Tools/Windows

Windbg: Windows Kernel Debugging

TESTING 2024. 3. 16. 00:34

Commands

1. Find out target binary EPROCESS address

!process 0 0 calc.exe

 

2. Context Swiching

.process /i EPROCESS_ADDRESS

g

 

3. Load symbols

.sympath

!sym noisy

.reload /f /user

lm

 

4. Set break point

sxe ld test.sys

bm calc!*

ba w8 ADDRESS

bp /p @$proc calc!blabla~

[bp/bm/bc/bd/be]

 

5. Unload symbol

bc *

.reload /u /user

.process /r /p

 

ETC

- Comment

bp TEST!execute; $$ before executing

Another way

1. Target PC

windbgx -server tcp:port=41414

And then open or attach to the target process.

 

2. Host PC

windbgx -remote tcp:server=192.168.0.41,port=41414

sxe -c "gn" 0xC0000420

sxe -c "gn" 0xC0000095

 

저작자표시 비영리 변경금지