Introduction to common WinDbg commands (part 2)


b: breakpoint commands

bp/bu/bm: software breakpoints

bp sets an ordinary breakpoint (the address must resolve now)
bu sets an unresolved (deferred) breakpoint; use it when the module containing the address has not been loaded yet
bm sets breakpoints on every symbol that matches a pattern

0:000> bp kernel32!LoadlibraryA
0:000> bp kernel32!LoadlibraryA+5
0:000> bu kernel32!LoadlibraryW
0:000> ~2 bp kernel32!GetProcAddress //set this breakpoint for thread 2 only

ba: hardware (data access) breakpoints

ba uses the CPU debug registers and fires when an address is accessed rather than when code at it is executed: ba r4 <address> breaks on a 4-byte read or write, ba w4 <address> on a write, ba e1 <address> on execution. Because x86 has only four debug address registers, at most four ba breakpoints can be active at once.

bl: list breakpoints

Each row shows the breakpoint number, its status (e = enabled, d = disabled), the address, the remaining pass count with the initial pass count in parentheses, the process and thread it applies to (0:**** = any thread of process 0, 0:~002 = thread 2 only) and the symbol.

0:000> bl
 0 e 7c801d7b     0001 (0001)  0:**** kernel32!LoadLibraryA
 1 e 7c801d80     0001 (0001)  0:**** kernel32!LoadLibraryA+0x5
 2 e 7c80aedb     0001 (0001)  0:**** kernel32!LoadLibraryW
 3 e 7c80ae30     0001 (0001)  0:~002 kernel32!GetProcAddress

bc: clear breakpoints

0:005> bc 1 //clear breakpoint number 1
0:005> bl
 0 e 7c801d7b     0001 (0001)  0:**** kernel32!LoadLibraryA
 2 e 7c80aedb     0001 (0001)  0:**** kernel32!LoadLibraryW
 3 e 7c80ae30     0001 (0001)  0:~002 kernel32!GetProcAddress
0:005> bc* //clear all breakpoints
0:005> bl

br: renumber a breakpoint

0:005> bl
 0 e 7c801d80     0001 (0001)  0:**** kernel32!LoadLibraryA+0x5
0:005> br 0 5
Breakpoint 0 renamed to 5
0:005> bl
 5 e 7c801d80     0001 (0001)  0:**** kernel32!LoadLibraryA+0x5

bd/be: disable/enable a breakpoint (the status column in bl changes from e to d and back)

0:005> bd 5
0:005> bl
 5 d 7c801d80     0001 (0001)  0:**** kernel32!LoadLibraryA+0x5
0:005> be 5
0:005> bl
 5 e 7c801d80     0001 (0001)  0:**** kernel32!LoadLibraryA+0x5

Setting conditional breakpoints

0:005> bp kernel32!GetProcAddress "j (poi(esp+4)=0x01000000) '';'gc'" //break when the first argument equals 0x01000000, otherwise continue
//0:005> bp kernel32!GetProcAddress ".if (poi(esp+4)=0x01000000) {} .else {gc}"  equivalent to the line above
0:005> bl
 0 e 7c80ae30     0001 (0001)  0:**** kernel32!GetProcAddress "j (poi(esp+4)=0x01000000) '';'gc'"

//condition on a string argument
0:005> bp kernel32!GetProcAddress "as /ma ${/v:ProcName} poi(esp+8);.if ($scmp(\"${ProcName}\",\"TestFunc\")==0) {} .else {gc}"
//use $sicmp for a case-insensitive comparison
//use $spat for wildcard matching
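The script below is an added illustration, not part of the original post, that puts the conditional-breakpoint techniques above to defensive use: tracing which libraries and functions a suspicious process resolves at run time, a routine step in dynamic malware analysis. It assumes a 32-bit x86 target using stdcall, so that at function entry poi(esp) is the return address and poi(esp+4), poi(esp+8) are the first two arguments; the file paths are placeholders. It is loaded into WinDbg with $$>< followed by the script path.

```windbg
$$ Added example (not from the original post): API-resolution tracing for dynamic analysis.
$$ Assumptions: 32-bit x86 target, stdcall, breakpoints at function entry so that
$$ poi(esp) = return address, poi(esp+4) = 1st argument, poi(esp+8) = 2nd argument.
$$ Paths are placeholders. Load the file with:  $$>< C:\scripts\trace_api.txt

$$ Send everything that follows to a log file; /t adds date, time and process id to the name.
.logopen /t C:\logs\api_trace.log

$$ Start from a clean breakpoint list.
bc *

$$ LoadLibraryA/W: print the module name and the caller's return address, then
$$ continue. %ma formats an ANSI string at an address, %mu a Unicode string, %p a pointer.
$$ bu is used so the breakpoints are kept even if kernel32 has not resolved yet.
bu kernel32!LoadLibraryA ".printf \"LoadLibraryA(%ma) called from %p\\n\", poi(esp+4), poi(esp); gc"
bu kernel32!LoadLibraryW ".printf \"LoadLibraryW(%mu) called from %p\\n\", poi(esp+4), poi(esp); gc"

$$ GetProcAddress: lpProcName (esp+8) is either a string pointer or an ordinal
$$ (a value below 0x10000), so the ordinal case is handled before anything reads
$$ it as a string. For names, the alias ProcName is assigned with 'as /ma' and
$$ consumed inside a .block: aliases are expanded when a block is entered, not
$$ when 'as' runs, so the .block is what makes the fresh value visible on the
$$ same line. The alias is deleted again on both paths so the next hit starts clean.
$$ $spat is a case-insensitive wildcard match; the breakpoint stops only on names
$$ matching Crypt* and continues (gc) for everything else.
bu kernel32!GetProcAddress ".if (poi(esp+8) < 0x10000) { .printf \"GetProcAddress(%p, ordinal %d)\\n\", poi(esp+4), poi(esp+8); gc } .else { as /ma ${/v:ProcName} poi(esp+8); .block { .printf \"GetProcAddress(%p, %ma)\\n\", poi(esp+4), poi(esp+8); .if ($spat(\"${ProcName}\", \"Crypt*\")) { ad ${/v:ProcName} } .else { ad ${/v:ProcName}; gc } } }"

$$ Check what was installed (bu entries show as unresolved until kernel32 loads).
bl
```

On a 64-bit target the first two arguments arrive in rcx and rdx, so poi(esp+4) and poi(esp+8) become @rcx and @rdx while the format strings stay the same. The log produced by the .printf lines is the artifact of interest for an analyst: it records the sample's dynamically resolved imports, which static import tables do not show.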

x: examine symbols

0:005> x kernel32!* //list every symbol in the kernel32 module; * is a wildcard
7c801160 kernel32!_imp__NtFindAtom = <no type information>
7c825e00 kernel32!c_PmapEntries_apphelp = <no type information>
7c863ca4 kernel32!GetThreadTimes = <no type information>
7c855154 kernel32!c_PmapEntries_cryptui = <no type information>
7c87b813 kernel32!InsertPreComposedForm = <no type information>
7c85f578 kernel32!GlobalCompact = <no type information>
7c8010e4 kernel32!_imp___allmul = <no type information>
7c81736e kernel32!OpenSection = <no type information>
......

0:005> x kernel32!loadlibrary* //symbols related to loading modules
7c801af5 kernel32!LoadLibraryExW = <no type information>
7c801d7b kernel32!LoadLibraryA = <no type information>
7c80aedb kernel32!LoadLibraryW = <no type information>
7c801d53 kernel32!LoadLibraryExA = <no type information>

ln: list nearest symbols

0:022> ln 7c92124c 
(7c921225)   ntdll!RtlInitString+0x27   |  (7c92125d)   ntdll!RtlInitAnsiString
//Look up the symbol at address 7c92124c: it lies inside ntdll!RtlInitString (RtlInitString+0x27), and the next symbol after this address is ntdll!RtlInitAnsiString

dt: display a structure (display type)

lkd> dt nt!_KPROCESS 88ba47e8 //display the _KPROCESS structure at 88ba47e8 (lkd> is a local kernel debugging session)
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY [ 0x88ba47f8 - 0x88ba47f8 ]
   +0x018 DirectoryTableBase : [2] 0x9f602a0
   +0x020 LdtDescriptor    : _KGDTENTRY
   +0x028 Int21Descriptor  : _KIDTENTRY
   +0x030 IopmOffset       : 0x20ac
   +0x032 Iopl             : 0 ''
   +0x033 Unused           : 0 ''
   +0x034 ActiveProcessors : 0
   +0x038 KernelTime       : 5
   +0x03c UserTime         : 1
   +0x040 ReadyListHead    : _LIST_ENTRY [ 0x88ba4828 - 0x88ba4828 ]
   +0x048 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x04c VdmTrapcHandler  : (null) 
   +0x050 ThreadListHead   : _LIST_ENTRY [ 0x88bc61d0 - 0x88c6dc00 ]
   +0x058 ProcessLock      : 0
   +0x05c Affinity         : 3
   +0x060 StackCount       : 0
   +0x062 BasePriority     : 8 ''
   +0x063 ThreadQuantum    : 6 ''
   +0x064 AutoAlignment    : 0 ''
   +0x065 State            : 0x1 ''
   +0x066 ThreadSeed       : 0x1 ''
   +0x067 DisableBoost     : 0 ''
   +0x068 PowerState       : 0 ''
   +0x069 DisableQuantum   : 0 ''
   +0x06a IdealNode        : 0 ''
   +0x06b Flags            : _KEXECUTE_OPTIONS
   +0x06b ExecuteOptions   : 0x32 '2'

?: evaluate an expression (? on its own prints the command help)

Arithmetic (the default radix is 16, so the 0x prefix is optional)

0:005> ? 0x1024*0x30
Evaluate expression: 198336 = 000306c0

Get the decimal and hexadecimal forms of a number

0:005> ? 0x40
Evaluate expression: 64 = 00000040
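As an added example that is not from the original post, the session below walks through the expression syntax that ? evaluates. It is the same MASM syntax used inside the conditional breakpoints earlier, so ? is the place to test a condition before putting it into a bp string. Outputs that depend on the live target are omitted; the constant ones are shown as WinDbg prints them. A 32-bit x86 target is assumed.

```windbg
$$ Radix prefixes: the default radix is 16, so a bare number is hexadecimal.
0:005> ? 200
Evaluate expression: 512 = 00000200
$$ 0n = decimal
0:005> ? 0n200
Evaluate expression: 200 = 000000c8
$$ 0y = binary
0:005> ? 0y1010
Evaluate expression: 10 = 0000000a
$$ Prefixes can be mixed in one expression.
0:005> ? 0x10 + 0n16 - 0y1
Evaluate expression: 31 = 0000001f
$$ Comparisons return 1 or 0; '=' and '==' are both equality in MASM.
0:005> ? 0x40 = 0n64
Evaluate expression: 1 = 00000001
$$ Registers are written @name (the @ is optional but avoids clashes with symbols).
$$ poi() reads a pointer-sized value; by(), wo() and dwo() read 1, 2 and 4 bytes.
0:005> ? @esp + 4
0:005> ? poi(@esp + 4)
0:005> ? by(@esp)
$$ This is exactly the condition of the conditional breakpoint above: evaluate it
$$ here first. 1 means the breakpoint would stop, 0 means it would gc.
0:005> ? poi(@esp+4) = 0x01000000
$$ .formats shows one value in every representation (hex, decimal, octal, binary, chars).
0:005> .formats 0n65
$$ n changes the default radix for later commands; n 16 restores the default.
0:005> n 10
0:005> n 16
```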

r: register commands

Read a register

0:005> r eax
eax=7ffd9000

Assign a value to a register (the value is hexadecimal by default, so 200 becomes 0x200)

0:005> r eax = 200
0:005> r eax
eax=00000200

Show all current register values

0:005> r
eax=00000200 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=0247ffcc ebp=0247fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3

k: display the current thread's call stack

0:005> k
ChildEBP RetAddr  
0247ffc8 7c970010 ntdll!DbgBreakPoint
0247fff4 00000000 ntdll!DbgUiRemoteBreakin+0x2d

kv: display more detail (arguments passed to each child frame and FPO information)

0:005> kv
ChildEBP RetAddr  Args to Child              
0247ffc8 7c970010 00000005 00000004 00000001 ntdll!DbgBreakPoint (FPO: [0,0,0])
0247fff4 00000000 00000000 00000000 00000000 ntdll!DbgUiRemoteBreakin+0x2d (FPO: [Non-Fpo])

~: thread commands

~.: show the current thread

0:005> ~.
.  5  Id: 73c.dc Suspend: 1 Teb: 7ffdd000 Unfrozen
      Priority: 0  Priority class: 32  Affinity: 3

~*: show all threads

0:005> ~*
   0  Id: 73c.478 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: FeiQ+0x92588b (00d2588b) 
      Priority: 0  Priority class: 32  Affinity: 3
   1  Id: 73c.7c8 Suspend: 1 Teb: 7ffde000 Unfrozen
      Priority: 0  Priority class: 32  Affinity: 3
   2  Id: 73c.548 Suspend: 1 Teb: 7ffdc000 Unfrozen
      Start: gdiplus!BackgroundThreadProc (4aea72b0) 
      Priority: 0  Priority class: 32  Affinity: 3
   3  Id: 73c.354 Suspend: 1 Teb: 7ffdb000 Unfrozen
      Start: FeiQ+0xf4df0 (004f4df0) 
      Priority: 0  Priority class: 32  Affinity: 3
   4  Id: 73c.450 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: mswsock!SockAsyncThread (719cd33a) 
      Priority: 1  Priority class: 32  Affinity: 3
.  5  Id: 73c.dc Suspend: 1 Teb: 7ffdd000 Unfrozen
      Priority: 0  Priority class: 32  Affinity: 3

~<id> s: set the current thread

0:005> ~1 s //switch the current thread from thread 5 to thread 1
eax=00000001 ebx=00000000 ecx=7ffde000 edx=001530c4 esi=00153088 edi=001530c4
eip=7c92e4f4 esp=0246fe18 ebp=0246ff80 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret

Display a specified thread's stack

0:001> ~2 kv //stack of thread 2
ChildEBP RetAddr  Args to Child              
026bfe50 7c92df2c 7c809574 00000002 026bfe7c ntdll!KiFastSystemCallRet (FPO: [0,0,0])
026bfe54 7c809574 00000002 026bfe7c 00000001 ntdll!NtWaitForMultipleObjects+0xc (FPO: [5,0,0])
026bfef0 77d195f9 00000002 026bff18 00000000 kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
026bff4c 77d196a8 00000001 026bffac ffffffff USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
026bff68 4aea730c 00000001 026bffac 00000000 USER32!MsgWaitForMultipleObjects+0x1f (FPO: [Non-Fpo])
026bffb4 7c80b713 00000000 00000000 0012b9a0 gdiplus!BackgroundThreadProc+0x59 (FPO: [Non-Fpo])
026bffec 00000000 4aea72b0 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

Display every thread's stack

0:001> ~* kv //useful when diagnosing thread problems

   0  Id: 73c.478 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  Args to Child              
0012bc70 77d191be 77d191f1 0017d780 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012bc90 00b9b204 0017d780 00000000 00000000 USER32!NtUserGetMessage+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bcd4 00b8460b 00000004 b05b9abe 00fd8f40 FeiQ+0x79b204
0012bd20 007a7eb5 b05bd882 00fd8b40 00fd8b40 FeiQ+0x78460b
0012ff1c 00d77169 00320035 00000000 7ffd9000 FeiQ+0x3a7eb5
0012ff30 00d25838 00400000 00000000 00020612 FeiQ+0x977169
0012ffc0 7c817067 00320035 00340036 7ffd9000 FeiQ+0x925838
0012fff0 00000000 00d2588b 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

   1  Id: 73c.7c8 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr  Args to Child              
0246fe14 7c92da8c 77e565e3 00000168 0246ff74 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0246fe18 77e565e3 00000168 0246ff74 00000000 ntdll!ZwReplyWaitReceivePortEx+0xc (FPO: [5,0,0])
0246ff80 77e56caf 0246ffa8 77e56ad1 00153088 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x12a (FPO: [Non-Fpo])
0246ff88 77e56ad1 00153088 00000000 0012f7fc RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
0246ffa8 77e56c97 00181be8 0246ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0x79 (FPO: [Non-Fpo])
0246ffb4 7c80b713 0018c278 00000000 0012f7fc RPCRT4!ThreadStartRoutine+0x1a (FPO: [Non-Fpo])
0246ffec 00000000 77e56c7d 0018c278 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
...... 

|: debugged-process commands

Show the process currently being debugged

0:001> |.
.  0	id: 73c	attach	name: D:\Tools\FeiQ.exe

Show all processes being debugged

0:000> |*
.  0    id: b40    create    name: notepad.exe
   1    id: 878    attach    name: D:\Tools\SysinternalsSuite\procexp.exe

|<id> s: set the current process

0:001> |1 s //I only have this one process under the debugger, haha
        ^ Illegal process error in '|1 s'


Please credit the source when reposting. ddlx studio (点点灵犀). http://blog.youkuaiyun.com/sunyikuyu

