[Original] WinDbg usage in detail
Posted: 2021-11-17 11:39 26300


1. The bp command
Sets a breakpoint at an address. You can write bp 0x7783FEB or bp MyApp!SomeFunction; for the latter WinDbg resolves MyApp!SomeFunction to its address and sets the breakpoint there. The problems with bp are: a) if the code is modified and the function's address changes, the breakpoint stays at the same address and may no longer be meaningful; b) WinDbg does not save bp breakpoints in the workspace.
bp is used as follows:
0:000> bp standAloneWinGuard!CUIAuthMgr::SetLicenseErrCode
2. The bu command
Sets a breakpoint on a symbol. The most important use of bu is setting breakpoints in modules that have not been loaded yet: if loader32.dll is not loaded and you want a breakpoint inside it, bu loader32!DllMain is hit once loader32.dll gets loaded. Likewise bu MyApp!SomeFunction follows the function to its new address after the code is modified. bu breakpoints are also saved in the WinDbg workspace and are set automatically the next time WinDbg starts.
bu can therefore be set on a symbol the debugger cannot yet resolve: whenever a new module is loaded, the debugger re-evaluates the unresolved breakpoints and sets any whose symbol now matches. bp fails in that case (the function's address does not exist yet) while bu succeeds. In newer versions of WinDbg a failed bp is automatically converted into a bu.
3. The bm command
Also sets breakpoints on symbols, but supports wildcard patterns, which is useful when you want several breakpoints at once. For example, to break on every member function of MyClass: bm MyApp!MyClass::* ; to break on every function whose name starts with CreateWindow: bm user32!CreateWindow*
In driver development, use bm rather than bp to break on the driver entry point:
kd> bm ranet!driverentry

4. The ba command
The three commands above break on code; we can also break on data. ba is the data breakpoint command: the breakpoint fires when the specified memory is accessed. The syntax is
ba Access Size [Address]
Access is the kind of access: e (execute), r (read or write), w (write).
Size is the number of bytes of the watched location: 1, 2 or 4, or also 8 on 64-bit machines. The address must be aligned to a multiple of Size.
For example, to break when the memory at 0x0483DFE is written, use ba w4 0x0483DFE

5. Listing breakpoints: bl
0:000> bl

6. Disabling a breakpoint
0:000> bd 1

7. Enabling a breakpoint
0:000> be 1
0:000> bl

8. Clearing breakpoints
0:000> bc 1
0:000> bl
0:000> bc 2-4
0:000> bc 1

1. Set the Microsoft symbol path and download all Microsoft symbols
    WinDbg symbol path setting:
        srv*C:\Symbols*http://msdl.microsoft.com/download/symbols;F:\MyGitRepo\rst2\hamc\code\framework\agent_windows\installproject\pdb\20210926\x64
    Enter the command: !sym noisy
    Enter the command: .reload /f
2. Force-load the symbols of a given module (the module name is case-sensitive and must include the file extension)
    .reload /f libqaxdecode.dll
    .reload /f testHeapOverflow.exe
1. Set up a two-machine kernel debugging environment with VirtualKD
2. Set a breakpoint at the driver's entry point DriverEntry with the command:    bm ranet!driverentry
    Note: you must use bm, which resolves the symbol lazily; bp does not work here
    1: kd> bm ranet!driverentry
    1: fffff880`03c4bcdc @!"RaNet!DriverEntry"
    1: kd> g
3. Copy the driver into the virtual machine, then install and start it with the tool InstDrvx64 V1.03. The breakpoint at the DriverEntry entry point is hit; enter kn to view the call stack
    Note:
    Breakpoint 1 hit
    RaNet!DriverEntry:
    fffff880`03c5bcdc 488bc4          mov     rax,rsp
    1: kd> kn
     # Child-SP          RetAddr           Call Site
    00 fffff880`045ec828 fffff880`03c65020 RaNet!DriverEntry [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 336]
    01 fffff880`045ec830 fffff800`042978c6 RaNet!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmode\gs_support.c @ 117]
    02 fffff880`045ec860 fffff800`04297cc5 nt!IopLoadDriver+0xa06
    03 fffff880`045ecb30 fffff800`03ea628d nt!IopLoadUnloadDriver+0x55
    04 fffff880`045ecb70 fffff800`0419c1a0 nt!ExpWorkerThread+0x111
    05 fffff880`045ecc00 fffff800`03ef4ba6 nt!PspSystemThreadStartup+0x194
    06 fffff880`045ecc40 00000000`00000000 nt!KiStartSystemThread+0x16
4. Set a breakpoint at the entry of the driver unload function and run g; the breakpoint is hit. The breakpoint command: bm ranet!RaUnloadDriver
    Note: RaUnloadDriver is the function that the pointer DriverObject->DriverUnload points to
    1: kd> bm ranet!RaUnloadDriver
      2: fffff880`03e3e800 @!"RaNet!RaUnloadDriver"
    1: kd> bl
         1 e Disable Clear  fffff880`03e3dcdc     0001 (0001) RaNet!DriverEntry
         2 e Disable Clear  fffff880`03e3e800     0001 (0001) RaNet!RaUnloadDriver
    1: kd> g
    Breakpoint 2 hit
    RaNet!RaUnloadDriver:
    fffff880`03e3e800 48895c2408      mov     qword ptr [rsp+8],rbx
    0: kd> kp
     # Child-SP          RetAddr           Call Site
    00 fffff880`04708b28 fffff800`04245c8c RaNet!RaUnloadDriver(struct _DRIVER_OBJECT * DriverObject = 0xfffffa80`1b05ec10 Driver "\Driver\RaNet") [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 55]
    01 fffff880`04708b30 fffff800`03e5428d nt!IopLoadUnloadDriver+0x1c
    02 fffff880`04708b70 fffff800`0414a1a0 nt!ExpWorkerThread+0x111
    03 fffff880`04708c00 fffff800`03ea2ba6 nt!PspSystemThreadStartup+0x194
    04 fffff880`04708c40 00000000`00000000 nt!KiStartSystemThread+0x16
5. Set breakpoints on the functions you are interested in and create the conditions that trigger them, using bm ModuleName!FunctionName, e.g. bm ranet!GetNetDacRule; they are all hit successfully
1. Create a driver service (CreateService)
    sc create mydriver binpath= C:\Users\Administrator\Desktop\888888888\RaNet.sys type= kernel start= demand error= ignore
    mydriver is the driver service name; you can change it to any name you like, although there seems to be a length limit
    The c:\1.sys after binpath= is the path of the driver file; if the path contains spaces it must be enclosed in quotes, e.g. binpath= "C:\a b\1.sys"
    kernel after type= means a driver service is created
    demand after start= means the driver service is started on demand
    ignore after error= means any error is ignored
    Note that sc.exe requires a space between each option's = and its value, as written above.
2. Start the driver service (StartService)
    sc start mydriver
    mydriver is the name of your driver service, the same mydriver as above
3. Stop the driver service (StopService)
    sc stop mydriver
4. Delete the driver service (DeleteService)
    sc delete mydriver
    Delete it once it is no longer needed
1. Assembly mode: single-step one assembly instruction
2. Source mode: single-step one statement
3. p: step over
4. t: step into
5. g: go (continue execution).
6. gu: step out of the current function and stop at the statement after the call ("go up"); the equivalent of Shift+F11 in Visual Studio
7. .detach: detach from the target process
8. Attach to a process and set the source and symbol paths at the same time (save the following line as a batch file and double-click it)
    "./windbg_x86/windbg.exe" -pn fcservice.exe -y %cd%\pdb -srcpath %cd%\code
9. Capture a dump file (usually done when the program has crashed)
    .dump /ma C:\dumps\myapp.dmp
10. .frame switches the current stack frame so that its local variables can be inspected
    a) View the thread's call stack with knb
        The number in the first column is the frame number
        0:004> knb
         # ChildEBP RetAddr 
        00 02e2fc30 00ce104a ConsoleApplication1!printf+0x4 [C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h @ 960]
        01 02e2fc38 75fe4f9f ConsoleApplication1!SecondThreadFunc+0xa [D:\02MyDemo\045_register\ConsoleApplication1\ConsoleApplication1\ConsoleApplication1.cpp @ 13]
        02 02e2fc70 75c7fa29 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
        03 02e2fc80 77aa7a9e KERNEL32!BaseThreadInitThunk+0x19
        04 02e2fcdc 77aa7a6e ntdll!__RtlUserThreadStart+0x2f
        05 02e2fcec 00000000 ntdll!_RtlUserThreadStart+0x1b
    b) .frame FrameNumber
        Command: .frame 0
    c) Then run x to display the current frame's local variables; in this function, for example, there are two locals, pcls and rawptr
        0:018> x
        0012fced pcls = 0x0039ba80
        0012fcd8 rawptr = 0x0039ba80
11. Display address-space information
    0:000> !address 75831234
    Usage:                  Image
    Base Address:           75831000
    End Address:            758f6000
    Region Size:            000c5000
    Type:                   01000000MEM_IMAGE
    State:                  00001000MEM_COMMIT
    Protect:                00000020PAGE_EXECUTE_READ
    More info:              lmv m kernel32
    More info:              !lmi kernel32
    More info:              ln 0x75831234
 
12. Restart the debug target
        .restart
The radix of a number can be given with the 0x prefix (hexadecimal), the 0n prefix (decimal), the 0t prefix (octal) or the 0y prefix (binary)
1. Open the Watch window and double-click the Name column to enter a variable name; the local variable's value is then displayed
2. /i: shows the kind of each variable: local, global, parameter, function or unknown.
    0:000> dv /i bRegisteredVer
    prv local   bRegisteredVer = false
3. /t: includes the data type of each local variable.
    0:000> dv /t bRegisteredVer
    bool bRegisteredVer = false
4. /v: includes the virtual memory address of each local variable
    0:000> dv /v bRegisteredVer
    0012aa27  bRegisteredVer = false
5. /V: same as /v, and also shows each local variable's address relative to the relevant register.
    0:000> dv /V bRegisteredVer
    0012aa27 @ebp-0x55  bRegisteredVer = false
6. /a: sorts the output by address in ascending order.
    0:000> dv /a
               this = 0x001ed8c8
             length = 0n0
               file = class QFile
     bRegisteredVer = false
            license = class CLicense
       qstrAuthCode = class QString
        authErrCode = 0x0012aae4
7. /A: sorts the output by address in descending order.
    0:000> dv /A
        authErrCode = 0x0012aae4
       qstrAuthCode = class QString
            license = class CLicense
     bRegisteredVer = false
               file = class QFile
             length = 0n0
               this = 0x001ed8c8
 
8. /n: sorts the output by name in ascending order.
        0:000> dv /n
        authErrCode = 0x0012aae4
     bRegisteredVer = false
               file = class QFile
             length = 0n0
            license = class CLicense
       qstrAuthCode = class QString
               this = 0x001ed8c8
9. /N: sorts the output by name in descending order.
        0:000> dv /N
               this = 0x001ed8c8
       qstrAuthCode = class QString
            license = class CLicense
             length = 0n0
               file = class QFile
     bRegisteredVer = false
        authErrCode = 0x0012aae4
10. /z: sorts the output by size in ascending order.
        0:000> dv /z
     bRegisteredVer = false
               this = 0x001ed8c8
       qstrAuthCode = class QString
        authErrCode = 0x0012aae4
             length = 0n0
               file = class QFile
            license = class CLicense
11. /Z: sorts the output by size in descending order.
        0:000> dv /Z
            license = class CLicense
             length = 0n0
               file = class QFile
               this = 0x001ed8c8
       qstrAuthCode = class QString
        authErrCode = 0x0012aae4
     bRegisteredVer = false
1. To modify a local variable's value, open the Watch window and double-click the Name column to enter the variable name,
   then double-click the Value column, clear the old contents and type the new value. Clicking "Typecast" shows the variable's type,
   and clicking Locations shows the variable's address
1. dt: display a structure
 
2. da: display as an ASCII string
    0:000> da 0012aa00
    0012aa00  "ie"
 
3. db: display as bytes with ASCII characters
    0:000> db 0012aa00
    0012aa00  69 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00  ie..............
    0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g
    0012aa20  00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00  ..;.6.....;.....
    0012aa30  04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01  .......e.q......
    0012aa40  00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00  ..;...;...,.....
    0012aa50  90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
    0012aa60  00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb  ..;.....ej.e....
    0012aa70  f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00  ................
 
4. dc: display as 4-byte values with ASCII characters
    0:000> dc 0012aa00
    0012aa00  00006569 00000000 00a9f7fb 00150000  ie..............
    0012aa10  00000000 033b1900 0012aafc 6702c3c3  ......;........g
    0012aa20  033b1900 00001436 033b1900 00000002  ..;.6.....;.....
    0012aa30  00000004 6516feef 01fd71f0 01b81d90  .......e.q......
    0012aa40  033b1900 033b1900 102ccad8 0000011f  ..;...;...,.....
    0012aa50  01b81b90 ffffffff 00000000 00000000  ................
    0012aa60  033b1900 00000000 65106a65 fb93c5d2  ..;.....ej.e....
    0012aa70  0012aaf0 0080b9e9 00000000 0012aafc  ................
 
5. dd: display as 4-byte values
    0:000> dd 0012aa00
    0012aa00  00006569 00000000 00a9f7fb 00150000
    0012aa10  00000000 033b1900 0012aafc 6702c3c3
    0012aa20  033b1900 00001436 033b1900 00000002
    0012aa30  00000004 6516feef 01fd71f0 01b81d90
    0012aa40  033b1900 033b1900 102ccad8 0000011f
    0012aa50  01b81b90 ffffffff 00000000 00000000
    0012aa60  033b1900 00000000 65106a65 fb93c5d2
    0012aa70  0012aaf0 0080b9e9 00000000 0012aafc
 
6. dD: display as double-precision floating-point values (8 bytes)
    0:000> dD 0012aa00
    0012aa00      1.28264382317e-319     2.92040944479e-308     4.24283322552e-293
    0012aa18      1.63293462903e+188     1.09792330031e-310     4.27077224821e-314
    0012aa30       9.3185129548e+178     2.25060988521e-300     4.24283325567e-293
    0012aa48       6.0914686708e-312               -1.#QNAN                      0
    0012aa60      2.67806662793e-316    -1.88175367138e+287     2.97736448613e-306
 
7. df: display as single-precision floating-point values (4 bytes)
    0:000> df 0012aa00
    0012aa00    3.6379109e-041                0   1.5609157e-038   1.9285454e-039
    0012aa10                 0   5.4983059e-037   1.7143766e-039   6.1751881e+023
    0012aa20    5.4983059e-037   7.2503183e-042   5.4983059e-037   2.8025969e-045
    0012aa30    5.6051939e-045   4.4566104e+022   9.3101014e-038   6.7633345e-038
 
8. dp: display as pointer-sized values (4 bytes on a 32-bit target, 8 bytes on a 64-bit target); on this 32-bit target the layout is the same as dd
    0:000> dp 0012aa00
    0012aa00  00006569 00000000 00a9f7fb 00150000
    0012aa10  00000000 033b1900 0012aafc 6702c3c3
    0012aa20  033b1900 00001436 033b1900 00000002
    0012aa30  00000004 6516feef 01fd71f0 01b81d90
    0012aa40  033b1900 033b1900 102ccad8 0000011f
    0012aa50  01b81b90 ffffffff 00000000 00000000
    0012aa60  033b1900 00000000 65106a65 fb93c5d2
    0012aa70  0012aaf0 0080b9e9 00000000 0012aafc
 
9. dq: display as 8-byte values
    0:000> dq 0012aa00
    0012aa00  00000000`00006569 00150000`00a9f7fb
    0012aa10  033b1900`00000000 6702c3c3`0012aafc
    0012aa20  00001436`033b1900 00000002`033b1900
    0012aa30  6516feef`00000004 01b81d90`01fd71f0
    0012aa40  033b1900`033b1900 0000011f`102ccad8
    0012aa50  ffffffff`01b81b90 00000000`00000000
    0012aa60  00000000`033b1900 fb93c5d2`65106a65
    0012aa70  0080b9e9`0012aaf0 0012aafc`00000000
 
10. du: display as a Unicode string.
    0:000> du 0012aa00
    0012aa00  "敩"
 
11. dw: display as 2-byte values
    0:000> dw 0012aa00
    0012aa00  6569 0000 0000 0000 f7fb 00a9 0000 0015
    0012aa10  0000 0000 1900 033b aafc 0012 c3c3 6702
    0012aa20  1900 033b 1436 0000 1900 033b 0002 0000
    0012aa30  0004 0000 feef 6516 71f0 01fd 1d90 01b8
    0012aa40  1900 033b 1900 033b cad8 102c 011f 0000
    0012aa50  1b90 01b8 ffff ffff 0000 0000 0000 0000
    0012aa60  1900 033b 0000 0000 6a65 6510 c5d2 fb93
    0012aa70  aaf0 0012 b9e9 0080 0000 0000 aafc 0012
 
12. dW: display as 2-byte values with ASCII characters.
    0:000> dW 0012aa00
    0012aa00  6569 0000 0000 0000 f7fb 00a9 0000 0015  ie..............
    0012aa10  0000 0000 1900 033b aafc 0012 c3c3 6702  ......;........g
    0012aa20  1900 033b 1436 0000 1900 033b 0002 0000  ..;.6.....;.....
    0012aa30  0004 0000 feef 6516 71f0 01fd 1d90 01b8  .......e.q......
    0012aa40  1900 033b 1900 033b cad8 102c 011f 0000  ..;...;...,.....
    0012aa50  1b90 01b8 ffff ffff 0000 0000 0000 0000  ................
    0012aa60  1900 033b 0000 0000 6a65 6510 c5d2 fb93  ..;.....ej.e....
    0012aa70  aaf0 0012 b9e9 0080 0000 0000 aafc 0012  ................
 
13. dyb: display as bytes with their binary representation
    0:000> dyb 0012aa00
      76543210 76543210 76543210 76543210
      -------- -------- -------- --------
    0012aa00  01101001 01100101 00000000 00000000  69 65 00 00
    0012aa04  00000000 00000000 00000000 00000000  00 00 00 00
    0012aa08  11111011 11110111 10101001 00000000  fb f7 a9 00
    0012aa0c  00000000 00000000 00010101 00000000  00 00 15 00
    0012aa10  00000000 00000000 00000000 00000000  00 00 00 00
    0012aa14  00000000 00011001 00111011 00000011  00 19 3b 03
    0012aa18  11111100 10101010 00010010 00000000  fc aa 12 00
    0012aa1c  11000011 11000011 00000010 01100111  c3 c3 02 67
 
14. dyd: display as 4-byte values with their binary representation.
    0:000> dyd 0012aa00
           3          2          1          0
          10987654 32109876 54321098 76543210
          -------- -------- -------- --------
    0012aa00  00000000 00000000 01100101 01101001  00006569
    0012aa04  00000000 00000000 00000000 00000000  00000000
    0012aa08  00000000 10101001 11110111 11111011  00a9f7fb
    0012aa0c  00000000 00010101 00000000 00000000  00150000
    0012aa10  00000000 00000000 00000000 00000000  00000000
    0012aa14  00000011 00111011 00011001 00000000  033b1900
    0012aa18  00000000 00010010 10101010 11111100  0012aafc
    0012aa1c  01100111 00000010 11000011 11000011  6702c3c3
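The d* commands above all show the same bytes, differing only in how they group them and whether they decode them as text. The following Python script is an added example (it is not part of the original post and is not WinDbg code): it reproduces the line layout of db, dw, dW, dd, dc, dq, dp, da, du and dyb over a byte buffer so each formatter can be compared line by line with the transcripts above. The 128 bytes are transcribed from the post's own db 0012aa00 dump; the little-endian byte order, the 32-bit pointer size and the function names are assumptions of this example. The floating-point views (df, dD) are not reproduced because their exact rounding is debugger-specific.

```python
# Added example (not from the original post): reimplements the layout of
# WinDbg's d* display commands over a byte buffer, so you can see exactly how
# db / dw / dd / dq / dc / dW / da / du / dyb / dp carve up the same bytes.
# The 128 bytes below are transcribed from the post's `db 0012aa00` dump
# (constructed input); each formatter's lines can be compared with the
# transcripts above. Little-endian byte order, as on x86/x64, is assumed.
BASE = 0x0012AA00  # address shown in the post's dumps

MEM = bytes.fromhex(
    "69 65 00 00 00 00 00 00 fb f7 a9 00 00 00 15 00 "
    "00 00 00 00 00 19 3b 03 fc aa 12 00 c3 c3 02 67 "
    "00 19 3b 03 36 14 00 00 00 19 3b 03 02 00 00 00 "
    "04 00 00 00 ef fe 16 65 f0 71 fd 01 90 1d b8 01 "
    "00 19 3b 03 00 19 3b 03 d8 ca 2c 10 1f 01 00 00 "
    "90 1b b8 01 ff ff ff ff 00 00 00 00 00 00 00 00 "
    "00 19 3b 03 00 00 00 00 65 6a 10 65 d2 c5 93 fb "
    "f0 aa 12 00 e9 b9 80 00 00 00 00 00 fc aa 12 00 "
)


def ascii_col(chunk):
    """WinDbg's right-hand column: printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def db(mem, base=BASE):
    """db: 16 bytes per line, a dash between the two 8-byte halves, then ASCII."""
    lines = []
    for off in range(0, len(mem), 16):
        chunk = mem[off:off + 16]
        left = " ".join("%02x" % b for b in chunk[:8])
        right = " ".join("%02x" % b for b in chunk[8:])
        lines.append("%08x  %s-%s  %s" % (base + off, left, right, ascii_col(chunk)))
    return lines


def d_units(mem, base, width, show_ascii):
    """Shared layout of dw/dW/dd/dc/dq/dp: 16 bytes per line, split into
    little-endian units of `width` bytes; dq prints each 8-byte unit as hi`lo."""
    lines = []
    for off in range(0, len(mem), 16):
        chunk = mem[off:off + 16]
        units = [int.from_bytes(chunk[i:i + width], "little")
                 for i in range(0, len(chunk), width)]
        if width == 8:
            cells = ["%08x`%08x" % (u >> 32, u & 0xFFFFFFFF) for u in units]
        else:
            cells = ["%0*x" % (2 * width, u) for u in units]
        line = "%08x  %s" % (base + off, " ".join(cells))
        if show_ascii:
            line += "  " + ascii_col(chunk)
        lines.append(line)
    return lines


def dw(mem, base=BASE): return d_units(mem, base, 2, False)
def dW(mem, base=BASE): return d_units(mem, base, 2, True)
def dd(mem, base=BASE): return d_units(mem, base, 4, False)
def dc(mem, base=BASE): return d_units(mem, base, 4, True)
def dq(mem, base=BASE): return d_units(mem, base, 8, False)


def dp(mem, base=BASE, pointer_size=4):
    """dp: pointer-sized units; 4 on the post's 32-bit target (same as dd), 8 on x64."""
    return d_units(mem, base, pointer_size, False)


def da(mem, base=BASE):
    """da: bytes up to the first NUL, shown as an ASCII string."""
    end = mem.find(b"\x00")
    text = mem[:end if end >= 0 else len(mem)].decode("latin-1")
    return '%08x  "%s"' % (base, text)


def du(mem, base=BASE):
    """du: UTF-16LE code units up to the first 0x0000; bytes 69 65 become U+6569."""
    chars = []
    for i in range(0, len(mem) - 1, 2):
        unit = int.from_bytes(mem[i:i + 2], "little")
        if unit == 0:
            break
        chars.append(chr(unit))
    return '%08x  "%s"' % (base, "".join(chars))


def dyb(mem, base=BASE, nbytes=32):
    """dyb body lines: 4 bytes per line, each as 8 bits, followed by the raw hex."""
    lines = []
    for off in range(0, min(nbytes, len(mem)), 4):
        chunk = mem[off:off + 4]
        bits = " ".join(format(b, "08b") for b in chunk)
        raw = " ".join("%02x" % b for b in chunk)
        lines.append("%08x  %s  %s" % (base + off, bits, raw))
    return lines


if __name__ == "__main__":
    for line in db(MEM) + dd(MEM) + dq(MEM) + [da(MEM), du(MEM)] + dyb(MEM):
        print(line)
```

Running the script prints the same lines the post shows for db, dd, dq, da, du and dyb; the du result is the single character U+6569 because the first two bytes 69 65 are read as one little-endian UTF-16 code unit, which is why a byte string viewed as Unicode looks like CJK text.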
e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza, ezu (Enter Values)
The e* commands enter the values you specify into memory. Do not confuse this command with the ~e (Thread-Specific Command) qualifier.
 
e{b|d|D|f|p|q|w} Address [Values]
e{a|u|za|zu} Address "String"
e Address [Values]
Parameters:
Address
Specifies the starting address at which to enter values. The debugger replaces the value at Address and at each subsequent memory location until all values have been used.
Values
Specifies one or more values to enter into memory. Multiple numeric values are separated by spaces. If no values are specified, the current address and its value are displayed and you are prompted for input.
String
Specifies the string to enter into memory. The ea and eza commands write it as an ASCII string; the eu and ezu commands write it as a Unicode string. eza and ezu write a terminating null; ea and eu do not. The string must be enclosed in quotation marks.
 
1. eb    Byte values.
    0:000> eb 0012aa00 56
    0:000> db 0012aa00
    0012aa00  56 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00  Ve..............
    0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g
    0012aa20  00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00  ..;.6.....;.....
    0012aa30  04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01  .......e.q......
    0012aa40  00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00  ..;...;...,.....
    0012aa50  90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
    0012aa60  00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb  ..;.....ej.e....
    0012aa70  f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00  ................
 
2. ed    Doubleword values (4 bytes).
    0:000> ed 0012aa00 12345678
    0:000> dd 0012aa00
    0012aa00  12345678 00000000 00a9f7fb 00150000
    0012aa10  00000000 033b1900 0012aafc 6702c3c3
    0012aa20  033b1900 00001436 033b1900 00000002
    0012aa30  00000004 6516feef 01fd71f0 01b81d90
    0012aa40  033b1900 033b1900 102ccad8 0000011f
    0012aa50  01b81b90 ffffffff 00000000 00000000
    0012aa60  033b1900 00000000 65106a65 fb93c5d2
    0012aa70  0012aaf0 0080b9e9 00000000 0012aafc
 
3. eD    Double-precision floating-point values (8 bytes).
    0:000> eD 0012aa00 3.1415926
    0:000> dD 0012aa00
    0012aa00               3.1415926     2.92040944479e-308     4.24283322552e-293
    0012aa18      1.63293462903e+188     1.09792330031e-310     4.27077224821e-314
    0012aa30       9.3185129548e+178     2.25060988521e-300     4.24283325567e-293
    0012aa48       6.0914686708e-312               -1.#QNAN                      0
    0012aa60      2.67806662793e-316    -1.88175367138e+287     2.97736448613e-306
 
4. ef    Single-precision floating-point values (4 bytes).
    0:000> ef 0012aa00 6.28
    0:000> df 0012aa00
    0012aa00         6.2800002         2.142699   1.5609157e-038   1.9285454e-039
    0012aa10                 0   5.4983059e-037   1.7143766e-039   6.1751881e+023
    0012aa20    5.4983059e-037   7.2503183e-042   5.4983059e-037   2.8025969e-045
    0012aa30    5.6051939e-045   4.4566104e+022   9.3101014e-038   6.7633345e-038
 
5. ep    Pointer-sized values. This command is equivalent to ed or eq, depending on whether the target machine's processor architecture is 32-bit or 64-bit.
    0:000> ep 0012aa00 98765432
    0:000> dp 0012aa00
    0012aa00  98765432 400921fb 00a9f7fb 00150000
    0012aa10  00000000 033b1900 0012aafc 6702c3c3
    0012aa20  033b1900 00001436 033b1900 00000002
    0012aa30  00000004 6516feef 01fd71f0 01b81d90
    0012aa40  033b1900 033b1900 102ccad8 0000011f
    0012aa50  01b81b90 ffffffff 00000000 00000000
    0012aa60  033b1900 00000000 65106a65 fb93c5d2
    0012aa70  0012aaf0 0080b9e9 00000000 0012aafc
 
6. eq    Quadword values (8 bytes); the syntax is eq Address [Values], as given above.
 
7. ew    Word values (2 bytes).
    0:000> ew 0012aa00 9999
    0:000> dw 0012aa00
    0012aa00  9999 0075 0061 0069 007a 0068 0069 0015
    0012aa10  0000 0000 1900 033b aafc 0012 c3c3 6702
    0012aa20  1900 033b 1436 0000 1900 033b 0002 0000
    0012aa30  0004 0000 feef 6516 71f0 01fd 1d90 01b8
    0012aa40  1900 033b 1900 033b cad8 102c 011f 0000
    0012aa50  1b90 01b8 ffff ffff 0000 0000 0000 0000
    0012aa60  1900 033b 0000 0000 6a65 6510 c5d2 fb93
    0012aa70  aaf0 0012 b9e9 0080 0000 0000 aafc 0012
 
8. ea    ASCII string (not NULL-terminated).
    0:000> ea 0012aa00 "jiahao"
    0:000> db 0012aa00
    0012aa00  6a 69 61 68 61 6f 6c 65-69 f7 a9 00 00 00 15 00  jiahaolei.......
    0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g
    0012aa20  00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00  ..;.6.....;.....
    0012aa30  04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01  .......e.q......
    0012aa40  00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00  ..;...;...,.....
    0012aa50  90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
    0012aa60  00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb  ..;.....ej.e....
    0012aa70  f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00  ................
 
9. eu    Unicode string (not NULL-terminated).
    0:000> eu 0012aa00 "huaizhi"
    0:000> du 0012aa00
    0012aa00  "huaizhi."
    0:000> db 0012aa00
    0012aa00  68 00 75 00 61 00 69 00-7a 00 68 00 69 00 15 00  h.u.a.i.z.h.i...
    0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g
    0012aa20  00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00  ..;.6.....;.....
    0012aa30  04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01  .......e.q......
    0012aa40  00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00  ..;...;...,.....
    0012aa50  90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
    0012aa60  00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb  ..;.....ej.e....
    0012aa70  f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00  ................
 
 
10. eza    NUL-terminated ASCII string. The 00 byte at 0012aa05 is the terminator that eza appends; everything after it is whatever was already there (here the tail of the previous eu write).
    0:000> eza 0012aa00 "china"
    0:000> db 0012aa00
    0012aa00  63 68 69 6e 61 00 69 00-7a 00 68 00 69 00 15 00  china.i.z.h.i...
    0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g
    0012aa20  00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00  ..;.6.....;.....
    0012aa30  04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01  .......e.q......
    0012aa40  00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00  ..;...;...,.....
    0012aa50  90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
    0012aa60  00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb  ..;.....ej.e....
    0012aa70  f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00  ................
 
11. ezu    NUL-terminated Unicode string (the misspelled "Enlish" is what was typed in the session). The 00 00 at 0012aa0c is the terminating word, so 14 bytes are written for 6 characters.
    0:000> ezu 0012aa00 "Enlish"
    0:000> db 0012aa00
    0012aa00  45 00 6e 00 6c 00 69 00-73 00 68 00 00 00 15 00  E.n.l.i.s.h.....
    0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g
    0012aa20  00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00  ..;.6.....;.....
    0012aa30  04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01  .......e.q......
    0012aa40  00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00  ..;...;...,.....
    0012aa50  90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00  ................
    0012aa60  00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb  ..;.....ej.e....
    0012aa70  f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00  ................
e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza, ezu (Enter Values)
The e* commands write the values you specify into target memory. Do not confuse them with the ~e (thread-specific command) qualifier.

e{b|d|D|f|p|q|w} Address [Values]
e{a|u|za|zu} Address "String"
e Address [Values]
Parameters:
Address
Start address at which to enter values. The debugger overwrites the value at Address and at each following location until all Values are consumed.
Values
One or more values to store, separated by spaces. Integers are parsed in the current radix (hexadecimal unless changed with n), which is why ed 0012aa00 12345678 above stores 0x12345678; eD and ef take decimal floating-point literals. If no value is given, the debugger shows the current address and its contents and prompts for input.
String
String to store. ea and eza write it as ASCII; eu and ezu write it as Unicode (UTF-16LE, two bytes per character). eza and ezu append a terminating NUL; ea and eu do not, so a later da/du on that address runs on into whatever bytes follow. The string must be enclosed in double quotes.
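Added example (Python, not from the original post or from WinDbg): the dump lines that db, dw and dd print are easy to misread by eye, especially the terminator that separates ea/eu from eza/ezu above. The script below decodes dump lines copied from the transcripts back into bytes, reconstructs what each string-entry command writes, and reproduces what du shows afterwards. It assumes a 32-bit target (dp/ep values are 4 bytes); the sample lines are constructed from the session output above.

```python
"""Added example (not from the original post): decode WinDbg dump lines
(db / dw / dd output) back into bytes and compare them with the byte layout
the e{a,u,za,zu} string commands are documented to write. Sample lines are
copied from the transcripts above. Assumption: 32-bit target, so dp/ep values
are 4 bytes (they are 8 bytes on a 64-bit target)."""
import re

# Hex run at the start of a db line; the match stops before the ASCII column.
HEX_RUN = re.compile(r"^((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})", re.I)

# What each string-entry command writes, per the command reference.
STRING_ENCODINGS = {
    "ea":  lambda s: s.encode("ascii"),                    # no terminator
    "eza": lambda s: s.encode("ascii") + b"\x00",          # one NUL byte
    "eu":  lambda s: s.encode("utf-16-le"),                # no terminator
    "ezu": lambda s: s.encode("utf-16-le") + b"\x00\x00",  # one NUL word
}


def string_bytes(cmd: str, text: str) -> bytes:
    """Bytes that `<cmd> Address "<text>"` stores, for cmd in ea/eza/eu/ezu."""
    return STRING_ENCODINGS[cmd](text)


def parse_dump(lines, width: int) -> bytes:
    """Bytes shown by db (width=1), dw (2) or dd / dp-on-x86 (4) lines.

    Each line is `address  value value ...`; db lines also carry a '-' after
    the eighth byte and a trailing ASCII column, both of which are dropped.
    Multi-byte values are printed as little-endian integers.
    """
    out = bytearray()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _addr, rest = line.split(None, 1)
        if width == 1:
            out += bytes.fromhex(HEX_RUN.match(rest).group(1).replace("-", " "))
        else:
            for tok in rest.split():
                out += int(tok, 16).to_bytes(width, "little")
    return bytes(out)


def display_string(buf: bytes, width: int) -> str:
    """What da (width=1) / du (width=2) print: units up to the first NUL,
    non-printable units shown as '.'."""
    chars = []
    for i in range(0, len(buf) - width + 1, width):
        unit = int.from_bytes(buf[i:i + width], "little")
        if unit == 0:
            break
        chars.append(chr(unit) if 0x20 <= unit < 0x7F else ".")
    return "".join(chars)


def check_string_write(cmd: str, text: str, db_lines) -> bool:
    """True if the dump begins with exactly the bytes the command writes."""
    expect = string_bytes(cmd, text)
    return parse_dump(db_lines, 1)[:len(expect)] == expect


# Constructed samples: dump lines copied from the transcripts above.
DB_AFTER_EU = [
    "0012aa00  68 00 75 00 61 00 69 00-7a 00 68 00 69 00 15 00  h.u.a.i.z.h.i...",
    "0012aa10  00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67  ......;........g",
]
DB_AFTER_EZA = ["0012aa00  63 68 69 6e 61 00 69 00-7a 00 68 00 69 00 15 00  china.i.z.h.i..."]
DB_AFTER_EZU = ["0012aa00  45 00 6e 00 6c 00 69 00-73 00 68 00 00 00 15 00  E.n.l.i.s.h....."]
DB_AFTER_EB = ["0012aa00  56 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00  Ve.............."]
DD_AFTER_ED = ["0012aa00  12345678 00000000 00a9f7fb 00150000"]

if __name__ == "__main__":
    for cmd, text, lines in [("eu", "huaizhi", DB_AFTER_EU),
                             ("eza", "china", DB_AFTER_EZA),
                             ("ezu", "Enlish", DB_AFTER_EZU)]:
        print(f'{cmd} "{text}" layout matches the dump:', check_string_write(cmd, text, lines))
    # eu wrote no terminator, so du runs on into the leftover 0x0015 word.
    print("du after eu:", repr(display_string(parse_dump(DB_AFTER_EU, 1), 2)))
    # ed stores little-endian: 12345678 lands in memory as 78 56 34 12.
    print("ed 12345678 as bytes:", parse_dump(DD_AFTER_ED, 4)[:4].hex())
```

The last line is the point that bites people who patch values by hand: the dd line shows the dword as 12345678, but the db line of the same memory shows 78 56 34 12, so a byte-level patch with eb has to be written in reverse order.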
 
 
1. List all loaded modules: lm
   The bracketed column tells you what symbol information each module has: (export symbols) means only the DLL's export table is available, so addresses in that module resolve to the nearest export plus an offset and nothing more; (private pdb symbols) means a matching PDB with full type and source-line information was loaded.
    0:000> lm
    start    end        module name
    003c0000 003d3000   VCRUNTIME140   (export symbols)       C:\Program Files\RSAWinGuard\VCRUNTIME140.dll
    003e0000 003e4000   api_ms_win_crt_runtime_l1_1_0   (export symbols)       C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll
    003f0000 003f3000   api_ms_win_core_string_l1_1_0   (export symbols)       C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll
    00400000 009f4000   standAloneWinGuard C (private pdb symbols)  c:\pdb\standAloneWinGuard.pdb
    00a00000 00a6f000   MSVCP140   (export symbols)       C:\Program Files\RSAWinGuard\MSVCP140.dll
2. Show details of one module: lmvm ModuleName
   lmvm prints the image timestamp and size that the symbol server uses to locate the right binary, the PDB that was matched, and the file paths. CheckSum 00000000 here means the PE header checksum was never filled in at link time.
    0:000> lmvm standAloneWinGuard
    start    end        module name
    00400000 009f4000   standAloneWinGuard C (private pdb symbols)  c:\pdb\standAloneWinGuard.pdb
        Loaded symbol image file: C:\Program Files\RSAWinGuard\standAloneWinGuard.exe
        Image path: standAloneWinGuard.exe
        Image name: standAloneWinGuard.exe
        Timestamp:        Thu Mar 11 14:11:27 2021 (6049B48F)
        CheckSum:         00000000
        ImageSize:        005F4000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Call stack with the first three stack arguments of each frame: kb
0:000> kb
ChildEBP RetAddr  Args to Child             
0012aa7c 00532012 0336ab30 0012aae4 fb93c552 standAloneWinGuard!CUIAuthMgr::Authorize+0xe5 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\uiauthmgr.cpp @ 95]
0012aafc 00577527 00000000 fb93a27d 0012ab54 standAloneWinGuard!CMainWnd::handle_pushButton_authorize_click+0xf2 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\mainwnd.cpp @ 2784]
0012ab5c 6718364f 0012d4d0 00000000 00000051 standAloneWinGuard!CMainWnd::qt_static_metacall+0xa27 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\release\moc\moc_mainwnd.cpp @ 639]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012abec 6718382e 01b82978 00000000 6745b4d0 Qt5Core!QMetaObject::activate+0x50f
0012ac00 650bfa90 01b82978 652c6074 00000002 Qt5Core!QMetaObject::activate+0x1e
0012ac2c 650bf9f8 0012afc8 0012afc8 01b829a8 Qt5Widgets!QAbstractButton::clicked+0x80
00000000 00000000 00000000 00000000 00000000 Qt5Widgets!QAbstractButton::click+0x158

The WARNING line is the point where the debugger ran out of unwind information: the three standAloneWinGuard frames above it come from private PDB symbols and carry file and line numbers, while the Qt5Core/Qt5Widgets frames below it resolve only to an exported name plus a large offset, so they were reconstructed by guessing and may be wrong; the final frame with ChildEBP 00000000 shows the walk has run out of frames. Also note that the "Args to Child" columns are simply the first three DWORDs above the return address on the stack: they are the real parameters only for functions that pass arguments on the stack (cdecl/stdcall), not for thiscall or fastcall, where ecx/edx carry the first arguments.
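Added example (Python, not from the original post) that covers both the lm listing and the kb stack above: it parses lm into a module table and kb into frames, then records why a frame should not be trusted: it sits below the unwind warning, its ChildEBP is not higher than the previous frame's (the stack grows down, so callers live at higher addresses), or its module had no private PDB symbols in the listing. The sample text is copied from the transcripts; the lm excerpt is the short one shown, so the Qt5 modules are reported as absent from it rather than as export-only.

```python
"""Added example (not from the original post): parse `lm` and `kb` output and
record why a stack frame should not be trusted (below the unwind warning,
ChildEBP not above the previous frame, or module without private PDB symbols).
Samples are copied from the lm and kb transcripts above."""
import re
from dataclasses import dataclass, field
from typing import Optional

LM_LINE = re.compile(r"^([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s+(?:([A-Z#]+)\s+)?\(([^)]*)\)\s*(.*)$", re.I)
KB_LINE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ((?:[0-9a-f]{8} ){3})(\S+)(?: \[(.*) @ (\d+)\])?\s*$", re.I)


@dataclass
class Module:
    start: int
    end: int
    name: str
    flags: str     # letters lm prints after the name, e.g. "C"
    symbols: str   # "export symbols", "private pdb symbols", ...
    path: str


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple    # "Args to Child": the three dwords above the return address
    module: str
    symbol: str
    source: Optional[str]
    symbols: Optional[str] = None
    reasons: list = field(default_factory=list)   # empty means trusted


def parse_lm(text: str) -> dict:
    mods = {}
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if m:
            start, end, name, flags, syms, path = m.groups()
            mods[name.lower()] = Module(int(start, 16), int(end, 16), name, flags or "", syms, path.strip())
    return mods


def parse_kb(text: str) -> list:
    frames, after_warning, prev_ebp = [], False, -1
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("WARNING: Stack unwind information not available"):
            after_warning = True
        m = KB_LINE.match(line)
        if not m:
            continue                                  # header, warning, blank
        ebp, ret, args, sym, src, srcline = m.groups()
        module, _, name = sym.partition("!")
        f = Frame(int(ebp, 16), int(ret, 16), tuple(int(a, 16) for a in args.split()),
                  module, name, f"{src} @ {srcline}" if src else None)
        if after_warning:
            f.reasons.append("below unwind warning")
        if f.child_ebp <= prev_ebp:
            f.reasons.append("ChildEBP not above previous frame")
        prev_ebp = f.child_ebp
        frames.append(f)
    return frames


def rate_frames(kb_text: str, lm_text: str) -> list:
    mods = parse_lm(lm_text)
    frames = parse_kb(kb_text)
    for f in frames:
        mod = mods.get(f.module.lower())
        if mod is None:
            f.reasons.append("module not in lm listing")
        else:
            f.symbols = mod.symbols
            if "private pdb" not in mod.symbols:
                f.reasons.append(f"only {mod.symbols}")
    return frames


# Constructed samples: lines copied from the lm and kb transcripts above.
LM_SAMPLE = r"""
start    end        module name
003c0000 003d3000   VCRUNTIME140   (export symbols)       C:\Program Files\RSAWinGuard\VCRUNTIME140.dll
003e0000 003e4000   api_ms_win_crt_runtime_l1_1_0   (export symbols)       C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll
003f0000 003f3000   api_ms_win_core_string_l1_1_0   (export symbols)       C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll
00400000 009f4000   standAloneWinGuard C (private pdb symbols)  c:\pdb\standAloneWinGuard.pdb
00a00000 00a6f000   MSVCP140   (export symbols)       C:\Program Files\RSAWinGuard\MSVCP140.dll
"""
KB_SAMPLE = r"""
ChildEBP RetAddr  Args to Child
0012aa7c 00532012 0336ab30 0012aae4 fb93c552 standAloneWinGuard!CUIAuthMgr::Authorize+0xe5 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\uiauthmgr.cpp @ 95]
0012aafc 00577527 00000000 fb93a27d 0012ab54 standAloneWinGuard!CMainWnd::handle_pushButton_authorize_click+0xf2 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\mainwnd.cpp @ 2784]
0012ab5c 6718364f 0012d4d0 00000000 00000051 standAloneWinGuard!CMainWnd::qt_static_metacall+0xa27 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\release\moc\moc_mainwnd.cpp @ 639]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012abec 6718382e 01b82978 00000000 6745b4d0 Qt5Core!QMetaObject::activate+0x50f
0012ac00 650bfa90 01b82978 652c6074 00000002 Qt5Core!QMetaObject::activate+0x1e
0012ac2c 650bf9f8 0012afc8 0012afc8 01b829a8 Qt5Widgets!QAbstractButton::clicked+0x80
00000000 00000000 00000000 00000000 00000000 Qt5Widgets!QAbstractButton::click+0x158
"""

if __name__ == "__main__":
    for f in rate_frames(KB_SAMPLE, LM_SAMPLE):
        print(f"{f.child_ebp:08x} {f.module}!{f.symbol}:", "trusted" if not f.reasons else "; ".join(f.reasons))
```

Run on the sample, the three standAloneWinGuard frames come out clean and every frame below the warning carries at least one reason; the last frame also fails the ChildEBP check, which is the same signal the zeroed columns give by eye.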
    u        dis​assemble forward from an address
    ub       disassemble backward from an address (heuristic on x86: instructions are variable-length, so ub can start in the middle of one; prefer a known function start when you need an exact listing)
    uf       disassemble a whole function, split into its basic blocks
    a        assemble instructions and write them into memory
1. uf Module!Function
        0: kd> uf tcpip!TcpPortPoolQueryLocalAddressFunction
        tcpip!TcpPortPoolQueryLocalAddressFunction:
        89c3c012 8bff            mov     edi,edi
        89c3c014 55              push    ebp
        89c3c015 8bec            mov     ebp,esp
        89c3c017 80fa01          cmp     dl,1
        89c3c01a 7437            je      tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053)  Branch
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0xa:
        89c3c01c 80fa02          cmp     dl,2
        89c3c01f 7532            jne     tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053)  Branch
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0xf:
        89c3c021 668b41fc        mov     ax,word ptr [ecx-4]
        89c3c025 8b5508          mov     edx,dword ptr [ebp+8]
        89c3c028 668902          mov     word ptr [edx],ax
        89c3c02b 8b81a0feffff    mov     eax,dword ptr [ecx-160h]
        89c3c031 8b00            mov     eax,dword ptr [eax]
        89c3c033 8b4008          mov     eax,dword ptr [eax+8]
        89c3c036 8b00            mov     eax,dword ptr [eax]
        89c3c038 8b550c          mov     edx,dword ptr [ebp+0Ch]
        89c3c03b 8902            mov     dword ptr [edx],eax
        89c3c03d f681ccfeffff20  test    byte ptr [ecx-134h],20h
        89c3c044 7526            jne     tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a (89c3c06c)  Branch
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0x34:
        89c3c046 8b81a0feffff    mov     eax,dword ptr [ecx-160h]
        89c3c04c 8b00            mov     eax,dword ptr [eax]
        89c3c04e 8b400c          mov     eax,dword ptr [eax+0Ch]
        89c3c051 eb20            jmp     tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073)  Branch
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0x41:
        89c3c053 668b41fc        mov     ax,word ptr [ecx-4]
        89c3c057 8b5508          mov     edx,dword ptr [ebp+8]
        89c3c05a 668902          mov     word ptr [edx],ax
        89c3c05d 8b41f0          mov     eax,dword ptr [ecx-10h]
        89c3c060 8b550c          mov     edx,dword ptr [ebp+0Ch]
        89c3c063 8902            mov     dword ptr [edx],eax
        89c3c065 8b49f4          mov     ecx,dword ptr [ecx-0Ch]
        89c3c068 85c9            test    ecx,ecx
        89c3c06a 7504            jne     tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e (89c3c070)  Branch
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a:
        89c3c06c 33c0            xor     eax,eax
        89c3c06e eb03            jmp     tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073)  Branch
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e:
        89c3c070 8b410c          mov     eax,dword ptr [ecx+0Ch]
 
        tcpip!TcpPortPoolQueryLocalAddressFunction+0x61:
        89c3c073 5d              pop     ebp
        89c3c074 c20800          ret     8
 
2. u InstructionAddress
    0: kd> u 89c77510
    tcpip!EnumerateAndReferenceEndpointInAssignment+0x43:
    89c77510 eb0a            jmp     tcpip!EnumerateAndReferenceEndpointInAssignment+0x4f (89c7751c)
    89c77512 83651000        and     dword ptr [ebp+10h],0
    89c77516 83651c00        and     dword ptr [ebp+1Ch],0
    89c7751a 33c0            xor     eax,eax
    89c7751c 83f8ff          cmp     eax,0FFFFFFFFh
    89c7751f 7444            je      tcpip!EnumerateAndReferenceEndpointInAssignment+0x98 (89c77565)
    89c77521 8b4d1c          mov     ecx,dword ptr [ebp+1Ch]
    89c77524 85c9            test    ecx,ecx
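Added example (Python, not from the original post or from the WinDbg tool set): uf already splits the function into labelled blocks and marks taken branches with "Branch", which is enough to rebuild the control-flow graph without running a disassembler. The script parses the tcpip!TcpPortPoolQueryLocalAddressFunction listing above (copied verbatim, blank lines removed) into blocks, derives taken and fall-through edges, reads the stack cleanup from the ret 8 epilogue, and emits Graphviz DOT.

```python
"""Added example (not from the original post): rebuild a function's basic-block
graph from WinDbg `uf` output. Each `module!func+0xNN:` line opens a block; a j*
instruction whose target is printed as `(address)` supplies the taken edge, and
a block that does not end in jmp/ret falls through into the next block listed."""
import re
from dataclasses import dataclass, field

LABEL = re.compile(r"^(\S+):$")                                        # block header
INSN = re.compile(r"^([0-9a-f`]+)\s+[0-9a-f]+\s+(\S+)\s*(.*)$", re.I)  # addr bytes mnemonic operands
TARGET = re.compile(r"\(([0-9a-f`]+)\)")                               # "(89c3c053)" after a branch


@dataclass
class Block:
    label: str
    insns: list = field(default_factory=list)       # (address, mnemonic, operands)
    successors: list = field(default_factory=list)  # start addresses of following blocks

    @property
    def start(self) -> int:
        return self.insns[0][0]


def parse_uf(text: str) -> list:
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := LABEL.match(line)):
            cur = Block(m.group(1))
            blocks.append(cur)
        elif cur is not None and (m := INSN.match(line)):
            addr, mnem, ops = m.groups()
            cur.insns.append((int(addr.replace("`", ""), 16), mnem.lower(), ops))
    for i, b in enumerate(blocks):
        _, mnem, ops = b.insns[-1]
        t = TARGET.search(ops)
        if mnem.startswith("j") and t:                 # taken edge of jmp / jcc
            b.successors.append(int(t.group(1).replace("`", ""), 16))
        if mnem != "jmp" and not mnem.startswith("ret") and i + 1 < len(blocks):
            b.successors.append(blocks[i + 1].start)   # fall-through edge
    return blocks


def callee_cleanup_bytes(blocks):
    """Operand of `ret N`: stack bytes the callee pops (8 here = two stdcall args)."""
    for b in blocks:
        for _, mnem, ops in b.insns:
            if mnem == "ret":
                return int(ops.rstrip("h") or "0", 16)


def to_dot(blocks) -> str:
    """Graphviz DOT of the block graph, one edge per successor."""
    name = {b.start: b.label for b in blocks}
    edges = [f'  "{b.label}" -> "{name.get(s, hex(s))}";' for b in blocks for s in b.successors]
    return "digraph cfg {\n" + "\n".join(edges) + "\n}"


# Constructed sample: the uf listing above with its blank lines removed.
UF_SAMPLE = """
tcpip!TcpPortPoolQueryLocalAddressFunction:
89c3c012 8bff            mov     edi,edi
89c3c014 55              push    ebp
89c3c015 8bec            mov     ebp,esp
89c3c017 80fa01          cmp     dl,1
89c3c01a 7437            je      tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053)  Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0xa:
89c3c01c 80fa02          cmp     dl,2
89c3c01f 7532            jne     tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053)  Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0xf:
89c3c021 668b41fc        mov     ax,word ptr [ecx-4]
89c3c025 8b5508          mov     edx,dword ptr [ebp+8]
89c3c028 668902          mov     word ptr [edx],ax
89c3c02b 8b81a0feffff    mov     eax,dword ptr [ecx-160h]
89c3c031 8b00            mov     eax,dword ptr [eax]
89c3c033 8b4008          mov     eax,dword ptr [eax+8]
89c3c036 8b00            mov     eax,dword ptr [eax]
89c3c038 8b550c          mov     edx,dword ptr [ebp+0Ch]
89c3c03b 8902            mov     dword ptr [edx],eax
89c3c03d f681ccfeffff20  test    byte ptr [ecx-134h],20h
89c3c044 7526            jne     tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a (89c3c06c)  Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x34:
89c3c046 8b81a0feffff    mov     eax,dword ptr [ecx-160h]
89c3c04c 8b00            mov     eax,dword ptr [eax]
89c3c04e 8b400c          mov     eax,dword ptr [eax+0Ch]
89c3c051 eb20            jmp     tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073)  Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x41:
89c3c053 668b41fc        mov     ax,word ptr [ecx-4]
89c3c057 8b5508          mov     edx,dword ptr [ebp+8]
89c3c05a 668902          mov     word ptr [edx],ax
89c3c05d 8b41f0          mov     eax,dword ptr [ecx-10h]
89c3c060 8b550c          mov     edx,dword ptr [ebp+0Ch]
89c3c063 8902            mov     dword ptr [edx],eax
89c3c065 8b49f4          mov     ecx,dword ptr [ecx-0Ch]
89c3c068 85c9            test    ecx,ecx
89c3c06a 7504            jne     tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e (89c3c070)  Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a:
89c3c06c 33c0            xor     eax,eax
89c3c06e eb03            jmp     tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073)  Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e:
89c3c070 8b410c          mov     eax,dword ptr [ecx+0Ch]
tcpip!TcpPortPoolQueryLocalAddressFunction+0x61:
89c3c073 5d              pop     ebp
89c3c074 c20800          ret     8
"""

if __name__ == "__main__":
    print(to_dot(parse_uf(UF_SAMPLE)))
```

For this listing the graph has eight blocks and eleven edges, every path ends in the single ret block, and the ret 8 tells you the function cleans up two stack arguments itself (stdcall), with the remaining inputs arriving in ecx and edx as the first instructions show.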

Last edited by sanganlei on 2022-8-31 11:07; reason:
Latest replies (6)
2
Thanks for sharing.
2021-11-17 11:46
3
You're welcome.
2021-11-27 22:41
4
Much appreciated.
2022-5-19 08:44
5
Thanks for sharing, I learned a lot.
2022-8-24 10:52
6
How do I set a conditional breakpoint? Lots of system processes on my machine keep calling it, so I used
bp ntsetinformationthread "j(process!=8000Xxxx)'';'g'"
I followed the tutorial and tested for a long time, but it still breaks in this process.
2022-8-31 03:02
7
Bookmarked; a well put-together summary.
2022-8-31 08:59