SETUP -----------------------------------------------------To set windbg as your default post-mortem debugger (run on crash of programs), simply run windbg from

the command line with the -I option: C:\wherever\windbg.exe -I -----------------------------------------------------CONTROL FLOW g - go / continue / run p - step over t - step into (All further commands also work as ta, tc, tt, tct, th stepping in insted of over) pa 0xaddress pc pt pct ph step step step step step to to to to to address next call next return next call or return next branching instruction

-----------------------------------------------------BREAKPOINTS bp 0xaddress bl bd num bc num ba [e|r|w] 1 0xaddress size address sxe ld:dllname Set breakpoint List breakpoints disable breakpoint num clear breakpoitn num break on access [execution|read|write]

- Break on load of module dllname

-----------------------------------------------------DUMP MEMORY d[d|w|b|a] 0xaddress d[d|w|b|a] 0xaddress L5 them to dump dd register ddp 0xaddress it points to dda 0xaddress the string if it exists u 0xaddress L5 instructions - dump [dword|word|byte|ascii] at address - option L argument defines how many of - dump contents of a register - dump contents of address, and whatever - dump contents of address, and print - disassemble at 0xaddress, L

-----------------------------------------------------EDIT MEMORY e[d|w|b] 0xaddress newbytes .third option is end address .ex dword: 0x41414141 .reload /f -----------------------------------------------------DUMP STRUCTURES !teb !peb !vadump !lmi modulename lm k r dt structName 0xaddress if you have symbols dump thread environment block dump process environment block dump list of memory pages and info dump the info for module modulename show loaded modules show call stack show registers display a structure in proper format -----------------------------------------------------SUGGESTED SETUP | | | | | | ---------------------------------------------| | | | | | | | DISASSEMBLY | REGISTERS | | | .ex word 0x4241 .sympath .ex byte ff e3 (can be as many as you like!) .first option is size ( dump symbols in C:\sym .SRV*C:\sym* .second option is start address .last option is the value to search for . ascii string) . byte.ex ascii: avacado! -----------------------------------------------------SYMBOL SETUP .edit memory -----------------------------------------------------SEARCH MEMORY s -[d|w|b|a] 0x00000000 L?0xffffffff searchval .

...Virtual: set to esp to show the stack If you want a generic memdump AND a constant stack.| | | | | | MEMORY / STACK | | | | ----------------------------------------------MEMORY . put another memory window under command ..yes.I usually check both boxes in the configuration changes show up on top and in red . you can have as many as you like REGISTERS ..| |----------------------| | | | | | | | | | |-----------------------| COMMAND | | | | | | | | | | | MEMORY | | | | | | |......

Sign up to vote on this title
UsefulNot useful