Backlink: reference-notes-readme
Basic WinDbg Commands
Attach to a running process (opens the Attach to Process dialog) with:
F6
Continue newly attached process execution with:
g
Download all available symbols for loaded modules:
.reload /f
Disassemble a Windows API (kernel32!GetCurrentThread):
u kernel32!GetCurrentThread
Display Memory
Display bytes:
db esp
db 00faf974
db kernel32!WriteFile
Display data in two-byte WORD format:
dw esp
Display data in four-byte DWORD format:
dd esp
Display data in eight-byte QWORD format:
dq 00faf974
Display ASCII characters along with WORDs:
dW KERNELBASE+0x40
Display ASCII characters along with DWORDs:
dc KERNELBASE
Limit the output with an L argument; the count is in elements of the chosen size, not bytes (here, with dd, four DWORDs, i.e. 16 bytes):
dd esp L4
The count is hexadecimal by default, so L10 is 0x10 = 16 DWORDs (64 bytes):
dd esp L10
We can use the following two commands to read the DWORD stored at esp (a pointer) and then display the contents of the address it points to:
dd esp L1
dd <address printed by the previous command>
We can also dereference the pointer inline with poi() and achieve the same result in a single line:
dd poi(esp)
Display Memory Structures
Display structure fields and their offsets:
dt ntdll!_TEB
Display structure fields recursively, starting from the structure's address (the $teb pseudo-register holds the current thread's TEB):
dt -r ntdll!_TEB @$teb
Display a specific structure field:
dt ntdll!_TEB @$teb ThreadLocalStoragePointer
Display the size of a structure as defined in the symbol file:
?? sizeof(ntdll!_TEB)
Write to Memory
Overwrite the DWORD at the address held in ESP:
ed esp 41414141
Write or modify ASCII chars directly.
ea esp "Hello"
Searching Memory
Search for the DWORD 0x41414141 ("AAAA") across the lower 2 GB of the address space (L? lifts the default size limit on the range):
s -d 0 l?80000000 41414141
Search for a well-known ASCII string (here the DOS stub message found in every PE module):
s -a 0 L?80000000 "This program cannot be run in DOS mode"
Inspecting and Editing CPU Registers
Dump all registers.
r
Dump a single register.
r ecx
Modify a single register.
r ecx=41414141
Breakpoints
Software Breakpoints
List all breakpoints currently set.
bl
Set a breakpoint on kernel32!WriteFile (hit, for example, when Notepad saves changes to a file):
bp kernel32!WriteFile
Disable breakpoint ID 0 (IDs are shown in the first column of bl):
bd 0
Enable breakpoint ID 0:
be 0
Clear (delete) breakpoint ID 0:
bc 0
Clear (delete) all software breakpoints.
bc *
Set an unresolved (deferred) breakpoint on WriteStringStream in ole32.dll; the module is not loaded until a file is saved, and bu resolves the breakpoint once it is:
bu ole32!WriteStringStream
Breakpoint-Based Actions
Display the number of bytes written every time kernel32!WriteFile is hit, then continue. At function entry on x86, [esp] is the return address and the stdcall arguments follow it, so esp+0x0c holds the third argument, nNumberOfBytesToWrite:
bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0c);.echo;g"
Set a conditional breakpoint on kernel32!WriteFile that halts execution only if exactly four bytes are written (gc resumes with the same stepping mode that was in use when the breakpoint hit):
bp kernel32!WriteFile ".if (poi(esp + 0x0C) != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
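A combined worked example, added here and not part of the original notes: it logs every WriteFile call with its arguments, dumps the buffer being written, and halts only on a four-byte write. It assumes a 32-bit (x86) target stopped at the entry of kernel32!WriteFile, where [esp] is the return address and the stdcall arguments follow at esp+4 (hFile), esp+8 (lpBuffer) and esp+0xc (nNumberOfBytesToWrite). The pseudo-registers $t0 to $t3 are scratch registers chosen here, and the 0x40-byte cap on the dump is a choice made for this example.

```windbg
$$ Added example (not from the original notes). Assumes x86 stdcall layout at entry:
$$   [esp]=return address, [esp+4]=hFile, [esp+8]=lpBuffer, [esp+0xc]=nNumberOfBytesToWrite
$$ Arguments are read once into scratch pseudo-registers; $t3 is the dump length, capped at 0x40 bytes.
bp kernel32!WriteFile "r $t0 = poi(esp+4); r $t1 = poi(esp+8); r $t2 = poi(esp+0xc); r $t3 = @$t2; .if (@$t3 > 0x40) { r $t3 = 0x40 }; .printf \"WriteFile(hFile=%p, lpBuffer=%p, nNumberOfBytesToWrite=%d)\", @$t0, @$t1, @$t2; .echo; db @$t1 L@$t3; .if (@$t2 != 4) { gc } .else { .echo Exactly 4 bytes written, halting }"

$$ Confirm the breakpoint and its attached command string were parsed as intended.
bl

$$ Resume; every WriteFile call is logged and the target stops at the first four-byte write.
g
```

The argument reads are only valid at the function's first instruction; if the breakpoint is placed past the prologue, or on a 64-bit target where the first four arguments arrive in rcx, rdx, r8 and r9, the offsets must be adjusted accordingly.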
Hardware Breakpoints
Set a 1-byte hardware breakpoint on execution of the WriteFile API:
ba e 1 kernel32!WriteFile
Locate a string in memory (as ASCII, then as Unicode), then set a 2-byte hardware write breakpoint on the address the search returned (the address below is from the original session; substitute the one your search prints):
s -a 0x0 l?80000000 w00tw00t
s -u 0x0 L?80000000 w00tw00t
ba w 2 03b2c768
Stepping Through Code
Execute one instruction at a time and step over function calls.
p
Execute one instruction at a time and step into function calls.
t
Execute instructions until the next ret instruction, fast-forwarding to the end of the current function:
pt
Execute instructions until a branching instruction is reached.
ph
Other Features
Display all loaded modules, including their starting and ending addresses.
lm
Force a reload of the symbols for all loaded modules:
.reload /f
Filter to show all modules starting with "kernel".
lm m kernel*