-
-
[转帖]Windbg 调试分析代码从.cmdtree命令开始
-
2013-5-20 14:51
-
http://www.cnblogs.com/pugang/archive/2012/12/17/2822153.html
使用Windbg 调试分析代码
---从.cmdtree命令的积累开始
一提到windbg很多人心里就有些畏难情绪,也难怪,这东西虽然是神器,对一个新手来说使用起来确实有些不方便,而且命令太多,很难一下子都记住,最近发现一个好方法,分享出来,希望大家可以通过这个方法开个好头。
使用windbg第一关就是要记住一堆的命令,其实老外也不会记住所有的命令,哪怕是高手,也就那常用的几十个,最多不超过几百个命令。Windbg里面有一个功能,说是功能不如说是原命令.cmdtree,使用这个命令,我们可以将常用的命令记录起来,然后以图形界面的方式选择执行,这样地新手来说,门槛就低了很多,而且随着时间的推移,就会慢慢的记住这些命令都是什么。
配置完成的效果是这样的,需要执行哪个命令,选择就可以了:
如下是配置过程:
如下是配置过程:
1.将下列内容存为文本cmdtree.wl,并保存到windbg安装目录下。
2.在windbg中执行命令: .cmdtree cmdtree.wl
3.如下是文本文件的内容。
windbg ANSI Command Tree 1.0
title {"Crash Dump Analysis Checklist"}
body
{"Crash Dump Analysis Checklist"}
{"General"}
{"Versions and locations"} {"version"}
{"Set longer stack trace"} {".kframes 100"}
{"Application crash or hang"}
{"Default analysis (crash)"} {"!analyze -v"}
{"Default analysis (hang)"} {"!analyze -v -hang"}
{"Switch to x86 architecture"} {".load wow64exts; .effmach x86"}
{"Critical sections (locked)"} {"!locks"}
{"Modules"} {"lmv"}
{"Threads (all)"} {"~*kv 250"}
{"Threads (unique)"} {"!uniqstack"}
{"Gflags"} {"!gflag"}
{"Time consumed by thread"} {"!runaway"}
{"PEB"} {"!peb"}
{"TEB"} {"!teb"}
{"Hooked functions (ntdll)"} {"!chkimg -lo 50 -d !ntdll -v"}
{"Hooked functions (kernel32)"} {"!chkimg -lo 50 -d !kernel32 -v"}
{"Hooked functions (user32)"} {"!chkimg -lo 50 -d !user32 -v"}
{"Hooked functions (ALL)"} {"!for_each_module !chkimg -lo 50 -d !${@#ModuleName} -v"}
{"Exception handlers"} {"!exchain"}
{"Computer name"} {"!envvar COMPUTERNAME"}
{"Stack of exception thread"} {"~#kv 250"}
{"Stack of current thread"} {"~.kv 250"}
{"Switch to thread"}
{"#0"} {"~0s"}
{"#1"} {"~1s"}
{"#2"} {"~2s"}
{"#3"} {"~3s"}
{"#4"} {"~4s"}
{"#5"} {"~5s"}
{"#6"} {"~6s"}
{"#7"} {"~7s"}
{"#8"} {"~8s"}
{"#9"} {"~9s"}
{"System hang"}
{"Default analysis"} {"!analyze -v -hang"}
{"ERESOURCE contention"} {"!locks"}
{"Processes and virtual memory"} {"!vm 4"}
{"Sorted pool consumption (paged)"} {"!poolused 4"}
{"Sorted pool consumption (nonpaged)"} {"!poolused 3"}
{"Waiting threads"} {"!stacks"}
{"Critical system queues"} {"!exqueue f"}
{"I/O"} {"!irpfind"}
{"The list of all thread stack traces"} {"!process 0 ff"}
{"Critical sections for current process"} {"!ntsdexts.locks"}
{"Sessions"} {"!session"}
{"Processes"} {"!process 0 0"}
{"Running threads"} {"!running"}
{"Ready threads"} {"!ready"}
{"DPC queues"} {"!dpcs"}
{"The list of APCs"} {"!apc"}
{"Internal queued spinlocks"} {"!qlocks"}
{"Computer name"} {"dS srv!srvcomputername"}
{"Switch to processor"}
{"#0"} {"~0s"}
{"#1"} {"~1s"}
{"#2"} {"~2s"}
{"#3"} {"~3s"}
{"#4"} {"~4s"}
{"#5"} {"~5s"}
{"#6"} {"~6s"}
{"#7"} {"~7s"}
{"BSOD"}
{"Default analysis"} {"!analyze -v"}
{"Processes and virtual memory"} {"!vm 4"}
{"Bugcheck callback data (prior to Windows XP SP1)"} {"!bugdump"}
{"Bugcheck secondary callback data"} {".enumtag"}
{"Computer name"} {"dS srv!srvcomputername"}
总结
本文介绍了一种记录常用命令,并以选择方式在windbg中执行的方式,这种方式极大的降低了初学者的门槛,使大家可以很方便的对.dmp或者windows程序进行分析,而无需立即记住所有的windbg命令,希望对大家有所帮助。
