Baixe Manual WinDbg user guide e outras Manuais, Projetos, Pesquisas em PDF para Tecnologia da Informação e das Comunicações, somente na Docsity!
Thinking debugging? Think www.windbg.info
By Robert Kuster Posted^ :^ 01 Feb 2009 Updated : 17 Feb 2009
Common WinDbg Commands (Thematically Grouped)
Built-in help commands 9) Exceptions, events, and crash analysis 17) Information about variables
General WinDbg's commands (clear screen, ..) 10)^ Loaded modules and image information^ 18)^ Memory
Debugging sessions (attach, detach, ..) 11) Process related information 19) Manipulating memory ranges
Expressions and commands 12) Thread related information 20) Memory: Heap
Debugger markup language (DML) 13) Breakpoints 21) Application Verifier
Main extensions 14) Tracing and stepping (F10, F11) 22) Logging extension (logexts.dll)
Symbols 15) Call stack
Sources 16) Registers
Built-in help commands C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
? /D
Display regular commands Display regular commands as DML
.help
.help .help /D .help /D a*
Display. commands Display. commands in DML format (top bar of links is given) Display. commands that start with a* (wildcard) as DML
.chain
.chain .chain /D
Lists all loaded debugger extensions Lists all loaded debugger extensions as DML (where extensions are linked to a .extmatch)
.extmatch
.extmatch /e ExtDLL FunctionFilter .extmatch /D /e ExtDLL FunctionFilter
Show all exported functions of an extension DLL. FunctionFilter = wildcard string Same in DML format (functions link to "!ExtName.help FuncName" commands)
Example: .extmatch /D /e uext * (show all exported functions of uext.dll)
.hh
.hh .hh Text
Open WinDbg's help Text = text to look up in the help file index Example: .hh dt
- General WinDbg's commands (show version, clear screen, etc.) C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
version Dump version info of debugger and loaded extension DLLs
vercommand Dump command line that was used to start the debugger
vertarget Version of target computer
CTRL+ALT+V
Toggle verbose mode ON/OFF In verbose mode some commands (such as register dumping) have more detailed output.
n n [8 | 10 | 16] Set number base
.formats
.formats Expression Show number formats = evaluates a numerical expression or symbol and displays it in multiple numerical formats (hex, decimal, octal, binary, time, ..)
Example 1: .formats 5 Example 2: .formats poi(nLocal1) == .formats @@($!nLocal1)
.cls Clear screen
.lastevent
Displays the most recent exception or event that occurred (why the debugger is waiting?)
.effmach
.effmach .effmach. .effmach # .effmach x86 | amd64 | ia64 | ebc
Dump effective machine (x86, amd64, ..): Use target computer's native processor mode Use processor mode of the code that is executing for the most recent event Use x86, amd64, ia64, or ebc processor mode
This setting influences many debugger features: -> which processor's unwinder is used for stack tracing -> which processor's register set is active
.time display time (system-up, process-up, kernel time, user time)
- Debugging sessions (attach, detach, ..) C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
.attach PID attach to a process
.detach ends the debugging session, but leaves any user-mode target application running
q q, qq Quit = ends the debugging session and terminates the target application Remote debugging: q= no effect; qq= terminates the debug server
.restart Restart target application
- Expressions and commands C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
; Command separator (cm1; cm2; ..)
? Expression ?? Expression
Evaluate expression (use default evaluator) Evaluate c++ expression
.expr
.expr .expr /q .expr /s c++ .expr /s masm
Choose default expression evaluator Show current evaluator Show available evaluators Set c++ as the default expression evaluator Set masm as the default expression evaluator
- [any text] Comment Line Specifier Terminated by: end of line
$$ [any text] Comment Specifier Terminated by: end of line OR semicolon
.echo
.echo String .echo "String"
Echo Comment -> comment text + echo it Terminated by: end of line OR semicolon With the $$ token or the * token the debugger will ignore the inputted text without echoing it.
- Debugger markup language (DML)
Starting with the 6.6.07 version of the debugger a new mechanism for enhancing output from the debugger and extensions was included: DML. DML allows output to include directives and extra non-display information in the form of tags. Debugger user interfaces parse out the extra information to provide new behaviors.
DML is primarily intended to address two issues:
Linking of related information Discoverability of debugger and extension functionality
C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
x
x [Options] Module!Symbol x /t .. x /v .. x /a .. x /n .. x /z ..
