Windbg Commands / Tips

Useful Windbg Command

Check Instruction

u

Memory View

dq
dd
db
? poi rcx+420h
dq poi rcx+420h
dq poi(poi(rcx+420h))

Break Point

Conditional Break Point

ba w1 address
ba w2 address
ba r1 address
ba r2 address
bu 

General Break Point

bp [address | symbol]
bd [num]
bc [num]
be [num]
bc *
bd *

Exceptions

sx
sxe 0xC0000420
sxe 0xc0000002
sd *

sxe ld test.dll

Execution

g / p / t / u
pc / pt / tt / ta
g- / g-u / g-p / gu

F11, F10, Shift+F11

Modifying Memory or Register

e 0x40000000 0x41414141
eb 0x40000000 0x41

eb 0x40000000 41 41 41 41 43 42 42 41 42 43 53 63 31 42 53 63 00 00 42 12 45 12

r rax=0x4141414141

Check Symbol

x test!TESTING*

Searching Strings

• ANSI

s -sa [range]

• Unicode

s -su fffff880`01370100 fffff880`01371100

• s 810c7000 L10000000 50 00 50 00 43 00 32 00 3a 00

Systematic Command

.reload
.restart
.sympath

 

For Coverage

pt
bp
.restart
g
ta

Postmortem

• Turn on
  windbgx /I
  windbg -I

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Debugger /t REG_SZ /d "\"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe\" -p %ld -e %ld -g" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d "1" /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Debugger /t REG_SZ /d "\"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe\" -p %ld -e %ld -g" /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d "1" /f

 

• Turn off
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
  Auto == 0

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d "0" /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d "0" /f

 

---

Windbg Extension

- TTD(Time Travel Debugging)

?