使用Windbg 调试分析代码
---从.cmdtree命令的积累开始
一提到windbg很多人心里就有些畏难情绪,也难怪,这东西虽然是神器,对一个新手来说使用起来确实有些不方便,而且命令太多,很难一下子都记住,最近发现一个好方法,分享出来,希望大家可以通过这个方法开个好头。
使用windbg第一关就是要记住一堆的命令,其实老外也不会记住所有的命令,哪怕是高手,也就那常用的几十个,最多不超过几百个命令。Windbg里面有一个功能,说是功能不如说是原命令.cmdtree,使用这个命令,我们可以将常用的命令记录起来,然后以图形界面的方式选择执行,这样地新手来说,门槛就低了很多,而且随着时间的推移,就会慢慢的记住这些命令都是什么。
配置完成的效果是这样的,需要执行哪个命令,选择就可以了:
如下是配置过程:
如下是配置过程:
1.将下列内容存为文本cmdtree.wl,并保存到windbg安装目录下。
2.在windbg中执行命令: .cmdtree cmdtree.wl
3.如下是文本文件的内容。
windbg ANSI Command Tree 1.0
title {"Crash Dump Analysis Checklist"}
body
{"Crash Dump Analysis Checklist"}
{"General"}
{"Versions and locations"} {"version"}
{"Set longer stack trace"} {".kframes 100"}
{"Application crash or hang"}
{"Default analysis (crash)"} {"!analyze -v"}
{"Default analysis (hang)"} {"!analyze -v -hang"}
{"Switch to x86 architecture"} {".load wow64exts; .effmach x86"}
{"Critical sections (locked)"} {"!locks"}
{"Modules"} {"lmv"}
{"Threads (all)"} {"~*kv 250"}
{"Threads (unique)"} {"!uniqstack"}
{"Gflags"} {"!gflag"}
{"Time consumed by thread"} {"!runaway"}
{"PEB"} {"!peb"}
{"TEB"} {"!teb"}
{"Hooked functions (ntdll)"} {"!chkimg -lo 50 -d !ntdll -v"}
{"Hooked functions (kernel32)"} {"!chkimg -lo 50 -d !kernel32 -v"}
{"Hooked functions (user32)"} {"!chkimg -lo 50 -d !user32 -v"}
{"Hooked functions (ALL)"} {"!for_each_module !chkimg -lo 50 -d !${@#ModuleName} -v"}
{"Exception handlers"} {"!exchain"}
{"Computer name"} {"!envvar COMPUTERNAME"}
{"Stack of exception thread"} {"~#kv 250"}
{"Stack of current thread"} {"~.kv 250"}
{"Switch to thread"}
{"#0"} {"~0s"}
{"#1"} {"~1s"}
{"#2"} {"~2s"}
{"#3"} {"~3s"}
{"#4"} {"~4s"}
{"#5"} {"~5s"}
{"#6"} {"~6s"}
{"#7"} {"~7s"}
{"#8"} {"~8s"}
{"#9"} {"~9s"}
{"System hang"}
{"Default analysis"} {"!analyze -v -hang"}
{"ERESOURCE contention"} {"!locks"}
{"Processes and virtual memory"} {"!vm 4"}
{"Sorted pool consumption (paged)"} {"!poolused 4"}
{"Sorted pool consumption (nonpaged)"} {"!poolused 3"}
{"Waiting threads"} {"!stacks"}
{"Critical system queues"} {"!exqueue f"}
{"I/O"} {"!irpfind"}
{"The list of all thread stack traces"} {"!process 0 ff"}
{"Critical sections for current process"} {"!ntsdexts.locks"}
{"Sessions"} {"!session"}
{"Processes"} {"!process 0 0"}
{"Running threads"} {"!running"}
{"Ready threads"} {"!ready"}
{"DPC queues"} {"!dpcs"}
{"The list of APCs"} {"!apc"}
{"Internal queued spinlocks"} {"!qlocks"}
{"Computer name"} {"dS srv!srvcomputername"}
{"Switch to processor"}
{"#0"} {"~0s"}
{"#1"} {"~1s"}
{"#2"} {"~2s"}
{"#3"} {"~3s"}
{"#4"} {"~4s"}
{"#5"} {"~5s"}
{"#6"} {"~6s"}
{"#7"} {"~7s"}
{"BSOD"}
{"Default analysis"} {"!analyze -v"}
{"Processes and virtual memory"} {"!vm 4"}
{"Bugcheck callback data (prior to Windows XP SP1)"} {"!bugdump"}
{"Bugcheck secondary callback data"} {".enumtag"}
{"Computer name"} {"dS srv!srvcomputername"}
总结
本文介绍了一种记录常用命令,并以选择方式在windbg中执行的方式,这种方式极大的降低了初学者的门槛,使大家可以很方便的对.dmp或者windows程序进行分析,而无需立即记住所有的windbg命令,希望对大家有所帮助。
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
