File: /home/xml/desktop/working - Windbg Page 1 of 2

1. To enable kernel debugging in Windows, use the bcdedit command to turn the debug setting on and restart.
2. In WinDbg, choose the Local kernel debug option under File > Kernel Debug to debug the local system without a remote target.
3. The dt command can be used to display the format of kernel data structures like _EPROCESS without specifying an address.
4. There are different types of commands in WinDbg: regular commands apply to the debugging session, meta commands prefixed with a dot apply to the debugger itself, and extension commands prefixed with an exclamation mark are defined in extensions.


File: /home/xml/Desktop/working_windbg Page 1 of 2

1. To enable kernel debug

- open cmd (elevated; bcdedit needs administrator rights)
- type "bcdedit /debug on"
- restart for effect

2. Choose local kernel debug

- Ctrl+K, or File > Kernel Debug
- Choose the last tab: Local

3. Symbols (Microsoft now only supports the online symbol server; the offline symbol packages can no longer be downloaded)

- In the command window, type:

.sympath+ srv*c:\symbols*https://msdl.microsoft.com/download/symbols
.reload

- Or press Ctrl+S (Symbol File Path) and paste the path:

srv*c:\symbols*https://msdl.microsoft.com/download/symbols

- Test with the following commands:

dt nt!_eprocess
dt nt!_kprocess

4. List all _EPROCESS structures and their start addresses

!process 0 0

Because the KPROCESS is the first member of the EPROCESS, the address of an EPROCESS also works as the address of its KPROCESS.

5. dt command

- dt: display type
The dt command used as shown above displays the layout of the selected structure type, not the contents of any particular instance of that type; to dump an instance, give dt the address of that instance as well.

6. There are different kinds of commands in WinDbg.

- Regular commands, e.g. kb, apply to the debugging session (show a stack dump, etc.).

- Meta commands are prefixed with a dot, e.g. .load. They apply to the debugger itself (load extensions, show help, and so forth).

- Extension commands are prefixed with an exclamation mark, e.g. !analyze and !dumpheap. They are defined in debugger extensions (DLLs that provide additional functionality).

7. !dp: display pointer

!dp already performs a dt command internally

8. Getting started with kernel mode

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-

9. Getting started with user mode

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg

10. Analyst's Perspective: Analyzing User Mode State from a Kernel Connection
https://www.osronline.com/article.cfm%5Earticle=576.htm

11. !lmi nt

lmi: loaded module information (detailed information about one module, here nt)

12. Debugging a driver

https://www.easefilter.com/Forums_Files/kernel_debugging_tutorial.htm

13. Good cheat sheet
https://github.com/repnz/windbg-cheat-sheet

14. !process - dump current process information

!process 123 - dump the process with Cid 0x123 (the client id in kernel context, the process id in user context; the argument is read in the default radix, hex, so 123 means 0x123)

15. Change the implicit process

lkd> .process fffffa8005a5a060
Implicit process is now fffffa80`05a5a060

lkd> !peb
PEB at 000007fffffd5000
error 1 InitTypeRead( nt!_PEB at 000007fffffd5000)...
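As an added example (not part of these notes), a small Python parser that reads a `!process 0 0` listing, extracts each EPROCESS start address, Cid and PEB as described in items 4 and 14, and builds the `.process <address>` command from item 15 for a given PID. The sample listing is constructed in the lkd output layout, not captured from a real system.

```python
import re
from dataclasses import dataclass

# Constructed sample in the '!process 0 0' layout (not captured from a real system).
SAMPLE_LISTING = """\
PROCESS fffffa8003a7a040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a0000017b0  HandleCount: 545.
    Image: System

PROCESS fffffa8005a5a060
    SessionId: 1  Cid: 0123    Peb: 7fffffd5000  ParentCid: 0310
    DirBase: 3c6ca000  ObjectTable: fffff8a00b1f3b30  HandleCount: 162.
    Image: notepad.exe
"""

@dataclass
class ProcessEntry:
    eprocess: int  # _EPROCESS start address; also valid as the _KPROCESS address
    cid: int       # Cid == user-mode PID; WinDbg prints it in hex
    peb: int       # user-mode PEB address, what !peb reads after .process
    image: str

_HEADER = re.compile(r"^PROCESS\s+([0-9a-fA-F`]+)\s*$")
_IDS = re.compile(r"Cid:\s*([0-9a-fA-F]+)\s+Peb:\s*([0-9a-fA-F]+)")
_IMAGE = re.compile(r"Image:\s*(\S.*?)\s*$")

def parse_process_listing(text: str) -> list:
    """Walk the listing line by line; each PROCESS block becomes one ProcessEntry."""
    entries, current = [], {}
    for line in text.splitlines():
        if m := _HEADER.match(line.strip()):  # new block; drop WinDbg's backtick separator
            current = {"eprocess": int(m.group(1).replace("`", ""), 16)}
        elif (m := _IDS.search(line)) and current:
            current["cid"], current["peb"] = int(m.group(1), 16), int(m.group(2), 16)
        elif (m := _IMAGE.search(line)) and current:  # last field we need: emit the entry
            current["image"] = m.group(1)
            entries.append(ProcessEntry(**current))
            current = {}
    return entries

def process_switch_command(entries: list, pid: int):
    """Return the '.process <EPROCESS>' command that makes `pid` the implicit process,
    or None if the PID is not in the listing. `pid` is compared against the hex Cid."""
    for e in entries:
        if e.cid == pid:
            return f".process {e.eprocess:016x}"
    return None
```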
