Windbg
Commands
General
set breakpoint (on an already resolved address or function):
bp <addr>
set unresolved breakpoint (deferred until the module that provides the symbol is loaded):
bu <addr>
set hardware breakpoint (on execute, read or write of <size> bytes at <addr>):
ba <e|r|w> <size> <addr>
enable/disable breakpoint:
be <id> / bd <id>
clear breakpoint (bc * clears all):
bc <id>
list breakpoints:
bl
exception info (verbose):
!analyze -v
memory mapping:
!address
heap info:
!heap
dereference pointer
poi(<addr>)
dump call stack:
k
continue:
g
step over:
p
step into:
t
finish function:
pt
continue until next branch:
ph
search memory:
s -a 0 L?80000000 "<string>"
searches the entire 32-bit user address space for the ASCII string (-a); use -u for Unicode. The L? form allows a range larger than the default 256 MB limit.
show specific module:
lm m <modulename>
show all modules:
lm
Show current exception handler:
!exchain
Load WinDbg script (the file is condensed into one command block, so multi-line .if/.else blocks work):
$><path\to\script.txt
Convert number to different formats
.formats <number>
Show memory protections of the page containing an address
!vprot <addr>
Displaying Data
disassemble:
u <addr>
disassemble whole function:
uf <addr>
disassemble at symbol:
u kernel32!GetCurrentThread
dump memory (qwords, dwords, words, bytes):
dq <addr>
dd <addr>
dw <addr>
db <addr>
dump memory, show ASCII alongside (dwords / words):
dc <addr>
dW <addr>
(add e.g. L2 at the end to limit the amount displayed)
dump structures (display type):
dt <symbol> <addr>
e.g. dt ntdll!_TEB @$teb ($teb is a pseudo register holding the TEB address); to expand nested structures use dt -r <symbol> @$teb
show size of struct:
?? sizeof(<symbol>)
dump registers:
r
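A worked structure walk built from the commands above, added here as an example and not part of the original page: it starts from the typed $teb/$peb pseudo-registers, reaches the first entry of the loader's module list, and then dumps the stack through the architecture-neutral $csp pseudo-register. Type and field names are those of ntdll's public symbols; the string searched for and the "<hit>" placeholder are assumptions for illustration.

```windbg
$$ Added example, not from the original page. Requires ntdll symbols (.symfix; .reload).
$$ dt accepts a field list after the address, so only the interesting members are shown.
dt ntdll!_TEB @$teb ProcessEnvironmentBlock LastErrorValue
dt ntdll!_PEB @$peb BeingDebugged ImageBaseAddress Ldr
$$ Expand one level of the loader data; @@c++() evaluates the typed pseudo-register with the C++ evaluator.
dt -r1 ntdll!_PEB_LDR_DATA @@c++(@$peb->Ldr) InLoadOrderModuleList
$$ InLoadOrderLinks is the first member of _LDR_DATA_TABLE_ENTRY, so the list's Flink pointer
$$ is also the address of the first entry (the main executable).
dt ntdll!_LDR_DATA_TABLE_ENTRY @@c++(@$peb->Ldr->InLoadOrderModuleList.Flink) BaseDllName DllBase SizeOfImage
$$ The C++ evaluator can read fields directly; sizeof works the same way as on the page.
?? @$peb->BeingDebugged
?? sizeof(ntdll!_LDR_DATA_TABLE_ENTRY)
$$ Stack dump via $csp (current stack pointer on x86 and x64): 2 qwords, 4 dwords, 0x10 = 16 bytes.
dq @$csp L2
dd @$csp L4
db @$csp L10
!address @$csp
$$ Find an ASCII string (assumed "password") anywhere in the 32-bit user range, then show the
$$ protection of the page a hit lives in; replace <hit> with an address the search reported.
s -a 0 L?80000000 "password"
!vprot <hit>
```

The @@c++() wrapper is what lets dt take the address straight out of a pointer field instead of reading an offset by hand, which keeps the same commands valid on x86 and x64.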
Editing Data
edit memory (dword):
ed rsp 42424242
for ASCII / Unicode strings:
ea <addr> "<string>"
eu <addr> "<string>"
set register value
r eip=41414141
Automate Commands on Breakpoints
bp <addr> ".printf \"Hello World\";.echo;g"
.if and .else are also available for more logic, e.g. to resume with gc unless a condition holds
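A conditional breakpoint script in the style described above, added here as an example (not code from the original page). It is meant to be saved to a file and run with $>< so the .if/.else blocks are condensed into one command; the script path, the watched functions and the "5th call" threshold are assumptions. The x86 stdcall layout used for the arguments (return address at [esp], first argument at [esp+4]) is a fact of the calling convention.

```windbg
$$ Added example, not from the original page. Save as c:\scripts\logwrites.txt (assumed path)
$$ and run with  $><c:\scripts\logwrites.txt  in a 32-bit user-mode session.
$$ Comments use $$ (not *) because the file is condensed into one line by $><.

$$ At CreateFileW entry on x86 stdcall: [esp] = return address, [esp+4] = lpFileName,
$$ [esp+8] = dwDesiredAccess. Only calls asking for GENERIC_WRITE (0x40000000) are logged;
$$ every other hit resumes silently with gc (go from conditional breakpoint).
bp kernel32!CreateFileW ".if (poi(@esp+8) & 0x40000000) { .printf \"CreateFileW(write) from %p: %mu\\n\", poi(@esp), poi(@esp+4) } .else { gc }"

$$ Hit counter in a user pseudo-register: stop on the 5th CreateFileA instead of the 1st,
$$ printing the ASCII file name (%ma) when the threshold is reached.
r $t0 = 0
bp kernel32!CreateFileA "r $t0 = @$t0 + 1; .if (@$t0 < 5) { gc } .else { .printf \"5th CreateFileA: %ma\\n\", poi(@esp+4) }"

$$ Let the target run; the breakpoint commands fire on every hit.
g
```

The .printf format specifiers %mu and %ma print the string a pointer refers to, so the file name is shown without a second dereference, and gc rather than g is what keeps stepping behaviour intact when the breakpoint is hit while single-stepping.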
Set Working Dir
Fix Symbols
List all running processes
Find string in memory
Change value at address
Address show as x
Reboot (useful in kernel debugging)
Setup Mona
https://github.com/corelan/windbglib/issues/23
Set Symbol Path
Register DLL
Change Memory
Change string
Exploitable
To install, download the extension from https://archive.codeplex.com/?p=msecdbg and put it into the WinDbg folder under "winext"; load it with !load msec.dll and run !exploitable after a crash.
Mona Commands
Find SEH Overwrite
E.g.: SEH record (nseh field) at 0x0019fab4 overwritten with normal pattern: 0x31684630 (offset 4112), followed by 16 bytes of cyclic data after the handler. Read little-endian, 0x31684630 is the ASCII "0Fh1" from the Aa0Aa1... cyclic pattern, which begins 4112 bytes into the pattern, so 4112 is the distance from the start of the buffer to nSEH.
Find Pop Pop Ret Gadget
Find Register Jump
Find jmp in specific module
Generate Rop Chain
Generate Bad Byte Pattern
Formatted with shorter lines:
Compare bad bytes automatically
Show Heap:
Don't break on every exception
e.g. for access violation:
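The mona workflow behind the headings in this section, written out as an added example rather than commands from the original page. It assumes windbglib/pykd are installed as linked under Setup Mona, a 32-bit user-mode target whose vulnerable module is called vulnlib.dll, a bad-byte set of \x00\x0a\x0d, and c:\mona as the output folder; all of those are assumptions for illustration.

```windbg
$$ Added example, not from the original page. Run at the WinDbg prompt after windbglib is set up.
!load pykd.pyd
$$ %p expands to the process name, giving one output folder per target.
!py mona config -set workingfolder c:\mona\%p

$$ 1. SEH overwrite: crash the target with a cyclic pattern, then locate the pattern in
$$    registers, on the stack and in the SEH chain (findmsp prints lines like the one quoted above).
!py mona pattern_create 5000
!py mona findmsp
!py mona pattern_offset 0x31684630

$$ 2. pop/pop/ret gadgets for the SEH handler, skipping addresses that contain bad bytes.
!py mona seh -cpb "\x00\x0a\x0d"

$$ 3. jmp/call/push+ret to a register, restricted to one module (assumed vulnlib.dll).
!py mona jmp -r esp -m vulnlib.dll -cpb "\x00\x0a\x0d"

$$ 4. ROP chain built from the non-ASLR, non-rebase modules, again excluding bad bytes.
!py mona rop -m vulnlib.dll -cpb "\x00\x0a\x0d"

$$ 5. Bad-character hunt: write the byte array minus the known bad bytes, send it in the
$$    payload, then compare the copy in memory (here at esp) with the file mona wrote.
!py mona bytearray -b "\x00\x0a\x0d"
!py mona compare -f c:\mona\vulnapp\bytearray.bin -a @esp

$$ 6. Stop breaking on first-chance access violations so the real crash is reached faster.
sxd av
```

Each step writes its results to the working folder (seh.txt, jmp.txt, rop.txt, bytearray.bin and friends), so the commands can be rerun with a tighter -cpb or -m filter without repeating the crash.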
Narly
https://code.google.com/archive/p/narly/