1、bp命令
是在某个地址下断点, 可以 bp 0x7783FEB 也可以 bp MyApp!SomeFunction 。 对于后者,WinDBG 会自动找到MyApp!SomeFunction 对应的地址并设置断点。 但是使用bp的问题在于:a)当代码修改之后,函数地址改变,该断点仍然保持在相同位置,不一定继续有效; b)WinDBG 不会把bp断点保存工作空间中 。
bp使方法如下:
0:000> bp standAloneWinGuard!CUIAuthMgr::SetLicenseErrCode
2、bu命令
是针对某个符号下断点。bu最重要的用途是对还未加载的模块下断点,例如loader32.dll还未被加载,你想在loader32.dll中下断点bu loader32!DllMain,当load32.dll被加载时,会命中你下的断点, 此外 bu MyApp!SomeFunction ,在代码被修改之后, 该断点可以随着函数地址改变而自动更新到最新位置。 而且bu 断点会保存在WinDbg工作空间中, 下次启动 Windbg 的时候该断点会自动设置上去。
还bu 可以对还不能识别的符号设置断点,当系统中有新模块加载进来时,调试器会对未定断点再次进行识别,如果找到了匹配的符号则会设置它。而bp 断点会失败(因为函数地址不存在),bu 断点则可以成功。 新版的WinDBG中 bp失败后会自动被转成bu
3、bm命令
也是针对符号 下断点。 但是它支持匹配表达式 。 很多时候你下好几个断点。 比如,把MyClass 所有的成员函数都下断点: bu MyApp!MyClass:: , 或者把所有以CreateWindow开头的函数都下断点: bu user32!CreateWindow 。
如果驱动开发,对驱动程序入口下断点可以用bm,不能用bp
kd> bm ranet!driverentry
4、ba命令
以上三个命令是对代码下断点, 我们还可以对数据下断点。就是针对数据 下断点的命令, 该断点在指定内存被访问时触发。 命令格式为
ba Access Size [地址]
Access 是访问的方式, 比如 e (执行), r (读/写), w (写)
Size 是监控访问的位置的大小,以字节为单位。 值为 1、2或4,还可以是 8(64位机)。
比如要对内存0x0483DFE进行写操作的时候下断点,可以用命令 ba w4 0x0483DFE
5、查看断点bl
0:000> bl
6、禁用断点
0:000> bd 1
7、启用断点
0:000> be 1
0:000> bl
8、清除断点
0:000> bc 1
0:000> bl
0:000> bc 2-4
0:000> bc 1
1、设置微软符号路径并下载全部微软符号
windbg符号设置:
srv*C:\Symbols*http://msdl.microsoft.com/download/symbols;F:\MyGitRepo\rst2\hamc\code\framework\agent_windows\installproject\pdb\20210926\x64
输入命令:!sym noisy
输入命令:.reload /f
2、强制加载某模块的符号(模块名称区分大小写,注意要加上模块扩展名)
.reload /f libqaxdecode.dll
.reload /f testHeapOverflow.exe
1、设置微软符号路径并下载全部微软符号
windbg符号设置:
srv*C:\Symbols*http://msdl.microsoft.com/download/symbols;F:\MyGitRepo\rst2\hamc\code\framework\agent_windows\installproject\pdb\20210926\x64
输入命令:!sym noisy
输入命令:.reload /f
2、强制加载某模块的符号(模块名称区分大小写,注意要加上模块扩展名)
.reload /f libqaxdecode.dll
.reload /f testHeapOverflow.exe
1、通过VirtualKD设置好双机联调环境
2、在驱动程序的入口点DriverEntry下断点,命令: bm ranet!driverentry
备注:一定要用bm延迟加载符号命令,不能用bp
1: kd> bm ranet!driverentry
1: fffff880`03c4bcdc @!"RaNet!DriverEntry"
1: kd> g
3、把驱动程序拷贝到虚拟机中,利用工具InstDrvx64 V1.03安装并启动驱动程序,此时会命中断点的入口处DriverEntry,输入kn查看调用堆栈
备注:
Breakpoint 1 hit
RaNet!DriverEntry:
fffff880`03c5bcdc 488bc4 mov rax,rsp
1: kd> kn
00 fffff880`045ec828 fffff880`03c65020 RaNet!DriverEntry [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 336]
01 fffff880`045ec830 fffff800`042978c6 RaNet!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmode\gs_support.c @ 117]
02 fffff880`045ec860 fffff800`04297cc5 nt!IopLoadDriver+0xa06
03 fffff880`045ecb30 fffff800`03ea628d nt!IopLoadUnloadDriver+0x55
04 fffff880`045ecb70 fffff800`0419c1a0 nt!ExpWorkerThread+0x111
05 fffff880`045ecc00 fffff800`03ef4ba6 nt!PspSystemThreadStartup+0x194
06 fffff880`045ecc40 00000000`00000000 nt!KiStartSystemThread+0x16
4、在卸载驱动程序的函数入口处下断点,并执行go指令,会成功命中断点;下断点命令: bm ranet!RaUnloadDriver
备注:函数RaUnloadDriver是指针DriverObject->DriverUnload指向的函数
1: kd> bm ranet!RaUnloadDriver
2: fffff880`03e3e800 @!"RaNet!RaUnloadDriver"
1: kd> bl
1 e Disable Clear fffff880`03e3dcdc 0001 (0001) RaNet!DriverEntry
2 e Disable Clear fffff880`03e3e800 0001 (0001) RaNet!RaUnloadDriver
1: kd> g
Breakpoint 2 hit
RaNet!RaUnloadDriver:
fffff880`03e3e800 48895c2408 mov qword ptr [rsp+8],rbx
0: kd> kp
00 fffff880`04708b28 fffff800`04245c8c RaNet!RaUnloadDriver(struct _DRIVER_OBJECT * DriverObject = 0xfffffa80`1b05ec10 Driver "\Driver\RaNet") [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 55]
01 fffff880`04708b30 fffff800`03e5428d nt!IopLoadUnloadDriver+0x1c
02 fffff880`04708b70 fffff800`0414a1a0 nt!ExpWorkerThread+0x111
03 fffff880`04708c00 fffff800`03ea2ba6 nt!PspSystemThreadStartup+0x194
04 fffff880`04708c40 00000000`00000000 nt!KiStartSystemThread+0x16
5、在你感兴趣的函数处下断点,并制造触发的条件,命令:bm 模块名!函数名,例如 bm ranet!GetNetDacRule,都可成功命令断点
1、通过VirtualKD设置好双机联调环境
2、在驱动程序的入口点DriverEntry下断点,命令: bm ranet!driverentry
备注:一定要用bm延迟加载符号命令,不能用bp
1: kd> bm ranet!driverentry
1: fffff880`03c4bcdc @!"RaNet!DriverEntry"
1: kd> g
3、把驱动程序拷贝到虚拟机中,利用工具InstDrvx64 V1.03安装并启动驱动程序,此时会命中断点的入口处DriverEntry,输入kn查看调用堆栈
备注:
Breakpoint 1 hit
RaNet!DriverEntry:
fffff880`03c5bcdc 488bc4 mov rax,rsp
1: kd> kn
00 fffff880`045ec828 fffff880`03c65020 RaNet!DriverEntry [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 336]
