windbg常⽤指令(⼯作经验总结)
⼀、windbg双机联调之驱动源码调试
1、通过VirtualKD设置好双机联调环境
2、在驱动程序的⼊⼝点DriverEntry下断点,命令: bm ranet!driverentry
备注:⼀定要⽤bm延迟加载符号命令,不能⽤bp
1: kd> bm ranet!driverentry
1: fffff880`03c4bcdc @!"RaNet!DriverEntry"
1: kd> g
3、把驱动程序拷贝到虚拟机中,利⽤⼯具InstDrvx64 V1.03安装并启动驱动程序,此时会命中断点的⼊⼝处DriverEntry,输⼊kn查看调⽤堆栈
备注:
Breakpoint 1 hit
RaNet!DriverEntry:
fffff880`03c5bcdc 488bc4 mov rax,rsp
1: kd> kn
# Child-SP RetAddr Call Site
00 fffff880`045ec828 fffff880`03c65020 RaNet!DriverEntry [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 336]
01 fffff880`045ec830 fffff800`042978c6 RaNet!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmode\gs_support.c @ 117]
02 fffff880`045ec860 fffff800`04297cc5 nt!IopLoadDriver+0xa06
03 fffff880`045ecb30 fffff800`03ea628d nt!IopLoadUnloadDriver+0x55
04 fffff880`045ecb70 fffff800`0419c1a0 nt!ExpWorkerThread+0x111
05 fffff880`045ecc00 fffff800`03ef4ba6 nt!PspSystemThreadStartup+0x194
06 fffff880`045ecc40 00000000`00000000 nt!KiStartSystemThread+0x16
4、在卸载驱动程序的函数⼊⼝处下断点,并执⾏go指令,会成功命中断点;下断点命令: bm ranet!RaUnloadDriver
备注:函数RaUnloadDriver是指针DriverObject->DriverUnload指向的函数
1: kd> bm ranet!RaUnloadDriver
2: fffff880`03e3e800 @!"RaNet!RaUnloadDriver"
1: kd> bl
1 e Disable Clear fffff880`03e3dcdc 0001 (0001) RaNet!DriverEntry
2 e Disable Clear fffff880`03e3e800 0001 (0001) RaNet!RaUnloadDriver
1: kd> g
Breakpoint 2 hit
RaNet!RaUnloadDriver:
fffff880`03e3e800 48895c2408 mov qword ptr [rsp+8],rbx
0: kd> kp
# Child-SP RetAddr Call Site
00 fffff880`04708b28 fffff800`04245c8c RaNet!RaUnloadDriver(struct _DRIVER_OBJECT * DriverObject = 0xfffffa80`1b05ec10 Driver "\Driver\RaNet") [f:\mygitre
01 fffff880`04708b30 fffff800`03e5428d nt!IopLoadUnloadDriver+0x1c
02 fffff880`04708b70 fffff800`0414a1a0 nt!ExpWorkerThread+0x111
03 fffff880`04708c00 fffff800`03ea2ba6 nt!PspSystemThreadStartup+0x194
04 fffff880`04708c40 00000000`00000000 nt!KiStartSystemThread+0x16
5、在你感兴趣的函数处下断点,并制造触发的条件,命令:bm 模块名!函数名,例如 bm ranet!GetNetDacRule,都可成功命令断点
⼆、⽤sc命令安装、启动、停⽌、卸载驱动程序
1、创建⼀个驱动服务(CreateService)
sc create mydriver binpath=C:\Users\Administrator\Desktop\888888888\RaNet.sys type=kernel start=demand error=ignore
mydriver 是驱动服务名,可以改成喜欢的名字,貌似有长度限制
binpath=后⾯的 c:\1.sys 是驱动⽂件的路径,如果路径有空格则需引号括起来,例如 binpath=”C:\a b\1.sys”
type=后⾯的 kernel 是代表创建⼀个驱动服务
start=后⾯的 demand 代表这个驱动服务按需启动
error=后⾯的 ignore 代表忽略任何错误
2、启动驱动服务(StartService)
sc start mydriver
mydriver 是你要的驱动服务名字,跟上⾯那个mydriver ⼀致
3、停⽌驱动服务(StopService)
sc stop mydriver
4、删除驱动服务(DeleteService)
sc delete mydriver
不要了就删掉
三、查看局部变量的值dv
可以通过指定x前缀(⼗六进制)、0n前缀(⼗进制)、0t前缀(⼋进制)或0y前缀(⼆进制)
1、打开watch窗⼝,双机name列可输⼊变量名,即可显⽰局部变量的值
2、/i:使显⽰器指定变量的类型:局部、全局、参数、函数或未知。
2、/i:使显⽰器指定变量的类型:局部、全局、参数、函数或未知。 0:000> dv /i bRegisteredVer
prv local bRegisteredVer = false
3、/t :使显⽰包含每个局部变量的数据类型。
0:000> dv /t bRegisteredVer
bool bRegisteredVer = false
4、/v :使显⽰包括局部变量的虚拟内存地址
0:000> dv /v bRegisteredVer
0012aa27 bRegisteredVer = false
5、/V :与/v相同,还包括相对于相关寄存器的局部变量的地址。
0:000> dv /V bRegisteredVer
0012aa27 @ebp-0x55 bRegisteredVer = false
6、/a:按地址按升序对输出进⾏排序。
0:000> dv /a
this = 0x001ed8c8
length = 0n0
file = class QFile
bRegisteredVer = false
license = class CLicense
qstrAuthCode = class QString
authErrCode = 0x0012aae4
7、 /A :按地址按降序对输出进⾏排序。
0:000> dv /A
authErrCode = 0x0012aae4
qstrAuthCode = class QString
license = class CLicense
