Common WinDbg commands
.hh opens the WinDbg help documentation
Symbol path
https://www.csdn.net/tags/OtTaYgysNDMzNTUtYmxvZwO0O0OO0O0O.html explains it very thoroughly.
Print a specified field of a specified structure
dt <structure> -a <field name>, for example:
0: kd> dt _KPRCB fffff8072db5d180 -a KernelDirectoryTableBase
nt!_KPRCB
+0x6e80 KernelDirectoryTableBase : 0x80000000`001aa002
Actually just [dt <structure> <field name> <address>] works.
Get the KPRCB and KPCR of the current CPU core
!prcb !pcr
Get information about a process by its name
!process 0 0 <process name>
Switch the debugger context to a process
.process /i <EPROCESS address of the target process>
Load the symbols of a specific module
.reload /f C:\Windows\System32\drivers\ndis.sys
Show the details of an object
!object <object body address>
Walk a linked list
The example walks PsLoadedModuleList and prints the BaseDllName of every module
@$extret is the address reached after each list.Flink (Blink) step; here it is an LDR_DATA_TABLE_ENTRY
!list -t nt!_LIST_ENTRY.FLink -x "dt nt!_LDR_DATA_TABLE_ENTRY BaseDllName DllBase @$extret" PsLoadedModuleList
Common WinDbg stepping commands
https://www.cnblogs.com/yilang/p/11459091.html
pct: executes the program until it reaches a call or return instruction.
pr: single-steps and turns on register display.
Conditional breakpoint at an address
The example below does not break if rax equals 0 and breaks if rax is nonzero
bp fffff801`e0292cf3 ".if(@rax == 0){g}"
WinDbg d-series commands
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/d--da--db--dc--dd--dd--df--dp--dq--du--dw--dw--dyb--dyd--display-memor
Load symbols for all kernel modules
.reload /n
Load symbols for all user modules
.reload /user
For efficiency WinDbg loads symbols lazily; .reload /f forces all symbols to be loaded.
Get the driver object and device object of any driver from its driver name
!drvobj \FileSystem\FltMgr (see WinObj for this path)
Analyzing a driver's PE file information in WinDbg
dt _image_dos_header fffff802`dfe00000 (driver base address)
dt _IMAGE_NT_HEADERS64 fffff802`dfe00000+e_lfanew
Search memory (not sure how to use wildcards)
1: kd> s 0xfffff804`2a011000 l100000 E8 BD 25 08 00 48 83 C4 38
1: kd> u NtOpenProcess
nt!NtOpenProcess:
fffff804`2a5b4460 4883ec38 sub rsp,38h
fffff804`2a5b4464 65488b042588010000 mov rax,qword ptr gs:[188h]
fffff804`2a5b446d 448a9032020000 mov r10b,byte ptr [rax+232h]
fffff804`2a5b4474 4488542428 mov byte ptr [rsp+28h],r10b
fffff804`2a5b4479 4488542420 mov byte ptr [rsp+20h],r10b
fffff804`2a5b447e e8bd250800 call nt!PsOpenProcess (fffff804`2a636a40)
fffff804`2a5b4483 4883c438 add rsp,38h
fffff804`2a5b4487 c3 ret
1: kd> s 0xfffff804`2a011000 l1000000 E8 BD 25 08 00 48 83 C4 38
fffff804`2a4eebc0 e8 bd 25 08 00 48 83 c4-38 88 01 00 00 44 8a 90 ..%..H..8....D..
fffff804`2a4eebde e8 bd 25 08 00 48 83 c4-38 c3 cc cc cc cc cc cc ..%..H..8.......
fffff804`2a5b447e e8 bd 25 08 00 48 83 c4-38 c3 cc cc cc cc cc cc ..%..H..8.......
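Added example (Python, not part of the original notes): the three hits above share the bytes E8 BD 25 08 00 because a near call encodes a relative displacement, so identical bytes resolve to a different target at each address. The script parses the `s` output exactly as WinDbg printed it and decodes which hit really calls nt!PsOpenProcess; SEARCH_HITS and PS_OPEN_PROCESS are copied from the output above.

```python
import re
import struct

# Constructed input: the three hits from the `s` search above, as WinDbg prints them
SEARCH_HITS = """\
fffff804`2a4eebc0 e8 bd 25 08 00 48 83 c4-38 88 01 00 00 44 8a 90 ..%..H..8....D..
fffff804`2a4eebde e8 bd 25 08 00 48 83 c4-38 c3 cc cc cc cc cc cc ..%..H..8.......
fffff804`2a5b447e e8 bd 25 08 00 48 83 c4-38 c3 cc cc cc cc cc cc ..%..H..8.......
"""

# Address of nt!PsOpenProcess as shown in the `u NtOpenProcess` listing above
PS_OPEN_PROCESS = 0xFFFFF8042A636A40

# address`address, then 16 byte tokens (the 8th/9th are joined by '-')
HIT_RE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")


def parse_hits(text):
    """Parse `s` output lines into (address, 16 raw bytes) tuples."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1) + m.group(2), 16)
        raw = bytes.fromhex(m.group(3).replace("-", "").replace(" ", ""))
        hits.append((addr, raw))
    return hits


def call_target(addr, code):
    """Resolve an E8 rel32 near call at addr: target = next instruction + signed rel32."""
    if code[0] != 0xE8:
        raise ValueError("not an E8 near call")
    (rel32,) = struct.unpack_from("<i", code, 1)
    return (addr + 5 + rel32) & 0xFFFFFFFFFFFFFFFF


def calls_to(text, target):
    """Return the hit addresses whose call actually resolves to target."""
    return [addr for addr, code in parse_hits(text) if call_target(addr, code) == target]


if __name__ == "__main__":
    for addr, code in parse_hits(SEARCH_HITS):
        print(f"{addr:#018x} -> call {call_target(addr, code):#018x}")
    print("calls to PsOpenProcess:", [hex(a) for a in calls_to(SEARCH_HITS, PS_OPEN_PROCESS)])
```

Only the hit inside NtOpenProcess reaches PsOpenProcess; the other two call into different functions, so a byte search for a call's encoding is not a search for its callers.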
Using the !fltkd debugger extension in WinDbg
List all minifilters on the system
0: kd> !fltkd.filters
Filter List: ffffac07059c3520 "Frame 0"
FLT_FILTER: ffffac07059ec530 "WdFilter" "328010"
FLT_INSTANCE: ffffac0705978a90 "WdFilter Instance" "328010"
FLT_INSTANCE: ffffac07058e0a20 "WdFilter Instance" "328010"
FLT_INSTANCE: ffffac0705bbca80 "WdFilter Instance" "328010"
FLT_FILTER: ffffac070966c050 "procmon" "321420"
FLT_FILTER: ffffac07050d0990 "storqosflt" "244000"
FLT_FILTER: ffffac07050e9990 "wcifs" "189900"
FLT_INSTANCE: ffffac07050f6910 "wcifs Instance" "189900"
FLT_FILTER: ffffac07050f0010 "CldFlt" "180451"
FLT_FILTER: ffffac0705b1f6c0 "FileCrypt" "141100"
FLT_FILTER: ffffac07050f6010 "luafv" "135000"
FLT_INSTANCE: ffffac07050f4010 "luafv" "135000"
FLT_FILTER: ffffac0705bb6260 "npsvctrig" "46000"
FLT_INSTANCE: ffffac0705bb9ab0 "npsvctrig" "46000"
FLT_FILTER: ffffac07059e9010 "Wof" "40700"
FLT_INSTANCE: ffffac07058a1830 "Wof Instance" "40700"
FLT_FILTER: ffffac07059e8240 "FileInfo" "40500"
FLT_INSTANCE: ffffac07058a8840 "FileInfo" "40500"
FLT_INSTANCE: ffffac07058db970 "FileInfo" "40500"
FLT_INSTANCE: ffffac0705bbc4e0 "FileInfo" "40500"
List the details of one minifilter
0: kd> !fltkd.filter ffffac070966c050
FLT_FILTER: ffffac070966c050 "procmon" "321420"
FLT_OBJECT: ffffac070966c050 [02000000] Filter
RundownRef : 0x0000000000000004 (2)
PointerCount : 0x00000002
PrimaryLink : [ffffac07050d09a0-ffffac07059ec540]
Frame : ffffac07059c3470 "Frame 0"
Flags : [00000012] FilteringInitiated +10!!
DriverObject : ffffac070ac49e30
FilterLink : [ffffac07050d09a0-ffffac07059ec540]
PreVolumeMount : fffff800b6fd6fe0 procmon!ProcmonPreOperation
PostVolumeMount : fffff800b6fd7370 procmon!ProcmonPostOperation
FilterUnload : 0000000000000000 (null)
InstanceSetup : fffff800b6fdf000 procmon!ProcmonInstanceSetup
InstanceQueryTeardown : fffff800b6fdf030 procmon!ProcmonInstanceQueryTeardown
InstanceTeardownStart : 0000000000000000 (null)
InstanceTeardownComplete : 0000000000000000 (null)
ActiveOpens : (ffffac070966c208) mCount=0
Communication Port List : (ffffac070966c258) mCount=1
Client Port List : (ffffac070966c2a8) mCount=0
VerifierExtension : 0000000000000000
Operations : ffffac070966c300
OldDriverUnload : 0000000000000000 (null)
SupportedContexts : (ffffac070966c180)
VolumeContexts : (ffffac070966c180)
InstanceContexts : (ffffac070966c188)
FileContexts : (ffffac070966c190)
StreamContexts : (ffffac070966c198)
StreamHandleContexts : (ffffac070966c1a0)
TransactionContext : (ffffac070966c1a8)
(null) : (ffffac070966c1b0)
InstanceList : (ffffac070966c0b8)
Write memory to a file
.writemem C:\csagent_dump.sys fffff800`160f0000 L2B4000
The x command
0:000> x kernelbase!GetLocal*
74be0520 KERNELBASE!GetLocaleInfoW (void)
74be71d0 KERNELBASE!GetLocaleInfoEx (void)
74bf0eb0 KERNELBASE!GetLocalTime (void)
74bcf010 KERNELBASE!GetLocaleInfoA (void)
74bfe0a0 KERNELBASE!GetLocalPathFromNetResourceW (void)
74bfebe0 KERNELBASE!GetLocaleFromLanguageAndRegion (_GetLocaleFromLanguageAndRegion@16)
74bca42e KERNELBASE!GetLocaleNullStringFromArrayInPoolTestArray (_GetLocaleNullStringFromArrayInPoolTestArray@12)
74be3f30 KERNELBASE!GetLocaleInfoHelper (_GetLocaleInfoHelper@16)
74c330ee KERNELBASE!GetLocaleWordFromArrayInPoolUseDefault (_GetLocaleWordFromArrayInPoolUseDefault@16)
74c32832 KERNELBASE!GetLocaleInfoNativeDigits (_GetLocaleInfoNativeDigits@16)
74be81e2 KERNELBASE!GetLocaleFileInfo (_GetLocaleFileInfo@4)