01 fffff880`045ec830 fffff800`042978c6 RaNet!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmode\gs_support.c @ 117]
02 fffff880`045ec860 fffff800`04297cc5 nt!IopLoadDriver+0xa06
03 fffff880`045ecb30 fffff800`03ea628d nt!IopLoadUnloadDriver+0x55
04 fffff880`045ecb70 fffff800`0419c1a0 nt!ExpWorkerThread+0x111
05 fffff880`045ecc00 fffff800`03ef4ba6 nt!PspSystemThreadStartup+0x194
06 fffff880`045ecc40 00000000`00000000 nt!KiStartSystemThread+0x16
4、在卸载驱动程序的函数入口处下断点,并执行go指令,会成功命中断点;下断点命令: bm ranet!RaUnloadDriver
备注:函数RaUnloadDriver是指针DriverObject->DriverUnload指向的函数
1: kd> bm ranet!RaUnloadDriver
2: fffff880`03e3e800 @!"RaNet!RaUnloadDriver"
1: kd> bl
1 e Disable Clear fffff880`03e3dcdc 0001 (0001) RaNet!DriverEntry
2 e Disable Clear fffff880`03e3e800 0001 (0001) RaNet!RaUnloadDriver
1: kd> g
Breakpoint 2 hit
RaNet!RaUnloadDriver:
fffff880`03e3e800 48895c2408 mov qword ptr [rsp+8],rbx
0: kd> kp
00 fffff880`04708b28 fffff800`04245c8c RaNet!RaUnloadDriver(struct _DRIVER_OBJECT * DriverObject = 0xfffffa80`1b05ec10 Driver "\Driver\RaNet") [f:\mygitrepo\rst2\rase_windows\framework\agent_windows\drivers\ranet\ranet.c @ 55]
01 fffff880`04708b30 fffff800`03e5428d nt!IopLoadUnloadDriver+0x1c
02 fffff880`04708b70 fffff800`0414a1a0 nt!ExpWorkerThread+0x111
03 fffff880`04708c00 fffff800`03ea2ba6 nt!PspSystemThreadStartup+0x194
04 fffff880`04708c40 00000000`00000000 nt!KiStartSystemThread+0x16
5、在你感兴趣的函数处下断点,并制造触发的条件,命令:bm 模块名!函数名,例如 bm ranet!GetNetDacRule,都可成功命令断点
1、创建一个驱动服务(CreateService)
sc create mydriver binpath=C:\Users\Administrator\Desktop\888888888\RaNet.sys type=kernel start=demand error=ignore
mydriver 是驱动服务名,可以改成喜欢的名字,貌似有长度限制
binpath=后面的 c:\1.sys 是驱动文件的路径,如果路径有空格则需引号括起来,例如 binpath=”C:\a b\1.sys”
type=后面的 kernel 是代表创建一个驱动服务
start=后面的 demand 代表这个驱动服务按需启动
error=后面的 ignore 代表忽略任何错误
2、启动驱动服务(StartService)
sc start mydriver
mydriver 是你要的驱动服务名字,跟上面那个mydriver 一致
3、停止驱动服务(StopService)
sc stop mydriver
4、删除驱动服务(DeleteService)
sc delete mydriver
不要了就删掉
1、创建一个驱动服务(CreateService)
sc create mydriver binpath=C:\Users\Administrator\Desktop\888888888\RaNet.sys type=kernel start=demand error=ignore
mydriver 是驱动服务名,可以改成喜欢的名字,貌似有长度限制
binpath=后面的 c:\1.sys 是驱动文件的路径,如果路径有空格则需引号括起来,例如 binpath=”C:\a b\1.sys”
type=后面的 kernel 是代表创建一个驱动服务
start=后面的 demand 代表这个驱动服务按需启动
error=后面的 ignore 代表忽略任何错误
2、启动驱动服务(StartService)
sc start mydriver
mydriver 是你要的驱动服务名字,跟上面那个mydriver 一致
3、停止驱动服务(StopService)
sc stop mydriver
4、删除驱动服务(DeleteService)
sc delete mydriver
不要了就删掉
1、汇编模式:单步执行一条汇编指令
2、源码模式:单步执行一条语句
3、p:step over
4、t:step into
5、g:运行。
6、gu:跳出函数,运行到函数的下一句。相当于跳出函数(go up),vs的shift + F11
7、.detach 解除附加
8、附加到进程的同时设置源代码路径和符号路径(可把下面这句保存为批处理文件,双击批处理就行)
"./windbg_x86/windbg.exe" -pn fcservice.exe -y %cd%\pdb -srcpath %cd%\code
9、抓取dmp文件(经常在程序崩溃时,进行抓取dmp文件)
.dump /ma C:\dumps\myapp.dmp
10、.frame在栈中切换以便检查局部变量
a)查看线程的调用堆栈knb
第一列的号称为Frame nu
0:004> knb
00 02e2fc30 00ce104a ConsoleApplication1!printf+0x4 [C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h @ 960]
01 02e2fc38 75fe4f9f ConsoleApplication1!SecondThreadFunc+0xa [D:\02MyDemo\045_register\ConsoleApplication1\ConsoleApplication1\ConsoleApplication1.cpp @ 13]
02 02e2fc70 75c7fa29 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
03 02e2fc80 77aa7a9e KERNEL32!BaseThreadInitThunk+0x19
04 02e2fcdc 77aa7a6e ntdll!__RtlUserThreadStart+0x2f
05 02e2fcec 00000000 ntdll!_RtlUserThreadStart+0x1b
b) frame 栈帧号
命令: .frame 0
c) 然后调用 x 显示当前frame的局部变量,比如这个函数中有两个局部变量pcls和rawptr
0:018> x
0012fced pcls = 0x0039ba80
0012fcd8 rawptr = 0x0039ba80
11、显示地址空间信息
0:000> !address 75831234
Usage: Image
Base Address: 75831000
End Address: 758f6000
Region Size: 000c5000
Type: 01000000MEM_IMAGE
State: 00001000MEM_COMMIT
Protect: 00000020PAGE_EXECUTE_READ
More info: lmv m kernel32
More info: !lmi kernel32
More info: ln 0x75831234
12、重启调试目标
.restart
1、汇编模式:单步执行一条汇编指令
2、源码模式:单步执行一条语句
3、p:step over
4、t:step into
5、g:运行。
6、gu:跳出函数,运行到函数的下一句。相当于跳出函数(go up),vs的shift + F11
7、.detach 解除附加
8、附加到进程的同时设置源代码路径和符号路径(可把下面这句保存为批处理文件,双击批处理就行)
"./windbg_x86/windbg.exe" -pn fcservice.exe -y %cd%\pdb -srcpath %cd%\code
9、抓取dmp文件(经常在程序崩溃时,进行抓取dmp文件)
.dump /ma C:\dumps\myapp.dmp
10、.frame在栈中切换以便检查局部变量
a)查看线程的调用堆栈knb
