 2


Loaded pdb is d:\mylocalsymbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb


ws2_32.pdb
      pdb sig: A7605F86-95A3-4329-B38D-DB8421A004CA
          age: 2


MATCH: ws2_32.pdb and C:\WINDOWS\system32\WS2_32.dll

5.使用符号基本语法：

x [option] module!symbols

例如：

*为通配符，在调试陌生代码时很有用

x *!*some*

x module!*

1. 查看目标系统

vertarget 是version命令的一个功能子集

vertarget显示调试目标所在的操作系统版本

version则会显示调试环境的其它信息

eg：

0:000> version
Windows XP Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)
Machine Name:
Debug session time: Sat Jun 30 08:45:50.437 2012 (GMT+8)
System Uptime: 0 days 1:14:31.091
Process Uptime: 0 days 0:23:58.671
  Kernel time: 0 days 0:00:00.000
  User time: 0 days 0:00:00.015
Live user mode: <Local>


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" '  Debugger Process 0x12C 
dbgeng:  image 6.11.0001.404, built Thu Feb 26 09:55:43 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll]
dbghelp: image 6.11.0001.404, built Thu Feb 26 09:55:30 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
        DIA version: 11212
Extension DLL search Path:
    C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\ThinkPad Wireless LAN Adapter Software;C:\Program Files\Common Files\Lenovo;D:\Program Files\TortoiseSVN\bin;d:\Program Files\T58KTV\9158VirtualCamera\Package\bpl;d:\Program Files\T58KTV\9158VirtualCamera\bin;C:\Program Files\QuickTime\QTSystem\;d:\Program Files\Lua\5.1;d:\Program Files\Lua\5.1\clibs;d:\Program Files\Tencent\QQPCMgr\6.6.2135.201;C:\Program Files\IDM Computer Solutions\UltraEdit\;d:\Program Files\Tencent\QQPCMgr\6.6.2135.201
Extension DLL chain:
    dbghelp: image 6.11.0001.404, API 6.1.6, built Thu Feb 26 09:55:30 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 09:55:30 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 09:55:24 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    uext: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 09:55:26 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll]
    ntsdexts: image 6.1.7015.0, API 1.0.0, built Thu Feb 26 09:54:43 2009
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]

2.查看寄存器值

r

eg：

0:000> r
eax=00251eb4 ebx=7ffd7000 ecx=00000001 edx=00000002 esi=00251f48 edi=00251eb4
eip=7c92120e esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c92120e cc              int     3

reax

eg：

0:000> reax
eax=00251eb4

reax=1

eg：

0:000> reax=1
0:000> reax
eax=00000001

3.处理器当前执行代码

u . 当前eip指向地址上8条指令

uf  . 当前eip指向地址整个函数

ub . 当前eip指向地址之前8条指令

u .L2之后2条指令

ub .L2之前2条指令

4.查看当前调用栈

k 显示调用栈

kP 5 显示在调用栈中前五个函数以及它们的参数

kb 5 显示在调用栈中五个函数的前三个参数

kf 5 显示在调用栈中五个函数所使用的栈大小

eg：

0:000> kf 5
  Memory  ChildEBP RetAddr  
          0012fb1c 7c96031d ntdll!DbgBreakPoint
      178 0012fc94 7c941c87 ntdll!LdrpInitializeProcess+0x1014
       88 0012fd1c 7c92e457 ntdll!_LdrpInitialize+0x183
          00000000 00000000 ntdll!KiUserApcDispatcher+0x7

k = 栈基指针 栈顶指针 指令指针用来手动重新构造栈

5.在代码中设置断点

bl列出所有断点

bc * 清除所有断点

bp module!myclass:memfun设置断点

6.查看变量的值

dv显示局部变量的值

dv /i显示值以及存储位置

dt this 已知符号this指针

dt KBTest 0x1111111解析地址0x1111111，类型为KBTest 变量值

7.查看内存命令

d[type] [AddressRange]