Open "Debugging Tools for Windows" help file
0:017> .hh
Display registers
0:017> r
Display Current Process
0:017> |.
0:017> |
Unassemble Function or address
0:017> uf mshtml!CElement::Doc
0:017> u address
Assemble instructions at an address
0:017> a address
Stack trace with frame numbers (n) and source lines hidden (L)
0:017> knL
Display Stack Backtrace
0:017> k
Trace (t) command executes a single instruction or source line and optionally displays the resulting values of all registers and flags.
0:017> t
Set breakpoint
0:017> bp address
List breakpoints
0:017> bl
Search for a String
0:017> s -a 0x00000000 L?7fffffff "disects"
The DLL is loaded between 03b10000 and 03fdd000; search this range for the bytes 5d c3
0:014> s 03b10000 03fdd000 5d c3
On Intel machines, looking at the disassembled SEH code, you will see an instruction that moves a DWORD from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the application/thread may not have exception handling at all.
Dump the TEB
0:017> d fs:[0]
Displays the current exception handler chain
0:017> !exchain
Display information about a local variable, global variable or data type (structures and unions).
0:017> dt var1
Display the array (arr1) under var1
0:017> dt var1 -a arr1
Display all types and globals under nt
0:017> dt nt!*
Look at the default process heap (shows the percentage of busy blocks)
0:017> !heap -stat -h 00150000
List allocations of a specific size
0:017> !heap -flt s fffe0
Display data at an address or a register
0:017> d 03694024-10
0:017> d esp
Find which heap entry a particular address (here, 0c0c0c0c) belongs to
0:017> !heap -p -a 0c0c0c0c
Refer to the link below for further reference
http://windbg.info/doc/1-common-cmds.html