
Defrag Tools: #20 - WinDbg - Basic Commands

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the commands used to show the state of the debug session. It also shows some of the basic commands used to view process and thread information of a user mode process. We cover these commands:

  • version
  • vertarget
  • |
  • ||
  • .sympath
  • .srcpath
  • .exepath
  • .extpath
  • .chain
  • !analyze -v
  • .bugcheck
  • !error
  • ~
  • ~NNs
  • ~~[TID]s
  • ~*k
  • ~*r
  • !process 0 17
  • !threads
  • !findstack
  • !uniqstack
  • !peb
  • !teb
  • k=
  • dps
  • dpu
  • dpa
  • dpp
  • .reload /f
  • .reload /user
  • !gle
  • !tls
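As an added example (not from the episode itself), the script below strings the commands above into one user mode session against a running notepad.exe. It is a cdb/WinDbg command file: start notepad, then run `cdb.exe -pn notepad.exe -cf basics.wds` (or paste the lines into the WinDbg command window). The symbol cache directory `C:\symbols`, the file name `basics.wds`, and the `user32!GetMessageW` frame used with `!findstack` are assumptions for illustration; `~0s` stands in for the `~~[TID]s` form because a real TID is only known once you are in the session.

```windbg
$$ basics.wds - user mode tour of the Defrag Tools #20 commands (added example)
$$ Symbols first: every stack walk below is meaningless without them.
.sympath srv*C:\symbols*https://msdl.microsoft.com/download/symbols
.reload /f

$$ State of the debug session: debugger build, target OS/bitness and times,
$$ then the system/process/thread status lines.
version
vertarget
||
|

$$ Where files come from and which extension DLLs are loaded.
.srcpath
.exepath
.extpath
.chain

$$ !analyze works on user mode targets too. On a live, healthy process it just
$$ reports that there is no exception to analyze.
!analyze -v

$$ Error code lookup: Win32 code, then an NTSTATUS (flag 1).
!error 5
!error c0000005 1

$$ Threads: list them, dump every stack, collapse duplicates,
$$ then find the thread(s) sitting in the message loop.
~
~*k
!uniqstack
!findstack user32!GetMessageW 2

$$ Change the current thread. ~0s uses the debugger thread number;
$$ ~~[TID]s would select by OS thread ID in hex, e.g. ~~[1a2c]s
~0s
!teb
!gle
!tls -1

$$ Process-wide view.
!peb

$$ Raw stack words with symbols: this is how you spot return addresses
$$ after a stack variable overflow has trashed the frame.
dps @rsp L20
dpp @rsp L10

$$ Stack recreation. On x64 supply base pointer, stack pointer and
$$ instruction pointer. Live registers are used here for the syntax;
$$ after an overflow you substitute the values recovered from dps.
k = @rbp @rsp @rip

$$ Kernel-only companions, for reference (do not run in user mode):
$$   !process 0 17     all stacks of all processes
$$   .bugcheck         bugcheck code and arguments
$$   .reload /user     load user symbols after switching process/thread context

$$ Detach cleanly and leave notepad running.
qd
```

The `!error` pair is the quickest way to turn a `!gle` value or an exception code into text; `.reload /u` is the unload form, so keep the `/user` spelling when you want user mode symbols in a kernel session.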

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
  • Microsoft Windows SDK for Windows 7 and .NET Framework 4
  • System Error Codes

Timeline:
[01:01] - Live Debug of Notepad
[02:14] - Overview of the debug session (version)
[03:10] - OS Version/Architecture and System/Debug/User/Kernel times (vertarget)
[09:03] - Process and System Status (| {pipe}, || {double pipe})
[10:16] - Symbol Path (.sympath)
[10:52] - Source Path (.srcpath)
[11:00] - Executable Path (.exepath, lmvm - Memory Mapped Image File)
[11:40] - Extension Path (.extpath)
[12:20] - Loaded Extensions (.chain)
[13:43] - !analyze is for both User and Kernel crashes (!analyze -v)
[14:56] - Bugcheck code and arguments (.bugcheck)
[15:26] - Error Code Lookup (!error)
[16:04] - Threads in a User Process (~ {tilde})
[17:33] - Change Current Thread Context (~NNs)
[20:13] - Show all the call stacks or registers (~*k, ~*r)
[21:04] - Change Current Thread Context by TID (~~[TID]s)
[24:18] - Show all the call stacks in all the processes in a kernel session (!process 0 17)
[25:29] - Configuration summary of all threads (!threads)
[26:54] - Find call stack (!findstack)
[27:35] - Unique call stacks (!uniqstack)
[28:30] - Process Environment Block (!peb)
[30:50] - Thread Environment Block (!teb)
[32:02] - Buffer Overflow of a stack variable
[33:11] - Call Stack Recreation (k= {x64})
[34:40] - Display Pointers as a Symbol, Unicode, ANSI or Pointer (dps, dpu, dpa, dpp)
[37:40] - Force the loading of symbols (.reload /f)
[38:43] - Force the loading of user symbols in the kernel when you change thread context (.reload /user)
Note: /u is for unload, not load user symbols - that's why Chad is the kernel guy!
[39:18] - SetLastError/GetLastError value in the TEB (!gle)
[40:14] - Thread Local Storage values in the TEB (!tls)
