WinDbg dump analysis: analysis commands
Source: Internet  Editor: 程序博客网  Time: 2024/04/29 06:26
1. Symbol path, basic syntax:
SRV*[cache]*toppath
For example, the Microsoft public symbol store is at http://msdl.microsoft.com/download/symbols
so the symbol path is: SRV*c:\mysymbols*http://msdl.microsoft.com/download/symbols
c:\mysymbols serves as the local symbol cache, which speeds up later symbol access
2. Listing loaded modules and their symbol files, basic syntax:
lm [option] [-a Address] [-m Pattern] [-M Pattern]
eg.
0:000> lm
start end module name
00400000 007ca890 procexp (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (deferred)
71a90000 71aa2000 MPR (deferred)
76320000 76367000 COMDLG32 (deferred)
76990000 76ace000 ole32 (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 COMCTL32 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91e000 kernel32 (deferred)
7c920000 7c9b6000 ntdll (pdb symbols) d:\mylocalsymbols\ntdll.pdb\E62AEBA49D7048669405A13F1D46A57E2\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
3. Reloading symbols, basic syntax:
.reload discards all loaded symbol information; any subsequent symbol resolution reloads the symbol files from disk
.reload <module> discards the symbol information for module; any subsequent symbol resolution reloads its symbol file from disk
.reload /f <module> forces the debugger to load and resolve the symbol file for module immediately
.reload nt loads the symbol file matching the currently running Windows NT kernel
.reload /user loads all user-mode symbols for the currently active process
.reload <module>=start,size forces symbol loading by specifying the module's start address and size
eg:
0:000> .reload /f WS2_32.dll
0:000> lm
start end module name
00400000 007ca890 procexp (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (pdb symbols) d:\mylocalsymbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb
71a90000 71aa2000 MPR (deferred)
76320000 76367000 COMDLG32 (deferred)
76990000 76ace000 ole32 (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 COMCTL32 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee3000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91e000 kernel32 (deferred)
7c920000 7c9b6000 ntdll (pdb symbols) d:\mylocalsymbols\ntdll.pdb\E62AEBA49D7048669405A13F1D46A57E2\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
4. Verifying symbols, basic syntax:
!chksym Address
eg: (71a20011 lies inside the range 71a20000 71a37000 of WS2_32 in the listing above)
0:000> !chksym 71a20011
C:\WINDOWS\system32\WS2_32.dll
Timestamp: 4802BE08
SizeOfImage: 17000
pdb: ws2_32.pdb
pdb sig: A7605F86-95A3-4329-B38D-DB8421A004CA
age: 2
Loaded pdb is d:\mylocalsymbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb
ws2_32.pdb
pdb sig: A7605F86-95A3-4329-B38D-DB8421A004CA
age: 2
MATCH: ws2_32.pdb and C:\WINDOWS\system32\WS2_32.dll
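The paths printed by lm and !chksym above follow the symbol-store layout <pdb name>\<PDB GUID without dashes><age in hex>\<pdb name>, so the expected cache location of a PDB can be computed from the image's "pdb sig" and "age" and compared with what the debugger actually loaded. The following Python is an added example, not code from the original post: it parses the lm and !chksym output shown above (embedded here as constructed sample strings), recomputes the store path, and checks that the loaded PDB's signature and age match the image. The function names (parse_lm, symbol_store_relpath, check_symbol, module_for_address) are this example's own, and it assumes the age printed by !chksym is hexadecimal, as it is in the store key.

```python
import re

# Constructed sample input: the `!chksym 71a20011` output shown above.
CHKSYM_OUTPUT = r"""
C:\WINDOWS\system32\WS2_32.dll
Timestamp: 4802BE08
SizeOfImage: 17000
pdb: ws2_32.pdb
pdb sig: A7605F86-95A3-4329-B38D-DB8421A004CA
age: 2
Loaded pdb is d:\mylocalsymbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb
ws2_32.pdb
pdb sig: A7605F86-95A3-4329-B38D-DB8421A004CA
age: 2
MATCH: ws2_32.pdb and C:\WINDOWS\system32\WS2_32.dll
"""

# Constructed sample input: a few `lm` lines from the listing shown above.
LM_OUTPUT = r"""
start end module name
00400000 007ca890 procexp (deferred)
71a10000 71a18000 WS2HELP (deferred)
71a20000 71a37000 WS2_32 (pdb symbols) d:\mylocalsymbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb
7c920000 7c9b6000 ntdll (pdb symbols) d:\mylocalsymbols\ntdll.pdb\E62AEBA49D7048669405A13F1D46A57E2\ntdll.pdb
"""

LM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_lm(text):
    """Return {module: (start, end, symbol status, loaded symbol path or None)} from lm output."""
    modules = {}
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        start, end, name, status, path = m.groups()
        modules[name] = (int(start, 16), int(end, 16), status, path or None)
    return modules


def deferred_modules(modules):
    """Modules whose symbols have not been loaded yet (status 'deferred')."""
    return sorted((n for n, info in modules.items() if info[2] == "deferred"), key=str.lower)


def module_for_address(modules, address):
    """Name of the module whose [start, end) range contains address, or None."""
    for name, (start, end, _status, _path) in modules.items():
        if start <= address < end:
            return name
    return None


def symbol_store_relpath(pdb_name, pdb_sig, age):
    """Location of a PDB inside a symbol store: <pdb>\<GUID hex><age hex>\<pdb>.
    The GUID is written without dashes in upper case, and the age is appended in
    upper-case hex without padding (assumption: standard symbol-store layout)."""
    key = pdb_sig.replace("-", "").upper() + format(age, "X")
    return f"{pdb_name}\\{key}\\{pdb_name}"


def parse_chksym(text):
    """Pull the image identity (first sig/age) and the loaded PDB identity out of !chksym output."""
    sigs = re.findall(r"pdb sig:\s*([0-9A-Fa-f-]+)", text)
    # Anchor at line start so 'SizeOfImage: 17000' is not mistaken for an age line.
    ages = re.findall(r"^\s*age:\s*([0-9A-Fa-f]+)", text, re.M)
    pdb = re.search(r"^\s*pdb:\s*(\S+)", text, re.M).group(1)
    loaded = re.search(r"Loaded pdb is\s+(\S+)", text)
    return {
        "pdb": pdb,
        "image_sig": sigs[0],
        "image_age": int(ages[0], 16),  # assumption: age printed in hex
        "loaded_path": loaded.group(1) if loaded else None,
        "loaded_sig": sigs[1] if len(sigs) > 1 else None,
        "loaded_age": int(ages[1], 16) if len(ages) > 1 else None,
    }


def check_symbol(text):
    """Compare the loaded PDB against the image: identity (GUID+age) and store path."""
    info = parse_chksym(text)
    expected = symbol_store_relpath(info["pdb"], info["image_sig"], info["image_age"])
    identity_ok = (info["loaded_sig"] is not None
                   and info["loaded_sig"].upper() == info["image_sig"].upper()
                   and info["loaded_age"] == info["image_age"])
    path_ok = (info["loaded_path"] is not None
               and info["loaded_path"].lower().endswith(expected.lower()))
    return {"expected_relpath": expected, "identity_match": identity_ok, "path_match": path_ok}


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    print("deferred:", deferred_modules(mods))
    print("0x71a20011 is in", module_for_address(mods, 0x71A20011))
    print(check_symbol(CHKSYM_OUTPUT))
```

A PDB whose GUID or age differs from the image's is the usual reason a "MATCH" line is missing and stack traces show bogus symbol+offset names; checking the identity rather than just the file name catches a stale cache copy.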
5. Using symbols, basic syntax:
x [option] module!symbols
For example:
* is a wildcard, which is very useful when debugging unfamiliar code
x *!*some*
x module!*
1. Examining the target system
vertarget is a functional subset of the version command
vertarget shows the operating system version of the debug target
version additionally shows other information about the debugging environment
eg:
0:000> version
Windows XP Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)
Machine Name:
Debug session time: Sat Jun 30 08:45:50.437 2012 (GMT+8)
System Uptime: 0 days 1:14:31.091
Process Uptime: 0 days 0:23:58.671
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.015
Live user mode: <Local>
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" ' Debugger Process 0x12C
dbgeng: image 6.11.0001.404, built Thu Feb 26 09:55:43 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll]
dbghelp: image 6.11.0001.404, built Thu Feb 26 09:55:30 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
DIA version: 11212
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\ThinkPad Wireless LAN Adapter Software;C:\Program Files\Common Files\Lenovo;D:\Program Files\TortoiseSVN\bin;d:\Program Files\T58KTV\9158VirtualCamera\Package\bpl;d:\Program Files\T58KTV\9158VirtualCamera\bin;C:\Program Files\QuickTime\QTSystem\;d:\Program Files\Lua\5.1;d:\Program Files\Lua\5.1\clibs;d:\Program Files\Tencent\QQPCMgr\6.6.2135.201;C:\Program Files\IDM Computer Solutions\UltraEdit\;d:\Program Files\Tencent\QQPCMgr\6.6.2135.201
Extension DLL chain:
dbghelp: image 6.11.0001.404, API 6.1.6, built Thu Feb 26 09:55:30 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 09:55:30 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 09:55:24 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
uext: image 6.11.0001.404, API 1.0.0, built Thu Feb 26 09:55:26 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll]
ntsdexts: image 6.1.7015.0, API 1.0.0, built Thu Feb 26 09:54:43 2009
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]
2. Viewing register values
r
eg:
0:000> r
eax=00251eb4 ebx=7ffd7000 ecx=00000001 edx=00000002 esi=00251f48 edi=00251eb4
eip=7c92120e esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c92120e cc int 3
reax displays the eax register only
eg:
0:000> reax
eax=00251eb4
reax=1 sets eax to 1
eg:
0:000> reax=1
0:000> reax
eax=00000001
3. Code the processor is currently executing
u . disassembles 8 instructions starting at the address eip points to
uf . disassembles the entire function containing the address eip points to
ub . disassembles the 8 instructions before the address eip points to
u . L2 disassembles the 2 instructions starting at the current address
ub . L2 disassembles the 2 instructions before the current address
4. Viewing the current call stack
k displays the call stack
kP 5 displays the first five frames of the call stack together with all their parameters
kb 5 displays five frames with the first three parameters of each
kf 5 displays five frames together with the stack space each frame uses
eg:
0:000> kf 5
Memory ChildEBP RetAddr
0012fb1c 7c96031d ntdll!DbgBreakPoint
178 0012fc94 7c941c87 ntdll!LdrpInitializeProcess+0x1014
88 0012fd1c 7c92e457 ntdll!_LdrpInitialize+0x183
00000000 00000000 ntdll!KiUserApcDispatcher+0x7
k = BasePtr StackPtr InstructionPtr reconstructs the stack manually from a given base pointer, stack pointer, and instruction pointer
5. Setting breakpoints in code
bl lists all breakpoints
bc * clears all breakpoints
bp module!myclass::memfun sets a breakpoint on a member function
6. Viewing variable values
dv displays the values of local variables
dv /i displays the values together with where each variable is stored
dt this displays the object the this pointer refers to, when its symbol is known
dt KBTest 0x1111111 interprets the memory at address 0x1111111 as type KBTest and displays its field values
7. Memory display commands
d[type] [AddressRange]
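The Memory column printed by kf is simply the distance between one frame's ChildEBP and the previous frame's ChildEBP (0012fc94 - 0012fb1c = 178, 0012fd1c - 0012fc94 = 88). The following Python is an added example, not code from the original post: it parses the kf output shown above (embedded as a constructed sample string), recomputes each frame's size from the ChildEBP values, and checks the result against the reported column, which is a quick way to spot the frame with the largest stack footprint in a dump. The function names (parse_kf, frame_sizes, check_kf, largest_frame) are this example's own.

```python
# Constructed sample input: the `kf 5` output shown above.
KF_OUTPUT = """
Memory ChildEBP RetAddr
0012fb1c 7c96031d ntdll!DbgBreakPoint
178 0012fc94 7c941c87 ntdll!LdrpInitializeProcess+0x1014
88 0012fd1c 7c92e457 ntdll!_LdrpInitialize+0x183
00000000 00000000 ntdll!KiUserApcDispatcher+0x7
"""


def parse_kf(text):
    """Return a list of (memory, child_ebp, ret_addr, symbol) tuples.
    memory is None where the column is blank (the first frame, and frames
    whose ChildEBP is 0)."""
    frames = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() == "memory":
            continue  # blank line or the column header
        if len(tokens) == 4:
            mem, ebp, ret, sym = tokens
            frames.append((int(mem, 16), int(ebp, 16), int(ret, 16), sym))
        elif len(tokens) == 3:
            ebp, ret, sym = tokens
            frames.append((None, int(ebp, 16), int(ret, 16), sym))
    return frames


def frame_sizes(frames):
    """Recompute the Memory column: each frame's size is its ChildEBP minus the
    previous frame's ChildEBP. None where either EBP is 0 (no valid frame)."""
    sizes = []
    for prev, cur in zip(frames, frames[1:]):
        if prev[1] == 0 or cur[1] == 0:
            sizes.append(None)
        else:
            sizes.append(cur[1] - prev[1])
    return sizes


def check_kf(text):
    """Return [(symbol, reported size, computed size)] for every frame after the first."""
    frames = parse_kf(text)
    computed = frame_sizes(frames)
    return [(f[3], f[0], c) for f, c in zip(frames[1:], computed)]


def largest_frame(text):
    """Symbol of the frame that consumes the most stack space, by the recomputed sizes."""
    rows = [r for r in check_kf(text) if r[2] is not None]
    return max(rows, key=lambda r: r[2])[0] if rows else None


if __name__ == "__main__":
    for sym, reported, computed in check_kf(KF_OUTPUT):
        flag = "ok" if reported == computed else "MISMATCH"
        print(f"{sym:45} reported={reported} computed={computed} {flag}")
    print("largest frame:", largest_frame(KF_OUTPUT))
```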