Saturday, April 5, 2014

WinDBG: Useful Debugging Commands

Open "Debugging Tools for Windows" help file
0:017> .hh

Display registers
0:017> r

Display Current Process
0:017> |.
0:017> |
Unassemble Function or address 0:017> uf mshtml!CElement::Doc 0:017> u address Assemble Address 0:017> a address Stack Trace 0:017> knL

Display Stack Backtrace
0:017> k
Trace (t) command executes a single instruction or source line and optionally displays the resulting values of all registers and flags. 0:017> t

Set break point
0:017> bp address

List break points
0:017> bl

Search for a String
0:017> s -a 0x00000000 L?7fffffff "disects"

dll is loaded between 03b10000 and 03fd000, search this area for 5d c3
0:014> s 03b10000 l 03fdd000 5d c3

On Intel machines, looking at the disassembled SEH code, you will see an instruction to move DWORD ptr from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the
application/thread may not have exception handling at all.
Dump the TEB
0:017> d fs:[0]

Displays the current exception handler chain
0:017> !exchain

Display information about a local variable, global variable or data types(structures and unions). 
0:017> dt var1

array(arr1) under var1
0:017> dt var1 -a arr1

displays all types and globals under nt
0:017> dt nt!*

Looking at the default process heap, shows percentage of busy blocks
0:017> !heap -stat -h 00150000

Listing allocations with specific size
0:017> !heap -flt s fffe0

Display data at an address or a register
0:017> d 03694024-10
0:017> d esp
To which heap entry a particular address (here, 0c0c0c0c) belongs to 0:017> !heap -p -a 0c0c0c0c

Refer blow link for further reference