bRegisteredVer = false
file = class QFile
git常用指令length = 0n0
this = 0x001ed8c8
8、/n :按名称按升序对输出进⾏排序。
0:000> dv /n
authErrCode = 0x0012aae4
bRegisteredVer = false
file = class QFile
length = 0n0
license = class CLicense
qstrAuthCode = class QString
this = 0x001ed8c8
9、/N :按名称按升序对输出进⾏排序。
0:000> dv /N
this = 0x001ed8c8
qstrAuthCode = class QString
license = class CLicense
length = 0n0
file = class QFile
bRegisteredVer = false
authErrCode = 0x0012aae4
10、/z :按⼤⼩按升序对输出进⾏排序。
0:000> dv /z
bRegisteredVer = false
this = 0x001ed8c8
qstrAuthCode = class QString
authErrCode = 0x0012aae4
length = 0n0
file = class QFile
license = class CLicense
11、/Z :按⼤⼩按升序对输出进⾏排序。
0:000> dv /Z
license = class CLicense
length = 0n0
file = class QFile
this = 0x001ed8c8
qstrAuthCode = class QString
authErrCode = 0x0012aae4
authErrCode = 0x0012aae4
bRegisteredVer = false
四、修改局部变量的值
1、打开watch窗⼝,修改局部变量的值,,双机name列可输⼊变量名
双机Value列,清空原来的内容,输⼊新值即可,单机“Typecast”显⽰变量的类型
单机Locations显⽰变量的地址
五、查看内存
1、dt 查看结构
2、da按照ascii字符串显⽰
0:000> da 0012aa00
0012aa00 "ie"
3、db按照单字节和ascii字符串显⽰
0:000> db 0012aa00
0012aa00 69 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00 ie..............
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
4、dc按照4字节和ascii字符串显⽰
0:000> dc 0012aa00
0012aa00 00006569 00000000 00a9f7fb 00150000 ie..............
0012aa10 00000000 033b1900 0012aafc 6702c3c3 ......;........g
0012aa20 033b1900 00001436 033b1900 00000002 ..;.6.....;.....
0012aa30 00000004 6516feef 01fd71f0 01b81d90 .......
0012aa40 033b1900 033b1900 102ccad8 0000011f ..;...;...,.....
0012aa50 01b81b90 ffffffff 00000000 00000000 ................
0012aa60 033b1900 00000000 65106a65 fb93c5d2 ..;.....
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc ................
5、dd按照4字节显⽰
0:000> dd 0012aa00
0012aa00 00006569 00000000 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
6、dD按照双浮点(8字节)格式显⽰
0:000> dD 0012aa00
0012aa00 1.28264382317e-319 2.92040944479e-308 4.24283322552e-293 0012aa18 1.63293462903e+188 1.09792330031e-310 4.27077224821e-314 0012aa30 9.3185129548e+178 2.25060988521e-300 4.24283325567e-293 0012aa48 6.0914686708e-312 -1.#QNAN 0
0012aa60 2.67806662793e-316 -1.88175367138e+287 2.97736448613e-306
7、df按照单浮点(4字节)格式显⽰
0:000> df 0012aa00
0012aa00 3.6379109e-041 0 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045 0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
8、dp按照指针(32位系统读取4字节、64位系统读取8字节)格式读取
0:000> df 0012aa00
0:000> df 0012aa00
0012aa00 3.6379109e-041 0 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045 0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
9、dq按照8字节读取
0:000> dq 0012aa00
0012aa00 00000000`00006569 00150000`00a9f7fb
0012aa10 033b1900`00000000 6702c3c3`0012aafc
0012aa20 00001436`033b1900 00000002`033b1900
0012aa30 6516feef`00000004 01b81d90`01fd71f0
0012aa40 033b1900`033b1900 0000011f`102ccad8
0012aa50 ffffffff`01b81b90 00000000`00000000
0012aa60 00000000`033b1900 fb93c5d2`65106a65
0012aa70 0080b9e9`0012aaf0 0012aafc`00000000
10、du按照Unicode字符串读取。
0:000> du 0012aa00
0012aa00 "敩"
11、dw按照双字节显⽰
0:000> dw 0012aa00
0012aa00 6569 0000 0000 0000 f7fb 00a9 0000 0015
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012
12、dW按照2字节和ASCII字符串读取。
0:000> dW 0012aa00
0012aa00 6569 0000 0000 0000 f7fb 00a9 0000 0015 ie..............