第一列的号称为Frame nu
0:004> knb
00 02e2fc30 00ce104a ConsoleApplication1!printf+0x4 [C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\ucrt\stdio.h @ 960]
01 02e2fc38 75fe4f9f ConsoleApplication1!SecondThreadFunc+0xa [D:\02MyDemo\045_register\ConsoleApplication1\ConsoleApplication1\ConsoleApplication1.cpp @ 13]
02 02e2fc70 75c7fa29 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
03 02e2fc80 77aa7a9e KERNEL32!BaseThreadInitThunk+0x19
04 02e2fcdc 77aa7a6e ntdll!__RtlUserThreadStart+0x2f
05 02e2fcec 00000000 ntdll!_RtlUserThreadStart+0x1b
b) frame 栈帧号
命令: .frame 0
c) 然后调用 x 显示当前frame的局部变量,比如这个函数中有两个局部变量pcls和rawptr
0:018> x
0012fced pcls = 0x0039ba80
0012fcd8 rawptr = 0x0039ba80
11、显示地址空间信息
0:000> !address 75831234
Usage: Image
Base Address: 75831000
End Address: 758f6000
Region Size: 000c5000
Type: 01000000MEM_IMAGE
State: 00001000MEM_COMMIT
Protect: 00000020PAGE_EXECUTE_READ
More info: lmv m kernel32
More info: !lmi kernel32
More info: ln 0x75831234
12、重启调试目标
.restart
可以通过指定x前缀(十六进制)、0n前缀(十进制)、0t前缀(八进制)或0y前缀(二进制)
1、打开watch窗口,双机name列可输入变量名,即可显示局部变量的值
2、/i:使显示器指定变量的类型:局部、全局、参数、函数或未知。
0:000> dv /i bRegisteredVer
prv local bRegisteredVer = false
3、/t :使显示包含每个局部变量的数据类型。
0:000> dv /t bRegisteredVer
bool bRegisteredVer = false
4、/v :使显示包括局部变量的虚拟内存地址
0:000> dv /v bRegisteredVer
0012aa27 bRegisteredVer = false
5、/V :与/v相同,还包括相对于相关寄存器的局部变量的地址。
0:000> dv /V bRegisteredVer
0012aa27 @ebp-0x55 bRegisteredVer = false
6、/a:按地址按升序对输出进行排序。
0:000> dv /a
this = 0x001ed8c8
length = 0n0
file = class QFile
bRegisteredVer = false
license = class CLicense
qstrAuthCode = class QString
authErrCode = 0x0012aae4
7、 /A :按地址按降序对输出进行排序。
0:000> dv /A
authErrCode = 0x0012aae4
qstrAuthCode = class QString
license = class CLicense
bRegisteredVer = false
file = class QFile
length = 0n0
this = 0x001ed8c8
8、/n :按名称按升序对输出进行排序。
0:000> dv /n
authErrCode = 0x0012aae4
bRegisteredVer = false
file = class QFile
length = 0n0
license = class CLicense
qstrAuthCode = class QString
this = 0x001ed8c8
9、/N :按名称按升序对输出进行排序。
0:000> dv /N
this = 0x001ed8c8
qstrAuthCode = class QString
license = class CLicense
length = 0n0
file = class QFile
bRegisteredVer = false
authErrCode = 0x0012aae4
10、/z :按大小按升序对输出进行排序。
0:000> dv /z
bRegisteredVer = false
this = 0x001ed8c8
qstrAuthCode = class QString
authErrCode = 0x0012aae4
length = 0n0
file = class QFile
license = class CLicense
11、/Z :按大小按升序对输出进行排序。
0:000> dv /Z
license = class CLicense
length = 0n0
file = class QFile
this = 0x001ed8c8
qstrAuthCode = class QString
authErrCode = 0x0012aae4
bRegisteredVer = false
可以通过指定x前缀(十六进制)、0n前缀(十进制)、0t前缀(八进制)或0y前缀(二进制)
1、打开watch窗口,双机name列可输入变量名,即可显示局部变量的值
2、/i:使显示器指定变量的类型:局部、全局、参数、函数或未知。
0:000> dv /i bRegisteredVer
prv local bRegisteredVer = false
3、/t :使显示包含每个局部变量的数据类型。
0:000> dv /t bRegisteredVer
bool bRegisteredVer = false
4、/v :使显示包括局部变量的虚拟内存地址
0:000> dv /v bRegisteredVer
0012aa27 bRegisteredVer = false
5、/V :与/v相同,还包括相对于相关寄存器的局部变量的地址。
0:000> dv /V bRegisteredVer
0012aa27 @ebp-0x55 bRegisteredVer = false
6、/a:按地址按升序对输出进行排序。
0:000> dv /a
this = 0x001ed8c8
length = 0n0
file = class QFile
bRegisteredVer = false
license = class CLicense
qstrAuthCode = class QString
authErrCode = 0x0012aae4
7、 /A :按地址按降序对输出进行排序。
0:000> dv /A
authErrCode = 0x0012aae4
qstrAuthCode = class QString
license = class CLicense
bRegisteredVer = false
file = class QFile
length = 0n0
this = 0x001ed8c8
8、/n :按名称按升序对输出进行排序。
0:000> dv /n
authErrCode = 0x0012aae4
bRegisteredVer = false
file = class QFile
length = 0n0
license = class CLicense
qstrAuthCode = class QString
this = 0x001ed8c8
9、/N :按名称按升序对输出进行排序。
0:000> dv /N
this = 0x001ed8c8
qstrAuthCode = class QString
license = class CLicense
length = 0n0
file = class QFile
bRegisteredVer = false
authErrCode = 0x0012aae4
10、/z :按大小按升序对输出进行排序。
0:000> dv /z
bRegisteredVer = false
this = 0x001ed8c8
qstrAuthCode = class QString
authErrCode = 0x0012aae4
length = 0n0
file = class QFile
license = class CLicense
11、/Z :按大小按升序对输出进行排序。
0:000> dv /Z
license = class CLicense
length = 0n0
file = class QFile
this = 0x001ed8c8
qstrAuthCode = class QString
authErrCode = 0x0012aae4
bRegisteredVer = false
1、打开watch窗口,修改局部变量的值,,双机name列可输入变量名