Examine symbols: displays symbols that match the specified pattern with data type verbose (symbol type and size) sort by address sort by name sort by size ("size" of a function symbol is the size of the function in memory)
ln
ln Addr
List nearest symbols = display the symbols at or near the given Addr. Useful to:
determine what a pointer is pointing to when looking at a corrupted stack to determine which procedure made a call
.sympath
.sympath .sympath+
Display or set symbol search path Append directories to previous symbol path
.symopt
.symopt .symopt+ Flags .symopt- Flags
displays current symbol options add option remove option
.symfix
.symfix .symfix+ DownstreamStore
Set symbol store path to automatically point to http://msdl.microsoft.com/ download/symbols
- = append it to the existing path DownstreamStore = directory to be used as a downstream store. Default is WinDbgInstallationDir\Sym.
.reload
.reload .reload [/f | /v] .reload [/f | /v] Module
Reload symbol information for all modules** f = force immediate symbol load (overrides lazy loading); v = verbose mode Module = for Module only
**Note: The .reload command does not actually cause symbol information to be read. It just lets the debugger know that the symbol files may have changed, or that a new module should be added to the module list. To force actual symbol loading to occur use the /f option, or the ld (Load Symbols) command.
Collapse
x *! list all modules
x ntdll!* list all symbols of ntdll x /t /v MyDll!* list all symbol in MyDll with data type, symbol type and size
x kernel32!LoadLib list all symbols in kernel32 that contain the word LoadLib
.sympath+ C:\MoreSymbols add symbols from C:\MoreSymbols (folder location)
.reload /f @"ntdll.dll" Immediately reload symbols for ntdll.dll.
.reload /f @"C:\WINNT\System32\verifier.dll" Reload symbols for verifier. Use the given path.
Also check the "!lmi" command.
- Sources C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
.srcpath .srcpath .srcpath+ DIR
Display or set source search path Append directory to the searched source path
.srcnoisy {1|0} Controls noisy source loading
.lines [-e | -d | -t] Toggle source line support: enable; disable; toggle
l (small letter L)
l+l, l-l l+o, l-o l+s, l-s l+t, l-t
show line numbers suppress all but [s] source and line number source mode vs. assembly mode
- Exceptions, events, and crash analysis C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
g
g gH gN
Go Go exception handled Go not handled
.lastevent What happened? Shows most recent event or exception
!analyze
!analyze -v !analyze -hang !analyze -f
Display information about the current exception or bug check; verbose User mode: Analyzes the thread stack to determine whether any threads are blocking other threads. See an exception analysis even when the debugger does not detect an exception.
sx
sx sxe sxd sxn sxi sxr
Show all event filters with break status and handling break first-chance break second-chance notify; don't break ignore event reset filter settings to default values
.exr
.exr- .exr Addr
display most recent exception record display exception record at Addr
.ecxr displays exception context record (registers) associated with the current exception
!cppexr Addr Display content and type of C++ exception
Collapse
exr -1 display most recent exception
.exr 7c901230 display exception at address 7c !cppexr 7c901230 display c++ exception at address 7c
- Loaded modules and image information C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
lm
lm[ v | l | k | u | f ] [m Pattern] lmD
List modules; verbose | with loaded symbols | k-kernel or u-user only symbol info | image path; pattern that the module name must match DML mode of lm; lmv command links included in output
!dlls
!dlls !dlls -i !dlls -l !dlls -m !dlls -v !dlls -c ModuleAddr !dlls -?
all loaded modules with load count by initialization order by load order (default) by memory order with version info only module at ModuleAddr brief help
!imgreloc ImgBaseAddr information about relocated images
!lmi Module detailed info about a module (including exact symbol info)
!dh
!dh ImgBaseAddr !dh -f ImgBaseAddr !dh -s ImgBaseAddr !dh -h
Dump headers for ImgBaseAddr f = file headers only s = section headers only h = brief help
The !lmi extension extracts the most important information from the image header and displays it in a concise summary format. It is often more useful than !dh.
