Cheatography

windbg1111 Cheat Sheet by

These are WinDbg commands.

Symbols

.reload /f
.sympath SRV*C:\sym*http://msdl.microsoft.com/download/symbols/
x modulename!symbolname
search for function or symbols
$iment(module)
entry point of module
!drvobj <name>
find driver
!devobj <name>
device object
!devhandles <handle>
apps using the driver

Breakpoints

bp 0x<addr>
set breakpoint at address
bl
list breakpoints
bd <#>
disable breakpoint #
bc <#>
clear breakpoint #
be <#>
enable breakpoint #
ba [r|w|e] <size> 0x<addr>
break on [read|write|execute]
bu <symbolname>
break on symbol
sxe ld:dllname
break on module load

Control

g or F5
continue
p or F10
step over
t or F11
step into
Shift + F11
step out
wt
trace and watch
 
pa or ta 0x<addr>
step to address
pc or tc
step to next call
pt or tt
step to next return
pct or tct
step to next call or return
ph or th
step to next branch
 
F6 or .attach
attach to process
.detach
detach from process
.restart
restart
q
quit

Thread

~<a><b>
a
*
all threads
.
current thread
<#>
thread ordinal number
b
e
execute
f
freeze
u
unfreeze
n
suspend
m
resume
(empty)
lists threads
 

Dump Structures

k
dump the call stack
r
dump registers
!teb
dump TEB
!peb
dump PEB
!vadump
dump mem pages/info
!heap
dump heap
lm
list loaded modules
ln
list closest symbols to a memory address
!idt
interrupt descriptor table
dt modulename!symbolname 0x<addr>
dump structure for symbol

Code

u 0x<addr> L<#>
disassemble at addr, L# instructions

Memory

d* 0x<addr>
a
ascii chars
u
 
