Show Menu
Cheatography

WinDbg Cheat Sheet (DRAFT) by

A cheat sheet on WinDbg commands

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Basic commands

Continue
g
Step over
p
Step into
t
Step to next return
pt
Reload symbols
.reload -f
Print registers
r <re­gis­ter>
Change register
r <re­gis­ter­>=<­val­ue>
List modules
lm
Search module
lm m <MO­DUL­ENA­ME>
Examine symbol
x <Sy­mbo­l>

Execution flow control

New breakpoint
bp <LO­CAT­ION>
List breakp­oints
bl
Disable breakpoint
bd <Br­eak­point number>
Enable breakpoint
be <Br­eak­point number>
Clear breakpoint
bc <Br­eak­point number>
New unresolved breakpoint
bu <Un­res­olved func>
Hardware BP
ba <x|­w|r> <si­ze> <ad­dr>
 

Memory access

Unassemble from memory
u <ad­dr|­sym­bol>
Display bytes
db <ad­dr|­sym­bol> [L<­siz­e>]
Display words
dw <ad­dr|­sym­bol> [L<­siz­e>]
Display double words
dd <<a­ddr­|sy­mbo­l> [L<­siz­e>]
Display quad words
dq <ad­dr|­sym­bol> [L<­siz­e>]
Display ascii chars
dB|dW|­dD|dQ <ad­dr|­sym­bol> [L<­siz­e>]
Display content of pointer
db|dw|­dd|dq poi(<R­EGI­STE­R>)
Display datatype
dt <DA­TAT­YPE>
Display dt nested structs
dt -r <DA­TAT­YPE>
Display dt fields
dt <DA­TAT­YPE> <Fi­eld>
Display dt in address
dt <DA­TAT­YPE> <ad­dr>
Get size of structure
?? sizeof­(<S­TRU­CT>)
Edit memory
ed <AD­DR> <va­lue>
Edit in ascii
ea <AD­DR> <va­lue>
Edit in unicode
eu <AD­DR> <va­lue>
Search DWORD in memory
s -d <ST­ART­_AD­DR> <LE­N> <NE­EDL­E>
Search ASCII in memory
s -a <ST­ART­_AD­DR> <LE­N> <NE­EDL­E>