双机Value列,清空原来的内容,输入新值即可,单机“Typecast”显示变量的类型
单机Locations显示变量的地址
1、打开watch窗口,修改局部变量的值,,双机name列可输入变量名
双机Value列,清空原来的内容,输入新值即可,单机“Typecast”显示变量的类型
单机Locations显示变量的地址
1、dt 查看结构
2、da按照ascii字符串显示
0:000> da 0012aa00
0012aa00 "ie"
3、db按照单字节和ascii字符串显示
0:000> db 0012aa00
0012aa00 69 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00 ie..............
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
4、dc按照4字节和ascii字符串显示
0:000> dc 0012aa00
0012aa00 00006569 00000000 00a9f7fb 00150000 ie..............
0012aa10 00000000 033b1900 0012aafc 6702c3c3 ......;........g
0012aa20 033b1900 00001436 033b1900 00000002 ..;.6.....;.....
0012aa30 00000004 6516feef 01fd71f0 01b81d90 .......e.q......
0012aa40 033b1900 033b1900 102ccad8 0000011f ..;...;...,.....
0012aa50 01b81b90 ffffffff 00000000 00000000 ................
0012aa60 033b1900 00000000 65106a65 fb93c5d2 ..;.....ej.e....
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc ................
5、dd按照4字节显示
0:000> dd 0012aa00
0012aa00 00006569 00000000 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
6、dD按照双浮点(8字节)格式显示
0:000> dD 0012aa00
0012aa00 1.28264382317e-319 2.92040944479e-308 4.24283322552e-293
0012aa18 1.63293462903e+188 1.09792330031e-310 4.27077224821e-314
0012aa30 9.3185129548e+178 2.25060988521e-300 4.24283325567e-293
0012aa48 6.0914686708e-312 -1.
0012aa60 2.67806662793e-316 -1.88175367138e+287 2.97736448613e-306
7、df按照单浮点(4字节)格式显示
0:000> df 0012aa00
0012aa00 3.6379109e-041 0 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
8、dp按照指针(32位系统读取4字节、64位系统读取8字节)格式读取
0:000> df 0012aa00
0012aa00 3.6379109e-041 0 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
9、dq按照8字节读取
0:000> dq 0012aa00
0012aa00 00000000`00006569 00150000`00a9f7fb
0012aa10 033b1900`00000000 6702c3c3`0012aafc
0012aa20 00001436`033b1900 00000002`033b1900
0012aa30 6516feef`00000004 01b81d90`01fd71f0
0012aa40 033b1900`033b1900 0000011f`102ccad8
0012aa50 ffffffff`01b81b90 00000000`00000000
0012aa60 00000000`033b1900 fb93c5d2`65106a65
0012aa70 0080b9e9`0012aaf0 0012aafc`00000000
10、du按照Unicode字符串读取。
0:000> du 0012aa00
0012aa00 "敩"
11、dw按照双字节显示
0:000> dw 0012aa00
0012aa00 6569 0000 0000 0000 f7fb 00a9 0000 0015
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012
12、dW按照2字节和ASCII字符串读取。
0:000> dW 0012aa00
0012aa00 6569 0000 0000 0000 f7fb 00a9 0000 0015 ie..............
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702 ......;........g
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000 ..;.6.....;.....
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8 .......e.q......
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000 ..;...;...,.....
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000 ................
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93 ..;.....ej.e....
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012 ................
13、dyb按照单字节和二进制读取
0:000> dyb 0012aa00
76543210 76543210 76543210 76543210
-------- -------- -------- --------
0012aa00 01101001 01100101 00000000 00000000 69 65 00 00
0012aa04 00000000 00000000 00000000 00000000 00 00 00 00
0012aa08 11111011 11110111 10101001 00000000 fb f7 a9 00
0012aa0c 00000000 00000000 00010101 00000000 00 00 15 00
0012aa10 00000000 00000000 00000000 00000000 00 00 00 00
0012aa14 00000000 00011001 00111011 00000011 00 19 3b 03
0012aa18 11111100 10101010 00010010 00000000 fc aa 12 00
0012aa1c 11000011 11000011 00000010 01100111 c3 c3 02 67
14、dyd按照4字节和二进制读取。
0:000> dyd 0012aa00
3 2 1 0
10987654 32109876 54321098 76543210
-------- -------- -------- --------
0012aa00 00000000 00000000 01100101 01101001 00006569
0012aa04 00000000 00000000 00000000 00000000 00000000
0012aa08 00000000 10101001 11110111 11111011 00a9f7fb
0012aa0c 00000000 00010101 00000000 00000000 00150000
0012aa10 00000000 00000000 00000000 00000000 00000000
0012aa14 00000011 00111011 00011001 00000000 033b1900
0012aa18 00000000 00010010 10101010 11111100 0012aafc
0012aa1c 01100111 00000010 11000011 11000011 6702c3c3
1、dt 查看结构
2、da按照ascii字符串显示
0:000> da 0012aa00
0012aa00 "ie"
3、db按照单字节和ascii字符串显示
0:000> db 0012aa00
0012aa00 69 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00 ie..............