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702 ......;........g
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000 ..;.6.....;.....
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8 .......
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000 ..;...;...,.....
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000 ................
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93 ..;.....
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012 ................
13、dyb按照单字节和⼆进制读取
0:000> dyb 0012aa00
76543210 76543210 76543210 76543210
-------- -------- -------- --------
0012aa00 01101001 01100101 00000000 00000000 69 65 00 00
0012aa04 00000000 00000000 00000000 00000000 00 00 00 00
0012aa08 11111011 11110111 10101001 00000000 fb f7 a9 00
0012aa0c 00000000 00000000 00010101 00000000 00 00 15 00
0012aa10 00000000 00000000 00000000 00000000 00 00 00 00
0012aa14 00000000 00011001 00111011 00000011 00 19 3b 03
0012aa18 11111100 10101010 00010010 00000000 fc aa 12 00
0012aa1c 11000011 11000011 00000010 01100111 c3 c3 02 67
14、dyd按照4字节和⼆进制读取。
0:000> dyd 0012aa00
3 2 1 0
10987654 32109876 54321098 76543210
-------- -------- -------- --------
0012aa00 00000000 00000000 01100101 01101001 00006569
0012aa04 00000000 00000000 00000000 00000000 00000000
0012aa08 00000000 10101001 11110111 11111011 00a9f7fb
0012aa0c 00000000 00010101 00000000 00000000 00150000
0012aa10 00000000 00000000 00000000 00000000 00000000
0012aa14 00000011 00111011 00011001 00000000 033b1900
0012aa18 00000000 00010010 10101010 11111100 0012aafc
0012aa1c 01100111 00000010 11000011 11000011 6702c3c3
六、编辑内存
e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza (Enter Values)
e*命令将您指定的值输⼊内存。不要将此命令与~e(Thread-Specific Command)限定符混淆。
e{b|d|D|f|p|q|w} Address [Values]
e{a|u|za|zu} Address "String"
e Address [Values]
参数:
Address
指定输⼊值的起始地址。调试器将替换地址和每个后续内存位置处的值,直到所有值都被使⽤为⽌。
Values
指定要输⼊内存的⼀个或多个值。多个数值应该⽤空格分隔。如果未指定任何值,则将显⽰当前地址和该地址的值,并提⽰您输⼊。
String
指定要输⼊内存的字符串。ea和eza命令将此作为ascii字符串写⼊内存;eu和ezu命令将此作为unicode字符串写⼊内存。eza和ezu命令会写⼊⼀个终端空值;ea和eu
1、eb 字节值。
0:000> eb 0012aa00 56
0:000> db 0012aa00
0012aa00 56 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00 Ve..............
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
2、ed 双字值(4 个字节为单位)。
0:000> ed 0012aa00 12345678
0:000> dd 0012aa00
0012aa00 12345678 00000000 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
3、eD 双精度浮点数(8 字节为单位)。
0:000> eD 0012aa00 3.1415926
0:000> dD 0012aa00
0012aa00 3.1415926 2.92040944479e-308 4.24283322552e-293
0012aa18 1.63293462903e+188 1.09792330031e-310 4.27077224821e-314
0012aa30 9.3185129548e+178 2.25060988521e-300 4.24283325567e-293
0012aa48 6.0914686708e-312 -1.#QNAN 0
0012aa60 2.67806662793e-316 -1.88175367138e+287 2.97736448613e-306
4、ef 单精度浮点数(4 个字节为单位)。
0:000> ef 0012aa00 6.28
0:000> df 0012aa00
0012aa00 6.2800002 2.142699 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
5、ep 指针⼤⼩值。此命令是等效于ed或eq,具体取决于⽬标计算机的处理器体系结构是否 32 位或 64 位分别。
0:000> ep 0012aa00 98765432
0:000> dp 0012aa00
0012aa00 98765432 400921fb 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论