Collapse
lm display all loaded and unloaded modules
lmv m kernel32 display verbose (all possible) information for kernel32.dll
lmD DML variant of lm
!gle
!gle !gle -all
Dump last error for current thread Dump last error for all threads
Point of interest: SetLastError( dwErrCode ) checks the value of kernel32! g_dwLastErrorToBreakOn and possibly executes a DbgBreakPoint.
if ((g_dwLastErrorToBreakOn != 0 ) && (dwErrCode == g_dwLastErrorToBreakOn)) DbgBreakPoint();
The downside is that SetLastError is only called from within KERNEL32.DLL. Other calls to SetLastError are redirected to a function located in NTDLL.DLL, RtlSetLastWin32Error.
!error !error ErrValue !error ErrValue 1
Decode and display information about an error value Treat ErrValue value as an NTSTATUS code
Collapse
~* k call stack for all threads ~ !uniqstack
~2 f Freeze Thread TID=
~# f Freeze the thread causing the current exception ~3 u Unfreeze Thread TID=
~2e r; k; kd == ~2r; ~2k; ~2kd
~*e !gle will repeat every the extension command !gle for every single thread being debugged
!tls -1 Dump all TLS slots for current thread
!runaway 7 1 (user time) + 2 (kernel time) + 4 (time elapsed since thread start)
!teb Dump formatted view of our threads TEB (only some information)
dt ntdll!_TEB @$teb Dump TEB of current thread
- Breakpoints C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
bl List breakpoints
bc bc * bc # [#] [#]
Clear all breakpoints Clear breakpoint #
be
be * be # [#] [#]
Enable all bps Enable bp #
bd bd * bd # [#] [#]
Disable all bps Disable bp #
bp
bp [Addr] bp [Addr] ["CmdString"]
[~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"]
Set breakpoint at address CmdString = Cmd1; Cmd2; .. Executed every time the BP is hit.
~Thrd == thread that the bp applies too.
= Breakpoint ID
Passes = Activate breakpoint after #Passes (it is ignored before)
bu
bu [Addr]
See bp ..
Set unresolved breakpoint. bp is set when the module gets loaded
bm
bm SymPattern bm SymPattern ["CmdString"]
[~Thrd] bm [Options] SymPattern [#Passes] ["CmdString"]
Set symbol breakpoint. SymPattern can contain wildcards CmdString = Cmd1; Cmd2; .. Executed every time the BP is hit.
~Thrd == thread that the bp applies too. Passes = Activate breakpoint after #Passes (it is ignored before)
The syntax bm SymPattern is equivalent to using x SymPattern and then using bu on each of the results.
ba
ba [r|w|e] [Size] Addr
[~Thrd] ba[#] [r|w|e] [Size] [Options] [Addr] [Passes] ["CmdString"]
Break on Access: [r=read/write, w=write, e=execute], Size=[1|2|4 bytes]
[~Thrd] == thread that the bp applies too.
= Breakpoint ID
Passes = Activate breakpoint after #Passes (it is ignored before)
br br OldID NewID [OldID2 NewID2 ...] renumbers one or more breakpoints
g (F5)
g gu
Go (F5) Go up = execute until the current function is complete gu ~= g @$ra gu ~= bp /1 /c @$csp @$ra;g -> $csp = same as esp on x -> $ra = The return address currently on the stack
p (F10)
p
pr p Count p [Count] "Command" p =StartAddress [Count] ["Command"]
[~Thread] p [=StartAddress] [Count] ["Command"]
Single step - executes a single instruction or source line. Subroutines are treated as a single step.
Toggle display of registers and flags Count = count of instructions or source lines to step through before stopping Command = debugger command to be executed after the step is performed StartAddress = Causes execution to begin at the specified address. Default is the current EIP.
~Thread = The specified thread is thawed and all others frozen
t (F11) t ..
Single trace - executes a single instruction or source line. For subroutines each step is traced as well.
pt
pt ..
Step to next return - similar to the GU (go up), but staying in context of the current function If EIP is already on a return instruction, the entire return is executed. After this return is returned, execution will continue until another return is reached.
tt
tt ..
Trace to next return - similar to the GU (go up), but staying in context of the current function If EIP is already on a return instruction, the debugger traces into the return and continues executing until another return is reached.
pc
pc ..
Step to next call - executes the program until a call instruction is reached If EIP is already on a call instruction, the entire call will be executed. After this call is returned execution will continue until another call is reached.
tc
tc ..