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
4、dc按照4字节和ascii字符串显示
0:000> dc 0012aa00
0012aa00 00006569 00000000 00a9f7fb 00150000 ie..............
0012aa10 00000000 033b1900 0012aafc 6702c3c3 ......;........g
0012aa20 033b1900 00001436 033b1900 00000002 ..;.6.....;.....
0012aa30 00000004 6516feef 01fd71f0 01b81d90 .......e.q......
0012aa40 033b1900 033b1900 102ccad8 0000011f ..;...;...,.....
0012aa50 01b81b90 ffffffff 00000000 00000000 ................
0012aa60 033b1900 00000000 65106a65 fb93c5d2 ..;.....ej.e....
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc ................
5、dd按照4字节显示
0:000> dd 0012aa00
0012aa00 00006569 00000000 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
6、dD按照双浮点(8字节)格式显示
0:000> dD 0012aa00
0012aa00 1.28264382317e-319 2.92040944479e-308 4.24283322552e-293
0012aa18 1.63293462903e+188 1.09792330031e-310 4.27077224821e-314
0012aa30 9.3185129548e+178 2.25060988521e-300 4.24283325567e-293
0012aa48 6.0914686708e-312 -1.
0012aa60 2.67806662793e-316 -1.88175367138e+287 2.97736448613e-306
7、df按照单浮点(4字节)格式显示
0:000> df 0012aa00
0012aa00 3.6379109e-041 0 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
8、dp按照指针(32位系统读取4字节、64位系统读取8字节)格式读取
0:000> df 0012aa00
0012aa00 3.6379109e-041 0 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
9、dq按照8字节读取
0:000> dq 0012aa00
0012aa00 00000000`00006569 00150000`00a9f7fb
0012aa10 033b1900`00000000 6702c3c3`0012aafc
0012aa20 00001436`033b1900 00000002`033b1900
0012aa30 6516feef`00000004 01b81d90`01fd71f0
0012aa40 033b1900`033b1900 0000011f`102ccad8
0012aa50 ffffffff`01b81b90 00000000`00000000
0012aa60 00000000`033b1900 fb93c5d2`65106a65
0012aa70 0080b9e9`0012aaf0 0012aafc`00000000
10、du按照Unicode字符串读取。
0:000> du 0012aa00
0012aa00 "敩"
11、dw按照双字节显示
0:000> dw 0012aa00
0012aa00 6569 0000 0000 0000 f7fb 00a9 0000 0015
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012
12、dW按照2字节和ASCII字符串读取。
0:000> dW 0012aa00
0012aa00 6569 0000 0000 0000 f7fb 00a9 0000 0015 ie..............
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702 ......;........g
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000 ..;.6.....;.....
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8 .......e.q......
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000 ..;...;...,.....
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000 ................
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93 ..;.....ej.e....
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012 ................
13、dyb按照单字节和二进制读取
0:000> dyb 0012aa00
76543210 76543210 76543210 76543210
-------- -------- -------- --------
0012aa00 01101001 01100101 00000000 00000000 69 65 00 00
0012aa04 00000000 00000000 00000000 00000000 00 00 00 00
0012aa08 11111011 11110111 10101001 00000000 fb f7 a9 00
0012aa0c 00000000 00000000 00010101 00000000 00 00 15 00
0012aa10 00000000 00000000 00000000 00000000 00 00 00 00
0012aa14 00000000 00011001 00111011 00000011 00 19 3b 03
0012aa18 11111100 10101010 00010010 00000000 fc aa 12 00
0012aa1c 11000011 11000011 00000010 01100111 c3 c3 02 67
14、dyd按照4字节和二进制读取。
0:000> dyd 0012aa00
3 2 1 0
10987654 32109876 54321098 76543210
-------- -------- -------- --------
0012aa00 00000000 00000000 01100101 01101001 00006569
0012aa04 00000000 00000000 00000000 00000000 00000000
0012aa08 00000000 10101001 11110111 11111011 00a9f7fb
0012aa0c 00000000 00010101 00000000 00000000 00150000
0012aa10 00000000 00000000 00000000 00000000 00000000
0012aa14 00000011 00111011 00011001 00000000 033b1900
0012aa18 00000000 00010010 10101010 11111100 0012aafc
0012aa1c 01100111 00000010 11000011 11000011 6702c3c3
e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza (Enter Values)
e*命令将您指定的值输入内存。不要将此命令与~e(Thread-Specific Command)限定符混淆。
e{b|d|D|f|p|q|w} Address [Values]
e{a|u|za|zu} Address "String"
e Address [Values]
参数:
Address
指定输入值的起始地址。调试器将替换地址和每个后续内存位置处的值,直到所有值都被使用为止。
Values
指定要输入内存的一个或多个值。多个数值应该用空格分隔。如果未指定任何值,则将显示当前地址和该地址的值,并提示您输入。
String
指定要输入内存的字符串。ea和eza命令将此作为ascii字符串写入内存;eu和ezu命令将此作为unicode字符串写入内存。eza和ezu命令会写入一个终端空值;ea和eu命令不会。字符串必须用引号括起来。
1、eb 字节值。
0:000> eb 0012aa00 56
0:000> db 0012aa00
0012aa00 56 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00 Ve..............
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
2、ed 双字值 (4 个字节为单位)。
0:000> ed 0012aa00 12345678
0:000> dd 0012aa00
0012aa00 12345678 00000000 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
3、eD 双精度浮点数 (8 字节为单位)。
0:000> eD 0012aa00 3.1415926
0:000> dD 0012aa00
0012aa00 3.1415926 2.92040944479e-308 4.24283322552e-293
0012aa18 1.63293462903e+188 1.09792330031e-310 4.27077224821e-314
0012aa30 9.3185129548e+178 2.25060988521e-300 4.24283325567e-293
0012aa48 6.0914686708e-312 -1.
