• Less commonly used WinDbg commands, part 2


    !chkimg nt  // checks whether the module's code in memory has been modified compared with the image on disk

    The dt command: dt -v also shows the size of a structure; dt -s xx nt!*xx* searches for structures whose size is xx.

    The !error extension decodes and displays information about an error value.

    The !irql extension displays the interrupt request level (IRQL) of a processor on the target computer before the debugger break.

    The !obja extension displays the attributes of an object in the object manager.

    The !obtrace extension displays object reference tracing data for the specified object. Object reference tracing must first be enabled with GFlags.

    The .process command specifies which process is used for the process context. With /i the switch is invasive and takes effect once execution resumes; after switching with /P (upper-case P), commands such as !peb and db read the memory of the switched-to process directly from WinDbg.

    The !stacks extension displays information about the kernel stacks.

    The !uniqstack extension displays all of the stacks for all of the threads in the current process, excluding stacks that appear to have duplicates. It has the same effect as ~*k.

    The !vprot extension displays virtual memory protection information. In user mode it is similar to !address.

    The !timer extension displays a detailed listing of all system timer use.

    !wdfkd.help, like ndiskd, displays information about WDF (framework-based) drivers.

    WinDbg kernel debugging: to break at a process's entry point when it starts, set
    bp nt!NtTestAlert "r $t0 = @@c++(((nt!_EPROCESS*)@$proc)->ActiveThreads); .if (@$t0 == 1) { r $t1 = @@c++(((nt!_ETHREAD*)@$thread)->Win32StartAddress); .printf \"Win32StartAddress: %x\\n\", @$t1; bp /p @$proc @$t1; g; } .else { g; }"
    The casts (nt!_EPROCESS*) and (nt!_ETHREAD*) in this command can be dropped, because @@c++ makes the C++ evaluator cast these variables automatically. Note also that typing ~5 as a plain command does not yield the bitwise complement of 5, whereas @@c++(~5) does.
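    The same entry-point breakpoint written as a readable script file, added here as an example (it is not from the original post). The file name is hypothetical, and the script relies on the behaviour described above: inside @@c++, @$proc and @$thread are already typed as nt!_EPROCESS* and nt!_ETHREAD*, so the explicit casts are omitted.

```windbg
$$ entrybp.wds (hypothetical file name) - runs each time nt!NtTestAlert is hit.
$$ Install with:  bp nt!NtTestAlert "$$><C:\\scripts\\entrybp.wds"
$$ $$>< loads the whole file as one block, so .if/.else may span several lines.
$$ Use $$ comments only: a * comment would swallow the rest of the condensed block.

$$ No (nt!_EPROCESS*) cast needed: @@c++ already types @$proc as nt!_EPROCESS*.
r $t0 = @@c++(@$proc->ActiveThreads)

.if (@$t0 == 1)
{
    $$ First thread of a freshly created process: its Win32StartAddress is the
    $$ image entry point. Again no (nt!_ETHREAD*) cast is required.
    r $t1 = @@c++(@$thread->Win32StartAddress)

    $$ %p prints a pointer-sized value, so this also works on 64-bit targets.
    .printf "Win32StartAddress: %p (EPROCESS %p)\n", @$t1, @$proc

    $$ /p makes the breakpoint private to this process, so other processes
    $$ reaching the same address do not stop.
    bp /p @$proc @$t1
    g
}
.else
{
    $$ Not the first thread of a new process: keep running.
    g
}
```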

    The .printf token behaves like the printf statement in C.

    For example: .printf "this is good %x fuck\n", 123

    $iment (Address) returns the address of the image entry point in the loaded module list. Address specifies the Portable Executable (PE) image base address. The entry is found by looking up the image entry point in the PE image header of the image that Address specifies. When this fails, it is usually because symbols are not loaded; .reload often fixes it.

    The .closehandle command closes a handle owned by the target application.


    ======================

    The !cchelp extension displays some brief Help text in the Debugger command window for some of the cache management extensions.

    The !poolused extension displays memory use summaries, based on the tag used for each pool allocation. This can be used to track down driver memory leaks, though MSDN recommends the poolmon tool for that.

    The !poolfind extension finds all instances of a specific pool tag in either nonpaged or paged memory pools.

    The !pool extension displays information about a specific pool allocation or about the entire system-wide pool.

    The ob, ow, and od commands send a byte, word, or double word to the selected port.

    The !memusage extension displays summary statistics about physical memory use.

    The !lookaside extension displays information about look-aside lists, resets the counters of look-aside lists, or modifies the depth of a look-aside list.

    The !exqueue extension displays a list of items currently queued in the ExWorkerQueue work queues.

    The !filecache extension displays information regarding the system file cache memory and PTE use.

    The !finddata extension displays the cached data at a given offset within a specified file object. Usage: !finddata FileObject Offset

    The !locks extension in Kdextx86.dll and Kdexts.dll displays information about kernel ERESOURCE locks.

    The !findstack extension locates all of the stacks that contain a specified symbol or module. (user mode)

    The !exchain extension displays the current exception handler chain. // user mode

    The !for_each_process extension executes the specified debugger command once for each process in the target. 

    The !for_each_frame extension executes a debugger command one time for each frame in the stack of the current thread.

    The .crash command causes the target computer to issue a bug check.

    The !tls extension displays a thread local storage (TLS) slot.

    The !dbgprint extension displays a string that was previously sent to the DbgPrint buffer.

    The !dblink extension displays a linked list in the backward direction; !dflink walks it in the forward direction.

    The !deadlock extension displays information about deadlocks collected by the Deadlock Detection option of Driver Verifier.

    The !devhandles extension displays the open handles for the specified device.

    The !dh extension displays the headers for the specified image. 

    The !dpcs extension displays the deferred procedure call (DPC) queues for a specified processor. 

  • Original URL: https://www.cnblogs.com/kkindof/p/2542351.html