Trace to next call - executes the program until a call instruction is reached If EIP is already on a call instruction, the debugger will trace into the call and continue executing until another call is reached.
pa
pa StopAddr
par pa StopAddr "Command" pa =StartAddress StopAddr ["Command"]
Step to address; StopAddr = address at which execution will stop Called functions are treated as a single unit
Toggle display of registers and flags Command = debugger command to be executed after the step is performed StartAddress = Causes execution to begin at the specified address. Default is the current EIP.
ta ta StopAddr ..
Trace to address; StopAddr = address at which execution will stop Called functions are traced as well
wt (^) wt
wt [Options] [= StartAddr] [EndAddr] wt -l Depth .. wt -m Module [-m Module2] .. wt -i Module [-i Module2] .. wt -oa .. wt -or .. wt -oR .. wt -nc .. wt -ns .. wt -nw ..
Trace and watch data. Go to the beginning of a function and do a wt. It will run through the entire function and display statistics.
StartAddr = execution begin; EndAddr = address at which to end tracing (default = after RET of current function) l = maximum depth of traced calls m = restrict tracing to Module i = ignore code from Module oa = dump actual address of call sites or = dump return register values (EAX value) of sub-functions oR = dump return register values (EAX value) in the appropriate type nc = no info for individual calls ns = no summary info ns = no warnings
.step_filter
.step_filter .step_filter "FilerList" .step_filter /c
Dump current filter list = functions that are skipped when tracing (t, ta, tc) FilterList = Filter 1; Filter 2; ... symbols associated with functions to be stepped over (skipped) clear the filter list
.step_filter is not very useful in assembly mode, as each function call is on a different line.
Collapse
g go
g :123;? poi(counter); g executes the current program to source line 123; print the value of counter; resume execution
p single step
pr toggle displaying of registers
p 5 "kb" 5x steps, execute "kb" thereafter
pc step to next CALL instruction
pa 7c801b0b step until 7c801b0b is reached
wt trace and watch sub-functions
wt -l 4 -oR trace sub-functions to depth 4, display their return values
- Call stack C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
k
k [n] [f] [L] [#Frames] kb ... kp ... kP ... kv ...
dump stack; n = with frame #; f = distance between adjacent frames; L = omit source lines; number of stack frames to display first 3 params all params: param type + name + value all params formatted (new line) FPO info, calling convention
kd kd [WordCnt] display raw stack data + possible symbol info == dds esp
kM DML variant with links to .frame #;dv
.kframes Set stack length. The default is 20 (0x14).
.frame
.frame .frame # .frame /r [#]
show current frame specify frame # show register values
The .frame command specifies which local context (scope) will be used to interpret local variables, or displays the current local context. When executing a near call, the processor pushes the value of the EIP register (which contains the offset of the instruction following the CALL instruction) onto the stack (for use later as a return-instruction pointer). This is the first step in building a frame. Each time a function call is made, another frame is created so that the called function can access arguments, create local variables, and provide a mechanism to return to calling function. The composition of the frame is dependant on the function calling convention.
!uniqstack
!uniqstack !uniqstack [b|v|p] [n] !uniqstack -?
show stacks for all threads [b = first 3 params, v = FPO + calling convention, p = all params: param type + name + value], [n = with frame #] brief help
!findstack
!findstack Symbol !findstack Symbol [0|1|2] !findstack -?
locate all stacks that contain Symbol or module [0 = show only TID, 1 = TID + frames, 2 = entire thread stack] brief help
Collapse
k display call stack
kn call stack with frame numbers kb display call stack with first 3 params
kb 5 display first 5 frames only
To get more than 3 Function Arguments from the stack dd ChildEBP+8 (Parameters start at ChildEBP+8)
rm 0x20 enable debug register mask r dump debug registers
rF dump all floating point register
rM 0x4 dump all floating point register rm 0x4; r dump all floating point registers
- Information about variables C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
dt
dt -h dt [mod!]Name dt [mod!]Name Field [Field] dt [mod!]Name [Field] Addr dt [mod!]Name*
dt [-n|y] [mod!]Name [-n|y] [Field] [Addr]
dt [-n|y] [mod!]Name [-n|y] [Field] [Addr] - abcehioprsv
Brief help Dump variable info Dump only 'field-name(s)' (struct or unions) Addr of struct to be dumped list symbols (wildcard)
-n Name = param is a name (use if name can be mistaken as an address) -y Name = partially match instead of default exact match
-a = Shows array elements in new line with its index -b = Dump only contiguous block of struct -c = Compact output (all fields in one line) -i = Does not indent the subtypes -l ListField = Field which is pointer to the next element in list -o = Omit the offset value (fields of struct) -p = Dump from physical address -r[l] = Recursively dump subtypes/fields (up to l levels) -s [size] = For enumeration only, enumerate types only of given size. -v = Verbose output.