0012aa60 2.67806662793e-316 -1.88175367138e+287 2.97736448613e-306
4、ef 单精度浮点数 (4 个字节为单位)。
0:000> ef 0012aa00 6.28
0:000> df 0012aa00
0012aa00 6.2800002 2.142699 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
5、ep 指针大小值。 此命令是等效于ed或eq,具体取决于目标计算机的处理器体系结构是否 32 位或 64 位分别。
0:000> ep 0012aa00 98765432
0:000> dp 0012aa00
0012aa00 98765432 400921fb 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
6、eq 四字值 (8 字节为单位)。
0:000> ep 0012aa00 98765432
0:000> dp 0012aa00
0012aa00 98765432 400921fb 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
7、ew 字值 (2 个字节)。
0:000> ew 0012aa00 9999
0:000> dw 0012aa00
0012aa00 9999 0075 0061 0069 007a 0068 0069 0015
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012
8、ea ASCII 字符串 (不以 NULL 终止)。
0:000> ea 0012aa00 "jiahao"
0:000> db 0012aa00
0012aa00 6a 69 61 68 61 6f 6c 65-69 f7 a9 00 00 00 15 00 jiahaolei.......
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
9、eu Unicode 字符串 (不以 NULL 终止)。
0:000> eu 0012aa00 "huaizhi"
0:000> du 0012aa00
0012aa00 "huaizhi."
0:000> db 0012aa00
0012aa00 68 00 75 00 61 00 69 00-7a 00 68 00 69 00 15 00 h.u.a.i.z.h.i...
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
10、eza 以 NULL 结尾的 ASCII 字符串。
0:000> eza 0012aa00 "china"
0:000> db 0012aa00
0012aa00 63 68 69 6e 61 00 69 00-7a 00 68 00 69 00 15 00 china.i.z.h.i...
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
11、ezu 以 NULL 结尾的 Unicode 字符串。
0:000> ezu 0012aa00 "Enlish"
0:000> db 0012aa00
0012aa00 45 00 6e 00 6c 00 69 00-73 00 68 00 00 00 15 00 E.n.l.i.s.h.....
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza (Enter Values)
e*命令将您指定的值输入内存。不要将此命令与~e(Thread-Specific Command)限定符混淆。
e{b|d|D|f|p|q|w} Address [Values]
e{a|u|za|zu} Address "String"
e Address [Values]
参数:
Address
指定输入值的起始地址。调试器将替换地址和每个后续内存位置处的值,直到所有值都被使用为止。
Values
指定要输入内存的一个或多个值。多个数值应该用空格分隔。如果未指定任何值,则将显示当前地址和该地址的值,并提示您输入。
String
指定要输入内存的字符串。ea和eza命令将此作为ascii字符串写入内存;eu和ezu命令将此作为unicode字符串写入内存。eza和ezu命令会写入一个终端空值;ea和eu命令不会。字符串必须用引号括起来。
1、eb 字节值。
0:000> eb 0012aa00 56
0:000> db 0012aa00
0012aa00 56 65 00 00 00 00 00 00-fb f7 a9 00 00 00 15 00 Ve..............
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
2、ed 双字值 (4 个字节为单位)。
0:000> ed 0012aa00 12345678
0:000> dd 0012aa00
0012aa00 12345678 00000000 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
3、eD 双精度浮点数 (8 字节为单位)。
0:000> eD 0012aa00 3.1415926
0:000> dD 0012aa00
0012aa00 3.1415926 2.92040944479e-308 4.24283322552e-293
0012aa18 1.63293462903e+188 1.09792330031e-310 4.27077224821e-314
0012aa30 9.3185129548e+178 2.25060988521e-300 4.24283325567e-293
0012aa48 6.0914686708e-312 -1.
0012aa60 2.67806662793e-316 -1.88175367138e+287 2.97736448613e-306
4、ef 单精度浮点数 (4 个字节为单位)。
0:000> ef 0012aa00 6.28
0:000> df 0012aa00
0012aa00 6.2800002 2.142699 1.5609157e-038 1.9285454e-039
0012aa10 0 5.4983059e-037 1.7143766e-039 6.1751881e+023
0012aa20 5.4983059e-037 7.2503183e-042 5.4983059e-037 2.8025969e-045
0012aa30 5.6051939e-045 4.4566104e+022 9.3101014e-038 6.7633345e-038
5、ep 指针大小值。 此命令是等效于ed或eq,具体取决于目标计算机的处理器体系结构是否 32 位或 64 位分别。
0:000> ep 0012aa00 98765432
0:000> dp 0012aa00
0012aa00 98765432 400921fb 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
6、eq 四字值 (8 字节为单位)。
0:000> ep 0012aa00 98765432
0:000> dp 0012aa00
0012aa00 98765432 400921fb 00a9f7fb 00150000
0012aa10 00000000 033b1900 0012aafc 6702c3c3
0012aa20 033b1900 00001436 033b1900 00000002
0012aa30 00000004 6516feef 01fd71f0 01b81d90
0012aa40 033b1900 033b1900 102ccad8 0000011f
0012aa50 01b81b90 ffffffff 00000000 00000000
0012aa60 033b1900 00000000 65106a65 fb93c5d2
0012aa70 0012aaf0 0080b9e9 00000000 0012aafc
7、ew 字值 (2 个字节)。
0:000> ew 0012aa00 9999
0:000> dw 0012aa00
0012aa00 9999 0075 0061 0069 007a 0068 0069 0015
0012aa10 0000 0000 1900 033b aafc 0012 c3c3 6702
0012aa20 1900 033b 1436 0000 1900 033b 0002 0000
0012aa30 0004 0000 feef 6516 71f0 01fd 1d90 01b8
0012aa40 1900 033b 1900 033b cad8 102c 011f 0000
0012aa50 1b90 01b8 ffff ffff 0000 0000 0000 0000
0012aa60 1900 033b 0000 0000 6a65 6510 c5d2 fb93
0012aa70 aaf0 0012 b9e9 0080 0000 0000 aafc 0012
8、ea ASCII 字符串 (不以 NULL 终止)。
0:000> ea 0012aa00 "jiahao"
0:000> db 0012aa00
0012aa00 6a 69 61 68 61 6f 6c 65-69 f7 a9 00 00 00 15 00 jiahaolei.......
