2025-02-25 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Driver files (*.sys) are generally located in the directory C:\Windows\System32\drivers.
Everything on the PC has a driver: keyboard, mouse, monitor, CPU and so on. Without a driver none of them works; the hardware is just a pile of junk.
This article is about Windows driver debugging with WinDbg.
After installing the DDK, WinDbg is normally found in the directory C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64.
WinDbg commands are divided into standard commands, meta commands and extension commands.
Standard commands provide the most basic debugging functions and are not case-sensitive, e.g. bp, g, dt, dv, k.
Meta commands provide functions that standard commands do not; they are also built into the debugging engine and begin with a period, e.g. .sympath, .reload.
Extension commands extend the debugger in one particular area, are implemented in dynamically loaded extension modules and begin with an exclamation mark, e.g. !analyze.
In the command window, pressing Enter on an empty line repeats the previous command; the up and down arrow keys browse and select previously entered commands.
The Tab key completes commands; Esc clears the text in the command input box.
Several commands can be entered on one line separated by semicolons, e.g. bp main;bp `command:120` sets two breakpoints at once.
When the prompt shows *BUSY*, commands can still be typed into the input box but are not executed until WinDbg is idle.
Ctrl+Break terminates a command that has been running for a long time.
To keep WinDbg responsive, avoid opening the Watch, Locals, Registers, Call Stack, Processes and Threads windows while debugging; use commands to get the same information instead.
Help:
? // print all standard commands
.help // print all meta commands
.hh // open WinDbg's .chm help file
.hh bp // open the help page of the bp command in the .chm file
<command> /? // print the parameter usage of a command
* // comment out the whole line
$$ // comment (ends at the next semicolon)
.sympath // show the current symbol search path
.sympath c:\symbols // set the symbol search path to c:\symbols
.sympath+ c:\symbols // append c:\symbols to the symbol search path
.symfix // set the symbol search path to SRV*<WinDbg installation directory>\Sym*http://msdl.microsoft.com/download/symbols
.symfix f:\symbols // set the symbol search path to SRV*f:\symbols*http://msdl.microsoft.com/download/symbols
.symfix+ f:\symbols // append SRV*f:\symbols*http://msdl.microsoft.com/download/symbols to the symbol search path
.srcpath // show the current source file search path
.srcpath f:\src // set the source file search path to f:\src
.srcpath+ f:\src // append f:\src to the source file search path
.exepath // show the current executable search path
.exepath f:\bin // set the executable search path to f:\bin
.exepath+ f:\bin // append f:\bin to the executable search path
.effmach // show the current effective machine mode: x86, x64, etc.
.load wow64exts // [!load wow64exts] load the wow64exts.dll extension module; note: !sw is a command of wow64exts
.unload wow64exts // [!unload wow64exts] unload the wow64exts.dll extension module
!sw // [!wow64exts.sw] switch between x86 and x64 mode; note: if a Win32 program is viewed in x64 mode, addresses appear as 64-bit
!k // [!wow64exts.k] print both the 32-bit and the 64-bit stack
!k 5 // [!wow64exts.k 5] print the 32-bit and 64-bit stacks, 5 frames each
!info // [!wow64exts.info] print the wow64-related PEB, TEB and TLS information
!r // [!wow64exts.r] print the processor's current context
!r dumpTest!main // [!wow64exts.r dumpTest!main] print the context at the address of the main function of dumpTest
Symbol loading and viewing
In addition to loading symbol files directly with the ld and .reload commands, commands that use symbols, such as stack backtracing (k*) and disassembly (u), also trigger the debugger to load symbols.
Note that WinDbg defaults to lazy symbol loading: when it receives a module load event it usually does not load the module's symbols, and the symbol status is shown as "deferred".
.symopt // show all current symbol options
.symopt+ flags // add a symbol option
.symopt- flags // remove a symbol option
!sym noisy // enable verbose (noisy) symbol loading output
!sym quiet // disable verbose symbol loading output
ld * // load symbols for all modules
ld kernel32 // load symbols for kernel32.dll
.reload // reload symbol information for all loaded modules
.reload /i // reload ignoring symbol mismatches [use when the .dmp file has no matching .pdb]
.reload /i TGame.exe // reload TGame.exe ignoring symbol mismatches
.reload /f /v // /f: force immediate loading (no deferred loading); /v: verbose output
.reload /f @"c:\windows\System32\verifier.dll" // load symbol information for the specified module
.reload /f TGame.exe // load symbol information for TGame.exe
.chain // list the loaded extension modules
x *! // list the symbol information of all modules
lm // list all modules (loaded and unloaded)
lmv // list all modules with details (loaded and unloaded)
lmvm ntdll // show details of ntdll.dll (module names are given without the .exe or .dll suffix)
x ConsoleTest!* // list all symbols in the ConsoleTest module
x ConsoleTest!add* // list all symbols in the ConsoleTest module that start with add
x /t /v ConsoleTest!* // list all symbols in the ConsoleTest module with data type, symbol type and size
x kernel32!*LoadLib* // list all symbols in the kernel32 module that contain LoadLib
# Process
| // list the process being debugged
|* // list all debugged processes
|N // show the process with ordinal N
|Ns // make the process with ordinal N the current process
# Thread
~ // list threads
~* // all threads
~*k // stack of every thread
~*r // registers of every thread
~. // show the current thread
~0s // switch to the main thread (thread 0)
~# // show the thread that caused the current event or exception
~N // show the thread with ordinal N
~~[n] // show the thread with thread ID n
~Ns // make the thread with ordinal N the current thread
~Nf // freeze the thread with ordinal N
~Nu // unfreeze the thread with ordinal N
~Nn // suspend the thread with ordinal N
~Nm // resume the thread with ordinal N
!runaway // show the CPU time consumed by every thread
# Breakpoint
bl // list all breakpoints
bc * // clear all breakpoints
bc 1 // clear breakpoint 1
bc 1 2 5 // clear breakpoints 1, 2 and 5
be * // enable all breakpoints
be 1 // enable breakpoint 1
be 1 2 5 // enable breakpoints 1, 2 and 5
bd * // disable all breakpoints
bd 1 // disable breakpoint 1
bd 1 2 5 // disable breakpoints 1, 2 and 5
bp 7c801b00 // set a breakpoint at address 7c801b00
bp `ConsoleTest.cpp:36` // set a breakpoint at line 36 of ConsoleTest.cpp
bp main // set a breakpoint at the start of main
bp CSecondLoader::CSecondLoader // set a breakpoint at the constructor of CSecondLoader
bp TestCommon!CTest::add // set a breakpoint at the start of CTest::add() in TestCommon.dll
bp `ConsoleTest.cpp:40` "j (poi(pVar) > 5) ';' 'g'" // j is the conditional command: if the value pVar points to is greater than 5, execute the empty command (;) and stay broken in; otherwise continue (g)
-
With x an address or value:
hi(x) high 16 bits of x
low(x) low 16 bits of x
by(x) the first byte at x
wo(x) the first word at x
dwo(x) the first dword at x
qwo(x) the first quad-word (8 bytes) at x
poi(x) the pointer-sized value at x (dereference)
-
bp advapi32!RegOpenKeyExA ".echo; .printf \"RegOpenKeyExA(%p, \\\"%ma\\\", %N, %N, %p) returned: \", dwo(esp+4), poi(esp+8), dwo(esp+c), dwo(esp+10), dwo(esp+14); gu; .printf \"%N\", eax; .echo; g" // print every RegOpenKeyExA call (open a registry key) with its arguments and return value while the process keeps running
bu // like bp, but the breakpoint is saved in the workspace even if the address cannot be resolved yet (unresolved breakpoint)
bm add_* // set breakpoints at the start of every function whose name matches add_*
ba w4 0483dfe0 // break when 4 bytes at address 0483dfe0 are written
// ba [r|w|e] [Size] Addr: r = read/write, w = write, e = execute; Size = 1, 2 or 4 bytes
# Debugging execution control
g // go (F5)
gh // continue with the exception reported as handled [Go with Exception Handled]
// after receiving this reply the system stops dispatching the exception (because the debugger claims to have handled it) and resumes the target
// but because the faulting condition is still there, the exception is raised again, dispatched again, and WinDbg breaks into command mode again
gn // continue with the exception reported as not handled [Go with Exception Not Handled]
// the debugger reports the exception as not handled and the system dispatches it further
// if no other debugger or handler takes it, the system eventually shows the program termination dialog
gu // run until the current function returns [Go Up]
Ctrl+Break // pause a running program
p // step over (F10) [Step]
p 2 // step over 2 steps (the number is the step count)
pc // run until the next call instruction [Step to Next Call]
pa 7c801b0b // run until address 7c801b0b is reached [Step to Address]
t // step into (F11) [Trace]
tc // trace until the next call instruction [Trace to Next Call]
ta 7c801b12 // trace until address 7c801b12 is reached [Trace to Address]
# View handles
!handle // list the values of all handles
!handle 000007f8 1 // show the type of handle 000007f8
!handle 000007f8 4 // show the name of handle 000007f8
!handle 0 5 // show the type and name of every handle
View variables
== 0n (decimal), 0x (hexadecimal), 0t (octal), 0y (binary); use n [8|10|16] to change the default radix (n alone shows the current radix; the default is hexadecimal) ==
-- in the VC6.0 Link options, change /pdbtype:sept to /pdbtype:con, otherwise the generated .pdb will not contain information such as custom structures and classes.
dt nRet // show the type and value of the local variable nRet (use dv for function parameters)
dt myApp!g_app // show the memory layout of the global variable g_app in the myApp process (note: see the VC6 remark above)
dt WindbgTest!CTest // show the memory layout of the class CTest in the WindbgTest module (note: see the VC6 remark above)
dt WindbgTest!CTest 0x0041f8d4 // interpret the memory at 0x0041f8d4 according to the layout of WindbgTest!CTest
dt this // show the type of the this pointer and its member variables (note: see the VC6 remark above)
dt -b this // same as above, but if a member is itself a structure, print its members one by one
dt _PEB @$peb // show the PEB (process environment block) structure
?? this->m_nPen // show the value of the member variable (note: see the VC6 remark above)
?? this // show the member variables of the object this points to (note: see the VC6 remark above)
? nCount // show the address of the local variable nCount, decimal first and then hexadecimal, e.g. Evaluate expression: 4198608 = 004010d0
? HeapTest!CTest::add // show the address of the add function of class CTest in the HeapTest module
dv // show the values of all local variables and function parameters of the current function
dv n* // show all local variables and parameters of the current function whose names start with n
dv nCount // show the value of the local variable nCount
dv a // show the value of the function parameter a
dv /t /i /V /a | /n | /z
/**
Show all local variables and function parameters of the current function in more detail
/i = kind (local, global, parameter)
/t = data type
/V = memory address or register location
/a = sort by address, /n = sort by name, /z = sort by size
**/
x // used like dv: shows all local variables of the current function and the address and value of the parameters
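The MASM operators listed in the breakpoint section (hi, low, by, wo, dwo, qwo, poi), the 0n/0x/0t/0y literal prefixes, the dt-style structure dump and the conditional breakpoint j (poi(pVar) > 5) are easier to reason about with a model you can run offline. The following Python block is an added example, not WinDbg's own code and not from the original page: it implements those operators over a constructed little-endian byte buffer that stands in for target memory. It assumes a 32-bit (x86) target so that poi() reads 4 bytes; the CTest field layout, the addresses 0x0041f8d4 and following, and all memory contents are constructed sample values.

```python
"""
Added example, not WinDbg's own code and not from the original page: a small
Python model of the MASM expression helpers and memory-display commands this
cheat sheet lists, run over a constructed byte buffer instead of a live target.
It covers the 0n/0x/0t/0y literal prefixes, the operators hi, low, by, wo, dwo,
qwo and poi, a dt-style dump of a structure at an address, and the condition
from the breakpoint example, j (poi(pVar) > 5).
Assumptions: a 32-bit (x86) target so that poi() reads 4 bytes; the CTest
layout, the addresses and all memory contents are constructed sample values.
"""
import struct

POINTER_SIZE = 4  # assumption: x86 target (in WinDbg this follows .effmach)


class TargetMemory:
    """Flat little-endian byte buffer standing in for the target's memory."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytes(data)

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            # WinDbg reports "Memory access error" when an address is unmapped
            raise ValueError(f"Memory access error at {addr:#010x}")
        return self.data[off:off + size]


def parse_number(tok, radix=16):
    """0n = decimal, 0x = hex, 0t = octal, 0y = binary; no prefix = current radix (n command)."""
    prefixes = {"0n": 10, "0x": 16, "0t": 8, "0y": 2}
    p = tok[:2].lower()
    if p in prefixes:
        return int(tok[2:], prefixes[p])
    return int(tok, radix)


def hi(x):                       # high 16 bits of the value x
    return (x >> 16) & 0xFFFF


def low(x):                      # low 16 bits of the value x
    return x & 0xFFFF


def by(mem, x):                  # first byte at address x
    return mem.read(x, 1)[0]


def wo(mem, x):                  # first word (2 bytes, little-endian) at x
    return struct.unpack("<H", mem.read(x, 2))[0]


def dwo(mem, x):                 # first dword (4 bytes) at x
    return struct.unpack("<I", mem.read(x, 4))[0]


def qwo(mem, x):                 # first quad-word (8 bytes) at x
    return struct.unpack("<Q", mem.read(x, 8))[0]


def poi(mem, x):                 # pointer-sized dereference of x
    return dwo(mem, x) if POINTER_SIZE == 4 else qwo(mem, x)


# Readers keyed by the dt-style type names used in the sample layout.
READERS = {"Char": by, "Uint2B": wo, "Int4B": dwo, "Ptr32": dwo}


def dt(mem, layout, addr):
    """Like 'dt Module!Type addr': read every field of 'layout' relative to addr."""
    return {name: READERS[ty](mem, addr + off) for off, name, ty in layout}


def breakpoint_condition(mem, pvar_addr, threshold=5):
    """The test in bp `ConsoleTest.cpp:40` "j (poi(pVar) > 5) ';' 'g'", read as:
    pVar names the local's address, poi(pVar) is the pointer stored there, and
    one more poi reads the object's first field (m_nPen). True means 'stay broken'."""
    obj = poi(mem, pvar_addr)
    return poi(mem, obj) > threshold


# Constructed sample: a CTest object at 0x0041f8d4 followed by the local pVar
# that points to it. The layout is an assumption, not the page's real CTest.
CTEST_LAYOUT = [
    (0x000, "m_nPen", "Int4B"),
    (0x004, "m_wFlags", "Uint2B"),
    (0x006, "m_cTag", "Char"),
    (0x008, "m_pNext", "Ptr32"),
]
OBJ_ADDR = 0x0041F8D4
PVAR_ADDR = OBJ_ADDR + 0x0C  # pVar sits right after the 12-byte object
_obj = struct.pack("<IHBxI", 7, 0x0102, 0x41, 0)   # m_nPen=7, m_wFlags, 'A', NULL
MEM = TargetMemory(OBJ_ADDR, _obj + struct.pack("<I", OBJ_ADDR))

if __name__ == "__main__":
    print("dt WindbgTest!CTest 0x0041f8d4 ->", dt(MEM, CTEST_LAYOUT, OBJ_ADDR))
    print("poi(pVar) =", hex(poi(MEM, PVAR_ADDR)),
          "condition hit:", breakpoint_condition(MEM, PVAR_ADDR))
```

Running the block prints the dt-style field dump and shows that, with m_nPen = 7, the breakpoint condition evaluates to true, so the ';' branch runs and execution stays stopped; with a value of 5 or less the 'g' branch would resume the target. The radix parameter of parse_number mirrors the n command: "80" is 0x80 under the default hexadecimal radix and eighty only after n 10 or with the 0n prefix, which is the point the ed nCounter 80 remark below makes.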
Call stack
k // show the current call stack
kn // show the current call stack with frame numbers
kb // show the current call stack with the first three arguments of each function, e.g.
02a9ffec 00000000 01e511f9 0174c570 00000000 kernel32!BaseThreadStart+0x37
-
kernel32!BaseThreadStart+0x37 is the function address (module!function+offset).
01e511f9 0174c570 00000000 are the first three parameters. Note: for a member function the this pointer is passed in ecx, so it does not appear among them.
02a9ffec 00000000 are the child EBP and the return address.
kb 5 // show only the top 5 frames
kv // like kb, with extra information such as the calling convention
kp // show the complete parameters of every frame, including parameter type, name and value (requires full, private symbols). Note: if the program is optimized these values may be wrong
kd // dump the raw stack addresses
.frame // show the current stack frame
.frame n // make frame n the current stack frame
.frame /r n // make frame n the current stack frame and show its registers
!uniqstack // show the call stack of every thread, skipping duplicate stacks
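The kb line explained above packs five dwords and a symbol into one row, and reading it by hand is error-prone when a stack has dozens of frames. The Python block below is an added example, not from the original page or from WinDbg: it parses x86 kb output into child EBP, return address, the three stack arguments and a split module!function+offset symbol, and flags member functions whose this pointer travels in ecx rather than on the stack. SAMPLE_KB is constructed; its last line is the one quoted above, the other frames and their addresses are assumptions, and in a real session you would paste the output of kb instead.

```python
"""
Added example, not from the original page: a parser for the x86 'kb' frame
lines explained above. Each line becomes the child EBP, the return address,
the first three stack arguments and the symbol, and the symbol is split into
module, function and offset. SAMPLE_KB is constructed (its last line is the
one quoted above); in a real session, paste the output of kb instead.
"""
import re
from typing import NamedTuple, Optional, Tuple

# childEBP retAddr arg1 arg2 arg3 symbol   (eight hex digits each on x86)
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-fA-F]{8})\s+(?P<ret>[0-9a-fA-F]{8})\s+"
    r"(?P<a1>[0-9a-fA-F]{8})\s+(?P<a2>[0-9a-fA-F]{8})\s+(?P<a3>[0-9a-fA-F]{8})\s+"
    r"(?P<sym>\S.*?)\s*$"
)
# module!function+0xoffset; module and offset are optional (e.g. a bare address)
SYMBOL_RE = re.compile(
    r"^(?:(?P<mod>[^!\s]+)!)?(?P<fn>[^+\s]+?)(?:\+0x(?P<off>[0-9a-fA-F]+))?$"
)


class Frame(NamedTuple):
    child_ebp: int
    ret_addr: int
    args: Tuple[int, int, int]   # the three dwords above the return address
    module: Optional[str]
    function: str
    offset: int

    def is_member_function(self):
        # For a thiscall member function the this pointer travels in ecx, so it
        # is not among the three stack arguments that kb shows.
        return "::" in self.function


def parse_symbol(sym):
    """'kernel32!BaseThreadStart+0x37' -> ('kernel32', 'BaseThreadStart', 0x37)."""
    token = sym.split()[0]          # drop trailing annotations such as (FPO: ...)
    m = SYMBOL_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised symbol {sym!r}")
    return m.group("mod"), m.group("fn"), int(m.group("off") or "0", 16)


def parse_kb(text):
    """Parse kb output; the header, warning lines and blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        mod, fn, off = parse_symbol(m.group("sym"))
        frames.append(Frame(
            int(m.group("ebp"), 16),
            int(m.group("ret"), 16),
            tuple(int(m.group(k), 16) for k in ("a1", "a2", "a3")),
            mod, fn, off,
        ))
    return frames


def stack_summary(frames):
    """One 'module!function+0xoff' string per frame, top of stack first."""
    return [
        f"{f.module + '!' if f.module else ''}{f.function}+{f.offset:#x}"
        for f in frames
    ]


# Constructed sample output of kb (the last frame is the one quoted above).
SAMPLE_KB = """\
ChildEBP RetAddr  Args to Child
02a9ff80 01e51236 00000005 02a9ffa8 0174c570 ConsoleTest!CTest::add+0x1c
02a9ffa0 01e5148f 00000001 00a7e0d8 00a7f890 ConsoleTest!main+0x36
02a9ffbc 7c817077 00000000 00000000 7ffdf000 ConsoleTest!mainCRTStartup+0x11f
02a9ffec 00000000 01e511f9 0174c570 00000000 kernel32!BaseThreadStart+0x37
"""

if __name__ == "__main__":
    for f in parse_kb(SAMPLE_KB):
        print(f"{f.child_ebp:08x} ret={f.ret_addr:08x} args={[hex(a) for a in f.args]} "
              f"{f.module}!{f.function}+{f.offset:#x}"
              + ("  (member function: this in ecx)" if f.is_member_function() else ""))
```

The bottom frame keeps the return address 00000000 that the quoted line shows, and its three arguments are exactly the 01e511f9 0174c570 00000000 from the explanation above. The parser deliberately tolerates the ChildEBP header and any warning lines, because kb output pasted from a session with missing symbols contains both.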
Register
r // show all registers and the instruction at the current location
r eax,edx // show the eax and edx registers
r eax=5, edx=6 // set eax to 5 and edx to 6
!address 7ffd8000 // show the memory page attributes at address 7ffd8000
dd /c 5 7c801e02 // display memory as dwords starting at 7c801e02, 5 per row [128 bytes are shown by default]
dd /c 5 7c801e02 L8 // display 8 dwords starting at 7c801e02, 5 per row
da /c 100 7c80ff03 // display the ASCII string at 7c80ff03 (width 100)
du /c 100 7c8022f5 // display the Unicode string at 7c8022f5 (width 100)
/**
d[a|u|b|w|W|d|c|q|f|D] [/c columns] [address]
a = ASCII chars
u = Unicode chars
b = byte + ASCII
w = word (2 bytes)
W = word (2 bytes) + ASCII
d = dword (4 bytes)
c = dword (4 bytes) + ASCII
q = qword (8 bytes)
f = floating point (single precision, 4 bytes)
D = floating point (double precision, 8 bytes)
**/
dyb /c 3 7c801e02 // display bytes together with their binary form starting at 7c801e02, 3 per row
/**
dy[b|d] ... // b = binary + byte, d = binary + dword
**/
s -w 522e0000 L0x100 0x1212 0x2212 0x1234 // search the 0x100 words starting at 522e0000 for the word sequence 0x1212 0x2212 0x1234 and print the start address of every match
s -u 522e0000 527d1000 "web" // search for the Unicode string "web" between 522e0000 and 527d1000
ea 0x445634 "abc" // write the ASCII string abc at address 0x445634 without the terminating 0
eza 0x445634 "abc" // write the ASCII string abc at address 0x445634 including the terminating 0
eu 0x445634 "abc" // write the Unicode string abc at address 0x445634 without the terminating 0
ezu 0x445634 "abc" // write the Unicode string abc at address 0x445634 including the terminating 0
ed nCounter 80 // set the variable nCounter to 80 (note: whether 80 is read as decimal, hexadecimal or something else depends on the current radix)
!heap // list the process heaps (each entry is a heap, i.e. a pointer to a _HEAP structure; the corresponding API is HeapCreate)
dt _HEAP 00140000 // pick a heap address and print its _HEAP structure
!heap -a 00140000 // print the information of the heap at 00140000; more detailed and readable than the dt command above
Set WinDbg's behaviour when an event occurs
sx // show how WinDbg handles each exception and event
sxr // reset all exception and event filters to their defaults
sxe ld // break into the debugger immediately when a module is loaded (first chance)
sxe ud // break into the debugger immediately when a module is unloaded
sxd ... // do not break at the first chance (a message is still printed); if no other handler handles the exception, execution stops and breaks into WinDbg (second chance)
sxn et // when a thread exits, WinDbg prints a message but does not break
sxi ct // when a thread is created, WinDbg neither breaks nor prints a message
Dump output
.dump /ma "d:\mydmpfile.dmp" // write a full dump of the process being debugged to the given file
Other meta commands
.tlist // list all processes on the system
.cls // clear the screen
.logopen c:\1.log // log all command output to the file c:\1.log
Other extension commands
!analyze -v // show detailed information about the current exception
!peb // print formatted PEB (process environment block) information
!gle // print the last error (LastError) of the current thread
!gle -all // print the last error of every thread
!error 897 // show the detailed description of error code 897
WinDbg command reference:
WinDbg Command Manual: http://www.cnblogs.com/gaochundong/p/windbg_cheat_sheet.html