dv
dv dv Pattern dv [/i /t /V] [Pattern] dv [/i /t /V /a /n /z] [Pattern]
display local variables and parameters vars matching Pattern i = type (local, global, parameter), t = data type, V = memory address or register location a = sort by Addr, n = sort by name, z = sort by size
Collapse
dt ntdll!_PEB* list all variables that contain the word _PEB dt ntdll!_PEB* -v list with verbose output (address and size included)
dt ntdll!_PEB* -v -s 9 list only symbols whose size is 9 bytes
dt ntdll!_PEB dump _PEB info dt ntdll!_PEB @$peb dump _PEB for our process
dt ntdll!_PEB 7efde dump _PEB at Addr 7efde You can get our process's PEB address with "r @$peb" or with "!peb".
dt ntdll!_PEB Ldr SessionId dump only PEB's Ldr and SessionId fields
dt ntdll!_PEB Ldr -y OS* dump Ldr field + all fields that start with OS*
dt mod!var m_cs. dump m_cs and expand its subfields
dt mod!var m_cs.. expand its subfields for 2 levels
dt ntdll!_PEB -r2 dump recursively (2 levels)
dv /t /i /V
dump local variables with type information (/t), addresses and EBP offsets (/V), classify them into categories (/i) Note: dv will also display the value of a THIS pointer for methods called with the "this calling-convention". BUG: You must first execute a few commands before dv displays the correct value. Right at a function's entry point the THIS pointer is present in ECX, so you can easily get it from there.
- Memory C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
d*
d[a| u| b| w| W| d| c| q| f| D] [/c #] [Addr]
dy[b | d] ..
Display memory [#columns to display] a = ascii chars u = Unicode chars
b = byte + ascii w = word (2b) W = word (2b) + ascii d = dword (4b) c = dword (4b) + ascii q = qword (8b)
f = floating point (single precision - 4b) D = floating point (double precision - 8b)
b = binary + byte d = binary + dword
e*
e[ b | w | d | q | f | D ] Addr Value
e[ a | u | za | zu ] Addr "String"
Edit memory b = byte w = word (2b) d = dword (4b) q = qword (8b)
f = floating point (single precision - 4b) D = floating point (double precision - 8b)
a = ascii string za = ascii string (NULL-terminated) u = Unicode string zu = Unicode string (NULL-terminated)
ds, dS ds [/c #] [Addr] dS [/c #] [Addr]
Dump string struct (struct! not null-delimited char sequence) s = STRING or ANSI_STRING S = UNICODE_STRING
d*s dds [/c #] [Addr] dqs [/c #] [Addr]
Display words and symbols (memory at Addr is assumed to be a series of addresses in the symbol table) dds = dwords (4b) dqs = qwords (8b)
dd, dq, dp*
dd* dq* dp*
da du d*p
Display referenced memory = display pointer at specified Addr, dereference it, and then display the memory at the resulting location in a variety of formats.
the 2nd char determines the pointer size used: dd* -> 32-bit pointer used dq* -> 64-bit pointer used dp* -> standard size: 32-bit or 64-bit, depending on the CPU architecture
the 3rd char determines how the dereferenced memory is displayed: da -> dereferenced mem as asci chars du -> dereferenced mem as Unicode chars d*p -> dereferenced mem as dword or qword, depending on the CPU architecture. If this value matches any known symbol, this symbol is displayed as well.
dl dl[b] Addr MaxCount Size
Display linked list (LIST_ENTRY or SINGLE_LIST_ENTRY) b = dump in reverse order (follow BLinks instead of FLinks) Addr = start address of the list MaxCount = max # elements to dump Size = Size of each element
Use !list to execute some command for each element in the list.
!address
!address -? !address Addr !address -summary !address -RegionUsageXXX
Display info about the memory used by the target process Brief help Dump info for region with Addr Dump summary info for process Dump specified regions (RegionUsageStack, RegionUsagePageHeap, ..)
