Common WinDbg commands
Viewing the process PEB
First run !peb to get the PEB address in memory, then run dt _PEB <address> to view the field values.
For example:
0:000> !peb
PEB at 7ffd3000
.......
0:000> dt _peb 7ffd3000
Heap!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 SpareBool : 0 ''
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00400000 Void
+0x00c Ldr : 0x00251ea0 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00150000 Void
.....
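As an added example (not code from the original post), the Python below shows what dt does: it applies a type's field table (the offsets and types printed above) to raw memory, little-endian, field by field. The byte buffer is constructed here with the values shown in the session, and the field table covers only the PEB prefix that the output above displays; both are assumptions of the example, not data read from a live process.

```python
import struct

# dt-style field table for the start of the 32-bit _PEB, with the offsets
# and types WinDbg printed on the page: (offset, name, struct format code).
# "B" = UCHAR, "I" = 32-bit pointer/ULONG on an x86 target.
PEB32_FIELDS = [
    (0x000, "InheritedAddressSpace", "B"),
    (0x001, "ReadImageFileExecOptions", "B"),
    (0x002, "BeingDebugged", "B"),
    (0x003, "SpareBool", "B"),
    (0x004, "Mutant", "I"),
    (0x008, "ImageBaseAddress", "I"),
    (0x00C, "Ldr", "I"),
    (0x010, "ProcessParameters", "I"),
    (0x014, "SubSystemData", "I"),
    (0x018, "ProcessHeap", "I"),
]


def dt(fields, memory, base=0):
    """Apply a field table to raw bytes the way 'dt <type> <addr>' does:
    every field is decoded little-endian at base + offset."""
    out = {}
    for offset, name, fmt in fields:
        size = struct.calcsize("<" + fmt)
        chunk = memory[base + offset:base + offset + size]
        if len(chunk) != size:
            raise ValueError(f"memory too short for {name} at +0x{offset:03x}")
        out[name] = struct.unpack("<" + fmt, chunk)[0]
    return out


def format_dt(fields, values):
    """Render the decoded fields in WinDbg's '+0x002 BeingDebugged : 0x1' layout."""
    lines = []
    for offset, name, fmt in fields:
        v = values[name]
        text = f"0x{v:x}" if v else "0"
        lines.append(f"   +0x{offset:03x} {name:<24} : {text}")
    return "\n".join(lines)


# Constructed 0x1c-byte image of the PEB prefix, filled with the values
# shown in the session above (this is sample data, not a memory capture).
SAMPLE_PEB = struct.pack(
    "<4B6I",
    0, 0, 1, 0,      # InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, SpareBool
    0xFFFFFFFF,      # Mutant
    0x00400000,      # ImageBaseAddress
    0x00251EA0,      # Ldr
    0x00020000,      # ProcessParameters
    0x00000000,      # SubSystemData (null)
    0x00150000,      # ProcessHeap
)


def parse_sample_peb():
    """Decode the constructed PEB image; returns a name -> value dict."""
    return dt(PEB32_FIELDS, SAMPLE_PEB)


if __name__ == "__main__":
    print(format_dt(PEB32_FIELDS, parse_sample_peb()))
```

BeingDebugged at +0x002 is the byte that IsDebuggerPresent returns, so a value of 0x1 is expected while the process is running under WinDbg; the same table-driven decoding works on bytes taken from a crash dump as long as the target's pointer size matches the format codes.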
Viewing the TEB of the current thread
0:000> !teb
TEB at 7ffdf000
ExceptionList: 0012ffa8
StackBase: 00130000
StackLimit: 00126000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdf000
EnvironmentPointer: 00000000
ClientId: 00000fb8 . 000008a4
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7ffd3000
LastErrorValue: 0
LastStatusValue: c0000135
Count Owned Locks: 0
HardErrorMode: 0
Downloading symbols for system files
symchk c:\winnt\system32\ntoskrnl.exe /r /s srv*d:\symbols*http://msdl.microsoft.com/download/symbols
Viewing the last error value
0:000> !gle
LastErrorValue: (NTSTATUS) 0 (0) - STATUS_WAIT_0
LastStatusValue: (NTSTATUS) 0xc0000135 - {
0:000> !error
Error code: (NTSTATUS) 0 (0) - STATUS_WAIT_0
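!gle and !error split the raw NTSTATUS into severity, facility and code before looking the value up by name. As an added example that is not part of the post, the Python below performs that decoding over the two values seen above; the name table holds only those two (the STATUS_DLL_NOT_FOUND name for 0xc0000135 comes from ntstatus.h, not from the truncated output on the page), so anything else decodes to <unknown>.

```python
# NTSTATUS bit layout (ntdef.h):
#   bits 31-30 severity, bit 29 customer-defined, bit 28 reserved (N),
#   bits 27-16 facility, bits 15-0 code.
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# Only the values that appear in the session; a real tool would carry the
# full ntstatus.h table. 0xC0000135 -> STATUS_DLL_NOT_FOUND is from ntstatus.h.
KNOWN_STATUS = {
    0x00000000: "STATUS_WAIT_0",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
}


def decode_ntstatus(status):
    """Break an NTSTATUS into its fields and attach a name when known."""
    status &= 0xFFFFFFFF
    return {
        "severity": SEVERITY[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN_STATUS.get(status, "<unknown>"),
    }


def nt_success(status):
    """Equivalent of the NT_SUCCESS macro: SUCCESS or INFORMATIONAL severity."""
    return ((status & 0xFFFFFFFF) >> 30) in (0, 1)


def describe(status):
    """One-line rendering in the spirit of '!error': '(NTSTATUS) 0xc0000135 - STATUS_DLL_NOT_FOUND'."""
    d = decode_ntstatus(status)
    return f"(NTSTATUS) 0x{status & 0xFFFFFFFF:08x} - {d['name']} [{d['severity']}, facility 0x{d['facility']:x}, code 0x{d['code']:x}]"


if __name__ == "__main__":
    for s in (0x00000000, 0xC0000135):
        print(describe(s))
```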
Specifying the number radix
0:000> ? 0x12345678+0n10
Evaluate expression: 305419906 = 12345682
The prefixes 0x, 0n, 0t and 0y denote hexadecimal, decimal, octal and binary respectively.
Formatted output
0:000> .formats @eax
Evaluate expression:
Hex: 003a0000
Decimal: 3801088
Octal: 00016400000
Binary: 00000000 00111010 00000000 00000000
Chars: .:..
Time: Sat Feb 14 07:51:28 1970
Float: low 5.32646e-039 high 0
Double: 1.87799e-317
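To make the two sections above concrete (the radix prefixes accepted by ? and the breakdown printed by .formats), here is an added Python example; it is not code from the original post. It parses WinDbg numeric literals, evaluates a simple sum such as 0x12345678+0n10, and reproduces the .formats lines for a 32-bit value. Two assumptions: the default radix for unprefixed digits is taken as 16 (WinDbg's default unless changed with n), and the Time line is printed in UTC, whereas WinDbg prints local time, so that one line differs from the session above by the time-zone offset of the machine it ran on.

```python
import re
import struct
from datetime import datetime, timezone

# WinDbg radix prefixes: 0x/0n/0t/0y = hexadecimal/decimal/octal/binary.
PREFIX_RADIX = {"0x": 16, "0n": 10, "0t": 8, "0y": 2}


def parse_number(token, default_radix=16):
    """Parse one WinDbg numeric literal; unprefixed digits use default_radix
    (16 here, WinDbg's default unless changed with the 'n' command)."""
    token = token.strip()
    for prefix, radix in PREFIX_RADIX.items():
        if token.lower().startswith(prefix):
            return int(token[2:], radix)
    return int(token, default_radix)


_TERM = re.compile(r"\s*([+-]?)\s*(0[xnty][0-9a-f]+|[0-9a-f]+)", re.IGNORECASE)


def evaluate(expr):
    """Evaluate a sum/difference of literals like '0x12345678+0n10'.
    Only + and - are handled; this is not WinDbg's full expression grammar."""
    pos, total = 0, 0
    while pos < len(expr.rstrip()):
        m = _TERM.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse at {expr[pos:]!r}")
        sign, literal = m.groups()
        value = parse_number(literal)
        total += -value if sign == "-" else value
        pos = m.end()
    return total


def format_evaluation(expr):
    """Render the result the way '?' does: decimal = hex."""
    v = evaluate(expr)
    return f"Evaluate expression: {v} = {v:x}"


def formats(value, bits=32):
    """Reproduce the '.formats' breakdown of a 32-bit value as a dict."""
    mask = (1 << bits) - 1
    value &= mask
    raw = value.to_bytes(bits // 8, "little")
    return {
        "Hex": f"{value:0{bits // 4}x}",
        "Decimal": str(value),
        "Octal": f"{value:0{(bits + 2) // 3}o}",
        # WinDbg prints bytes most-significant first for Binary and Chars
        "Binary": " ".join(f"{b:08b}" for b in reversed(raw)),
        "Chars": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in reversed(raw)),
        # the value read as a time_t (seconds since 1970); UTC here, local time in WinDbg
        "Time": datetime.fromtimestamp(value, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        # the same bits reinterpreted as IEEE single / double (denormal for small values)
        "Float": struct.unpack("<f", raw[:4])[0],
        "Double": struct.unpack("<d", raw.ljust(8, b"\0"))[0],
    }


if __name__ == "__main__":
    print(format_evaluation("0x12345678+0n10"))
    for name, text in formats(0x003A0000).items():
        print(f"  {name}: {text}")
```

The Float and Double lines explain the tiny values in the session: 0x003a0000 has a zero exponent field in both encodings, so it is a denormal and its magnitude is just the mantissa times the smallest representable step.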
Breaking when a DLL is loaded
0:000> sxe ld
Likewise, a breakpoint on the loader, bp Kernel32!LoadLibraryExW, stops at load time.
The commands sx, sxd, sxe, sxi, sxn and sxr set how exceptions and events are handled.
Showing the symbols nearest an address
0:000> ln 004113c0
d:\projects\heap\heap\heap.cpp(4)
(004113c0) Heap!WinMain | (004114c4) Heap!HeapDestroy
Exact matches:
Heap!WinMain (struct HINSTANCE__ *, struct HINSTANCE__ *, char *, int)
Symbols are required, of course.
Listing loaded modules
0:000> lm
start end module name
00400000 0041b000 Heap C (private pdb symbols) D:\Projects\Heap\Debug\Heap.pdb
10200000 10323000 MSVCR90D (deferred)
7c800000 7c91d000 kernel32 (pdb symbols) d:\symbols\kernel32.pdb\35CC603450F44929AEB29742698380BC2\kernel32.pdb
7c920000 7c9b4000 ntdll (pdb symbols) d:\symbols\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
Listing the threads of the current process
0:000> ~
. 0 Id: fb8.8a4 Suspend: 1 Teb: 7ffdf000 Unfrozen
0:000> ~*
. 0 Id: fb8.8a4 Suspend: 1 Teb: 7ffdf000 Unfrozen
Start: Heap!ILT+330(_WinMainCRTStartup) (0041114f)
Priority: 0 Priority class: 32 Affinity: 1
Showing the current call stack
0:000> k
ChildEBP RetAddr
0012ff0c 00411b28 Heap!WinMain [d:\projects\heap\heap\heap.cpp @ 4]
0012ffb8 0041188f Heap!__tmainCRTStartup+0x288 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 578]
0012ffc0 7c816fe7 Heap!WinMainCRTStartup+0xf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
0012fff0 00000000 kernel32!BaseProcessStart+0x23
0:000> kv
ChildEBP RetAddr Args to Child
0012ff0c 00411b28 00400000 00000000 00151eff Heap!WinMain (FPO: [Non-Fpo]) (CONV: stdcall) [d:\projects\heap\heap\heap.cpp @ 4]
0012ffb8 0041188f 0012fff0 7c816fe7 010df6ee Heap!__tmainCRTStartup+0x288 (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 578]
0012ffc0 7c816fe7 010df6ee 010df748 7ffd3000 Heap!WinMainCRTStartup+0xf (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
0012fff0 00000000 0041114f 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
0:000> .frame
00 0012ff0c 00411b28 Heap!WinMain [d:\projects\heap\heap\heap.cpp @ 4]
0:000> ~*kb //show the call stacks of all threads
. 0 Id: fb8.8a4 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr Args to Child
0012ff0c 00411b28 00400000 00000000 00151eff Heap!WinMain [d:\projects\heap\heap\heap.cpp @ 4]
0012ffb8 0041188f 0012fff0 7c816fe7 010df6ee Heap!__tmainCRTStartup+0x288 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 578]
0012ffc0 7c816fe7 010df6ee 010df748 7ffd3000 Heap!WinMainCRTStartup+0xf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
0012fff0 00000000 0041114f 00000000 78746341 kernel32!BaseProcessStart+0x23
0:000> dps esp //dump the stack with symbols
0012fd50 00616161
0012fd54 0012ff0c
0012fd58 010df758
0012fd5c 7ffdd000
0:000> dps esp l 100 //if too little is shown, dump more
0012fd50 00616161
0012fd54 0012ff0c
0012fd58 010df758
Viewing the current local variables
0:000> dv
hInstance = 0x00400000
hPrevInstance = 0x00000000
lpCmdLine = 0x00151eff ""
nShowCmd = 0n10
buffer = 0x10305ac8 "???"
buffer1 = 0x00381ec0 "???"
heap_handle = 0x10278224
(press Ctrl+Alt+V)
Verbose mode ON.
0:000> dv
0012ff14 hInstance = 0x00400000
0012ff18 hPrevInstance = 0x00000000
0012ff1c lpCmdLine = 0x00151eff ""
0012ff20 nShowCmd = 0n10
0012fef8 buffer = 0x10305ac8 "???"
0012feec buffer1 = 0x00381ec0 "???"
0012ff04 heap_handle = 0x10278224
Displaying/modifying register values
0:000> r
eax=00151eff ebx=7ffd3000 ecx=0000000a edx=00151eff esi=010df748 edi=010df6ee
eip=004113c0 esp=0012ff10 ebp=0012ffb8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Heap!WinMain:
004113c0 55 push ebp
0:000> r eax
eax=00151eff
0:000> r eax=00151efe
0:000> r eax
eax=00151efe
Searching for global variables / function addresses
0:000> x Kernel32!*
7c801150 kernel32!_imp__NtFindAtom = <no type information>
7c825e28 kernel32!c_PmapEntries_apphelp = <no type information>
7c862e84 kernel32!GetThreadTimes = <no type information>
......
Viewing handles
0:000> !handle
Handle c
Type File
...
Type Count
Event 2
File 4
Port 1
Directory 2
KeyedEvent 1
0:000> !handle c f
Handle c
Type File
Attributes 0
GrantedAccess 0x100020:
Synch
Execute/Traverse
HandleCount 3
PointerCount 4
No Object Specific Information available
Disassembly
0:000> u
Heap!WinMain [d:\projects\heap\heap\heap.cpp @ 4]:
004113c0 55 push ebp
004113c1 8bec mov ebp,esp
...
004113d2 b939000000 mov ecx,39h
0:000> u
Heap!WinMain+0x17 [d:\projects\heap\heap\heap.cpp @ 4]:
004113d7 b8cccccccc mov eax,0CCCCCCCCh
004113dc f3ab rep stos dword ptr es:[edi]
...
The u* family of commands disassembles.
Modifying disassembled instructions
0:000> u 004113c0
Heap!WinMain [d:\projects\heap\heap\heap.cpp @ 4]:
004113c0 50 push eax
...
0:000> a 004113c0
004113c0 push ebp
push ebp
004113c1
0:000> u 004113c0
Heap!WinMain [d:\projects\heap\heap\heap.cpp @ 4]:
004113c0 55 push ebp
Breakpoints
bp, bl, bc, bd, be
ba: memory access breakpoint
Viewing/modifying memory
0:000> dd esp+8
0012ff18 00000000 00151eff 0000000a 72c71a37
0012ff28 010df6ee 010df748 7ffd3000 0000000a
......
0:000> dw esp+8
0012ff18 0000 0000 1eff 0015 000a 0000 1a37 72c7
0012ff28 f6ee 010d f748 010d 3000 7ffd 000a 0000
0:000> ed esp+8 0xffff
0:000> dd esp+8
0012ff18 0000ffff 00151eff 0000000a 72c71a37
The d* commands display memory and the e* commands modify it; press F1 for help.
Showing deadlocks
0:000> !lock
No export lock found
Local kernel debugging
The File/Kernel Debug… menu opens the kernel debugging dialog; select the last tab, Local, and confirm to debug the local machine in kernel mode. In this mode every command that would suspend the system is unavailable, but system memory can be read and written. One convenient use is inspecting kernel structures, for example: dt nt!_EPROCESS.
------------------------------
Articles are licensed under CC BY-ND 2.5. Articles marked "轉載" (reposted) come from the web, with the author credited wherever possible. If your rights have been infringed, please contact me promptly for removal, attribution or licensing.
Gtalk/Email: cmd4shell [at] gmail.com