Wednesday, May 02, 2012

Updated Archive of the NtDebugging Twitter Debug Tips

Every Wednesday (usually) we post a debug tip to our Twitter page, ntdebugging. This blog post is an archive of these tips so that our readers can find this information easily. Periodically we post an updated blog with the current archive. Follow us on Twitter if you want to see the new tips as we post them.

The goal of these tips is to share debug commands, and forms of commands (parameters, flags, etc.), that we in Platforms Global Escalation Services find useful. I hope you can add these commands to your toolkit and that they will help you debug more efficiently.


!thread/!process [address] e - on x64 will not show you the meaningless Args to Child information.

.frame /c [FrameNumber] - sets context to the specified stack frame. On x64 provides more reliable register information than .trap.

kn - Dumps call stack with frame numbers, easier than counting stacks for .frame.

.frame /r [FrameNumber] - same as .frame /c, but shows registers without changing context.

Note: With .frame /c or /r you can only trust the nonvolatile registers. See for vol/nonvol regs.

k=rbp rip FrameCount - Dumps call stack starting at rbp/rip on x64. Useful when the stack is corrupt.

.process/.thread /p /r [address] - sets new process context, sets .cache forcedecodeuser, and reloads user symbols.

!process [address] 17 - Sets the context for this command, avoids the need for .process to see user stacks. Try !process 0 17

~~[ThreadID]s - Changes threads in user mode. Use Thread ID number from output such as !locks. Ex: ~~[1bd4]s

runas /netonly /u:<account> windbg.exe - Launch windbg with domain account. Use when dbg computer isn't in domain and symbol server is.

!heap -p -a <address> - Shows information about the heap block containing <address>, even if you aren't using pageheap.

ub - Unassembles starting at a location prior to your address. Accepts l<number> to specify how many instructions to go back. ub . l20

!stacks 2 [FilterString] - Finds kernel mode call stacks that contain the FilterString in a symbol.

Read more: NtDebugging