!vprot !vprot -? !vprot Addr
Brief Help Dump virtual memory protection info
s
s Range Pattern
s -[Flags]b Range Pattern
s -[Flags]w Range 'Pattern' s -[Flags]d Range 'Pattern' s -[Flags]q Range 'Pattern'
s -[Flags]a Range "Pattern" s -[Flags]u Range "Pattern"
s -[Flags,l length]sa Range s -[Flags,l length]su Range
s -[Flags]v Range Object
Search memory
b = byte (default value) Pattern = a series of bytes (numeric or ASCII chars)
w = word (2b) d = dword (4b) q = qword (8b) Pattern = enclosed in single quotation marks (for example, 'Tag7')
a = ascii string (must not be null-terminated) u = Unicode string (must not be null-terminated) Pattern = enclosed in double quotation marks (for example, "This string")
Search for any memory containing printable ascii strings Search for any memory containing printable Unicode strings Length = minimum length of such strings; the default is 3 chars
Search for objects of the same type. Object = Addr of a pointer to the Object or of the Object itself
Flags
w = search only writable memory 1 = output only addresses of search matches (useful if you are using the .foreach) Flags must be surrounded by a single set of brackets without spaces. Example: s -[swl 10]Type Range Pattern
.holdmem
.holdmem -a Range .holdmem -o .holdmem -c Range .holdmem -D .holdmem -d { Range | Address }
Hold and compare memory. The comparison is made byte-for-byte Memory range to safe Display all saved memory ranges Compares Range to all saved memory ranges Delete all saved memory ranges Delete specified memory ranges (any saved range containing Addr or overlapping with Range)
Collapse
c Addr (Addr+100) DestAddr compare 100 bytes at Addr with DestAddr c Addr L100 DestAddr -||-
m Addr L20 DestAddr move 20 bytes from Addr to DestAddr
f Addr L20 'A' 'B' 'C' fill specified memory location with the pattern "ABC", repeated several times
f Addr L20 41 42 43 -||-
s 0012ff40 L20 'H' 'e' 'l' 'l' 'o' search memory locations 0012FF40 through 0012FF5F for the pattern "Hello" s 0012ff40 L20 48 65 6c 6c 6f -||-
s -a 0012ff40 L20 "Hello" -||-
s -[w]a 0012ff40 L20 "Hello" search only writable memory
- Memory: Heap C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
!heap
!heap -?
!heap !heap -h !heap -h [HeapAddr | Idx | 0] !heap -v [HeapAddr | Idx | 0] !heap -s [HeapAddr | 0] !heap -i [HeapAddr] !heap -x [-v] Address !heap -l
Brief help
List heaps with index and HeapAddr List heaps with index and range (= startAddr(=HeapAddr), endAddr) Detailed heap info [Idx = heap Idx, 0 = all heaps] Validate heap [Idx = heap Idx, 0 = all heaps] Summary info, i.e. reserved and committed memory [Idx = heap Idx, 0 = all heaps] Detailed info for a block at given address Search heap block containing the address (v = search the whole process virtual space) Search for potentially leaked heap blocks
!heap -b, -B
!heap Heap -b [alloc | realloc | free] [Tag] !heap Heap -B [alloc | realloc | free]
Set conditional breakpoint in the heap manager [Heap = HeapAddr | Idx | 0] Remove a conditional breakpoint
!heap -flt !heap -flt s Size !heap -flt r SizeMin SizeMax
Dump info for allocations matching the specified size Filter by range
!heap -stat
!heap -stat !heap -stat -h [HeapHandle | 0]
Dump heap handle list Dump usage statistic for every AllocSize [HeapHandle = given heap | 0 = all heaps]. The statistic includes AllocSize, #blocks, TotalMem for each AllocSize.
!heap -p
!heap -p -? !heap -p !heap -p -h HeapHandle !heap -p -a UserAddr !heap -p -all
Extended page heap help Summary for NtGlobalFlag, HeapHandle + NormalHeap list ** Detailed info about a page heap with Handle Details of heap allocation containing UserAddr. Prints backtraces when available. Details of all allocations in all heaps in the process. The output includes UserAddr and AllocSize for every HeapAlloc call.
