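| Command | Description |
| --- | --- |
| Help commands | |
| ? | Displays the regular commands; ? /D displays them in DML (Debugger Markup Language) |
| .help | .help displays the . (dot) commands; .help /D displays the dot commands in DML; .help /D a* displays, in DML, all dot commands that begin with the letter 'a' |
| .hh command | Shows the help documentation entry for that command |
| !help | Lists the extension commands; for example, !help dumpheap shows the help for the dumpheap command |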
| Symbol and Source Commands | |
| .symfix | fix symbol search path |
| .sympath +symbol path | Adds a symbol file path |
| .sympath symbolpath1;symbolpath1 | Sets the symbol path; with no argument, displays the current symbol path setting |
| .reload | reloads symbol information |
| ld kernel32 | load symbols for kernel32.dll |
| ld * | load symbols for all modules |
| !sym noisy | instructs the debugger to display information about its search for symbols |
| .srcpath | get/set path for source-file search |
| .srcpath+ XY | append XY directory to the searched source path |
| Meta-commands | |
| .cls | Clears the Command window |
| .load dllfullpath | Loads a debugger extension DLL such as SOS, sosex or psscor, for example .load psscor4. For details on psscor4 see https://www.microsoft.com/en-us/download/details.aspx?id=21255 |
| .loadby dll moduleName | Loads a debugger extension DLL located in the same directory as the DLL of the specified module, for example .loadby sos clr. Use lm to list all loaded modules |
| x kernel32!* | examine and list all symbols in kernel32 |
| x kernel32!*LoadLibrary* | list all symbols in kernel32 which contain *LoadLibrary* |
| dt ntdll!* | display all variables in ntdll |
| Process and Module Information Commands | |
| !peb | displays a formatted view of the information in the process environment block (PEB) |
| dt nt!_PEB Addr | full PEB dump |
| lm | Lists the currently loaded modules |
| !dlls | Display list of loaded modules with loader specific information (entry point, load count) |
| !dh kernel32 | display the headers for kernel32 |
| Retrieving Thread Information | |
| ~ | Thread status for all threads |
| ~* | thread status for all threads with some extra info (priority, StartAddress) |
| ~* k | call stacks for all threads (similar to !uniqstack) |
| ~<threadID> | Thread status for thread <threadID> |
| ~. | Thread status for current active thread |
| ~<threadID>s | Sets the current thread to <threadID> |
| !gle | Get Last Error |
| !runaway | Shows the time consumed by each thread; a quick way to find which thread has used the most CPU time |
| !teb | displays a formatted view of the information in the thread environment block (TEB) |
| dt nt!_TEB Addr | full TEB dump |
| DML commands | Debugger Markup Language. Allows debugger output to include directives and extra non-display information in the form of tags. DML.doc under install directory has details |
| .dml_start | Kick-off point to other DML commands |
| .prefer_dml | sets the default behavior for commands that are capable of providing output in the Debugger Markup Language (DML) format. |
| .chain /D | .chain has a new DML mode where extensions are linked to a .extmatch |
| .help /D a* | .help has a new DML mode where a top bar of links is given |
| Stack and Heap commands | |
| !findstack MyStack 2 | locates all call-stacks that contain MyStack |
| !uniqstack | Display call-stacks for all of the threads in the current process |
| k | Displays the call stack of the current thread |
| kP | P == full parameters for each function called |
| kf | f == distance between adjacent frames to be displayed (useful to check stack consumption of each frame) |
| kv | v == display FPO information + calling convention |
| kb | b == display the first three parameters passed to each function |
| kM | Output in DML format; frame numbers link to a .frame/dv command which displays locals for the frame |
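| .dump | Dumps the process to create a dump file; typically .dump /ma or .dump /mf is used. Use .dump /? to see the help |
| .chain | Lists all loaded WinDbg extension DLLs |
| k | Displays the stack frames of the thread |
| ![ExtensionDLL.]help [-v][CommandName] | Displays help for the commands exported by an extension DLL, for example !exts.help -v |
| ~<threadId>s | Switches to the thread specified by the thread ID |
| !threadpool | Shows thread pool information |
| !runaway | Shows thread run-time information |
| !clrstack | Shows the CLR thread stack |
| !Name2EE <module name> <type or method name> or !Name2EE <module name>!<type or method name> | Gets the method table and EEClass from a method name or class name |
| !DumpMT [-MD] <MethodTable address> | Outputs the list of methods defined in the class. The method table represents the behavior of the class; its EEClass field points to the EEClass structure |
| !DumpMD <MethodDesc address> | Displays the method descriptor information |
| !IP2Md <Code address> | Gets the method descriptor from a managed code address |
| !DumpIL <Managed DynamicMethod object> \| <DynamicMethodDesc pointer> \| <MethodDesc pointer> \| /i <IL pointer> | Outputs the IL code of the managed code |
| !DumpDomain [<Domain address>] | Dumps information about the application domain |
| !DumpAssembly <Assembly address> | Outputs information about the assembly |
| !SaveModule <Base address> <Filename> | This command allows you to take an image loaded in memory and write it to a file |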
| !EEHeap [-gc] [-loader] | enumerates process memory consumed by internal CLR data structures. You can limit the output by passing "-gc" or "-loader". All information will be displayed otherwise. |
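| !DumpHeap | Outputs information about the garbage-collected heap; !DumpHeap -type <class type> shows the object instances of that type, including their addresses |
| !DumpObj <object address> | Outputs the actual contents of the object |
| !DumpStackObjects | Outputs the objects on the current stack |
| !ObjSize <object address> | Shows the size of the object, including the child objects it references |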
| !GCRoot [-nostacks] <Object address> | !GCRoot looks for references (or roots) to an object. These can exist in four places: 1. On the stack 2. Within a GC Handle 3. In an object ready for finalization 4. As a member of an object found in 1, 2 or 3 above. |
| !sosex.refs objAddr | Lists all references held by the specified object, and all references to the specified object (searches heaps, stacks, registers, handle tables and the freachable queue) |
| !sosex.dumpgen 0\|1\|2 | Outputs the heap objects of the generation given by the argument |
| !dumpheap -type classType -stat | Outputs statistics for the specified type |