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
9、eu Unicode 字符串 (不以 NULL 终止)。
0:000> eu 0012aa00 "huaizhi"
0:000> du 0012aa00
0012aa00 "huaizhi."
0:000> db 0012aa00
0012aa00 68 00 75 00 61 00 69 00-7a 00 68 00 69 00 15 00 h.u.a.i.z.h.i...
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
10、eza 以 NULL 结尾的 ASCII 字符串。
0:000> eza 0012aa00 "china"
0:000> db 0012aa00
0012aa00 63 68 69 6e 61 00 69 00-7a 00 68 00 69 00 15 00 china.i.z.h.i...
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
11、ezu 以 NULL 结尾的 Unicode 字符串。
0:000> ezu 0012aa00 "Enlish"
0:000> db 0012aa00
0012aa00 45 00 6e 00 6c 00 69 00-73 00 68 00 00 00 15 00 E.n.l.i.s.h.....
0012aa10 00 00 00 00 00 19 3b 03-fc aa 12 00 c3 c3 02 67 ......;........g
0012aa20 00 19 3b 03 36 14 00 00-00 19 3b 03 02 00 00 00 ..;.6.....;.....
0012aa30 04 00 00 00 ef fe 16 65-f0 71 fd 01 90 1d b8 01 .......e.q......
0012aa40 00 19 3b 03 00 19 3b 03-d8 ca 2c 10 1f 01 00 00 ..;...;...,.....
0012aa50 90 1b b8 01 ff ff ff ff-00 00 00 00 00 00 00 00 ................
0012aa60 00 19 3b 03 00 00 00 00-65 6a 10 65 d2 c5 93 fb ..;.....ej.e....
0012aa70 f0 aa 12 00 e9 b9 80 00-00 00 00 00 fc aa 12 00 ................
1、查看加载的所有模块lm
0:000> lm
start end module name
003c0000 003d3000 VCRUNTIME140 (export symbols) C:\Program Files\RSAWinGuard\VCRUNTIME140.dll
003e0000 003e4000 api_ms_win_crt_runtime_l1_1_0 (export symbols) C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll
003f0000 003f3000 api_ms_win_core_string_l1_1_0 (export symbols) C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll
00400000 009f4000 standAloneWinGuard C (private pdb symbols) c:\pdb\standAloneWinGuard.pdb
00a00000 00a6f000 MSVCP140 (export symbols) C:\Program Files\RSAWinGuard\MSVCP140.dll
2、查看某个模块的详细信息lmvm
0:000> lmvm standAloneWinGuard
start end module name
00400000 009f4000 standAloneWinGuard C (private pdb symbols) c:\pdb\standAloneWinGuard.pdb
Loaded symbol image file: C:\Program Files\RSAWinGuard\standAloneWinGuard.exe
Image path: standAloneWinGuard.exe
Image name: standAloneWinGuard.exe
Timestamp: Thu Mar 11 14:11:27 2021 (6049B48F)
CheckSum: 00000000
ImageSize: 005F4000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
1、查看加载的所有模块lm
0:000> lm
start end module name
003c0000 003d3000 VCRUNTIME140 (export symbols) C:\Program Files\RSAWinGuard\VCRUNTIME140.dll
003e0000 003e4000 api_ms_win_crt_runtime_l1_1_0 (export symbols) C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll
003f0000 003f3000 api_ms_win_core_string_l1_1_0 (export symbols) C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll
00400000 009f4000 standAloneWinGuard C (private pdb symbols) c:\pdb\standAloneWinGuard.pdb
00a00000 00a6f000 MSVCP140 (export symbols) C:\Program Files\RSAWinGuard\MSVCP140.dll
2、查看某个模块的详细信息lmvm
0:000> lmvm standAloneWinGuard
start end module name
00400000 009f4000 standAloneWinGuard C (private pdb symbols) c:\pdb\standAloneWinGuard.pdb
Loaded symbol image file: C:\Program Files\RSAWinGuard\standAloneWinGuard.exe
Image path: standAloneWinGuard.exe
Image name: standAloneWinGuard.exe
Timestamp: Thu Mar 11 14:11:27 2021 (6049B48F)
CheckSum: 00000000
ImageSize: 005F4000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:000> kb
ChildEBP RetAddr Args to Child
0012aa7c 00532012 0336ab30 0012aae4 fb93c552 standAloneWinGuard!CUIAuthMgr::Authorize+0xe5 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\uiauthmgr.cpp @ 95]
0012aafc 00577527 00000000 fb93a27d 0012ab54 standAloneWinGuard!CMainWnd::handle_pushButton_authorize_click+0xf2 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\mainwnd.cpp @ 2784]
0012ab5c 6718364f 0012d4d0 00000000 00000051 standAloneWinGuard!CMainWnd::qt_static_metacall+0xa27 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\release\moc\moc_mainwnd.cpp @ 639]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012abec 6718382e 01b82978 00000000 6745b4d0 Qt5Core!QMetaObject::activate+0x50f
0012ac00 650bfa90 01b82978 652c6074 00000002 Qt5Core!QMetaObject::activate+0x1e
0012ac2c 650bf9f8 0012afc8 0012afc8 01b829a8 Qt5Widgets!QAbstractButton::clicked+0x80
00000000 00000000 00000000 00000000 00000000 Qt5Widgets!QAbstractButton::click+0x158
0:000> kb
ChildEBP RetAddr Args to Child
0012aa7c 00532012 0336ab30 0012aae4 fb93c552 standAloneWinGuard!CUIAuthMgr::Authorize+0xe5 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\uiauthmgr.cpp @ 95]
0012aafc 00577527 00000000 fb93a27d 0012ab54 standAloneWinGuard!CMainWnd::handle_pushButton_authorize_click+0xf2 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\mainwnd.cpp @ 2784]
0012ab5c 6718364f 0012d4d0 00000000 00000051 standAloneWinGuard!CMainWnd::qt_static_metacall+0xa27 [f:\mygitrepo\rst2\standalonewinguard_v2\framework\agent_windows\standalonewinguard\release\moc\moc_mainwnd.cpp @ 639]
WARNING: Stack unwind information not available. Following frames may be wrong.