It seems that the following applies for windows XP SP2:
a) Normal heap
- CreateHeap -> creates a _HEAP
- AllocHeap -> creates a _HEAP_ENTRY
b) Page heap enabled (gflags.exe /i +hpa)
- CreateHeap -> creates a _DPH_HEAP_ROOT (+ _HEAP + 2x _HEAP_ENTRY)**
- AllocHeap -> creates a _DPH_HEAP_BLOCK
** With page heap enabled there will still be a _HEAP with two constant _HEAP_ENTRY's for every CreateHeap call.
T e r m D e s c r i p t i o n H e a p t y p e
HeapHandle = value returned by HeapCreate or GetProcessHeap For normal heap: HeapHandle == HeapStartAddr Normal & page HeapAddr = startAddr = NormalHeap Normal & page
UserAddr, UserPtr = value in the range [HeapAlloc...HeapAlloc+AllocSize] For normal heap this range is further within Heap[startAddr-endAddr] Normal & page
UserSize = AllocSize (value passed to HeapAlloc) Normal & page
_HEAP
= HeapHandle = HeapStartAddr For every HeapCreate a _HEAP struct is created. You can use "!heap -p -all" to get these addresses.
Normal heap
_HEAP_ENTRY For every^ HeapAlloc^ a _HEAP_ENTRY is created. You can use "!heap -p -all" to get these addresses. Normal heap
_DPH_HEAP_ROOT
= usually HeapHandle + 0x For every HeapCreate a _DPH_HEAP_ROOT is created. You can use "!heap -p -all" to get these addresses.
Page heap
_DPH_HEAP_BLOCK
For every HeapAlloc a _DPH_HEAP_BLOCK is created. You can use "!heap -p -all" to get these addresses. Page heap
Collapse
dt ntdll!_HEAP dump _HEAP struct
dt ntdll!_DPH_HEAP_ROOT
dump _DPH_HEAP_ROOT struct. Enable page heap. Then you can use "!heap -p -all" to get addresses of actual _DPH_HEAP_ROOT structs in your process.
dt ntdll! _DPH_HEAP_BLOCK
dump _DPH_HEAP_BLOCK struct. Enable page heap. Then you can use "!heap -p -all" to get addresses of actual _DPH_HEAP_BLOCK structs in your process.
!heap list all heaps with index and HeapAddr
!heap -h list all heaps with range information (startAddr, endAddr)
!heap -h 1 detailed heap info for heap with index 1 !heap -s 0 Summary for all heaps (reserved and committed memory, ..)
!heap -flt s 20 Dump heap allocations of size 20 bytes
Last Updated: 17 Feb 2009 Article Copyright 2009 by Robert Kuster Everything else Copyright © 2009 www.windbg.info
Between 1 November 2007 and 31 Januar 2009 this article was published on software.rkuster.com where it was viewed 28.705 times.
Visit http://windbg.info/doc/1-common-cmds.html to post and view comments on this article.
-threads -trm -trace INDEX -brk [INDEX]
global counters (WaitForSingleObject, HeapAllocation calls, ...) thread information + start parameters for child threads TerminateThread API log dump stack trace with INDEX. dump or set/reset break triggers.
- Logging extension (logexts.dll)
You must enable the following options for you image in GFlags: -> "Create user mode stack trace database" -> "Stack Backtrace: (Megs)" -> 10 -> It seems that you sometimes also need to check and specify the "Debugger" field in GFlags C m d V a r i a n t s / P a r a m s D e s c r i p t i o n
!logexts.help displays all Logexts.dll extension commands
!loge !loge [dir] Enable logging + possibly initialize it if not yet done. Output directory optional.
!logi Initialize (=inject Logger into the target application) but don't enable logging.
!logd Disable logging
!logo
!logo !logo [e|d] [d|t|v]
List output settings Enable/disable [d - Debugger, t - Text file, v - Verbose log] output. Use logviewer.exe to examine Verbose logs.
!logc
!logc !logc p # !logc [e|d] * !logc [e|d] # [#] [#]
List all categories List APIs in category # Enable/disable all categories Enable/disable category #
!logb !logb p !logb f
Print buffer contents to debugger Flush buffer to log files
!logm !logm !logm [i|x] [DLL] [DLL]
Display module inclusion/exclusion list Specify module inclusion/exclusion list
Collapse
Enable 19-ProcessesAndThreads and 22-StringManipulation logging:
!loge Enable logging !logc d * Disable all categories
!logc p 19 Display APIs of category 19
logc e 19 22 Enable category 19 and 22
!logo d v Disable verbose output !logo d t Disable text output
!logo e d Enable debugger output