0012abec 6718382e 01b82978 00000000 6745b4d0 Qt5Core!QMetaObject::activate+0x50f
0012ac00 650bfa90 01b82978 652c6074 00000002 Qt5Core!QMetaObject::activate+0x1e
0012ac2c 650bf9f8 0012afc8 0012afc8 01b829a8 Qt5Widgets!QAbstractButton::clicked+0x80
00000000 00000000 00000000 00000000 00000000 Qt5Widgets!QAbstractButton::click+0x158
u 向下反汇编
ub 向上反汇编
uf 反汇编整个函数
a 写入汇编指令
1、uf 模块名!函数名称
0: kd> uf tcpip!TcpPortPoolQueryLocalAddressFunction
tcpip!TcpPortPoolQueryLocalAddressFunction:
89c3c012 8bff mov edi,edi
89c3c014 55 push ebp
89c3c015 8bec mov ebp,esp
89c3c017 80fa01 cmp dl,1
89c3c01a 7437 je tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0xa:
89c3c01c 80fa02 cmp dl,2
89c3c01f 7532 jne tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0xf:
89c3c021 668b41fc mov ax,word ptr [ecx-4]
89c3c025 8b5508 mov edx,dword ptr [ebp+8]
89c3c028 668902 mov word ptr [edx],ax
89c3c02b 8b81a0feffff mov eax,dword ptr [ecx-160h]
89c3c031 8b00 mov eax,dword ptr [eax]
89c3c033 8b4008 mov eax,dword ptr [eax+8]
89c3c036 8b00 mov eax,dword ptr [eax]
89c3c038 8b550c mov edx,dword ptr [ebp+0Ch]
89c3c03b 8902 mov dword ptr [edx],eax
89c3c03d f681ccfeffff20 test byte ptr [ecx-134h],20h
89c3c044 7526 jne tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a (89c3c06c) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x34:
89c3c046 8b81a0feffff mov eax,dword ptr [ecx-160h]
89c3c04c 8b00 mov eax,dword ptr [eax]
89c3c04e 8b400c mov eax,dword ptr [eax+0Ch]
89c3c051 eb20 jmp tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x41:
89c3c053 668b41fc mov ax,word ptr [ecx-4]
89c3c057 8b5508 mov edx,dword ptr [ebp+8]
89c3c05a 668902 mov word ptr [edx],ax
89c3c05d 8b41f0 mov eax,dword ptr [ecx-10h]
89c3c060 8b550c mov edx,dword ptr [ebp+0Ch]
89c3c063 8902 mov dword ptr [edx],eax
89c3c065 8b49f4 mov ecx,dword ptr [ecx-0Ch]
89c3c068 85c9 test ecx,ecx
89c3c06a 7504 jne tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e (89c3c070) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a:
89c3c06c 33c0 xor eax,eax
89c3c06e eb03 jmp tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e:
89c3c070 8b410c mov eax,dword ptr [ecx+0Ch]
tcpip!TcpPortPoolQueryLocalAddressFunction+0x61:
89c3c073 5d pop ebp
89c3c074 c20800 ret 8
2、u 指令地址
0: kd> u 89c77510
tcpip!EnumerateAndReferenceEndpointInAssignment+0x43:
89c77510 eb0a jmp tcpip!EnumerateAndReferenceEndpointInAssignment+0x4f (89c7751c)
89c77512 83651000 and dword ptr [ebp+10h],0
89c77516 83651c00 and dword ptr [ebp+1Ch],0
89c7751a 33c0 xor eax,eax
89c7751c 83f8ff cmp eax,0FFFFFFFFh
89c7751f 7444 je tcpip!EnumerateAndReferenceEndpointInAssignment+0x98 (89c77565)
89c77521 8b4d1c mov ecx,dword ptr [ebp+1Ch]
89c77524 85c9 test ecx,ecx
u 向下反汇编
ub 向上反汇编
uf 反汇编整个函数
a 写入汇编指令
1、uf 模块名!函数名称
0: kd> uf tcpip!TcpPortPoolQueryLocalAddressFunction
tcpip!TcpPortPoolQueryLocalAddressFunction:
89c3c012 8bff mov edi,edi
89c3c014 55 push ebp
89c3c015 8bec mov ebp,esp
89c3c017 80fa01 cmp dl,1
89c3c01a 7437 je tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0xa:
89c3c01c 80fa02 cmp dl,2
89c3c01f 7532 jne tcpip!TcpPortPoolQueryLocalAddressFunction+0x41 (89c3c053) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0xf:
89c3c021 668b41fc mov ax,word ptr [ecx-4]
89c3c025 8b5508 mov edx,dword ptr [ebp+8]
89c3c028 668902 mov word ptr [edx],ax
89c3c02b 8b81a0feffff mov eax,dword ptr [ecx-160h]
89c3c031 8b00 mov eax,dword ptr [eax]
89c3c033 8b4008 mov eax,dword ptr [eax+8]
89c3c036 8b00 mov eax,dword ptr [eax]
89c3c038 8b550c mov edx,dword ptr [ebp+0Ch]
89c3c03b 8902 mov dword ptr [edx],eax
89c3c03d f681ccfeffff20 test byte ptr [ecx-134h],20h
89c3c044 7526 jne tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a (89c3c06c) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x34:
89c3c046 8b81a0feffff mov eax,dword ptr [ecx-160h]
89c3c04c 8b00 mov eax,dword ptr [eax]
89c3c04e 8b400c mov eax,dword ptr [eax+0Ch]
89c3c051 eb20 jmp tcpip!TcpPortPoolQueryLocalAddressFunction+0x61 (89c3c073) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x41:
89c3c053 668b41fc mov ax,word ptr [ecx-4]
89c3c057 8b5508 mov edx,dword ptr [ebp+8]
89c3c05a 668902 mov word ptr [edx],ax
89c3c05d 8b41f0 mov eax,dword ptr [ecx-10h]
89c3c060 8b550c mov edx,dword ptr [ebp+0Ch]
89c3c063 8902 mov dword ptr [edx],eax
89c3c065 8b49f4 mov ecx,dword ptr [ecx-0Ch]
89c3c068 85c9 test ecx,ecx
89c3c06a 7504 jne tcpip!TcpPortPoolQueryLocalAddressFunction+0x5e (89c3c070) Branch
tcpip!TcpPortPoolQueryLocalAddressFunction+0x5a:
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2022-8-31 11:07
被sanganlei编辑
,原因:
